More support for PE flows, cleanup & improved typing (#70)

* Cleanup & improved typing

* Disable odd policy enforcement

* Add ".env-docker" file for local testing

* Add PE test support (GHA and docker) (#71)

* Add docker start script

* Gemini fixes

* Update GHA configuration

* Gemini fixes

* Enable PE e2e test

* Run 'pre-commit autoupdate' & fix lint issues

* Extract '_get_sdk_builder' function

* Cleanup & remove redundant function

* Improve typing

* Use patch() context manager, reduce imports

* Remove unnecessary import

* Combine 'yq' expressions

* Point to commit SHA

* Remove hallucination

* Match version number

* Bump 0.3.0a5 to 0.3.0a6

Author: b-long

.env-docker

@@ -0,0 +1,6 @@
+OPENTDF_PLATFORM_HOST="localhost"
+OPENTDF_PLATFORM_PORT=8080
+OPENTDF_PLATFORM_URL="http://localhost:8080"
+
+KEYCLOAK_URL="http://localhost:8888/auth"
+OIDC_OP_TOKEN_ENDPOINT="http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/token"

.github/start_opentdf_docker.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if ! [ -d platform ]; then
+  git clone https://github.com/opentdf/platform.git
+fi
+cd platform
+git checkout 3360befcb3e6e9791d7bfd2e89128aee0e7d2818 # Branch 'DSPX-1539-keytoolnomore'
+
+yq -i '.realms[0].clients[0].client.directAccessGrantsEnabled = true | .realms[0].clients[0].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+
+yq -i '.realms[0].clients[1].client.directAccessGrantsEnabled = true | .realms[0].clients[1].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+
+yq -i '.realms[0].clients[4].client.directAccessGrantsEnabled = true | .realms[0].clients[4].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+
+
+if ! [ -d ./keys ]; then
+  go mod download
+
+  go mod verify
+
+  .github/scripts/init-temp-keys.sh
+  cp opentdf-example.yaml opentdf.yaml
+
+  # Edit 'opentdf.yaml' for our use case
+  yq -i 'del(.db) | .services.entityresolution.url = "http://localhost:8888/auth" | .server.auth.issuer = "http://localhost:8888/auth/realms/opentdf"' opentdf.yaml
+  # The above expression can also be written as 3 separate commands:
+  # yq -i 'del(.db)' opentdf.yaml
+  # yq -i '.services.entityresolution.url = "http://localhost:8888/auth"' opentdf.yaml
+  # yq -i '.server.auth.issuer = "http://localhost:8888/auth/realms/opentdf"' opentdf.yaml
+
+  yq -i '
+.server.cryptoProvider = {
+  "type": "standard",
+  "standard": {
+    "keys": [
+      {
+        "kid": "r1",
+        "alg": "rsa:2048",
+        "private": "kas-private.pem",
+        "cert": "kas-cert.pem"
+      },
+      {
+        "kid": "e1",
+        "alg": "ec:secp256r1",
+        "private": "kas-ec-private.pem",
+        "cert": "kas-ec-cert.pem"
+      }
+    ]
+  }
+}
+' opentdf.yaml
+  chmod -R 700 ./keys
+fi
+
+docker compose up -d --wait --wait-timeout 360
+
+go run ./service provision keycloak
+
+go run ./service provision fixtures

.github/workflows/platform-integration-test.yaml

@@ -55,7 +55,39 @@ jobs:
         shell: bash
         run: |
           .github/scripts/init-temp-keys.sh
-          cp opentdf-dev.yaml opentdf.yaml
+          # Edit Keycloak sample file for our use case
+          yq -i '.realms[0].clients[0].client.directAccessGrantsEnabled = true | .realms[0].clients[0].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+          yq -i '.realms[0].clients[1].client.directAccessGrantsEnabled = true | .realms[0].clients[1].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+          yq -i '.realms[0].clients[4].client.directAccessGrantsEnabled = true | .realms[0].clients[4].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+
+          cp opentdf-example.yaml opentdf.yaml
+          # Edit 'opentdf.yaml' for our use case
+          yq -i 'del(.db) | .services.entityresolution.url = "http://localhost:8888/auth" | .server.auth.issuer = "http://localhost:8888/auth/realms/opentdf"' opentdf.yaml
+          # The above expression can also be written as 3 separate commands:
+          # yq -i 'del(.db)' opentdf.yaml
+          # yq -i '.services.entityresolution.url = "http://localhost:8888/auth"' opentdf.yaml
+          # yq -i '.server.auth.issuer = "http://localhost:8888/auth/realms/opentdf"' opentdf.yaml
+          yq -i '
+          .server.cryptoProvider = {
+            "type": "standard",
+            "standard": {
+              "keys": [
+                {
+                  "kid": "r1",
+                  "alg": "rsa:2048",
+                  "private": "kas-private.pem",
+                  "cert": "kas-cert.pem"
+                },
+                {
+                  "kid": "e1",
+                  "alg": "ec:secp256r1",
+                  "private": "kas-ec-private.pem",
+                  "cert": "kas-ec-cert.pem"
+                }
+              ]
+            }
+          }
+          ' opentdf.yaml
           sudo chmod -R 777 ./keys
         working-directory: platform
       # - name: Trust the locally issued cert

.gitignore

@@ -1,6 +1,8 @@
 # Created by https://www.toptal.com/developers/gitignore/api/python
 # Edit at https://www.toptal.com/developers/gitignore?templates=python
 
+platform/
+
 ### Python ###
 # Byte-compiled / optimized / DLL files
 __pycache__/

.pre-commit-config.yaml

@@ -12,7 +12,7 @@ exclude: |
 # See https://pre-commit.com/hooks.html for more hooks#
 repos:
     - repo: https://github.com/pre-commit/pre-commit-hooks
-      rev: v5.0.0
+      rev: v6.0.0
       hooks:
           - id: check-yaml
           - id: end-of-file-fixer
@@ -45,7 +45,7 @@ repos:
 
     - repo: https://github.com/astral-sh/ruff-pre-commit
       # Ruff version.
-      rev: v0.12.8
+      rev: v0.12.10
       hooks:
         # Run the linter.
         - id: ruff

otdf-python-proto/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "otdf-python-proto"
-version = "0.1.0"
+version = "0.3.0a6"
 description = "Generated protobuf files for OpenTDF Python SDK"
 readme = "README.md"
 authors = [

otdf-python-proto/scripts/generate_connect_proto.py

@@ -26,7 +26,7 @@ def check_dependencies() -> bool:
         try:
             subprocess.run(check_cmd, shell=True, capture_output=True, check=True)
             print(f"✓ {name} is available")
-        except (subprocess.CalledProcessError, FileNotFoundError):
+        except (subprocess.CalledProcessError, FileNotFoundError):  # noqa: PERF203
             missing.append(name)
             print(f"✗ {name} is missing")
 
@@ -104,7 +104,7 @@ def copy_opentdf_proto_files(proto_gen_dir: Path) -> bool:
 
                     copied_files += 1
 
-                except Exception as e:
+                except Exception as e:  # noqa: PERF203
                     print(f"  Warning: Failed to copy {relative_path}: {e}")
 
         print(f"Found and copied {copied_files} proto files from repository")
@@ -235,7 +235,7 @@ def _fix_ignore_if_default_value(proto_files_dir):
 
             print(f"Updated {proto_file.name} to use IGNORE_IF_ZERO_VALUE")
 
-        except Exception as e:
+        except Exception as e:  # noqa: PERF203
             print(f"Error updating {proto_file.name}: {e}")
 
 

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "otdf-python"
-version = "0.3.0a5"
+version = "0.3.0a6"
 description = "Unofficial OpenTDF SDK for Python"
 readme = "README.md"
 authors = [

src/otdf_python/cli.py

@@ -3,7 +3,7 @@
 OpenTDF Python CLI
 
 A command-line interface for encrypting and decrypting files using OpenTDF.
-Provides encrypt, decrypt, and inspect commands similar to the TypeScript CLI.
+Provides encrypt, decrypt, and inspect commands similar to the otdfctl CLI.
 """
 
 import argparse
@@ -22,7 +22,7 @@
 
 
 # Version - get from project metadata
-__version__ = "0.3.0a5"
+__version__ = "0.3.0a6"
 
 
 # Set up logging
@@ -146,7 +146,7 @@ def build_sdk(args) -> SDK:
     else:
         raise CLIError(
             "CRITICAL",
-            "Authentication required: provide --with-client-creds-file, --client-id and --client-secret, or --auth",
+            "Authentication required: provide --with-client-creds-file OR --client-id and --client-secret",
         )
 
     if hasattr(args, "plaintext") and args.plaintext:
@@ -307,7 +307,9 @@ def cmd_decrypt(args):
                         # Regular TDF (ZIP format)
                         logger.debug("Decrypting TDF")
                         reader_config = TDFReaderConfig()
-                        tdf_reader = sdk.load_tdf(encrypted_data, reader_config)
+                        tdf_reader = sdk.load_tdf_with_config(
+                            encrypted_data, reader_config
+                        )
                         # Access payload directly from TDFReader
                         payload_bytes = tdf_reader.payload
                         output_file.write(payload_bytes)
@@ -331,7 +333,7 @@ def cmd_decrypt(args):
                 # Regular TDF (ZIP format)
                 logger.debug("Decrypting TDF")
                 reader_config = TDFReaderConfig()
-                tdf_reader = sdk.load_tdf(encrypted_data, reader_config)
+                tdf_reader = sdk.load_tdf_with_config(encrypted_data, reader_config)
                 payload_bytes = tdf_reader.payload
                 output_file.write(payload_bytes)
                 logger.info("Successfully decrypted TDF")
@@ -384,7 +386,9 @@ def cmd_inspect(args):
                 # Regular TDF
                 logger.debug("Inspecting TDF")
                 reader_config = TDFReaderConfig()
-                tdf_reader = sdk.load_tdf(BytesIO(encrypted_data), reader_config)
+                tdf_reader = sdk.load_tdf_with_config(
+                    BytesIO(encrypted_data), reader_config
+                )
                 manifest = tdf_reader.manifest
 
                 # Try to get data attributes
@@ -479,11 +483,6 @@ def create_parser() -> argparse.ArgumentParser:
     )
     auth_group.add_argument("--client-id", help="OAuth client ID")
     auth_group.add_argument("--client-secret", help="OAuth client secret")
-    # Keep --auth for backward compatibility
-    auth_group.add_argument(
-        "--auth",
-        help="Combined OAuth credentials (clientId:clientSecret) - deprecated, use --with-client-creds-file",
-    )
 
     # Security options
     security_group = parser.add_argument_group("Security")

src/otdf_python/crypto_utils.py

@@ -75,8 +75,3 @@ def get_rsa_private_key_from_pem(pem_data: str) -> rsa.RSAPrivateKey:
         if not isinstance(private_key, rsa.RSAPrivateKey):
             raise ValueError("Not an RSA private key")
         return private_key
-
-
-# Aliases for compatibility
-rsa_private_key_from_pem = CryptoUtils.get_rsa_private_key_from_pem
-rsa_public_key_from_pem = CryptoUtils.get_rsa_public_key_from_pem