feat!: rewrite in pure Python (#62)

* Begin rewrite in pure Python

* Organize: git mv src/otdf_python/test_*.py tests/

* Format according to 'ruff'

* Fix static analysis

* Cleanup and organize tests/test_validate_otdf_python.py

* Remove 'TDFConfig' type from 'otdf_python.tdf'

* Fix description & formatting

* Add 'pydantic-settings' to dev & update dependencies

* Correct version number

* Cleanup and fix OIDC tests

* Comment old style integration test

* Execute majority of tests

* Allow import from 'tests'

* Fix string encryption test

* Remove dead code

* Adjust integration test

* Remove old build scripts

* Update README

* Update GHA triggers

* Fix endpoint URL and TLS verification

* ✅ Significant update 143 out of 150 tests passing

- When run with the proper .env file: 7 failed, 142 passed, 2 skipped, 1 warning
- Critical naming fix
- Update .proto files
- Add script to update .proto files
- Ditch HTTP impl
- Improve manifest and encrypt test
- Python CLI decrypt now works correctly with TDF files created by otdfctl

* Run all tests, except integration

* Update GHA configuration

* Mark integration tests

* Fix mocked tests/test_kas_client.py

* Mark integration tests

* Only build for 3.13 (temporary)

* Update license

* Enable and fix integration tests in CI

Cleanup tests

* Improve support for plaintext

* Make log collection optional

* Fix tests for plaintext

* Fix docstrings

* Fix docstrings

* Extract Connect RPC class

* Fix additional roundtrip testing

* Fix tests after kas_client updates

* Expand KAS client integration tests

* Fix mimeType

* Expand testing, fix compression bug

* Auto-use check_for_otdfctl fixture

* Expand static analysis, fix FURB188

* Use 'NULL_POLICY_UUID' for now

* Update kas_client.py & tdf.py, expand tests

* Expand & organize integration tests

* Expand static analysis, fix PT018

* Use configurable attrs in testing

* Use configurable attrs in testing

* Examine entitlements in CI

* Extract 'temp_credentials_file' fixture

* Rename file

* Modernize release workflows

* Modernize release workflows

* Update release workflow

* Manage 'otdf-python-proto' as a sub-package

* Update README

* Manage 'otdf-python-proto' as a sub-package

* Support Python 3.10+

* Fix version number

* Fix Python version requirement

* Bump version 0.3.0a4 -> 0.3.0a5

* Fix version extract command

* Undo file name change

* More support for PE flows, cleanup & improved typing (#70)

* Cleanup & improved typing

* Disable odd policy enforcement

* Add ".env-docker" file for local testing

* Add PE test support (GHA and docker) (#71)

* Add docker start script

* Gemini fixes

* Update GHA configuration

* Gemini fixes

* Enable PE e2e test

* Run 'pre-commit autoupdate' & fix lint issues

* Extract '_get_sdk_builder' function

* Cleanup & remove redundant function

* Improve typing

* Use patch() context manager, reduce imports

* Remove unnecessary import

* Combine 'yq' expressions

* Point to commit SHA

* Remove hallucination

* Match version number

* Bump 0.3.0a5 to 0.3.0a6

* Chore/update docs and release process (#72)

* Cleanup docs

* Refine workflows for release management and testing

- Implement `release-please` workflow for automated releases.
- Create `publish-test` and `publish` workflows to handle package builds and releases.
- Introduce `test-suite` workflow to run tests before publishing.
- Update configuration files for release management.

* Add 'ruff' as dev dependency

* Configure ruff to ignore generated files

* Fail fast if linting fails

* Document release process

* Bump version to 0.3.0a7

* Publish new alpha

* Allow replacing artifacts with the same name

* Remove the duplicate integration-test job

* Attempt alpha release

* chore: improve pre-commit configuration

* chore: revert 'rm CONNECT_RPC_MIGRATION.md'

* chore: disable TestPyPIBuild unless workflow_dispatch

* chore: bump version 0.3.0a7 -> 0.3.0a8

* chore: bump version 0.3.0a8 -> 0.3.0a9

* chore: target this branch

* chore: target develop branch

* chore: fix release-please config

* chore: fix version number

* chore: use standard 'workflow_call'

* chore: clean up publishing

* fix: fix publishing

* chore: release 0.3.0a10

Release-As: 0.3.0a10

* fix: fix publishing

* chore: release 0.3.0a11

Release-As: 0.3.0a11

* chore: release develop (#81)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: align version numbers

* chore: add 'otdf-python-proto/uv.lock' file

* chore: add 'otdf-python-proto/uv.lock' file

* fix: omit README from Github releases

* chore: document legacy version

* fix: address pre-commit (lint) issues

* chore: verbose output for pypi uploads

* fix: use correct 'extra-files' for uv.lock

See also: googleapis/release-please#2561

* chore: release 0.3.1

Release-As: 0.3.1

* chore: release develop (#82)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: organize docs

* fix: remove unnecessary 'ncipollo/release-action'

* chore: add developer doc

* chore: CI improvements (#88)

* chore: prevent TestPyPI publishing <= 0.3.2

* chore: update .pre-commit-config.yaml

* chore: align versions

* chore: ensure future version alignment

* chore: comment unused GHA step

* chore: simplify version parsing

* chore: add tomli for Python < 3.11

* fix: get version dynamically in 'test_cli.py'

* fix: guarantee target-version decrypt support (#84)

* fix: add test data

* fix: improve target-version support

* fix: add get_cli_flags function

* fix: fix tests

* fix: bug handling bytes | BinaryIO & tests

* fix: update .gitignore

* fix: remove invalid default KAS

* fix: disable attrs for now

* fix: DRY test fixtures

* chore: cleanup

* fix:target mode encryption (#86)

* chore: update pre-commit

* fix: type annotations in tdf.py

* chore: expand inspect tests

* chore: cleanup tests

* chore: organize imports

* chore: require sorted imports

* chore: add test_cli_decrypt.py

* chore: organize integration tests

* chore: organize integration tests

* Tweak attributes

* chore: cleanup tests

* chore: cleanup tests

* chore: dry tests (#87)

* chore: dry tests

* chore: relocate run_cli_inspect

* chore: fix type annotation

* chore: note token isn't important

* chore: cleanup args & typing

* chore: extract 'get_platform_url' function

* chore: extract 'support_otdfctl_args' module

* chore: use '*get_cli_flags()' pattern

* chore: DRY code

* chore: DRY code

* chore: extract 'get_testing_environ' function

* chore: DRY code

* chore: DRY code

* chore: DRY code

* chore: improve pre-commit config

* fix: mirrored workflows for target-mode (#91)

* chore: cleanup for mirrored workflows

* chore: cleanup for mirrored workflows

* chore: cleanup for mirrored workflows

* chore: cleanup for mirrored workflows

* chore: cleanup for mirrored workflows

* chore: remove otdf-python-proto from manifest

* chore: cleanup and release (#93)

* fix: don't inspect without auth

* fix: process otdf-python-proto/pyproject.toml correctly

* chore: remove NanoTDF from README

* chore: mention legacy version in main README

* chore: set version to 0.3.1

* chore: fix release-please

* fix: release-please configuration (#95)

* fix: "jsonpath" in release-please-config.json

* chore: remove invalid changelog entries

* chore: cleanup branches used in release-please

* chore: remove invalid changelog file

* chore: reset version to 0.3.0

* chore: cleanup whitespace

* chore: improve release process

* chore: document release process

* chore: delete invalid information

* fix: update prerelease config for develop branch

* chore(develop): release otdf-python 0.3.1 (#96)

* chore(develop): release otdf-python 0.3.1

* Update CHANGELOG.md

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: b-long <[email protected]>

* fix: fix .release-please-config.json file (#97)

* fix: fix .release-please-config.json file

* chore: align for version 0.3.1

* chore: use importlib for version

* chore: manage .py files without relese-please

* fix: allow for development version in CLI version test

* Update src/otdf_python/cli.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* chore(develop): release otdf-python 0.3.2 (#98)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: release configuration (#99)

* chore: fix release-please config

* chore: remove invalid changelog entries

* chore: roll back to 0.3.0

* fix: add develop-specific release-please files and update workflow

- Add .release-please-config-develop.json with prerelease: true
- Add .release-please-manifest-develop.json with current version
- Remove dynamic file creation from workflow
- Files are now committed to repo instead of generated at runtime

* chore(develop): release otdf-python 0.3.1 (#100)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Author: 3 people

.env-docker

@@ -0,0 +1,6 @@
+OPENTDF_PLATFORM_HOST="localhost"
+OPENTDF_PLATFORM_PORT=8080
+OPENTDF_PLATFORM_URL="http://localhost:8080"
+
+KEYCLOAK_URL="http://localhost:8888/auth"
+OIDC_OP_TOKEN_ENDPOINT="http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/token"

.github/check_entitlements.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Derive additional environment variables
+TOKEN_URL="${OIDC_OP_TOKEN_ENDPOINT}"
+OTDF_HOST_AND_PORT="${OPENTDF_PLATFORM_HOST}"
+OTDF_CLIENT="${OPENTDF_CLIENT_ID}"
+OTDF_CLIENT_SECRET="${OPENTDF_CLIENT_SECRET}"
+
+echo "🔧 Environment Configuration:"
+echo "   TOKEN_URL: ${TOKEN_URL}"
+echo "   OTDF_HOST_AND_PORT: ${OTDF_HOST_AND_PORT}"
+echo "   OTDF_CLIENT: ${OTDF_CLIENT}"
+echo "   OTDF_CLIENT_SECRET: ${OTDF_CLIENT_SECRET}"
+echo ""
+
+get_token() {
+    curl -k --location "$TOKEN_URL" \
+    --header "X-VirtruPubKey;" \
+    --header "Content-Type: application/x-www-form-urlencoded" \
+    --data-urlencode "grant_type=client_credentials" \
+    --data-urlencode "client_id=$OTDF_CLIENT" \
+    --data-urlencode "client_secret=$OTDF_CLIENT_SECRET"
+}
+
+echo "🔐 Getting access token..."
+BEARER=$( get_token | jq -r '.access_token' )
+# NOTE: It's always okay to print this token, because it will
+# only be valid / available in dummy / dev scenarios
+[[ "${DEBUG:-}" == "1" ]] && echo "Got Access Token: ${BEARER}"
+echo ""
+
+# Array of usernames to check
+USERNAMES=("opentdf" "sample-user" "sample-user-1" "cli-client" "opentdf-sdk")
+
+for USERNAME in "${USERNAMES[@]}"; do
+    echo "👤 Fetching entitlements for username: ${USERNAME}"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+    grpcurl -plaintext \
+      -H "authorization: Bearer $BEARER" \
+      -d "{
+      \"entities\": [
+        {
+          \"userName\": \"$USERNAME\"
+        }
+      ]
+    }" \
+      "$OTDF_HOST_AND_PORT" \
+      authorization.AuthorizationService/GetEntitlements
+
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo "✅ Entitlements retrieval complete for ${USERNAME}!"
+    echo ""
+done
+
+echo "🎉 All entitlement checks completed!"

.github/start_opentdf_docker.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if ! [ -d platform ]; then
+  git clone https://github.com/opentdf/platform.git
+fi
+cd platform
+git checkout 3360befcb3e6e9791d7bfd2e89128aee0e7d2818 # Branch 'DSPX-1539-keytoolnomore'
+
+yq -i '.realms[0].clients[0].client.directAccessGrantsEnabled = true | .realms[0].clients[0].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+
+yq -i '.realms[0].clients[1].client.directAccessGrantsEnabled = true | .realms[0].clients[1].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+
+yq -i '.realms[0].clients[4].client.directAccessGrantsEnabled = true | .realms[0].clients[4].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+
+
+if ! [ -d ./keys ]; then
+  go mod download
+
+  go mod verify
+
+  .github/scripts/init-temp-keys.sh
+  cp opentdf-example.yaml opentdf.yaml
+
+  # Edit 'opentdf.yaml' for our use case
+  yq -i 'del(.db) | .services.entityresolution.url = "http://localhost:8888/auth" | .server.auth.issuer = "http://localhost:8888/auth/realms/opentdf"' opentdf.yaml
+  # The above expression can also be written as 3 separate commands:
+  # yq -i 'del(.db)' opentdf.yaml
+  # yq -i '.services.entityresolution.url = "http://localhost:8888/auth"' opentdf.yaml
+  # yq -i '.server.auth.issuer = "http://localhost:8888/auth/realms/opentdf"' opentdf.yaml
+
+  yq -i '
+.server.cryptoProvider = {
+  "type": "standard",
+  "standard": {
+    "keys": [
+      {
+        "kid": "r1",
+        "alg": "rsa:2048",
+        "private": "kas-private.pem",
+        "cert": "kas-cert.pem"
+      },
+      {
+        "kid": "e1",
+        "alg": "ec:secp256r1",
+        "private": "kas-ec-private.pem",
+        "cert": "kas-ec-cert.pem"
+      }
+    ]
+  }
+}
+' opentdf.yaml
+  chmod -R 700 ./keys
+fi
+
+docker compose up -d --wait --wait-timeout 360
+
+go run ./service provision keycloak
+
+go run ./service provision fixtures

.github/workflows/build-golang-macos.yaml

@@ -1,44 +1,42 @@
----
-name: Build Python package(s)
-
+# Build otdf-python wheel using uv and output the wheel path for downstream workflows
+name: "Build Python Wheel"
 on:
-    push:
-        branches:
-            - disabled
+  push:
+    branches:
+      - chore/rewrite
+  pull_request:
 
 jobs:
-    build:
-
-        runs-on: ubuntu-22.04
-        strategy:
-            matrix:
-                go-version: [1.24.x]
+  build:
+    runs-on: ubuntu-22.04
+    outputs:
+      wheel: ${{ steps.find_wheel.outputs.wheel_path }}
+    steps:
+      - name: Checkout this repo
+        uses: actions/checkout@v4
 
-        steps:
-            - uses: actions/checkout@v4
-      # - name: Setup Go
-      #   uses: actions/setup-go@v4
-      #   with:
-      #     go-version: ${{ matrix.go-version }}
-      #     cache-dependency-path: go.sum
-      # - name: Install dependencies
-      #   run: go get .
-      # - name: Test with Go
-      #   run: go test -timeout 40s -run ^TestHello$ gotdf_python -count=1 # go test
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
 
-            - name: Set up Python
-              uses: actions/setup-python@v4
-              with:
-                  python-version: '3.12'
-            - name: Install dependencies
-              run: |
-                  pip install poetry
-            - name: Invoke pylint with all dependencies
-              run: |
-                  # Since we don't have our wheel build / install configured yet we use '--no-root'
-                  poetry install --no-root
+      - name: Build otdf-python wheel using uv
+        run: |
+          uv sync --frozen
+          uv build
+        shell: bash
 
-                  # poetry install
+      - name: Find built wheel
+        id: find_wheel
+        run: |
+          wheel_path=$(ls dist/*.whl | head -n1)
+          echo "wheel_path=$wheel_path" >> $GITHUB_OUTPUT
+        shell: bash
 
-                  # Bring this back later
-                  # poetry run pytest tests/
+      # - name: Upload wheel as artifact
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     name: python-wheel
+      #     path: dist/*.whl
+      #     overwrite: true