ownlock 0.1.0__tar.gz

ownlock-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,80 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+    tags: ["v*"]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            python-version: "3.11"
+          - os: ubuntu-latest
+            python-version: "3.12"
+          - os: macos-latest
+            python-version: "3.12"
+          - os: windows-latest
+            python-version: "3.12"
+
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e .
+          pip install pytest
+
+      - name: Run tests
+        run: pytest tests/ -v --tb=short
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install build
+        run: pip install build
+
+      - name: Build package
+        run: python -m build
+
+      - name: Upload distributions
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      id-token: write
+    steps:
+      - name: Download distributions
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

ownlock-0.1.0/.gitignore

@@ -0,0 +1,24 @@
+# Vault data
+.ownlock/
+*.db
+
+.DS_Store
+# Python
+.venv/
+__pycache__/
+*.py[cod]
+*.egg-info/
+dist/
+build/
+*.egg
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo

ownlock-0.1.0/CHANGELOG.md

@@ -0,0 +1,29 @@
+# Changelog
+
+All notable changes to ownlock will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0] - 2026-02-17
+
+### Added
+
+- **CLI**: `ownlock` — lightweight secrets manager
+  - `init` — create global or project vault
+  - `set` / `get` / `list` / `delete` — manage secrets
+  - `run` — resolve `.env`, inject secrets, redact stdout
+  - `export` — print resolved KEY=VALUE pairs
+  - `import` — bulk import from plaintext `.env`
+  - `scan` — find leaked secrets in files
+- **Encryption**: AES-256-GCM, PBKDF2-HMAC-SHA256 (200K iterations)
+- **Storage**: SQLite vault at `~/.ownlock/vault.db` (global) or `.ownlock/vault.db` (project)
+- **Keyring**: macOS Keychain / GNOME Keyring for passphrase
+- **`.env` format**: `vault("key-name")` references with optional `env=` and `project=true`
+- **Redaction**: Automatically redact secret values in subprocess stdout/stderr
+- **Hardening**:
+  - Path validation (env files and scan dir must stay under cwd when relative)
+  - Secret name validation (alphanumeric, hyphen, underscore only)
+  - Scan limits (max 10K files, depth 20 by default)
+  - Clean error messages (no tracebacks for expected errors)
+  - Export value quoting for docker format

ownlock-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Ownly
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

ownlock-0.1.0/PKG-INFO

@@ -0,0 +1,96 @@
+Metadata-Version: 2.4
+Name: ownlock
+Version: 0.1.0
+Summary: Lightweight secrets manager — encrypted vault, env injection, stdout redaction. No Docker, no server, no account.
+Project-URL: Repository, https://github.com/thebscolaro/ownlock
+Author: Ownly
+License-Expression: MIT
+License-File: LICENSE
+Keywords: cli,encryption,env,secrets,vault
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Build Tools
+Requires-Python: >=3.11
+Requires-Dist: cryptography>=44.0
+Requires-Dist: keyring>=25.0
+Requires-Dist: python-dotenv>=1.0
+Requires-Dist: rich>=13.0
+Requires-Dist: typer>=0.15.0
+Description-Content-Type: text/markdown
+
+# ownlock
+
+Lightweight secrets manager — encrypted local vault, `.env` injection, stdout redaction.
+
+No Docker. No server. No account. Just `pip install ownlock`.
+
+## Quick start
+
+```bash
+pip install ownlock
+
+# Create a vault (passphrase saved to system keyring)
+ownlock init
+
+# Store secrets
+ownlock set anthropic-api-key
+> Enter value: ****
+
+# In your .env, use vault() instead of plain values:
+# ANTHROPIC_API_KEY=vault("anthropic-api-key")
+
+# Run commands with secrets injected and stdout redacted
+ownlock run -- python app.py
+```
+
+## .env format
+
+Plain values pass through unchanged. Secrets stay in the vault and are resolved at runtime:
+
+```bash
+# Non-sensitive config (stored as plain text)
+OLLAMA_BASE_URL=http://localhost:11434
+DEFAULT_WORKER_MODEL=anthropic:claude-opus-4-6
+
+# Secrets (resolved from vault at runtime)
+ANTHROPIC_API_KEY=vault("anthropic-api-key")
+OPENAI_API_KEY=vault("openai-api-key", env="production")
+```
+
+## Commands
+
+| Command | Description |
+|---|---|
+| `ownlock init` | Create a vault (global or `--project` local) |
+| `ownlock set KEY` | Store a secret in global vault (use `--project` for project vault) |
+| `ownlock set KEY=VALUE` | Store inline |
+| `ownlock get KEY` | Print decrypted value |
+| `ownlock list` | Show secret names (never values) |
+| `ownlock delete KEY` | Remove a secret |
+| `ownlock run -- CMD` | Resolve `.env`, inject secrets, redact stdout |
+| `ownlock export` | Print resolved `KEY=VALUE` pairs |
+| `ownlock import .env` | Bulk import from plaintext `.env` |
+| `ownlock scan .` | Scan files for leaked secret values |
+
+Add `--project` to any command to use the project vault (`.ownlock/vault.db`) instead of the global vault.
+
+## How it works
+
+- Secrets are encrypted with **AES-256-GCM** and stored in a local SQLite database
+- Key derivation: PBKDF2-HMAC-SHA256 with 200,000 iterations
+- Vault passphrase stored in your system keyring (macOS Keychain, GNOME Keyring, etc.)
+- `ownlock run` resolves `vault()` references, injects env vars into the subprocess, and redacts any secret values that appear in stdout/stderr
+- Zero network calls. Everything is local.
+
+## Storage
+
+- **Global vault**: `~/.ownlock/vault.db` — default for all commands
+- **Project vault**: `.ownlock/vault.db` — use `--project` flag
+
+## License
+
+MIT

ownlock-0.1.0/README.md

@@ -0,0 +1,72 @@
+# ownlock
+
+Lightweight secrets manager — encrypted local vault, `.env` injection, stdout redaction.
+
+No Docker. No server. No account. Just `pip install ownlock`.
+
+## Quick start
+
+```bash
+pip install ownlock
+
+# Create a vault (passphrase saved to system keyring)
+ownlock init
+
+# Store secrets
+ownlock set anthropic-api-key
+> Enter value: ****
+
+# In your .env, use vault() instead of plain values:
+# ANTHROPIC_API_KEY=vault("anthropic-api-key")
+
+# Run commands with secrets injected and stdout redacted
+ownlock run -- python app.py
+```
+
+## .env format
+
+Plain values pass through unchanged. Secrets stay in the vault and are resolved at runtime:
+
+```bash
+# Non-sensitive config (stored as plain text)
+OLLAMA_BASE_URL=http://localhost:11434
+DEFAULT_WORKER_MODEL=anthropic:claude-opus-4-6
+
+# Secrets (resolved from vault at runtime)
+ANTHROPIC_API_KEY=vault("anthropic-api-key")
+OPENAI_API_KEY=vault("openai-api-key", env="production")
+```
+
+## Commands
+
+| Command | Description |
+|---|---|
+| `ownlock init` | Create a vault (global or `--project` local) |
+| `ownlock set KEY` | Store a secret in global vault (use `--project` for project vault) |
+| `ownlock set KEY=VALUE` | Store inline |
+| `ownlock get KEY` | Print decrypted value |
+| `ownlock list` | Show secret names (never values) |
+| `ownlock delete KEY` | Remove a secret |
+| `ownlock run -- CMD` | Resolve `.env`, inject secrets, redact stdout |
+| `ownlock export` | Print resolved `KEY=VALUE` pairs |
+| `ownlock import .env` | Bulk import from plaintext `.env` |
+| `ownlock scan .` | Scan files for leaked secret values |
+
+Add `--project` to any command to use the project vault (`.ownlock/vault.db`) instead of the global vault.
+
+## How it works
+
+- Secrets are encrypted with **AES-256-GCM** and stored in a local SQLite database
+- Key derivation: PBKDF2-HMAC-SHA256 with 200,000 iterations
+- Vault passphrase stored in your system keyring (macOS Keychain, GNOME Keyring, etc.)
+- `ownlock run` resolves `vault()` references, injects env vars into the subprocess, and redacts any secret values that appear in stdout/stderr
+- Zero network calls. Everything is local.
+
+## Storage
+
+- **Global vault**: `~/.ownlock/vault.db` — default for all commands
+- **Project vault**: `.ownlock/vault.db` — use `--project` flag
+
+## License
+
+MIT

ownlock-0.1.0/SECURITY.md

@@ -0,0 +1,25 @@
+# Security
+
+## Reporting vulnerabilities
+
+If you discover a security vulnerability in ownlock, please report it responsibly:
+
+1. **Do not** open a public GitHub issue.
+2. Email the maintainers or open a [private security advisory](https://github.com/thebscolaro/ownlock/security/advisories/new) on GitHub.
+3. Include a description of the vulnerability, steps to reproduce, and any suggested fixes.
+4. We will respond promptly and work with you to address the issue.
+
+## Security model
+
+- **Encryption**: Secrets are encrypted with AES-256-GCM before storage. Key derivation uses PBKDF2-HMAC-SHA256 with 200,000 iterations.
+- **Passphrase**: Stored in the system keyring (macOS Keychain, GNOME Keyring) when possible. Can also be provided via `OWNLOCK_PASSPHRASE` or interactively.
+- **No network**: ownlock never makes network requests. All data stays local.
+- **Path safety**: Relative paths for `.env` files and scan directories are validated to stay within the current directory.
+- **Subprocess**: `ownlock run` passes the command as a list to the OS exec APIs. No shell interpretation. Secrets are injected as environment variables.
+- **Redaction**: Known secret values are replaced with `[REDACTED:NAME]` in subprocess stdout/stderr.
+
+## Known limitations
+
+- Decrypted secrets exist in process memory while commands run.
+- Environment variables are visible to child processes and can appear in process listings.
+- The system keyring can be accessed by other applications running as the same user.

ownlock-0.1.0/ownlock/__init__.py

@@ -0,0 +1,3 @@
+"""ownlock — lightweight secrets manager."""
+
+__version__ = "0.1.0"