devnomads-cli 0.3.0__tar.gz → 0.4.1__tar.gz

{devnomads_cli-0.3.0 → devnomads_cli-0.4.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devnomads-cli
-Version: 0.3.0
+Version: 0.4.1
 Summary: Manage your DevNomads services from the command line
 Author-email: DevNomads <support@devnomads.nl>
 License: MIT
@@ -11,9 +11,7 @@ Requires-Dist: typer>=0.12
 Requires-Dist: httpx>=0.27
 Requires-Dist: rich>=13
 Requires-Dist: cryptography>=42
-Requires-Dist: devnomads>=0.1
-Provides-Extra: cert
-Requires-Dist: devnomads[acme]>=0.1; extra == "cert"
+Requires-Dist: devnomads[acme]>=0.2.3
 Dynamic: license-file
 
 # dncli
@@ -56,7 +54,7 @@ Sleutels**, then store it:
 dncli configure
 ```
 
-The key is written to `~/.config/dnctl/credentials`, readable only
+The key is written to `~/.config/dncli/credentials`, readable only
 by you. From here every command works:
 
 ```sh
@@ -128,13 +126,21 @@ dncli services list | jq -r '.[].entity'
 
 ## Certificates
 
-The `cert` extra adds Let's Encrypt issuance over DNS-01 and HTTP-01:
+`dncli` issues Let's Encrypt certificates over DNS-01 and HTTP-01:
 
 ```sh
-uv tool install "devnomads-cli[cert]"
-dncli cert issue example.com -d "*.example.com"
+dncli cert issue example.com -d www.example.com -d "*.example.com"
 ```
 
+The first argument is the primary domain (the certificate CN); add
+extra names (SANs) by repeating `--san`/`-d`. The certificate is
+written to `~/.config/dncli/certs/<domain>/` as `cert.pem`,
+`fullchain.pem`, `chain.pem`, and `privkey.pem` (0600); override the
+location with `--out`.
+
+Keys are ECDSA P-384 by default. Pick another with `--key-type`
+(`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
+
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:
 
 ```sh

{devnomads_cli-0.3.0 → devnomads_cli-0.4.1}/README.md

@@ -38,7 +38,7 @@ Sleutels**, then store it:
 dncli configure
 ```
 
-The key is written to `~/.config/dnctl/credentials`, readable only
+The key is written to `~/.config/dncli/credentials`, readable only
 by you. From here every command works:
 
 ```sh
@@ -110,13 +110,21 @@ dncli services list | jq -r '.[].entity'
 
 ## Certificates
 
-The `cert` extra adds Let's Encrypt issuance over DNS-01 and HTTP-01:
+`dncli` issues Let's Encrypt certificates over DNS-01 and HTTP-01:
 
 ```sh
-uv tool install "devnomads-cli[cert]"
-dncli cert issue example.com -d "*.example.com"
+dncli cert issue example.com -d www.example.com -d "*.example.com"
 ```
 
+The first argument is the primary domain (the certificate CN); add
+extra names (SANs) by repeating `--san`/`-d`. The certificate is
+written to `~/.config/dncli/certs/<domain>/` as `cert.pem`,
+`fullchain.pem`, `chain.pem`, and `privkey.pem` (0600); override the
+location with `--out`.
+
+Keys are ECDSA P-384 by default. Pick another with `--key-type`
+(`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
+
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:
 
 ```sh

{devnomads_cli-0.3.0 → devnomads_cli-0.4.1}/devnomads_cli.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devnomads-cli
-Version: 0.3.0
+Version: 0.4.1
 Summary: Manage your DevNomads services from the command line
 Author-email: DevNomads <support@devnomads.nl>
 License: MIT
@@ -11,9 +11,7 @@ Requires-Dist: typer>=0.12
 Requires-Dist: httpx>=0.27
 Requires-Dist: rich>=13
 Requires-Dist: cryptography>=42
-Requires-Dist: devnomads>=0.1
-Provides-Extra: cert
-Requires-Dist: devnomads[acme]>=0.1; extra == "cert"
+Requires-Dist: devnomads[acme]>=0.2.3
 Dynamic: license-file
 
 # dncli
@@ -56,7 +54,7 @@ Sleutels**, then store it:
 dncli configure
 ```
 
-The key is written to `~/.config/dnctl/credentials`, readable only
+The key is written to `~/.config/dncli/credentials`, readable only
 by you. From here every command works:
 
 ```sh
@@ -128,13 +126,21 @@ dncli services list | jq -r '.[].entity'
 
 ## Certificates
 
-The `cert` extra adds Let's Encrypt issuance over DNS-01 and HTTP-01:
+`dncli` issues Let's Encrypt certificates over DNS-01 and HTTP-01:
 
 ```sh
-uv tool install "devnomads-cli[cert]"
-dncli cert issue example.com -d "*.example.com"
+dncli cert issue example.com -d www.example.com -d "*.example.com"
 ```
 
+The first argument is the primary domain (the certificate CN); add
+extra names (SANs) by repeating `--san`/`-d`. The certificate is
+written to `~/.config/dncli/certs/<domain>/` as `cert.pem`,
+`fullchain.pem`, `chain.pem`, and `privkey.pem` (0600); override the
+location with `--out`.
+
+Keys are ECDSA P-384 by default. Pick another with `--key-type`
+(`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
+
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:
 
 ```sh

{devnomads_cli-0.3.0 → devnomads_cli-0.4.1}/devnomads_cli.egg-info/requires.txt

@@ -2,7 +2,4 @@ typer>=0.12
 httpx>=0.27
 rich>=13
 cryptography>=42
-devnomads>=0.1
-
-[cert]
-devnomads[acme]>=0.1
+devnomads[acme]>=0.2.3

{devnomads_cli-0.3.0 → devnomads_cli-0.4.1}/dncli.py

@@ -44,6 +44,7 @@ from devnomads.api import DevNomadsError
 from devnomads.api.client import _unwrap as _lib_unwrap
 from devnomads.dns import Dns, challenge_name
 from rich.console import Console
+from rich.markup import escape
 from rich.table import Table
 from typer.core import TyperGroup
 
@@ -71,7 +72,7 @@ class CliError(typer.Exit):
 
     def __init__(self, message: str) -> None:
         # soft_wrap keeps the error a single grep-able line
-        err_console.print(f"[red]error:[/] {message}", soft_wrap=True)
+        err_console.print(f"[red]error:[/] {escape(message)}", soft_wrap=True)
         self.message = message
         super().__init__(code=1)
 
@@ -85,7 +86,7 @@ def config_dir() -> Path:
         return Path(env_dir)
     xdg = os.environ.get("XDG_CONFIG_HOME")
     base = Path(xdg) if xdg else Path.home() / ".config"
-    return base / "dnctl"
+    return base / "dncli"
 
 
 def credentials_path() -> Path:
@@ -1275,10 +1276,12 @@ def _hook_dispatch(dns: Dns, operation: str, args: list[str]) -> int:
         else:
             dns.unset_txt(record, token_value)
     except (AuthError, ApiError) as exc:
-        err_console.print(f"[red]error:[/] {_error_message(exc.status, exc.detail)}")
+        err_console.print(
+            f"[red]error:[/] {escape(_error_message(exc.status, exc.detail))}"
+        )
         return 1
     except DevNomadsError as exc:
-        err_console.print(f"[red]error:[/] {exc}")
+        err_console.print(f"[red]error:[/] {escape(str(exc))}")
         return 1
     return 0
 
@@ -1306,7 +1309,7 @@ def hook_main(argv: list[str] | None = None) -> int:
     try:
         client = ApiClient.from_environment()
     except DevNomadsError as exc:
-        err_console.print(f"[red]error:[/] {exc}")
+        err_console.print(f"[red]error:[/] {escape(str(exc))}")
         return 1
     try:
         return _hook_dispatch(Dns(client), operation, argv[2:])
@@ -1359,17 +1362,26 @@ LE_STAGING_DIRECTORY = "https://acme-staging-v02.api.letsencrypt.org/directory"
 CERT_RENEW_WINDOW_DAYS = 30
 
 
+class KeyType(str, Enum):
+    """Certificate key types. ECDSA is the default; RSA on request."""
+
+    ecdsa256 = "ecdsa256"
+    ecdsa384 = "ecdsa384"
+    ecdsa521 = "ecdsa521"
+    rsa2048 = "rsa2048"
+    rsa4096 = "rsa4096"
+
+
 def _load_acme() -> Any:
-    """Import devnomads.acme lazily, with a clean message if the extra is
-    missing."""
+    """Import devnomads.acme lazily, so non-cert commands skip the ACME
+    stack at startup."""
 
     try:
         import devnomads.acme as acme
     except ImportError as exc:
         raise CliError(
-            "certificate issuance needs the 'cert' extra; install it with: "
-            'pip install "devnomads-cli[cert]" '
-            '(or: uv tool install "devnomads-cli[cert]")'
+            "could not import devnomads.acme; the install looks broken - "
+            'reinstall with: pip install --force-reinstall "devnomads-cli"'
         ) from exc
     return acme
 
@@ -1496,8 +1508,13 @@ def cert_issue(
         str | None, typer.Option("--email", help="ACME account contact email.")
     ] = None,
     key_type: Annotated[
-        str, typer.Option("--key-type", help="Certificate key type.")
-    ] = "ec256",
+        KeyType,
+        typer.Option(
+            "--key-type",
+            help="Certificate key type "
+            "(ecdsa256/ecdsa384/ecdsa521/rsa2048/rsa4096).",
+        ),
+    ] = KeyType.ecdsa384,
     staging: Annotated[
         bool, typer.Option("--staging", help="Use the Let's Encrypt staging CA.")
     ] = False,
@@ -1526,7 +1543,7 @@ def cert_issue(
         webroot=webroot,
         standalone=standalone,
         email=email,
-        key_type=key_type,
+        key_type=key_type.value,
         staging=staging,
         out_dir=_cert_out_dir(out, domain),
     )
@@ -1562,8 +1579,13 @@ def cert_renew(
         str | None, typer.Option("--email", help="ACME account contact email.")
     ] = None,
     key_type: Annotated[
-        str, typer.Option("--key-type", help="Certificate key type.")
-    ] = "ec256",
+        KeyType,
+        typer.Option(
+            "--key-type",
+            help="Certificate key type "
+            "(ecdsa256/ecdsa384/ecdsa521/rsa2048/rsa4096).",
+        ),
+    ] = KeyType.ecdsa384,
     staging: Annotated[
         bool, typer.Option("--staging", help="Use the Let's Encrypt staging CA.")
     ] = False,
@@ -1595,7 +1617,7 @@ def cert_renew(
             webroot=None,
             standalone=False,
             email=email,
-            key_type=key_type,
+            key_type=key_type.value,
             staging=staging,
             out_dir=out_dir,
         )

{devnomads_cli-0.3.0 → devnomads_cli-0.4.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "devnomads-cli"
-version = "0.3.0"
+version = "0.4.1"
 description = "Manage your DevNomads services from the command line"
 readme = "README.md"
 requires-python = ">=3.10"
@@ -11,12 +11,9 @@ dependencies = [
     "httpx>=0.27",
     "rich>=13",
     "cryptography>=42",
-    "devnomads>=0.1",
+    "devnomads[acme]>=0.2.3",
 ]
 
-[project.optional-dependencies]
-cert = ["devnomads[acme]>=0.1"]
-
 [project.scripts]
 dncli = "dncli:run"
 dncli-dns-hook = "dncli:hook_main"

{devnomads_cli-0.3.0 → devnomads_cli-0.4.1}/tests/test_cert.py

@@ -57,6 +57,56 @@ def test_issue_dns01_default_uses_dns_provider(configured, captured, isolated_co
     assert stat.S_IMODE(privkey.stat().st_mode) == 0o600
 
 
+def _spy_generate_key(monkeypatch, seen):
+    import devnomads.acme as acme
+
+    def spy(algo):
+        seen["algo"] = algo
+        return object()
+
+    monkeypatch.setattr(acme, "generate_key", spy)
+
+
+def test_issue_default_key_type_is_ecdsa384(
+    configured, captured, isolated_config, monkeypatch
+):
+    seen = {}
+    _spy_generate_key(monkeypatch, seen)
+    result = runner.invoke(app, ["cert", "issue", "example.com"])
+    assert result.exit_code == 0, result.output
+    assert seen["algo"] == "ecdsa384"
+
+
+def test_issue_key_type_ecdsa521(configured, captured, isolated_config, monkeypatch):
+    seen = {}
+    _spy_generate_key(monkeypatch, seen)
+    result = runner.invoke(
+        app, ["cert", "issue", "example.com", "--key-type", "ecdsa521"]
+    )
+    assert result.exit_code == 0, result.output
+    assert seen["algo"] == "ecdsa521"
+
+
+def test_issue_key_type_is_selectable(
+    configured, captured, isolated_config, monkeypatch
+):
+    seen = {}
+    _spy_generate_key(monkeypatch, seen)
+    result = runner.invoke(
+        app, ["cert", "issue", "example.com", "--key-type", "rsa4096"]
+    )
+    assert result.exit_code == 0, result.output
+    assert seen["algo"] == "rsa4096"
+
+
+def test_issue_rejects_unknown_key_type():
+    result = runner.invoke(
+        app, ["cert", "issue", "example.com", "--key-type", "ed25519"]
+    )
+    assert result.exit_code != 0
+    assert "ed25519" in result.output
+
+
 def test_issue_http01_webroot_uses_webroot_solver(
     configured, captured, isolated_config, tmp_path
 ):
@@ -119,7 +169,7 @@ def test_issue_out_dir_override(configured, captured, isolated_config, tmp_path)
     assert (out / "fullchain.pem").read_text() == FULLCHAIN
 
 
-def test_load_acme_missing_extra_message(monkeypatch):
+def test_load_acme_import_error_message(monkeypatch):
     import builtins
 
     real_import = builtins.__import__
@@ -132,7 +182,7 @@ def test_load_acme_missing_extra_message(monkeypatch):
     monkeypatch.setattr(builtins, "__import__", fake_import)
     result = runner.invoke(app, ["cert", "issue", "example.com"])
     assert result.exit_code == 1
-    assert "cert" in result.output
+    assert "devnomads.acme" in result.output
 
 
 def test_renew_skips_valid_cert(configured, captured, isolated_config):

{devnomads_cli-0.3.0 → devnomads_cli-0.4.1}/tests/test_config.py

@@ -16,14 +16,14 @@ def test_config_dir_from_env(isolated_config):
 def test_config_dir_xdg_fallback(monkeypatch, tmp_path):
     monkeypatch.delenv(dncli.ENV_CONFIG_DIR, raising=False)
     monkeypatch.setenv("XDG_CONFIG_HOME", str(tmp_path / "xdg"))
-    assert dncli.config_dir() == tmp_path / "xdg" / "dnctl"
+    assert dncli.config_dir() == tmp_path / "xdg" / "dncli"
 
 
 def test_config_dir_home_fallback(monkeypatch, tmp_path):
     monkeypatch.delenv(dncli.ENV_CONFIG_DIR, raising=False)
     monkeypatch.delenv("XDG_CONFIG_HOME", raising=False)
     monkeypatch.setattr(Path, "home", lambda: tmp_path)
-    assert dncli.config_dir() == tmp_path / ".config" / "dnctl"
+    assert dncli.config_dir() == tmp_path / ".config" / "dncli"
 
 
 def test_save_credentials_sets_strict_permissions(write_profile):