photovault 0.2.0__tar.gz

photovault-0.2.0/PKG-INFO

@@ -0,0 +1,65 @@
+Metadata-Version: 2.4
+Name: photovault
+Version: 0.2.0
+Summary: Zero-knowledge photo backup scanner: encrypt photos to your PGP key and ship them to your Photovault server.
+Author-email: Jakob Holst <lyngknuden@gmail.com>
+License: MIT
+Project-URL: Homepage, https://photovault.traeck.it/
+Project-URL: Source, https://bitbucket.org/team-nine/photovault
+Project-URL: Bug Reports, https://bitbucket.org/team-nine/photovault/issues
+Keywords: photos,backup,pgp,encryption,icloud,scanner
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Environment :: MacOS X
+Classifier: Intended Audience :: End Users/Desktop
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: MacOS :: MacOS X
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Operating System :: Microsoft :: Windows
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Topic :: Multimedia :: Graphics
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: System :: Archiving :: Backup
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: httpx>=0.27
+Requires-Dist: Pillow>=10.0
+Requires-Dist: pillow-heif>=0.16
+Requires-Dist: python-gnupg>=0.5.2
+Requires-Dist: platformdirs>=4.0
+Requires-Dist: keyring>=24.0
+Requires-Dist: pyicloud>=1.0
+Requires-Dist: paramiko>=3.4
+Requires-Dist: osxphotos>=0.69; sys_platform == "darwin"
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+
+# photovault-scanner
+
+Cross-platform CLI that scans a computer for photos and uploads them to your
+Photovault, encrypted client-side to your PGP public key.
+
+Works on macOS, Linux, and Windows. Mac is the primary target.
+
+## Install
+
+    pipx install ./clients/scanner
+
+## Usage
+
+    photovault login --server https://vault.example.com
+    photovault status
+    photovault scan ~/Pictures
+    photovault scan --dry-run ~/Pictures ~/Downloads
+
+The CLI fetches your registered PGP public key from the server and encrypts
+each photo and its thumbnail locally before upload. The server only ever
+sees ciphertext.
+
+You must register a public key via the web UI (`/keygen/`) before scanning.

photovault-0.2.0/README.md

@@ -0,0 +1,23 @@
+# photovault-scanner
+
+Cross-platform CLI that scans a computer for photos and uploads them to your
+Photovault, encrypted client-side to your PGP public key.
+
+Works on macOS, Linux, and Windows. Mac is the primary target.
+
+## Install
+
+    pipx install ./clients/scanner
+
+## Usage
+
+    photovault login --server https://vault.example.com
+    photovault status
+    photovault scan ~/Pictures
+    photovault scan --dry-run ~/Pictures ~/Downloads
+
+The CLI fetches your registered PGP public key from the server and encrypts
+each photo and its thumbnail locally before upload. The server only ever
+sees ciphertext.
+
+You must register a public key via the web UI (`/keygen/`) before scanning.

photovault-0.2.0/photovault.egg-info/PKG-INFO

@@ -0,0 +1,65 @@
+Metadata-Version: 2.4
+Name: photovault
+Version: 0.2.0
+Summary: Zero-knowledge photo backup scanner: encrypt photos to your PGP key and ship them to your Photovault server.
+Author-email: Jakob Holst <lyngknuden@gmail.com>
+License: MIT
+Project-URL: Homepage, https://photovault.traeck.it/
+Project-URL: Source, https://bitbucket.org/team-nine/photovault
+Project-URL: Bug Reports, https://bitbucket.org/team-nine/photovault/issues
+Keywords: photos,backup,pgp,encryption,icloud,scanner
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Environment :: MacOS X
+Classifier: Intended Audience :: End Users/Desktop
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: MacOS :: MacOS X
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Operating System :: Microsoft :: Windows
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Topic :: Multimedia :: Graphics
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: System :: Archiving :: Backup
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: httpx>=0.27
+Requires-Dist: Pillow>=10.0
+Requires-Dist: pillow-heif>=0.16
+Requires-Dist: python-gnupg>=0.5.2
+Requires-Dist: platformdirs>=4.0
+Requires-Dist: keyring>=24.0
+Requires-Dist: pyicloud>=1.0
+Requires-Dist: paramiko>=3.4
+Requires-Dist: osxphotos>=0.69; sys_platform == "darwin"
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+
+# photovault-scanner
+
+Cross-platform CLI that scans a computer for photos and uploads them to your
+Photovault, encrypted client-side to your PGP public key.
+
+Works on macOS, Linux, and Windows. Mac is the primary target.
+
+## Install
+
+    pipx install ./clients/scanner
+
+## Usage
+
+    photovault login --server https://vault.example.com
+    photovault status
+    photovault scan ~/Pictures
+    photovault scan --dry-run ~/Pictures ~/Downloads
+
+The CLI fetches your registered PGP public key from the server and encrypts
+each photo and its thumbnail locally before upload. The server only ever
+sees ciphertext.
+
+You must register a public key via the web UI (`/keygen/`) before scanning.

photovault-0.2.0/photovault.egg-info/SOURCES.txt

@@ -0,0 +1,22 @@
+README.md
+pyproject.toml
+photovault.egg-info/PKG-INFO
+photovault.egg-info/SOURCES.txt
+photovault.egg-info/dependency_links.txt
+photovault.egg-info/entry_points.txt
+photovault.egg-info/requires.txt
+photovault.egg-info/top_level.txt
+photovault_scanner/__init__.py
+photovault_scanner/__main__.py
+photovault_scanner/cache.py
+photovault_scanner/cli.py
+photovault_scanner/client.py
+photovault_scanner/config.py
+photovault_scanner/crypto.py
+photovault_scanner/gui.py
+photovault_scanner/hetzner_storagebox.py
+photovault_scanner/icloud_direct.py
+photovault_scanner/imaging.py
+photovault_scanner/macos_photos.py
+photovault_scanner/scanner.py
+photovault_scanner/uploader.py

photovault-0.2.0/photovault.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

photovault-0.2.0/photovault.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+photovault = photovault_scanner.cli:main

photovault-0.2.0/photovault.egg-info/requires.txt

@@ -0,0 +1,14 @@
+httpx>=0.27
+Pillow>=10.0
+pillow-heif>=0.16
+python-gnupg>=0.5.2
+platformdirs>=4.0
+keyring>=24.0
+pyicloud>=1.0
+paramiko>=3.4
+
+[:sys_platform == "darwin"]
+osxphotos>=0.69
+
+[dev]
+pytest>=8.0

photovault-0.2.0/photovault.egg-info/top_level.txt

@@ -0,0 +1 @@
+photovault_scanner

photovault-0.2.0/photovault_scanner/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.1.0"

photovault-0.2.0/photovault_scanner/__main__.py

@@ -0,0 +1,4 @@
+from .cli import main
+
+if __name__ == "__main__":
+    raise SystemExit(main())

photovault-0.2.0/photovault_scanner/cache.py

@@ -0,0 +1,45 @@
+import sqlite3
+from pathlib import Path
+from typing import Optional
+
+
+SCHEMA = """
+CREATE TABLE IF NOT EXISTS hashes (
+    path TEXT PRIMARY KEY,
+    mtime REAL NOT NULL,
+    size INTEGER NOT NULL,
+    sha256 TEXT NOT NULL
+);
+CREATE INDEX IF NOT EXISTS hashes_sha256 ON hashes(sha256);
+"""
+
+
+class HashCache:
+    def __init__(self, db_path: Path):
+        db_path.parent.mkdir(parents=True, exist_ok=True)
+        self.conn = sqlite3.connect(str(db_path))
+        self.conn.executescript(SCHEMA)
+        self.conn.commit()
+
+    def lookup(self, path: str, mtime: float, size: int) -> Optional[str]:
+        cur = self.conn.execute(
+            "SELECT mtime, size, sha256 FROM hashes WHERE path = ?",
+            (path,),
+        )
+        row = cur.fetchone()
+        if row is None:
+            return None
+        cached_mtime, cached_size, sha = row
+        if abs(cached_mtime - mtime) < 1e-3 and cached_size == size:
+            return sha
+        return None
+
+    def remember(self, path: str, mtime: float, size: int, sha256: str) -> None:
+        self.conn.execute(
+            "INSERT OR REPLACE INTO hashes(path, mtime, size, sha256) VALUES (?, ?, ?, ?)",
+            (path, mtime, size, sha256),
+        )
+        self.conn.commit()
+
+    def close(self) -> None:
+        self.conn.close()

photovault-0.2.0/photovault_scanner/cli.py

@@ -0,0 +1,376 @@
+import argparse
+import getpass
+import sys
+from pathlib import Path
+from typing import Sequence
+
+from . import __version__
+from .cache import HashCache
+from .client import PhotovaultClient
+from .config import Config, cache_db_path, config_path
+from .crypto import PGPEncryptor
+from .uploader import process_candidate_stream, scan_filesystem_and_upload
+
+
+def _print(msg: str) -> None:
+    print(msg, flush=True)
+
+
+def cmd_login(args: argparse.Namespace) -> int:
+    config = Config.load()
+    server = args.server or config.server
+    if not server:
+        _print("error: --server URL is required on first login")
+        return 2
+    username = args.username or input("Username: ").strip()
+    password = args.password or getpass.getpass("Password: ")
+
+    with PhotovaultClient(server) as client:
+        try:
+            token = client.login(username, password)
+        except Exception as e:
+            _print(f"login failed: {e}")
+            return 1
+        config.server = server
+        config.username = username
+        config.token = token
+
+        profile = client.get_public_key()
+        if profile:
+            config.public_key_armored = profile["public_key_armored"]
+            config.pgp_fingerprint = profile["pgp_fingerprint"]
+        else:
+            config.public_key_armored = ""
+            config.pgp_fingerprint = ""
+
+    config.save()
+    _print(f"logged in as {username} @ {server}")
+    _print(f"config: {config_path()}")
+    if not config.pgp_fingerprint:
+        _print("warning: no public key registered. Open the web UI and generate one.")
+    else:
+        _print(f"public key: {config.pgp_fingerprint}")
+    return 0
+
+
+def cmd_status(args: argparse.Namespace) -> int:
+    config = Config.load()
+    if not config.token:
+        _print("not logged in")
+        return 0
+    _print(f"server:      {config.server}")
+    _print(f"user:        {config.username}")
+    _print(f"fingerprint: {config.pgp_fingerprint or '(none registered)'}")
+    _print(f"config:      {config_path()}")
+    _print(f"hash cache:  {cache_db_path()}")
+
+    if args.refresh:
+        with PhotovaultClient(config.server, token=config.token) as client:
+            profile = client.get_public_key()
+        if profile:
+            if profile["pgp_fingerprint"] != config.pgp_fingerprint:
+                _print(
+                    f"public key changed on server: {config.pgp_fingerprint} -> {profile['pgp_fingerprint']}"
+                )
+            config.public_key_armored = profile["public_key_armored"]
+            config.pgp_fingerprint = profile["pgp_fingerprint"]
+            config.save()
+            _print("refreshed public key from server")
+        else:
+            _print("no public key registered on server")
+    return 0
+
+
+def cmd_scan(args: argparse.Namespace) -> int:
+    config = Config.load()
+    config.require_login()
+    config.require_public_key()
+
+    encryptor = PGPEncryptor(config.public_key_armored)
+    if encryptor.fingerprint != config.pgp_fingerprint:
+        _print(
+            f"warning: cached fingerprint {config.pgp_fingerprint} disagrees with key blob {encryptor.fingerprint}"
+        )
+
+    paths = [Path(p).expanduser().resolve() for p in args.paths]
+    for p in paths:
+        if not p.exists():
+            _print(f"warning: {p} does not exist")
+
+    cache = HashCache(cache_db_path())
+    try:
+        with PhotovaultClient(config.server, token=config.token) as client:
+            stats = scan_filesystem_and_upload(
+                paths,
+                client=client,
+                encryptor=encryptor,
+                cache=cache,
+                dry_run=args.dry_run,
+                reporter=_print if args.verbose else None,
+                workers=args.workers,
+            )
+    finally:
+        cache.close()
+
+    _print("")
+    _print(f"seen:               {stats.seen}")
+    _print(f"skipped (existing): {stats.skipped_existing}")
+    _print(f"skipped (unread):   {stats.skipped_unreadable}")
+    _print(f"uploaded:           {stats.uploaded}{' (dry run)' if args.dry_run else ''}")
+    _print(f"failed:             {stats.failed}")
+    return 0 if stats.failed == 0 else 1
+
+
+def cmd_scan_photos(args: argparse.Namespace) -> int:
+    if sys.platform != "darwin":
+        _print("scan-photos only works on macOS (it reads the system Photos library).")
+        return 2
+
+    from . import macos_photos
+
+    config = Config.load()
+    config.require_login()
+    config.require_public_key()
+
+    encryptor = PGPEncryptor(config.public_key_armored)
+    if encryptor.fingerprint != config.pgp_fingerprint:
+        _print(
+            f"warning: cached fingerprint {config.pgp_fingerprint} disagrees with key blob {encryptor.fingerprint}"
+        )
+
+    library = Path(args.library).expanduser().resolve() if args.library else None
+    cache = HashCache(cache_db_path())
+
+    try:
+        with PhotovaultClient(config.server, token=config.token) as client:
+            reporter = _print if args.verbose else None
+            candidates = macos_photos.iter_candidates(
+                cache,
+                library=library,
+                include_hidden=args.include_hidden,
+                include_trashed=args.include_trashed,
+                include_shared=args.include_shared,
+                download_missing=args.download_missing,
+                reporter=reporter,
+            )
+            stats = process_candidate_stream(
+                candidates,
+                client=client,
+                encryptor=encryptor,
+                dry_run=args.dry_run,
+                reporter=reporter,
+                workers=args.workers,
+            )
+    finally:
+        cache.close()
+
+    source_stats = getattr(macos_photos.iter_candidates, "stats", None)
+
+    _print("")
+    if source_stats is not None:
+        _print(f"in library:         {source_stats.total_in_library}")
+        if source_stats.not_downloaded:
+            _print(f"icloud-only:        {source_stats.not_downloaded} (rerun with --download-missing)")
+        if source_stats.skipped_hidden:
+            _print(f"hidden:             {source_stats.skipped_hidden}")
+        if source_stats.skipped_trashed:
+            _print(f"trashed:            {source_stats.skipped_trashed}")
+        if source_stats.skipped_shared:
+            _print(f"shared:             {source_stats.skipped_shared}")
+        if source_stats.skipped_unsupported:
+            _print(f"unsupported fmt:    {source_stats.skipped_unsupported}")
+        if source_stats.skipped_no_path:
+            _print(f"no on-disk path:    {source_stats.skipped_no_path}")
+        if source_stats.skipped_unreadable:
+            _print(f"unreadable:         {source_stats.skipped_unreadable}")
+    _print(f"considered:         {stats.seen}")
+    _print(f"skipped (existing): {stats.skipped_existing}")
+    _print(f"uploaded:           {stats.uploaded}{' (dry run)' if args.dry_run else ''}")
+    _print(f"failed:             {stats.failed}")
+    return 0 if stats.failed == 0 else 1
+
+
+def cmd_scan_storagebox(args: argparse.Namespace) -> int:
+    from . import hetzner_storagebox
+
+    config = Config.load()
+    config.require_login()
+    config.require_public_key()
+
+    host = args.host or config.sb_host
+    user = args.user or config.sb_user
+    port = args.port or config.sb_port or 23
+    root = args.path or config.sb_root or "."
+    if not host or not user:
+        _print("error: --host and --user are required (or run 'photovault gui' and use Configure Storage Box).")
+        return 2
+
+    password = hetzner_storagebox.load_password(host, user)
+    if not password:
+        password = getpass.getpass(f"Password for {user}@{host}: ")
+        if not password:
+            _print("aborted")
+            return 1
+        if args.save_password:
+            hetzner_storagebox.save_password(host, user, password)
+
+    config.sb_host = host
+    config.sb_user = user
+    config.sb_port = port
+    config.sb_root = root
+    config.save()
+
+    encryptor = PGPEncryptor(config.public_key_armored)
+    cache = HashCache(cache_db_path())
+    try:
+        with PhotovaultClient(config.server, token=config.token) as client:
+            reporter = _print if args.verbose else None
+            candidates = hetzner_storagebox.iter_candidates(
+                cache,
+                host=host,
+                user=user,
+                password=password,
+                port=port,
+                root=root,
+                include_hidden=args.include_hidden,
+                reporter=reporter,
+            )
+            stats = process_candidate_stream(
+                candidates,
+                client=client,
+                encryptor=encryptor,
+                dry_run=args.dry_run,
+                reporter=reporter,
+                workers=args.workers,
+            )
+    finally:
+        cache.close()
+
+    source_stats = getattr(hetzner_storagebox.iter_candidates, "stats", None)
+    _print("")
+    if source_stats is not None:
+        _print(f"directories walked: {source_stats.visited_dirs}")
+        _print(f"files discovered:   {source_stats.total_files}")
+        if source_stats.skipped_hidden:
+            _print(f"skipped hidden:     {source_stats.skipped_hidden}")
+        if source_stats.skipped_unsupported:
+            _print(f"unsupported fmt:    {source_stats.skipped_unsupported}")
+        if source_stats.skipped_download_failed:
+            _print(f"download failed:    {source_stats.skipped_download_failed}")
+        if source_stats.skipped_unreadable:
+            _print(f"unreadable:         {source_stats.skipped_unreadable}")
+    _print(f"considered:         {stats.seen}")
+    _print(f"skipped (existing): {stats.skipped_existing}")
+    _print(f"uploaded:           {stats.uploaded}{' (dry run)' if args.dry_run else ''}")
+    _print(f"failed:             {stats.failed}")
+    return 0 if stats.failed == 0 else 1
+
+
+def cmd_gui(args: argparse.Namespace) -> int:
+    from . import gui
+
+    return gui.run()
+
+
+def cmd_logout(args: argparse.Namespace) -> int:
+    config = Config.load()
+    config.token = ""
+    config.public_key_armored = ""
+    config.save()
+    _print("logged out (server, username, fingerprint kept for convenience)")
+    return 0
+
+
+def build_parser() -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(
+        prog="photovault",
+        description="Scan a computer and back up photos to Photovault, encrypted client-side.",
+    )
+    parser.add_argument("--version", action="version", version=f"%(prog)s {__version__}")
+    sub = parser.add_subparsers(dest="cmd", required=True)
+
+    p_login = sub.add_parser("login", help="Log in to a Photovault server")
+    p_login.add_argument("--server", help="Server URL (e.g. https://vault.example.com)")
+    p_login.add_argument("--username")
+    p_login.add_argument("--password")
+    p_login.set_defaults(func=cmd_login)
+
+    p_status = sub.add_parser("status", help="Show current login and public key")
+    p_status.add_argument("--refresh", action="store_true", help="Refetch public key from server")
+    p_status.set_defaults(func=cmd_status)
+
+    p_scan = sub.add_parser("scan", help="Scan one or more directories and upload new photos")
+    p_scan.add_argument("paths", nargs="+", help="Directories or files to scan")
+    p_scan.add_argument("--dry-run", action="store_true", help="Report what would be uploaded; don't upload")
+    p_scan.add_argument("-v", "--verbose", action="store_true", help="Per-file logging")
+    p_scan.add_argument(
+        "-w",
+        "--workers",
+        type=int,
+        default=4,
+        help="Parallel encrypt+upload workers (default: 4)",
+    )
+    p_scan.set_defaults(func=cmd_scan)
+
+    p_photos = sub.add_parser(
+        "scan-photos",
+        help="(macOS) Scan the system Photos.app library and upload new photos",
+        description=(
+            "Iterate every photo Apple's Photos.app knows about (including iCloud) and "
+            "upload originals that aren't already in your vault. The terminal app needs "
+            "'Full Disk Access' or 'Photos' permission in System Settings -> Privacy & "
+            "Security to read the library."
+        ),
+    )
+    p_photos.add_argument("--library", help="Path to a .photoslibrary (defaults to the system library)")
+    p_photos.add_argument(
+        "--download-missing",
+        action="store_true",
+        help="Pull originals from iCloud if not yet on disk (uses PhotoKit; slower).",
+    )
+    p_photos.add_argument("--include-hidden", action="store_true", help="Include hidden photos")
+    p_photos.add_argument("--include-trashed", action="store_true", help="Include recently-deleted photos")
+    p_photos.add_argument("--include-shared", action="store_true", help="Include shared-album photos")
+    p_photos.add_argument("--dry-run", action="store_true", help="Report what would be uploaded; don't upload")
+    p_photos.add_argument("-v", "--verbose", action="store_true", help="Per-file logging")
+    p_photos.add_argument(
+        "-w",
+        "--workers",
+        type=int,
+        default=4,
+        help="Parallel encrypt+upload workers (default: 4)",
+    )
+    p_photos.set_defaults(func=cmd_scan_photos)
+
+    p_sb = sub.add_parser(
+        "scan-storagebox",
+        help="Scan a Hetzner Storage Box over SFTP and upload new photos",
+    )
+    p_sb.add_argument("--host", help="Storage Box hostname (e.g. u123456.your-storagebox.de)")
+    p_sb.add_argument("--user", help="Storage Box username (e.g. u123456)")
+    p_sb.add_argument("--port", type=int, help="SSH/SFTP port (default 23)")
+    p_sb.add_argument("--path", help="Remote path to walk (default: '.')")
+    p_sb.add_argument("--include-hidden", action="store_true", help="Include dotfiles/folders")
+    p_sb.add_argument("--save-password", action="store_true", help="Save the password to the OS keychain")
+    p_sb.add_argument("--dry-run", action="store_true", help="Report what would be uploaded; don't upload")
+    p_sb.add_argument("-v", "--verbose", action="store_true", help="Per-file logging")
+    p_sb.add_argument("-w", "--workers", type=int, default=4, help="Parallel encrypt+upload workers (default 4)")
+    p_sb.set_defaults(func=cmd_scan_storagebox)
+
+    p_gui = sub.add_parser("gui", help="Open the desktop window for scanning and uploading")
+    p_gui.set_defaults(func=cmd_gui)
+
+    p_logout = sub.add_parser("logout", help="Forget the auth token")
+    p_logout.set_defaults(func=cmd_logout)
+
+    return parser
+
+
+def main(argv: Sequence[str] | None = None) -> int:
+    parser = build_parser()
+    args = parser.parse_args(argv)
+    return args.func(args)
+
+
+if __name__ == "__main__":
+    sys.exit(main())