Centralized, serverless secrets manager for solo developers — Python module
Project description
envpact (Python)
Zero-dependency Python module for envpact — a centralized, serverless, Git-backed secrets manager for solo developers.
Read & write the same vault that envpact-cli, envpact-mcp, and envpact-vscode use. Identical semantics, native Python API.
Part of the envpact ecosystem.
Installation
pip install envpact
Python 3.10+. No runtime dependencies — just stdlib.
Quick Start
If you don't have a vault yet, bootstrap it once with the Node CLI:
npx envpact-cli --init auto
Then use Python directly:
from envpact import EnvPact
pact = EnvPact()
pact.generate_env() # writes .env for the current project
pact.add_shared("OPENAI_API_KEY", "sk-…")
pact.rotate("OPENAI_API_KEY", "sk-new")
pact.sync_github(project_name="my-app")
CLI
The package also ships a thin CLI mirroring envpact-cli:
python -m envpact # generate .env
python -m envpact --list # list projects
python -m envpact --rotate OPENAI_API_KEY
After installation, the envpact script is also on your $PATH.
API
EnvPact(...)
EnvPact(
*,
vault_file: Path | str | None = None,
secrets_dir: Path | str | None = None,
project_name: str | None = None,
environment: str | None = None,
auto_pull: bool = True,
auto_push: bool = True,
)
Methods
| Method | Returns |
|---|---|
resolve(project_name=None, environment=None) |
dict with resolved, unresolved, invalid, environment, missing |
generate_env(...) |
dict with output_path, resolved_count, missing |
list_projects() |
list[str] |
list_shared() |
list[str] (names only) |
list_environments(project_name) |
list[str] |
add_secret(project, key, value, environment=None) |
push status |
add_shared(key, value) |
push status |
rotate(key, new_value) |
references + push status |
sync_github(...) |
sync stats |
pull() / push(message) |
git result |
Resolver helpers
from envpact import resolve_project, resolve_string, list_project_environments
# Pure functions over a parsed vault dict — useful for tests.
result = resolve_project(vault_dict, "my-app", "production")
Vault Schema
Identical to envpact-cli — see SHARED_SPEC §1.
Security
- Vault values are read directly from the user's local clone at
~/.envpact/secrets/. Nothing is ever sent to a third party. list_shared()returns names only..envfiles are written with mode 0600 where the OS supports it.- All vault commits are signed-off (
-s).
License
MIT © Chirag Singhal — see LICENSE.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file envpact-0.2.0.tar.gz.
File metadata
- Download URL: envpact-0.2.0.tar.gz
- Upload date:
- Size: 15.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fa27c6344847b7bd2150ad41b41e0c4acb2d566775dab699685a0cd26e1dd397
|
|
| MD5 |
c6c29b7d3eea6cda21ee7a805a6afa89
|
|
| BLAKE2b-256 |
e1c78fb241710907eaca1c1ce04e29805c103d102a74fa067b2d97099a142847
|
File details
Details for the file envpact-0.2.0-py3-none-any.whl.
File metadata
- Download URL: envpact-0.2.0-py3-none-any.whl
- Upload date:
- Size: 15.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0789185ee00718f600009f5a8dd9444cbadce35983efee17bb2083b4227dbaa2
|
|
| MD5 |
733c5f8ba858eb394716687463e68495
|
|
| BLAKE2b-256 |
7c2a82567ef8ab174e1fe3b9279eba3e159ac4399b1b1b37415f11e39da0ee98
|
