Config job pack for Tessera: inventory config keys, check for leaked secrets, and report config drift.
Project description
tesserakit-config
Inventory a project's configuration, check for leaked secrets, and report config drift.
tessera-config scans env files and source code, aggregates every configuration key, redacts secret values at load time, and reports the gaps between what is documented, what is set, and what is actually used. No code is executed and no network calls are made.
What it scans
- Real env files (
.env,.env.local, ...) → keys and (redacted) values. - Example files (
.env.example,.env.sample,.env.template) → documented keys. - Source code (
.py,.js,.ts,.rb,.go, ...) → env-var references:os.getenv("X"),os.environ["X"],os.environ.get("X"),getenv("X"),process.env.X,process.env["X"].
Secret safety
Values for secret-named keys (*TOKEN*, *SECRET*, *PASSWORD*, *API_KEY*,
*CREDENTIAL*, ...) are masked before any record or artifact is written. The
inventory shows (set) for non-secret values and a masked preview for secret
ones; the raw value never leaves the source file.
Audit a project
tessera config audit --input . --output ./out/config_pack
Artifacts written:
config_inventory.jsonl one ConfigKey per key (env/example/code flags, masked value)
index.md the inventory table
validation_report.md findings (leaked secrets, drift)
coverage_report.md documented %, used %, secret count
drift_report.md used-but-undocumented / set-but-undocumented / documented-but-unused
Validation rules
possible_committed_secret— a secret-named key has a value in a real.envsecret_value_in_nonsecret_key— a value shaped like a secret (e.g.MY_THING=ghp_…) under a key whose name isn't secret-like; name-based detection alone would miss itmissing_in_example— used in code but not documented in any.env.exampleundocumented_env_key— set in.envbut not in any exampleunused_documented_key— documented in an example but never used or setno_config_keys— nothing found
Secret detection screens values by shape (AWS/GitHub/Slack/Stripe/JWT/etc. + a conservative high-entropy heuristic) in addition to key names, with UUIDs excluded.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tesserakit_config-0.3.1.tar.gz.
File metadata
- Download URL: tesserakit_config-0.3.1.tar.gz
- Upload date:
- Size: 9.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.11
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e51b99eb7fb667057a9d6fcd66593cdff01f2b2b5838cafd4f9e14382c1ae08c
|
|
| MD5 |
6dc5986feb960ee1305a52ce729aa766
|
|
| BLAKE2b-256 |
ed08b24f26a0bdd4231b25c3074cb68b5a0a4bacbf105728318d7533b8179b0d
|
File details
Details for the file tesserakit_config-0.3.1-py3-none-any.whl.
File metadata
- Download URL: tesserakit_config-0.3.1-py3-none-any.whl
- Upload date:
- Size: 11.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.11
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
01ef16f1466998d4083bdee42582d731d7a7f027241f1201241b2a2fff35bcf3
|
|
| MD5 |
77de0e08eb0664c7dbfb0513a30fbbc4
|
|
| BLAKE2b-256 |
5b90c763916d3c5b1e7672a5afcaab2db0709597b0fc418abce552f67d6adfee
|
