kstlib 2.1.4__tar.gz → 2.2.0__tar.gz

{kstlib-2.1.4/src/kstlib.egg-info → kstlib-2.2.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: kstlib
-Version: 2.1.4
+Version: 2.2.0
 Summary: Config-driven helpers for Python projects (dynamic config, secure secrets, preset logging, and more…)
 Author-email: Michel TRUONG <michel.truong@gmail.com>
 Maintainer-email: Michel TRUONG <michel.truong@gmail.com>
@@ -30,6 +30,8 @@ Requires-Dist: pyyaml<7,>=6.0
 Requires-Dist: tomli<3,>=2.3
 Requires-Dist: tomli-w<2,>=1.0
 Requires-Dist: python-box<8,>=7.3
+Requires-Dist: platformdirs<5,>=4.0
+Requires-Dist: defusedxml<1,>=0.7
 Requires-Dist: typer<1,>=0.19
 Requires-Dist: click<9,>=8.3
 Requires-Dist: rich<15,>=14.2
@@ -42,16 +44,17 @@ Requires-Dist: humanize<5,>=4.11
 Requires-Dist: httpx<1,>=0.28
 Requires-Dist: authlib<2,>=1.6.9
 Requires-Dist: pendulum<4,>=3.0
-Requires-Dist: cryptography>=46.0.6
+Requires-Dist: cryptography>=46.0.7
 Requires-Dist: requests>=2.33.0
 Requires-Dist: urllib3>=2.6.3
 Provides-Extra: dev
-Requires-Dist: pytest<9,>=8.4; extra == "dev"
+Requires-Dist: pytest<10,>=9.0.3; extra == "dev"
 Requires-Dist: pytest-cov<8,>=7.0; extra == "dev"
 Requires-Dist: pytest-asyncio<2,>=1.2; extra == "dev"
 Requires-Dist: ruff<1,>=0.14; extra == "dev"
 Requires-Dist: mypy<2,>=1.18; extra == "dev"
 Requires-Dist: types-PyYAML<7,>=6.0; extra == "dev"
+Requires-Dist: types-defusedxml<1,>=0.7; extra == "dev"
 Requires-Dist: pre-commit<5,>=4.0; extra == "dev"
 Requires-Dist: filelock>=3.20.3; extra == "dev"
 Requires-Dist: jaraco-context>=6.1.0; extra == "dev"
@@ -81,12 +84,13 @@ Requires-Dist: awscli-local<1,>=0.22; extra == "infra-tools"
 Provides-Extra: textual
 Requires-Dist: textual<7,>=6.3; extra == "textual"
 Provides-Extra: all
-Requires-Dist: pytest<9,>=8.4; extra == "all"
+Requires-Dist: pytest<10,>=9.0.3; extra == "all"
 Requires-Dist: pytest-cov<8,>=7.0; extra == "all"
 Requires-Dist: pytest-asyncio<2,>=1.2; extra == "all"
 Requires-Dist: ruff<1,>=0.14; extra == "all"
 Requires-Dist: mypy<2,>=1.18; extra == "all"
 Requires-Dist: types-PyYAML<7,>=6.0; extra == "all"
+Requires-Dist: types-defusedxml<1,>=0.7; extra == "all"
 Requires-Dist: sphinx<9,>=8.1; extra == "all"
 Requires-Dist: furo<2026,>=2025.9; extra == "all"
 Requires-Dist: myst-parser<5,>=4.0; extra == "all"

{kstlib-2.1.4 → kstlib-2.2.0}/pyproject.toml

@@ -32,10 +32,12 @@ keywords = [
 dynamic = ["version"]
 dependencies = [
     # --- Configuration & Serialization ---
-    "pyyaml>=6.0,<7",     # YAML config parsing
-    "tomli>=2.3,<3",      # Read-only TOML parser (for pyproject & configs)
-    "tomli-w>=1.0,<2",    # TOML writer for config exports
-    "python-box>=7.3,<8", # Dot-access dicts (Box, BoxList, ConfigBox)
+    "pyyaml>=6.0,<7",        # YAML config parsing
+    "tomli>=2.3,<3",         # Read-only TOML parser (for pyproject & configs)
+    "tomli-w>=1.0,<2",       # TOML writer for config exports
+    "python-box>=7.3,<8",    # Dot-access dicts (Box, BoxList, ConfigBox)
+    "platformdirs>=4.0,<5",  # Cross-platform system config dirs (XDG on Linux, native on Mac/Windows)
+    "defusedxml>=0.7,<1",    # XXE-safe XML parsing for kstlib.transform (CVE protection)
 
     # --- CLI & Output Interface ---
     "typer>=0.19,<1", # CLI framework (based on Click)
@@ -60,7 +62,7 @@ dependencies = [
     "pendulum>=3.0,<4", # Modern datetime library with timezone support
 
     # --- Security: transitive dep lower bounds (CVE) ---
-    "cryptography>=46.0.6",  # CVE-2026-26007 + CVE-2026-34073 (via authlib)
+    "cryptography>=46.0.7",  # CVE-2026-26007 + CVE-2026-34073 + CVE-2026-39892
     "requests>=2.33.0",      # CVE-2024-47081 + CVE-2026-25645 (via httpx)
     "urllib3>=2.6.3",         # CVE-2025-50182/50181 + CVE-2025-66418/66471 + CVE-2026-21441 (via requests)
 ]
@@ -91,7 +93,7 @@ Changelog = "https://github.com/KaminoU/kstlib/blob/main/CHANGELOG.md"
 [project.optional-dependencies]
 # Development tools (testing, linting, typing)
 dev = [
-    "pytest>=8.4,<9",
+    "pytest>=9.0.3,<10",      # >=9.0.3 pulls CVE-2025-71176 temp dir fix
     "pytest-cov>=7.0,<8",
     "pytest-asyncio>=1.2,<2", # For async tests (roadmap Phase 0)
 
@@ -99,8 +101,9 @@ dev = [
     "ruff>=0.14,<1",  # Fast linter + formatter (replaces Flake8, isort, Black, Pylint)
 
     # Typing checks
-    "mypy>=1.18,<2",        # Static type checker (validates type hints)
-    "types-PyYAML>=6.0,<7", # Type stubs for PyYAML (used by mypy)
+    "mypy>=1.18,<2",            # Static type checker (validates type hints)
+    "types-PyYAML>=6.0,<7",     # Type stubs for PyYAML (used by mypy)
+    "types-defusedxml>=0.7,<1", # Type stubs for defusedxml (used by mypy)
 
     # Git hooks
     "pre-commit>=4.0,<5", # Git pre-commit hooks for local CI checks
@@ -152,12 +155,13 @@ textual = ["textual>=6.3,<7"]
 
 # Everything for local development
 all = [
-    "pytest>=8.4,<9",
+    "pytest>=9.0.3,<10",  # >=9.0.3 pulls CVE-2025-71176 temp dir fix
     "pytest-cov>=7.0,<8",
     "pytest-asyncio>=1.2,<2",
     "ruff>=0.14,<1",
     "mypy>=1.18,<2",
     "types-PyYAML>=6.0,<7",
+    "types-defusedxml>=0.7,<1",
     "sphinx>=8.1,<9",
     "furo>=2025.9,<2026",
     "myst-parser>=4.0,<5",
@@ -285,11 +289,14 @@ ignore = [
 "src/kstlib/cli/commands/secrets/encrypt.py" = ["PLR0913"]
 "src/kstlib/cli/commands/secrets/shred.py" = ["PLR0913"]
 # T201: print statement - acceptable for CLI raw output (piping, --raw flags)
-# PLR0912/C901/PLR0915: Too many branches/complexity/statements - acceptable for CLI commands with multiple output modes
-"src/kstlib/cli/commands/auth/login.py" = ["PLR0912", "C901"]
+# PLR0912/C901/PLR0913/PLR0915: Too many branches/complexity/args/statements - acceptable for CLI commands with multiple output modes
+"src/kstlib/cli/commands/auth/login.py" = ["PLR0912", "PLR0913", "C901"]
 "src/kstlib/cli/commands/auth/status.py" = ["PLR0912", "C901"]
 "src/kstlib/cli/commands/auth/token.py" = ["T201", "C901", "PLR0912", "PLR0913", "PLR0915"]
 "src/kstlib/cli/commands/auth/whoami.py" = ["T201", "PLR0912", "C901"]
+"src/kstlib/cli/commands/ops/common.py" = ["PLR0913"]
+"src/kstlib/cli/commands/ops/start.py" = ["PLR0913"]
+"src/kstlib/cli/commands/ops/stop.py" = ["PLR0913"]
 "src/kstlib/cli/commands/rapi/call.py" = ["T201", "PLR0913"]
 # S110: try-except-pass - config loading is intentionally optional (no-op on failure)
 # PLR0913: Too many arguments - decorator API requires multiple options
@@ -353,6 +360,37 @@ ignore = [
 "src/kstlib/alerts/channels/slack.py" = ["PLR0913"]
 # Alert manager - transport factory has many branches for different transport types
 "src/kstlib/alerts/manager.py" = ["C901"]
+# Auth check - "token_type" is a label string ("id_token"/"access_token"), not a credential
+"src/kstlib/auth/check.py" = ["S107"]
+# aiosqlcipher - optional dependency feature detection via try/except import
+"src/kstlib/db/aiosqlcipher.py" = ["F401"]
+# Logging - auto-init and preset discovery MUST swallow exceptions to avoid breaking host apps
+"src/kstlib/logging/__init__.py" = ["S110"]
+"src/kstlib/logging/manager.py" = ["S110"]
+# Mail builder - snapshot/notify path legitimately reassigns same-class private state
+"src/kstlib/mail/builder.py" = ["SLF001"]
+# Monitoring image - RenderError chain already raised via "from err"; no additional ignores needed here
+# Monitoring renderer - Markup values are escaped before wrapping; jinja2 Environment defaults to autoescape=True
+"src/kstlib/monitoring/renderer.py" = ["S701", "S704"]
+# Monitoring service config has many options
+"src/kstlib/monitoring/monitoring.py" = ["PLR0913"]
+# ops/* - subprocess calls validated via ops/validators.py (binary resolved via shutil.which, list-form args)
+# S606/S108: tmux default socket path /tmp/tmux-<uid> is a Unix convention, not a user-controlled tempfile
+"src/kstlib/ops/container.py" = ["S603"]
+"src/kstlib/ops/tmux.py" = ["S603", "S606", "S108", "ARG002"]
+# Pipeline steps - subprocess calls validated (python via shutil.which, shell is documented opt-in)
+"src/kstlib/pipeline/steps/python.py" = ["S603"]
+"src/kstlib/pipeline/steps/shell.py" = ["S602"]
+# Pipeline validators - many validation options
+"src/kstlib/pipeline/validators.py" = ["PLR0913"]
+# Transform chain config has many options
+"src/kstlib/transform/chain.py" = ["PLR0913"]
+# Transform primitives - PrimitiveConfig used in runtime signatures (not TYPE_CHECKING-only)
+# N817: ElementTree imported as ET is the stdlib-documented convention for xml/defusedxml
+"src/kstlib/transform/primitives.py" = ["TC001", "N817"]
+# utils/http_trace - httpx._types accessed intentionally for accurate event hook typing
+"src/kstlib/utils/http_trace.py" = ["SLF001"]
+# utils/serialization - defusedxml.minidom used for display pretty-printing
 
 [tool.ruff.format]
 # Use double quotes for strings
@@ -499,6 +537,7 @@ addopts = [
     "--cov=src",
     "--cov-report=term-missing",
     "--cov-report=html",
+    "--doctest-modules",
 ]
 
 # Markers for test categorization

{kstlib-2.1.4 → kstlib-2.2.0}/src/kstlib/__init__.py

@@ -187,23 +187,16 @@ def __getattr__(name: str) -> Any:
     # Handle lazy imports
     if name in _LAZY_IMPORTS:
         module_path, attr_name = _LAZY_IMPORTS[name]
-        try:
-            module = importlib.import_module(module_path)
-            attr = getattr(module, attr_name)
-            _loaded[name] = attr
-            return attr
-        except (ImportError, AttributeError):
-            # ConfigNotLoadedError might not exist in minimal installs
-            if name == "ConfigNotLoadedError":
-                _loaded[name] = None
-                return None
-            raise
+        module = importlib.import_module(module_path)
+        attr = getattr(module, attr_name)
+        _loaded[name] = attr
+        return attr
 
     raise AttributeError(f"module 'kstlib' has no attribute {name!r}")
 
 
 # Auto-install rich traceback if KSTLIB_TRACEBACK=1 (opt-in for fast imports)
-# Default changed from "1" to "0" for metricsormance - users must opt-in now
+# Default changed from "1" to "0" for performance - users must opt-in now
 if TYPE_CHECKING:
     # For static analysis - provide type hints for lazy-loaded symbols
     # pylint: disable=useless-import-alias

{kstlib-2.1.4 → kstlib-2.2.0}/src/kstlib/alerts/__init__.py

@@ -85,6 +85,7 @@ Examples:
             config=app_config["alerts"],
             credential_resolver=resolver,
         )
+
 """
 
 from kstlib.alerts.exceptions import (

{kstlib-2.1.4 → kstlib-2.2.0}/src/kstlib/alerts/channels/__init__.py

@@ -22,6 +22,7 @@ Examples:
             sender="alerts@example.com",
             recipients=["oncall@example.com"],
         )
+
 """
 
 from kstlib.alerts.channels.base import AlertChannel, AsyncAlertChannel

{kstlib-2.1.4 → kstlib-2.2.0}/src/kstlib/alerts/channels/base.py

@@ -27,6 +27,7 @@ Examples:
                     # Send via HTTP POST
                     pass
                 return AlertResult(channel=self.name, success=True)
+
 """
 
 from __future__ import annotations
@@ -57,6 +58,7 @@ class AlertChannel(ABC):
                 def send(self, alert: AlertMessage) -> AlertResult:
                     print(f"[{alert.level.name}] {alert.title}")
                     return AlertResult(channel=self.name, success=True)
+
     """
 
     @property
@@ -79,6 +81,7 @@ class AlertChannel(ABC):
 
         Raises:
             AlertDeliveryError: If delivery fails.
+
         """
 
 
@@ -100,6 +103,7 @@ class AsyncAlertChannel(ABC):
                     async with httpx.AsyncClient() as client:
                         await client.post(...)
                     return AlertResult(channel=self.name, success=True)
+
     """
 
     @property
@@ -122,6 +126,7 @@ class AsyncAlertChannel(ABC):
 
         Raises:
             AlertDeliveryError: If delivery fails.
+
         """
 
 
@@ -144,6 +149,7 @@ class AsyncChannelWrapper(AsyncAlertChannel):
 
             # Now usable in async context
             await async_channel.send(alert)
+
     """
 
     def __init__(
@@ -157,6 +163,7 @@ class AsyncChannelWrapper(AsyncAlertChannel):
         Args:
             channel: The sync channel to wrap.
             executor: Optional custom thread pool executor.
+
         """
         self._channel = channel
         self._executor = executor
@@ -185,6 +192,7 @@ class AsyncChannelWrapper(AsyncAlertChannel):
 
         Raises:
             AlertDeliveryError: If the underlying channel fails.
+
         """
         loop = asyncio.get_running_loop()
         return await loop.run_in_executor(

{kstlib-2.1.4 → kstlib-2.2.0}/src/kstlib/alerts/channels/email.py

@@ -29,6 +29,7 @@ Examples:
             recipients=["oncall@example.com", "backup@example.com"],
             subject_prefix="[PROD ALERT]",
         )
+
 """
 
 from __future__ import annotations
@@ -96,6 +97,7 @@ class EmailChannel(AsyncAlertChannel):
                 recipients=["oncall@company.com"],
                 subject_prefix="[PROD]",
             )
+
     """
 
     def __init__(
@@ -118,6 +120,7 @@ class EmailChannel(AsyncAlertChannel):
 
         Raises:
             AlertConfigurationError: If configuration is invalid.
+
         """
         if not sender:
             raise AlertConfigurationError("Email sender is required")
@@ -161,6 +164,7 @@ class EmailChannel(AsyncAlertChannel):
 
         Raises:
             AlertDeliveryError: If email delivery fails.
+
         """
         message = self._build_message(alert)
 
@@ -195,6 +199,7 @@ class EmailChannel(AsyncAlertChannel):
 
         Returns:
             EmailMessage ready for transport.
+
         """
         message = EmailMessage()
 

{kstlib-2.1.4 → kstlib-2.2.0}/src/kstlib/alerts/channels/slack.py

@@ -35,6 +35,7 @@ Examples:
             config={"credentials": "slack_webhook"},
             credential_resolver=resolver,
         )
+
 """
 
 from __future__ import annotations
@@ -100,6 +101,7 @@ def _mask_webhook_url(url: str) -> str:
     Examples:
         >>> _mask_webhook_url("https://hooks.slack.com/services/T123/B456/xyz")
         'https://hooks.slack.com/services/T***/B***/***'
+
     """
     if not url or "hooks.slack.com" not in url:
         return "***"
@@ -123,6 +125,7 @@ def _truncate(text: str, max_length: int) -> str:
 
     Returns:
         Truncated text with '...' if exceeded.
+
     """
     if len(text) <= max_length:
         return text
@@ -161,6 +164,7 @@ class SlackChannel(AsyncAlertChannel):
                 icon_emoji=":fire:",
                 timeout=5.0,
             )
+
     """
 
     def __init__(
@@ -190,6 +194,7 @@ class SlackChannel(AsyncAlertChannel):
 
         Raises:
             AlertConfigurationError: If webhook_url is invalid.
+
         """
         if not webhook_url:
             raise AlertConfigurationError("Slack webhook URL is required")
@@ -240,6 +245,7 @@ class SlackChannel(AsyncAlertChannel):
 
         Raises:
             AlertDeliveryError: If the webhook request fails.
+
         """
         try:
             import httpx
@@ -303,6 +309,7 @@ class SlackChannel(AsyncAlertChannel):
 
         Returns:
             Dict suitable for JSON serialization.
+
         """
         # Truncate to Slack limits (use formatted_title for timestamp support)
         title = _truncate(alert.formatted_title, MAX_TITLE_LENGTH)
@@ -353,6 +360,7 @@ class SlackChannel(AsyncAlertChannel):
 
         Raises:
             AlertConfigurationError: If configuration is invalid.
+
         """
         # Get webhook URL from credentials
         cred_name = config.get("credentials")

{kstlib-2.1.4 → kstlib-2.2.0}/src/kstlib/alerts/exceptions.py

@@ -26,6 +26,7 @@ class AlertDeliveryError(AlertError):
         'slack'
         >>> err.retryable
         True
+
     """
 
     def __init__(self, message: str, *, channel: str, retryable: bool = False) -> None:
@@ -35,6 +36,7 @@ class AlertDeliveryError(AlertError):
             message: Error description.
             channel: Name of the channel that failed.
             retryable: Whether the delivery could succeed on retry.
+
         """
         super().__init__(message)
         self.channel = channel
@@ -51,6 +53,7 @@ class AlertThrottledError(AlertError):
         >>> err = AlertThrottledError("Rate limit exceeded", retry_after=30.0)
         >>> err.retry_after
         30.0
+
     """
 
     def __init__(self, message: str, *, retry_after: float) -> None:
@@ -59,6 +62,7 @@ class AlertThrottledError(AlertError):
         Args:
             message: Error description.
             retry_after: Seconds until the rate limit resets.
+
         """
         super().__init__(message)
         self.retry_after = retry_after

{kstlib-2.1.4 → kstlib-2.2.0}/src/kstlib/alerts/manager.py

@@ -29,6 +29,7 @@ Examples:
             .add_channel(slack_channel, min_level=AlertLevel.INFO)
             .add_channel(email_channel, min_level=AlertLevel.CRITICAL)
         )
+
 """
 
 from __future__ import annotations
@@ -77,6 +78,7 @@ class AlertManagerStats:
         total_failed: Total alerts that failed delivery.
         total_throttled: Total alerts dropped due to throttling.
         by_channel: Per-channel statistics.
+
     """
 
     total_sent: int = 0
@@ -147,6 +149,7 @@ class AlertManager:
                 config=config["alerts"],
                 credential_resolver=resolver,
             )
+
     """
 
     def __init__(self) -> None:
@@ -191,6 +194,7 @@ class AlertManager:
             AlertManager(channels=1)
             >>> manager.add_channel(email_channel, min_level=AlertLevel.CRITICAL)  # doctest: +SKIP
             AlertManager(channels=2)
+
         """
         # Wrap sync channels for async usage
         if isinstance(channel, AlertChannel):
@@ -249,6 +253,7 @@ class AlertManager:
 
                 >>> alerts = [alert1, alert2, alert3]  # doctest: +SKIP
                 >>> results = await manager.send(alerts, channel="watchdog")  # doctest: +SKIP
+
         """
         if not self._channels:
             log.warning("No channels configured, alert not sent")
@@ -289,6 +294,7 @@ class AlertManager:
 
         Returns:
             List of results for this alert.
+
         """
         # Determine matching entries
         if target_entries is not None:
@@ -325,6 +331,7 @@ class AlertManager:
 
         Returns:
             List with matching entry, or empty list if not found.
+
         """
         for entry in self._channels:
             # Match by key (e.g., "hb")
@@ -351,6 +358,7 @@ class AlertManager:
 
         Returns:
             AlertResult with delivery status.
+
         """
         channel_name = entry.channel.name
 
@@ -433,6 +441,7 @@ class AlertManager:
 
         Raises:
             AlertConfigurationError: If configuration is invalid.
+
         """
         from kstlib.alerts.channels import SlackChannel
         from kstlib.alerts.throttle import AlertThrottle
@@ -524,6 +533,7 @@ def _parse_level(level_str: str) -> AlertLevel:
 
     Raises:
         AlertConfigurationError: If level is invalid.
+
     """
     level_map = {
         "info": AlertLevel.INFO,
@@ -537,6 +547,76 @@ def _parse_level(level_str: str) -> AlertLevel:
     return level
 
 
+def _create_smtp_transport(
+    transport_config: Mapping[str, Any],
+) -> MailTransport:
+    """Build an SMTP mail transport from raw config."""
+    from kstlib.mail.transports import SMTPCredentials, SMTPSecurity, SMTPTransport
+
+    credentials = None
+    username = transport_config.get("username")
+    if username:
+        credentials = SMTPCredentials(
+            username=username,
+            password=transport_config.get("password"),
+        )
+
+    security = SMTPSecurity(
+        use_starttls=transport_config.get("use_tls", True),
+    )
+
+    return SMTPTransport(
+        host=transport_config.get("host", "localhost"),
+        port=int(transport_config.get("port", 587)),
+        credentials=credentials,
+        security=security,
+    )
+
+
+def _create_resend_transport(
+    transport_config: Mapping[str, Any],
+    name: str,
+    credential_resolver: CredentialResolver | None,
+) -> AsyncMailTransport:
+    """Build a Resend mail transport from raw config."""
+    from kstlib.mail.transports import ResendTransport
+
+    api_key = transport_config.get("api_key")
+    if not api_key and credential_resolver:
+        cred_name = transport_config.get("credentials")
+        if cred_name:
+            record = credential_resolver.resolve(cred_name)
+            api_key = record.value
+
+    if not api_key:
+        raise AlertConfigurationError(f"Resend transport for '{name}' requires 'api_key' or 'credentials'")
+
+    return ResendTransport(api_key=api_key)
+
+
+def _create_ses_transport(
+    transport_config: Mapping[str, Any],
+    credential_resolver: CredentialResolver | None,
+) -> AsyncMailTransport:
+    """Build an AWS SES mail transport from raw config."""
+    from kstlib.mail.transports import SesTransport
+
+    aws_access_key_id = transport_config.get("aws_access_key_id")
+    aws_secret_access_key = transport_config.get("aws_secret_access_key")
+
+    if credential_resolver:
+        cred_name = transport_config.get("credentials")
+        if cred_name:
+            record = credential_resolver.resolve(cred_name)
+            aws_access_key_id = aws_access_key_id or record.value
+
+    return SesTransport(
+        region=transport_config.get("region", "eu-west-3"),
+        aws_access_key_id=aws_access_key_id,
+        aws_secret_access_key=aws_secret_access_key,
+    )
+
+
 def _create_email_transport(
     transport_config: Mapping[str, Any],
     name: str,
@@ -544,6 +624,8 @@ def _create_email_transport(
 ) -> MailTransport | AsyncMailTransport:
     """Create a mail transport from configuration.
 
+    Delegates to a per-type factory to keep the dispatcher small.
+
     Args:
         transport_config: Transport configuration dict.
         name: Channel name for error messages.
@@ -554,72 +636,20 @@ def _create_email_transport(
 
     Raises:
         AlertConfigurationError: If configuration is invalid.
+
     """
     transport_type = transport_config.get("type", "smtp").lower()
-
     if transport_type == "smtp":
-        from kstlib.mail.transports import SMTPCredentials, SMTPSecurity, SMTPTransport
-
-        credentials = None
-        username = transport_config.get("username")
-        if username:
-            credentials = SMTPCredentials(
-                username=username,
-                password=transport_config.get("password"),
-            )
-
-        security = SMTPSecurity(
-            use_starttls=transport_config.get("use_tls", True),
-        )
-
-        return SMTPTransport(
-            host=transport_config.get("host", "localhost"),
-            port=int(transport_config.get("port", 587)),
-            credentials=credentials,
-            security=security,
-        )
-
+        return _create_smtp_transport(transport_config)
     if transport_type == "gmail":
-        # Gmail requires OAuth2 Token from kstlib.auth module
-        # Use GmailTransport directly with a Token object in code
         raise AlertConfigurationError(
             f"Gmail transport for '{name}' requires programmatic configuration. "
             "Use GmailTransport(token=...) directly instead of config."
         )
-
     if transport_type == "resend":
-        from kstlib.mail.transports import ResendTransport
-
-        api_key = transport_config.get("api_key")
-        if not api_key and credential_resolver:
-            cred_name = transport_config.get("credentials")
-            if cred_name:
-                record = credential_resolver.resolve(cred_name)
-                api_key = record.value
-
-        if not api_key:
-            raise AlertConfigurationError(f"Resend transport for '{name}' requires 'api_key' or 'credentials'")
-
-        return ResendTransport(api_key=api_key)
-
+        return _create_resend_transport(transport_config, name, credential_resolver)
     if transport_type == "ses":
-        from kstlib.mail.transports import SesTransport
-
-        aws_access_key_id = transport_config.get("aws_access_key_id")
-        aws_secret_access_key = transport_config.get("aws_secret_access_key")
-
-        if credential_resolver:
-            cred_name = transport_config.get("credentials")
-            if cred_name:
-                record = credential_resolver.resolve(cred_name)
-                aws_access_key_id = aws_access_key_id or record.value
-
-        return SesTransport(
-            region=transport_config.get("region", "eu-west-3"),
-            aws_access_key_id=aws_access_key_id,
-            aws_secret_access_key=aws_secret_access_key,
-        )
-
+        return _create_ses_transport(transport_config, credential_resolver)
     raise AlertConfigurationError(f"Unknown transport type '{transport_type}' for email channel '{name}'")
 
 
@@ -640,6 +670,7 @@ def _create_email_channel(
 
     Raises:
         AlertConfigurationError: If configuration is invalid.
+
     """
     from kstlib.alerts.channels import EmailChannel