"""Pydantic schemas for REST and services.""" from datetime import datetime from enum import StrEnum from typing import Generic, TypeVar from uuid import UUID from pydantic import BaseModel, ConfigDict, Field, field_validator T = TypeVar("T") class SecretStatus(StrEnum): actual = "actual" outdated = "outdated" class Channel(StrEnum): ui = "ui" rest = "rest" mcp = "mcp" class Scope(StrEnum): read = "read" reveal = "reveal" write = "write" admin = "admin" mcp = "mcp" class SecretFieldIn(BaseModel): name: str = Field(min_length=1, max_length=120) value: str = Field(max_length=65536) encrypted: bool = False masked: bool = False position: int = 0 class SecretFieldOut(BaseModel): name: str value: str | None = None encrypted: bool masked: bool position: int class SecretCreate(BaseModel): title: str = Field(min_length=1, max_length=255) purpose: str | None = Field(default=None, max_length=255) category: str | None = Field(default=None, max_length=120) source: str | None = Field(default=None, max_length=255) notes: str | None = Field(default=None, max_length=140) tags: list[str] = Field(default_factory=list) status: SecretStatus = SecretStatus.actual archived: bool = False allow_ui: bool = True allow_rest_api: bool = True allow_mcp: bool = False fields: list[SecretFieldIn] = Field(default_factory=list) @field_validator("tags") @classmethod def normalize_tags(cls, tags: list[str]) -> list[str]: result = [] for tag in tags: value = tag.strip().lower() if value and value not in result: result.append(value[:80]) return result class SecretUpdate(BaseModel): title: str | None = Field(default=None, min_length=1, max_length=255) purpose: str | None = Field(default=None, max_length=255) category: str | None = Field(default=None, max_length=120) source: str | None = Field(default=None, max_length=255) notes: str | None = Field(default=None, max_length=140) tags: list[str] | None = None status: SecretStatus | None = None archived: bool | None = None allow_ui: bool | None = None allow_rest_api: bool | None = None allow_mcp: bool | None = None fields: list[SecretFieldIn] | None = None class SecretRead(BaseModel): id: UUID title: str purpose: str | None category: str | None source: str | None notes: str | None tags: list[str] status: SecretStatus archived: bool allow_ui: bool allow_rest_api: bool allow_mcp: bool created_at: datetime updated_at: datetime fields: list[SecretFieldOut] class SecretReveal(SecretRead): version_id: UUID version_number: int class SecretVersionRead(BaseModel): id: UUID version_number: int created_at: datetime fields: list[SecretFieldOut] class Page(BaseModel, Generic[T]): items: list[T] total: int offset: int limit: int class ApiTokenCreate(BaseModel): name: str = Field(min_length=1, max_length=120) scopes: list[Scope] class ApiTokenRead(BaseModel): id: UUID public_id: str name: str scopes: list[str] created_at: datetime revoked_at: datetime | None last_used_at: datetime | None class ApiTokenCreated(ApiTokenRead): token: str class AuditEventRead(BaseModel): model_config = ConfigDict(from_attributes=True) id: UUID user_id: UUID | None actor_user_id: UUID | None api_token_id: UUID | None secret_id: UUID | None channel: str action: str ip_address: str | None user_agent: str | None audit_metadata: dict = Field(serialization_alias="metadata") created_at: datetime class UserRead(BaseModel): id: UUID email: str display_name: str | None locale: str | None role: str status: str avatar_url: str | None = None auth_profile_url: str | None = None class UserUpdate(BaseModel): display_name: str | None = Field(default=None, max_length=120) locale: str | None = Field(default=None, max_length=10) class ExportResponse(BaseModel): format: str version: int exported_at: datetime secrets: list[dict] class ImportPayload(BaseModel): format: str version: int exported_at: datetime secrets: list[SecretCreate] class StatsRead(BaseModel): total_secrets: int active_secrets: int mcp_enabled_secrets: int