exchange-keyshare 0.1.0__tar.gz → 0.1.2__tar.gz

{exchange_keyshare-0.1.0 → exchange_keyshare-0.1.2}/.claude/settings.local.json

@@ -6,7 +6,12 @@
       "Bash(git commit -m \"$\\(cat <<''EOF''\nFix S3 upload AccessDenied by specifying KMS encryption\n\nThe bucket policy requires explicit KMS encryption on uploads, but\nupload_credential wasn''t passing ServerSideEncryption or SSEKMSKeyId\nparameters. Also, kms_key_arn was retrieved from CloudFormation but\nnever saved to the config file.\n\n- Add kms_key_arn field to Config class\n- Save kms_key_arn during setup\n- Pass kms_key_arn to all upload_credential calls\n- Remove outdated placeholder ARN test\n\nCo-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>\nEOF\n\\)\")",
       "Bash(git push)",
       "Bash(uv sync:*)",
-      "Bash(git commit:*)"
+      "Bash(git commit:*)",
+      "Bash(uv pip install:*)",
+      "WebFetch(domain:github.com)",
+      "WebSearch",
+      "WebFetch(domain:raw.githubusercontent.com)",
+      "WebFetch(domain:pypi.org)"
     ]
   }
 }

{exchange_keyshare-0.1.0 → exchange_keyshare-0.1.2}/CLAUDE.md

@@ -26,6 +26,8 @@ src/exchange_keyshare/
 │   └── stack.yaml      # CloudFormation template
 └── commands/
     ├── setup.py        # `exchange-keyshare setup` command
+    ├── config.py       # `exchange-keyshare config` command
+    ├── teardown.py     # `exchange-keyshare teardown` command
     └── keys.py         # `exchange-keyshare keys` subcommands
 ```
 
@@ -33,6 +35,8 @@ src/exchange_keyshare/
 
 ```bash
 exchange-keyshare setup          # Create AWS infrastructure
+exchange-keyshare config         # Display current configuration
+exchange-keyshare teardown       # Delete AWS infrastructure (revoke access)
 exchange-keyshare keys list      # List credentials
 exchange-keyshare keys create    # Create credential (interactive)
 exchange-keyshare keys delete    # Delete credential
@@ -47,8 +51,10 @@ Created by `setup` command with:
 - `bucket`: S3 bucket name
 - `region`: AWS region
 - `stack_name`: CloudFormation stack name
+- `stack_id`: CloudFormation stack ID (ARN)
 - `role_arn`: IAM role ARN
 - `external_id`: External ID for role assumption
+- `kms_key_arn`: KMS key ARN
 
 ## Environment Variables
 

{exchange_keyshare-0.1.0 → exchange_keyshare-0.1.2}/PKG-INFO

@@ -1,9 +1,10 @@
 Metadata-Version: 2.4
 Name: exchange-keyshare
-Version: 0.1.0
+Version: 0.1.2
 Summary: CLI for market makers to securely share exchange API credentials
 Requires-Python: >=3.12
 Requires-Dist: boto3>=1.34.0
+Requires-Dist: botocore[crt]>=1.34.0
 Requires-Dist: click>=8.1.0
 Requires-Dist: pyyaml>=6.0
 Requires-Dist: questionary>=2.0.0

{exchange_keyshare-0.1.0 → exchange_keyshare-0.1.2}/pyproject.toml

@@ -1,11 +1,12 @@
 [project]
 name = "exchange-keyshare"
-version = "0.1.0"
+version = "0.1.2"
 description = "CLI for market makers to securely share exchange API credentials"
 requires-python = ">=3.12"
 dependencies = [
     "click>=8.1.0",
     "boto3>=1.34.0",
+    "botocore[crt]>=1.34.0",
     "pyyaml>=6.0",
     "rich>=13.0.0",
     "questionary>=2.0.0",

{exchange_keyshare-0.1.0 → exchange_keyshare-0.1.2}/src/exchange_keyshare/cli.py

@@ -4,8 +4,10 @@ from pathlib import Path
 
 import click
 
+from exchange_keyshare.commands.config import config
 from exchange_keyshare.commands.keys import keys
 from exchange_keyshare.commands.setup import setup
+from exchange_keyshare.commands.teardown import teardown
 from exchange_keyshare.config import Config
 
 
@@ -30,6 +32,8 @@ def main(ctx: click.Context, config_path: str | None) -> None:
 
 
 main.add_command(setup)
+main.add_command(config)
+main.add_command(teardown)
 main.add_command(keys)
 
 

exchange_keyshare-0.1.2/src/exchange_keyshare/commands/config.py

@@ -0,0 +1,34 @@
+"""Config command for displaying current configuration."""
+
+import click
+from rich.console import Console
+from rich.table import Table
+
+from exchange_keyshare.config import Config
+
+
+@click.command()
+@click.pass_context
+def config(ctx: click.Context) -> None:
+    """Display current configuration."""
+    cfg: Config = ctx.obj["config"]
+    console = Console()
+
+    if not cfg.stack_name:
+        console.print("Not configured. Run [cyan]exchange-keyshare setup[/cyan] first.")
+        return
+
+    table = Table(show_header=False, box=None)
+    table.add_column("Key", style="dim")
+    table.add_column("Value", style="cyan")
+
+    table.add_row("Bucket", cfg.bucket or "")
+    table.add_row("Region", cfg.region or "")
+    table.add_row("Stack Name", cfg.stack_name or "")
+    table.add_row("Stack ID", cfg.stack_id or "")
+    table.add_row("Role ARN", cfg.role_arn or "")
+    table.add_row("External ID", cfg.external_id or "")
+    table.add_row("KMS Key ARN", cfg.kms_key_arn or "")
+    table.add_row("Config Path", str(cfg.config_path))
+
+    console.print(table)

{exchange_keyshare-0.1.0 → exchange_keyshare-0.1.2}/src/exchange_keyshare/commands/setup.py

@@ -155,6 +155,7 @@ def setup(ctx: click.Context) -> None:
     config.bucket = result.bucket
     config.region = result.region
     config.stack_name = result.stack_name
+    config.stack_id = result.stack_id
     config.role_arn = result.role_arn
     config.external_id = result.external_id
     config.kms_key_arn = result.kms_key_arn

exchange_keyshare-0.1.2/src/exchange_keyshare/commands/teardown.py

@@ -0,0 +1,208 @@
+"""Teardown command for deleting AWS infrastructure."""
+
+import click
+from rich.console import Console, Group, RenderableType
+from rich.live import Live
+from rich.panel import Panel
+from rich.spinner import Spinner
+from rich.table import Table
+from rich.text import Text
+
+from exchange_keyshare.config import Config
+from exchange_keyshare.keys import CredentialInfo, list_credentials
+from exchange_keyshare.setup import (
+    ResourceStatus,
+    StackProgress,
+    get_friendly_type,
+    get_stack_console_url,
+    poll_stack_deletion,
+    start_stack_deletion,
+)
+
+
+def get_delete_status_style(status: str) -> str:
+    """Get rich style for a deletion status."""
+    if "DELETE_COMPLETE" in status or "DELETE_SKIPPED" in status:
+        return "green"
+    elif "IN_PROGRESS" in status:
+        return "yellow"
+    elif "FAILED" in status:
+        return "red"
+    return "white"
+
+
+def get_delete_status_icon(status: str) -> str:
+    """Get icon for a deletion status."""
+    if "DELETE_COMPLETE" in status or "DELETE_SKIPPED" in status:
+        return "[green]✓[/green]"
+    elif "IN_PROGRESS" in status:
+        return "[yellow]⋯[/yellow]"
+    elif "FAILED" in status:
+        return "[red]✗[/red]"
+    return " "
+
+
+def build_deletion_progress_display(progress: StackProgress) -> RenderableType:
+    """Build a rich display showing resource deletion progress with spinner."""
+    table = Table(show_header=True, header_style="bold", box=None)
+    table.add_column("", width=2)
+    table.add_column("Resource", style="cyan", min_width=25)
+    table.add_column("Type", style="dim")
+    table.add_column("Status")
+
+    # Sort resources: in_progress first, then by name
+    def sort_key(item: tuple[str, ResourceStatus]) -> tuple[int, str]:
+        _, r = item
+        if "IN_PROGRESS" in r.status:
+            return (0, r.logical_id)
+        elif "COMPLETE" in r.status or "SKIPPED" in r.status:
+            return (2, r.logical_id)
+        else:
+            return (1, r.logical_id)
+
+    sorted_resources = sorted(progress.resources.items(), key=sort_key)
+
+    for _logical_id, resource in sorted_resources:
+        icon = get_delete_status_icon(resource.status)
+        style = get_delete_status_style(resource.status)
+        friendly_type = get_friendly_type(resource.resource_type)
+
+        # Simplify status text
+        status_text = resource.status.replace("_", " ").title()
+
+        table.add_row(
+            icon,
+            resource.logical_id,
+            friendly_type,
+            f"[{style}]{status_text}[/{style}]",
+        )
+
+    # Add spinner header if still in progress
+    if not progress.is_complete and not progress.is_failed:
+        spinner = Spinner("dots", text=Text(" Deleting infrastructure...", style="bold"))
+        return Group(spinner, Text(""), table)
+
+    return table
+
+
+@click.command()
+@click.pass_context
+def teardown(ctx: click.Context) -> None:
+    """Delete AWS infrastructure and revoke access.
+
+    This permanently deletes all infrastructure created by setup.
+    The S3 bucket and KMS key are retained but access is revoked.
+    """
+    cfg: Config = ctx.obj["config"]
+    console = Console()
+
+    if not cfg.stack_name:
+        console.print("Nothing to teardown. Run [cyan]exchange-keyshare setup[/cyan] first.")
+        return
+
+    region = cfg.region or "us-east-1"
+
+    # Try to list existing credentials (gracefully handle failure)
+    credentials: list[CredentialInfo] = []
+    if cfg.bucket and cfg.region:
+        try:
+            credentials = list_credentials(cfg.bucket, cfg.region)
+        except Exception:
+            pass  # Gracefully ignore - permissions may already be revoked
+
+    # Build credential list for warning
+    cred_text = ""
+    if credentials:
+        cred_text = "\n[bold]Credentials that will become inaccessible:[/bold]\n"
+        for cred in credentials:
+            cred_text += f"  - [cyan]{cred.exchange}[/cyan]\n"
+            if cred.pairs:
+                cred_text += f"    Pairs: {', '.join(cred.pairs)}\n"
+            if cred.labels:
+                labels_str = ", ".join(f"{lbl['key']}={lbl['value']}" for lbl in cred.labels)
+                cred_text += f"    Labels: {labels_str}\n"
+        cred_text += "\n"
+
+    # Build console URL if we have a stack ID
+    console_url = ""
+    if cfg.stack_id:
+        console_url = get_stack_console_url(cfg.stack_id, region)
+
+    # Show scary warning with specific resources
+    manual_cmd = f"aws cloudformation delete-stack --stack-name {cfg.stack_name} --region {region}"
+
+    warning = Panel(
+        "[bold red]WARNING: This action cannot be undone![/bold red]\n\n"
+        "[bold]Resources that will be DELETED:[/bold]\n"
+        f"  - IAM Role: [cyan]{cfg.role_arn}[/cyan]\n"
+        f"  - KMS Key Alias: [cyan]alias/{cfg.bucket}[/cyan]\n"
+        "  - S3 Bucket Policies\n\n"
+        "[bold]Resources that will be RETAINED (but inaccessible):[/bold]\n"
+        f"  - S3 Bucket: [cyan]{cfg.bucket}[/cyan]\n"
+        f"  - KMS Key: [cyan]{cfg.kms_key_arn}[/cyan]\n"
+        f"{cred_text}\n"
+        f"Stack: [cyan]{cfg.stack_name}[/cyan]\n"
+        f"Region: [cyan]{region}[/cyan]\n\n"
+        f"[dim]Manual command: {manual_cmd}[/dim]",
+        title="[bold red]Teardown Infrastructure[/bold red]",
+        border_style="red",
+    )
+    console.print(warning)
+    console.print()
+
+    # Require typing the stack name to confirm
+    console.print(f"To confirm, type the stack name: [bold]{cfg.stack_name}[/bold]")
+    confirmation = click.prompt("", default="", show_default=False)
+
+    if confirmation != cfg.stack_name:
+        console.print("[yellow]Aborted.[/yellow] Stack name did not match.")
+        raise SystemExit(1)
+
+    console.print()
+
+    # Show console URL before starting deletion
+    if console_url:
+        console.print(f"[dim]Monitor progress in AWS Console:[/dim]")
+        console.print(f"[link={console_url}]{console_url}[/link]")
+        console.print()
+        console.print("[dim]You can safely cancel this command (Ctrl+C) - deletion will continue in AWS.[/dim]")
+        console.print()
+
+    # Start deletion and poll with live display
+    try:
+        cfn = start_stack_deletion(cfg.stack_name, region)
+    except Exception as e:
+        console.print(f"[red]Error starting deletion: {e}[/red]")
+        raise SystemExit(1)
+
+    final_progress: StackProgress | None = None
+
+    try:
+        with Live(console=console, refresh_per_second=10) as live:
+            for progress in poll_stack_deletion(cfg.stack_name, cfn):
+                display = build_deletion_progress_display(progress)
+                live.update(display)
+                final_progress = progress
+
+                if progress.is_complete or progress.is_failed:
+                    break
+    except KeyboardInterrupt:
+        console.print()
+        console.print("[yellow]Interrupted.[/yellow] Deletion continues in AWS.")
+        if console_url:
+            console.print(f"[dim]Monitor progress:[/dim] {console_url}")
+        raise SystemExit(0)
+
+    if final_progress is None or final_progress.is_failed:
+        console.print()
+        console.print(f"[red]Error: {final_progress.failure_reason if final_progress else 'Unknown error'}[/red]")
+        if console_url:
+            console.print(f"[dim]Check AWS Console:[/dim] {console_url}")
+        raise SystemExit(1)
+
+    # Delete config file
+    if cfg.config_path.exists():
+        cfg.config_path.unlink()
+
+    console.print()
+    console.print("[green]Teardown complete.[/green] All access has been revoked.")

{exchange_keyshare-0.1.0 → exchange_keyshare-0.1.2}/src/exchange_keyshare/config.py

@@ -26,6 +26,7 @@ class Config:
     bucket: str | None = None
     region: str | None = None
     stack_name: str | None = None
+    stack_id: str | None = None
     role_arn: str | None = None
     external_id: str | None = None
     kms_key_arn: str | None = None
@@ -36,6 +37,7 @@ class Config:
         self.bucket = data.get("bucket")
         self.region = data.get("region")
         self.stack_name = data.get("stack_name")
+        self.stack_id = data.get("stack_id")
         self.role_arn = data.get("role_arn")
         self.external_id = data.get("external_id")
         self.kms_key_arn = data.get("kms_key_arn")
@@ -49,6 +51,8 @@ class Config:
             data["region"] = self.region
         if self.stack_name:
             data["stack_name"] = self.stack_name
+        if self.stack_id:
+            data["stack_id"] = self.stack_id
         if self.role_arn:
             data["role_arn"] = self.role_arn
         if self.external_id:

{exchange_keyshare-0.1.0 → exchange_keyshare-0.1.2}/src/exchange_keyshare/setup.py

@@ -40,6 +40,7 @@ class SetupResult:
     role_arn: str
     external_id: str
     stack_name: str
+    stack_id: str
     kms_key_arn: str
 
 
@@ -216,12 +217,142 @@ def _is_newer_status(new_status: str, old_status: str) -> bool:
         return True
 
 
+def get_stack_console_url(stack_id: str, region: str) -> str:
+    """Get AWS Console URL for a CloudFormation stack."""
+    # URL-encode the stack ID (it contains special characters)
+    from urllib.parse import quote
+    encoded_stack_id = quote(stack_id, safe="")
+    return f"https://{region}.console.aws.amazon.com/cloudformation/home?region={region}#/stacks/stackinfo?stackId={encoded_stack_id}"
+
+
+def start_stack_deletion(stack_name: str, region: str) -> "CloudFormationClient":
+    """Start CloudFormation stack deletion. Returns cfn_client for polling."""
+    cfn = cast("CloudFormationClient", boto3.client("cloudformation", region_name=region))  # pyright: ignore[reportUnknownMemberType]
+
+    try:
+        cfn.delete_stack(StackName=stack_name)  # pyright: ignore[reportUnknownMemberType]
+    except ClientError as e:
+        raise Exception(f"Failed to delete stack: {e}") from e
+
+    return cfn
+
+
+def poll_stack_deletion(
+    stack_name: str,
+    cfn: "CloudFormationClient",
+    poll_interval: float = 2.0,
+    max_attempts: int = 300,
+) -> Generator[StackProgress, None, None]:
+    """Poll stack deletion progress and yield updates."""
+    resources: dict[str, ResourceStatus] = {}
+
+    for _ in range(max_attempts):
+        # Get current stack status
+        try:
+            stacks_response = cfn.describe_stacks(StackName=stack_name)
+        except ClientError as e:
+            # Stack not found means deletion complete
+            if "does not exist" in str(e):
+                yield StackProgress(
+                    resources=resources,
+                    stack_status="DELETE_COMPLETE",
+                    is_complete=True,
+                    is_failed=False,
+                )
+                return
+            raise
+
+        stack = stacks_response["Stacks"][0]
+        stack_status = stack.get("StackStatus", "UNKNOWN")
+
+        # Get resource events (only delete-related)
+        try:
+            events_response = cfn.describe_stack_events(StackName=stack_name)
+            for event in events_response["StackEvents"]:
+                logical_id = event.get("LogicalResourceId", "")
+                resource_type = event.get("ResourceType", "")
+                status = event.get("ResourceStatus", "")
+                reason = event.get("ResourceStatusReason")
+
+                # Skip the stack itself
+                if resource_type == "AWS::CloudFormation::Stack":
+                    continue
+
+                # Only track delete-related statuses
+                if "DELETE" not in status:
+                    continue
+
+                # Update if this is a newer status for this resource
+                if logical_id not in resources or _is_newer_delete_status(status, resources[logical_id].status):
+                    resources[logical_id] = ResourceStatus(
+                        logical_id=logical_id,
+                        resource_type=resource_type,
+                        status=status,
+                        reason=reason,
+                    )
+        except ClientError:
+            pass  # Stack events may not be available
+
+        # Check for completion
+        is_complete = stack_status == "DELETE_COMPLETE"
+        is_failed = stack_status == "DELETE_FAILED"
+
+        failure_reason: str | None = None
+        if is_failed:
+            failed_resources = [r for r in resources.values() if "FAILED" in r.status]
+            if failed_resources:
+                reasons = [r.reason for r in failed_resources if r.reason]
+                failure_reason = "; ".join(reasons[:3]) if reasons else "Unknown error"
+
+        yield StackProgress(
+            resources=resources,
+            stack_status=stack_status,
+            is_complete=is_complete,
+            is_failed=is_failed,
+            failure_reason=failure_reason,
+        )
+
+        if is_complete or is_failed:
+            return
+
+        time.sleep(poll_interval)
+
+    # Timeout
+    yield StackProgress(
+        resources=resources,
+        stack_status="TIMEOUT",
+        is_complete=False,
+        is_failed=True,
+        failure_reason="Stack deletion timed out",
+    )
+
+
+def _is_newer_delete_status(new_status: str, old_status: str) -> bool:
+    """Check if new_status is more recent than old_status for deletion."""
+    status_order = [
+        "CREATE_COMPLETE",
+        "DELETE_IN_PROGRESS",
+        "DELETE_COMPLETE",
+        "DELETE_FAILED",
+        "DELETE_SKIPPED",
+    ]
+
+    try:
+        new_idx = status_order.index(new_status)
+        old_idx = status_order.index(old_status)
+        return new_idx > old_idx
+    except ValueError:
+        return True
+
+
 def get_stack_outputs(stack_name: str, region: str) -> SetupResult:
     """Get outputs from a completed stack."""
     cfn = cast("CloudFormationClient", boto3.client("cloudformation", region_name=region))  # pyright: ignore[reportUnknownMemberType]
 
     response = cfn.describe_stacks(StackName=stack_name)
-    stack_outputs = response["Stacks"][0].get("Outputs", [])
+    stack = response["Stacks"][0]
+    stack_id = stack.get("StackId", "")
+    stack_outputs = stack.get("Outputs", [])
     outputs: dict[str, str] = {
         o["OutputKey"]: o["OutputValue"]
         for o in stack_outputs
@@ -234,6 +365,7 @@ def get_stack_outputs(stack_name: str, region: str) -> SetupResult:
         role_arn=outputs["RoleArn"],
         external_id=outputs["ExternalId"],
         stack_name=stack_name,
+        stack_id=stack_id,
         kms_key_arn=outputs["KmsKeyArn"],
     )
 

exchange_keyshare-0.1.2/tests/test_cli.py

@@ -0,0 +1,257 @@
+"""Tests for CLI commands."""
+
+from pathlib import Path
+from unittest.mock import MagicMock, patch
+
+from click.testing import CliRunner
+
+from exchange_keyshare.cli import main
+from exchange_keyshare.config import save_config
+
+
+def test_config_command_displays_configuration(tmp_path: Path) -> None:
+    """Config command displays all configuration fields."""
+    config_path = tmp_path / "config.yaml"
+
+    save_config(
+        config_path,
+        {
+            "bucket": "test-bucket",
+            "region": "us-east-1",
+            "stack_name": "test-stack",
+            "stack_id": "arn:aws:cloudformation:us-east-1:123456789:stack/test-stack/abc123",
+            "role_arn": "arn:aws:iam::123456789:role/test-role",
+            "external_id": "test-external-id",
+            "kms_key_arn": "arn:aws:kms:us-east-1:123456789:key/abc123",
+        },
+    )
+
+    runner = CliRunner()
+    result = runner.invoke(main, ["--config", str(config_path), "config"])
+
+    assert result.exit_code == 0
+    assert "test-bucket" in result.output
+    assert "us-east-1" in result.output
+    assert "test-stack" in result.output
+    # Stack ID may be truncated by Rich table rendering, just check it starts showing
+    assert "arn:aws:cloudformation" in result.output
+    assert "arn:aws:iam" in result.output
+    assert "test-external-id" in result.output
+
+
+def test_config_command_shows_message_when_not_configured(tmp_path: Path) -> None:
+    """Config command shows helpful message when no config exists."""
+    config_path = tmp_path / "config.yaml"
+
+    runner = CliRunner()
+    result = runner.invoke(main, ["--config", str(config_path), "config"])
+
+    assert result.exit_code == 0
+    assert "not configured" in result.output.lower() or "setup" in result.output.lower()
+
+
+def test_teardown_requires_confirmation(tmp_path: Path) -> None:
+    """Teardown command requires typing confirmation to proceed."""
+    config_path = tmp_path / "config.yaml"
+    save_config(
+        config_path,
+        {
+            "bucket": "test-bucket",
+            "region": "us-east-1",
+            "stack_name": "test-stack",
+            "stack_id": "arn:aws:cloudformation:us-east-1:123456789:stack/test-stack/abc123",
+        },
+    )
+
+    runner = CliRunner()
+    # User types wrong confirmation
+    result = runner.invoke(main, ["--config", str(config_path), "teardown"], input="wrong\n")
+
+    assert result.exit_code == 1
+    assert "aborted" in result.output.lower() or "cancelled" in result.output.lower()
+    # Config file should still exist
+    assert config_path.exists()
+
+
+def test_teardown_shows_scary_warning(tmp_path: Path) -> None:
+    """Teardown command shows a scary warning about irreversibility."""
+    config_path = tmp_path / "config.yaml"
+    save_config(
+        config_path,
+        {
+            "bucket": "test-bucket",
+            "region": "us-east-1",
+            "stack_name": "test-stack",
+            "stack_id": "arn:aws:cloudformation:us-east-1:123456789:stack/test-stack/abc123",
+        },
+    )
+
+    runner = CliRunner()
+    result = runner.invoke(main, ["--config", str(config_path), "teardown"], input="\n")
+
+    # Should show warning text about irreversibility
+    output_lower = result.output.lower()
+    assert "warning" in output_lower or "cannot be undone" in output_lower or "permanent" in output_lower
+
+
+@patch("exchange_keyshare.commands.teardown.poll_stack_deletion")
+@patch("exchange_keyshare.commands.teardown.start_stack_deletion")
+def test_teardown_deletes_stack_and_config_on_confirmation(
+    mock_start_deletion: MagicMock,
+    mock_poll_deletion: MagicMock,
+    tmp_path: Path,
+) -> None:
+    """Teardown deletes CloudFormation stack and config file when confirmed."""
+    from exchange_keyshare.setup import StackProgress
+
+    # Mock successful deletion
+    mock_start_deletion.return_value = MagicMock()
+    mock_poll_deletion.return_value = iter([
+        StackProgress(
+            resources={},
+            stack_status="DELETE_COMPLETE",
+            is_complete=True,
+            is_failed=False,
+        )
+    ])
+
+    config_path = tmp_path / "config.yaml"
+    save_config(
+        config_path,
+        {
+            "bucket": "test-bucket",
+            "region": "us-east-1",
+            "stack_name": "test-stack",
+            "stack_id": "arn:aws:cloudformation:us-east-1:123456789:stack/test-stack/abc123",
+        },
+    )
+
+    runner = CliRunner()
+    # User types correct confirmation (the stack name)
+    result = runner.invoke(main, ["--config", str(config_path), "teardown"], input="test-stack\n")
+
+    assert result.exit_code == 0
+    mock_start_deletion.assert_called_once_with("test-stack", "us-east-1")
+    # Config file should be deleted
+    assert not config_path.exists()
+
+
+def test_teardown_shows_message_when_not_configured(tmp_path: Path) -> None:
+    """Teardown shows helpful message when no config exists."""
+    config_path = tmp_path / "config.yaml"
+
+    runner = CliRunner()
+    result = runner.invoke(main, ["--config", str(config_path), "teardown"])
+
+    assert result.exit_code == 0
+    assert "not configured" in result.output.lower() or "nothing to teardown" in result.output.lower()
+
+
+@patch("exchange_keyshare.commands.teardown.list_credentials")
+def test_teardown_shows_existing_credentials_with_pairs_and_labels(
+    mock_list_credentials: MagicMock, tmp_path: Path
+) -> None:
+    """Teardown shows existing credentials with pairs and labels in the warning."""
+    from exchange_keyshare.keys import CredentialInfo
+
+    mock_list_credentials.return_value = [
+        CredentialInfo(
+            key="exchange-credentials/binance-abc123.yaml",
+            exchange="binance",
+            pairs=["BTC/USDT", "ETH/USDT"],
+            labels=[{"key": "environment", "value": "production"}],
+        ),
+        CredentialInfo(
+            key="exchange-credentials/coinbase-def456.yaml",
+            exchange="coinbase",
+            pairs=None,
+            labels=None,
+        ),
+    ]
+
+    config_path = tmp_path / "config.yaml"
+    save_config(
+        config_path,
+        {
+            "bucket": "test-bucket",
+            "region": "us-east-1",
+            "stack_name": "test-stack",
+        },
+    )
+
+    runner = CliRunner()
+    result = runner.invoke(main, ["--config", str(config_path), "teardown"], input="\n")
+
+    # Should show credentials in output
+    assert "binance" in result.output.lower()
+    assert "coinbase" in result.output.lower()
+    # Should show pairs
+    assert "BTC/USDT" in result.output
+    assert "ETH/USDT" in result.output
+    # Should show labels
+    assert "environment=production" in result.output
+
+
+@patch("exchange_keyshare.commands.teardown.list_credentials")
+def test_teardown_gracefully_handles_list_credentials_failure(
+    mock_list_credentials: MagicMock, tmp_path: Path
+) -> None:
+    """Teardown continues gracefully if listing credentials fails."""
+    mock_list_credentials.side_effect = Exception("Access denied")
+
+    config_path = tmp_path / "config.yaml"
+    save_config(
+        config_path,
+        {
+            "bucket": "test-bucket",
+            "region": "us-east-1",
+            "stack_name": "test-stack",
+        },
+    )
+
+    runner = CliRunner()
+    result = runner.invoke(main, ["--config", str(config_path), "teardown"], input="\n")
+
+    # Should still show the warning and prompt (not crash)
+    assert "warning" in result.output.lower() or "cannot be undone" in result.output.lower()
+
+
+@patch("exchange_keyshare.commands.teardown.poll_stack_deletion")
+@patch("exchange_keyshare.commands.teardown.start_stack_deletion")
+def test_teardown_shows_console_url_and_cancel_message(
+    mock_start_deletion: MagicMock,
+    mock_poll_deletion: MagicMock,
+    tmp_path: Path,
+) -> None:
+    """Teardown shows AWS Console URL and message about safe cancellation."""
+    from exchange_keyshare.setup import StackProgress
+
+    mock_start_deletion.return_value = MagicMock()
+    mock_poll_deletion.return_value = iter([
+        StackProgress(
+            resources={},
+            stack_status="DELETE_COMPLETE",
+            is_complete=True,
+            is_failed=False,
+        )
+    ])
+
+    config_path = tmp_path / "config.yaml"
+    save_config(
+        config_path,
+        {
+            "bucket": "test-bucket",
+            "region": "us-east-1",
+            "stack_name": "test-stack",
+            "stack_id": "arn:aws:cloudformation:us-east-1:123456789:stack/test-stack/abc123",
+        },
+    )
+
+    runner = CliRunner()
+    result = runner.invoke(main, ["--config", str(config_path), "teardown"], input="test-stack\n")
+
+    assert result.exit_code == 0
+    # Should show console URL
+    assert "console.aws.amazon.com" in result.output
+    # Should show message about safe cancellation
+    assert "ctrl+c" in result.output.lower() or "cancel" in result.output.lower()

{exchange_keyshare-0.1.0 → exchange_keyshare-0.1.2}/tests/test_config.py

@@ -69,3 +69,20 @@ def test_save_config_sets_restrictive_permissions(tmp_path: Path) -> None:
     assert mode & stat.S_IRWXU == stat.S_IRUSR | stat.S_IWUSR  # owner rw
     assert mode & stat.S_IRWXG == 0  # no group permissions
     assert mode & stat.S_IRWXO == 0  # no other permissions
+
+
+def test_config_saves_and_loads_stack_id(tmp_path: Path) -> None:
+    """Config can save and load stack_id field."""
+    config_path = tmp_path / "config.yaml"
+
+    config = Config(config_path=config_path)
+    config.bucket = "test-bucket"
+    config.region = "us-east-1"
+    config.stack_name = "test-stack"
+    config.stack_id = "arn:aws:cloudformation:us-east-1:123456789:stack/test-stack/abc123"
+    config.save()
+
+    loaded = Config(config_path=config_path)
+    loaded.load()
+
+    assert loaded.stack_id == "arn:aws:cloudformation:us-east-1:123456789:stack/test-stack/abc123"

{exchange_keyshare-0.1.0 → exchange_keyshare-0.1.2}/uv.lock

@@ -6,6 +6,28 @@ resolution-markers = [
     "python_full_version < '3.14'",
 ]
 
+[[package]]
+name = "awscrt"
+version = "0.29.2"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/1c/90/f985002a50859ea39841e66bc816c224b623c03f943b34bfe08fee17165c/awscrt-0.29.2.tar.gz", hash = "sha256:c78d81b1308d42fda1eb21d27fcf26579137b821043e528550f2cfc6c09ab9ff", size = 38013553, upload-time = "2025-12-04T00:16:36.777Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/c8/7f/9d7b3d3f72369f80730ee5a0e964a1cd6ccf83d8c117a4d1df629e3ed6f9/awscrt-0.29.2-cp311-abi3-macosx_10_15_universal2.whl", hash = "sha256:3ff819a542acc5f11c46223204362c6b065031df0e4a37bf1ce2fc233a7145e4", size = 3407922, upload-time = "2025-12-04T00:15:49.071Z" },
+    { url = "https://files.pythonhosted.org/packages/17/f2/3e61a4683ff8e9bc59871214e833bf3f67e9f08b1884aae9e1166ef06ac3/awscrt-0.29.2-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:aa3d2f7fc0218a04707384afd871a8c3e97251185038eb921ae2fae4f61b7d90", size = 3817179, upload-time = "2025-12-04T00:15:50.965Z" },
+    { url = "https://files.pythonhosted.org/packages/3b/13/a7366b0465b998b1d05f8b3a05e5897a431ec101b9a389be6058fbbe5e26/awscrt-0.29.2-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:4f86d5a1a3c6d817dc0087d4e25abae1a7a1dd678d31fbcd226a15515719bdac", size = 4091388, upload-time = "2025-12-04T00:15:52.182Z" },
+    { url = "https://files.pythonhosted.org/packages/dd/90/a34b1b29612d91baad1273ea1d4e31ab3a90e2db4e516345329fecfbaeb2/awscrt-0.29.2-cp311-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:a6451a730c961b73b57dccdcf8599bf8058740053b531d3724efbf3a89e2d191", size = 3719628, upload-time = "2025-12-04T00:15:53.356Z" },
+    { url = "https://files.pythonhosted.org/packages/dd/94/2d93803e93cff7da0f5c9b6422b9f919d86db83640cdfbae569bdf22e606/awscrt-0.29.2-cp311-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:66a82b0960d281e14e7bfb95e9d6934cbc8e949b3f3e829709736b14bf0e6760", size = 3945694, upload-time = "2025-12-04T00:15:54.879Z" },
+    { url = "https://files.pythonhosted.org/packages/ec/26/e2517fe8eb2f565ba52274a59f301bc6fac25494e0d28b6257fde237190a/awscrt-0.29.2-cp311-abi3-win32.whl", hash = "sha256:c1c243a7d7b9ed9c1e10acfb44eaab81b88eec24b50915ce3db45a8ffa4f2edb", size = 3959540, upload-time = "2025-12-04T00:15:57.138Z" },
+    { url = "https://files.pythonhosted.org/packages/9a/49/bc9f3bcf2d49c58b97dd357f617c8331c1be02e5907316eb0ac39096941d/awscrt-0.29.2-cp311-abi3-win_amd64.whl", hash = "sha256:cd7349596f8f7b05805e047d29bfceb2304f5f0277fe0088e13ea8fe41ac3064", size = 4092749, upload-time = "2025-12-04T00:15:58.414Z" },
+    { url = "https://files.pythonhosted.org/packages/1f/41/a564e4537c8e56259d9a9a86239d6b89448a742a5a5769b8cb81e2db7b26/awscrt-0.29.2-cp313-abi3-macosx_10_15_universal2.whl", hash = "sha256:2377b9adf0db47fcf74ad6c89afcd901f6cf97f24ba4f0e5e352f5ffe12affef", size = 3406616, upload-time = "2025-12-04T00:15:59.966Z" },
+    { url = "https://files.pythonhosted.org/packages/9e/f2/4f88475ea7a9e4954871ebe188bfc9b5d29a60e1101e50a984afde904c3b/awscrt-0.29.2-cp313-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:e0cb67ce813577679dab7ab56cc8bb16a546328589db87a55f7b52314f54504f", size = 3809168, upload-time = "2025-12-04T00:16:01.288Z" },
+    { url = "https://files.pythonhosted.org/packages/22/6f/f08b3b646198d9a5fb45bc411e6a102ec976efc4acc34c01ac86cf557216/awscrt-0.29.2-cp313-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:cb7d44ed31baeb1b5720674a0249f48d8d6e548ea544ddfb93000b6bff559f34", size = 4084414, upload-time = "2025-12-04T00:16:03.504Z" },
+    { url = "https://files.pythonhosted.org/packages/3e/40/fd45b53bfc5486a31080a767947396f717534dde0ace1c9ee48b96c079b9/awscrt-0.29.2-cp313-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:e455776fd0a04929c586a66e590c6eb6f2ca08b96ec13323bfb087ee17fd6e99", size = 3710752, upload-time = "2025-12-04T00:16:04.777Z" },
+    { url = "https://files.pythonhosted.org/packages/53/25/179278c03b84e09332ef4a7770878b93b43f10564b6a94a82faa8d9329e6/awscrt-0.29.2-cp313-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:70fd197fe83b78c25c2c57293466808df6f63287a480984834b4af7b9d18d4c0", size = 3939687, upload-time = "2025-12-04T00:16:06.342Z" },
+    { url = "https://files.pythonhosted.org/packages/4f/5c/8330d3f8f5f080a85dc79c376c7125f24579dfb9c4e200224292062a36bb/awscrt-0.29.2-cp313-abi3-win32.whl", hash = "sha256:b3c46e4808ce7cfb6a63878e45b30b3410f5c314e352396d1210380787cafee2", size = 3954574, upload-time = "2025-12-04T00:16:07.539Z" },
+    { url = "https://files.pythonhosted.org/packages/e8/8f/630f3083d07a75e258aae67c0d06c7ed69098d4ca85550e9cd344d3f613d/awscrt-0.29.2-cp313-abi3-win_amd64.whl", hash = "sha256:74f8944e04bfc1508cce784b75927b4fb9895ff6a57310abb523c4b446b4f34f", size = 4085860, upload-time = "2025-12-04T00:16:08.752Z" },
+]
+
 [[package]]
 name = "boto3"
 version = "1.42.37"
@@ -55,6 +77,11 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/72/30/54042dd3ad8161964f8f47aa418785079bd8d2f17053c40d65bafb9f6eed/botocore-1.42.37-py3-none-any.whl", hash = "sha256:f13bb8b560a10714d96fb7b0c7f17828dfa6e6606a1ead8c01c6ebb8765acbd8", size = 14589390, upload-time = "2026-01-28T20:38:31.306Z" },
 ]
 
+[package.optional-dependencies]
+crt = [
+    { name = "awscrt" },
+]
+
 [[package]]
 name = "botocore-stubs"
 version = "1.42.40"
@@ -90,10 +117,11 @@ wheels = [
 
 [[package]]
 name = "exchange-keyshare"
-version = "0.1.0"
+version = "0.1.1"
 source = { editable = "." }
 dependencies = [
     { name = "boto3" },
+    { name = "botocore", extra = ["crt"] },
     { name = "click" },
     { name = "pyyaml" },
     { name = "questionary" },
@@ -110,6 +138,7 @@ dev = [
 [package.metadata]
 requires-dist = [
     { name = "boto3", specifier = ">=1.34.0" },
+    { name = "botocore", extras = ["crt"], specifier = ">=1.34.0" },
     { name = "click", specifier = ">=8.1.0" },
     { name = "pyyaml", specifier = ">=6.0" },
     { name = "questionary", specifier = ">=2.0.0" },