kilit 0.1.0__tar.gz

kilit-0.1.0/.github/workflows/publish-to-pypi.yml

@@ -0,0 +1,68 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      test_pypi:
+        description: 'Publish to Test PyPI instead of PyPI'
+        required: false
+        type: boolean
+        default: true
+
+jobs:
+  build-and-publish:
+    name: Build and publish Python distribution to PyPI
+    runs-on: ubuntu-latest
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    
+    - name: Verify tag format (only for releases)
+      if: github.event_name == 'release'
+      run: |
+        TAG="${{ github.ref_name }}"
+        if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+          echo "Error: Tag must match v*.*.* format (e.g., v0.1.0)"
+          exit 1
+        fi
+    
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.10'
+    
+    - name: Install build dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install build twine
+    
+    - name: Build package
+      run: python -m build
+    
+    - name: Check package
+      run: twine check dist/*
+    
+    - name: Smoke test - Install and import
+      run: |
+        pip install dist/*.whl
+        python -c "import kilit; print(kilit.__version__); from kilit import Credentials; print('✅ ok')"
+        kilit --help
+    
+    - name: Publish to Test PyPI
+      if: github.event_name == 'workflow_dispatch' && inputs.test_pypi
+      env:
+        TWINE_USERNAME: __token__
+        TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}
+      run: |
+        twine upload --repository testpypi dist/*
+    
+    - name: Publish to PyPI
+      if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && !inputs.test_pypi)
+      env:
+        TWINE_USERNAME: __token__
+        TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+      run: |
+        twine upload dist/*

kilit-0.1.0/.github/workflows/tests.yml

@@ -0,0 +1,51 @@
+name: Tests
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+
+jobs:
+  test:
+    name: Test on Python ${{ matrix.python-version }}
+    runs-on: ${{ matrix.os }}
+    
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        python-version: ['3.10', '3.11', '3.12']
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ matrix.python-version }}
+    
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -e ".[dev,yaml]"
+    
+    - name: Lint with Ruff
+      run: |
+        ruff check src/
+    
+    - name: Check formatting with Ruff
+      run: |
+        ruff format --check src/
+    
+    - name: Run tests
+      run: |
+        pytest tests/ -v --cov=kilit --cov-report=xml --cov-report=term --cov-fail-under=60
+    
+    - name: Upload coverage to Codecov
+      if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.10'
+      uses: codecov/codecov-action@v4
+      with:
+        file: ./coverage.xml
+        fail_ci_if_error: false

kilit-0.1.0/.gitignore

@@ -0,0 +1,54 @@
+# Kilit master keys (NEVER commit these!)
+config/master.key
+*.key
+.env
+.env.*
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# Virtual environments
+venv/
+ENV/
+env/
+.venv
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+.tox/
+.hypothesis/
+
+# IDEs
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+.DS_Store
+
+# Ruff
+.ruff_cache/
+
+# Benchmarks
+.benchmarks/

kilit-0.1.0/CHANGELOG.md

@@ -0,0 +1,52 @@
+# Changelog
+
+All notable changes to Kilit will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+- Initial release of Kilit
+- AES-256-GCM encryption with Scrypt KDF
+- CLI commands: init, edit, show, export, rotate
+- Thread-safe runtime API
+- JSON and YAML codec support
+- Cross-platform file permissions
+- Django, Flask, and FastAPI integration examples
+- Comprehensive documentation
+
+### Security
+- Scrypt parameters stored in envelope for deterministic decryption
+- No master key printing by default
+- Signal handling for temp file cleanup
+- Safe `__repr__` methods that don't expose secrets
+- Sanitized error messages
+
+## [0.1.0] - 2024-02-28
+
+### Added
+- Initial public release
+- Core cryptographic layer with AES-256-GCM
+- Scrypt KDF with parameter validation
+- Atomic file writes with fsync
+- Cross-platform secure file permissions
+- JSON codec (built-in)
+- YAML codec (optional)
+- CLI with 5 commands (init, edit, show, export, rotate)
+- Thread-safe Credentials API
+- Dotted path access for nested secrets
+- Environment variable support
+- Master key rotation
+- Framework integration examples (Django, Flask, FastAPI)
+- Comprehensive README and documentation
+
+### Security
+- Master key never printed by default
+- Temp files cleaned up on interruption
+- Scrypt parameters in envelope (not environment-dependent)
+- Error messages don't leak secrets
+
+[Unreleased]: https://github.com/erhan/kilit/compare/v0.1.0...HEAD
+[0.1.0]: https://github.com/erhan/kilit/releases/tag/v0.1.0

kilit-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Erhan BÜTE
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

kilit-0.1.0/MANIFEST.in

@@ -0,0 +1,33 @@
+# Include essential files
+include README.md
+include LICENSE
+include CHANGELOG.md
+include pyproject.toml
+
+# Include source code
+recursive-include src/kilit *.py
+
+# Exclude unwanted files
+global-exclude *.pyc
+global-exclude *.pyo
+global-exclude *.pyd
+global-exclude __pycache__
+global-exclude .DS_Store
+global-exclude .git*
+global-exclude .pytest_cache
+global-exclude .ruff_cache
+global-exclude *.egg-info
+global-exclude .coverage
+global-exclude htmlcov
+global-exclude dist
+global-exclude build
+global-exclude .venv
+global-exclude venv
+global-exclude ENV
+global-exclude __MACOSX
+
+# Exclude development files
+exclude .gitignore
+exclude PUBLISHING.md
+recursive-exclude examples *
+recursive-exclude .github *

kilit-0.1.0/PKG-INFO

@@ -0,0 +1,221 @@
+Metadata-Version: 2.4
+Name: kilit
+Version: 0.1.0
+Summary: Encrypted secrets management for Python, inspired by Rails credentials
+Project-URL: Homepage, https://github.com/erhan/kilit
+Project-URL: Documentation, https://github.com/erhan/kilit#readme
+Project-URL: Repository, https://github.com/erhan/kilit
+Project-URL: Issues, https://github.com/erhan/kilit/issues
+Author-email: Erhan Büte <erhan@hey.com>
+License: MIT
+License-File: LICENSE
+Keywords: configuration,credentials,encryption,secrets,security
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.10
+Requires-Dist: cryptography>=41.0.0
+Requires-Dist: typer>=0.9.0
+Provides-Extra: dev
+Requires-Dist: hypothesis>=6.82.0; extra == 'dev'
+Requires-Dist: pytest-cov>=4.1.0; extra == 'dev'
+Requires-Dist: pytest>=7.4.0; extra == 'dev'
+Requires-Dist: ruff>=0.1.0; extra == 'dev'
+Provides-Extra: yaml
+Requires-Dist: pyyaml>=6.0; extra == 'yaml'
+Description-Content-Type: text/markdown
+
+# Kilit 🔐
+
+Encrypted secrets management for Python, inspired by Rails credentials.
+
+Store API keys, database passwords, and sensitive config in version control safely.
+
+## Features
+
+- 🔒 AES-256-GCM encryption with Scrypt KDF
+- 📝 Edit secrets in your editor with auto-encryption
+- 🔑 Multiple master key sources (file, env var, CLI)
+- 📦 JSON and YAML support
+- 🔄 Key rotation
+- 🧵 Thread-safe runtime API
+- 🌍 Cross-platform
+
+## Installation
+
+```bash
+pip install kilit
+pip install kilit[yaml]  # With YAML support
+```
+
+## Quick Start
+
+```bash
+# Initialize
+kilit init
+
+# Edit secrets
+kilit edit
+```
+
+```json
+{
+  "database": {"host": "localhost", "password": "secret123"},
+  "api": {"key": "sk_live_abc123"}
+}
+```
+
+```python
+# Use in your app
+from kilit import Credentials
+
+creds = Credentials("config/credentials.json.enc")
+db_password = creds.get("database.password")
+api_key = creds.require("api.key")  # Raises if missing
+```
+
+## CLI Commands
+
+```bash
+kilit init                        # Initialize
+kilit init --format yaml          # Use YAML
+kilit init --print-master-key     # Print key for CI/CD
+
+kilit edit                        # Edit in $EDITOR
+kilit show                        # Display secrets
+kilit show --redact               # Show structure only
+
+eval $(kilit export)              # Export as env vars
+kilit export --prefix MYAPP_      # With prefix
+
+kilit rotate --write-new-master-key config/master.key  # Rotate key
+```
+
+## Runtime API
+
+```python
+from kilit import Credentials
+
+creds = Credentials("config/credentials.json.enc")
+
+# Dotted path access
+db_host = creds.get("database.host")
+timeout = creds.get("api.timeout", 30)  # With default
+secret = creds.require("api.key")       # Raises if missing
+
+# Reload
+creds.reload()
+```
+
+Thread-safe for concurrent access.
+
+## Master Key Management
+
+**Priority:** CLI arg > `KILIT_MASTER_KEY` env var > `--master-key-path` > `config/master.key`
+
+**Development:**
+```bash
+echo "config/master.key" >> .gitignore
+```
+
+**Production:**
+```bash
+export KILIT_MASTER_KEY="<your-key>"
+```
+
+**CI/CD:**
+```yaml
+env:
+  KILIT_MASTER_KEY: ${{ secrets.KILIT_MASTER_KEY }}
+run: eval $(kilit export) && python app.py
+```
+
+## Security
+
+- **Encryption:** AES-256-GCM with Scrypt KDF
+- **Salt:** Unique per file (forward secrecy)
+- **Authentication:** Tampering detection via GCM
+
+**Protection:** Encrypted files safe in git. Secrets protected without master key. Scrypt makes brute-force expensive.
+
+**Master key:** Single point of trust. Store securely (password manager, vault, env vars). Rotate if compromised.
+
+**Runtime:** Secrets exist in memory during use. Follow secure coding practices.
+
+**Permissions:** Unix systems auto-set 0600 on master key files.
+
+## Configuration
+
+**Scrypt (affects NEW encryptions only):**
+```bash
+export KILIT_SCRYPT_N=32768  # CPU/memory cost (default: 16384)
+export KILIT_SCRYPT_R=8      # Block size (default: 8)
+export KILIT_SCRYPT_P=1      # Parallelization (default: 1)
+```
+
+**Format:** Auto-detected from extension (`.json`, `.yaml`, `.yml`). Override: `--format yaml`
+
+## Examples
+
+See [examples/](examples/) for Django, Flask, and FastAPI integration.
+
+## FAQ
+
+**Why not env vars?** Lack structure, encryption at rest, easy to expose. Kilit provides both.
+
+**Lost master key?** No recovery by design. Store in multiple secure locations.
+
+**Multiple files?** Yes: `Credentials("config/prod.json.enc")`
+
+## Development
+
+```bash
+git clone https://github.com/erhan/kilit.git
+cd kilit
+uv venv && source .venv/bin/activate
+uv pip install -e ".[dev,yaml]"
+
+uv run pytest --cov=kilit
+uv run ruff check .
+```
+
+**Coverage:** Goal 85%+, CI enforces 60% minimum.
+
+## Tasks
+
+- [ ] Increase test coverage to 85%+
+- [ ] Add more integration tests
+- [ ] Improve CLI test coverage
+
+## Contributing
+
+Contributions are welcome!
+
+1. Fork the repository
+2. Create a feature branch: `git checkout -b feature/amazing-feature`
+3. Make your changes
+4. Add tests for new functionality
+5. Run tests: `pytest --cov=kilit`
+6. Lint code: `ruff check . && ruff format .`
+7. Commit: `git commit -m 'Add amazing feature'`
+8. Push: `git push origin feature/amazing-feature`
+9. Open a Pull Request
+
+## Credits
+
+Inspired by Rails credentials. Built with [cryptography](https://cryptography.io/) and [typer](https://typer.tiangolo.com/).
+
+Special thanks to Kiro AI. 🤖✨
+
+## License
+
+Copyright (c) 2026 Erhan Büte  
+Licensed under the MIT License.