Skip to main content

Reach Commons is a versatile utility library designed to streamline and enhance development workflows within the Reach ecosystem.

Project description

reach_commons

Reach's shared Python utility library — SMS encoding, phone validation, structured logging, persistence wrappers (Mongo, DynamoDB, S3, SQS, Firehose, KMS), Redis rate-limiting, and HTTP clients for internal Reach services (event-processor, callback-processor, reach-ops, reach-data-bridge), plus third-party integrations (HubSpot, Outscraper).

Distributed as the reach-commons wheel on PyPI. Source of truth: https://gitlab.com/reach.ai/reach-commons.

Install

pip install reach-commons

Pin a version in requirements.txt / pyproject.toml like any other dep. Releases are published from main by GitLab CI (see Release flow).

Quick example

from reach_commons.sms_smart_encoding import MessageSmartEncoding

msg = MessageSmartEncoding("Hello world!")
print(msg.encoding, msg.length, msg.segments)  # GSM-7 12 1

Repo layout

reach_commons/
├── app_logging/          structured logger, http logger, deprecation tracker
├── clients/              thin HTTP wrappers for Reach internal services + 3rd-party APIs
│   ├── _auth.py            shared Bearer-header helper (reads lambda_function_api_key)
│   ├── callback_processor.py
│   ├── event_processor.py
│   ├── hubspot.py
│   ├── nightly_lambda.py
│   ├── outscraper.py
│   ├── reach_data_bridge.py
│   └── reach_ops_api.py
├── mongo/                MongoDB customer persistence (sync + async)
├── reach_aws/            boto3 wrappers (dynamodb, s3, sqs, firehose, kms, rate limiter)
├── reach_base_model.py
├── redis_manager.py
├── sms_smart_encoding.py   GSM-7 / UCS-2 detection + segment math
├── utils.py
└── validations.py          phone-number validator (Twilio Lookups)
tests/                   pytest, every suite uses @pytest.mark.parametrize

Security model

Starting with version 0.18.57, the wheel published to PyPI contains zero credentials. Every secret consumed by reach_commons is fetched at runtime from AWS Systems Manager Parameter Store (SecureString), sourced from /terraform/shared-config.tf (shared_ssm_secure).

Why this matters: reach_commons is published to public PyPI. Anyone can pip download reach-commons. The wheel is intended to be safe in that posture — if it gets shared outside Reach (forked, cloned by an external dev, included in a third-party tool), no Reach credentials travel with it.

Access control lives in IAM: a consumer Lambda can only read the secrets its execution role grants ssm:GetParameter on. No env vars, no hardcoded fallbacks, no setattr side-channels.

SSM paths consumed at runtime

SSM path Read by Source line
/api-keys/{env}/lambda-function-api-key _auth.reach_api_bearer_header() — Bearer for EventProcessorClient, CallbackProcessorClient, ReachOpsApiClient, ReachDataBridgeClient /terraform/shared-config.tf:19
/twilio/{env}/account_sid CommonsPhoneNumberValidation /terraform/shared-config.tf:22
/twilio/{env}/auth_token CommonsPhoneNumberValidation /terraform/shared-config.tf:23
/outscraper/{env}/token OutscraperClient /terraform/shared-config.tf:24
/outscraper/{env}/webhook_url OutscraperClient /terraform/shared-config.tf:25

{env} resolves to staging / prod from the ENV Lambda env var (defaults to Staging).

Required consumer Lambda IAM

Every consumer must grant its execution role ssm:GetParameter on the paths it touches (only the ones whose clients it actually imports). Example for a Lambda that uses Bearer + Twilio + Outscraper:

statement {
  sid     = "ReachCommonsSSMRead"
  effect  = "Allow"
  actions = ["ssm:GetParameter", "ssm:GetParameters"]
  resources = [
    "arn:aws:ssm:us-east-1:383836045505:parameter/api-keys/${lower(var.tag)}/*",
    "arn:aws:ssm:us-east-1:383836045505:parameter/twilio/${lower(var.tag)}/*",
    "arn:aws:ssm:us-east-1:383836045505:parameter/outscraper/${lower(var.tag)}/*",
  ]
}

If the SSM SecureStrings are encrypted with a non-default KMS CMK, add kms:Decrypt on that key alias too. The current shared_ssm_secure block uses the default alias/aws/ssm so no extra KMS statement is needed.

Caching and rotation

reach_commons._ssm caches each SSM value in-memory with a 1-hour TTL per process. Cold start = 1 GetParameter per credential (~50ms each); warm container reuses the cached value until expiry.

After 1h, a rotation in SSM is picked up automatically on the next call — no redeploy needed. To force an immediate refresh, redeploy / recycle the Lambda containers.

Test / local override

Each affected client accepts explicit kwargs so tests and local tooling can bypass SSM entirely:

CommonsPhoneNumberValidation(account_sid="ACtest", auth_token="...")
OutscraperClient(token="...", webhook_url="https://...")

reach_api_bearer_header() has no kwarg path — tests should monkeypatch.setattr(reach_commons.clients._auth, "get_secure", lambda p: "...").

Local development

poetry install                       # runtime + dev deps into .venv
poetry run pre-commit install        # one-time: enables commit/push hooks

poetry run pytest                    # full suite
poetry run ruff check reach_commons tests
poetry run ruff format --check reach_commons tests
poetry run pyright reach_commons tests

Python floor: ^3.8. CI runs on python:3.13-slim.

Pre-commit hooks

.pre-commit-config.yaml installs three layers:

  • On commit (fast): trailing-whitespace, end-of-file-fixer, check-yaml, check-toml, check-merge-conflict, check-added-large-files, ruff (lint + autofix), ruff-format.
  • On push (slower): pyright with the runtime deps as additional_dependencies.

Pyright runs only on push so day-to-day commits stay fast.

Release flow

GitLab CI publishes to PyPI automatically. Workflow:

  1. Open an MR against main.
  2. CI runs lint + typecheck + test on every push (verify stage).
  3. Merge to main.
  4. The publish_pypi job compares the version in pyproject.toml against the latest version on PyPI:
    • If pyproject.toml > PyPI: builds the wheel + sdist and uploads via poetry publish.
    • Otherwise: logs ::: skip — local X <= PyPI Y and exits cleanly.

So a release = bump version in pyproject.toml, merge to main. Done.

Pipeline shape

verify ──► lint        (ruff check + ruff format --check)
       ──► typecheck   (pyright)
       ──► test        (pytest)
publish ──► publish_pypi   (only on main, only when version bumped)

All jobs run on the self-hosted EC2 GitLab runner (tags: [ec2-instance]).

PyPI authentication

poetry publish reads the POETRY_PYPI_TOKEN_PYPI env var (Poetry's standard convention). It's configured as a GitLab CI/CD Variable on the project (Settings → CI/CD → Variables): masked, scope = All environments.

Rotation = generate a new project-scoped token at https://pypi.org/manage/account/token/ (scope = reach-commons), paste into the same CI/CD Variable, revoke the old. No restart or SSH needed.

Branches

Branch Purpose
main source of truth; merges here trigger PyPI publish when version bumped
fix/*, feat/*, chore/* working branches; verify pipeline runs but no publish

Architecture cheat-sheet

consumer Lambda
   │
   ├─ os.environ[lambda_function_api_key]  ──┐
   │                                          ▼
   │                     reach_commons.clients._auth.reach_api_bearer_header()
   │                                          │
   ├─ EventProcessorClient    ────────────────┤
   ├─ CallbackProcessorClient ────────────────┤   "Authorization": "Bearer <token>"
   ├─ ReachOpsApiClient       ────────────────┤
   └─ ReachDataBridgeClient   ────────────────┘

Four client classes share the same Bearer token via a single helper — drop the env var on the Lambda and all four start sending Bearer (empty) → 401s.

Test layout

All test files in tests/ use @pytest.mark.parametrize. Adding a non-parametrized def test_x is discouraged — collapse into parameters or split if behaviors truly diverge.

File Coverage
test_imports.py parametrized over every reach_commons.* module via pkgutil.walk_packages — auto-discovers new submodules
test_sms_smart_encoding.py GSM-7 / UCS-2 detection, normalization map, segment math at length boundaries (160/161/306/307, 70/71)
test_validations.py Twilio HTTP wrapper status-code → bool fork; env var precedence (uppercase / lowercase / unset)
test_auth.py reach_api_bearer_header() with token set / empty / unset
test_outscraper.py env var → constructor → empty fallback resolution; X-API-KEY header

Migration history

  • 2026-05-12 — Migrated from AWS CodeCommit (reach-commons → renamed to reach-commons-MOVED-TO-GITLAB, read-only archive) to GitLab. Replaced manual python build.py publish with GitLab CI publish-on-version-bump. Removed hardcoded secrets from the wheel (Twilio creds, Bearer tokens shared across four internal-API clients, Outscraper token + webhook URL); all secrets now read from env vars sourced from /terraform/shared-config.tf SSM. Adopted ruff (replacing black + isort) and pyright; added parametrized test suite. Version 0.18.55 → 0.18.56.

Service ownership

Owner: Reach Engineering. Issues / MR reviews via the GitLab repo. The legacy CodeCommit archive at reach-commons-MOVED-TO-GITLAB is read-only and kept only for git archaeology.

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

reach_commons-0.18.63.tar.gz (39.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

reach_commons-0.18.63-py3-none-any.whl (48.9 kB view details)

Uploaded Python 3

File details

Details for the file reach_commons-0.18.63.tar.gz.

File metadata

  • Download URL: reach_commons-0.18.63.tar.gz
  • Upload date:
  • Size: 39.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.5 CPython/3.13.14 Linux/6.17.0-1013-aws

File hashes

Hashes for reach_commons-0.18.63.tar.gz
Algorithm Hash digest
SHA256 90a3a436edffe41410beef8eb46d0f1a3e627930f4cd103f9afab8070e3cd736
MD5 50e290574aa6f84f4e9ba9d86cff8407
BLAKE2b-256 e1dee1489ce887e93808d9cec30e73178914d4c967a77278611f53a591554493

See more details on using hashes here.

File details

Details for the file reach_commons-0.18.63-py3-none-any.whl.

File metadata

  • Download URL: reach_commons-0.18.63-py3-none-any.whl
  • Upload date:
  • Size: 48.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.5 CPython/3.13.14 Linux/6.17.0-1013-aws

File hashes

Hashes for reach_commons-0.18.63-py3-none-any.whl
Algorithm Hash digest
SHA256 e7e57aacf5363aa5da7d947524061cc0314e9c5cdc3979dd55d69e94ec28dbf8
MD5 933bacf0c50056e8164339f490923c19
BLAKE2b-256 048821fa8b6e1af8d0a9971f7413de839b88606c1e5dd2d9f48060a087230581

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page