Minimal secrets interface for Money Ex Machina, supporting gopass and env backends

mxm-secrets


A typed, minimal, pluggable Python interface for operational secret access within the Money Ex Machina ecosystem.

Built around explicit, scoped secret retrieval using gopass, with support for additional backends and deployment environments over time.

Purpose

mxm-secrets provides the canonical secret access layer for MXM packages.

The package exists to separate application code from secret storage and operational credential management.

MXM packages should never:

  • hardcode secrets,
  • preload global credential blobs,
  • depend directly on backend implementations,
  • or assume a particular secret storage mechanism.

Instead, packages retrieve secrets explicitly:

from mxm.secrets import get_secret

api_key = get_secret("prod/some-api-key")

This establishes:

  • explicit dependency boundaries,
  • process-local secret access,
  • backend composability,
  • operational portability,
  • and testable infrastructure interfaces.

Philosophy

Explicit

Secrets must be requested individually by name.

No global credential injection or hidden runtime state.

Scoped

Each process retrieves only the secrets it requires.

Composable

Designed for Unix-style workflows, automation pipelines, REPLs, and distributed runtime environments.

Pluggable

Supports multiple backend implementations behind a stable API surface.

Minimal

Small dependency surface, strict typing, and reproducible operational behavior.

Installation

Install from PyPI:

poetry add mxm-secrets

Or install from source:

git clone https://github.com/moneyexmachina/mxm-secrets.git
cd mxm-secrets
poetry install

Usage

Python API

from mxm.secrets import get_secret

api_key = get_secret("mxm/dev/api-key")
smtp_password = get_secret("prod/smtp-password", default="changeme")

CLI Usage

Retrieve a secret:

python -m mxm.secrets get mxm/dev/api-key

With fallback value:

python -m mxm.secrets get mxm/dev/api-key --default "changeme"

Verbose mode:

python -m mxm.secrets get mxm/dev/api-key --verbose

Secret Resolution Logic

When:

get_secret("mxm/dev/api-key")

is called, the package attempts resolution using configured backends in priority order.

Current default order:

  1. gopass
  2. environment variables

Example:

mxm/dev/api-key

maps to:

gopass show mxm/dev/api-key

and environment fallback:

MXM_DEV_API_KEY

(the path uppercased, with / and - replaced by _)

If no backend resolves the secret:

  • the provided default value is returned,
  • otherwise None.

Callers on production paths should treat a None result as a misconfiguration and fail early rather than continue with an empty credential; pass a default only where a placeholder value is genuinely acceptable.
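The chain described above, written out as an added example rather than the project's own code: a small resolver with the same two backends in the documented priority order, the documented name-to-variable mapping, and a result that records which backend answered (the information verbose mode is meant to surface). The class and function names (SecretBackend, GopassBackend, EnvBackend, resolve, env_var_name), the key-validation rule, and the fake store and environment used in demo() are this example's assumptions.

```python
"""Backend-chain secret resolution mirroring the documented mxm-secrets order.

Added example, not mxm-secrets' own code. Names, the key grammar and the
constructed data in demo() are assumptions made for illustration.
"""
from __future__ import annotations

import os
import re
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Mapping, Optional, Protocol, Sequence

# Assumed key grammar (the page states none): path-like segments, each
# starting alphanumerically, so a leading '-' cannot be read as a gopass
# flag and '..' or empty segments are rejected before reaching a backend.
_KEY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(/[A-Za-z0-9][A-Za-z0-9._-]*)*$")


def validate_key(key: str) -> str:
    if not _KEY_RE.match(key):
        raise ValueError(f"invalid secret key: {key!r}")
    return key


def env_var_name(key: str) -> str:
    """mxm/dev/api-key -> MXM_DEV_API_KEY, the mapping the README documents.
    Collapsing any other non-alphanumeric run to '_' is an assumption."""
    return re.sub(r"[^A-Za-z0-9]+", "_", key).upper()


class SecretBackend(Protocol):
    name: str

    def get(self, key: str) -> Optional[str]:
        """Return the secret, or None if this backend does not hold it."""


@dataclass
class EnvBackend:
    name: str = "env"
    # Injected mapping so tests never read or mutate the real environment.
    environ: Mapping[str, str] = field(default_factory=lambda: os.environ)

    def get(self, key: str) -> Optional[str]:
        return self.environ.get(env_var_name(key))


def _run_gopass(key: str) -> Optional[str]:
    """Real runner: `gopass show <key>`. Returns None when gopass is absent
    or the key is missing, so the chain falls through instead of raising."""
    if shutil.which("gopass") is None:
        return None
    proc = subprocess.run(["gopass", "show", key], capture_output=True, text=True)
    return proc.stdout.rstrip("\n") if proc.returncode == 0 else None


@dataclass
class GopassBackend:
    name: str = "gopass"
    # Injectable so the backend can be exercised without a GPG keyring.
    runner: Callable[[str], Optional[str]] = _run_gopass

    def get(self, key: str) -> Optional[str]:
        return self.runner(key)


@dataclass(frozen=True)
class Resolution:
    value: Optional[str]
    source: Optional[str]  # backend name, "default", or None when unresolved


DEFAULT_CHAIN: Sequence[SecretBackend] = (GopassBackend(), EnvBackend())


def resolve(key: str, backends: Sequence[SecretBackend] = DEFAULT_CHAIN,
            default: Optional[str] = None) -> Resolution:
    """Try backends in priority order; the first non-empty hit wins. An
    exported-but-blank variable counts as missing rather than as a value."""
    validate_key(key)
    for backend in backends:
        value = backend.get(key)
        if value:
            return Resolution(value, backend.name)
    return Resolution(default, "default" if default is not None else None)


def get_secret(key: str, default: Optional[str] = None,
               backends: Sequence[SecretBackend] = DEFAULT_CHAIN) -> Optional[str]:
    return resolve(key, backends, default).value


def demo() -> dict[str, Resolution]:
    """Constructed data, not a real store: exercises every documented branch."""
    fake_store = {"mxm/dev/api-key": "gp-123"}          # stands in for gopass
    fake_env = {"MXM_DEV_API_KEY": "env-456",           # shadowed by gopass
                "MXM_PROD_SMTP_PASSWORD": "env-smtp"}   # reached via fallback
    chain = (GopassBackend(runner=fake_store.get), EnvBackend(environ=fake_env))
    return {
        "gopass_wins": resolve("mxm/dev/api-key", chain),
        "env_fallback": resolve("mxm/prod/smtp-password", chain),
        "default": resolve("mxm/runtime/token", chain, default="changeme"),
        "missing": resolve("mxm/runtime/token", chain),
    }


if __name__ == "__main__":
    for case, res in demo().items():
        print(f"{case:12} value={res.value!r:12} source={res.source}")
```

Injecting the runner and the environment mapping is what makes the chain testable offline, which the page's own test suite (backend dispatch, environment fallback) needs as well; the real `_run_gopass` is only reached when a caller uses DEFAULT_CHAIN.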

Secret Store Layout

Typical gopass structure:

mxm/
├── prod/
│   └── email-password
├── dev/
│   └── test-api-key
├── runtime/
└── bootstrap/

Each subtree may use separate .gpg-id files for scoped access control.

Example:

gopass insert mxm/dev/test-api-key

Available Backends

Backend      Status   Description
gopass       Stable   Local encrypted secret storage via GPG
Environment  Stable   Environment variable fallback backend
age          Planned  File-based encrypted secret backend
Vault        Planned  Centralized secret infrastructure

Configuration

Current backend priority is statically defined inside the package.

Future versions will support configuration through:

mxm-config

Planned future capabilities:

  • configurable backend ordering,
  • runtime session backends,
  • Vault integration,
  • Age integration,
  • deployment-specific backend chains.

Security Notes

mxm-secrets:

  • does not cache secrets,
  • does not preload credentials,
  • does not globally export secrets,
  • does not persist runtime secret state.

Secrets remain external to MXM repositories and operational codebases.

Development

Install development dependencies:

poetry install

Run formatting:

make fmt

Run linting:

make lint

Run static typing:

make type

Run tests:

make test

Run full validation:

make check

Run MXM package compliance validation:

mxm-foundry check .

Testing

The test suite includes coverage for:

  • backend dispatch,
  • gopass integration behavior,
  • environment fallback logic,
  • CLI functionality,
  • typing and packaging integration.

Tests are executed using:

pytest

License

MIT License. See LICENSE.

Download files

Source Distribution

mxm_secrets-0.2.0.tar.gz (6.8 kB)

Built Distribution

mxm_secrets-0.2.0-py3-none-any.whl (9.2 kB)

File details

Details for the file mxm_secrets-0.2.0.tar.gz.

File metadata

  • Download URL: mxm_secrets-0.2.0.tar.gz
  • Size: 6.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for mxm_secrets-0.2.0.tar.gz
Algorithm    Hash digest
SHA256       d1a9209940c1db624e361d3540f62df2235303e4da2cc0a863caace0177aee4e
MD5          e6eaac12c56a0893a32fea25a14c2113
BLAKE2b-256  303ec21a3949862d4c70c9d5df43dfff2d3f87e8e506318fc914cf9ff8150ac3


Provenance

The following attestation bundles were made for mxm_secrets-0.2.0.tar.gz:

Publisher: release.yml on moneyexmachina/mxm-secrets

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file mxm_secrets-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: mxm_secrets-0.2.0-py3-none-any.whl
  • Size: 9.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for mxm_secrets-0.2.0-py3-none-any.whl
Algorithm    Hash digest
SHA256       b32658e97bbb39f3214e51d8a45c3510c992eda9549774638eafb34c73bd3198
MD5          4fa42dabb0247d81741b75ddf7f2b698
BLAKE2b-256  f703b8e813705724c51dc53d299a885df55cd0c3887637a2e0adcedd3b2051fa


Provenance

The following attestation bundles were made for mxm_secrets-0.2.0-py3-none-any.whl:

Publisher: release.yml on moneyexmachina/mxm-secrets

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
