dtSpark 1.0.5__tar.gz → 1.0.9__tar.gz

{dtspark-1.0.5 → dtspark-1.0.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dtSpark
-Version: 1.0.5
+Version: 1.0.9
 Summary: Secure Personal AI Research Kit - Multi-provider LLM CLI/Web interface with MCP tool integration
 Home-page: https://github.com/digital-thought/dtSpark
 Author: Matthew Westwood-Hill

dtspark-1.0.9/src/dtSpark/_version.txt

@@ -0,0 +1 @@
+1.0.9

{dtspark-1.0.5 → dtspark-1.0.9}/src/dtSpark/core/application.py

@@ -124,6 +124,7 @@ class AWSBedrockCLI(AbstractApp):
         if value is not None:
             return value
 
+
         # Fallback: Navigate the dict manually
         parts = key.split('.')
         if len(parts) > 1:
@@ -1258,10 +1259,6 @@ class AWSBedrockCLI(AbstractApp):
         from dtSpark.cli_interface import CLIInterface
         cli = CLIInterface()
 
-        # Initialize secrets manager for storing sensitive credentials
-        from dtPyAppFramework.settings import Settings
-        secret_manager = Settings().secret_manager
-
         # Display SPARK splash screen
         cli.print_splash_screen(
             full_name=full_name(),
@@ -1283,10 +1280,23 @@ class AWSBedrockCLI(AbstractApp):
         ))
         cli.console.print()
 
-        # Destination: user data directory
-        user_data_path = ApplicationPaths().usr_data_root_path
-        dest_config_dir = os.path.join(user_data_path, 'config')
+        # Destination: depends on CONTAINER_MODE environment variable
+        container_mode = os.environ.get('CONTAINER_MODE', '').lower() == 'true'
+        if container_mode:
+            # Container mode: use working directory
+            dest_config_dir = os.path.join(os.getcwd(), 'config')
+            secrets_dir = os.getcwd()
+        else:
+            # Normal mode: use user data directory
+            user_data_path = ApplicationPaths().usr_data_root_path
+            dest_config_dir = os.path.join(user_data_path, 'config')
+            secrets_dir = user_data_path
+
         dest_config = os.path.join(dest_config_dir, 'config.yaml')
+        secrets_file = os.path.join(secrets_dir, 'secrets.yaml')
+
+        # Collection for secrets to be written to secrets.yaml
+        secrets_to_store = []
 
         cli.print_info(f"Configuration will be created at: {dest_config}")
         cli.console.print()
@@ -1327,8 +1337,14 @@ class AWSBedrockCLI(AbstractApp):
         # ═══════════════════════════════════════════════════════════════
         # AWS Bedrock Configuration
         # ═══════════════════════════════════════════════════════════════
+        aws_auth_method = "sso"
         aws_profile = "default"
         aws_region = "us-east-1"
+        aws_account_name = ""
+        aws_account_id = ""
+        aws_access_key_id = ""
+        aws_secret_access_key = ""
+        aws_session_token = ""
         enable_cost_tracking = False
 
         if use_aws_bedrock:
@@ -1338,16 +1354,94 @@ class AWSBedrockCLI(AbstractApp):
             cli.print_separator("═")
             cli.console.print()
 
-            aws_profile = Prompt.ask(
-                "AWS SSO profile name",
-                default="default"
+            # Authentication method selection
+            cli.console.print("[bold]Authentication Method[/bold]")
+            cli.console.print()
+            cli.console.print("  [1] SSO Profile - AWS Single Sign-On (recommended for interactive use)")
+            cli.console.print("  [2] IAM Access Keys - Long-lived credentials (recommended for autonomous actions)")
+            cli.console.print("  [3] Session Credentials - Temporary credentials with session token")
+            cli.console.print()
+            cli.console.print("[dim]Note: SSO and session credentials have timeouts which may interrupt[/dim]")
+            cli.console.print("[dim]autonomous actions running on a schedule. IAM access keys are recommended[/dim]")
+            cli.console.print("[dim]for unattended/scheduled operations as they do not expire.[/dim]")
+            cli.console.print()
+
+            auth_method_choices = {
+                "1": "sso",
+                "2": "iam",
+                "3": "session"
+            }
+            auth_method_choice = Prompt.ask(
+                "Select authentication method",
+                choices=["1", "2", "3"],
+                default="1"
             )
+            aws_auth_method = auth_method_choices[auth_method_choice]
+
+            cli.console.print()
 
+            # Region (common to all methods)
             aws_region = Prompt.ask(
                 "AWS region",
                 default="us-east-1"
             )
 
+            # SSO Profile authentication
+            if aws_auth_method == "sso":
+                cli.console.print()
+                aws_profile = Prompt.ask(
+                    "AWS SSO profile name",
+                    default="default"
+                )
+
+            # IAM or Session authentication
+            if aws_auth_method in ["iam", "session"]:
+                cli.console.print()
+                cli.console.print("[dim]AWS Account Information (optional, for reference):[/dim]")
+                aws_account_name = Prompt.ask(
+                    "AWS account name (friendly name)",
+                    default=""
+                )
+                aws_account_id = Prompt.ask(
+                    "AWS account ID (12-digit number)",
+                    default=""
+                )
+
+                cli.console.print()
+                cli.console.print("[dim]AWS Credentials (will be stored in secrets.yaml for secure ingestion):[/dim]")
+
+                # Access Key ID (not typically considered secret, but mask anyway for consistency)
+                aws_access_key_id_input = Prompt.ask(
+                    "AWS access key ID",
+                    default=""
+                )
+                if aws_access_key_id_input:
+                    secrets_to_store.append({"name": "aws_access_key_id", "value": aws_access_key_id_input})
+                    aws_access_key_id = "SEC/aws_access_key_id"
+
+                # Secret Access Key (sensitive - mask input)
+                aws_secret_access_key_input = Prompt.ask(
+                    "AWS secret access key",
+                    default="",
+                    password=True
+                )
+                if aws_secret_access_key_input:
+                    secrets_to_store.append({"name": "aws_secret_access_key", "value": aws_secret_access_key_input})
+                    aws_secret_access_key = "SEC/aws_secret_access_key"
+
+                # Session Token (only for session auth)
+                if aws_auth_method == "session":
+                    cli.console.print()
+                    aws_session_token_input = Prompt.ask(
+                        "AWS session token",
+                        default="",
+                        password=True
+                    )
+                    if aws_session_token_input:
+                        secrets_to_store.append({"name": "aws_session_token", "value": aws_session_token_input})
+                        aws_session_token = "SEC/aws_session_token"
+
+            cli.console.print()
             enable_cost_tracking = Confirm.ask(
                 "Enable AWS cost tracking?",
                 default=False
@@ -1384,14 +1478,14 @@ class AWSBedrockCLI(AbstractApp):
 
             anthropic_api_key_input = Prompt.ask(
                 "Anthropic API key (or press Enter to set via environment variable later)",
-                default=""
+                default="",
+                password=True
             )
 
-            # Store API key in secrets manager if provided
+            # Store API key in secrets.yaml if provided
             if anthropic_api_key_input:
-                secret_manager.set_secret("anthropic_api_key", anthropic_api_key_input)
+                secrets_to_store.append({"name": "anthropic_api_key", "value": anthropic_api_key_input})
                 anthropic_api_key = "SEC/anthropic_api_key"
-                cli.print_success("✓ Anthropic API key securely stored in secrets manager")
             else:
                 anthropic_api_key = ""
 
@@ -1450,23 +1544,21 @@ class AWSBedrockCLI(AbstractApp):
             cli.console.print("[dim]Leave username/password empty (null) to be prompted on startup (more secure)[/dim]")
             db_username_input = Prompt.ask("Database username (or press Enter for null)", default="")
 
-            # Store database username in secrets manager if provided
+            # Store database username in secrets.yaml if provided
             if db_username_input:
                 secret_key = f"db_{database_type}_username"
-                secret_manager.set_secret(secret_key, db_username_input)
+                secrets_to_store.append({"name": secret_key, "value": db_username_input})
                 db_username = f"SEC/{secret_key}"
-                cli.print_success(f"✓ Database username securely stored in secrets manager")
             else:
                 db_username = "null"
 
-            db_password_input = Prompt.ask("Database password (or press Enter for null)", default="")
+            db_password_input = Prompt.ask("Database password (or press Enter for null)", default="", password=True)
 
-            # Store database password in secrets manager if provided
+            # Store database password in secrets.yaml if provided
             if db_password_input:
                 secret_key = f"db_{database_type}_password"
-                secret_manager.set_secret(secret_key, db_password_input)
+                secrets_to_store.append({"name": secret_key, "value": db_password_input})
                 db_password = f"SEC/{secret_key}"
-                cli.print_success(f"✓ Database password securely stored in secrets manager")
             else:
                 db_password = "null"
 
@@ -1811,21 +1903,66 @@ class AWSBedrockCLI(AbstractApp):
             )
 
             # AWS settings
-            config_content = re.sub(
-                r'(sso_profile:\s+)[^\s#]+',
-                f'\\g<1>{aws_profile}',
-                config_content
-            )
-            config_content = re.sub(
-                r'(region:\s+)[^\s#]+',
-                f'\\g<1>{aws_region}',
-                config_content
-            )
-            config_content = re.sub(
-                r'(cost_tracking:\s*\n\s+enabled:\s+)(true|false)',
-                f'\\g<1>{str(enable_cost_tracking).lower()}',
-                config_content
-            )
+            if use_aws_bedrock:
+                # Auth method
+                config_content = re.sub(
+                    r'(auth_method:\s+)[^\s#]+',
+                    f'\\g<1>{aws_auth_method}',
+                    config_content
+                )
+                # Region
+                config_content = re.sub(
+                    r'(aws_bedrock:\s*\n(?:.*\n)*?\s+region:\s+)[^\s#]+',
+                    f'\\g<1>{aws_region}',
+                    config_content
+                )
+                # Account name (only if provided)
+                if aws_account_name:
+                    config_content = re.sub(
+                        r'(account_name:\s+)[^\s#]+',
+                        f'\\g<1>{aws_account_name}',
+                        config_content
+                    )
+                # Account ID (only if provided)
+                if aws_account_id:
+                    config_content = re.sub(
+                        r'(account_id:\s+)[^\s#]+',
+                        f'\\g<1>{aws_account_id}',
+                        config_content
+                    )
+                # SSO profile
+                config_content = re.sub(
+                    r'(sso_profile:\s+)[^\s#]+',
+                    f'\\g<1>{aws_profile}',
+                    config_content
+                )
+                # Access key ID (only if provided)
+                if aws_access_key_id:
+                    config_content = re.sub(
+                        r'(access_key_id:\s+)[^\s#]+',
+                        f'\\g<1>{aws_access_key_id}',
+                        config_content
+                    )
+                # Secret access key (only if provided)
+                if aws_secret_access_key:
+                    config_content = re.sub(
+                        r'(secret_access_key:\s+)[^\s#]+',
+                        f'\\g<1>{aws_secret_access_key}',
+                        config_content
+                    )
+                # Session token (only if provided)
+                if aws_session_token:
+                    config_content = re.sub(
+                        r'(session_token:\s+)[^\s#]+',
+                        f'\\g<1>{aws_session_token}',
+                        config_content
+                    )
+                # Cost tracking
+                config_content = re.sub(
+                    r'(cost_tracking:\s*\n\s+enabled:\s+)(true|false)',
+                    f'\\g<1>{str(enable_cost_tracking).lower()}',
+                    config_content
+                )
 
             # Ollama settings
             if use_ollama:
@@ -1835,11 +1972,11 @@ class AWSBedrockCLI(AbstractApp):
                     config_content
                 )
 
-            # Anthropic settings
+            # Anthropic settings - update api_key under anthropic section
             if use_anthropic and anthropic_api_key:
                 config_content = re.sub(
-                    r'(api_key:\s+")[^"]*(")',
-                    f'\\g<1>{anthropic_api_key}\\g<2>',
+                    r'(anthropic:\s*\n\s+enabled:\s+(?:true|false)\s*#[^\n]*\n\s+api_key:\s+)[^\s#]+',
+                    f'\\g<1>{anthropic_api_key}',
                     config_content
                 )
 
@@ -1965,30 +2102,34 @@ class AWSBedrockCLI(AbstractApp):
                 f.write(config_content)
 
             cli.console.print()
-            cli.print_success(f"✓ Configuration file created successfully!")
+            cli.print_success("✓ Configuration file created successfully!")
             cli.console.print()
             cli.print_info(f"Location: {dest_config}")
             cli.console.print()
 
-            # Display summary of secrets stored
-            secrets_stored = []
-            if use_anthropic and anthropic_api_key.startswith("SEC/"):
-                secrets_stored.append("• Anthropic API key")
-            if database_type != "sqlite":
-                if db_username.startswith("SEC/"):
-                    secrets_stored.append(f"• {database_type.upper()} database username")
-                if db_password.startswith("SEC/"):
-                    secrets_stored.append(f"• {database_type.upper()} database password")
-
-            if secrets_stored:
+            # Write secrets.yaml if there are secrets to store
+            if secrets_to_store:
+                import yaml
+                secrets_yaml_content = {"secrets": secrets_to_store}
+
+                # Ensure secrets directory exists
+                os.makedirs(secrets_dir, exist_ok=True)
+
+                with open(secrets_file, 'w', encoding='utf-8') as f:
+                    yaml.dump(secrets_yaml_content, f, default_flow_style=False, sort_keys=False)
+
                 cli.console.print()
                 cli.print_separator("─")
-                cli.console.print("[bold green]Secrets Securely Stored:[/bold green]")
-                for secret in secrets_stored:
-                    cli.console.print(f"  {secret}")
+                cli.console.print("[bold green]Secrets Written to secrets.yaml:[/bold green]")
+                for secret in secrets_to_store:
+                    cli.console.print(f"  • {secret['name']}")
+                cli.console.print()
+                cli.print_info(f"Location: {secrets_file}")
                 cli.console.print()
-                cli.console.print("[dim]These credentials are stored in the secrets manager and[/dim]")
-                cli.console.print("[dim]referenced in config.yaml as SEC/<key_name> for security.[/dim]")
+                cli.console.print("[dim]On next application startup, secrets will be automatically[/dim]")
+                cli.console.print("[dim]ingested into the secrets manager and secrets.yaml will be deleted.[/dim]")
+                cli.console.print()
+                cli.console.print("[dim]Secrets are referenced in config.yaml as SEC/<key_name>.[/dim]")
                 cli.print_separator("─")
                 cli.console.print()
 
@@ -3211,6 +3352,7 @@ class AWSBedrockCLI(AbstractApp):
             self.settings = Settings()
             self.settings.init_settings_readers()
 
+
             # Check if model is locked via configuration
             # Priority 1: Check for mandatory_model (forces model for ALL conversations)
             # Priority 2: Check for bedrock.model_id (legacy configuration)

{dtspark-1.0.5 → dtspark-1.0.9}/src/dtSpark/resources/config.yaml.template

@@ -83,20 +83,29 @@ llm_providers:
     enabled: true  # Set to false to disable AWS Bedrock
     region: us-east-1  # AWS region for Bedrock API
 
-    # Authentication method: Choose one of the following:
-    #
-    # 1. SSO Profile (recommended for interactive use)
+    # Authentication method: sso, iam, or session
+    # - sso: AWS SSO profile (recommended for interactive use, has session timeout)
+    # - iam: IAM access keys (recommended for autonomous actions, no timeout)
+    # - session: Temporary session credentials (has session timeout)
+    auth_method: sso  # Authentication method to use
+
+    # AWS Account Information (optional, for reference/logging)
+    account_name: null  # Friendly name for the AWS account
+    account_id: null  # AWS account ID (12-digit number)
+
+    # SSO Profile Authentication (used when auth_method: sso)
     sso_profile: default  # AWS SSO profile name
-    #
-    # 2. API Keys (for programmatic access, CI/CD, or when SSO is not available)
-    # Uncomment and set these to use API keys instead of SSO:
-    # access_key_id: YOUR_ACCESS_KEY_ID
-    # secret_access_key: YOUR_SECRET_ACCESS_KEY
-    # session_token: YOUR_SESSION_TOKEN  # Optional: for temporary credentials
-    #
-    # Note: API keys take precedence over SSO profile if both are configured
-    #
+
+    # API Key Authentication (used when auth_method: iam or session)
+    # For IAM: Set access_key_id and secret_access_key
+    # For Session: Also set session_token
+    # Note: Use SEC/<key_name> to reference secrets stored in secrets manager
+    access_key_id: null  # AWS access key ID
+    secret_access_key: null  # AWS secret access key (use SEC/aws_secret_access_key)
+    session_token: null  # Session token for temporary credentials (use SEC/aws_session_token)
+
     # Security Warning: Do NOT commit API keys to version control!
+    # Use the setup wizard (--setup) to securely store credentials in secrets manager
 
     cost_tracking:
       enabled: false  # Set to true to enable AWS Bedrock cost gathering and display

{dtspark-1.0.5 → dtspark-1.0.9}/src/dtSpark.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dtSpark
-Version: 1.0.5
+Version: 1.0.9
 Summary: Secure Personal AI Research Kit - Multi-provider LLM CLI/Web interface with MCP tool integration
 Home-page: https://github.com/digital-thought/dtSpark
 Author: Matthew Westwood-Hill

dtspark-1.0.5/src/dtSpark/_version.txt

@@ -1 +0,0 @@
-1.0.5