dotseal 0.1.0__py3-none-any.whl

dotseal/__init__.py

@@ -0,0 +1,56 @@
+"""dotseal: Git-friendly encrypted env var manager with cleartext keys and sealed values.
+
+Public API
+----------
+* :func:`load_env` -- runtime loader (decrypt into ``os.environ``); drop-in for
+  ``python-dotenv``'s ``load_dotenv``.
+* :func:`encrypt_text` / :func:`decrypt_text` -- whole-file transforms.
+* :func:`decrypt_to_dict` -- decrypt into a mapping, in memory.
+* :func:`generate_master_key` / :func:`resolve_master_key` -- key helpers.
+* The exception hierarchy rooted at :class:`DotsealError`.
+"""
+
+from __future__ import annotations
+
+from .core import (
+    ENV_VAR_NAME,
+    KEY_FILE_NAME,
+    decrypt_text,
+    decrypt_to_dict,
+    encrypt_text,
+    resolve_master_key,
+)
+from .crypto import generate_master_key, key_fingerprint, load_key_bytes
+from .exceptions import (
+    DecryptionError,
+    EncryptionError,
+    InvalidMasterKeyError,
+    KeyFingerprintMismatchError,
+    MasterKeyNotFoundError,
+    ParseError,
+    DotsealError,
+)
+from .loader import load_env
+
+__version__ = "0.1.0"
+
+__all__ = [
+    "__version__",
+    "load_env",
+    "encrypt_text",
+    "decrypt_text",
+    "decrypt_to_dict",
+    "generate_master_key",
+    "resolve_master_key",
+    "load_key_bytes",
+    "key_fingerprint",
+    "ENV_VAR_NAME",
+    "KEY_FILE_NAME",
+    "DotsealError",
+    "MasterKeyNotFoundError",
+    "InvalidMasterKeyError",
+    "KeyFingerprintMismatchError",
+    "DecryptionError",
+    "EncryptionError",
+    "ParseError",
+]

dotseal/cli.py

@@ -0,0 +1,240 @@
+"""Command-line interface for dotseal (built on argparse, no extra deps).
+
+Commands:
+    init                     create a master key + gitignore it
+    encrypt [in] [out]       .env      -> .env.enc
+    decrypt [in] [out]       .env.enc  -> .env
+    edit [file]              decrypt -> $EDITOR -> re-encrypt (sops-style)
+"""
+
+from __future__ import annotations
+
+import argparse
+import os
+import shlex
+import subprocess
+import sys
+import tempfile
+from typing import List, Optional
+
+from . import __version__, core, crypto
+from .exceptions import DotsealError
+
+_GITIGNORE_NOTE = "# Added by `dotseal init` -- never commit your master key"
+
+
+# --- small IO helpers -------------------------------------------------------
+
+def _read(path: str) -> str:
+    if not os.path.isfile(path):
+        raise DotsealError(f"Input file not found: {path}")
+    with open(path, "r", encoding="utf-8") as fh:
+        return fh.read()
+
+
+def _err(msg: str) -> None:
+    print(f"dotseal: error: {msg}", file=sys.stderr)
+
+
+def _resolve_key_bytes(args: argparse.Namespace, *, search_dir: str) -> bytes:
+    key_str = core.resolve_master_key(
+        getattr(args, "key", None),
+        key_file=getattr(args, "key_file", None),
+        search_dir=search_dir,
+    )
+    return crypto.load_key_bytes(key_str)
+
+
+def _secure_delete(path: str) -> None:
+    """Best-effort secure delete: overwrite then unlink."""
+    try:
+        size = os.path.getsize(path)
+        with open(path, "r+b") as fh:
+            fh.write(b"\x00" * size)
+            fh.flush()
+            os.fsync(fh.fileno())
+    except OSError:
+        pass
+    finally:
+        try:
+            os.unlink(path)
+        except OSError:
+            pass
+
+
+# --- gitignore handling -----------------------------------------------------
+
+def _ensure_gitignored(name: str, directory: str) -> str:
+    """Make sure ``name`` is ignored by git. Returns a human-readable status."""
+    gitignore = os.path.join(directory, ".gitignore")
+    if os.path.isfile(gitignore):
+        with open(gitignore, "r", encoding="utf-8") as fh:
+            content = fh.read()
+        if any(line.strip() == name for line in content.splitlines()):
+            return f"{name} already present in .gitignore"
+        sep = "" if content.endswith("\n") or content == "" else "\n"
+        with open(gitignore, "a", encoding="utf-8") as fh:
+            fh.write(f"{sep}{_GITIGNORE_NOTE}\n{name}\n")
+        return f"appended {name} to existing .gitignore"
+    with open(gitignore, "w", encoding="utf-8") as fh:
+        fh.write(f"{_GITIGNORE_NOTE}\n{name}\n")
+    return f"created .gitignore and added {name}"
+
+
+# --- commands ---------------------------------------------------------------
+
+def cmd_init(args: argparse.Namespace) -> int:
+    directory = os.getcwd()
+    key_path = os.path.join(directory, core.KEY_FILE_NAME)
+
+    if os.path.exists(key_path) and not args.force:
+        _err(
+            f"{core.KEY_FILE_NAME} already exists. Refusing to overwrite "
+            "(use --force to replace it -- this will make existing .env.enc "
+            "files undecryptable)."
+        )
+        return 1
+
+    key_str = crypto.generate_master_key()
+    core.write_secret_file(key_path, key_str + "\n", mode=0o600)
+    fingerprint = crypto.key_fingerprint(crypto.load_key_bytes(key_str))
+    gitignore_status = _ensure_gitignored(core.KEY_FILE_NAME, directory)
+
+    print(f"Created master key: {key_path} (mode 0600)")
+    print(f"Key fingerprint:    {fingerprint}")
+    print(f"gitignore:          {gitignore_status}")
+    print()
+    print("To use this key in CI/containers instead of the file, export:")
+    print(f"  export {core.ENV_VAR_NAME}=$(cat {core.KEY_FILE_NAME})")
+    return 0
+
+
+def cmd_encrypt(args: argparse.Namespace) -> int:
+    text = _read(args.input)
+    key_bytes = bytearray(_resolve_key_bytes(args, search_dir=os.path.dirname(os.path.abspath(args.input))))
+    try:
+        out = core.encrypt_text(text, bytes(key_bytes))
+    finally:
+        crypto._zero(key_bytes)
+    # .env.enc is safe to commit -> default permissions are fine.
+    with open(args.output, "w", encoding="utf-8") as fh:
+        fh.write(out)
+    print(f"Encrypted {args.input} -> {args.output}")
+    return 0
+
+
+def cmd_decrypt(args: argparse.Namespace) -> int:
+    text = _read(args.input)
+    key_bytes = bytearray(_resolve_key_bytes(args, search_dir=os.path.dirname(os.path.abspath(args.input))))
+    try:
+        out = core.decrypt_text(text, bytes(key_bytes))
+    finally:
+        crypto._zero(key_bytes)
+    # Cleartext output contains secrets -> owner-only perms.
+    core.write_secret_file(args.output, out, mode=0o600)
+    print(f"Decrypted {args.input} -> {args.output} (mode 0600)")
+    return 0
+
+
+def cmd_edit(args: argparse.Namespace) -> int:
+    search_dir = os.path.dirname(os.path.abspath(args.input))
+    if os.path.isfile(args.input):
+        text = _read(args.input)
+        key_bytes = bytearray(_resolve_key_bytes(args, search_dir=search_dir))
+        try:
+            cleartext = core.decrypt_text(text, bytes(key_bytes))
+        finally:
+            crypto._zero(key_bytes)
+    else:
+        # Allow creating a new encrypted file by editing from scratch.
+        key_bytes = bytearray(_resolve_key_bytes(args, search_dir=search_dir))
+        crypto._zero(key_bytes)
+        cleartext = "# New encrypted env file. Add KEY=value lines.\n"
+
+    fd, tmp_path = tempfile.mkstemp(suffix=".env", prefix=".dotseal-edit-")
+    try:
+        os.fchmod(fd, 0o600)
+        with os.fdopen(fd, "w", encoding="utf-8") as fh:
+            fh.write(cleartext)
+
+        editor = os.environ.get("EDITOR", "nano")
+        cmd = shlex.split(editor) + [tmp_path]
+        try:
+            result = subprocess.run(cmd)
+        except FileNotFoundError:
+            _err(f"Editor not found: {editor!r}. Set $EDITOR to a valid editor.")
+            return 1
+        if result.returncode != 0:
+            _err(f"Editor exited with status {result.returncode}; aborting (no changes saved).")
+            return 1
+
+        with open(tmp_path, "r", encoding="utf-8") as fh:
+            edited = fh.read()
+
+        key_bytes = bytearray(_resolve_key_bytes(args, search_dir=search_dir))
+        try:
+            out = core.encrypt_text(edited, bytes(key_bytes))
+        finally:
+            crypto._zero(key_bytes)
+        with open(args.input, "w", encoding="utf-8") as fh:
+            fh.write(out)
+        print(f"Saved encrypted changes to {args.input}")
+        return 0
+    finally:
+        _secure_delete(tmp_path)
+
+
+# --- argument parsing -------------------------------------------------------
+
+def build_parser() -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(
+        prog="dotseal",
+        description="Git-friendly encrypted .env manager with cleartext keys and sealed values.",
+    )
+    parser.add_argument("--version", action="version", version=f"dotseal {__version__}")
+
+    def add_key_args(p: argparse.ArgumentParser) -> None:
+        p.add_argument("-k", "--key", help="Master key (base64). Overrides env var and key file.")
+        p.add_argument("--key-file", help=f"Path to a key file (default: discover {core.KEY_FILE_NAME}).")
+
+    sub = parser.add_subparsers(dest="command", required=True)
+
+    p_init = sub.add_parser("init", help="Generate a master key and gitignore it.")
+    p_init.add_argument("--force", action="store_true", help="Overwrite an existing key file.")
+    p_init.set_defaults(func=cmd_init)
+
+    p_enc = sub.add_parser("encrypt", help="Encrypt a cleartext .env into .env.enc.")
+    p_enc.add_argument("input", nargs="?", default=".env")
+    p_enc.add_argument("output", nargs="?", default=".env.enc")
+    add_key_args(p_enc)
+    p_enc.set_defaults(func=cmd_encrypt)
+
+    p_dec = sub.add_parser("decrypt", help="Decrypt .env.enc into a cleartext .env.")
+    p_dec.add_argument("input", nargs="?", default=".env.enc")
+    p_dec.add_argument("output", nargs="?", default=".env")
+    add_key_args(p_dec)
+    p_dec.set_defaults(func=cmd_decrypt)
+
+    p_edit = sub.add_parser("edit", help="Decrypt, open $EDITOR, then re-encrypt (sops-style).")
+    p_edit.add_argument("input", nargs="?", default=".env.enc")
+    add_key_args(p_edit)
+    p_edit.set_defaults(func=cmd_edit)
+
+    return parser
+
+
+def main(argv: Optional[List[str]] = None) -> int:
+    parser = build_parser()
+    args = parser.parse_args(argv)
+    try:
+        return args.func(args)
+    except DotsealError as exc:
+        _err(str(exc))
+        return 1
+    except KeyboardInterrupt:  # pragma: no cover
+        _err("interrupted")
+        return 130
+
+
+if __name__ == "__main__":  # pragma: no cover
+    sys.exit(main())

dotseal/core.py

@@ -0,0 +1,200 @@
+"""High-level orchestration: key resolution and whole-file transforms.
+
+This ties together :mod:`dotseal.crypto` (primitives) and
+:mod:`dotseal.parser` (structure) into the operations the CLI and the
+runtime loader actually need:
+
+* find the master key (explicit arg -> env var -> local key file),
+* encrypt / decrypt an entire file's text while preserving structure,
+* embed and verify a key fingerprint so a wrong key fails fast.
+"""
+
+from __future__ import annotations
+
+import os
+from typing import Dict, Optional
+
+from . import crypto, parser
+from .exceptions import (
+    KeyFingerprintMismatchError,
+    MasterKeyNotFoundError,
+)
+
+# --- Well-known names -------------------------------------------------------
+
+KEY_FILE_NAME = ".dotseal.key"
+ENV_VAR_NAME = "DOTSEAL_MASTER_KEY"
+
+BANNER = "# Generated by dotseal. DO NOT EDIT VALUES MANUALLY."
+METADATA_PREFIX = "# dotseal:"
+METADATA_VERSION = "1"
+
+
+# --- Key resolution ---------------------------------------------------------
+
+def find_key_file(start_dir: Optional[str] = None) -> Optional[str]:
+    """Return the path to a local key file, searching upward from ``start_dir``.
+
+    Walks up the directory tree (like git looking for ``.git``) so the tool
+    works from subdirectories of a project.
+    """
+    current = os.path.abspath(start_dir or os.getcwd())
+    while True:
+        candidate = os.path.join(current, KEY_FILE_NAME)
+        if os.path.isfile(candidate):
+            return candidate
+        parent = os.path.dirname(current)
+        if parent == current:
+            return None
+        current = parent
+
+
+def resolve_master_key(
+    master_key: Optional[str] = None,
+    *,
+    key_file: Optional[str] = None,
+    search_dir: Optional[str] = None,
+) -> str:
+    """Resolve the master key as a base64 string.
+
+    Resolution order (first match wins):
+        1. ``master_key`` argument,
+        2. the ``DOTSEAL_MASTER_KEY`` environment variable,
+        3. an explicit ``key_file`` path, then a discovered local key file.
+
+    Raises:
+        MasterKeyNotFoundError: if no key can be found.
+    """
+    if master_key:
+        return master_key.strip()
+
+    env_value = os.environ.get(ENV_VAR_NAME)
+    if env_value and env_value.strip():
+        return env_value.strip()
+
+    path = key_file or find_key_file(search_dir)
+    if path and os.path.isfile(path):
+        with open(path, "r", encoding="utf-8") as fh:
+            return fh.read().strip()
+
+    raise MasterKeyNotFoundError(
+        "No master key found. Provide one explicitly, set the "
+        f"{ENV_VAR_NAME} environment variable, or run `dotseal init` "
+        f"to create a local {KEY_FILE_NAME} file."
+    )
+
+
+# --- Metadata ---------------------------------------------------------------
+
+def build_metadata_line(key_bytes: bytes) -> str:
+    fp = crypto.key_fingerprint(key_bytes)
+    return f"{METADATA_PREFIX} v={METADATA_VERSION} alg={crypto.ALGORITHM} key_fp={fp}"
+
+
+def parse_metadata(parsed: parser.ParsedEnv) -> Dict[str, str]:
+    """Extract the ``# dotseal:`` metadata tokens, if present."""
+    for record in parsed.records:
+        if record.kind == "comment" and record.raw.strip().startswith(METADATA_PREFIX):
+            body = record.raw.strip()[len(METADATA_PREFIX):].strip()
+            meta: Dict[str, str] = {}
+            for token in body.split():
+                if "=" in token:
+                    k, v = token.split("=", 1)
+                    meta[k] = v
+            return meta
+    return {}
+
+
+def _strip_managed_comments(parsed: parser.ParsedEnv) -> None:
+    """Remove dotseal's own banner / metadata comments (keep user ones)."""
+    kept = []
+    for record in parsed.records:
+        if record.kind == "comment":
+            text = record.raw.strip()
+            if text == BANNER or text.startswith(METADATA_PREFIX):
+                continue
+        kept.append(record)
+    parsed.records = kept
+
+
+# --- Whole-file transforms --------------------------------------------------
+
+def encrypt_text(text: str, key_bytes: bytes) -> str:
+    """Encrypt all cleartext values in ``text``; return ``.env.enc`` text."""
+    parsed = parser.parse(text)
+    _strip_managed_comments(parsed)
+    for record in parsed.records:
+        if record.kind != "entry":
+            continue
+        if crypto.is_encrypted_value(record.value):
+            continue  # idempotent: already encrypted
+        record.value = crypto.encrypt_value(key_bytes, record.value, aad=record.key)
+
+    body = parser.serialize(parsed).rstrip("\n")
+    parts = [BANNER]
+    if body:
+        parts.append(body)
+    parts.append(build_metadata_line(key_bytes))
+    return "\n".join(parts) + "\n"
+
+
+def verify_key(parsed: parser.ParsedEnv, key_bytes: bytes) -> None:
+    """Raise if the file's recorded fingerprint does not match ``key_bytes``."""
+    meta = parse_metadata(parsed)
+    recorded = meta.get("key_fp")
+    if recorded and recorded != crypto.key_fingerprint(key_bytes):
+        raise KeyFingerprintMismatchError(
+            "The master key does not match the key used to encrypt this file "
+            f"(expected fingerprint {recorded}). Wrong key?"
+        )
+
+
+def decrypt_text(text: str, key_bytes: bytes) -> str:
+    """Decrypt all encrypted values in ``text``; return cleartext ``.env`` text."""
+    parsed = parser.parse(text)
+    verify_key(parsed, key_bytes)
+    for record in parsed.records:
+        if record.kind != "entry":
+            continue
+        if crypto.is_encrypted_value(record.value):
+            plaintext = crypto.decrypt_value(key_bytes, record.value, aad=record.key)
+            record.value = parser.format_value(plaintext)
+        else:
+            record.value = parser.format_value(record.value)
+    _strip_managed_comments(parsed)
+    return parser.serialize(parsed)
+
+
+def decrypt_to_dict(text: str, key_bytes: bytes) -> Dict[str, str]:
+    """Decrypt ``text`` into a ``{name: value}`` mapping, in memory only."""
+    parsed = parser.parse(text)
+    verify_key(parsed, key_bytes)
+    result: Dict[str, str] = {}
+    for record in parsed.records:
+        if record.kind != "entry":
+            continue
+        if crypto.is_encrypted_value(record.value):
+            result[record.key] = crypto.decrypt_value(
+                key_bytes, record.value, aad=record.key
+            )
+        else:
+            result[record.key] = record.value
+    return result
+
+
+# --- Filesystem helpers -----------------------------------------------------
+
+def write_secret_file(path: str, text: str, *, mode: int = 0o600) -> None:
+    """Write ``text`` to ``path`` with restrictive (owner-only) permissions."""
+    directory = os.path.dirname(os.path.abspath(path))
+    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
+    try:
+        with os.fdopen(fd, "w", encoding="utf-8") as fh:
+            fh.write(text)
+    finally:
+        # Re-assert mode in case the file pre-existed with looser perms.
+        try:
+            os.chmod(path, mode)
+        except OSError:
+            pass
+    _ = directory  # reserved for future atomic-rename hardening

dotseal/crypto.py

@@ -0,0 +1,160 @@
+"""Cryptographic primitives for dotseal.
+
+Encryption scheme
+-----------------
+* Cipher:        AES-256-GCM (AEAD) via ``cryptography.hazmat``.
+* Master key:    32 random bytes, stored/transported as standard base64 text.
+* Per value:     a fresh random 12-byte nonce is generated for every value.
+* Wire format:   ``ENC[AES_GCM,data:<base64(nonce || ciphertext || tag)>]``
+* AAD:           the variable *name* is bound as Additional Authenticated Data.
+                 This means a ciphertext for ``ADMIN_TOKEN`` will not decrypt if
+                 it is moved onto ``GUEST_TOKEN`` in the file -- it prevents
+                 value-swapping tampering, not just bit-flipping.
+
+Nothing here shells out to external binaries (age/gpg/openssl/sops). It is pure
+Python on top of the ``cryptography`` package.
+"""
+
+from __future__ import annotations
+
+import base64
+import binascii
+import hashlib
+import os
+
+from cryptography.exceptions import InvalidTag
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+
+from .exceptions import (
+    DecryptionError,
+    EncryptionError,
+    InvalidMasterKeyError,
+)
+
+# --- Format constants -------------------------------------------------------
+
+ALGORITHM = "AES_GCM"
+KEY_SIZE = 32  # AES-256
+NONCE_SIZE = 12  # 96-bit nonce recommended for GCM
+
+ENC_PREFIX = f"ENC[{ALGORITHM},data:"
+ENC_SUFFIX = "]"
+
+# Domain separation string so the public fingerprint can never be confused with
+# any other hash of the key material.
+_FINGERPRINT_DOMAIN = b"dotseal/key-fingerprint/v1"
+
+
+# --- Helpers ----------------------------------------------------------------
+
+def _zero(buf: bytearray) -> None:
+    """Best-effort overwrite of a mutable byte buffer.
+
+    Python cannot guarantee secrets are erased from memory (immutable ``bytes``/
+    ``str`` and GC copies make this impossible in the general case), but for the
+    mutable buffers we control we overwrite them promptly to shrink the window.
+    """
+    for i in range(len(buf)):
+        buf[i] = 0
+
+
+# --- Key management ---------------------------------------------------------
+
+def generate_master_key() -> str:
+    """Generate a new cryptographically secure master key (base64 text)."""
+    return base64.b64encode(os.urandom(KEY_SIZE)).decode("ascii")
+
+
+def load_key_bytes(master_key: str) -> bytes:
+    """Decode and validate a base64-encoded master key string into raw bytes.
+
+    Raises:
+        InvalidMasterKeyError: if the key is not valid base64 or has the wrong
+            length for AES-256.
+    """
+    if not isinstance(master_key, str):
+        raise InvalidMasterKeyError("Master key must be a string.")
+    cleaned = master_key.strip()
+    if not cleaned:
+        raise InvalidMasterKeyError("Master key is empty.")
+    try:
+        raw = base64.b64decode(cleaned, validate=True)
+    except (binascii.Error, ValueError) as exc:
+        raise InvalidMasterKeyError(
+            "Master key is not valid base64. It must be a base64-encoded "
+            "32-byte key as produced by `dotseal init`."
+        ) from exc
+    if len(raw) != KEY_SIZE:
+        raise InvalidMasterKeyError(
+            f"Master key must decode to {KEY_SIZE} bytes (got {len(raw)}). "
+            "Did you copy the whole key?"
+        )
+    return raw
+
+
+def key_fingerprint(key_bytes: bytes) -> str:
+    """Return a short, non-reversible fingerprint of a key (16 hex chars).
+
+    This is safe to store in the encrypted file: it lets us detect a wrong key
+    up front without revealing key material.
+    """
+    digest = hashlib.sha256(_FINGERPRINT_DOMAIN + key_bytes).digest()
+    return digest[:8].hex()
+
+
+# --- Value encryption / decryption ------------------------------------------
+
+def is_encrypted_value(value: str) -> bool:
+    """Return True if ``value`` is a well-formed ENC[...] token."""
+    return value.startswith(ENC_PREFIX) and value.endswith(ENC_SUFFIX)
+
+
+def encrypt_value(key_bytes: bytes, plaintext: str, *, aad: str) -> str:
+    """Encrypt a single value, returning the ``ENC[...]`` wire token.
+
+    Args:
+        key_bytes: raw 32-byte AES key.
+        plaintext: the cleartext value to protect.
+        aad: additional authenticated data (the variable name) bound to the
+            ciphertext. Must be supplied identically at decryption time.
+    """
+    aesgcm = AESGCM(key_bytes)
+    nonce = os.urandom(NONCE_SIZE)
+    pt = bytearray(plaintext.encode("utf-8"))
+    try:
+        ciphertext = aesgcm.encrypt(nonce, bytes(pt), aad.encode("utf-8"))
+    except Exception as exc:  # pragma: no cover - defensive
+        raise EncryptionError(f"Failed to encrypt value: {exc}") from exc
+    finally:
+        _zero(pt)
+    payload = base64.b64encode(nonce + ciphertext).decode("ascii")
+    return f"{ENC_PREFIX}{payload}{ENC_SUFFIX}"
+
+
+def decrypt_value(key_bytes: bytes, token: str, *, aad: str) -> str:
+    """Decrypt an ``ENC[...]`` token back into the cleartext value.
+
+    Raises:
+        DecryptionError: if the token is malformed, the key is wrong, the AAD
+            (variable name) does not match, or the ciphertext was tampered with.
+    """
+    if not is_encrypted_value(token):
+        raise DecryptionError(
+            "Value is not a recognized ENC[AES_GCM,...] token."
+        )
+    payload_b64 = token[len(ENC_PREFIX):-len(ENC_SUFFIX)]
+    try:
+        blob = base64.b64decode(payload_b64, validate=True)
+    except (binascii.Error, ValueError) as exc:
+        raise DecryptionError("Corrupted data: payload is not valid base64.") from exc
+    if len(blob) <= NONCE_SIZE:
+        raise DecryptionError("Corrupted data: ciphertext is too short.")
+    nonce, ciphertext = blob[:NONCE_SIZE], blob[NONCE_SIZE:]
+    aesgcm = AESGCM(key_bytes)
+    try:
+        plaintext = aesgcm.decrypt(nonce, ciphertext, aad.encode("utf-8"))
+    except InvalidTag as exc:
+        raise DecryptionError(
+            "Invalid Master Key or Corrupted Data."
+        ) from exc
+    return plaintext.decode("utf-8")

dotseal/exceptions.py

@@ -0,0 +1,44 @@
+"""Custom exception hierarchy for dotseal.
+
+These exceptions exist so that failures surface as clear, actionable messages
+instead of leaking raw cryptographic tracebacks (which are both confusing and a
+minor information-leak risk) to end users.
+"""
+
+from __future__ import annotations
+
+
+class DotsealError(Exception):
+    """Base class for all dotseal errors."""
+
+
+class KeyError_(DotsealError):
+    """Base for key-related problems."""
+
+
+class MasterKeyNotFoundError(KeyError_):
+    """Raised when no master key can be located via any supported method."""
+
+
+class InvalidMasterKeyError(KeyError_):
+    """Raised when a provided master key is malformed (wrong length/encoding)."""
+
+
+class KeyFingerprintMismatchError(DotsealError):
+    """Raised when the key fingerprint in the file does not match the supplied key.
+
+    This lets us fail fast with a helpful message *before* attempting to decrypt
+    every value with an obviously-wrong key.
+    """
+
+
+class DecryptionError(DotsealError):
+    """Raised when a value cannot be decrypted (bad key or tampered ciphertext)."""
+
+
+class EncryptionError(DotsealError):
+    """Raised when a value cannot be encrypted."""
+
+
+class ParseError(DotsealError):
+    """Raised when a .env / .env.enc file cannot be parsed."""

dotseal/loader.py

@@ -0,0 +1,79 @@
+"""Runtime loader: decrypt an ``.env.enc`` into ``os.environ`` with no disk write.
+
+This is the import-time companion to the CLI and a drop-in replacement for
+``python-dotenv``'s ``load_dotenv``: call :func:`load_env` early in startup to
+make your (encrypted) secrets available via ``os.environ`` / ``os.getenv``
+without ever materializing a cleartext file.
+"""
+
+from __future__ import annotations
+
+import os
+from typing import Optional
+
+from . import core, crypto
+from .exceptions import MasterKeyNotFoundError, DotsealError
+
+
+def load_env(
+    dotenv_path: str = ".env.enc",
+    *,
+    master_key: Optional[str] = None,
+    override: bool = False,
+    encoding: str = "utf-8",
+) -> bool:
+    """Decrypt ``dotenv_path`` in memory and inject the values into ``os.environ``.
+
+    Mirrors ``python-dotenv``'s ``load_dotenv`` so it can be used as a drop-in
+    replacement, but reads a structurally-encrypted ``.env.enc`` file.
+
+    Args:
+        dotenv_path: path to the encrypted env file (default ``".env.enc"``).
+        master_key: base64 master key. If ``None``, it is resolved from the
+            ``DOTSEAL_MASTER_KEY`` env var or a local key file.
+        override: if ``False`` (default), variables already present in
+            ``os.environ`` are left untouched (the process environment wins,
+            which matches typical 12-factor behavior). If ``True``, decrypted
+            values overwrite existing ones.
+        encoding: text encoding used to read the file.
+
+    Returns:
+        ``True`` if at least one variable was set in ``os.environ``, else
+        ``False`` (matching ``load_dotenv``). To get the decrypted values back
+        as a mapping instead, use :func:`dotseal.decrypt_to_dict`.
+
+    Raises:
+        FileNotFoundError: if ``dotenv_path`` does not exist.
+        MasterKeyNotFoundError / DecryptionError / KeyFingerprintMismatchError:
+            on key resolution or decryption problems.
+    """
+    if not os.path.isfile(dotenv_path):
+        raise FileNotFoundError(f"Encrypted env file not found: {dotenv_path}")
+
+    key_str = core.resolve_master_key(
+        master_key, search_dir=os.path.dirname(os.path.abspath(dotenv_path))
+    )
+    key_bytes = bytearray(crypto.load_key_bytes(key_str))
+
+    with open(dotenv_path, "r", encoding=encoding) as fh:
+        text = fh.read()
+
+    try:
+        values = core.decrypt_to_dict(text, bytes(key_bytes))
+    finally:
+        crypto._zero(key_bytes)
+
+    set_any = False
+    for name, value in values.items():
+        if override or name not in os.environ:
+            os.environ[name] = value
+            set_any = True
+
+    return set_any
+
+
+__all__ = [
+    "load_env",
+    "MasterKeyNotFoundError",
+    "DotsealError",
+]

dotseal/parser.py

@@ -0,0 +1,170 @@
+"""Structure-preserving parser for ``.env`` / ``.env.enc`` files.
+
+The whole point of dotseal is *structural* encryption: keys stay in
+cleartext, comments and blank lines are preserved, and only values change. To
+make that possible the parser does not collapse a file into a ``dict`` -- it
+keeps an ordered list of :class:`Record` objects so the document can be
+faithfully re-serialized.
+
+Value handling follows common ``.env`` conventions:
+
+* ``export FOO=bar`` -- the optional ``export`` prefix is preserved.
+* Whitespace around ``=`` and around an unquoted value is trimmed.
+* Values may be wrapped in single or double quotes. Double-quoted values
+  support ``\\n``, ``\\t``, ``\\r``, ``\\\\`` and ``\\"`` escapes (this is how
+  multi-line values are represented on a single physical line). Single-quoted
+  values are taken literally.
+* The first ``=`` separates key and value, so values may themselves contain
+  ``=`` (e.g. ``PASSWORD=!!@#$%=``).
+"""
+
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass
+from typing import List
+
+from .exceptions import ParseError
+
+# Matches an optional `export ` prefix followed by KEY=...
+_ENTRY_RE = re.compile(
+    r"""^(?P<export>export\s+)?      # optional export prefix
+         (?P<key>[A-Za-z_][A-Za-z0-9_.]*)   # variable name
+         \s*=                         # separator
+         (?P<value>.*)$               # everything after the first =
+    """,
+    re.VERBOSE | re.DOTALL,
+)
+
+
+@dataclass
+class Record:
+    """A single logical line of the document."""
+
+    kind: str  # 'blank' | 'comment' | 'entry'
+    raw: str = ""  # verbatim text for blank/comment records
+    key: str = ""
+    value: str = ""  # logical (unquoted) value, or an ENC[...] token
+    export: bool = False
+
+
+@dataclass
+class ParsedEnv:
+    records: List[Record]
+
+    def entries(self) -> List[Record]:
+        return [r for r in self.records if r.kind == "entry"]
+
+
+# --- Value decoding / encoding ----------------------------------------------
+
+_DOUBLE_UNESCAPE = {
+    "\\n": "\n",
+    "\\t": "\t",
+    "\\r": "\r",
+    '\\"': '"',
+    "\\\\": "\\",
+}
+
+_DOUBLE_ESCAPE = {
+    "\\": "\\\\",
+    '"': '\\"',
+    "\n": "\\n",
+    "\t": "\\t",
+    "\r": "\\r",
+}
+
+
+def _unquote(raw: str) -> str:
+    """Turn a raw on-disk value into its logical string value."""
+    value = raw.strip()
+    if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
+        inner = value[1:-1]
+        if value[0] == '"':
+            return _unescape_double(inner)
+        return inner  # single quotes: literal
+    return value
+
+
+def _unescape_double(inner: str) -> str:
+    out = []
+    i = 0
+    while i < len(inner):
+        two = inner[i : i + 2]
+        if two in _DOUBLE_UNESCAPE:
+            out.append(_DOUBLE_UNESCAPE[two])
+            i += 2
+        else:
+            out.append(inner[i])
+            i += 1
+    return "".join(out)
+
+
+def format_value(value: str) -> str:
+    """Render a logical value back to a safe on-disk representation.
+
+    Quotes (and escapes) the value only when necessary so simple values stay
+    diff-friendly and unquoted.
+    """
+    if value == "":
+        return ""
+    needs_quoting = (
+        value != value.strip()  # leading/trailing whitespace
+        or any(c in value for c in (" ", "\t", "#", "\n", "\r", '"', "'"))
+    )
+    if not needs_quoting:
+        return value
+    escaped = "".join(_DOUBLE_ESCAPE.get(c, c) for c in value)
+    return f'"{escaped}"'
+
+
+# --- Parsing ----------------------------------------------------------------
+
+def parse(text: str) -> ParsedEnv:
+    """Parse the full text of a ``.env``/``.env.enc`` file into records."""
+    records: List[Record] = []
+    for lineno, line in enumerate(text.splitlines(), start=1):
+        stripped = line.strip()
+        if stripped == "":
+            records.append(Record(kind="blank", raw=""))
+            continue
+        if stripped.startswith("#"):
+            records.append(Record(kind="comment", raw=line))
+            continue
+        match = _ENTRY_RE.match(line)
+        if not match:
+            raise ParseError(
+                f"Line {lineno}: could not parse entry: {line!r}"
+            )
+        key = match.group("key")
+        raw_value = match.group("value")
+        records.append(
+            Record(
+                kind="entry",
+                key=key,
+                value=_unquote(raw_value),
+                export=bool(match.group("export")),
+            )
+        )
+    return ParsedEnv(records=records)
+
+
+def serialize(parsed: ParsedEnv) -> str:
+    """Serialize records back to file text (values rendered via ``format_value``).
+
+    Entry values are written verbatim (already-final form -- either an ENC[...]
+    token or an already-formatted cleartext value). Use :func:`format_value`
+    before assigning cleartext values you want safely quoted.
+    """
+    lines: List[str] = []
+    for r in parsed.records:
+        if r.kind == "blank":
+            lines.append("")
+        elif r.kind == "comment":
+            lines.append(r.raw)
+        elif r.kind == "entry":
+            prefix = "export " if r.export else ""
+            lines.append(f"{prefix}{r.key}={r.value}")
+        else:  # pragma: no cover - defensive
+            raise ParseError(f"Unknown record kind: {r.kind!r}")
+    return "\n".join(lines) + "\n"

dotseal-0.1.0.dist-info/METADATA

@@ -0,0 +1,288 @@
+Metadata-Version: 2.4
+Name: dotseal
+Version: 0.1.0
+Summary: Git-friendly encrypted .env files with cleartext keys and sealed values (SOPS-inspired structural encryption).
+Project-URL: Homepage, https://github.com/Jastchi/dotseal
+Project-URL: Repository, https://github.com/Jastchi/dotseal
+Author: dotseal contributors
+License: MIT
+License-File: LICENSE
+Keywords: aes-gcm,configuration,dotenv,dotseal,encryption,env,secrets,sops
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.8
+Requires-Dist: cryptography>=42.0.0
+Provides-Extra: dev
+Requires-Dist: pytest<9,>=8.0.0; (python_version < '3.10') and extra == 'dev'
+Requires-Dist: pytest>=9.0.0; (python_version >= '3.10') and extra == 'dev'
+Requires-Dist: ruff>=0.15; (python_version >= '3.9') and extra == 'dev'
+Requires-Dist: ty>=0.0.47; (python_version >= '3.9') and extra == 'dev'
+Provides-Extra: test
+Requires-Dist: pytest<9,>=8.0.0; (python_version < '3.10') and extra == 'test'
+Requires-Dist: pytest>=9.0.0; (python_version >= '3.10') and extra == 'test'
+Description-Content-Type: text/markdown
+
+# dotseal
+
+Git-friendly encrypted `.env` files with cleartext keys and sealed values — an offline-first environment-variable manager for Python, inspired by [Mozilla SOPS](https://github.com/getsops/sops) but built natively for the Python ecosystem.
+
+`dotseal` performs **structural encryption**: it leaves your `.env` **keys in cleartext** and encrypts only the **values**. The result is a `.env.enc` file you can safely commit, review in pull requests, and merge — because the diff still shows *which* variables changed, just not their secret contents.
+
+```diff
+  DATABASE_URL=ENC[AES_GCM,data:Zm9vYmFy...]
+- DEBUG=ENC[AES_GCM,data:TXVzaWM=]
++ DEBUG=ENC[AES_GCM,data:b3RoZXI=]
+  API_KEY=ENC[AES_GCM,data:c2VjcmV0...]
+```
+
+- **No OS dependencies.** Pure Python on top of [`cryptography`](https://cryptography.io). No `age`, `gpg`, `sops`, `openssl` CLI, or Go binaries required.
+- **Authenticated encryption.** AES-256-GCM (AEAD) with a fresh nonce per value.
+- **Tamper-evident & swap-proof.** Each value is bound to its variable name as Additional Authenticated Data (AAD), so ciphertext can't be moved between keys.
+- **Runtime loader.** Decrypt straight into `os.environ` — no cleartext file ever touches disk.
+
+---
+
+## Installation
+
+```bash
+pip install dotseal
+```
+
+Requires Python 3.8+.
+
+---
+
+## Quickstart
+
+```bash
+# 1. Generate a master key (saved to .dotseal.key and gitignored)
+dotseal init
+
+# 2. Write a normal .env file
+cat > .env <<'EOF'
+DATABASE_URL=postgres://user:pass@localhost:5432/db
+DEBUG=True
+API_KEY=super-secret
+EOF
+
+# 3. Encrypt it → .env.enc (commit this; never commit .env or the key)
+dotseal encrypt
+
+# 4. Decrypt when you need it back
+dotseal decrypt
+```
+
+### What gets committed?
+
+| File                  | Commit it? | Contents                                  |
+| --------------------- | ---------- | ----------------------------------------- |
+| `.env.enc`            | ✅ Yes      | Keys in cleartext, values encrypted       |
+| `.env`                | ❌ No       | Full cleartext secrets                    |
+| `.dotseal.key`        | ❌ **Never**| The master key (auto-added to `.gitignore`) |
+
+---
+
+## CLI Reference
+
+### `dotseal init`
+Generates a new cryptographically secure master key, writes it to `.dotseal.key` (mode `0600`), and adds it to `.gitignore` (creating one if needed). Prints the key **fingerprint** (not the key) so you can verify which key encrypted a file. Use `--force` to replace an existing key (this makes existing `.env.enc` files undecryptable).
+
+### `dotseal encrypt [input] [output]`
+Encrypts the values of a cleartext env file. Defaults: `.env` → `.env.enc`. Idempotent — values that are already encrypted are left untouched.
+
+### `dotseal decrypt [input] [output]`
+Decrypts values back to cleartext. Defaults: `.env.enc` → `.env`. The output is written with owner-only (`0600`) permissions since it contains secrets.
+
+### `dotseal edit [file]`
+SOPS-style editing. Decrypts `.env.enc` to a temporary file (mode `0600`), opens it in `$EDITOR` (falling back to `nano`), and re-encrypts on save. The temp file is securely overwritten and deleted afterward. If the file doesn't exist yet, you get a fresh template to start from.
+
+### Common options
+All commands except `init` accept:
+
+- `-k, --key <base64>` — provide the master key directly (overrides env var and key file).
+- `--key-file <path>` — use a specific key file instead of auto-discovery.
+
+---
+
+## Key Management
+
+The master key is resolved in this order (first match wins):
+
+1. An explicit `--key` argument (CLI) or `master_key=` argument (loader).
+2. The `DOTSEAL_MASTER_KEY` environment variable.
+3. A local `.dotseal.key` file (searched for in the current directory and upward through parent directories).
+
+The key is a base64-encoded 32-byte (AES-256) value. Generate one programmatically with:
+
+```python
+from dotseal import generate_master_key
+print(generate_master_key())
+```
+
+---
+
+## Runtime Loader (no cleartext on disk)
+
+`load_env` is a **drop-in replacement for `python-dotenv`'s `load_dotenv`** — it just reads an encrypted `.env.enc` instead of a cleartext `.env`. Call it once at startup and your secrets are available as ordinary environment variables through the `os` module:
+
+```python
+import os
+from dotseal import load_env
+
+# Resolves the key from DOTSEAL_MASTER_KEY or .dotseal.key
+load_env()                                # reads ".env.enc" by default
+
+os.getenv("DATABASE_URL")                 # now available, like any env var
+```
+
+Signature:
+
+```python
+def load_env(
+    dotenv_path: str = ".env.enc",
+    *,
+    master_key: str | None = None,
+    override: bool = False,
+    encoding: str = "utf-8",
+) -> bool:
+    ...
+```
+
+- `override=False` (default): existing process env vars win (12-factor friendly).
+- `override=True`: decrypted values overwrite anything already in `os.environ`.
+- Returns `True` if at least one variable was set (matching `load_dotenv`). Want the values as a `dict` instead? Use `decrypt_to_dict` (below).
+
+Other programmatic helpers:
+
+```python
+from dotseal import encrypt_text, decrypt_text, decrypt_to_dict, load_key_bytes
+
+key = load_key_bytes("BASE64KEY==")
+enc = encrypt_text("FOO=bar\n", key)      # -> ".env.enc" text
+cleartext = decrypt_text(enc, key)        # -> ".env" text
+mapping = decrypt_to_dict(enc, key)       # -> {"FOO": "bar"}
+```
+
+---
+
+## File Format
+
+```env
+# Generated by dotseal. DO NOT EDIT VALUES MANUALLY.
+DATABASE_URL=ENC[AES_GCM,data:<base64(nonce ‖ ciphertext ‖ tag)>]
+DEBUG=ENC[AES_GCM,data:...]
+# dotseal: v=1 alg=AES_GCM key_fp=7ef08b59e6a945e4
+```
+
+- Each value's payload is `base64(12-byte nonce ‖ ciphertext ‖ GCM tag)`.
+- The variable name is bound as AAD, so values cannot be swapped between keys.
+- The trailing `# dotseal:` metadata line records the algorithm and a **key fingerprint** (a one-way hash of the key). On decrypt, the fingerprint is checked first so a wrong key fails fast with a clear message instead of a cryptic crypto error.
+- Comments and blank lines are preserved. Values containing spaces, `#`, or newlines are safely quoted/escaped on decryption.
+
+---
+
+## CI/CD Integration
+
+The pattern is always the same: provide the master key via the `DOTSEAL_MASTER_KEY` environment variable (from your platform's secret store), commit only `.env.enc`, and either decrypt to a file or load at runtime.
+
+### GitHub Actions
+
+Store the key as a repository/environment **secret** named `DOTSEAL_MASTER_KEY`.
+
+```yaml
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    env:
+      DOTSEAL_MASTER_KEY: ${{ secrets.DOTSEAL_MASTER_KEY }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - run: pip install dotseal
+
+      # Option A: decrypt to a real .env for tools that expect a file
+      - run: dotseal decrypt .env.enc .env
+
+      # Option B: load at runtime inside your app (no cleartext file)
+      - run: python -c "from dotseal import load_env; load_env(); import app"
+```
+
+### Docker
+
+Bake only the encrypted file into the image and pass the key at runtime:
+
+```dockerfile
+FROM python:3.12-slim
+WORKDIR /app
+RUN pip install dotseal
+COPY .env.enc .
+COPY . .
+# App calls load_env() on startup.
+CMD ["python", "main.py"]
+```
+
+```bash
+docker run -e DOTSEAL_MASTER_KEY="$(cat .dotseal.key)" my-image
+```
+
+```python
+# main.py
+from dotseal import load_env
+load_env()   # picks up DOTSEAL_MASTER_KEY from the container env
+```
+
+### Kubernetes
+
+Store the master key in a `Secret` and expose it as `DOTSEAL_MASTER_KEY`:
+
+```yaml
+env:
+  - name: DOTSEAL_MASTER_KEY
+    valueFrom:
+      secretKeyRef:
+        name: dotseal
+        key: master-key
+```
+
+---
+
+## Security Notes & Limitations
+
+- **AES-256-GCM** provides confidentiality *and* integrity. Tampered ciphertext or a wrong key is rejected rather than silently producing garbage.
+- **AAD binding** prevents an attacker who can edit the committed `.env.enc` from relocating a high-privilege secret onto a low-privilege variable name.
+- **Key fingerprint** is a domain-separated SHA-256 hash truncated to 8 bytes; it reveals nothing about the key itself.
+- **Memory hygiene is best-effort.** dotseal overwrites the mutable key buffers it controls, but Python's immutable `str`/`bytes` and garbage collector mean secrets can still linger in memory. Do not rely on this for protection against an attacker with live process access.
+- **The master key is the whole ballgame.** Anyone with the key can decrypt everything. Rotate it by re-encrypting with `dotseal init --force` followed by `encrypt`, and store it only in trusted secret managers.
+- This tool is a single-key symmetric scheme. It does **not** implement multi-recipient/asymmetric key sharing (a SOPS + `age`/KMS feature).
+
+---
+
+## Development
+
+```bash
+uv venv && uv pip install -e ".[dev]"
+uv run pytest
+```
+
+CI runs the full test suite on Python 3.8 through 3.14 (see `.github/workflows/test.yml`).
+
+The test suite covers crypto round-trips, edge-case values (empty strings, `!!@#$%=`, unicode, multi-line, large), structural parsing, the runtime loader (asserting no side-effect files are written), and the full CLI lifecycle including `edit`.
+
+## License
+
+MIT

dotseal-0.1.0.dist-info/RECORD

@@ -0,0 +1,12 @@
+dotseal/__init__.py,sha256=QSHDVx0HmqkS8tTXrSGIW5cLQwVf7kqAWUZTBeNLafg,1430
+dotseal/cli.py,sha256=VObJQjzoL50gRnMVjwd4nl10UemNA5YaWVFPwCSI5ys,8640
+dotseal/core.py,sha256=W-i_NxnFSu-wDq9foVdA4Id-WJ0eh5FYpmPHjHicK5k,7035
+dotseal/crypto.py,sha256=rOTuuepc1nWB_Xz0HQZlQ6TsxDttXhP9d8u2GeFm4Rs,5911
+dotseal/exceptions.py,sha256=cYHDqjZtiudtMiKukrLMNdUIeLk7H2RI5udR2KgpvrA,1261
+dotseal/loader.py,sha256=ax7E9P8Fx0XCeyNqhhHBEh2aQkg8-pTYUOODPwxf5KY,2705
+dotseal/parser.py,sha256=mw_k-m1BGx2YvcyeqR6CqLjxnQ4JpE9uN1RWMBADans,5316
+dotseal-0.1.0.dist-info/METADATA,sha256=mD0BtAzdrdQ0u1-S3w9CrDm8gLer2Wn47pFRSnBBsgk,10978
+dotseal-0.1.0.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+dotseal-0.1.0.dist-info/entry_points.txt,sha256=OcZ6MVNeCRe60U3rXchD-so_nu-OBscyt3jwHUYwtEE,45
+dotseal-0.1.0.dist-info/licenses/LICENSE,sha256=f5qyXeHyRYQU-yXrmItXA1eohCQtgjGI8R5riBIbDWU,1077
+dotseal-0.1.0.dist-info/RECORD,,

dotseal-0.1.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.30.1
+Root-Is-Purelib: true
+Tag: py3-none-any

dotseal-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+dotseal = dotseal.cli:main

dotseal-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 dotseal contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.