secry 1.1.6__tar.gz

secry-1.1.6/PKG-INFO

@@ -0,0 +1,95 @@
+Metadata-Version: 2.4
+Name: secry
+Version: 1.1.6
+Summary: AES-256-GCM token encryption — interoperable with Node.js secry
+License: MIT
+Project-URL: Homepage, https://github.com/rushpym-dotcom/secry
+Keywords: encryption,aes-256-gcm,crypto,token
+Requires-Python: >=3.6
+Description-Content-Type: text/markdown
+
+# secry
+
+AES-256-GCM token encryption for Python. Zero dependencies. Tokens are fully interoperable with the [Node.js secry package](https://www.npmjs.com/package/secry).
+
+```sh
+pip install secry
+```
+
+---
+
+## Usage
+
+```python
+import secry
+
+token = secry.encrypt("my secret", "mypassword")
+text  = secry.decrypt(token, "mypassword")
+ok    = secry.verify(token, "mypassword")
+fp    = secry.fingerprint("hello", "secret")
+pw    = secry.generate(32)
+meta  = secry.inspect(token)
+```
+
+## Compact mode
+
+Use `compact=True` to get shorter tokens with the `sec:` prefix:
+
+```python
+token = secry.encrypt("my secret", "mypassword", compact=True)
+# → sec:v2:...  (shorter token)
+
+# decrypt works the same way — prefix is detected automatically
+text = secry.decrypt(token, "mypassword")
+```
+
+## Expiry
+
+```python
+token = secry.encrypt("temporary", "mypassword", expires="1h")
+token = secry.encrypt("temporary", "mypassword", expires="30m")
+token = secry.encrypt("temporary", "mypassword", expires="7d")
+```
+
+## Token prefixes
+
+```
+secry:v1:   AES-256-GCM        (full)
+secry:v2:   ChaCha20-Poly1305  (full)
+secry:v3:   AES-256-CBC        (full)
+
+sec:v1:     AES-256-GCM        (compact)
+sec:v2:     ChaCha20-Poly1305  (compact)
+sec:v3:     AES-256-CBC        (compact)
+
+rwn64:v*:   legacy — still accepted by decrypt/verify/inspect
+```
+
+## Inspect
+
+```python
+meta = secry.inspect(token)
+# {
+#   "prefix": "secry:v2:",
+#   "version": "v2",
+#   "algo": "ChaCha20-Poly1305",
+#   "compact": False,
+#   "legacy": False,
+#   "kdf": "scrypt (N=16384,r=8,p=1)",
+#   "salt_hex": "...",
+#   "nonce_hex": "...",
+#   "payload_bytes": 64
+# }
+```
+
+## Security
+
+- AES-256-GCM / ChaCha20-Poly1305 authenticated encryption
+- scrypt key derivation (N=16384, r=8, p=1)
+- Random salt + nonce per token
+- Auth tag detects tampering before decryption
+- Zero external dependencies
+
+## License
+
+MIT

secry-1.1.6/README.md

@@ -0,0 +1,85 @@
+# secry
+
+AES-256-GCM token encryption for Python. Zero dependencies. Tokens are fully interoperable with the [Node.js secry package](https://www.npmjs.com/package/secry).
+
+```sh
+pip install secry
+```
+
+---
+
+## Usage
+
+```python
+import secry
+
+token = secry.encrypt("my secret", "mypassword")
+text  = secry.decrypt(token, "mypassword")
+ok    = secry.verify(token, "mypassword")
+fp    = secry.fingerprint("hello", "secret")
+pw    = secry.generate(32)
+meta  = secry.inspect(token)
+```
+
+## Compact mode
+
+Use `compact=True` to get shorter tokens with the `sec:` prefix:
+
+```python
+token = secry.encrypt("my secret", "mypassword", compact=True)
+# → sec:v2:...  (shorter token)
+
+# decrypt works the same way — prefix is detected automatically
+text = secry.decrypt(token, "mypassword")
+```
+
+## Expiry
+
+```python
+token = secry.encrypt("temporary", "mypassword", expires="1h")
+token = secry.encrypt("temporary", "mypassword", expires="30m")
+token = secry.encrypt("temporary", "mypassword", expires="7d")
+```
+
+## Token prefixes
+
+```
+secry:v1:   AES-256-GCM        (full)
+secry:v2:   ChaCha20-Poly1305  (full)
+secry:v3:   AES-256-CBC        (full)
+
+sec:v1:     AES-256-GCM        (compact)
+sec:v2:     ChaCha20-Poly1305  (compact)
+sec:v3:     AES-256-CBC        (compact)
+
+rwn64:v*:   legacy — still accepted by decrypt/verify/inspect
+```
+
+## Inspect
+
+```python
+meta = secry.inspect(token)
+# {
+#   "prefix": "secry:v2:",
+#   "version": "v2",
+#   "algo": "ChaCha20-Poly1305",
+#   "compact": False,
+#   "legacy": False,
+#   "kdf": "scrypt (N=16384,r=8,p=1)",
+#   "salt_hex": "...",
+#   "nonce_hex": "...",
+#   "payload_bytes": 64
+# }
+```
+
+## Security
+
+- AES-256-GCM / ChaCha20-Poly1305 authenticated encryption
+- scrypt key derivation (N=16384, r=8, p=1)
+- Random salt + nonce per token
+- Auth tag detects tampering before decryption
+- Zero external dependencies
+
+## License
+
+MIT

secry-1.1.6/pyproject.toml

@@ -0,0 +1,20 @@
+[build-system]
+requires      = ["setuptools>=68","wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name            = "secry"
+version         = "1.1.6"
+description     = "AES-256-GCM token encryption — interoperable with Node.js secry"
+readme          = "README.md"
+license         = {text="MIT"}
+requires-python = ">=3.6"
+dependencies    = []
+keywords        = ["encryption","aes-256-gcm","crypto","token"]
+
+[project.urls]
+Homepage = "https://github.com/rushpym-dotcom/secry"
+
+[tool.setuptools.packages.find]
+where   = ["."]
+include = ["secry*"]

secry-1.1.6/secry/__init__.py

@@ -0,0 +1,50 @@
+from __future__ import annotations
+import os as _os
+from importlib.metadata import version as _ver, PackageNotFoundError as _PNF
+from ._crypto import encrypt as _enc, decrypt as _dec
+from ._util   import fingerprint as _fp, parse_expiry, inspect as _ins
+
+try:
+    __version__ = _ver("secry")
+except _PNF:
+    __version__ = "dev"
+
+__all__ = ["encrypt","decrypt","verify","fingerprint","generate","inspect","parse_expiry"]
+
+TOKEN_PREFIX = "secry:v2:"
+
+def encrypt(text: str, password: str, *, expires: str | None = None, expires_ms: int | None = None, version: int = 2, compact: bool = False) -> str:
+    if not password: raise TypeError("password must be non-empty")
+    exp = parse_expiry(expires) if expires else expires_ms
+    return _enc(text, password, expires_ms=exp, version=version, compact=compact)
+
+def decrypt(token: str, password: str) -> str:
+    if not token:    raise TypeError("token must be non-empty")
+    if not password: raise TypeError("password must be non-empty")
+    return _dec(token, password)[0]
+
+def verify(token: str, password: str) -> bool:
+    try: _dec(token, password); return True
+    except: return False
+
+def fingerprint(text: str, secret: str) -> str: return _fp(text, secret)
+
+def inspect(token: str) -> dict: return _ins(token)
+
+def generate(nbytes: int = 24, *, upper: bool = False, count: int = 1) -> str | list[str]:
+    if not (8 <= nbytes <= 256): raise ValueError("nbytes must be between 8 and 256")
+    if not (1 <= count <= 20):   raise ValueError("count must be between 1 and 20")
+    _CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
+    def _gen() -> str:
+        raw = _os.urandom(nbytes)
+        pw  = "".join(_CHARS[b % 64] for b in raw)
+        if upper and not any(c.isupper() for c in pw):
+            i  = _os.urandom(1)[0] % len(pw)
+            pw = pw[:i] + pw[i].upper() + pw[i+1:]
+        return pw
+    pws = [_gen() for _ in range(count)]
+    return pws if count > 1 else pws[0]
+
+def example() -> None:
+    from ._example import show
+    show()

secry-1.1.6/secry/_crypto.py

@@ -0,0 +1,298 @@
+from __future__ import annotations
+import os as _o, struct as _s, time as _t, base64 as _b64, hashlib as _h, hmac as _hm
+import ctypes as _c, sys as _sys
+
+# ─── load openssl ─────────────────────────────────────────────────────────────
+
+def _load_lib() -> _c.CDLL:
+    if _sys.platform == "win32":
+        for n in ("libcrypto-3-x64.dll","libcrypto-3.dll","libcrypto.dll"):
+            try: return _c.CDLL(n)
+            except OSError: continue
+        raise OSError("OpenSSL not found. Install from https://slproweb.com/products/Win32OpenSSL.html")
+    elif _sys.platform == "darwin":
+        for n in ("libcrypto.3.dylib","libcrypto.dylib","/opt/homebrew/lib/libcrypto.3.dylib","/usr/local/lib/libcrypto.3.dylib"):
+            try: return _c.CDLL(n)
+            except OSError: continue
+        raise OSError("OpenSSL not found. Install via: brew install openssl")
+    else:
+        for n in ("libcrypto.so.3","libcrypto.so"):
+            try: return _c.CDLL(n)
+            except OSError: continue
+        raise OSError("OpenSSL not found. Install via: apt install libssl-dev")
+
+_lib = _load_lib()
+_ci  = _c.c_int
+_cv  = _c.c_void_p
+_cc  = _c.c_char_p
+
+# ─── openssl bindings ────────────────────────────────────────────────────────
+
+_lib.EVP_CIPHER_CTX_new.restype          = _cv
+_lib.EVP_aes_256_gcm.restype             = _cv
+_lib.EVP_aes_256_cbc.restype             = _cv
+_lib.EVP_chacha20_poly1305.restype       = _cv
+_lib.EVP_EncryptInit_ex.argtypes         = [_cv,_cv,_cv,_cc,_cc]; _lib.EVP_EncryptInit_ex.restype  = _ci
+_lib.EVP_DecryptInit_ex.argtypes         = [_cv,_cv,_cv,_cc,_cc]; _lib.EVP_DecryptInit_ex.restype  = _ci
+_lib.EVP_CIPHER_CTX_ctrl.argtypes        = [_cv,_ci,_ci,_cv];     _lib.EVP_CIPHER_CTX_ctrl.restype = _ci
+_lib.EVP_EncryptUpdate.argtypes          = [_cv,_cc,_c.POINTER(_ci),_cc,_ci]; _lib.EVP_EncryptUpdate.restype  = _ci
+_lib.EVP_DecryptUpdate.argtypes          = [_cv,_cc,_c.POINTER(_ci),_cc,_ci]; _lib.EVP_DecryptUpdate.restype  = _ci
+_lib.EVP_EncryptFinal_ex.argtypes        = [_cv,_cc,_c.POINTER(_ci)]; _lib.EVP_EncryptFinal_ex.restype = _ci
+_lib.EVP_DecryptFinal_ex.argtypes        = [_cv,_cc,_c.POINTER(_ci)]; _lib.EVP_DecryptFinal_ex.restype = _ci
+_lib.EVP_CIPHER_CTX_free.argtypes        = [_cv]
+_lib.EVP_CIPHER_CTX_set_padding.argtypes = [_cv,_ci]; _lib.EVP_CIPHER_CTX_set_padding.restype = _ci
+
+_GCM_SIVLEN = 0x9
+_GCM_GTAG   = 0x10
+_GCM_STAG   = 0x11
+
+# ─── prefixes ────────────────────────────────────────────────────────────────
+# full
+_PX1 = b"secry:v1:"
+_PX2 = b"secry:v2:"
+_PX3 = b"secry:v3:"
+# compact
+_CPX1 = b"sec:v1:"
+_CPX2 = b"sec:v2:"
+_CPX3 = b"sec:v3:"
+# legacy rwn64 (read-only compat)
+_LPX1 = b"rwn64:v1:"
+_LPX2 = b"rwn64:v2:"
+_LPX3 = b"rwn64:v3:"
+
+# sizes
+_SL   = 16   # salt full
+_SL_C = 8    # salt compact
+_NL   = 12   # nonce v1/v2 full
+_NL3  = 16   # nonce v3 full
+_NL_C = 8    # nonce compact (all versions)
+_TL   = 16   # tag
+_KL   = 32   # key
+_N,_R,_P = 16384,8,1
+
+# ─── encoding detection ──────────────────────────────────────────────────────
+
+def _detect_encoding(data: bytes) -> str:
+    if data[:3] == b"\xef\xbb\xbf": return "utf-8-sig"
+    if data[:2] in (b"\xff\xfe", b"\xfe\xff"): return "utf-16"
+    try: data.decode("utf-8"); return "utf-8"
+    except UnicodeDecodeError: pass
+    for enc in ("latin-1", "cp1252", "iso-8859-1"):
+        try: data.decode(enc); return enc
+        except UnicodeDecodeError: continue
+    return "latin-1"
+
+def decode_auto(data: bytes) -> tuple[str, str]:
+    enc = _detect_encoding(data)
+    return data.decode(enc), enc
+
+# ─── kdf ─────────────────────────────────────────────────────────────────────
+
+def _kdf(pw: bytes, salt: bytes) -> bytes:
+    return _h.scrypt(pw, salt=salt, n=_N, r=_R, p=_P, dklen=_KL)
+
+# ─── v1 — AES-256-GCM ────────────────────────────────────────────────────────
+
+def _enc_v1(key: bytes, nonce: bytes, pt: bytes) -> tuple[bytes, bytes]:
+    x = _lib.EVP_CIPHER_CTX_new()
+    _lib.EVP_EncryptInit_ex(x, _lib.EVP_aes_256_gcm(), None, None, None)
+    _lib.EVP_CIPHER_CTX_ctrl(x, _GCM_SIVLEN, len(nonce), None)
+    _lib.EVP_EncryptInit_ex(x, None, None, key, nonce)
+    buf = _c.create_string_buffer(len(pt)+16); l = _ci(0)
+    _lib.EVP_EncryptUpdate(x, buf, _c.byref(l), pt, len(pt))
+    ct = buf.raw[:l.value]
+    _lib.EVP_EncryptFinal_ex(x, buf, _c.byref(l))
+    tag = _c.create_string_buffer(16)
+    _lib.EVP_CIPHER_CTX_ctrl(x, _GCM_GTAG, 16, tag)
+    _lib.EVP_CIPHER_CTX_free(x)
+    return ct, tag.raw
+
+def _dec_v1(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
+    x = _lib.EVP_CIPHER_CTX_new()
+    _lib.EVP_DecryptInit_ex(x, _lib.EVP_aes_256_gcm(), None, None, None)
+    _lib.EVP_CIPHER_CTX_ctrl(x, _GCM_SIVLEN, len(nonce), None)
+    _lib.EVP_DecryptInit_ex(x, None, None, key, nonce)
+    buf = _c.create_string_buffer(len(ct)+16); l = _ci(0)
+    _lib.EVP_DecryptUpdate(x, buf, _c.byref(l), ct, len(ct))
+    pt = buf.raw[:l.value]
+    _lib.EVP_CIPHER_CTX_ctrl(x, _GCM_STAG, 16, _c.c_char_p(tag))
+    fin = _c.create_string_buffer(16)
+    ok = _lib.EVP_DecryptFinal_ex(x, fin, _c.byref(l))
+    _lib.EVP_CIPHER_CTX_free(x)
+    if ok <= 0: raise ValueError("wrong password or corrupted token")
+    return pt
+
+# ─── v2 — ChaCha20-Poly1305 ──────────────────────────────────────────────────
+
+def _enc_v2(key: bytes, nonce: bytes, pt: bytes) -> tuple[bytes, bytes]:
+    x = _lib.EVP_CIPHER_CTX_new()
+    _lib.EVP_EncryptInit_ex(x, _lib.EVP_chacha20_poly1305(), None, None, None)
+    _lib.EVP_CIPHER_CTX_ctrl(x, _GCM_SIVLEN, len(nonce), None)
+    _lib.EVP_EncryptInit_ex(x, None, None, key, nonce)
+    buf = _c.create_string_buffer(len(pt)+16); l = _ci(0)
+    _lib.EVP_EncryptUpdate(x, buf, _c.byref(l), pt, len(pt))
+    ct = buf.raw[:l.value]
+    _lib.EVP_EncryptFinal_ex(x, buf, _c.byref(l))
+    tag = _c.create_string_buffer(16)
+    _lib.EVP_CIPHER_CTX_ctrl(x, _GCM_GTAG, 16, tag)
+    _lib.EVP_CIPHER_CTX_free(x)
+    return ct, tag.raw
+
+def _dec_v2(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
+    x = _lib.EVP_CIPHER_CTX_new()
+    _lib.EVP_DecryptInit_ex(x, _lib.EVP_chacha20_poly1305(), None, None, None)
+    _lib.EVP_CIPHER_CTX_ctrl(x, _GCM_SIVLEN, len(nonce), None)
+    _lib.EVP_DecryptInit_ex(x, None, None, key, nonce)
+    buf = _c.create_string_buffer(len(ct)+16); l = _ci(0)
+    _lib.EVP_DecryptUpdate(x, buf, _c.byref(l), ct, len(ct))
+    pt = buf.raw[:l.value]
+    _lib.EVP_CIPHER_CTX_ctrl(x, _GCM_STAG, 16, _c.c_char_p(tag))
+    fin = _c.create_string_buffer(16)
+    ok = _lib.EVP_DecryptFinal_ex(x, fin, _c.byref(l))
+    _lib.EVP_CIPHER_CTX_free(x)
+    if ok <= 0: raise ValueError("wrong password or corrupted token")
+    return pt
+
+# ─── v3 — AES-256-CBC ────────────────────────────────────────────────────────
+
+def _pad(data: bytes) -> bytes:
+    pad_len = 16 - len(data) % 16
+    return data + bytes([pad_len] * pad_len)
+
+def _unpad(data: bytes) -> bytes:
+    return data[:-data[-1]]
+
+def _enc_v3(key: bytes, iv: bytes, pt: bytes) -> bytes:
+    x = _lib.EVP_CIPHER_CTX_new()
+    _lib.EVP_EncryptInit_ex(x, _lib.EVP_aes_256_cbc(), None, key, iv)
+    _lib.EVP_CIPHER_CTX_set_padding(x, 0)
+    padded = _pad(pt)
+    buf = _c.create_string_buffer(len(padded)+16); l = _ci(0)
+    _lib.EVP_EncryptUpdate(x, buf, _c.byref(l), padded, len(padded))
+    ct = buf.raw[:l.value]
+    _lib.EVP_EncryptFinal_ex(x, buf, _c.byref(l))
+    _lib.EVP_CIPHER_CTX_free(x)
+    return ct
+
+def _dec_v3(key: bytes, iv: bytes, ct: bytes) -> bytes:
+    x = _lib.EVP_CIPHER_CTX_new()
+    _lib.EVP_DecryptInit_ex(x, _lib.EVP_aes_256_cbc(), None, key, iv)
+    _lib.EVP_CIPHER_CTX_set_padding(x, 0)
+    buf = _c.create_string_buffer(len(ct)+16); l = _ci(0)
+    _lib.EVP_DecryptUpdate(x, buf, _c.byref(l), ct, len(ct))
+    pt = buf.raw[:l.value]
+    _lib.EVP_DecryptFinal_ex(x, buf, _c.byref(l))
+    _lib.EVP_CIPHER_CTX_free(x)
+    return _unpad(pt)
+
+# ─── helpers ─────────────────────────────────────────────────────────────────
+
+def _b64e(b: bytes) -> bytes: return _b64.urlsafe_b64encode(b).rstrip(b"=")
+def _b64d(b: bytes) -> bytes:
+    p = 4 - len(b) % 4
+    return _b64.urlsafe_b64decode(b + (b"=" * p if p != 4 else b""))
+
+def _eexp(ms: int) -> bytes: return _s.pack(">II", ms >> 32, ms & 0xFFFFFFFF)
+def _dexp(b: bytes) -> int:
+    hi, lo = _s.unpack(">II", b); return (hi << 32) | lo
+
+def _build_inner(plaintext: str | bytes, expires_ms: int | None) -> bytes:
+    if isinstance(plaintext, bytes):
+        plaintext, _ = decode_auto(plaintext)
+    hx = expires_ms is not None
+    return (b"\x01" + _eexp(expires_ms) if hx else b"\x00") + plaintext.encode("utf-8")
+
+def _parse_inner(inner: bytes) -> tuple[str, int | None]:
+    if inner[0] == 1:
+        exp = _dexp(inner[1:9])
+        if int(_t.time() * 1000) > exp:
+            raise ValueError(f"token expired at {exp}")
+        return inner[9:].decode("utf-8"), exp
+    return inner[1:].decode("utf-8"), None
+
+# ─── detect token ────────────────────────────────────────────────────────────
+
+def _detect(tb: bytes):
+    """Returns (prefix, version_int, nonce_len, salt_len, compact, is_legacy)"""
+    checks = [
+        (_PX1,  1, _NL,   _SL,   False, False),
+        (_PX2,  2, _NL,   _SL,   False, False),
+        (_PX3,  3, _NL3,  _SL,   False, False),
+        (_CPX1, 1, _NL_C, _SL_C, True,  False),
+        (_CPX2, 2, _NL_C, _SL_C, True,  False),
+        (_CPX3, 3, _NL_C, _SL_C, True,  False),
+        (_LPX1, 1, _NL,   _SL,   False, True),
+        (_LPX2, 2, _NL,   _SL,   False, True),
+        (_LPX3, 3, _NL3,  _SL,   False, True),
+    ]
+    for pfx, ver, nl, sl, compact, legacy in checks:
+        if tb.startswith(pfx):
+            return pfx, ver, nl, sl, compact, legacy
+    raise ValueError("invalid token format")
+
+# ─── nonce helpers for compact mode ──────────────────────────────────────────
+
+def _pad_nonce(n: bytes, target: int) -> bytes:
+    """Pad or truncate nonce to target length."""
+    if len(n) >= target:
+        return n[:target]
+    return n + b"\x00" * (target - len(n))
+
+# ─── public api ──────────────────────────────────────────────────────────────
+
+def encrypt(plaintext: str | bytes, password: str, *, expires_ms: int | None = None, version: int = 2, compact: bool = False) -> str:
+    sl    = _SL_C if compact else _SL
+    nl    = _NL_C if compact else (_NL3 if version == 3 else _NL)
+    salt  = _o.urandom(sl)
+    nonce = _o.urandom(nl)
+    key   = _kdf(password.encode(), salt)
+    inner = _build_inner(plaintext, expires_ms)
+
+    if compact:
+        pfx = {1: _CPX1, 2: _CPX2, 3: _CPX3}[version]
+        # pad nonce to required cipher length
+        nonce_full = _pad_nonce(nonce, 12 if version in (1, 2) else 16)
+        if version == 1:
+            ct, tag = _enc_v1(key, nonce_full, inner)
+            return (pfx + _b64e(salt + nonce + tag + ct)).decode()
+        elif version == 3:
+            ct = _enc_v3(key, nonce_full, inner)
+            return (pfx + _b64e(salt + nonce + ct)).decode()
+        else:
+            ct, tag = _enc_v2(key, nonce_full, inner)
+            return (pfx + _b64e(salt + nonce + tag + ct)).decode()
+    else:
+        pfx = {1: _PX1, 2: _PX2, 3: _PX3}[version]
+        if version == 1:
+            ct, tag = _enc_v1(key, nonce, inner)
+            return (pfx + _b64e(salt + nonce + tag + ct)).decode()
+        elif version == 3:
+            ct = _enc_v3(key, nonce, inner)
+            return (pfx + _b64e(salt + nonce + ct)).decode()
+        else:
+            ct, tag = _enc_v2(key, nonce, inner)
+            return (pfx + _b64e(salt + nonce + tag + ct)).decode()
+
+def decrypt(token: str, password: str) -> tuple[str, int | None]:
+    tb = token.encode()
+    pfx, ver, nl, sl, compact, _ = _detect(tb)
+
+    raw   = _b64d(tb[len(pfx):])
+    salt  = raw[:sl]
+    nonce_raw = raw[sl:sl+nl]
+    key   = _kdf(password.encode(), salt)
+
+    if compact:
+        nonce_full = _pad_nonce(nonce_raw, 12 if ver in (1, 2) else 16)
+    else:
+        nonce_full = nonce_raw
+
+    if ver == 3:
+        ct    = raw[sl+nl:]
+        inner = _dec_v3(key, nonce_full, ct)
+    else:
+        tag   = raw[sl+nl:sl+nl+_TL]
+        ct    = raw[sl+nl+_TL:]
+        inner = _dec_v1(key, nonce_full, ct, tag) if ver == 1 else _dec_v2(key, nonce_full, ct, tag)
+
+    return _parse_inner(inner)

secry-1.1.6/secry/_example.py

@@ -0,0 +1,84 @@
+from __future__ import annotations
+import sys
+
+_NC = sys.stdout.isatty() is False
+_c = {
+    "r":"", "dim":"", "bold":"", "hi":"", "cyan":"", "gray":"", "green":""
+} if _NC else {
+    "r":    "\x1b[0m",
+    "dim":  "\x1b[2m",
+    "bold": "\x1b[1m",
+    "hi":   "\x1b[38;5;252m",
+    "cyan": "\x1b[36m",
+    "gray": "\x1b[38;5;245m",
+    "green":"\x1b[32m",
+}
+
+def _vis(s: str) -> int:
+    import re
+    return len(re.sub(r"\x1b\[[0-9;]*m", "", s))
+
+def _code_box(title: str, lines: list[tuple[str, str]]) -> None:
+    lw = max(len(l) for l, _ in lines) if lines else 0
+    rows = []
+    for label, val in lines:
+        pad = " " * (lw - len(label) + 1)
+        lc  = _c["gray"]  if label.startswith("#") or label == "" else _c["cyan"]
+        vc  = _c["dim"]   if label.startswith("#") or label == "" else _c["hi"]
+        rows.append(f"{lc}{label}{_c['r']}{pad}{vc}{val}{_c['r']}")
+
+    width = max((_vis(r) for r in rows), default=0)
+    width = max(width, len(title) + 4) + 4
+
+    def hline(l: str, r: str) -> str:
+        return f"{_c['gray']}{l}{'─' * (width - 2)}{r}{_c['r']}\n"
+
+    sys.stderr.write(f"\n  {_c['dim']}{title}{_c['r']}\n")
+    sys.stderr.write(hline("┌", "┐"))
+    for row in rows:
+        pad = max(0, width - _vis(row) - 2)
+        sys.stderr.write(f"{_c['gray']}│{_c['r']} {row}{' ' * pad} {_c['gray']}│{_c['r']}\n")
+    sys.stderr.write(hline("└", "┘"))
+
+def show() -> None:
+    import secry
+    ver = secry.__version__
+
+    sys.stderr.write(f"\n{_c['gray']}{'─' * 48}{_c['r']}\n")
+    sys.stderr.write(f"  {_c['bold']}{_c['cyan']}secry{_c['r']}  {_c['gray']}v{ver}  examples  (python){_c['r']}\n")
+    sys.stderr.write(f"{_c['gray']}{'─' * 48}{_c['r']}\n")
+
+    _code_box("library  (python)", [
+        ("# install",                      ""),
+        ("pip install",                    "secry"),
+        ("",                               ""),
+        ("import",                         "secry"),
+        ("",                               ""),
+        ("# generate password",            ""),
+        ("pw",                             "= secry.generate(32)"),
+        ("",                               ""),
+        ("# encrypt  (full token)",        ""),
+        ("token",                          "= secry.encrypt('my secret', pw)"),
+        ("token",                          "= secry.encrypt('expires', pw, expires='1h')"),
+        ("",                               ""),
+        ("# encrypt  (compact token)",     ""),
+        ("token",                          "= secry.encrypt('my secret', pw, compact=True)"),
+        ("",                               ""),
+        ("# decrypt  (secry:, sec:, rwn64: all accepted)", ""),
+        ("text",                           "= secry.decrypt(token, pw)"),
+        ("",                               ""),
+        ("# verify",                       ""),
+        ("ok",                             "= secry.verify(token, pw)"),
+        ("",                               ""),
+        ("# fingerprint",                  ""),
+        ("fp",                             "= secry.fingerprint('hello', 'secret')"),
+        ("",                               ""),
+        ("# inspect token metadata",       ""),
+        ("meta",                           "= secry.inspect(token)"),
+        ("# meta",                         "{ version, algo, compact, legacy, kdf, salt_hex, nonce_hex, payload_bytes }"),
+    ])
+
+    sys.stderr.write(f"\n{_c['gray']}{'─' * 48}{_c['r']}\n\n")
+
+if __name__ == "__main__":
+    show()

secry-1.1.6/secry/_util.py

@@ -0,0 +1,35 @@
+from __future__ import annotations
+import base64 as _b,hashlib as _h,hmac as _m,os as _o,re as _r,time as _t
+
+def _b64e(b:bytes)->bytes: return _b.urlsafe_b64encode(b).rstrip(b"=")
+def _b64d(b:bytes)->bytes:
+    p=4-len(b)%4; return _b.urlsafe_b64decode(b+(b"="*p if p!=4 else b""))
+
+def fingerprint(text:str,secret:str)->str:
+    return _m.new(secret.encode(),text.encode(),_h.sha256).hexdigest()[:16]
+
+def generate(nbytes:int=24)->str:
+    return _b64e(_o.urandom(nbytes)).decode()
+
+def parse_expiry(raw:str)->int:
+    m=_r.fullmatch(r"(\d+)(s|m|h|d)",raw.strip())
+    if not m: raise ValueError(f'invalid expiry: "{raw}" — use 30s 5m 2h 7d')
+    return int(_t.time()*1000)+int(m.group(1))*{"s":1000,"m":60000,"h":3600000,"d":86400000}[m.group(2)]
+
+def inspect(token:str)->dict:
+    from ._crypto import _b64d, _detect
+    tb = token.encode()
+    pfx, ver, nl, sl, compact, legacy = _detect(tb)
+    raw = _b64d(tb[len(pfx):])
+    algo_map = {1: "AES-256-GCM", 2: "ChaCha20-Poly1305", 3: "AES-256-CBC"}
+    return {
+        "prefix":        pfx.decode(),
+        "version":       f"v{ver}",
+        "algo":          algo_map[ver],
+        "compact":       compact,
+        "legacy":        legacy,
+        "kdf":           "scrypt (N=16384,r=8,p=1)",
+        "salt_hex":      raw[:sl].hex(),
+        "nonce_hex":     raw[sl:sl+nl].hex(),
+        "payload_bytes": len(raw),
+    }

secry-1.1.6/secry.egg-info/PKG-INFO

@@ -0,0 +1,95 @@
+Metadata-Version: 2.4
+Name: secry
+Version: 1.1.6
+Summary: AES-256-GCM token encryption — interoperable with Node.js secry
+License: MIT
+Project-URL: Homepage, https://github.com/rushpym-dotcom/secry
+Keywords: encryption,aes-256-gcm,crypto,token
+Requires-Python: >=3.6
+Description-Content-Type: text/markdown
+
+# secry
+
+AES-256-GCM token encryption for Python. Zero dependencies. Tokens are fully interoperable with the [Node.js secry package](https://www.npmjs.com/package/secry).
+
+```sh
+pip install secry
+```
+
+---
+
+## Usage
+
+```python
+import secry
+
+token = secry.encrypt("my secret", "mypassword")
+text  = secry.decrypt(token, "mypassword")
+ok    = secry.verify(token, "mypassword")
+fp    = secry.fingerprint("hello", "secret")
+pw    = secry.generate(32)
+meta  = secry.inspect(token)
+```
+
+## Compact mode
+
+Use `compact=True` to get shorter tokens with the `sec:` prefix:
+
+```python
+token = secry.encrypt("my secret", "mypassword", compact=True)
+# → sec:v2:...  (shorter token)
+
+# decrypt works the same way — prefix is detected automatically
+text = secry.decrypt(token, "mypassword")
+```
+
+## Expiry
+
+```python
+token = secry.encrypt("temporary", "mypassword", expires="1h")
+token = secry.encrypt("temporary", "mypassword", expires="30m")
+token = secry.encrypt("temporary", "mypassword", expires="7d")
+```
+
+## Token prefixes
+
+```
+secry:v1:   AES-256-GCM        (full)
+secry:v2:   ChaCha20-Poly1305  (full)
+secry:v3:   AES-256-CBC        (full)
+
+sec:v1:     AES-256-GCM        (compact)
+sec:v2:     ChaCha20-Poly1305  (compact)
+sec:v3:     AES-256-CBC        (compact)
+
+rwn64:v*:   legacy — still accepted by decrypt/verify/inspect
+```
+
+## Inspect
+
+```python
+meta = secry.inspect(token)
+# {
+#   "prefix": "secry:v2:",
+#   "version": "v2",
+#   "algo": "ChaCha20-Poly1305",
+#   "compact": False,
+#   "legacy": False,
+#   "kdf": "scrypt (N=16384,r=8,p=1)",
+#   "salt_hex": "...",
+#   "nonce_hex": "...",
+#   "payload_bytes": 64
+# }
+```
+
+## Security
+
+- AES-256-GCM / ChaCha20-Poly1305 authenticated encryption
+- scrypt key derivation (N=16384, r=8, p=1)
+- Random salt + nonce per token
+- Auth tag detects tampering before decryption
+- Zero external dependencies
+
+## License
+
+MIT

secry-1.1.6/secry.egg-info/SOURCES.txt

@@ -0,0 +1,12 @@
+README.md
+pyproject.toml
+secry/__init__.py
+secry/_crypto.py
+secry/_example.py
+secry/_util.py
+secry.egg-info/PKG-INFO
+secry.egg-info/SOURCES.txt
+secry.egg-info/dependency_links.txt
+secry.egg-info/top_level.txt
+tests/test_rwn64.py
+tests/test_secry.py

secry-1.1.6/secry.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

secry-1.1.6/secry.egg-info/top_level.txt

@@ -0,0 +1 @@
+secry

secry-1.1.6/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

secry-1.1.6/tests/test_rwn64.py

@@ -0,0 +1,91 @@
+import sys,os,time
+sys.path.insert(0,os.path.join(os.path.dirname(__file__),".."))
+import rwn64
+
+_G="\x1b[32m✔\x1b[0m"; _R="\x1b[31m✘\x1b[0m"
+_H="\x1b[1m\x1b[38;5;252m"; _D="\x1b[38;5;245m"; _E="\x1b[0m"
+_p=_f=0
+
+def _head(t): print(f"\n{_H}{t}{_E}")
+def _assert(c,m="assertion failed"):
+    if not c: raise AssertionError(m)
+
+def test(label,fn):
+    global _p,_f
+    try:    fn(); print(f"  {_G}  {label}"); _p+=1
+    except Exception as e: print(f"  {_R}  {label}\n     {_D}{e}{_E}"); _f+=1
+
+_head("encrypt / decrypt")
+test("returns rwn64:v1: token",          lambda:_assert(rwn64.encrypt("hi","pw").startswith("rwn64:v1:")))
+test("roundtrip plaintext",              lambda:_assert(rwn64.decrypt(rwn64.encrypt("secret","pw"),"pw")=="secret"))
+test("unique tokens per call",           lambda:_assert(rwn64.encrypt("x","pw")!=rwn64.encrypt("x","pw")))
+test("unicode roundtrip",                lambda:_assert(rwn64.decrypt(rwn64.encrypt("日本語 ñ @#$","pw"),"pw")=="日本語 ñ @#$"))
+test("10 KB roundtrip",                  lambda:_assert(rwn64.decrypt(rwn64.encrypt("x"*10240,"pw"),"pw")=="x"*10240))
+
+_head("wrong password / tampered")
+def _t6():
+    tok=rwn64.encrypt("secret","correct")
+    try: rwn64.decrypt(tok,"wrong"); raise AssertionError("should raise")
+    except ValueError: pass
+test("wrong password raises",_t6)
+
+def _t7():
+    tok=rwn64.encrypt("secret","pw")
+    try: rwn64.decrypt(tok[:-6]+"AAAAAA","pw"); raise AssertionError("should raise")
+    except Exception: pass
+test("tampered token raises",_t7)
+
+def _t8():
+    try: rwn64.decrypt("notatoken","pw"); raise AssertionError("should raise")
+    except Exception: pass
+test("invalid format raises",_t8)
+
+_head("verify")
+test("valid token → True",   lambda:_assert(rwn64.verify(rwn64.encrypt("x","pw"),"pw") is True))
+test("wrong password → False",lambda:_assert(rwn64.verify(rwn64.encrypt("x","pw"),"bad") is False))
+test("garbage → False",       lambda:_assert(rwn64.verify("garbage","pw") is False))
+
+_head("expiry")
+test("no expiry decrypts",    lambda:_assert(rwn64.decrypt(rwn64.encrypt("x","pw"),"pw")=="x"))
+test("future expiry decrypts",lambda:_assert(rwn64.decrypt(rwn64.encrypt("x","pw",expires_ms=int(time.time()*1000)+60000),"pw")=="x"))
+test("expires= string (1h)",  lambda:_assert(rwn64.decrypt(rwn64.encrypt("x","pw",expires="1h"),"pw")=="x"))
+
+def _t13():
+    tok=rwn64.encrypt("x","pw",expires_ms=int(time.time()*1000)+100)
+    time.sleep(0.2)
+    try: rwn64.decrypt(tok,"pw"); raise AssertionError("should raise")
+    except ValueError as e: _assert("expired" in str(e).lower())
+test("expired token raises",_t13)
+
+_head("fingerprint")
+test("deterministic",         lambda:_assert(rwn64.fingerprint("hi","s")==rwn64.fingerprint("hi","s")))
+test("different input differs",lambda:_assert(rwn64.fingerprint("a","s")!=rwn64.fingerprint("b","s")))
+test("16 hex chars",          lambda:_assert(len(rwn64.fingerprint("x","s"))==16))
+
+_head("generate")
+test("non-empty string",      lambda:_assert(isinstance(rwn64.generate(),str) and len(rwn64.generate())>0))
+test("unique values",         lambda:_assert(rwn64.generate()!=rwn64.generate()))
+
+_head("inspect")
+def _t_ins():
+    m=rwn64.inspect(rwn64.encrypt("x","pw"))
+    _assert(m["version"]=="v1")
+    _assert(m["algo"]=="AES-256-GCM")
+    _assert(m["prefix"]=="rwn64:v1:")
+test("inspect metadata",_t_ins)
+
+_head("node interoperability")
+_TOK ="rwn64:v1:IaQVjP7tITZRERd-MWZBpxGMdo432gsidiGNlK9vZFSt-Vqhs2ioZt4dFykhmciisVa9a07VY0M"
+_PASS="minhasenha"
+_TXT ="old v1 text"
+test("decrypt Node.js token", lambda:_assert(rwn64.decrypt(_TOK,_PASS)==_TXT))
+test("Python token is valid", lambda:_assert(rwn64.decrypt(rwn64.encrypt(_TXT,_PASS),_PASS)==_TXT))
+
+total=_p+_f
+print(f"\n{_D}{'─'*48}{_E}\n")
+print(f"  total   {total}")
+print(f"  \x1b[32mpassed  {_p}\x1b[0m")
+if _f: print(f"  \x1b[31mfailed  {_f}\x1b[0m")
+print()
+if not _f: print(f"  \x1b[32m\x1b[1mall tests passed\x1b[0m\n")
+else:      print(f"  \x1b[31m\x1b[1m{_f} test(s) failed\x1b[0m\n"); sys.exit(1)

secry-1.1.6/tests/test_secry.py

@@ -0,0 +1,130 @@
+import sys,os,time
+sys.path.insert(0,os.path.join(os.path.dirname(__file__),".."))
+import secry
+
+_G="\x1b[32m✔\x1b[0m"; _R="\x1b[31m✘\x1b[0m"
+_H="\x1b[1m\x1b[38;5;252m"; _D="\x1b[38;5;245m"; _E="\x1b[0m"
+_p=_f=0
+
+def _head(t): print(f"\n{_H}{t}{_E}")
+def _assert(c,m="assertion failed"):
+    if not c: raise AssertionError(m)
+
+def test(label,fn):
+    global _p,_f
+    try:    fn(); print(f"  {_G}  {label}"); _p+=1
+    except Exception as e: print(f"  {_R}  {label}\n     {_D}{e}{_E}"); _f+=1
+
+# ── encrypt / decrypt ─────────────────────────────────────────────────────────
+
+_head("encrypt / decrypt")
+test("returns secry:v2: token",          lambda:_assert(secry.encrypt("hi","pw").startswith("secry:v2:")))
+test("roundtrip plaintext",              lambda:_assert(secry.decrypt(secry.encrypt("secret","pw"),"pw")=="secret"))
+test("unique tokens per call",           lambda:_assert(secry.encrypt("x","pw")!=secry.encrypt("x","pw")))
+test("unicode roundtrip",                lambda:_assert(secry.decrypt(secry.encrypt("日本語 ñ @#$","pw"),"pw")=="日本語 ñ @#$"))
+test("10 KB roundtrip",                  lambda:_assert(secry.decrypt(secry.encrypt("x"*10240,"pw"),"pw")=="x"*10240))
+test("version=1 roundtrip",             lambda:_assert(secry.decrypt(secry.encrypt("hi","pw",version=1),"pw")=="hi"))
+test("version=3 roundtrip",             lambda:_assert(secry.decrypt(secry.encrypt("hi","pw",version=3),"pw")=="hi"))
+
+# ── compact mode ──────────────────────────────────────────────────────────────
+
+_head("compact mode")
+test("compact returns sec:v2: token",    lambda:_assert(secry.encrypt("hi","pw",compact=True).startswith("sec:v2:")))
+test("compact v1 returns sec:v1:",       lambda:_assert(secry.encrypt("hi","pw",version=1,compact=True).startswith("sec:v1:")))
+test("compact v3 returns sec:v3:",       lambda:_assert(secry.encrypt("hi","pw",version=3,compact=True).startswith("sec:v3:")))
+test("compact roundtrip",               lambda:_assert(secry.decrypt(secry.encrypt("secret","pw",compact=True),"pw")=="secret"))
+test("compact token shorter than full", lambda:_assert(len(secry.encrypt("hi","pw",compact=True))<len(secry.encrypt("hi","pw"))))
+test("compact unicode roundtrip",       lambda:_assert(secry.decrypt(secry.encrypt("日本語","pw",compact=True),"pw")=="日本語"))
+
+# ── wrong password / tampered ─────────────────────────────────────────────────
+
+_head("wrong password / tampered")
+def _t6():
+    tok=secry.encrypt("secret","correct")
+    try: secry.decrypt(tok,"wrong"); raise AssertionError("should raise")
+    except ValueError: pass
+test("wrong password raises",_t6)
+
+def _t7():
+    tok=secry.encrypt("secret","pw")
+    try: secry.decrypt(tok[:-6]+"AAAAAA","pw"); raise AssertionError("should raise")
+    except Exception: pass
+test("tampered token raises",_t7)
+
+def _t8():
+    try: secry.decrypt("notatoken","pw"); raise AssertionError("should raise")
+    except Exception: pass
+test("invalid format raises",_t8)
+
+# ── verify ────────────────────────────────────────────────────────────────────
+
+_head("verify")
+test("valid token → True",    lambda:_assert(secry.verify(secry.encrypt("x","pw"),"pw") is True))
+test("wrong password → False", lambda:_assert(secry.verify(secry.encrypt("x","pw"),"bad") is False))
+test("garbage → False",        lambda:_assert(secry.verify("garbage","pw") is False))
+test("compact valid → True",   lambda:_assert(secry.verify(secry.encrypt("x","pw",compact=True),"pw") is True))
+
+# ── expiry ────────────────────────────────────────────────────────────────────
+
+_head("expiry")
+test("no expiry decrypts",     lambda:_assert(secry.decrypt(secry.encrypt("x","pw"),"pw")=="x"))
+test("future expiry decrypts", lambda:_assert(secry.decrypt(secry.encrypt("x","pw",expires_ms=int(time.time()*1000)+60000),"pw")=="x"))
+test("expires= string (1h)",   lambda:_assert(secry.decrypt(secry.encrypt("x","pw",expires="1h"),"pw")=="x"))
+
+def _t13():
+    tok=secry.encrypt("x","pw",expires_ms=int(time.time()*1000)+100)
+    time.sleep(0.2)
+    try: secry.decrypt(tok,"pw"); raise AssertionError("should raise")
+    except ValueError as e: _assert("expired" in str(e).lower())
+test("expired token raises",_t13)
+
+# ── fingerprint ───────────────────────────────────────────────────────────────
+
+_head("fingerprint")
+test("deterministic",          lambda:_assert(secry.fingerprint("hi","s")==secry.fingerprint("hi","s")))
+test("different input differs", lambda:_assert(secry.fingerprint("a","s")!=secry.fingerprint("b","s")))
+test("16 hex chars",           lambda:_assert(len(secry.fingerprint("x","s"))==16))
+
+# ── generate ──────────────────────────────────────────────────────────────────
+
+_head("generate")
+test("non-empty string",       lambda:_assert(isinstance(secry.generate(),str) and len(secry.generate())>0))
+test("unique values",          lambda:_assert(secry.generate()!=secry.generate()))
+
+# ── inspect ───────────────────────────────────────────────────────────────────
+
+_head("inspect")
+def _t_ins():
+    m=secry.inspect(secry.encrypt("x","pw"))
+    _assert(m["version"]=="v2")
+    _assert(m["algo"]=="ChaCha20-Poly1305")
+    _assert(m["prefix"]=="secry:v2:")
+    _assert(m["compact"] is False)
+    _assert(m["legacy"] is False)
+test("inspect full token",_t_ins)
+
+def _t_ins_c():
+    m=secry.inspect(secry.encrypt("x","pw",compact=True))
+    _assert(m["compact"] is True)
+    _assert(m["prefix"]=="sec:v2:")
+test("inspect compact token",_t_ins_c)
+
+# ── legacy rwn64 compat ───────────────────────────────────────────────────────
+
+_head("legacy rwn64 compat")
+_TOK  = "rwn64:v1:IaQVjP7tITZRERd-MWZBpxGMdo432gsidiGNlK9vZFSt-Vqhs2ioZt4dFykhmciisVa9a07VY0M"
+_PASS = "minhasenha"
+_TXT  = "old v1 text"
+test("decrypt rwn64:v1: token",  lambda:_assert(secry.decrypt(_TOK,_PASS)==_TXT))
+test("inspect rwn64 token legacy flag", lambda:_assert(secry.inspect(_TOK)["legacy"] is True))
+
+# ── summary ───────────────────────────────────────────────────────────────────
+
+total=_p+_f
+print(f"\n{_D}{'─'*48}{_E}\n")
+print(f"  total   {total}")
+print(f"  \x1b[32mpassed  {_p}\x1b[0m")
+if _f: print(f"  \x1b[31mfailed  {_f}\x1b[0m")
+print()
+if not _f: print(f"  \x1b[32m\x1b[1mall tests passed\x1b[0m\n")
+else:      print(f"  \x1b[31m\x1b[1m{_f} test(s) failed\x1b[0m\n"); sys.exit(1)