keepassxc-ssh-agent 0.8.0__tar.gz

keepassxc_ssh_agent-0.8.0/.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"

keepassxc_ssh_agent-0.8.0/.github/workflows/auto-merge-dependabot.yml

@@ -0,0 +1,32 @@
+name: Auto Merge Dependabot
+on:
+  pull_request:
+    types:
+      - opened
+    branches:
+      - main
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  auto-merge:
+    name: Auto Merge Dependabot PR
+    runs-on: ubuntu-24.04
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/create-github-app-token@v2
+        id: generate-token
+        with:
+          app-id: ${{ secrets.APP_ID_MERGE }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY_MERGE }}
+      - name: Enable Pull Request Automerge
+        run: gh pr merge --squash --auto "${{ github.event.pull_request.number }}"
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+      - name: Auto approve
+        run: gh pr review --approve "${{ github.event.pull_request.number }}"
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}

keepassxc_ssh_agent-0.8.0/.github/workflows/auto-release.yml

@@ -0,0 +1,38 @@
+name: Auto Release
+on:
+  pull_request:
+    types:
+      - closed
+
+jobs:
+  auto-release:
+    if: github.event.pull_request.merged == true && github.event.pull_request.user.login == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'pip')
+
+    name: Auto Release
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Get Version
+        id: get-version
+        run: |
+          LATEST_TAG=$(curl -s "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq -r '.name')
+          # Strip leading 'v' if present
+          VERSION="${LATEST_TAG#v}"
+          # Parse semver components
+          IFS='.' read -r MAJOR MINOR PATCH <<< "$VERSION"
+          # Bump minor, reset patch
+          MINOR=$((MINOR + 1))
+          PATCH=0
+          echo "version=v${MAJOR}.${MINOR}.${PATCH}" >> $GITHUB_OUTPUT
+      - uses: actions/create-github-app-token@v2
+        id: generate-token
+        with:
+          app-id: ${{ secrets.APP_ID_MERGE }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY_MERGE }}
+      - name: Create Release
+        run: gh release create ${{ steps.get-version.outputs.version }} --generate-notes
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}

keepassxc_ssh_agent-0.8.0/.github/workflows/lint_and_test.yml

@@ -0,0 +1,56 @@
+name: Python Lint and Test
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths-ignore:
+      - "**.md"
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - "**.md"
+
+jobs:
+  Test:
+    runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
+      fail-fast: false
+
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install ruff
+          pip install -e ".[dev]"
+      - name: Test with pytest
+        run: |
+          pytest --cov=keepassxc_ssh_agent --cov-report=term-missing
+      - name: Lint with ruff
+        env:
+          PY_VER: ${{ matrix.python-version }}
+        run: |
+          PY_VER=$(echo py${PY_VER} | tr -d '.')
+          ruff check --output-format=github --ignore=E501 --exclude=__init__.py --target-version=${PY_VER} ./keepassxc_ssh_agent
+
+  Check-Test:
+    if: ${{ always() }}
+    runs-on: ubuntu-24.04
+    needs:
+      - Test
+    steps:
+      - run: |
+          result="${{ needs.Test.result }}"
+          if [[ $result == "success" || $result == "skipped" ]]; then
+            exit 0
+          else
+            exit 1
+          fi

keepassxc_ssh_agent-0.8.0/.github/workflows/pypi.yml

@@ -0,0 +1,76 @@
+name: Build & Upload Python Package
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  Setup:
+    runs-on: ubuntu-24.04
+    outputs:
+      version: ${{ steps.set-version.outputs.version }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
+    - name: Get Version
+      id: set-version
+      env:
+        VERSION: ${{ github.ref_name }}
+      run: |
+        if grep -c -E '^v[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}$' <<< ${VERSION}; then
+          VERSION=$(sed 's/^.\{1\}//g' <<< ${VERSION})
+        else
+          echo "This branch shouldn't be build: ${VERSION}"
+          exit 1
+        fi
+        echo "version=$(echo ${VERSION})" >> $GITHUB_OUTPUT
+
+  Deploy:
+    runs-on: ubuntu-24.04
+    needs: Setup
+    environment:
+      name: pypi
+      url: https://pypi.org/p/keepassxc-ssh-agent/
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
+    - name: Set up Python
+      uses: actions/setup-python@v6
+      with:
+        python-version: '3.x'
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install build
+    - name: Build package
+      env:
+        SETUPTOOLS_SCM_PRETEND_VERSION: ${{ needs.Setup.outputs.version }}
+      run: python -m build
+    - name: Publish package
+      uses: pypa/gh-action-pypi-publish@v1.13.0
+
+  Notify-Homebrew:
+    runs-on: ubuntu-24.04
+    needs: [Setup, Deploy]
+    steps:
+      - uses: actions/create-github-app-token@v2
+        id: generate-token
+        with:
+          app-id: ${{ secrets.APP_ID_MERGE }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY_MERGE }}
+          owner: ${{ github.repository_owner }}
+          repositories: homebrew-tap
+      - name: Trigger Homebrew formula update
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: |
+          gh api repos/${{ github.repository_owner }}/homebrew-tap/dispatches \
+            -f event_type=update-formula \
+            -f "client_payload[version]=${{ needs.Setup.outputs.version }}"

keepassxc_ssh_agent-0.8.0/.gitignore

@@ -0,0 +1,216 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[codz]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#   Usually these files are written by a python script from a template
+#   before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py.cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+# Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+# uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+# poetry.lock
+# poetry.toml
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#   pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
+#   https://pdm-project.org/en/latest/usage/project/#working-with-version-control
+# pdm.lock
+# pdm.toml
+.pdm-python
+.pdm-build/
+
+# pixi
+#   Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
+# pixi.lock
+#   Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
+#   in the .venv directory. It is recommended not to include this directory in version control.
+.pixi
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# Redis
+*.rdb
+*.aof
+*.pid
+
+# RabbitMQ
+mnesia/
+rabbitmq/
+rabbitmq-data/
+
+# ActiveMQ
+activemq-data/
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.envrc
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#   JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#   be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#   and can be added to the global gitignore or merged into this file.  For a more nuclear
+#   option (not recommended) you can uncomment the following to ignore the entire idea folder.
+# .idea/
+
+# Abstra
+#   Abstra is an AI-powered process automation framework.
+#   Ignore directories containing user credentials, local state, and settings.
+#   Learn more at https://abstra.io/docs
+.abstra/
+
+# Visual Studio Code
+#   Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
+#   that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
+#   and can be added to the global gitignore or merged into this file. However, if you prefer, 
+#   you could uncomment the following to ignore the entire vscode folder
+# .vscode/
+
+# Ruff stuff:
+.ruff_cache/
+
+# PyPI configuration file
+.pypirc
+
+# Marimo
+marimo/_static/
+marimo/_lsp/
+__marimo__/
+
+# Streamlit
+.streamlit/secrets.toml

keepassxc_ssh_agent-0.8.0/CLAUDE.md

@@ -0,0 +1,74 @@
+# KeePassXC SSH Agent - Claude Code Instructions
+
+## Project Overview
+
+Standalone Python tool - an SSH IdentityAgent proxy for macOS that triggers KeePassXC database unlock (via TouchID) when SSH keys are needed.
+
+## Architecture
+
+- **Proxy pattern**: SSH Client → keepassxc-ssh-agent (Unix socket) → System ssh-agent
+- **Unlock trigger**: Uses KeePassXC's browser extension protocol (NaCl-encrypted JSON over Unix socket)
+- **No signing**: The proxy does NOT implement SSH key signing. KeePassXC pushes keys to the system ssh-agent on unlock, and the proxy forwards requests there.
+- **SSH_AUTH_SOCK interception**: Renames the real ssh-agent socket to `.system` suffix and symlinks the original path to the proxy socket. Restores on shutdown.
+
+### Key Files
+
+- `keepassxc_ssh_agent/server.py` - SSH agent proxy server (threading-based, Unix socket)
+- `keepassxc_ssh_agent/browser_client.py` - KeePassXC browser extension protocol client (NaCl crypto)
+- `keepassxc_ssh_agent/ssh_agent_protocol.py` - SSH agent wire format (4-byte length prefix + message)
+- `keepassxc_ssh_agent/config.py` - Config persistence (`~/.keepassxc/ssh-agent.json`)
+- `keepassxc_ssh_agent/__main__.py` - CLI with subcommands: install, run, status, uninstall
+
+### KeePassXC Browser Protocol Details
+
+- Socket: `$TMPDIR/org.keepassxc.KeePassXC.BrowserServer` (macOS), `$XDG_RUNTIME_DIR/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer` (Linux)
+- Every JSON message MUST include a `clientID` field (KeePassXC silently drops messages without it)
+- Key exchange via `change-public-keys` (unencrypted), all subsequent messages use NaCl `crypto_box`
+- `openDatabase(triggerUnlock=true)` is NON-BLOCKING - returns immediately, must poll for unlock
+- `test-associate` only works when DB is unlocked
+- Relevant KeePassXC source files (in KeePassXC repo): `src/browser/BrowserAction.cpp`, `src/browser/BrowserService.cpp`
+
+## Commands
+
+```shell
+# Install
+pip install -e ".[dev]"
+
+# Run tests
+pytest
+
+# Run tests with coverage
+pytest --cov=keepassxc_ssh_agent
+
+# Lint
+ruff check --ignore=E501 --exclude=__init__.py ./keepassxc_ssh_agent
+```
+
+## Conventions
+
+- Python >= 3.10, no async (threading-based for simplicity)
+- `from __future__ import annotations` in all source files for modern type syntax (`X | None`)
+- PyNaCl for NaCl crypto (not raw libsodium)
+- Config files use 0600 permissions (owner-only)
+- Tests use `short_tmp` fixture for Unix socket paths (macOS `tmp_path` is too long for AF_UNIX)
+- LaunchAgent label: `org.keepassxc.ssh-agent`
+
+## Known Limitations
+
+- macOS only (browser extension socket path is platform-specific)
+- If DB is unlocked but ssh-agent is cleared (`ssh-add -D`), keys won't reload without lock/unlock cycle
+- `triggerUnlock` only works for the active database tab in KeePassXC
+
+## Homebrew
+
+- Tap repo: `mietzen/homebrew-tap` (access locally via `cd $(brew --repository mietzen/homebrew-tap)`)
+- Formula: `Formula/keepassxc-ssh-agent.rb` — uses `Language::Python::Virtualenv`, depends on python@3.13, libsodium
+- Service managed via `brew services` (not the tool's own LaunchAgent when installed via Homebrew)
+- Formula auto-updated on new PyPI releases via `repository_dispatch` from `pypi.yml`
+
+## CI
+
+- `lint_and_test.yml` - Unit tests + ruff lint across Python 3.10-3.14
+- `pypi.yml` - Build & publish on release, then dispatch to homebrew-tap to update the formula
+- `auto-release.yml` - Auto-create patch release on dependabot merge
+- `auto-merge-dependabot.yml` - Auto-merge dependabot PRs

keepassxc_ssh_agent-0.8.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Nils Stein
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.