ml-dash 0.5.9__py3-none-any.whl → 0.6.0__py3-none-any.whl

ml_dash/auth/token_storage.py

@@ -0,0 +1,262 @@
+"""Token storage backends for ml-dash authentication."""
+
+import json
+from abc import ABC, abstractmethod
+from pathlib import Path
+from typing import Optional
+
+from .exceptions import StorageError
+
+
+class TokenStorage(ABC):
+    """Abstract base class for token storage backends."""
+
+    @abstractmethod
+    def store(self, key: str, value: str) -> None:
+        """Store a token.
+
+        Args:
+            key: Storage key
+            value: Token string to store
+        """
+        pass
+
+    @abstractmethod
+    def load(self, key: str) -> Optional[str]:
+        """Load a token.
+
+        Args:
+            key: Storage key
+
+        Returns:
+            Token string or None if not found
+        """
+        pass
+
+    @abstractmethod
+    def delete(self, key: str) -> None:
+        """Delete a token.
+
+        Args:
+            key: Storage key
+        """
+        pass
+
+
+class KeyringStorage(TokenStorage):
+    """OS keyring storage backend (macOS Keychain, Windows Credential Manager, Linux Secret Service)."""
+
+    SERVICE_NAME = "ml-dash"
+
+    def __init__(self):
+        """Initialize keyring storage."""
+        try:
+            import keyring
+            self.keyring = keyring
+        except ImportError:
+            raise StorageError(
+                "keyring library not installed. "
+                "Install with: pip install keyring"
+            )
+
+    def store(self, key: str, value: str) -> None:
+        """Store token in OS keyring."""
+        try:
+            self.keyring.set_password(self.SERVICE_NAME, key, value)
+        except Exception as e:
+            raise StorageError(f"Failed to store token in keyring: {e}")
+
+    def load(self, key: str) -> Optional[str]:
+        """Load token from OS keyring."""
+        try:
+            return self.keyring.get_password(self.SERVICE_NAME, key)
+        except Exception as e:
+            raise StorageError(f"Failed to load token from keyring: {e}")
+
+    def delete(self, key: str) -> None:
+        """Delete token from OS keyring."""
+        try:
+            self.keyring.delete_password(self.SERVICE_NAME, key)
+        except Exception:
+            # Silently ignore if key doesn't exist
+            pass
+
+
+class EncryptedFileStorage(TokenStorage):
+    """Encrypted file storage backend using Fernet symmetric encryption."""
+
+    def __init__(self, config_dir: Path):
+        """Initialize encrypted file storage.
+
+        Args:
+            config_dir: Configuration directory path
+        """
+        self.config_dir = Path(config_dir)
+        self.tokens_file = self.config_dir / "tokens.encrypted"
+        self.key_file = self.config_dir / "encryption.key"
+
+        try:
+            from cryptography.fernet import Fernet
+            self.Fernet = Fernet
+        except ImportError:
+            raise StorageError(
+                "cryptography library not installed. "
+                "Install with: pip install cryptography"
+            )
+
+        # Ensure config directory exists
+        self.config_dir.mkdir(parents=True, exist_ok=True)
+
+        # Generate or load encryption key
+        if not self.key_file.exists():
+            key = self.Fernet.generate_key()
+            self.key_file.write_bytes(key)
+            self.key_file.chmod(0o600)  # User read/write only
+        else:
+            key = self.key_file.read_bytes()
+
+        self.cipher = self.Fernet(key)
+
+    def _load_all(self) -> dict:
+        """Load all tokens from encrypted file."""
+        if not self.tokens_file.exists():
+            return {}
+
+        try:
+            encrypted = self.tokens_file.read_bytes()
+            decrypted = self.cipher.decrypt(encrypted)
+            return json.loads(decrypted)
+        except Exception as e:
+            raise StorageError(f"Failed to decrypt tokens file: {e}")
+
+    def _save_all(self, data: dict) -> None:
+        """Save all tokens to encrypted file."""
+        try:
+            plaintext = json.dumps(data).encode()
+            encrypted = self.cipher.encrypt(plaintext)
+            self.tokens_file.write_bytes(encrypted)
+            self.tokens_file.chmod(0o600)  # User read/write only
+        except Exception as e:
+            raise StorageError(f"Failed to encrypt tokens file: {e}")
+
+    def store(self, key: str, value: str) -> None:
+        """Store token in encrypted file."""
+        all_tokens = self._load_all()
+        all_tokens[key] = value
+        self._save_all(all_tokens)
+
+    def load(self, key: str) -> Optional[str]:
+        """Load token from encrypted file."""
+        all_tokens = self._load_all()
+        return all_tokens.get(key)
+
+    def delete(self, key: str) -> None:
+        """Delete token from encrypted file."""
+        all_tokens = self._load_all()
+        if key in all_tokens:
+            del all_tokens[key]
+            self._save_all(all_tokens)
+
+
+class PlaintextFileStorage(TokenStorage):
+    """Plaintext file storage backend (INSECURE - only for testing/fallback)."""
+
+    _warning_shown = False
+
+    def __init__(self, config_dir: Path):
+        """Initialize plaintext file storage.
+
+        Args:
+            config_dir: Configuration directory path
+        """
+        self.config_dir = Path(config_dir)
+        self.tokens_file = self.config_dir / "tokens.json"
+
+        # Ensure config directory exists
+        self.config_dir.mkdir(parents=True, exist_ok=True)
+
+        # Show security warning on first use
+        if not PlaintextFileStorage._warning_shown:
+            try:
+                from rich.console import Console
+                console = Console()
+                console.print(
+                    "\n[bold red]WARNING: Storing tokens in plaintext![/bold red]\n"
+                    "[yellow]Your authentication tokens are being stored unencrypted.[/yellow]\n"
+                    "[yellow]This is insecure and only recommended for testing.[/yellow]\n\n"
+                    "To use secure storage:\n"
+                    "  • Install keyring: pip install keyring\n"
+                    "  • Or encrypted storage will be used automatically\n"
+                )
+            except ImportError:
+                print("WARNING: Storing tokens in plaintext! This is insecure.")
+
+            PlaintextFileStorage._warning_shown = True
+
+    def _load_all(self) -> dict:
+        """Load all tokens from file."""
+        if not self.tokens_file.exists():
+            return {}
+
+        try:
+            with open(self.tokens_file, "r") as f:
+                return json.load(f)
+        except (json.JSONDecodeError, IOError):
+            return {}
+
+    def _save_all(self, data: dict) -> None:
+        """Save all tokens to file."""
+        with open(self.tokens_file, "w") as f:
+            json.dump(data, f, indent=2)
+        self.tokens_file.chmod(0o600)  # User read/write only
+
+    def store(self, key: str, value: str) -> None:
+        """Store token in plaintext file."""
+        all_tokens = self._load_all()
+        all_tokens[key] = value
+        self._save_all(all_tokens)
+
+    def load(self, key: str) -> Optional[str]:
+        """Load token from plaintext file."""
+        all_tokens = self._load_all()
+        return all_tokens.get(key)
+
+    def delete(self, key: str) -> None:
+        """Delete token from plaintext file."""
+        all_tokens = self._load_all()
+        if key in all_tokens:
+            del all_tokens[key]
+            self._save_all(all_tokens)
+
+
+def get_token_storage(config_dir: Optional[Path] = None) -> TokenStorage:
+    """Auto-detect and return appropriate storage backend.
+
+    Tries backends in order of security:
+    1. KeyringStorage (OS keyring)
+    2. EncryptedFileStorage (encrypted file)
+    3. PlaintextFileStorage (plaintext file with warning)
+
+    Args:
+        config_dir: Configuration directory (defaults to ~/.ml-dash)
+
+    Returns:
+        TokenStorage instance
+    """
+    if config_dir is None:
+        config_dir = Path.home() / ".ml-dash"
+
+    # Try keyring first
+    try:
+        return KeyringStorage()
+    except (ImportError, StorageError):
+        pass
+
+    # Try encrypted file storage
+    try:
+        return EncryptedFileStorage(config_dir)
+    except (ImportError, StorageError):
+        pass
+
+    # Fallback to plaintext (with warning)
+    return PlaintextFileStorage(config_dir)

ml_dash/auto_start.py

@@ -1,33 +1,56 @@
 """
-Auto-start module for ML-Dash SDK.
+Pre-configured experiment singleton for ML-Dash SDK.
 
-Provides a pre-configured, auto-started experiment singleton named 'dxp'.
+Provides a pre-configured experiment singleton named 'dxp' in remote mode.
+Requires authentication - run 'ml-dash login' first.
+Requires manual start using 'with' statement or explicit start() call.
 
 Usage:
-    from ml_dash.auto_start import dxp
+    # First, authenticate
+    # $ ml-dash login
 
-    # Ready to use immediately - no need to open/start
-    dxp.log("Hello from dxp!")
-    dxp.params.set(lr=0.001)
-    dxp.metrics("loss").append(step=0, value=0.5)
+    from ml_dash import dxp
 
-    # Automatically closed on Python exit
+    # Use with statement (recommended)
+    with dxp.run:
+        dxp.log().info("Hello from dxp!")
+        dxp.params.set(lr=0.001)
+        dxp.metrics("loss").append(step=0, value=0.5)
+    # Automatically completes on exit from with block
+
+    # Or start/complete manually
+    dxp.run.start()
+    dxp.log().info("Training...")
+    dxp.run.complete()
 """
 
 import atexit
 from .experiment import Experiment
+from .auth.token_storage import get_token_storage
+from .auth.exceptions import AuthenticationError
+
+# Check if user is authenticated
+_storage = get_token_storage()
+_token = _storage.load("ml-dash-token")
 
-# Create pre-configured singleton experiment
+if not _token:
+    raise AuthenticationError(
+        "Not authenticated. Please run 'ml-dash login' to authenticate before using dxp.\n\n"
+        "To login:\n"
+        "  ml-dash login\n\n"
+        "Or use Experiment() with explicit api_key parameter."
+    )
+
+# Create pre-configured singleton experiment in remote mode
+# Uses default remote server (https://api.dash.ml)
+# Token is auto-loaded from storage
 dxp = Experiment(
     name="dxp",
     project="scratch",
-    local_path=".ml-dash"
+    remote="https://api.dash.ml",
 )
 
-# Auto-start the experiment on import
-dxp.run.start()
-
-# Register cleanup handler to complete experiment on Python exit
+# Register cleanup handler to complete experiment on Python exit (if still open)
 def _cleanup():
     """Complete the dxp experiment on exit if still open."""
     if dxp._is_open:

ml_dash/cli.py

@@ -21,7 +21,13 @@ def create_parser() -> argparse.ArgumentParser:
     )
 
     # Import and add command parsers
-    from .cli_commands import upload, download, list as list_cmd
+    from .cli_commands import upload, download, list as list_cmd, login, logout
+
+    # Authentication commands
+    login.add_parser(subparsers)
+    logout.add_parser(subparsers)
+
+    # Data commands
     upload.add_parser(subparsers)
     download.add_parser(subparsers)
     list_cmd.add_parser(subparsers)
@@ -48,7 +54,13 @@ def main(argv: Optional[List[str]] = None) -> int:
         return 0
 
     # Route to command handlers
-    if args.command == "upload":
+    if args.command == "login":
+        from .cli_commands import login
+        return login.cmd_login(args)
+    elif args.command == "logout":
+        from .cli_commands import logout
+        return logout.cmd_logout(args)
+    elif args.command == "upload":
         from .cli_commands import upload
         return upload.cmd_upload(args)
     elif args.command == "download":

ml_dash/cli_commands/download.py

@@ -52,7 +52,6 @@ class DownloadState:
     """State for resuming interrupted downloads."""
     remote_url: str
     local_path: str
-    namespace: str
     completed_experiments: List[str] = field(default_factory=list)
     failed_experiments: List[str] = field(default_factory=list)
     in_progress_experiment: Optional[str] = None
@@ -141,7 +140,6 @@ def _experiment_from_graphql(graphql_data: Dict[str, Any]) -> ExperimentInfo:
 
 def discover_experiments(
     remote_client: RemoteClient,
-    namespace: str,
     project_filter: Optional[str] = None,
     experiment_filter: Optional[str] = None,
 ) -> List[ExperimentInfo]:
@@ -150,7 +148,6 @@ def discover_experiments(
 
     Args:
         remote_client: Remote API client
-        namespace: Namespace slug
         project_filter: Optional project slug filter
         experiment_filter: Optional experiment name filter
 
@@ -159,38 +156,26 @@ def discover_experiments(
     """
     # Specific experiment requested
     if project_filter and experiment_filter:
-        exp_data = remote_client.get_experiment_graphql(namespace, project_filter, experiment_filter)
+        exp_data = remote_client.get_experiment_graphql(project_filter, experiment_filter)
         if exp_data:
             return [_experiment_from_graphql(exp_data)]
         return []
 
     # Project filter - get all experiments in project
     if project_filter:
-        experiments_data = remote_client.list_experiments_graphql(namespace, project_filter)
+        experiments_data = remote_client.list_experiments_graphql(project_filter)
         return [_experiment_from_graphql(exp) for exp in experiments_data]
 
     # No filter - get all projects and their experiments
-    projects = remote_client.list_projects_graphql(namespace)
+    projects = remote_client.list_projects_graphql()
     all_experiments = []
     for project in projects:
-        experiments_data = remote_client.list_experiments_graphql(namespace, project['slug'])
+        experiments_data = remote_client.list_experiments_graphql(project['slug'])
         all_experiments.extend([_experiment_from_graphql(exp) for exp in experiments_data])
 
     return all_experiments
 
 
-def _get_or_generate_api_key(args: argparse.Namespace, config: Config) -> str:
-    """Get API key from args, config, or generate from username."""
-    if args.api_key:
-        return args.api_key
-    if config.api_key:
-        return config.api_key
-    if args.username:
-        from ..cli_commands.upload import generate_api_key_from_username
-        return generate_api_key_from_username(args.username)
-    return ""
-
-
 # ============================================================================
 # Experiment Downloader
 # ============================================================================
@@ -577,23 +562,14 @@ def cmd_download(args: argparse.Namespace) -> int:
     # Load configuration
     config = Config()
     remote_url = args.remote or config.remote_url
-    api_key = _get_or_generate_api_key(args, config)
-    namespace = args.namespace or args.username
+    api_key = args.api_key or config.api_key  # RemoteClient will auto-load if None
 
     # Validate inputs
     if not remote_url:
         console.print("[red]Error:[/red] --remote is required (or set in config)")
         return 1
 
-    if not api_key:
-        console.print("[red]Error:[/red] --api-key or --username is required")
-        return 1
-
-    if not namespace:
-        console.print("[red]Error:[/red] --namespace or --username is required")
-        return 1
-
-    # Initialize clients
+    # Initialize clients (RemoteClient will auto-load token if api_key is None)
     remote_client = RemoteClient(base_url=remote_url, api_key=api_key)
     local_storage = LocalStorage(root_path=Path(args.path))
 
@@ -607,21 +583,19 @@ def cmd_download(args: argparse.Namespace) -> int:
             console.print("[yellow]No previous state found, starting fresh[/yellow]")
             state = DownloadState(
                 remote_url=remote_url,
-                local_path=str(args.path),
-                namespace=namespace
+                local_path=str(args.path)
             )
     else:
         state = DownloadState(
             remote_url=remote_url,
-            local_path=str(args.path),
-            namespace=namespace
+            local_path=str(args.path)
         )
 
     # Discover experiments
     console.print("[bold]Discovering experiments on remote server...[/bold]")
     try:
         experiments = discover_experiments(
-            remote_client, namespace, args.project, args.experiment
+            remote_client, args.project, args.experiment
         )
     except Exception as e:
         console.print(f"[red]Failed to discover experiments: {e}[/red]")
@@ -751,13 +725,11 @@ def add_parser(subparsers):
 
     # Remote configuration
     parser.add_argument("--remote", help="Remote server URL")
-    parser.add_argument("--api-key", help="JWT authentication token")
-    parser.add_argument("--username", help="Username for auto-generating API key")
+    parser.add_argument("--api-key", help="JWT authentication token (optional - auto-loads from 'ml-dash login')")
 
     # Scope control
     parser.add_argument("--project", help="Download only this project")
     parser.add_argument("--experiment", help="Download specific experiment (requires --project)")
-    parser.add_argument("--namespace", help="Namespace slug (defaults to username)")
 
     # Data filtering
     parser.add_argument("--skip-logs", action="store_true", help="Don't download logs")

ml_dash/cli_commands/list.py

@@ -58,7 +58,6 @@ def _get_status_style(status: str) -> str:
 
 def list_projects(
     remote_client: RemoteClient,
-    namespace: str,
     output_json: bool = False,
     verbose: bool = False
 ) -> int:
@@ -67,7 +66,6 @@ def list_projects(
 
     Args:
         remote_client: Remote API client
-        namespace: Namespace slug
         output_json: Output as JSON
         verbose: Show verbose output
 
@@ -76,12 +74,11 @@ def list_projects(
     """
     try:
         # Get projects via GraphQL
-        projects = remote_client.list_projects_graphql(namespace)
+        projects = remote_client.list_projects_graphql()
 
         if output_json:
             # JSON output
             output = {
-                "namespace": namespace,
                 "projects": projects,
                 "count": len(projects)
             }
@@ -90,10 +87,10 @@ def list_projects(
 
         # Human-readable output
         if not projects:
-            console.print(f"[yellow]No projects found for namespace: {namespace}[/yellow]")
+            console.print(f"[yellow]No projects found[/yellow]")
             return 0
 
-        console.print(f"\n[bold]Projects for {namespace}[/bold]\n")
+        console.print(f"\n[bold]Projects[/bold]\n")
 
         # Create table
         table = Table(box=box.ROUNDED)
@@ -128,7 +125,6 @@ def list_projects(
 
 def list_experiments(
     remote_client: RemoteClient,
-    namespace: str,
     project: str,
     status_filter: Optional[str] = None,
     tags_filter: Optional[List[str]] = None,
@@ -141,7 +137,6 @@ def list_experiments(
 
     Args:
         remote_client: Remote API client
-        namespace: Namespace slug
         project: Project slug
         status_filter: Filter by status (COMPLETED, RUNNING, FAILED, ARCHIVED)
         tags_filter: Filter by tags
@@ -155,7 +150,7 @@ def list_experiments(
     try:
         # Get experiments via GraphQL
         experiments = remote_client.list_experiments_graphql(
-            namespace, project, status=status_filter
+            project, status=status_filter
         )
 
         # Filter by tags if specified
@@ -168,7 +163,6 @@ def list_experiments(
         if output_json:
             # JSON output
             output = {
-                "namespace": namespace,
                 "project": project,
                 "experiments": experiments,
                 "count": len(experiments)
@@ -263,26 +257,9 @@ def cmd_list(args: argparse.Namespace) -> int:
         console.print("[red]Error:[/red] --remote URL is required (or set in config)")
         return 1
 
-    # Get API key (command line > config > generate from username)
+    # Get API key (command line > config > auto-loaded from storage)
     api_key = args.api_key or config.api_key
 
-    # If no API key, try to generate from username
-    if not api_key:
-        if args.username:
-            from .upload import generate_api_key_from_username
-            api_key = generate_api_key_from_username(args.username)
-            if args.verbose:
-                console.print(f"[dim]Generated API key from username: {args.username}[/dim]")
-        else:
-            console.print("[red]Error:[/red] --api-key or --username is required")
-            return 1
-
-    # Get namespace (defaults to username or config)
-    namespace = args.namespace or args.username or config.namespace
-    if not namespace:
-        console.print("[red]Error:[/red] --namespace or --username is required")
-        return 1
-
     # Create remote client
     try:
         remote_client = RemoteClient(base_url=remote_url, api_key=api_key)
@@ -299,7 +276,6 @@ def cmd_list(args: argparse.Namespace) -> int:
 
         return list_experiments(
             remote_client=remote_client,
-            namespace=namespace,
             project=args.project,
             status_filter=args.status,
             tags_filter=tags_filter,
@@ -310,7 +286,6 @@ def cmd_list(args: argparse.Namespace) -> int:
     else:
         return list_projects(
             remote_client=remote_client,
-            namespace=namespace,
             output_json=args.json,
             verbose=args.verbose
         )
@@ -326,10 +301,11 @@ def add_parser(subparsers) -> None:
 
     # Remote configuration
     parser.add_argument("--remote", type=str, help="Remote server URL")
-    parser.add_argument("--api-key", type=str, help="JWT authentication token")
-    parser.add_argument("--username", type=str, help="Username for auto-generating API key")
-    parser.add_argument("--namespace", type=str, help="Namespace slug (defaults to username)")
-
+    parser.add_argument(
+        "--api-key",
+        type=str,
+        help="JWT authentication token (auto-loaded from storage if not provided)"
+    )
     # Filtering options
     parser.add_argument("--project", type=str, help="List experiments in this project")
     parser.add_argument("--status", type=str,