claude-dev-cli 0.3.1__tar.gz → 0.4.0__tar.gz

{claude_dev_cli-0.3.1/src/claude_dev_cli.egg-info → claude_dev_cli-0.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: claude-dev-cli
-Version: 0.3.1
+Version: 0.4.0
 Summary: A powerful CLI tool for developers using Claude AI with multi-API routing, test generation, code review, and usage tracking
 Author-email: Julio <thinmanj@users.noreply.github.com>
 License: MIT
@@ -26,6 +26,8 @@ Requires-Dist: anthropic>=0.18.0
 Requires-Dist: click>=8.1.0
 Requires-Dist: rich>=13.0.0
 Requires-Dist: pydantic>=2.0.0
+Requires-Dist: keyring>=24.0.0
+Requires-Dist: cryptography>=41.0.0
 Provides-Extra: toon
 Requires-Dist: toon-format>=0.9.0; extra == "toon"
 Provides-Extra: plugins
@@ -46,9 +48,10 @@ A powerful command-line tool for developers using Claude AI with multi-API routi
 ## Features
 
 ### 🔑 Multi-API Key Management
+- **Secure Storage**: API keys stored in system keyring (macOS Keychain, Linux Secret Service, Windows Credential Locker)
 - Route tasks to different Claude API keys (personal, client, enterprise)
 - Automatic API selection based on project configuration
-- Environment variable support for secure key management
+- Automatic migration from plaintext to secure storage
 
 ### 🧪 Developer Tools
 - **Test Generation**: Automatic pytest test generation for Python code
@@ -98,13 +101,17 @@ pip install claude-dev-cli[toon]
 # Add your personal API key
 export PERSONAL_ANTHROPIC_API_KEY="sk-ant-..."
 cdc config add personal --default --description "My personal API key"
+# 🔐 Stored securely in system keyring
 
 # Add client's API key
 export CLIENT_ANTHROPIC_API_KEY="sk-ant-..."
 cdc config add client --description "Client's Enterprise API"
 
-# List configured APIs
+# List configured APIs (shows storage method)
 cdc config list
+
+# Manually migrate existing keys (automatic on first run)
+cdc config migrate-keys
 ```
 
 ### 2. Basic Usage
@@ -186,22 +193,37 @@ cat large_data.json | cdc toon encode | cdc ask "analyze this data"
 
 ## Configuration
 
+### Secure API Key Storage
+
+**🔐 Your API keys are stored securely and never in plain text.**
+
+- **macOS**: Keychain
+- **Linux**: Secret Service API (GNOME Keyring, KWallet)
+- **Windows**: Windows Credential Locker
+- **Fallback**: Encrypted file (if keyring unavailable)
+
+Keys are automatically migrated from plaintext on first run. You can also manually migrate:
+
+```bash
+cdc config migrate-keys
+```
+
 ### Global Configuration
 
-Configuration is stored in `~/.claude-dev-cli/config.json`:
+Configuration metadata is stored in `~/.claude-dev-cli/config.json` (API keys are NOT in this file):
 
 ```json
 {
   "api_configs": [
     {
       "name": "personal",
-      "api_key": "sk-ant-...",
+      "api_key": "",  // Empty - actual key in secure storage
       "description": "My personal API key",
       "default": true
     },
     {
       "name": "client",
-      "api_key": "sk-ant-...",
+      "api_key": "",  // Empty - actual key in secure storage
       "description": "Client's Enterprise API",
       "default": false
     }

{claude_dev_cli-0.3.1 → claude_dev_cli-0.4.0}/README.md

@@ -5,9 +5,10 @@ A powerful command-line tool for developers using Claude AI with multi-API routi
 ## Features
 
 ### 🔑 Multi-API Key Management
+- **Secure Storage**: API keys stored in system keyring (macOS Keychain, Linux Secret Service, Windows Credential Locker)
 - Route tasks to different Claude API keys (personal, client, enterprise)
 - Automatic API selection based on project configuration
-- Environment variable support for secure key management
+- Automatic migration from plaintext to secure storage
 
 ### 🧪 Developer Tools
 - **Test Generation**: Automatic pytest test generation for Python code
@@ -57,13 +58,17 @@ pip install claude-dev-cli[toon]
 # Add your personal API key
 export PERSONAL_ANTHROPIC_API_KEY="sk-ant-..."
 cdc config add personal --default --description "My personal API key"
+# 🔐 Stored securely in system keyring
 
 # Add client's API key
 export CLIENT_ANTHROPIC_API_KEY="sk-ant-..."
 cdc config add client --description "Client's Enterprise API"
 
-# List configured APIs
+# List configured APIs (shows storage method)
 cdc config list
+
+# Manually migrate existing keys (automatic on first run)
+cdc config migrate-keys
 ```
 
 ### 2. Basic Usage
@@ -145,22 +150,37 @@ cat large_data.json | cdc toon encode | cdc ask "analyze this data"
 
 ## Configuration
 
+### Secure API Key Storage
+
+**🔐 Your API keys are stored securely and never in plain text.**
+
+- **macOS**: Keychain
+- **Linux**: Secret Service API (GNOME Keyring, KWallet)
+- **Windows**: Windows Credential Locker
+- **Fallback**: Encrypted file (if keyring unavailable)
+
+Keys are automatically migrated from plaintext on first run. You can also manually migrate:
+
+```bash
+cdc config migrate-keys
+```
+
 ### Global Configuration
 
-Configuration is stored in `~/.claude-dev-cli/config.json`:
+Configuration metadata is stored in `~/.claude-dev-cli/config.json` (API keys are NOT in this file):
 
 ```json
 {
   "api_configs": [
     {
       "name": "personal",
-      "api_key": "sk-ant-...",
+      "api_key": "",  // Empty - actual key in secure storage
       "description": "My personal API key",
       "default": true
     },
     {
       "name": "client",
-      "api_key": "sk-ant-...",
+      "api_key": "",  // Empty - actual key in secure storage
       "description": "Client's Enterprise API",
       "default": false
     }

{claude_dev_cli-0.3.1 → claude_dev_cli-0.4.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "claude-dev-cli"
-version = "0.3.1"
+version = "0.4.0"
 description = "A powerful CLI tool for developers using Claude AI with multi-API routing, test generation, code review, and usage tracking"
 readme = "README.md"
 requires-python = ">=3.9"
@@ -32,6 +32,8 @@ dependencies = [
     "click>=8.1.0",
     "rich>=13.0.0",
     "pydantic>=2.0.0",
+    "keyring>=24.0.0",
+    "cryptography>=41.0.0",
 ]
 
 [project.optional-dependencies]

{claude_dev_cli-0.3.1 → claude_dev_cli-0.4.0}/src/claude_dev_cli/cli.py

@@ -182,6 +182,49 @@ def config_add(
             make_default=default
         )
         console.print(f"[green]✓[/green] Added API config: {name}")
+        
+        # Show storage method
+        storage_method = config.secure_storage.get_storage_method()
+        if storage_method == "keyring":
+            console.print("[dim]🔐 Stored securely in system keyring[/dim]")
+        else:
+            console.print("[dim]🔒 Stored in encrypted file (keyring unavailable)[/dim]")
+    except Exception as e:
+        console.print(f"[red]Error: {e}[/red]")
+        sys.exit(1)
+
+
+@config.command('migrate-keys')
+@click.pass_context
+def config_migrate_keys(ctx: click.Context) -> None:
+    """Manually migrate API keys to secure storage."""
+    console = ctx.obj['console']
+    
+    try:
+        config = Config()
+        
+        # Check if any keys need migration
+        api_configs = config._data.get("api_configs", [])
+        plaintext_keys = {c["name"]: c.get("api_key", "") 
+                         for c in api_configs 
+                         if c.get("api_key")}
+        
+        if not plaintext_keys:
+            console.print("[green]✓[/green] All keys are already in secure storage.")
+            storage_method = config.secure_storage.get_storage_method()
+            console.print(f"[dim]Using: {storage_method}[/dim]")
+            return
+        
+        console.print(f"[yellow]Found {len(plaintext_keys)} plaintext key(s)[/yellow]")
+        console.print("Migrating to secure storage...\n")
+        
+        # Trigger migration
+        config._auto_migrate_keys()
+        
+        console.print(f"[green]✓[/green] Migrated {len(plaintext_keys)} key(s) to secure storage.")
+        storage_method = config.secure_storage.get_storage_method()
+        console.print(f"[dim]Using: {storage_method}[/dim]")
+        
     except Exception as e:
         console.print(f"[red]Error: {e}[/red]")
         sys.exit(1)
@@ -201,6 +244,14 @@ def config_list(ctx: click.Context) -> None:
         console.print("Run 'cdc config add' to add one.")
         return
     
+    # Show storage method
+    storage_method = config.secure_storage.get_storage_method()
+    storage_display = {
+        "keyring": "🔐 System Keyring (Secure)",
+        "encrypted_file": "🔒 Encrypted File (Fallback)"
+    }.get(storage_method, storage_method)
+    console.print(f"\n[dim]Storage: {storage_display}[/dim]\n")
+    
     for cfg in api_configs:
         default_marker = " [bold green](default)[/bold green]" if cfg.default else ""
         console.print(f"• {cfg.name}{default_marker}")

{claude_dev_cli-0.3.1 → claude_dev_cli-0.4.0}/src/claude_dev_cli/config.py

@@ -6,6 +6,8 @@ from pathlib import Path
 from typing import Dict, Optional, List
 from pydantic import BaseModel, Field
 
+from claude_dev_cli.secure_storage import SecureStorage
+
 
 class APIConfig(BaseModel):
     """Configuration for a Claude API key."""
@@ -39,6 +41,12 @@ class Config:
         
         self._ensure_config_dir()
         self._data: Dict = self._load_config()
+        
+        # Initialize secure storage
+        self.secure_storage = SecureStorage(self.config_dir)
+        
+        # Auto-migrate if plaintext keys exist
+        self._auto_migrate_keys()
     
     def _ensure_config_dir(self) -> None:
         """Ensure configuration directory exists."""
@@ -68,6 +76,22 @@ class Config:
         with open(self.config_file, 'w') as f:
             json.dump(data, f, indent=2)
     
+    def _auto_migrate_keys(self) -> None:
+        """Automatically migrate plaintext API keys to secure storage."""
+        api_configs = self._data.get("api_configs", [])
+        migrated = False
+        
+        for config in api_configs:
+            if "api_key" in config and config["api_key"]:
+                # Migrate this key to secure storage
+                self.secure_storage.store_key(config["name"], config["api_key"])
+                # Remove from plaintext config
+                config["api_key"] = ""  # Empty string indicates key is in secure storage
+                migrated = True
+        
+        if migrated:
+            self._save_config()
+    
     def add_api_config(
         self,
         name: str,
@@ -91,14 +115,18 @@ class Config:
             if config["name"] == name:
                 raise ValueError(f"API config with name '{name}' already exists")
         
+        # Store API key in secure storage
+        self.secure_storage.store_key(name, api_key)
+        
         # If this is the first config or make_default is True, set as default
         if make_default or not api_configs:
             for config in api_configs:
                 config["default"] = False
         
+        # Store metadata without the actual key (empty string indicates secure storage)
         api_config = APIConfig(
             name=name,
-            api_key=api_key,
+            api_key="",  # Empty string indicates key is in secure storage
             description=description,
             default=make_default or not api_configs
         )
@@ -111,21 +139,53 @@ class Config:
         """Get API configuration by name or default."""
         api_configs = self._data.get("api_configs", [])
         
+        config_data = None
         if name:
             for config in api_configs:
                 if config["name"] == name:
-                    return APIConfig(**config)
+                    config_data = config
+                    break
         else:
             # Return default
             for config in api_configs:
                 if config.get("default", False):
-                    return APIConfig(**config)
+                    config_data = config
+                    break
         
-        return None
+        if not config_data:
+            return None
+        
+        # Retrieve actual API key from secure storage
+        api_key = self.secure_storage.get_key(config_data["name"])
+        if not api_key:
+            # Fallback to plaintext if not in secure storage (shouldn't happen after migration)
+            api_key = config_data.get("api_key", "")
+        
+        # Return config with actual key
+        return APIConfig(
+            name=config_data["name"],
+            api_key=api_key,
+            description=config_data.get("description"),
+            default=config_data.get("default", False)
+        )
     
     def list_api_configs(self) -> List[APIConfig]:
         """List all API configurations."""
-        return [APIConfig(**c) for c in self._data.get("api_configs", [])]
+        configs = []
+        for c in self._data.get("api_configs", []):
+            # Retrieve actual API key from secure storage
+            api_key = self.secure_storage.get_key(c["name"])
+            if not api_key:
+                # Fallback to plaintext
+                api_key = c.get("api_key", "")
+            
+            configs.append(APIConfig(
+                name=c["name"],
+                api_key=api_key,
+                description=c.get("description"),
+                default=c.get("default", False)
+            ))
+        return configs
     
     def add_project_profile(
         self,

{claude_dev_cli-0.3.1 → claude_dev_cli-0.4.0}/src/claude_dev_cli/plugins/diff_editor/viewer.py

@@ -1,6 +1,8 @@
 """Interactive diff viewer with multiple keybinding modes."""
 
 import difflib
+import subprocess
+import tempfile
 from pathlib import Path
 from typing import List, Optional, Tuple
 import os
@@ -271,6 +273,77 @@ class DiffViewer:
         
         self.console.print(prompt)
     
+    def _edit_hunk(self, hunk: Hunk) -> Optional[List[str]]:
+        """Open hunk in editor for inline editing.
+        
+        Returns:
+            Edited lines or None if cancelled
+        """
+        # Get editor from environment
+        editor = os.environ.get("EDITOR", os.environ.get("VISUAL", "nano"))
+        
+        # Create temp file with proposed lines
+        with tempfile.NamedTemporaryFile(mode="w", suffix=".tmp", delete=False) as f:
+            f.write("".join(hunk.proposed_lines))
+            temp_path = f.name
+        
+        try:
+            # Open in editor
+            result = subprocess.run([editor, temp_path])
+            
+            if result.returncode == 0:
+                # Read edited content
+                with open(temp_path) as f:
+                    content = f.read()
+                return content.splitlines(keepends=True)
+            else:
+                self.console.print("[yellow]Edit cancelled[/yellow]")
+                return None
+        finally:
+            # Clean up temp file
+            Path(temp_path).unlink(missing_ok=True)
+    
+    def _split_hunk(self, hunk: Hunk, hunk_idx: int) -> None:
+        """Split a hunk into smaller hunks.
+        
+        For now, splits by line - each line becomes its own hunk.
+        More advanced splitting could be added later.
+        """
+        if len(hunk.proposed_lines) <= 1 and len(hunk.original_lines) <= 1:
+            self.console.print("[yellow]Hunk is too small to split[/yellow]")
+            return
+        
+        new_hunks = []
+        
+        # Split proposed lines into individual hunks
+        if hunk.proposed_lines:
+            for i, line in enumerate(hunk.proposed_lines):
+                new_hunks.append(Hunk(
+                    original_lines=[],
+                    proposed_lines=[line],
+                    original_start=hunk.original_start,
+                    proposed_start=hunk.proposed_start + i
+                ))
+        
+        # Split original lines into deletions
+        if hunk.original_lines and not hunk.proposed_lines:
+            for i, line in enumerate(hunk.original_lines):
+                new_hunks.append(Hunk(
+                    original_lines=[line],
+                    proposed_lines=[],
+                    original_start=hunk.original_start + i,
+                    proposed_start=hunk.proposed_start
+                ))
+        
+        if new_hunks:
+            # Replace current hunk with split hunks
+            self.hunks = (
+                self.hunks[:hunk_idx] +
+                new_hunks +
+                self.hunks[hunk_idx + 1:]
+            )
+            self.console.print(f"[green]✓ Split into {len(new_hunks)} hunks[/green]")
+    
     def run(self) -> Optional[str]:
         """Run the interactive diff viewer.
         
@@ -306,10 +379,20 @@ class DiffViewer:
                 hunk.accepted = False
                 self.current_hunk_idx += 1
             elif choice in kb["edit"]:
-                self.console.print("[yellow]Edit mode not yet implemented[/yellow]")
-                self.console.input("Press Enter to continue...")
+                # Enter edit mode for this hunk
+                edited_lines = self._edit_hunk(hunk)
+                if edited_lines is not None:
+                    # Save history
+                    self.history.append((self.current_hunk_idx, hunk.accepted))
+                    # Update hunk with edited content
+                    hunk.proposed_lines = edited_lines
+                    hunk.accepted = True
+                    self.console.print("[green]✓ Hunk updated with edits[/green]")
+                    self.console.input("Press Enter to continue...")
+                    self.current_hunk_idx += 1
             elif choice in kb["split"]:
-                self.console.print("[yellow]Split mode not yet implemented[/yellow]")
+                # Split current hunk
+                self._split_hunk(hunk, self.current_hunk_idx)
                 self.console.input("Press Enter to continue...")
             elif choice in kb["next"]:
                 if self.current_hunk_idx < len(self.hunks) - 1:

claude_dev_cli-0.4.0/src/claude_dev_cli/secure_storage.py

@@ -0,0 +1,219 @@
+"""Secure storage for API keys using system keyring.
+
+Supports:
+- macOS: Keychain
+- Linux: Secret Service API (GNOME Keyring, KWallet)
+- Windows: Windows Credential Locker
+
+Falls back to encrypted file storage if keyring is unavailable.
+"""
+
+import json
+import os
+from pathlib import Path
+from typing import Optional
+
+try:
+    import keyring
+    from keyring.errors import KeyringError
+    KEYRING_AVAILABLE = True
+except ImportError:
+    KEYRING_AVAILABLE = False
+
+from cryptography.fernet import Fernet
+
+
+class SecureStorage:
+    """Secure storage for API keys with cross-platform support."""
+    
+    SERVICE_NAME = "claude-dev-cli"
+    
+    def __init__(self, config_dir: Path, force_encrypted_file: bool = False):
+        """Initialize secure storage.
+        
+        Args:
+            config_dir: Directory to store encrypted fallback files
+            force_encrypted_file: Force use of encrypted file storage (for testing)
+        """
+        self.config_dir = config_dir
+        self.encrypted_file = config_dir / "keys.enc"
+        self.key_file = config_dir / ".keyfile"
+        
+        # Check if we should use keyring (disabled in test environments)
+        # Detect test environment by checking for pytest or TESTING env var
+        in_test = (
+            force_encrypted_file or
+            'pytest' in os.environ.get('_', '') or
+            os.environ.get('PYTEST_CURRENT_TEST') is not None or
+            os.environ.get('TESTING') == '1'
+        )
+        
+        if in_test:
+            # Always use encrypted file in tests to avoid Keychain prompts
+            self.use_keyring = False
+        else:
+            # Check if keyring backend is available in production
+            self.use_keyring = KEYRING_AVAILABLE and self._test_keyring()
+        
+        if not self.use_keyring:
+            # Initialize fallback encryption
+            self._ensure_encryption_key()
+    
+    def _test_keyring(self) -> bool:
+        """Test if keyring backend is working.
+        
+        Returns:
+            True if keyring is functional, False otherwise
+        """
+        try:
+            # Try to get/set a test value
+            test_key = f"{self.SERVICE_NAME}_test"
+            keyring.set_password(self.SERVICE_NAME, test_key, "test")
+            result = keyring.get_password(self.SERVICE_NAME, test_key)
+            keyring.delete_password(self.SERVICE_NAME, test_key)
+            return result == "test"
+        except (KeyringError, Exception):
+            return False
+    
+    def _ensure_encryption_key(self) -> None:
+        """Ensure encryption key exists for fallback storage."""
+        if not self.key_file.exists():
+            # Generate a new encryption key
+            key = Fernet.generate_key()
+            self.key_file.write_bytes(key)
+            # Secure the key file (Unix-like systems)
+            if hasattr(os, 'chmod'):
+                os.chmod(self.key_file, 0o600)
+    
+    def _get_cipher(self) -> Fernet:
+        """Get Fernet cipher for fallback encryption."""
+        key = self.key_file.read_bytes()
+        return Fernet(key)
+    
+    def _load_encrypted_keys(self) -> dict:
+        """Load keys from encrypted fallback file."""
+        if not self.encrypted_file.exists():
+            return {}
+        
+        try:
+            cipher = self._get_cipher()
+            encrypted_data = self.encrypted_file.read_bytes()
+            decrypted_data = cipher.decrypt(encrypted_data)
+            return json.loads(decrypted_data.decode())
+        except Exception:
+            # If decryption fails, return empty dict
+            return {}
+    
+    def _save_encrypted_keys(self, keys: dict) -> None:
+        """Save keys to encrypted fallback file."""
+        cipher = self._get_cipher()
+        data = json.dumps(keys).encode()
+        encrypted_data = cipher.encrypt(data)
+        self.encrypted_file.write_bytes(encrypted_data)
+        
+        # Secure the encrypted file
+        if hasattr(os, 'chmod'):
+            os.chmod(self.encrypted_file, 0o600)
+    
+    def store_key(self, name: str, api_key: str) -> None:
+        """Store an API key securely.
+        
+        Args:
+            name: Name/identifier for the API key
+            api_key: The API key to store
+        """
+        if self.use_keyring:
+            try:
+                keyring.set_password(self.SERVICE_NAME, name, api_key)
+                return
+            except KeyringError:
+                # Fall back to encrypted file if keyring fails
+                pass
+        
+        # Use encrypted file storage
+        keys = self._load_encrypted_keys()
+        keys[name] = api_key
+        self._save_encrypted_keys(keys)
+    
+    def get_key(self, name: str) -> Optional[str]:
+        """Retrieve an API key.
+        
+        Args:
+            name: Name/identifier for the API key
+            
+        Returns:
+            The API key or None if not found
+        """
+        if self.use_keyring:
+            try:
+                return keyring.get_password(self.SERVICE_NAME, name)
+            except KeyringError:
+                # Fall back to encrypted file
+                pass
+        
+        # Use encrypted file storage
+        keys = self._load_encrypted_keys()
+        return keys.get(name)
+    
+    def delete_key(self, name: str) -> bool:
+        """Delete an API key.
+        
+        Args:
+            name: Name/identifier for the API key
+            
+        Returns:
+            True if deleted, False if not found
+        """
+        if self.use_keyring:
+            try:
+                keyring.delete_password(self.SERVICE_NAME, name)
+                return True
+            except KeyringError:
+                # Fall back to encrypted file
+                pass
+        
+        # Use encrypted file storage
+        keys = self._load_encrypted_keys()
+        if name in keys:
+            del keys[name]
+            self._save_encrypted_keys(keys)
+            return True
+        return False
+    
+    def list_keys(self) -> list[str]:
+        """List all stored key names.
+        
+        Returns:
+            List of key names
+        """
+        if self.use_keyring:
+            # Keyring doesn't provide a list operation
+            # We need to maintain a separate index
+            # For now, fall through to encrypted file
+            pass
+        
+        keys = self._load_encrypted_keys()
+        return list(keys.keys())
+    
+    def get_storage_method(self) -> str:
+        """Get the current storage method being used.
+        
+        Returns:
+            'keyring' or 'encrypted_file'
+        """
+        return "keyring" if self.use_keyring else "encrypted_file"
+    
+    def migrate_from_plaintext(self, plaintext_keys: dict[str, str]) -> int:
+        """Migrate keys from plaintext config to secure storage.
+        
+        Args:
+            plaintext_keys: Dictionary of name -> api_key
+            
+        Returns:
+            Number of keys migrated
+        """
+        count = 0
+        for name, api_key in plaintext_keys.items():
+            self.store_key(name, api_key)
+            count += 1
+        return count