azkv-ssh-fetch 0.1.0__tar.gz

azkv_ssh_fetch-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,44 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: ${{ matrix.python-version }} on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest]
+        python-version: ["3.10", "3.11", "3.12"]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+
+      - name: Install
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Lint (ruff)
+        run: |
+          ruff check .
+          ruff format --check .
+
+      - name: Type-check (mypy)
+        run: mypy src
+
+      - name: Test (pytest)
+        run: pytest -q

azkv_ssh_fetch-0.1.0/.github/workflows/release.yml

@@ -0,0 +1,50 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build distribution
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install build tooling
+        run: python -m pip install --upgrade pip build
+
+      - name: Build sdist + wheel
+        run: python -m build
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    name: Publish to PyPI
+    needs: build
+    runs-on: ubuntu-latest
+    # PyPI trusted publishing (OIDC). Requires the project to be pre-registered
+    # on PyPI with this GitHub repo + workflow allow-listed.
+    environment:
+      name: pypi
+      url: https://pypi.org/p/azkv-ssh-fetch
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - uses: pypa/gh-action-pypi-publish@release/v1

azkv_ssh_fetch-0.1.0/.gitignore

@@ -0,0 +1,52 @@
+# Byte-compiled / optimized
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# Virtual environments
+.venv/
+venv/
+env/
+.env
+
+# Tooling caches
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+.pytest_cache/
+.ruff_cache/
+.mypy_cache/
+htmlcov/
+coverage.xml
+*.cover
+.hypothesis/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+
+# OS
+.DS_Store
+Thumbs.db

azkv_ssh_fetch-0.1.0/.pre-commit-config.yaml

@@ -0,0 +1,28 @@
+repos:
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.5.7
+    hooks:
+      - id: ruff
+        args: [--fix, --exit-non-zero-on-fix]
+      - id: ruff-format
+
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.10.1
+    hooks:
+      - id: mypy
+        args: [--strict]
+        additional_dependencies:
+          - typer>=0.12
+          - rich>=13.7
+          - azure-identity>=1.17
+          - azure-keyvault-secrets>=4.8
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: check-yaml
+      - id: check-toml
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: check-merge-conflict
+      - id: check-added-large-files

azkv_ssh_fetch-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Naeem Hossain
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

azkv_ssh_fetch-0.1.0/PKG-INFO

@@ -0,0 +1,175 @@
+Metadata-Version: 2.4
+Name: azkv-ssh-fetch
+Version: 0.1.0
+Summary: Fetch SSH private keys from Azure Key Vault and connect to VMs/VMSS via Bastion.
+Project-URL: Homepage, https://github.com/NaeemH/azkv-ssh-fetch
+Project-URL: Repository, https://github.com/NaeemH/azkv-ssh-fetch
+Project-URL: Issues, https://github.com/NaeemH/azkv-ssh-fetch/issues
+Author-email: Naeem Hossain <naeemhossain.mail@gmail.com>
+License: MIT License
+        
+        Copyright (c) 2026 Naeem Hossain
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in
+        all copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+        THE SOFTWARE.
+License-File: LICENSE
+Keywords: azure,bastion,devops,key-vault,ssh,vmss
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: System Administrators
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: MacOS
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: System :: Systems Administration
+Requires-Python: >=3.10
+Requires-Dist: azure-identity>=1.17
+Requires-Dist: azure-keyvault-secrets>=4.8
+Requires-Dist: rich>=13.7
+Requires-Dist: typer>=0.12
+Provides-Extra: dev
+Requires-Dist: mypy>=1.10; extra == 'dev'
+Requires-Dist: pre-commit>=3.7; extra == 'dev'
+Requires-Dist: pytest-cov>=5.0; extra == 'dev'
+Requires-Dist: pytest-mock>=3.12; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: ruff>=0.5; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# azkv-ssh-fetch
+
+[![CI](https://github.com/NaeemH/azkv-ssh-fetch/actions/workflows/ci.yml/badge.svg)](https://github.com/NaeemH/azkv-ssh-fetch/actions/workflows/ci.yml)
+[![PyPI](https://img.shields.io/pypi/v/azkv-ssh-fetch.svg)](https://pypi.org/project/azkv-ssh-fetch/)
+[![Python](https://img.shields.io/pypi/pyversions/azkv-ssh-fetch.svg)](https://pypi.org/project/azkv-ssh-fetch/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+
+> Fetch SSH private keys from **Azure Key Vault** and connect to VMs / VMSS instances through **Azure Bastion** — in one command.
+
+`azkv-ssh-fetch` (alias `akf`) wraps the boring half of the operator workflow:
+
+1. Authenticate via `DefaultAzureCredential` (env vars → managed identity → `az login`).
+2. Pull the named private key from a Key Vault.
+3. Write it to `~/.ssh/<name>` with mode `0600` (atomic replace, parent dir tightened to `0700`).
+4. Shell out to `az network bastion ssh` with the right flags.
+5. Optionally shred the key on disconnect.
+
+## Why this exists
+
+If your operating model says "private keys live in Key Vault, humans get to them through RBAC, and the only path to the VM is through Bastion" — then operators end up running the same 6-line shell snippet over and over. This packages that snippet, types it, tests it, and removes the foot-guns (wrong perms, stale keys lingering in `/tmp`, mis-typed resource IDs).
+
+## Install
+
+```bash
+pipx install azkv-ssh-fetch
+# or
+pip install --user azkv-ssh-fetch
+```
+
+Requires Python 3.10+ and the `az` CLI on `PATH` for the `connect` subcommand.
+
+## Quick start
+
+```bash
+# 1. List SSH-shaped secrets in a vault
+akf list --vault pro-zks1-nagios-kv
+
+# 2. Pull a key to ~/.ssh/nagios-ssh (mode 600, atomic)
+akf fetch --vault pro-zks1-nagios-kv nagios-ssh
+
+# 3. Fetch + Bastion SSH in one shot
+akf connect \
+  --vault pro-zks1-nagios-kv \
+  --secret nagios-ssh \
+  --bastion my-bastion \
+  --bastion-rg my-bastion-rg \
+  --target-id "/subscriptions/.../virtualMachineScaleSets/zks1-nagios/virtualMachines/0" \
+  --username azureuser
+```
+
+## Configuration
+
+| Variable      | Meaning                                                       |
+| ------------- | ------------------------------------------------------------- |
+| `AZKV_VAULT`  | Default Key Vault name (overridden by `--vault`).             |
+| `AZKV_DEBUG`  | Set to `1` for verbose `azure-identity` logging on stderr.    |
+| Standard `AZURE_*` env vars are honored by `DefaultAzureCredential`. |
+
+## Subcommands
+
+### `list`
+
+Show enabled secrets in the vault whose names look like SSH keys (match `ssh`, `key`, `id_rsa`, `id_ed25519`). Exits `1` if none found, `2` on access errors.
+
+### `fetch`
+
+Pull a single secret and write it to disk.
+
+```
+Usage: akf fetch [OPTIONS] SECRET
+
+  Pull SECRET from VAULT and write it locally (chmod 600).
+
+Options:
+  -v, --vault TEXT         Key Vault name. [env: AZKV_VAULT; required]
+  -o, --output PATH        Destination path. Default: ~/.ssh/<secret>.
+```
+
+### `connect`
+
+Fetch the key, open a Bastion SSH session, and (unless `--keep-key`) remove the key file on disconnect.
+
+```
+Usage: akf connect [OPTIONS]
+
+Options:
+  -v, --vault TEXT          Key Vault name. [env: AZKV_VAULT; required]
+  -s, --secret TEXT         KV secret name. [required]
+  -b, --bastion TEXT        Bastion name. [required]
+      --bastion-rg TEXT     Bastion's resource group. [required]
+  -t, --target-id TEXT      Full ARM resource ID of target VM or VMSS instance. [required]
+  -u, --username TEXT       SSH username on the target. [default: azureuser]
+      --keep-key/--shred-key
+                            Leave the key on disk after disconnect. [default: shred-key]
+```
+
+## Security notes
+
+- **Always 0600.** Keys are written through a sibling tempfile with `0600` set via `fchmod` *before* any bytes touch disk, then atomically renamed.
+- **No shell interpolation.** The `az` invocation is a fixed `argv` list — no `shell=True`.
+- **Key shredding.** `connect` removes the on-disk copy on disconnect by default. Pass `--keep-key` to retain it.
+- **Trust chain.** Auth uses `DefaultAzureCredential`; nothing custom about token handling.
+
+## Development
+
+```bash
+git clone https://github.com/NaeemH/azkv-ssh-fetch
+cd azkv-ssh-fetch
+python -m venv .venv && source .venv/bin/activate
+pip install -e ".[dev]"
+pre-commit install
+pytest
+ruff check . && ruff format --check .
+mypy src
+```
+
+## License
+
+[MIT](LICENSE) © 2026 Naeem Hossain

azkv_ssh_fetch-0.1.0/README.md

@@ -0,0 +1,119 @@
+# azkv-ssh-fetch
+
+[![CI](https://github.com/NaeemH/azkv-ssh-fetch/actions/workflows/ci.yml/badge.svg)](https://github.com/NaeemH/azkv-ssh-fetch/actions/workflows/ci.yml)
+[![PyPI](https://img.shields.io/pypi/v/azkv-ssh-fetch.svg)](https://pypi.org/project/azkv-ssh-fetch/)
+[![Python](https://img.shields.io/pypi/pyversions/azkv-ssh-fetch.svg)](https://pypi.org/project/azkv-ssh-fetch/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+
+> Fetch SSH private keys from **Azure Key Vault** and connect to VMs / VMSS instances through **Azure Bastion** — in one command.
+
+`azkv-ssh-fetch` (alias `akf`) wraps the boring half of the operator workflow:
+
+1. Authenticate via `DefaultAzureCredential` (env vars → managed identity → `az login`).
+2. Pull the named private key from a Key Vault.
+3. Write it to `~/.ssh/<name>` with mode `0600` (atomic replace, parent dir tightened to `0700`).
+4. Shell out to `az network bastion ssh` with the right flags.
+5. Optionally shred the key on disconnect.
+
+## Why this exists
+
+If your operating model says "private keys live in Key Vault, humans get to them through RBAC, and the only path to the VM is through Bastion" — then operators end up running the same 6-line shell snippet over and over. This packages that snippet, types it, tests it, and removes the foot-guns (wrong perms, stale keys lingering in `/tmp`, mis-typed resource IDs).
+
+## Install
+
+```bash
+pipx install azkv-ssh-fetch
+# or
+pip install --user azkv-ssh-fetch
+```
+
+Requires Python 3.10+ and the `az` CLI on `PATH` for the `connect` subcommand.
+
+## Quick start
+
+```bash
+# 1. List SSH-shaped secrets in a vault
+akf list --vault pro-zks1-nagios-kv
+
+# 2. Pull a key to ~/.ssh/nagios-ssh (mode 600, atomic)
+akf fetch --vault pro-zks1-nagios-kv nagios-ssh
+
+# 3. Fetch + Bastion SSH in one shot
+akf connect \
+  --vault pro-zks1-nagios-kv \
+  --secret nagios-ssh \
+  --bastion my-bastion \
+  --bastion-rg my-bastion-rg \
+  --target-id "/subscriptions/.../virtualMachineScaleSets/zks1-nagios/virtualMachines/0" \
+  --username azureuser
+```
+
+## Configuration
+
+| Variable      | Meaning                                                       |
+| ------------- | ------------------------------------------------------------- |
+| `AZKV_VAULT`  | Default Key Vault name (overridden by `--vault`).             |
+| `AZKV_DEBUG`  | Set to `1` for verbose `azure-identity` logging on stderr.    |
+| Standard `AZURE_*` env vars are honored by `DefaultAzureCredential`. |
+
+## Subcommands
+
+### `list`
+
+Show enabled secrets in the vault whose names look like SSH keys (match `ssh`, `key`, `id_rsa`, `id_ed25519`). Exits `1` if none found, `2` on access errors.
+
+### `fetch`
+
+Pull a single secret and write it to disk.
+
+```
+Usage: akf fetch [OPTIONS] SECRET
+
+  Pull SECRET from VAULT and write it locally (chmod 600).
+
+Options:
+  -v, --vault TEXT         Key Vault name. [env: AZKV_VAULT; required]
+  -o, --output PATH        Destination path. Default: ~/.ssh/<secret>.
+```
+
+### `connect`
+
+Fetch the key, open a Bastion SSH session, and (unless `--keep-key`) remove the key file on disconnect.
+
+```
+Usage: akf connect [OPTIONS]
+
+Options:
+  -v, --vault TEXT          Key Vault name. [env: AZKV_VAULT; required]
+  -s, --secret TEXT         KV secret name. [required]
+  -b, --bastion TEXT        Bastion name. [required]
+      --bastion-rg TEXT     Bastion's resource group. [required]
+  -t, --target-id TEXT      Full ARM resource ID of target VM or VMSS instance. [required]
+  -u, --username TEXT       SSH username on the target. [default: azureuser]
+      --keep-key/--shred-key
+                            Leave the key on disk after disconnect. [default: shred-key]
+```
+
+## Security notes
+
+- **Always 0600.** Keys are written through a sibling tempfile with `0600` set via `fchmod` *before* any bytes touch disk, then atomically renamed.
+- **No shell interpolation.** The `az` invocation is a fixed `argv` list — no `shell=True`.
+- **Key shredding.** `connect` removes the on-disk copy on disconnect by default. Pass `--keep-key` to retain it.
+- **Trust chain.** Auth uses `DefaultAzureCredential`; nothing custom about token handling.
+
+## Development
+
+```bash
+git clone https://github.com/NaeemH/azkv-ssh-fetch
+cd azkv-ssh-fetch
+python -m venv .venv && source .venv/bin/activate
+pip install -e ".[dev]"
+pre-commit install
+pytest
+ruff check . && ruff format --check .
+mypy src
+```
+
+## License
+
+[MIT](LICENSE) © 2026 Naeem Hossain

azkv_ssh_fetch-0.1.0/pyproject.toml

@@ -0,0 +1,90 @@
+[build-system]
+requires = ["hatchling>=1.18"]
+build-backend = "hatchling.build"
+
+[project]
+name = "azkv-ssh-fetch"
+version = "0.1.0"
+description = "Fetch SSH private keys from Azure Key Vault and connect to VMs/VMSS via Bastion."
+readme = "README.md"
+requires-python = ">=3.10"
+license = { file = "LICENSE" }
+authors = [{ name = "Naeem Hossain", email = "naeemhossain.mail@gmail.com" }]
+keywords = ["azure", "ssh", "key-vault", "bastion", "vmss", "devops"]
+classifiers = [
+  "Development Status :: 4 - Beta",
+  "Environment :: Console",
+  "Intended Audience :: System Administrators",
+  "License :: OSI Approved :: MIT License",
+  "Operating System :: POSIX :: Linux",
+  "Operating System :: MacOS",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3.10",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Topic :: System :: Systems Administration",
+]
+dependencies = [
+  "typer>=0.12",
+  "rich>=13.7",
+  "azure-identity>=1.17",
+  "azure-keyvault-secrets>=4.8",
+]
+
+[project.optional-dependencies]
+dev = [
+  "pytest>=8.0",
+  "pytest-cov>=5.0",
+  "pytest-mock>=3.12",
+  "ruff>=0.5",
+  "mypy>=1.10",
+  "pre-commit>=3.7",
+]
+
+[project.urls]
+Homepage = "https://github.com/NaeemH/azkv-ssh-fetch"
+Repository = "https://github.com/NaeemH/azkv-ssh-fetch"
+Issues = "https://github.com/NaeemH/azkv-ssh-fetch/issues"
+
+[project.scripts]
+azkv-ssh-fetch = "azkv_ssh_fetch.cli:app"
+akf = "azkv_ssh_fetch.cli:app"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/azkv_ssh_fetch"]
+
+[tool.ruff]
+line-length = 100
+target-version = "py310"
+src = ["src", "tests"]
+
+[tool.ruff.lint]
+select = [
+  "E",   # pycodestyle errors
+  "W",   # pycodestyle warnings
+  "F",   # pyflakes
+  "I",   # isort
+  "B",   # flake8-bugbear
+  "C4",  # flake8-comprehensions
+  "UP",  # pyupgrade
+  "N",   # pep8-naming
+  "ARG", # flake8-unused-arguments
+  "SIM", # flake8-simplify
+]
+ignore = ["E501"] # handled by formatter
+
+[tool.ruff.format]
+quote-style = "double"
+
+[tool.mypy]
+python_version = "3.10"
+strict = true
+warn_return_any = true
+warn_unused_configs = true
+disallow_untyped_defs = true
+ignore_missing_imports = true
+
+[tool.pytest.ini_options]
+minversion = "8.0"
+addopts = "-ra --strict-markers --cov=azkv_ssh_fetch --cov-report=term-missing"
+testpaths = ["tests"]

azkv_ssh_fetch-0.1.0/src/azkv_ssh_fetch/__about__.py

@@ -0,0 +1 @@
+__version__ = "0.1.0"

azkv_ssh_fetch-0.1.0/src/azkv_ssh_fetch/__init__.py

@@ -0,0 +1,5 @@
+"""azkv-ssh-fetch — fetch SSH private keys from Azure Key Vault and connect via Bastion."""
+
+from azkv_ssh_fetch.__about__ import __version__
+
+__all__ = ["__version__"]

azkv_ssh_fetch-0.1.0/src/azkv_ssh_fetch/__main__.py

@@ -0,0 +1,6 @@
+"""Allow `python -m azkv_ssh_fetch ...`."""
+
+from azkv_ssh_fetch.cli import app
+
+if __name__ == "__main__":
+    app()

azkv_ssh_fetch-0.1.0/src/azkv_ssh_fetch/bastion.py

@@ -0,0 +1,70 @@
+"""Azure Bastion native-client invocation.
+
+Shells out to the `az network bastion ssh` command rather than reimplementing the
+RDP/SSH tunnel protocol. Requires `az` CLI >= 2.32 with the `ssh` extension.
+"""
+
+from __future__ import annotations
+
+import shutil
+import subprocess
+from dataclasses import dataclass
+from pathlib import Path
+
+from azkv_ssh_fetch.errors import BastionInvocationError
+
+
+@dataclass(frozen=True)
+class BastionTarget:
+    """Connection coordinates for a Bastion-fronted VM/VMSS instance."""
+
+    bastion_name: str
+    bastion_resource_group: str
+    target_resource_id: str
+    """Full ARM resource ID of the target VM or VMSS instance."""
+    username: str
+
+
+def _require_az() -> str:
+    """Return path to `az` or raise."""
+    az = shutil.which("az")
+    if az is None:
+        raise BastionInvocationError(
+            "the `az` CLI was not found on PATH; install from https://aka.ms/installazcli"
+        )
+    return az
+
+
+def ssh_via_bastion(target: BastionTarget, private_key: Path) -> int:
+    """Open an interactive SSH session through Azure Bastion.
+
+    Blocks until the user exits. Returns the SSH exit code.
+
+    Raises:
+        BastionInvocationError: `az` is missing or the command exited with a
+            non-SSH error (e.g., RBAC denial, unknown resource).
+    """
+    az = _require_az()
+    cmd = [
+        az,
+        "network",
+        "bastion",
+        "ssh",
+        "--name",
+        target.bastion_name,
+        "--resource-group",
+        target.bastion_resource_group,
+        "--target-resource-id",
+        target.target_resource_id,
+        "--auth-type",
+        "ssh-key",
+        "--username",
+        target.username,
+        "--ssh-key",
+        str(private_key),
+    ]
+    try:
+        completed = subprocess.run(cmd, check=False)  # noqa: S603 - args are controlled
+    except OSError as exc:
+        raise BastionInvocationError(f"failed to launch az: {exc}") from exc
+    return completed.returncode

azkv_ssh_fetch-0.1.0/src/azkv_ssh_fetch/cli.py

@@ -0,0 +1,191 @@
+"""Typer CLI: `azkv-ssh-fetch` (alias `akf`).
+
+Subcommands:
+    list      List SSH-shaped secrets in a Key Vault.
+    fetch     Pull a private key from KV to a local file (chmod 600).
+    connect   fetch + open Bastion SSH session in one command.
+
+All commands accept --vault from --vault flag or AZKV_VAULT env var.
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+from pathlib import Path
+from typing import Annotated
+
+import typer
+from rich.console import Console
+from rich.table import Table
+
+from azkv_ssh_fetch import __version__
+from azkv_ssh_fetch.bastion import BastionTarget, ssh_via_bastion
+from azkv_ssh_fetch.errors import AzkvSshFetchError
+from azkv_ssh_fetch.keyvault import fetch_secret, list_secrets
+from azkv_ssh_fetch.ssh import default_ssh_dir, write_private_key
+
+app = typer.Typer(
+    name="azkv-ssh-fetch",
+    help="Fetch SSH private keys from Azure Key Vault and connect via Bastion.",
+    no_args_is_help=True,
+    add_completion=True,
+    rich_markup_mode="rich",
+)
+stdout = Console()
+stderr = Console(stderr=True)
+
+VaultOpt = Annotated[
+    str,
+    typer.Option(
+        "--vault",
+        "-v",
+        envvar="AZKV_VAULT",
+        help="Key Vault name (not full URL). Required, or set [bold]AZKV_VAULT[/bold].",
+    ),
+]
+
+
+def _version_callback(value: bool) -> None:
+    if value:
+        stdout.print(f"azkv-ssh-fetch [bold cyan]{__version__}[/bold cyan]")
+        raise typer.Exit()
+
+
+@app.callback()
+def _root(
+    _version: Annotated[  # noqa: ARG001 - typer needs the param for the flag
+        bool,
+        typer.Option(
+            "--version",
+            callback=_version_callback,
+            is_eager=True,
+            help="Show version and exit.",
+        ),
+    ] = False,
+) -> None:
+    """Common options."""
+
+
+@app.command("list")
+def cmd_list(vault: VaultOpt) -> None:
+    """List secrets in [bold]VAULT[/bold] that look like SSH keys."""
+    try:
+        secrets = list(list_secrets(vault))
+    except AzkvSshFetchError as exc:
+        stderr.print(f"[red]error:[/red] {exc}")
+        raise typer.Exit(code=2) from exc
+
+    table = Table(title=f"Secrets in {vault}", show_lines=False)
+    table.add_column("Name", style="cyan")
+    table.add_column("Enabled", justify="center")
+    table.add_column("Content-Type", style="dim")
+
+    shown = 0
+    for s in secrets:
+        if not s.enabled:
+            continue
+        # Best-effort filter: SSH keys are usually named *ssh*, *key*, *id_rsa*
+        lower = s.name.lower()
+        looks_like_key = any(tok in lower for tok in ("ssh", "key", "id_rsa", "id_ed25519"))
+        if not looks_like_key:
+            continue
+        table.add_row(s.name, "yes", s.content_type or "")
+        shown += 1
+
+    if shown == 0:
+        stderr.print(
+            f"[yellow]no SSH-shaped secrets found in {vault}.[/yellow]"
+            " Try [bold]az keyvault secret list[/bold] for the full list."
+        )
+        raise typer.Exit(code=1)
+    stdout.print(table)
+
+
+@app.command("fetch")
+def cmd_fetch(
+    vault: VaultOpt,
+    secret: Annotated[str, typer.Argument(help="Secret name in the vault.")],
+    output: Annotated[
+        Path | None,
+        typer.Option(
+            "--output",
+            "-o",
+            help="Destination path. Default: ~/.ssh/<secret>.",
+        ),
+    ] = None,
+) -> None:
+    """Pull [bold]SECRET[/bold] from [bold]VAULT[/bold] and write it locally (chmod 600)."""
+    dest = output if output is not None else default_ssh_dir() / secret
+    try:
+        material = fetch_secret(vault, secret)
+        written = write_private_key(material, dest)
+    except AzkvSshFetchError as exc:
+        stderr.print(f"[red]error:[/red] {exc}")
+        raise typer.Exit(code=2) from exc
+    stdout.print(f"[green]wrote[/green] {written} (mode 600)")
+
+
+@app.command("connect")
+def cmd_connect(
+    vault: VaultOpt,
+    secret: Annotated[str, typer.Option("--secret", "-s", help="KV secret name.")],
+    bastion_name: Annotated[str, typer.Option("--bastion", "-b", help="Bastion name.")],
+    bastion_rg: Annotated[str, typer.Option("--bastion-rg", help="Bastion's resource group.")],
+    target_id: Annotated[
+        str,
+        typer.Option(
+            "--target-id",
+            "-t",
+            help="Full ARM resource ID of target VM or VMSS instance.",
+        ),
+    ],
+    username: Annotated[
+        str, typer.Option("--username", "-u", help="SSH username on the target.")
+    ] = "azureuser",
+    keep_key: Annotated[
+        bool,
+        typer.Option("--keep-key/--shred-key", help="Leave the key on disk after disconnect."),
+    ] = False,
+) -> None:
+    """Fetch private key, then SSH into target through Bastion."""
+    dest = default_ssh_dir() / f"akf-{secret}"
+    try:
+        material = fetch_secret(vault, secret)
+        key_path = write_private_key(material, dest)
+        stdout.print(f"[green]\u2713[/green] key fetched to {key_path}")
+        rc = ssh_via_bastion(
+            BastionTarget(
+                bastion_name=bastion_name,
+                bastion_resource_group=bastion_rg,
+                target_resource_id=target_id,
+                username=username,
+            ),
+            key_path,
+        )
+    except AzkvSshFetchError as exc:
+        stderr.print(f"[red]error:[/red] {exc}")
+        raise typer.Exit(code=2) from exc
+    finally:
+        if not keep_key:
+            try:
+                dest.unlink(missing_ok=True)
+                stdout.print(f"[dim]shredded {dest}[/dim]")
+            except OSError as exc:
+                stderr.print(f"[yellow]warning:[/yellow] could not remove {dest}: {exc}")
+
+    raise typer.Exit(code=rc)
+
+
+def main() -> None:
+    """Entry point for `python -m azkv_ssh_fetch` and the console-script."""
+    # Surface azure-identity verbose logs only when AZKV_DEBUG=1
+    if os.environ.get("AZKV_DEBUG") == "1":
+        import logging
+
+        logging.basicConfig(level=logging.DEBUG, stream=sys.stderr)
+    app()
+
+
+if __name__ == "__main__":
+    main()

azkv_ssh_fetch-0.1.0/src/azkv_ssh_fetch/errors.py

@@ -0,0 +1,23 @@
+"""Typed errors raised by the package."""
+
+from __future__ import annotations
+
+
+class AzkvSshFetchError(Exception):
+    """Base class for all package errors."""
+
+
+class KeyVaultAccessError(AzkvSshFetchError):
+    """Raised when Key Vault is unreachable or caller lacks permission."""
+
+
+class SecretNotFoundError(AzkvSshFetchError):
+    """Raised when the named secret does not exist in the vault."""
+
+
+class SshKeyWriteError(AzkvSshFetchError):
+    """Raised when the SSH key cannot be written to disk safely."""
+
+
+class BastionInvocationError(AzkvSshFetchError):
+    """Raised when `az network bastion` invocation fails."""

azkv_ssh_fetch-0.1.0/src/azkv_ssh_fetch/keyvault.py

@@ -0,0 +1,78 @@
+"""Azure Key Vault interactions.
+
+Thin wrapper around `azure-keyvault-secrets` + `azure-identity`. Centralizes auth
+and provides typed return values so the CLI layer stays free of SDK boilerplate.
+"""
+
+from __future__ import annotations
+
+from collections.abc import Iterator
+from dataclasses import dataclass
+
+from azure.core.exceptions import HttpResponseError, ResourceNotFoundError
+from azure.identity import DefaultAzureCredential
+from azure.keyvault.secrets import SecretClient
+
+from azkv_ssh_fetch.errors import KeyVaultAccessError, SecretNotFoundError
+
+
+@dataclass(frozen=True)
+class SecretSummary:
+    """Lightweight view of a Key Vault secret (no value)."""
+
+    name: str
+    enabled: bool
+    content_type: str | None
+
+
+def _client(vault_name: str) -> SecretClient:
+    """Build a SecretClient for `vault_name` using DefaultAzureCredential.
+
+    Auth precedence (azure-identity defaults): env vars, managed identity, az CLI,
+    VS Code, Azure PowerShell, interactive browser. The CLI relies on `az login`
+    in practice.
+    """
+    url = f"https://{vault_name}.vault.azure.net"
+    return SecretClient(vault_url=url, credential=DefaultAzureCredential())
+
+
+def list_secrets(vault_name: str) -> Iterator[SecretSummary]:
+    """Yield all enabled secrets in the vault.
+
+    Raises:
+        KeyVaultAccessError: caller lacks `list` permission or vault is unreachable.
+    """
+    client = _client(vault_name)
+    try:
+        for prop in client.list_properties_of_secrets():
+            yield SecretSummary(
+                name=prop.name or "",
+                enabled=bool(prop.enabled),
+                content_type=prop.content_type,
+            )
+    except HttpResponseError as exc:
+        raise KeyVaultAccessError(f"cannot list secrets in {vault_name!r}: {exc.message}") from exc
+
+
+def fetch_secret(vault_name: str, secret_name: str) -> str:
+    """Fetch the value of `secret_name` from `vault_name`.
+
+    Raises:
+        SecretNotFoundError: the secret does not exist (or caller cannot see it).
+        KeyVaultAccessError: any other access failure.
+    """
+    client = _client(vault_name)
+    try:
+        secret = client.get_secret(secret_name)
+    except ResourceNotFoundError as exc:
+        raise SecretNotFoundError(
+            f"secret {secret_name!r} not found in vault {vault_name!r}"
+        ) from exc
+    except HttpResponseError as exc:
+        raise KeyVaultAccessError(
+            f"cannot fetch {secret_name!r} from {vault_name!r}: {exc.message}"
+        ) from exc
+
+    if secret.value is None:
+        raise SecretNotFoundError(f"secret {secret_name!r} has no value")
+    return secret.value

azkv_ssh_fetch-0.1.0/src/azkv_ssh_fetch/ssh.py

@@ -0,0 +1,78 @@
+"""Local SSH key management: safe writes, mode 0600, atomic replace.
+
+Avoids common footguns:
+- Never write keys to world-readable temp dirs
+- Always set mode 0600 BEFORE writing key material
+- Use atomic os.replace so partial writes don't leave half-keys behind
+- Append trailing newline if missing (OpenSSH cares)
+"""
+
+from __future__ import annotations
+
+import os
+import stat
+import tempfile
+from pathlib import Path
+
+from azkv_ssh_fetch.errors import SshKeyWriteError
+
+DEFAULT_SSH_DIR = Path.home() / ".ssh"
+KEY_MODE = 0o600
+DIR_MODE = 0o700
+
+
+def default_ssh_dir() -> Path:
+    """Return ~/.ssh, creating it with mode 0700 if missing."""
+    DEFAULT_SSH_DIR.mkdir(mode=DIR_MODE, exist_ok=True)
+    # Tighten perms even if it already existed with looser bits
+    DEFAULT_SSH_DIR.chmod(DIR_MODE)
+    return DEFAULT_SSH_DIR
+
+
+def write_private_key(key_material: str, destination: Path) -> Path:
+    """Write `key_material` to `destination` with mode 0600, atomically.
+
+    Returns the resolved destination Path. Trailing newline is appended if missing.
+
+    Raises:
+        SshKeyWriteError: any IO problem (permissions, full disk, etc.).
+    """
+    if not key_material:
+        raise SshKeyWriteError("empty key material; refusing to write")
+
+    payload = key_material if key_material.endswith("\n") else key_material + "\n"
+
+    dest = destination.expanduser().resolve()
+    try:
+        dest.parent.mkdir(mode=DIR_MODE, parents=True, exist_ok=True)
+        # Tighten parent perms if it already existed
+        dest.parent.chmod(DIR_MODE)
+    except OSError as exc:
+        raise SshKeyWriteError(f"cannot prepare {dest.parent}: {exc}") from exc
+
+    # Write to a sibling tempfile with mode 0600, then atomic replace
+    fd, tmp_path_str = tempfile.mkstemp(
+        prefix=dest.name + ".",
+        suffix=".tmp",
+        dir=dest.parent,
+    )
+    tmp_path = Path(tmp_path_str)
+    try:
+        os.fchmod(fd, KEY_MODE)
+        with os.fdopen(fd, "w", encoding="utf-8") as fh:
+            fh.write(payload)
+        os.replace(tmp_path, dest)
+    except OSError as exc:
+        tmp_path.unlink(missing_ok=True)
+        raise SshKeyWriteError(f"failed to write key to {dest}: {exc}") from exc
+
+    # Belt-and-suspenders: enforce final mode in case umask interfered earlier
+    dest.chmod(KEY_MODE)
+    return dest
+
+
+def assert_safe_mode(path: Path) -> None:
+    """Raise if `path` is group/world readable (OpenSSH will reject)."""
+    st = path.stat()
+    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
+        raise SshKeyWriteError(f"{path} is group/world accessible; chmod 600 required")

azkv_ssh_fetch-0.1.0/tests/test_cli.py

@@ -0,0 +1,104 @@
+"""Tests for the CLI surface. Heavy mocking; no live Azure calls."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+import pytest
+from pytest_mock import MockerFixture
+from typer.testing import CliRunner
+
+from azkv_ssh_fetch import __version__
+from azkv_ssh_fetch.cli import app
+from azkv_ssh_fetch.errors import KeyVaultAccessError, SecretNotFoundError
+from azkv_ssh_fetch.keyvault import SecretSummary
+
+runner = CliRunner()
+
+
+def test_version_flag() -> None:
+    result = runner.invoke(app, ["--version"])
+    assert result.exit_code == 0
+    assert __version__ in result.stdout
+
+
+def test_help_lists_subcommands() -> None:
+    result = runner.invoke(app, ["--help"])
+    assert result.exit_code == 0
+    for cmd in ("list", "fetch", "connect"):
+        assert cmd in result.stdout
+
+
+def test_list_filters_to_ssh_shaped(mocker: MockerFixture) -> None:
+    mocker.patch(
+        "azkv_ssh_fetch.cli.list_secrets",
+        return_value=iter(
+            [
+                SecretSummary(name="alpha-ssh", enabled=True, content_type=None),
+                SecretSummary(name="db-password", enabled=True, content_type=None),
+                SecretSummary(name="id_rsa-prod", enabled=True, content_type=None),
+                SecretSummary(name="disabled-ssh", enabled=False, content_type=None),
+            ]
+        ),
+    )
+    result = runner.invoke(app, ["list", "--vault", "kv-test"])
+    assert result.exit_code == 0
+    assert "alpha-ssh" in result.stdout
+    assert "id_rsa-prod" in result.stdout
+    assert "db-password" not in result.stdout
+    assert "disabled-ssh" not in result.stdout
+
+
+def test_list_empty_exits_1(mocker: MockerFixture) -> None:
+    mocker.patch("azkv_ssh_fetch.cli.list_secrets", return_value=iter([]))
+    result = runner.invoke(app, ["list", "--vault", "kv-test"])
+    assert result.exit_code == 1
+
+
+def test_list_kv_error_exits_2(mocker: MockerFixture) -> None:
+    mocker.patch(
+        "azkv_ssh_fetch.cli.list_secrets",
+        side_effect=KeyVaultAccessError("nope"),
+    )
+    result = runner.invoke(app, ["list", "--vault", "kv-test"])
+    assert result.exit_code == 2
+
+
+def test_fetch_writes_to_output(tmp_path: Path, mocker: MockerFixture) -> None:
+    mocker.patch(
+        "azkv_ssh_fetch.cli.fetch_secret",
+        return_value="-----BEGIN OPENSSH PRIVATE KEY-----\ncontent\n-----END OPENSSH PRIVATE KEY-----",
+    )
+    out = tmp_path / "id_test"
+    result = runner.invoke(app, ["fetch", "--vault", "kv-test", "my-secret", "--output", str(out)])
+    assert result.exit_code == 0, result.stdout
+    assert out.exists()
+    import stat
+
+    assert stat.S_IMODE(out.stat().st_mode) == 0o600
+
+
+def test_fetch_missing_secret_exits_2(tmp_path: Path, mocker: MockerFixture) -> None:
+    mocker.patch(
+        "azkv_ssh_fetch.cli.fetch_secret",
+        side_effect=SecretNotFoundError("nope"),
+    )
+    result = runner.invoke(
+        app,
+        ["fetch", "--vault", "kv-test", "ghost", "--output", str(tmp_path / "k")],
+    )
+    assert result.exit_code == 2
+
+
+def test_vault_from_env(monkeypatch: pytest.MonkeyPatch, mocker: MockerFixture) -> None:
+    monkeypatch.setenv("AZKV_VAULT", "kv-from-env")
+    captured: dict[str, str] = {}
+
+    def fake_list(vault: str):
+        captured["vault"] = vault
+        return iter([SecretSummary(name="x-ssh", enabled=True, content_type=None)])
+
+    mocker.patch("azkv_ssh_fetch.cli.list_secrets", side_effect=fake_list)
+    result = runner.invoke(app, ["list"])
+    assert result.exit_code == 0
+    assert captured["vault"] == "kv-from-env"

azkv_ssh_fetch-0.1.0/tests/test_keyvault.py

@@ -0,0 +1,83 @@
+"""Tests for the Key Vault wrapper. SDK is mocked."""
+
+from __future__ import annotations
+
+from unittest.mock import MagicMock
+
+import pytest
+from azure.core.exceptions import HttpResponseError, ResourceNotFoundError
+from pytest_mock import MockerFixture
+
+from azkv_ssh_fetch import keyvault
+from azkv_ssh_fetch.errors import KeyVaultAccessError, SecretNotFoundError
+
+
+def _patch_client(mocker: MockerFixture) -> MagicMock:
+    """Patch the SecretClient factory and return the mock client."""
+    client = MagicMock()
+    mocker.patch.object(keyvault, "_client", return_value=client)
+    return client
+
+
+def test_fetch_secret_returns_value(mocker: MockerFixture) -> None:
+    client = _patch_client(mocker)
+    secret = MagicMock()
+    secret.value = "PRIVATE-KEY-CONTENT"
+    client.get_secret.return_value = secret
+
+    value = keyvault.fetch_secret("kv-test", "my-key")
+    assert value == "PRIVATE-KEY-CONTENT"
+    client.get_secret.assert_called_once_with("my-key")
+
+
+def test_fetch_secret_missing_raises(mocker: MockerFixture) -> None:
+    client = _patch_client(mocker)
+    client.get_secret.side_effect = ResourceNotFoundError(message="not found")
+
+    with pytest.raises(SecretNotFoundError, match="not found"):
+        keyvault.fetch_secret("kv-test", "missing")
+
+
+def test_fetch_secret_http_error_raises_access(mocker: MockerFixture) -> None:
+    client = _patch_client(mocker)
+    client.get_secret.side_effect = HttpResponseError(message="forbidden")
+
+    with pytest.raises(KeyVaultAccessError, match="forbidden"):
+        keyvault.fetch_secret("kv-test", "any")
+
+
+def test_fetch_secret_null_value_raises(mocker: MockerFixture) -> None:
+    client = _patch_client(mocker)
+    secret = MagicMock()
+    secret.value = None
+    client.get_secret.return_value = secret
+
+    with pytest.raises(SecretNotFoundError, match="no value"):
+        keyvault.fetch_secret("kv-test", "blank")
+
+
+def test_list_secrets_yields_summaries(mocker: MockerFixture) -> None:
+    client = _patch_client(mocker)
+    p1 = MagicMock(name="prop1")
+    p1.name = "alpha-ssh"
+    p1.enabled = True
+    p1.content_type = "application/x-pem-file"
+    p2 = MagicMock(name="prop2")
+    p2.name = "beta"
+    p2.enabled = False
+    p2.content_type = None
+    client.list_properties_of_secrets.return_value = iter([p1, p2])
+
+    out = list(keyvault.list_secrets("kv-test"))
+    assert [s.name for s in out] == ["alpha-ssh", "beta"]
+    assert out[0].enabled is True
+    assert out[0].content_type == "application/x-pem-file"
+    assert out[1].enabled is False
+
+
+def test_list_secrets_http_error(mocker: MockerFixture) -> None:
+    client = _patch_client(mocker)
+    client.list_properties_of_secrets.side_effect = HttpResponseError(message="denied")
+
+    with pytest.raises(KeyVaultAccessError, match="denied"):
+        list(keyvault.list_secrets("kv-test"))

azkv_ssh_fetch-0.1.0/tests/test_ssh.py

@@ -0,0 +1,77 @@
+"""Tests for the SSH key writer."""
+
+from __future__ import annotations
+
+import os
+import stat
+from pathlib import Path
+
+import pytest
+
+from azkv_ssh_fetch.errors import SshKeyWriteError
+from azkv_ssh_fetch.ssh import assert_safe_mode, write_private_key
+
+SAMPLE_KEY = "-----BEGIN OPENSSH PRIVATE KEY-----\nfake-base64-payload-here\n-----END OPENSSH PRIVATE KEY-----"
+
+
+def test_write_private_key_sets_mode_0600(tmp_path: Path) -> None:
+    dest = tmp_path / "ssh" / "id_test"
+    written = write_private_key(SAMPLE_KEY, dest)
+
+    assert written.exists()
+    mode = stat.S_IMODE(written.stat().st_mode)
+    assert mode == 0o600, f"expected 0600, got {oct(mode)}"
+
+
+def test_write_private_key_appends_trailing_newline(tmp_path: Path) -> None:
+    dest = tmp_path / "id_test"
+    write_private_key(SAMPLE_KEY, dest)
+    assert dest.read_text(encoding="utf-8").endswith("\n")
+
+
+def test_write_private_key_preserves_existing_newline(tmp_path: Path) -> None:
+    dest = tmp_path / "id_test"
+    write_private_key(SAMPLE_KEY + "\n", dest)
+    content = dest.read_text(encoding="utf-8")
+    assert content.endswith("\n")
+    assert not content.endswith("\n\n"), "should not double-newline"
+
+
+def test_write_private_key_atomic_replace(tmp_path: Path) -> None:
+    """A pre-existing key file should be replaced cleanly."""
+    dest = tmp_path / "id_test"
+    dest.write_text("OLD CONTENT\n", encoding="utf-8")
+    os.chmod(dest, 0o600)
+
+    write_private_key(SAMPLE_KEY, dest)
+    assert "OLD CONTENT" not in dest.read_text(encoding="utf-8")
+    assert SAMPLE_KEY in dest.read_text(encoding="utf-8")
+
+
+def test_write_private_key_creates_missing_parent(tmp_path: Path) -> None:
+    dest = tmp_path / "nested" / "deeply" / "id_test"
+    write_private_key(SAMPLE_KEY, dest)
+    assert dest.exists()
+    # Parent should be 0700
+    parent_mode = stat.S_IMODE(dest.parent.stat().st_mode)
+    assert parent_mode == 0o700
+
+
+def test_write_private_key_empty_raises(tmp_path: Path) -> None:
+    with pytest.raises(SshKeyWriteError, match="empty"):
+        write_private_key("", tmp_path / "id_test")
+
+
+def test_assert_safe_mode_passes_for_0600(tmp_path: Path) -> None:
+    p = tmp_path / "key"
+    p.write_text("x", encoding="utf-8")
+    p.chmod(0o600)
+    assert_safe_mode(p)  # no exception
+
+
+def test_assert_safe_mode_rejects_world_readable(tmp_path: Path) -> None:
+    p = tmp_path / "key"
+    p.write_text("x", encoding="utf-8")
+    p.chmod(0o644)
+    with pytest.raises(SshKeyWriteError, match="group/world"):
+        assert_safe_mode(p)