keynest 0.0.1__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- keynest-0.0.1/.gitignore +220 -0
- keynest-0.0.1/LICENSE +21 -0
- keynest-0.0.1/PKG-INFO +135 -0
- keynest-0.0.1/README.md +108 -0
- keynest-0.0.1/keynest/__about__.py +38 -0
- keynest-0.0.1/keynest/__init__.py +5 -0
- keynest-0.0.1/keynest/__main__.py +6 -0
- keynest-0.0.1/keynest/app.py +24 -0
- keynest-0.0.1/keynest/backends/__init__.py +1 -0
- keynest-0.0.1/keynest/backends/aws_secrets_manager.py +226 -0
- keynest-0.0.1/keynest/backends/base.py +75 -0
- keynest-0.0.1/keynest/backends/os_keyring.py +166 -0
- keynest-0.0.1/keynest/backends/registry.py +34 -0
- keynest-0.0.1/keynest/cli.py +527 -0
- keynest-0.0.1/keynest/model.py +183 -0
- keynest-0.0.1/keynest/py.typed +0 -0
- keynest-0.0.1/keynest/services/__init__.py +1 -0
- keynest-0.0.1/keynest/services/audit.py +65 -0
- keynest-0.0.1/keynest/services/aws_policy.py +84 -0
- keynest-0.0.1/keynest/services/aws_wizard.py +194 -0
- keynest-0.0.1/keynest/services/clipboard.py +73 -0
- keynest-0.0.1/keynest/services/codegen.py +232 -0
- keynest-0.0.1/keynest/services/diagnostics.py +109 -0
- keynest-0.0.1/keynest/services/dotenv_parser.py +143 -0
- keynest-0.0.1/keynest/services/index_store.py +180 -0
- keynest-0.0.1/keynest/services/maptools.py +243 -0
- keynest-0.0.1/keynest/services/quick.py +88 -0
- keynest-0.0.1/keynest/services/repo_tools.py +58 -0
- keynest-0.0.1/keynest/services/runner.py +60 -0
- keynest-0.0.1/keynest/services/value_tools.py +68 -0
- keynest-0.0.1/keynest/ui/__init__.py +1 -0
- keynest-0.0.1/keynest/ui/actions_panel.py +31 -0
- keynest-0.0.1/keynest/ui/aws_wizard.py +118 -0
- keynest-0.0.1/keynest/ui/dialogs.py +95 -0
- keynest-0.0.1/keynest/ui/folder_panel.py +165 -0
- keynest-0.0.1/keynest/ui/main_window.py +484 -0
- keynest-0.0.1/keynest/ui/quick_dialogs.py +166 -0
- keynest-0.0.1/keynest/ui/secret_editor.py +200 -0
- keynest-0.0.1/pyproject.toml +225 -0
- keynest-0.0.1/tests/__init__.py +0 -0
- keynest-0.0.1/tests/conftest.py +81 -0
- keynest-0.0.1/tests/test_aws_backend.py +146 -0
- keynest-0.0.1/tests/test_aws_wizard.py +110 -0
- keynest-0.0.1/tests/test_cli.py +14 -0
- keynest-0.0.1/tests/test_cli_commands.py +235 -0
- keynest-0.0.1/tests/test_diagnostics_backup.py +37 -0
- keynest-0.0.1/tests/test_maptools.py +114 -0
- keynest-0.0.1/tests/test_model.py +82 -0
- keynest-0.0.1/tests/test_os_keyring_backend.py +76 -0
- keynest-0.0.1/tests/test_quick.py +62 -0
- keynest-0.0.1/tests/test_repo_tools.py +55 -0
- keynest-0.0.1/tests/test_services.py +133 -0
- keynest-0.0.1/tests/test_ui_aws_wizard_dialog.py +45 -0
- keynest-0.0.1/tests/test_ui_clipboard.py +63 -0
- keynest-0.0.1/tests/test_ui_main_window.py +269 -0
- keynest-0.0.1/tests/test_ui_panels.py +248 -0
keynest-0.0.1/.gitignore
ADDED
|
@@ -0,0 +1,220 @@
|
|
|
1
|
+
# Byte-compiled / optimized / DLL files
|
|
2
|
+
__pycache__/
|
|
3
|
+
*.py[codz]
|
|
4
|
+
*$py.class
|
|
5
|
+
|
|
6
|
+
# C extensions
|
|
7
|
+
*.so
|
|
8
|
+
|
|
9
|
+
# Distribution / packaging
|
|
10
|
+
.Python
|
|
11
|
+
build/
|
|
12
|
+
develop-eggs/
|
|
13
|
+
dist/
|
|
14
|
+
downloads/
|
|
15
|
+
eggs/
|
|
16
|
+
.eggs/
|
|
17
|
+
lib/
|
|
18
|
+
lib64/
|
|
19
|
+
parts/
|
|
20
|
+
sdist/
|
|
21
|
+
var/
|
|
22
|
+
wheels/
|
|
23
|
+
share/python-wheels/
|
|
24
|
+
*.egg-info/
|
|
25
|
+
.installed.cfg
|
|
26
|
+
*.egg
|
|
27
|
+
MANIFEST
|
|
28
|
+
|
|
29
|
+
# PyInstaller
|
|
30
|
+
# Usually these files are written by a python script from a template
|
|
31
|
+
# before PyInstaller builds the exe, so as to inject date/other infos into it.
|
|
32
|
+
*.manifest
|
|
33
|
+
*.spec
|
|
34
|
+
|
|
35
|
+
# Installer logs
|
|
36
|
+
pip-log.txt
|
|
37
|
+
pip-delete-this-directory.txt
|
|
38
|
+
|
|
39
|
+
# Unit test / coverage reports
|
|
40
|
+
htmlcov/
|
|
41
|
+
.tox/
|
|
42
|
+
.nox/
|
|
43
|
+
.coverage
|
|
44
|
+
.coverage.*
|
|
45
|
+
.cache
|
|
46
|
+
nosetests.xml
|
|
47
|
+
coverage.xml
|
|
48
|
+
junit.xml
|
|
49
|
+
*.cover
|
|
50
|
+
*.py.cover
|
|
51
|
+
.hypothesis/
|
|
52
|
+
.pytest_cache/
|
|
53
|
+
cover/
|
|
54
|
+
|
|
55
|
+
# Translations
|
|
56
|
+
*.mo
|
|
57
|
+
*.pot
|
|
58
|
+
|
|
59
|
+
# Django stuff:
|
|
60
|
+
*.log
|
|
61
|
+
local_settings.py
|
|
62
|
+
db.sqlite3
|
|
63
|
+
db.sqlite3-journal
|
|
64
|
+
|
|
65
|
+
# Flask stuff:
|
|
66
|
+
instance/
|
|
67
|
+
.webassets-cache
|
|
68
|
+
|
|
69
|
+
# Scrapy stuff:
|
|
70
|
+
.scrapy
|
|
71
|
+
|
|
72
|
+
# Sphinx documentation
|
|
73
|
+
docs/_build/
|
|
74
|
+
|
|
75
|
+
# PyBuilder
|
|
76
|
+
.pybuilder/
|
|
77
|
+
target/
|
|
78
|
+
|
|
79
|
+
# Jupyter Notebook
|
|
80
|
+
.ipynb_checkpoints
|
|
81
|
+
|
|
82
|
+
# IPython
|
|
83
|
+
profile_default/
|
|
84
|
+
ipython_config.py
|
|
85
|
+
|
|
86
|
+
# pyenv
|
|
87
|
+
# For a library or package, you might want to ignore these files since the code is
|
|
88
|
+
# intended to run in multiple environments; otherwise, check them in:
|
|
89
|
+
# .python-version
|
|
90
|
+
|
|
91
|
+
# pipenv
|
|
92
|
+
# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
|
|
93
|
+
# However, in case of collaboration, if having platform-specific dependencies or dependencies
|
|
94
|
+
# having no cross-platform support, pipenv may install dependencies that don't work, or not
|
|
95
|
+
# install all needed dependencies.
|
|
96
|
+
# Pipfile.lock
|
|
97
|
+
|
|
98
|
+
# UV
|
|
99
|
+
# Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
|
|
100
|
+
# This is especially recommended for binary packages to ensure reproducibility, and is more
|
|
101
|
+
# commonly ignored for libraries.
|
|
102
|
+
# uv.lock
|
|
103
|
+
|
|
104
|
+
# poetry
|
|
105
|
+
# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
|
|
106
|
+
# This is especially recommended for binary packages to ensure reproducibility, and is more
|
|
107
|
+
# commonly ignored for libraries.
|
|
108
|
+
# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
|
|
109
|
+
# poetry.lock
|
|
110
|
+
# poetry.toml
|
|
111
|
+
|
|
112
|
+
# pdm
|
|
113
|
+
# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
|
|
114
|
+
# pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
|
|
115
|
+
# https://pdm-project.org/en/latest/usage/project/#working-with-version-control
|
|
116
|
+
# pdm.lock
|
|
117
|
+
# pdm.toml
|
|
118
|
+
.pdm-python
|
|
119
|
+
.pdm-build/
|
|
120
|
+
|
|
121
|
+
# pixi
|
|
122
|
+
# Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
|
|
123
|
+
# pixi.lock
|
|
124
|
+
# Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
|
|
125
|
+
# in the .venv directory. It is recommended not to include this directory in version control.
|
|
126
|
+
.pixi
|
|
127
|
+
|
|
128
|
+
# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
|
|
129
|
+
__pypackages__/
|
|
130
|
+
|
|
131
|
+
# Celery stuff
|
|
132
|
+
celerybeat-schedule
|
|
133
|
+
celerybeat.pid
|
|
134
|
+
|
|
135
|
+
# Redis
|
|
136
|
+
*.rdb
|
|
137
|
+
*.aof
|
|
138
|
+
*.pid
|
|
139
|
+
|
|
140
|
+
# RabbitMQ
|
|
141
|
+
mnesia/
|
|
142
|
+
rabbitmq/
|
|
143
|
+
rabbitmq-data/
|
|
144
|
+
|
|
145
|
+
# ActiveMQ
|
|
146
|
+
activemq-data/
|
|
147
|
+
|
|
148
|
+
# SageMath parsed files
|
|
149
|
+
*.sage.py
|
|
150
|
+
|
|
151
|
+
# Environments
|
|
152
|
+
.env
|
|
153
|
+
.envrc
|
|
154
|
+
.venv
|
|
155
|
+
env/
|
|
156
|
+
venv/
|
|
157
|
+
ENV/
|
|
158
|
+
env.bak/
|
|
159
|
+
venv.bak/
|
|
160
|
+
|
|
161
|
+
# Spyder project settings
|
|
162
|
+
.spyderproject
|
|
163
|
+
.spyproject
|
|
164
|
+
|
|
165
|
+
# Rope project settings
|
|
166
|
+
.ropeproject
|
|
167
|
+
|
|
168
|
+
# mkdocs documentation
|
|
169
|
+
/site
|
|
170
|
+
|
|
171
|
+
# mypy
|
|
172
|
+
.mypy_cache/
|
|
173
|
+
.dmypy.json
|
|
174
|
+
dmypy.json
|
|
175
|
+
|
|
176
|
+
# Pyre type checker
|
|
177
|
+
.pyre/
|
|
178
|
+
|
|
179
|
+
# pytype static type analyzer
|
|
180
|
+
.pytype/
|
|
181
|
+
|
|
182
|
+
# Cython debug symbols
|
|
183
|
+
cython_debug/
|
|
184
|
+
|
|
185
|
+
# PyCharm
|
|
186
|
+
# JetBrains specific template is maintained in a separate JetBrains.gitignore that can
|
|
187
|
+
# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
|
|
188
|
+
# and can be added to the global gitignore or merged into this file. For a more nuclear
|
|
189
|
+
# option (not recommended) you can uncomment the following to ignore the entire idea folder.
|
|
190
|
+
# .idea/
|
|
191
|
+
|
|
192
|
+
# Abstra
|
|
193
|
+
# Abstra is an AI-powered process automation framework.
|
|
194
|
+
# Ignore directories containing user credentials, local state, and settings.
|
|
195
|
+
# Learn more at https://abstra.io/docs
|
|
196
|
+
.abstra/
|
|
197
|
+
|
|
198
|
+
# Visual Studio Code
|
|
199
|
+
# Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore
|
|
200
|
+
# that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
|
|
201
|
+
# and can be added to the global gitignore or merged into this file. However, if you prefer,
|
|
202
|
+
# you could uncomment the following to ignore the entire vscode folder
|
|
203
|
+
# .vscode/
|
|
204
|
+
# Temporary file for partial code execution
|
|
205
|
+
tempCodeRunnerFile.py
|
|
206
|
+
|
|
207
|
+
# Ruff stuff:
|
|
208
|
+
.ruff_cache/
|
|
209
|
+
|
|
210
|
+
# PyPI configuration file
|
|
211
|
+
.pypirc
|
|
212
|
+
|
|
213
|
+
# Marimo
|
|
214
|
+
marimo/_static/
|
|
215
|
+
marimo/_lsp/
|
|
216
|
+
__marimo__/
|
|
217
|
+
|
|
218
|
+
# Streamlit
|
|
219
|
+
.streamlit/secrets.toml
|
|
220
|
+
.idea
|
keynest-0.0.1/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 Matthew Martin
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
keynest-0.0.1/PKG-INFO
ADDED
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: keynest
|
|
3
|
+
Version: 0.0.1
|
|
4
|
+
Summary: Developer secret workbench: a pure-Python keystore with GUI and CLI for OS keyring and AWS Secrets Manager
|
|
5
|
+
Project-URL: Repository, https://github.com/matthewdeanmartin/keynest
|
|
6
|
+
Project-URL: Documentation, https://keynest.readthedocs.io/en/latest/
|
|
7
|
+
Project-URL: Changelog, https://github.com/matthewdeanmartin/keynest/blob/main/CHANGELOG.md
|
|
8
|
+
Project-URL: homepage, https://github.com/matthewdeanmartin/keynest
|
|
9
|
+
Project-URL: issues, https://github.com/matthewdeanmartin/keynest/issues/
|
|
10
|
+
Author-email: Matthew Martin <matthewdeanmartin@gmail.com>
|
|
11
|
+
License-Expression: MIT
|
|
12
|
+
License-File: LICENSE
|
|
13
|
+
Keywords: aws,cli,credentials,developer-tools,gui,keyring,secrets,secrets-manager,tkinter,vault
|
|
14
|
+
Classifier: Development Status :: 3 - Alpha
|
|
15
|
+
Classifier: Intended Audience :: Developers
|
|
16
|
+
Classifier: License :: OSI Approved :: MIT License
|
|
17
|
+
Classifier: Operating System :: OS Independent
|
|
18
|
+
Classifier: Programming Language :: Python
|
|
19
|
+
Classifier: Programming Language :: Python :: 3.11
|
|
20
|
+
Classifier: Programming Language :: Python :: 3.12
|
|
21
|
+
Classifier: Programming Language :: Python :: 3.13
|
|
22
|
+
Classifier: Programming Language :: Python :: 3.14
|
|
23
|
+
Requires-Python: >=3.11
|
|
24
|
+
Requires-Dist: boto3>=1.34.0
|
|
25
|
+
Requires-Dist: keyring>=24.0.0
|
|
26
|
+
Description-Content-Type: text/markdown
|
|
27
|
+
|
|
28
|
+
# keynest
|
|
29
|
+
|
|
30
|
+
Developer keystore that is pipx-installable and supports the OS keychain / credential
|
|
31
|
+
manager and AWS Secrets Manager — with both a CLI and a Tkinter GUI.
|
|
32
|
+
|
|
33
|
+
keynest is a **developer secret workbench**. It helps a single developer stop scattering
|
|
34
|
+
secrets across Notepad, stray `.env` files, shell history, and repo-adjacent config. It
|
|
35
|
+
manages *secret maps* (JSON dictionaries of keys to values) in either the laptop OS secret
|
|
36
|
+
store (via Python [`keyring`](https://pypi.org/project/keyring/)) or
|
|
37
|
+
[AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) (via `boto3`).
|
|
38
|
+
|
|
39
|
+
The guiding opinion: **make the safe path the easy path.** Instead of
|
|
40
|
+
|
|
41
|
+
```bash
|
|
42
|
+
export DATABASE_PASSWORD=...
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
prefer
|
|
46
|
+
|
|
47
|
+
```bash
|
|
48
|
+
keynest run my-app -- python app.py
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
See [spec/spec.md](spec/spec.md) for the full product specification.
|
|
52
|
+
|
|
53
|
+
## Prior Art
|
|
54
|
+
|
|
55
|
+
[aws-vault](https://github.com/ByteNess/aws-vault) is the best prior art and is recommended
|
|
56
|
+
over this tool for the moment. The main advantage of keynest will be that it is pure Python
|
|
57
|
+
and ships a GUI. keynest also borrows patterns shamelessly from `chamber`, SOPS, KeePassXC,
|
|
58
|
+
and the developer-docs-as-a-feature approach of Infisical / Doppler / 1Password.
|
|
59
|
+
|
|
60
|
+
## Installation
|
|
61
|
+
|
|
62
|
+
```bash
|
|
63
|
+
pipx install keynest
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
Or with pip:
|
|
67
|
+
|
|
68
|
+
```bash
|
|
69
|
+
pip install keynest
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
## Usage
|
|
73
|
+
|
|
74
|
+
```bash
|
|
75
|
+
keynest --help
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
> Note: keynest is in early development. The CLI and GUI described in the
|
|
79
|
+
> [spec](spec/spec.md) are not yet implemented — the package scaffold and quality gates
|
|
80
|
+
> are in place first.
|
|
81
|
+
|
|
82
|
+
## Contributing
|
|
83
|
+
|
|
84
|
+
See [CONTRIBUTING.md](docs/extending/CONTRIBUTING.md).
|
|
85
|
+
|
|
86
|
+
## License
|
|
87
|
+
|
|
88
|
+
MIT — see [LICENSE](LICENSE).
|
|
89
|
+
|
|
90
|
+
## Changelog
|
|
91
|
+
|
|
92
|
+
See [CHANGELOG.md](CHANGELOG.md).
|
|
93
|
+
|
|
94
|
+
## Current implementation
|
|
95
|
+
|
|
96
|
+
The implementation has moved beyond the early scaffold note above: both the CLI and Tkinter GUI are available, with
|
|
97
|
+
OS-keyring and AWS Secrets Manager backends. The specification remains useful as product history, while the
|
|
98
|
+
[user documentation](docs/index.md) describes the behavior and limitations of the current code.
|
|
99
|
+
|
|
100
|
+
The preferred installation is an isolated global tool environment:
|
|
101
|
+
|
|
102
|
+
```bash
|
|
103
|
+
uv tool install keynest
|
|
104
|
+
```
|
|
105
|
+
|
|
106
|
+
or:
|
|
107
|
+
|
|
108
|
+
```bash
|
|
109
|
+
pipx install keynest
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
The install provides `keynest` and `keynest-gui`. Start with:
|
|
113
|
+
|
|
114
|
+
```bash
|
|
115
|
+
keynest health
|
|
116
|
+
keynest --help
|
|
117
|
+
keynest-gui
|
|
118
|
+
```
|
|
119
|
+
|
|
120
|
+
The recommended usage path injects a map only into a child process:
|
|
121
|
+
|
|
122
|
+
```bash
|
|
123
|
+
keynest run my-app/dev -- python app.py
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
See the [documentation home](docs/index.md), [concepts and storage](docs/concepts.md), dedicated
|
|
127
|
+
[CLI reference](docs/usage/cli.md), [GUI guide](docs/usage/gui.md), [AWS guide](docs/aws.md), and
|
|
128
|
+
[security model](docs/security.md).
|
|
129
|
+
|
|
130
|
+
On Windows, keynest does not enumerate Credential Manager. It uses Python `keyring` to request exact entries under
|
|
131
|
+
its own `DeveloperSecretWorkbench` service and keeps a separate non-secret index for listing. Windows itself has a
|
|
132
|
+
credential-enumeration API, but keynest does not call it; this is an implementation boundary, not protection from
|
|
133
|
+
other software running as your user. Consequently, unrelated credentials stored by other applications do not appear
|
|
134
|
+
in keynest. The [storage documentation](docs/concepts.md#why-keynest-cannot-see-your-other-windows-credentials) has the
|
|
135
|
+
full explanation.
|
keynest-0.0.1/README.md
ADDED
|
@@ -0,0 +1,108 @@
|
|
|
1
|
+
# keynest
|
|
2
|
+
|
|
3
|
+
Developer keystore that is pipx-installable and supports the OS keychain / credential
|
|
4
|
+
manager and AWS Secrets Manager — with both a CLI and a Tkinter GUI.
|
|
5
|
+
|
|
6
|
+
keynest is a **developer secret workbench**. It helps a single developer stop scattering
|
|
7
|
+
secrets across Notepad, stray `.env` files, shell history, and repo-adjacent config. It
|
|
8
|
+
manages *secret maps* (JSON dictionaries of keys to values) in either the laptop OS secret
|
|
9
|
+
store (via Python [`keyring`](https://pypi.org/project/keyring/)) or
|
|
10
|
+
[AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) (via `boto3`).
|
|
11
|
+
|
|
12
|
+
The guiding opinion: **make the safe path the easy path.** Instead of
|
|
13
|
+
|
|
14
|
+
```bash
|
|
15
|
+
export DATABASE_PASSWORD=...
|
|
16
|
+
```
|
|
17
|
+
|
|
18
|
+
prefer
|
|
19
|
+
|
|
20
|
+
```bash
|
|
21
|
+
keynest run my-app -- python app.py
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
See [spec/spec.md](spec/spec.md) for the full product specification.
|
|
25
|
+
|
|
26
|
+
## Prior Art
|
|
27
|
+
|
|
28
|
+
[aws-vault](https://github.com/ByteNess/aws-vault) is the best prior art and is recommended
|
|
29
|
+
over this tool for the moment. The main advantage of keynest will be that it is pure Python
|
|
30
|
+
and ships a GUI. keynest also borrows patterns shamelessly from `chamber`, SOPS, KeePassXC,
|
|
31
|
+
and the developer-docs-as-a-feature approach of Infisical / Doppler / 1Password.
|
|
32
|
+
|
|
33
|
+
## Installation
|
|
34
|
+
|
|
35
|
+
```bash
|
|
36
|
+
pipx install keynest
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
Or with pip:
|
|
40
|
+
|
|
41
|
+
```bash
|
|
42
|
+
pip install keynest
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
## Usage
|
|
46
|
+
|
|
47
|
+
```bash
|
|
48
|
+
keynest --help
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
> Note: keynest is in early development. The CLI and GUI described in the
|
|
52
|
+
> [spec](spec/spec.md) are not yet implemented — the package scaffold and quality gates
|
|
53
|
+
> are in place first.
|
|
54
|
+
|
|
55
|
+
## Contributing
|
|
56
|
+
|
|
57
|
+
See [CONTRIBUTING.md](docs/extending/CONTRIBUTING.md).
|
|
58
|
+
|
|
59
|
+
## License
|
|
60
|
+
|
|
61
|
+
MIT — see [LICENSE](LICENSE).
|
|
62
|
+
|
|
63
|
+
## Changelog
|
|
64
|
+
|
|
65
|
+
See [CHANGELOG.md](CHANGELOG.md).
|
|
66
|
+
|
|
67
|
+
## Current implementation
|
|
68
|
+
|
|
69
|
+
The implementation has moved beyond the early scaffold note above: both the CLI and Tkinter GUI are available, with
|
|
70
|
+
OS-keyring and AWS Secrets Manager backends. The specification remains useful as product history, while the
|
|
71
|
+
[user documentation](docs/index.md) describes the behavior and limitations of the current code.
|
|
72
|
+
|
|
73
|
+
The preferred installation is an isolated global tool environment:
|
|
74
|
+
|
|
75
|
+
```bash
|
|
76
|
+
uv tool install keynest
|
|
77
|
+
```
|
|
78
|
+
|
|
79
|
+
or:
|
|
80
|
+
|
|
81
|
+
```bash
|
|
82
|
+
pipx install keynest
|
|
83
|
+
```
|
|
84
|
+
|
|
85
|
+
The install provides `keynest` and `keynest-gui`. Start with:
|
|
86
|
+
|
|
87
|
+
```bash
|
|
88
|
+
keynest health
|
|
89
|
+
keynest --help
|
|
90
|
+
keynest-gui
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
The recommended usage path injects a map only into a child process:
|
|
94
|
+
|
|
95
|
+
```bash
|
|
96
|
+
keynest run my-app/dev -- python app.py
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
See the [documentation home](docs/index.md), [concepts and storage](docs/concepts.md), dedicated
|
|
100
|
+
[CLI reference](docs/usage/cli.md), [GUI guide](docs/usage/gui.md), [AWS guide](docs/aws.md), and
|
|
101
|
+
[security model](docs/security.md).
|
|
102
|
+
|
|
103
|
+
On Windows, keynest does not enumerate Credential Manager. It uses Python `keyring` to request exact entries under
|
|
104
|
+
its own `DeveloperSecretWorkbench` service and keeps a separate non-secret index for listing. Windows itself has a
|
|
105
|
+
credential-enumeration API, but keynest does not call it; this is an implementation boundary, not protection from
|
|
106
|
+
other software running as your user. Consequently, unrelated credentials stored by other applications do not appear
|
|
107
|
+
in keynest. The [storage documentation](docs/concepts.md#why-keynest-cannot-see-your-other-windows-credentials) has the
|
|
108
|
+
full explanation.
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
"""Metadata for keynest."""
|
|
2
|
+
|
|
3
|
+
__all__ = [
|
|
4
|
+
"__credits__",
|
|
5
|
+
"__dependencies__",
|
|
6
|
+
"__description__",
|
|
7
|
+
"__keywords__",
|
|
8
|
+
"__license__",
|
|
9
|
+
"__readme__",
|
|
10
|
+
"__requires_python__",
|
|
11
|
+
"__status__",
|
|
12
|
+
"__title__",
|
|
13
|
+
"__version__",
|
|
14
|
+
]
|
|
15
|
+
|
|
16
|
+
__title__ = "keynest"
|
|
17
|
+
__version__ = "0.0.1"
|
|
18
|
+
__description__ = (
|
|
19
|
+
"Developer secret workbench: a pure-Python keystore with GUI and CLI for OS keyring and AWS Secrets Manager"
|
|
20
|
+
)
|
|
21
|
+
__readme__ = "README.md"
|
|
22
|
+
__credits__ = [{"name": "Matthew Martin", "email": "matthewdeanmartin@gmail.com"}]
|
|
23
|
+
__keywords__ = [
|
|
24
|
+
"secrets",
|
|
25
|
+
"keyring",
|
|
26
|
+
"aws",
|
|
27
|
+
"secrets-manager",
|
|
28
|
+
"credentials",
|
|
29
|
+
"vault",
|
|
30
|
+
"developer-tools",
|
|
31
|
+
"cli",
|
|
32
|
+
"gui",
|
|
33
|
+
"tkinter",
|
|
34
|
+
]
|
|
35
|
+
__license__ = "MIT"
|
|
36
|
+
__requires_python__ = ">=3.11"
|
|
37
|
+
__status__ = "3 - Alpha"
|
|
38
|
+
__dependencies__ = ["keyring>=24.0.0", "boto3>=1.34.0"]
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
"""Tkinter application entry point for keynest.
|
|
2
|
+
|
|
3
|
+
Launch with ``python -m keynest.app`` or the ``keynest-gui`` console script.
|
|
4
|
+
"""
|
|
5
|
+
|
|
6
|
+
from __future__ import annotations
|
|
7
|
+
|
|
8
|
+
import sys
|
|
9
|
+
|
|
10
|
+
|
|
11
|
+
def main() -> int:
|
|
12
|
+
"""Launch the keynest GUI, returning a process exit code."""
|
|
13
|
+
try:
|
|
14
|
+
# Imported lazily so the CLI works even where tkinter is unavailable.
|
|
15
|
+
from keynest.ui.main_window import run # pylint: disable=import-outside-toplevel
|
|
16
|
+
except ImportError as exc: # pragma: no cover - tkinter missing on some builds
|
|
17
|
+
print(f"Could not start the GUI (is tkinter installed?): {exc}", file=sys.stderr)
|
|
18
|
+
return 1
|
|
19
|
+
run()
|
|
20
|
+
return 0
|
|
21
|
+
|
|
22
|
+
|
|
23
|
+
if __name__ == "__main__":
|
|
24
|
+
raise SystemExit(main())
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
"""Storage backends for secret maps."""
|