constellation_utils.secrets._backends

Backends that resolve op://... URIs (or env vars) into credentials.

There is one real backend in the MVP: OpCLIBackend. It works on both laptops (biometric-unlocked desktop app session) and unattended hosts (OP_SERVICE_ACCOUNT_TOKEN set in env). Both use the same op read shell-out; the auth difference is purely environmental.

EnvBackend is for tests and CI only — when R2_ACCESS_KEY_ID is already in env we short-circuit to direct env-var reads.

Module Contents

Classes

OpCLIBackend

Resolve credentials by shelling out to op read.

EnvBackend

Direct env-var reads. Tests/CI only — never the production path.

Functions

select_backend

Pick a backend based on the current env.

API

exception constellation_utils.secrets._backends.ConstellationAuthError

Bases: RuntimeError

Raised when no auth backend is available or a read fails.

Messages aim to be actionable: what was expected, what was found, suggested next step.

Initialization

Initialize self. See help(type(self)) for accurate signature.

add_note()
class args
with_traceback()

class constellation_utils.secrets._backends.OpCLIBackend

Resolve credentials by shelling out to op read.

Works for both laptop biometric sessions and unattended hosts that have OP_SERVICE_ACCOUNT_TOKEN set — the op CLI picks up the token from env automatically.

read_one(uri: str) → str

read_r2(uri_map: dict[str, str]) → constellation_utils.secrets.models.R2Secrets

read_cloudflare(uri_map: dict[str, str]) → constellation_utils.secrets.models.CloudflareSecrets

class constellation_utils.secrets._backends.EnvBackend

Direct env-var reads. Tests/CI only — never the production path.

R2_ENV_MAP

None

CLOUDFLARE_ENV_MAP

None

read_r2(uri_map: dict[str, str]) → constellation_utils.secrets.models.R2Secrets

read_cloudflare(uri_map: dict[str, str]) → constellation_utils.secrets.models.CloudflareSecrets

constellation_utils.secrets._backends.select_backend() → constellation_utils.secrets._backends._Backend

Pick a backend based on the current env.

Order:

1. R2_ACCESS_KEY_ID or CLOUDFLARE_API_TOKEN set → EnvBackend (tests/CI escape hatch).
2. op on PATH → OpCLIBackend (laptops + rigs).
3. else → ConstellationAuthError.
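
Because the tests/CI escape hatch is checked before op, a stray R2_ACCESS_KEY_ID or CLOUDFLARE_API_TOKEN on an unattended host routes credential reads around op read. The deploy-time check below is an added example, not constellation_utils code: predict_backend and preflight are hypothetical names that mirror the documented order, and treating an empty variable as unset is an assumption.

```python
import os
import shutil
from typing import Callable, Mapping, Optional

# Variables that trigger the tests/CI escape hatch, per the documented order.
ESCAPE_HATCH_VARS = ("R2_ACCESS_KEY_ID", "CLOUDFLARE_API_TOKEN")


def predict_backend(
    env: Mapping[str, str],
    which: Callable[[str], Optional[str]] = shutil.which,
) -> str:
    """Name the outcome the documented selection order would produce."""
    # Assumption: "set" means present and non-empty.
    if any(env.get(name) for name in ESCAPE_HATCH_VARS):
        return "EnvBackend"
    if which("op"):
        return "OpCLIBackend"
    return "ConstellationAuthError"


def preflight(
    env: Mapping[str, str],
    which: Callable[[str], Optional[str]] = shutil.which,
    unattended: bool = True,
) -> list[str]:
    """Hypothetical check: return findings for a host before it reads secrets."""
    findings = []
    backend = predict_backend(env, which)
    if backend == "EnvBackend" and unattended:
        present = [n for n in ESCAPE_HATCH_VARS if env.get(n)]
        findings.append(
            f"{', '.join(present)} set: EnvBackend is selected ahead of op"
        )
    if backend == "OpCLIBackend" and unattended and not env.get("OP_SERVICE_ACCOUNT_TOKEN"):
        findings.append("op on PATH but OP_SERVICE_ACCOUNT_TOKEN is not set")
    if backend == "ConstellationAuthError":
        findings.append("no escape-hatch variable and no op on PATH")
    return findings


if __name__ == "__main__":
    # Report on the real environment; exit non-zero when anything is flagged.
    problems = preflight(os.environ)
    for line in problems:
        print("FINDING:", line)
    raise SystemExit(1 if problems else 0)
```

Run it on an unattended host before the first secret read; pass unattended=False on a laptop, where the biometric desktop session replaces the service-account token.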