secure-credentials-kit 0.1.0__py3-none-any.whl

secure_credentials_kit/cli.py

@@ -0,0 +1,105 @@
+import argparse
+
+from secure_credentials_kit.credentials import edit_credentials, generate_credentials_key
+
+
+def print_key_paths(env: str, key_paths: dict) -> None:
+    for role, key_path in key_paths.items():
+        print(f"{role.title()} key for {env} has been generated and saved to {key_path}")
+
+
+def generate_key_main(argv=None) -> int:
+    parser = argparse.ArgumentParser(
+        description="Generate an encryption key for secure credentials."
+    )
+    parser.add_argument("env", help="Environment name")
+    parser.add_argument("--secrets-dir", default="secrets", help="Credentials directory")
+    parser.add_argument(
+        "--role",
+        choices=["all", "master", "readonly"],
+        default="all",
+        help="Key role to generate",
+    )
+    args = parser.parse_args(argv)
+
+    try:
+        key_paths = generate_credentials_key(args.env, args.secrets_dir, args.role)
+    except (FileExistsError, FileNotFoundError, PermissionError, ValueError) as exc:
+        print(exc)
+        return 1
+
+    print_key_paths(args.env, key_paths)
+    return 0
+
+
+def edit_main(argv=None) -> int:
+    parser = argparse.ArgumentParser(description="Edit encrypted secure credentials.")
+    parser.add_argument("env", help="Environment name")
+    parser.add_argument("--secrets-dir", default="secrets", help="Credentials directory")
+    parser.add_argument("--editor", help="Editor command to use")
+    args = parser.parse_args(argv)
+
+    try:
+        encrypted_path = edit_credentials(args.env, args.secrets_dir, args.editor)
+    except (FileNotFoundError, PermissionError, ValueError) as exc:
+        print(exc)
+        return 1
+
+    print(f"Data has been encrypted and saved to {encrypted_path}")
+    return 0
+
+
+def main(argv=None) -> int:
+    parser = argparse.ArgumentParser(prog="secure-credentials-kit")
+    subparsers = parser.add_subparsers(dest="command", required=True)
+
+    generate_parser = subparsers.add_parser(
+        "generate-key",
+        help="Generate an encryption key for an environment.",
+    )
+    generate_parser.add_argument("env", help="Environment name")
+    generate_parser.add_argument(
+        "--secrets-dir",
+        default="secrets",
+        help="Credentials directory",
+    )
+    generate_parser.add_argument(
+        "--role",
+        choices=["all", "master", "readonly"],
+        default="all",
+        help="Key role to generate",
+    )
+
+    edit_parser = subparsers.add_parser(
+        "edit",
+        help="Edit encrypted credentials for an environment.",
+    )
+    edit_parser.add_argument("env", help="Environment name")
+    edit_parser.add_argument(
+        "--secrets-dir",
+        default="secrets",
+        help="Credentials directory",
+    )
+    edit_parser.add_argument("--editor", help="Editor command to use")
+
+    args = parser.parse_args(argv)
+
+    if args.command == "generate-key":
+        try:
+            key_paths = generate_credentials_key(args.env, args.secrets_dir, args.role)
+        except (FileExistsError, FileNotFoundError, PermissionError, ValueError) as exc:
+            print(exc)
+            return 1
+        print_key_paths(args.env, key_paths)
+        return 0
+
+    if args.command == "edit":
+        try:
+            encrypted_path = edit_credentials(args.env, args.secrets_dir, args.editor)
+        except (FileNotFoundError, PermissionError, ValueError) as exc:
+            print(exc)
+            return 1
+        print(f"Data has been encrypted and saved to {encrypted_path}")
+        return 0
+
+    return 1

secure_credentials_kit/credentials.py

@@ -0,0 +1,128 @@
+from os import getenv, makedirs, path, remove
+from subprocess import run as subprocess_run
+from typing import Optional
+
+from secure_credentials_kit.utils import (
+    derive_readonly_key,
+    decrypt_credentials_data,
+    encrypt_credentials_data,
+    generate_credentials_key_pair,
+)
+
+
+def secret_path(secrets_dir: str, env: str, suffix: str) -> str:
+    return path.join(secrets_dir, f"{env}.{suffix}")
+
+
+def master_key_path(secrets_dir: str, env: str) -> str:
+    return secret_path(secrets_dir, env, "master.key")
+
+
+def readonly_key_path(secrets_dir: str, env: str) -> str:
+    return secret_path(secrets_dir, env, "readonly.key")
+
+
+def read_key(key_path: str) -> str:
+    with open(key_path, "r") as f:
+        return f.read()
+
+
+def resolve_read_key_path(env: str, secrets_dir: str = "secrets") -> str:
+    for key_path in (
+        readonly_key_path(secrets_dir, env),
+        master_key_path(secrets_dir, env),
+    ):
+        if path.exists(key_path):
+            return key_path
+
+    raise FileNotFoundError(f"Key for {env} does not exist!")
+
+
+def resolve_master_key_path(env: str, secrets_dir: str = "secrets") -> str:
+    key_path = master_key_path(secrets_dir, env)
+    if path.exists(key_path):
+        return key_path
+
+    if path.exists(readonly_key_path(secrets_dir, env)):
+        raise PermissionError(f"Master key for {env} does not exist!")
+
+    raise FileNotFoundError(f"Key for {env} does not exist!")
+
+
+def generate_credentials_key(
+    env: str,
+    secrets_dir: str = "secrets",
+    key_role: str = "all",
+) -> dict:
+    """Generate master and readonly credentials keys for an environment."""
+    if key_role not in {"all", "master", "readonly"}:
+        raise ValueError("key_role must be all, master, or readonly")
+
+    master_path = master_key_path(secrets_dir, env)
+    readonly_path = readonly_key_path(secrets_dir, env)
+
+    if key_role == "readonly":
+        if path.exists(readonly_path):
+            raise FileExistsError(f"Readonly key for {env} already exists!")
+        master_key = read_key(resolve_master_key_path(env, secrets_dir))
+        makedirs(secrets_dir, exist_ok=True)
+        with open(readonly_path, "w") as f:
+            f.write(derive_readonly_key(master_key))
+        return {"readonly": readonly_path}
+
+    if path.exists(master_path):
+        raise FileExistsError(f"Master key for {env} already exists!")
+    if key_role == "all" and path.exists(readonly_path):
+        raise FileExistsError(f"Readonly key for {env} already exists!")
+
+    makedirs(secrets_dir, exist_ok=True)
+    master_key, readonly_key = generate_credentials_key_pair()
+
+    with open(master_path, "w") as f:
+        f.write(master_key)
+
+    generated_paths = {"master": master_path}
+
+    if key_role == "all":
+        with open(readonly_path, "w") as f:
+            f.write(readonly_key)
+        generated_paths["readonly"] = readonly_path
+
+    return generated_paths
+
+
+def edit_credentials(
+    env: str,
+    secrets_dir: str = "secrets",
+    editor: Optional[str] = None,
+) -> str:
+    """Open decrypted credentials in an editor, then encrypt them again."""
+    from yaml import safe_dump, safe_load
+
+    key_path = resolve_master_key_path(env, secrets_dir)
+    encrypted_path = secret_path(secrets_dir, env, "yml.enc")
+    decrypted_path = secret_path(secrets_dir, env, "yml")
+
+    key = read_key(key_path)
+
+    if path.exists(encrypted_path):
+        with open(encrypted_path, "r") as f:
+            encrypted_data = f.read()
+    else:
+        encrypted_data = encrypt_credentials_data(key, "")
+
+    with open(decrypted_path, "w") as f:
+        f.write(decrypt_credentials_data(key, encrypted_data))
+
+    subprocess_run([editor or getenv("EDITOR", "nano"), decrypted_path], check=True)
+
+    with open(decrypted_path, "r") as f:
+        yaml_data = safe_load(f) or {}
+    if not isinstance(yaml_data, dict):
+        raise ValueError("Secure credentials YAML must contain a mapping at the root")
+
+    with open(encrypted_path, "w") as f:
+        f.write(encrypt_credentials_data(key, safe_dump(yaml_data)))
+
+    remove(decrypted_path)
+    return encrypted_path

secure_credentials_kit/fastapi.py

@@ -0,0 +1,53 @@
+from os import getenv
+from typing import Callable, Optional, TYPE_CHECKING
+
+from fastapi import FastAPI, Request
+
+if TYPE_CHECKING:
+    from secure_credentials_kit.secrets_loader import CredentialsContainer
+
+
+DEFAULT_STATE_ATTRIBUTE = "credentials"
+
+
+def resolve_environment(env: Optional[str] = None) -> str:
+    """Resolve the credentials environment for a FastAPI application."""
+    return (
+        env
+        or getenv("SECURE_CREDENTIALS_KIT_ENV")
+        or getenv("FASTAPI_ENV")
+        or getenv("ENV")
+        or "development"
+    )
+
+
+def load_credentials(env: Optional[str] = None) -> "CredentialsContainer":
+    from secure_credentials_kit.secrets_loader import decrypt_credentials
+
+    return decrypt_credentials(resolve_environment(env))
+
+
+def setup_secure_credentials_kit(
+    app: FastAPI,
+    env: Optional[str] = None,
+    state_attribute: str = DEFAULT_STATE_ATTRIBUTE,
+) -> "CredentialsContainer":
+    credentials = load_credentials(env)
+    setattr(app.state, state_attribute, credentials)
+    return credentials
+
+
+def get_credentials(
+    request: Request,
+    state_attribute: str = DEFAULT_STATE_ATTRIBUTE,
+) -> "CredentialsContainer":
+    return getattr(request.app.state, state_attribute)
+
+
+def credentials_dependency(
+    state_attribute: str = DEFAULT_STATE_ATTRIBUTE,
+) -> Callable[[Request], "CredentialsContainer"]:
+    def dependency(request: Request) -> "CredentialsContainer":
+        return get_credentials(request, state_attribute)
+
+    return dependency

secure_credentials_kit/management/commands/credentials_edit.py

@@ -0,0 +1,20 @@
+from django.core.management.base import BaseCommand
+
+from secure_credentials_kit.credentials import edit_credentials
+
+
+class Command(BaseCommand):
+    help = "Encrypt or decrypt data"
+
+    def add_arguments(self, parser):
+        parser.add_argument("env", type=str, help="Environment name")
+
+    def handle(self, *args, **kwargs):
+        env = kwargs["env"]
+        try:
+            encrypted_path = edit_credentials(env)
+        except (FileNotFoundError, PermissionError, ValueError) as exc:
+            self.stdout.write(str(exc))
+            return
+
+        self.stdout.write(f"Data has been encrypted and saved to {encrypted_path}")

secure_credentials_kit/management/commands/credentials_generate_key.py

@@ -0,0 +1,29 @@
+from django.core.management.base import BaseCommand
+
+from secure_credentials_kit.credentials import generate_credentials_key
+
+
+class Command(BaseCommand):
+    help = "Generate a new encryption key"
+
+    def add_arguments(self, parser):
+        parser.add_argument("env", type=str, help="Environment name")
+        parser.add_argument(
+            "--role",
+            choices=["all", "master", "readonly"],
+            default="all",
+            help="Key role to generate",
+        )
+
+    def handle(self, *args, **kwargs):
+        env = kwargs["env"]
+        try:
+            key_paths = generate_credentials_key(env, key_role=kwargs["role"])
+        except (FileExistsError, FileNotFoundError, PermissionError, ValueError) as exc:
+            self.stdout.write(str(exc))
+            return
+
+        for role, key_path in key_paths.items():
+            self.stdout.write(
+                f"{role.title()} key for {env} has been generated and saved to {key_path}"
+            )

secure_credentials_kit/secrets_loader.py

@@ -0,0 +1,63 @@
+from os import path
+from secure_credentials_kit.credentials import read_key, resolve_read_key_path, secret_path
+from secure_credentials_kit.utils import decrypt_credentials_data
+
+
+def normalize_credentials(credentials):
+    if credentials is None:
+        return {}
+    if not isinstance(credentials, dict):
+        raise ValueError("Secure credentials YAML must contain a mapping at the root")
+    return credentials
+
+
+class CredentialsContainer(object):
+    """A class to represent a container for credentials."""
+    def __init__(self, credentials: dict):
+        self._credentials = normalize_credentials(credentials)
+
+    def dig(self, *args):
+        """Dig into the credentials."""
+        value = None
+
+        # Copy the credentials
+        credentials = self._credentials.copy()
+
+        for key in args:
+            if key in credentials:
+                value = credentials[key]
+                credentials = value
+            else:
+                return None
+
+        return value
+
+    def get(self, key: str, default=None):
+        return self._credentials.get(key, default)
+
+
+def decrypt_credentials(env: str, secrets_dir: str = "secrets") -> CredentialsContainer:
+    """ Decrypt credentials """
+    from yaml import safe_load
+
+    # Check if the key exists
+    encrypted_path = secret_path(secrets_dir, env, "yml.enc")
+
+    try:
+        key_path = resolve_read_key_path(env, secrets_dir)
+    except FileNotFoundError:
+        print(f"Key for {env} does not exist!")
+        return CredentialsContainer({})
+
+    # Read encrypted data and key
+    key = read_key(key_path)
+
+    if path.exists(encrypted_path):
+        with open(encrypted_path, "r") as f:
+            data = f.read()
+    else:
+        print(f"Encrypted data for {env} does not exist!")
+        return CredentialsContainer({})
+
+    credentials = safe_load(decrypt_credentials_data(key, data))
+    return CredentialsContainer(credentials)

secure_credentials_kit/utils.py

@@ -0,0 +1,194 @@
+import base64
+import json
+from typing import Tuple
+
+KEY_FORMAT_VERSION = 2
+MASTER_KEY_ROLE = "master"
+READONLY_KEY_ROLE = "readonly"
+
+
+def _base64_encode(data: bytes) -> str:
+    return base64.urlsafe_b64encode(data).decode("utf-8")
+
+
+def _base64_decode(data: str) -> bytes:
+    return base64.urlsafe_b64decode(data.encode("utf-8"))
+
+
+def _generate_signing_key_pair():
+    from cryptography.hazmat.primitives import serialization
+    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+
+    private_key = Ed25519PrivateKey.generate()
+    public_key = private_key.public_key()
+
+    private_bytes = private_key.private_bytes(
+        encoding=serialization.Encoding.Raw,
+        format=serialization.PrivateFormat.Raw,
+        encryption_algorithm=serialization.NoEncryption(),
+    )
+    public_bytes = public_key.public_bytes(
+        encoding=serialization.Encoding.Raw,
+        format=serialization.PublicFormat.Raw,
+    )
+
+    return _base64_encode(private_bytes), _base64_encode(public_bytes)
+
+
+def _sign_data(signing_key: str, data: str) -> str:
+    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+
+    private_key = Ed25519PrivateKey.from_private_bytes(_base64_decode(signing_key))
+    return _base64_encode(private_key.sign(data.encode("utf-8")))
+
+
+def _verify_signature(verification_key: str, data: str, signature: str) -> None:
+    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
+
+    public_key = Ed25519PublicKey.from_public_bytes(_base64_decode(verification_key))
+    public_key.verify(_base64_decode(signature), data.encode("utf-8"))
+
+
+def serialize_key(key_data: dict) -> str:
+    return json.dumps(key_data, sort_keys=True)
+
+
+def parse_key(key: str) -> dict:
+    stripped_key = key.strip()
+
+    try:
+        key_data = json.loads(stripped_key)
+    except json.JSONDecodeError:
+        raise ValueError("Unsupported credentials key format")
+
+    if not isinstance(key_data, dict):
+        raise ValueError("Unsupported credentials key format")
+
+    if key_data.get("version") != KEY_FORMAT_VERSION:
+        raise ValueError("Unsupported credentials key format")
+
+    role = key_data.get("role")
+    if role not in {MASTER_KEY_ROLE, READONLY_KEY_ROLE}:
+        raise ValueError("Unsupported credentials key role")
+
+    if not key_data.get("encryption_key"):
+        raise ValueError("Credentials key is missing encryption_key")
+
+    if not key_data.get("verification_key"):
+        raise ValueError("Credentials key is missing verification_key")
+
+    if role == MASTER_KEY_ROLE and not key_data.get("signing_key"):
+        raise ValueError("Master credentials key is missing signing_key")
+
+    return key_data
+
+
+def is_master_key(key: str) -> bool:
+    return parse_key(key)["role"] == MASTER_KEY_ROLE
+
+
+def is_readonly_key(key: str) -> bool:
+    return parse_key(key)["role"] == READONLY_KEY_ROLE
+
+
+def generate_credentials_key_pair() -> Tuple[str, str]:
+    encryption_key = generate_encryption_key()
+    signing_key, verification_key = _generate_signing_key_pair()
+
+    master_key = serialize_key(
+        {
+            "version": KEY_FORMAT_VERSION,
+            "role": MASTER_KEY_ROLE,
+            "encryption_key": encryption_key,
+            "signing_key": signing_key,
+            "verification_key": verification_key,
+        }
+    )
+    readonly_key = serialize_key(
+        {
+            "version": KEY_FORMAT_VERSION,
+            "role": READONLY_KEY_ROLE,
+            "encryption_key": encryption_key,
+            "verification_key": verification_key,
+        }
+    )
+
+    return master_key, readonly_key
+
+
+def derive_readonly_key(master_key: str) -> str:
+    key_data = parse_key(master_key)
+    if key_data["role"] != MASTER_KEY_ROLE:
+        raise PermissionError("Readonly key can only be derived from a master key")
+
+    return serialize_key(
+        {
+            "version": KEY_FORMAT_VERSION,
+            "role": READONLY_KEY_ROLE,
+            "encryption_key": key_data["encryption_key"],
+            "verification_key": key_data["verification_key"],
+        }
+    )
+
+
+def encrypt_credentials_data(key: str, data: str) -> str:
+    key_data = parse_key(key)
+
+    if key_data["role"] != MASTER_KEY_ROLE:
+        raise PermissionError("A master key is required to encrypt credentials")
+
+    encrypted_data = encrypt_data(key_data["encryption_key"], data)
+
+    return json.dumps(
+        {
+            "version": KEY_FORMAT_VERSION,
+            "payload": encrypted_data,
+            "signature": _sign_data(key_data["signing_key"], encrypted_data),
+        },
+        sort_keys=True,
+    )
+
+
+def decrypt_credentials_data(key: str, data: str) -> str:
+    key_data = parse_key(key)
+    stripped_data = data.strip()
+
+    try:
+        envelope = json.loads(stripped_data)
+    except json.JSONDecodeError:
+        raise ValueError("Encrypted credentials must use a signed envelope")
+
+    if envelope.get("version") != KEY_FORMAT_VERSION:
+        raise ValueError("Unsupported encrypted credentials format")
+
+    payload = envelope.get("payload")
+    signature = envelope.get("signature")
+    if not payload or not signature:
+        raise ValueError("Encrypted credentials are missing payload or signature")
+
+    _verify_signature(key_data["verification_key"], payload, signature)
+    return decrypt_data(key_data["encryption_key"], payload)
+
+
+def generate_encryption_key() -> str:
+    """ Generate random key for encryption """
+    from cryptography.fernet import Fernet
+
+    key = Fernet.generate_key()
+    return key.decode("utf-8")
+
+
+def encrypt_data(key: str, data: str) -> str:
+    """ Encrypt data using key """
+    from cryptography.fernet import Fernet
+
+    f = Fernet(key)
+    return f.encrypt(data.encode("utf-8")).decode("utf-8")
+
+
+def decrypt_data(key: str, data: str) -> str:
+    """ Decrypt data using key """
+    from cryptography.fernet import Fernet
+
+    f = Fernet(key)
+    return f.decrypt(data.encode("utf-8")).decode("utf-8")

secure_credentials_kit-0.1.0.dist-info/METADATA

@@ -0,0 +1,227 @@
+Metadata-Version: 2.4
+Name: secure-credentials-kit
+Version: 0.1.0
+Summary: A secure encrypted credentials system for Django and FastAPI, inspired by Rails credentials
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/lexpank/django-secure-credentials-kit
+Project-URL: Issues, https://github.com/lexpank/django-secure-credentials-kit/issues
+Keywords: django,fastapi,credentials,encryption,security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Framework :: Django
+Classifier: Framework :: FastAPI
+Classifier: Topic :: Security
+Requires-Python: <3.15,>=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cryptography>=41.0.0
+Requires-Dist: pyyaml>=6.0
+Provides-Extra: django
+Requires-Dist: Django<6.1,>=5.2; extra == "django"
+Provides-Extra: fastapi
+Requires-Dist: fastapi>=0.100.0; extra == "fastapi"
+Dynamic: license-file
+
+# Secure Credentials Kit
+
+A secure, encrypted credentials system for Django and FastAPI, inspired by Rails credentials.
+
+## Features
+- Environment-specific encrypted credentials
+- Framework-neutral CLI for generating and editing encrypted credentials
+- Master keys for editing credentials and read-only keys for application runtime access
+- Django management commands
+- FastAPI helpers for loading credentials into application state
+
+## Installation
+
+The PyPI distribution, Python package, and CLI are all named for Secure
+Credentials Kit:
+
+- Distribution: `secure-credentials-kit`
+- Python package: `secure_credentials_kit`
+- CLI: `secure-credentials-kit`
+
+Supported versions:
+
+- Python 3.10, 3.11, 3.12, 3.13, and 3.14
+- Django 5.2 LTS and Django 6.0
+
+For Django:
+
+```sh
+pip install "secure-credentials-kit[django]"
+```
+
+For FastAPI:
+
+```sh
+pip install "secure-credentials-kit[fastapi]"
+```
+
+## Local Development
+
+This project uses `pyproject.toml` for package metadata and uv for local
+dependency management.
+
+Install uv, then create a development environment:
+
+```sh
+uv sync
+```
+
+Install framework extras when you need to test integrations:
+
+```sh
+uv sync --extra django
+uv sync --extra fastapi
+```
+
+Run tests:
+
+```sh
+uv run python -m unittest discover -v
+```
+
+Build the package:
+
+```sh
+uv run python -m build
+```
+
+## Credentials Files
+
+Add secret keys to `.gitignore`:
+
+```sh
+echo "secrets/*.key" >> .gitignore
+```
+
+Generate a new key:
+
+```sh
+secure-credentials-kit generate-key <environment>
+```
+
+This creates two keys:
+
+- `secrets/<environment>.master.key` can decrypt, edit, encrypt, and sign credentials.
+- `secrets/<environment>.readonly.key` can decrypt and verify credentials, but cannot produce accepted credential updates.
+
+You can regenerate a read-only key from an existing master key:
+
+```sh
+secure-credentials-kit generate-key <environment> --role readonly
+```
+
+Edit encrypted credentials:
+
+```sh
+secure-credentials-kit edit <environment>
+```
+
+Editing requires `secrets/<environment>.master.key`. Applications should normally
+run with only `secrets/<environment>.readonly.key`.
+
+The editor opens the decrypted YAML. The YAML root must be a mapping:
+
+```yaml
+SOME_ENV_VAR: secret-value
+database:
+  url: postgres://user:password@localhost:5432/app
+api:
+  token: token-value
+```
+
+Credentials are stored in `secrets/<environment>.yml.enc`, and keys are stored in
+`secrets/<environment>.master.key` and `secrets/<environment>.readonly.key`.
+The encrypted file is generated by the tool and should not be edited by hand. It
+contains a signed encrypted payload similar to:
+
+```json
+{
+  "version": 2,
+  "payload": "gAAAAAB...",
+  "signature": "..."
+}
+```
+
+## Django Usage
+
+Add `secure_credentials_kit` to your `INSTALLED_APPS` in `settings.py`:
+
+```python
+INSTALLED_APPS = [
+    ...
+    'secure_credentials_kit',
+    ...
+]
+```
+
+You can also use Django management commands:
+
+```sh
+python manage.py credentials_generate_key <environment>
+```
+
+```sh
+python manage.py credentials_generate_key <environment> --role readonly
+```
+
+```sh
+python manage.py credentials_edit <environment>
+```
+
+To load the credentials in your Django app:
+
+```python
+from secure_credentials_kit.secrets_loader import decrypt_credentials
+credentials = decrypt_credentials("environment")
+```
+
+Where `credentials` is an instance of class `CredentialsContainer` containing the decrypted credentials.
+
+## FastAPI Usage
+
+Load credentials into FastAPI application state:
+
+```python
+from fastapi import Depends, FastAPI
+from secure_credentials_kit.fastapi import (
+    credentials_dependency,
+    setup_secure_credentials_kit,
+)
+
+app = FastAPI()
+setup_secure_credentials_kit(app, "production")
+
+
+@app.get("/settings")
+def settings(credentials=Depends(credentials_dependency())):
+    return {"api_host": credentials.get("api_host")}
+```
+
+If no environment is passed to `setup_secure_credentials_kit`, the helper checks
+`SECURE_CREDENTIALS_KIT_ENV`, `FASTAPI_ENV`, `ENV`, then falls back to `development`.
+
+## Accessing Credentials
+
+To access a credential:
+
+```python
+credentials.get('key')
+```
+
+or
+
+```python
+credentials.dig('key', 'subkey')
+```
+
+for complex nested credentials.

secure_credentials_kit-0.1.0.dist-info/RECORD

@@ -0,0 +1,16 @@
+secure_credentials_kit/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+secure_credentials_kit/cli.py,sha256=TgB0fqfkYyY92OwB4s2UrNPuZCDvTuvmhIna54Ie8wM,3490
+secure_credentials_kit/credentials.py,sha256=_jcoJjSwP_opGzndAKo6g8cLF1JSFoqwKvkfc3qib-I,4090
+secure_credentials_kit/fastapi.py,sha256=ikLC-kZefR1DXu3yImFKquxiq5z-Ne1QPFn1EReC3Ns,1493
+secure_credentials_kit/secrets_loader.py,sha256=undYS0BAIpZX53W5DjeYIkSCVb4qS5jGGxzF-m2QSSg,1918
+secure_credentials_kit/utils.py,sha256=EWGfzKD3yD9Vmc0F8QINbjpHEZAfgH7bVXA9bCRoIzE,5965
+secure_credentials_kit/management/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+secure_credentials_kit/management/commands/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+secure_credentials_kit/management/commands/credentials_edit.py,sha256=slLi6QnAcMtCiKx7RZj-7MwSGI1G6XkzQJN7-IeRxJk,640
+secure_credentials_kit/management/commands/credentials_generate_key.py,sha256=v8NlrHfMwy5qGjoEUiRcAZcp1RSY5g2Nu5C7xB2yupY,980
+secure_credentials_kit-0.1.0.dist-info/licenses/LICENSE,sha256=OXjMtetlx854vD4bIH1r1HKvKhzRNnMPPtmtBT8tU_0,1066
+secure_credentials_kit-0.1.0.dist-info/METADATA,sha256=2itV1sNApjuRecDQRHbeavBV5NhilxM4A6mrbE4wDqc,5377
+secure_credentials_kit-0.1.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+secure_credentials_kit-0.1.0.dist-info/entry_points.txt,sha256=dmrkBiN5nVMXaopffcznlydYMGApiNiJeLwsaXcnjyQ,225
+secure_credentials_kit-0.1.0.dist-info/top_level.txt,sha256=bBDDI3bfOffsyqpy5H942mjU8FIMcFbqCCurwhETHz8,28
+secure_credentials_kit-0.1.0.dist-info/RECORD,,

secure_credentials_kit-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

secure_credentials_kit-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,4 @@
+[console_scripts]
+secure-credentials-kit = secure_credentials_kit.cli:main
+secure-credentials-kit-edit = secure_credentials_kit.cli:edit_main
+secure-credentials-kit-generate-key = secure_credentials_kit.cli:generate_key_main

secure_credentials_kit-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Alexander
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

secure_credentials_kit-0.1.0.dist-info/top_level.txt

@@ -0,0 +1,2 @@
+dist
+secure_credentials_kit