buun-stack/python-package/README.md

# buunstack

A Python package for buun-stack that provides secure secrets management with HashiCorp Vault using pre-acquired Vault tokens from JupyterHub for seamless authentication.

## Features

- 🔒 **Secure Secrets Management**: Integration with HashiCorp Vault
- 🚀 **Pre-acquired Authentication**: Uses Vault tokens created at notebook spawn
- 📱 **Simple API**: Easy-to-use interface for secrets storage and retrieval
- 🔄 **Automatic Token Renewal**: Built-in token refresh for long-running sessions
- 🏢 **Enterprise Ready**: Built for production environments

## Quick Start

### Installation

```bash
pip install buunstack
```

### Basic Usage

```python
from buunstack import SecretStore

# Initialize with pre-acquired Vault token (automatic)
secrets = SecretStore()

# Put API keys and configuration
secrets.put('api-keys',
    openai_key='sk-your-key-here',
    github_token='ghp_your-token',
    database_url='postgresql://user:pass@host:5432/db'
)

# Get secrets
api_keys = secrets.get('api-keys')
openai_key = api_keys['openai_key']

# Get specific field directly
openai_key = secrets.get('api-keys', field='openai_key')

# List all your secrets
all_secrets = secrets.list()

# List fields in a specific secret
fields = secrets.list_fields('api-keys')
print(f'Available fields: {fields}')  # ['openai_key', 'github_token', 'database_url']
```

### Configuration Options

```python
# Disable JupyterHub token synchronization
secrets = SecretStore(sync_with_jupyterhub=False)

# Custom token validity buffer
secrets = SecretStore(
    sync_with_jupyterhub=True,
    refresh_buffer_seconds=600  # Sync tokens 10 minutes before expiry
)

# Check synchronization status
status = secrets.get_status()
print(f"JupyterHub sync enabled: {status['sync_with_jupyterhub']}")
print(f"API configured: {status.get('jupyterhub_api_configured', False)}")
```

### Advanced Operations

```python
# Delete a specific field from a secret
secrets.delete('api-keys', field='github_token')

# Delete an entire secret
secrets.delete('old-config')

# Check if a field exists before accessing
if 'openai_key' in secrets.list_fields('api-keys'):
    key = secrets.get('api-keys', field='openai_key')
```

### Environment Variables Helper

```python
from buunstack import SecretStore, get_env_from_secrets, put_env_to_secrets

secrets = SecretStore()

# Put environment variables
project_env = {
    'PROJECT_NAME': 'ml-research',
    'MODEL_VERSION': 'v2.1',
    'DEBUG': 'false'
}
put_env_to_secrets(secrets, project_env)

# Get environment variables
loaded_vars = get_env_from_secrets(secrets)
# Now available as os.environ['PROJECT_NAME'], etc.
```

## Comparison with Other Platforms

| Platform | API | Features |
|----------|-----|----------|
| Google Colab | `userdata.get('KEY')` | Simple, strings only |
| Databricks | `dbutils.secrets.get(scope, key)` | Scoped management |
| AWS SageMaker | `boto3.client().get_secret_value()` | JSON support, IAM control |
| Azure ML | `SecretClient().get_secret()` | RBAC, HSM support |
| **buunstack** | `secrets.get('key')` | **JSON support, unlimited sessions, auto-refresh** |

## Requirements

- Python 3.8+
- JupyterHub environment with Keycloak OIDC authentication
- HashiCorp Vault backend
- Required environment variables:
    - `JUPYTERHUB_USER`
    - `VAULT_ADDR`
    - `JUPYTERHUB_OIDC_ACCESS_TOKEN`
    - `JUPYTERHUB_OIDC_REFRESH_TOKEN` (for auto-refresh)
    - `KEYCLOAK_HOST`, `KEYCLOAK_REALM` (for auto-refresh)

## Architecture

buunstack integrates with:

- **JupyterHub**: For user authentication and session management
- **Keycloak**: For OIDC token management and refresh
- **HashiCorp Vault**: For secure secrets storage
- **Kubernetes**: For container orchestration and networking

## License

This project is licensed under the MIT License - see the [LICENSE](../LICENSE) file for details.

## Security

For security issues, please email security@buunstack.dev instead of using the issue tracker.