exchange-keyshare 0.1.0__tar.gz

exchange_keyshare-0.1.0/.claude/settings.local.json

@@ -0,0 +1,12 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(uv run:*)",
+      "Bash(git add:*)",
+      "Bash(git commit -m \"$\\(cat <<''EOF''\nFix S3 upload AccessDenied by specifying KMS encryption\n\nThe bucket policy requires explicit KMS encryption on uploads, but\nupload_credential wasn''t passing ServerSideEncryption or SSEKMSKeyId\nparameters. Also, kms_key_arn was retrieved from CloudFormation but\nnever saved to the config file.\n\n- Add kms_key_arn field to Config class\n- Save kms_key_arn during setup\n- Pass kms_key_arn to all upload_credential calls\n- Remove outdated placeholder ARN test\n\nCo-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>\nEOF\n\\)\")",
+      "Bash(git push)",
+      "Bash(uv sync:*)",
+      "Bash(git commit:*)"
+    ]
+  }
+}

exchange_keyshare-0.1.0/.github/workflows/ci.yaml

@@ -0,0 +1,28 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+
+      - name: Set up Python
+        run: uv python install 3.12
+
+      - name: Install dependencies
+        run: uv sync
+
+      - name: Run type checker
+        run: uv run pyright
+
+      - name: Run tests
+        run: uv run pytest

exchange_keyshare-0.1.0/.github/workflows/publish.yml

@@ -0,0 +1,20 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Build package
+        run: uv build
+
+      - name: Publish to TestPyPI
+        run: uv publish --publish-url https://test.pypi.org/legacy/ --token ${{ secrets.TEST_PYPI_TOKEN }}

exchange_keyshare-0.1.0/.gitignore

@@ -0,0 +1,39 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+dist/
+*.egg-info/
+*.egg
+.eggs/
+
+# Virtual environments
+.venv/
+venv/
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Local config (keep out of repo)
+config.yaml
+
+# Worktrees
+.worktrees/
+
+docs/plans
+.envrc

exchange_keyshare-0.1.0/CLAUDE.md

@@ -0,0 +1,122 @@
+# CLAUDE.md - exchange-keyshare
+
+CLI tool for market makers to securely share exchange API credentials.
+
+## Tech Stack
+
+- Python 3.12+
+- Click (CLI framework)
+- boto3 (AWS SDK)
+- rich (terminal UI)
+- questionary (interactive prompts)
+- uv (package manager)
+- pyright strict mode
+
+## Project Structure
+
+```
+src/exchange_keyshare/
+├── cli.py              # CLI entrypoint
+├── config.py           # Config file handling (~/.config/exchange-keyshare/)
+├── setup.py            # Stack creation logic
+├── keys.py             # S3 credential operations
+├── schema.py           # Credential validation
+├── cfn.py              # CloudFormation template loading
+├── templates/
+│   └── stack.yaml      # CloudFormation template
+└── commands/
+    ├── setup.py        # `exchange-keyshare setup` command
+    └── keys.py         # `exchange-keyshare keys` subcommands
+```
+
+## Commands
+
+```bash
+exchange-keyshare setup          # Create AWS infrastructure
+exchange-keyshare keys list      # List credentials
+exchange-keyshare keys create    # Create credential (interactive)
+exchange-keyshare keys delete    # Delete credential
+exchange-keyshare keys update    # Update pairs/labels
+```
+
+## Configuration
+
+Config file: `~/.config/exchange-keyshare/config.yaml`
+
+Created by `setup` command with:
+- `bucket`: S3 bucket name
+- `region`: AWS region
+- `stack_name`: CloudFormation stack name
+- `role_arn`: IAM role ARN
+- `external_id`: External ID for role assumption
+
+## Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `EXCHANGE_KEYSHARE_CONFIG` | Override config file path |
+| `AWS_REGION` / `AWS_DEFAULT_REGION` | Default AWS region |
+
+## CloudFormation Template
+
+The `setup` command deploys `templates/stack.yaml` which creates:
+
+**Resources:**
+- `CredentialsBucket` - S3 bucket for credentials (versioned, KMS-encrypted)
+- `AccessLogsBucket` - S3 access logs (90-day retention)
+- `CredentialsKey` - KMS key for encryption (auto-rotating)
+- `CredentialsKeyAlias` - KMS key alias
+- `ConsumerAccessRole` - IAM role for credential consumer to assume (read-only)
+- `CredentialsBucketPolicy` - Enforces KMS encryption on uploads
+- `AccessLogsBucketPolicy` - Allows S3 logging service
+
+**Security hardening:**
+- `DeletionPolicy: Retain` on bucket and KMS key (prevents accidental data loss)
+- Bucket policy denies unencrypted uploads or wrong KMS key
+- External ID required for role assumption (confused deputy protection)
+- All public access blocked
+- S3 access logging enabled
+
+**Consumer role permissions (read-only):**
+- `s3:ListBucket` (only `exchange-credentials/*` prefix)
+- `s3:GetObject` (only `exchange-credentials/*`)
+- `kms:Decrypt`, `kms:DescribeKey`
+
+## Credential Schema
+
+Credentials stored as YAML in S3 under `exchange-credentials/` prefix:
+
+```yaml
+version: "1"
+exchange: binance  # binance, coinbase, kraken, kucoin, bitget
+credential:
+  api_key: "..."
+  api_secret: "..."
+  passphrase: "..."  # Required for coinbase, kucoin, bitget
+pairs:              # Optional, BASE/QUOTE format
+  - BTC/USDT
+  - ETH/USDT
+labels:             # Optional
+  - key: environment
+    value: production
+```
+
+## Development
+
+```bash
+# Install dependencies
+uv sync
+
+# Run tests
+uv run pytest
+
+# Type checking
+uv run pyright
+
+# Linting
+uv run ruff check src/
+```
+
+## Worktrees
+
+Use `.worktrees/` directory for feature branches (already in `.gitignore`).

exchange_keyshare-0.1.0/PKG-INFO

@@ -0,0 +1,10 @@
+Metadata-Version: 2.4
+Name: exchange-keyshare
+Version: 0.1.0
+Summary: CLI for market makers to securely share exchange API credentials
+Requires-Python: >=3.12
+Requires-Dist: boto3>=1.34.0
+Requires-Dist: click>=8.1.0
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: questionary>=2.0.0
+Requires-Dist: rich>=13.0.0

exchange_keyshare-0.1.0/README.md

@@ -0,0 +1,62 @@
+# exchange-keyshare
+
+CLI tool for market makers to securely share exchange API credentials.
+
+## Before You Start
+
+The credential consumer will provide you with two values:
+- **Principal ARN**
+- **External ID**
+
+Keep these ready for the setup process.
+
+## Prerequisites
+
+- Python 3.12+
+- AWS CLI configured with credentials that can create CloudFormation stacks
+
+## Installation
+
+```bash
+pip install exchange-keyshare
+```
+
+## Quick Start
+
+### 1. Set up infrastructure
+
+```bash
+exchange-keyshare setup
+```
+
+This creates:
+- An S3 bucket for storing credentials (KMS-encrypted, versioned)
+- A KMS key for encryption (you control it)
+- An IAM role for the credential consumer to assume (read-only access)
+
+After setup, share the displayed Role ARN and Bucket with the credential consumer.
+
+### 2. Add credentials
+
+```bash
+exchange-keyshare keys create
+```
+
+Follow the interactive prompts to select an exchange and enter your API credentials.
+
+### 3. Manage credentials
+
+```bash
+# List all credentials
+exchange-keyshare keys list
+
+# Update pairs or labels
+exchange-keyshare keys update <key>
+
+# Delete a credential
+exchange-keyshare keys delete <key>
+```
+
+## Configuration
+
+Config is stored at `~/.config/exchange-keyshare/config.yaml` after running setup.

exchange_keyshare-0.1.0/pyproject.toml

@@ -0,0 +1,45 @@
+[project]
+name = "exchange-keyshare"
+version = "0.1.0"
+description = "CLI for market makers to securely share exchange API credentials"
+requires-python = ">=3.12"
+dependencies = [
+    "click>=8.1.0",
+    "boto3>=1.34.0",
+    "pyyaml>=6.0",
+    "rich>=13.0.0",
+    "questionary>=2.0.0",
+]
+
+[project.scripts]
+exchange-keyshare = "exchange_keyshare.cli:main"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/exchange_keyshare"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+pythonpath = ["src"]
+
+[tool.ruff]
+line-length = 100
+target-version = "py312"
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "UP"]
+
+[tool.pyright]
+pythonVersion = "3.12"
+typeCheckingMode = "strict"
+reportUnnecessaryCast = false  # False positive with boto3-stubs
+
+[dependency-groups]
+dev = [
+    "boto3-stubs[cloudformation,s3]>=1.34.0",
+    "pyright>=1.1.408",
+    "pytest>=9.0.2",
+]

exchange_keyshare-0.1.0/src/exchange_keyshare/__init__.py

@@ -0,0 +1,3 @@
+"""Exchange Keyshare - CLI for market makers to securely share exchange credentials."""
+
+__version__ = "0.1.0"

exchange_keyshare-0.1.0/src/exchange_keyshare/cfn.py

@@ -0,0 +1,14 @@
+"""CloudFormation operations for exchange-keyshare."""
+
+from pathlib import Path
+
+
+def get_template_path() -> Path:
+    """Get path to CloudFormation template."""
+    return Path(__file__).parent / "templates" / "stack.yaml"
+
+
+def load_template() -> str:
+    """Load CloudFormation template as string."""
+    path = get_template_path()
+    return path.read_text()

exchange_keyshare-0.1.0/src/exchange_keyshare/cli.py

@@ -0,0 +1,37 @@
+"""CLI entrypoint for exchange-keyshare."""
+
+from pathlib import Path
+
+import click
+
+from exchange_keyshare.commands.keys import keys
+from exchange_keyshare.commands.setup import setup
+from exchange_keyshare.config import Config
+
+
+@click.group()
+@click.version_option()
+@click.option(
+    "--config",
+    "config_path",
+    envvar="EXCHANGE_KEYSHARE_CONFIG",
+    type=click.Path(),
+    help="Path to config file",
+)
+@click.pass_context
+def main(ctx: click.Context, config_path: str | None) -> None:
+    """Exchange Keyshare - Securely share exchange API credentials."""
+    ctx.ensure_object(dict)
+    config = Config()
+    if config_path:
+        config.config_path = Path(config_path)
+    config.load()
+    ctx.obj["config"] = config
+
+
+main.add_command(setup)
+main.add_command(keys)
+
+
+if __name__ == "__main__":
+    main()

exchange_keyshare-0.1.0/src/exchange_keyshare/commands/__init__.py

@@ -0,0 +1 @@
+"""CLI command modules."""