secure-credentials-kit 0.1.0__tar.gz

secure_credentials_kit-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Alexander
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

secure_credentials_kit-0.1.0/PKG-INFO

@@ -0,0 +1,227 @@
+Metadata-Version: 2.4
+Name: secure-credentials-kit
+Version: 0.1.0
+Summary: A secure encrypted credentials system for Django and FastAPI, inspired by Rails credentials
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/lexpank/django-secure-credentials-kit
+Project-URL: Issues, https://github.com/lexpank/django-secure-credentials-kit/issues
+Keywords: django,fastapi,credentials,encryption,security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Framework :: Django
+Classifier: Framework :: FastAPI
+Classifier: Topic :: Security
+Requires-Python: <3.15,>=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cryptography>=41.0.0
+Requires-Dist: pyyaml>=6.0
+Provides-Extra: django
+Requires-Dist: Django<6.1,>=5.2; extra == "django"
+Provides-Extra: fastapi
+Requires-Dist: fastapi>=0.100.0; extra == "fastapi"
+Dynamic: license-file
+
+# Secure Credentials Kit
+
+A secure, encrypted credentials system for Django and FastAPI, inspired by Rails credentials.
+
+## Features
+- Environment-specific encrypted credentials
+- Framework-neutral CLI for generating and editing encrypted credentials
+- Master keys for editing credentials and read-only keys for application runtime access
+- Django management commands
+- FastAPI helpers for loading credentials into application state
+
+## Installation
+
+The PyPI distribution, Python package, and CLI are all named for Secure
+Credentials Kit:
+
+- Distribution: `secure-credentials-kit`
+- Python package: `secure_credentials_kit`
+- CLI: `secure-credentials-kit`
+
+Supported versions:
+
+- Python 3.10, 3.11, 3.12, 3.13, and 3.14
+- Django 5.2 LTS and Django 6.0
+
+For Django:
+
+```sh
+pip install "secure-credentials-kit[django]"
+```
+
+For FastAPI:
+
+```sh
+pip install "secure-credentials-kit[fastapi]"
+```
+
+## Local Development
+
+This project uses `pyproject.toml` for package metadata and uv for local
+dependency management.
+
+Install uv, then create a development environment:
+
+```sh
+uv sync
+```
+
+Install framework extras when you need to test integrations:
+
+```sh
+uv sync --extra django
+uv sync --extra fastapi
+```
+
+Run tests:
+
+```sh
+uv run python -m unittest discover -v
+```
+
+Build the package:
+
+```sh
+uv run python -m build
+```
+
+## Credentials Files
+
+Add secret keys to `.gitignore`:
+
+```sh
+echo "secrets/*.key" >> .gitignore
+```
+
+Generate a new key:
+
+```sh
+secure-credentials-kit generate-key <environment>
+```
+
+This creates two keys:
+
+- `secrets/<environment>.master.key` can decrypt, edit, encrypt, and sign credentials.
+- `secrets/<environment>.readonly.key` can decrypt and verify credentials, but cannot produce accepted credential updates.
+
+You can regenerate a read-only key from an existing master key:
+
+```sh
+secure-credentials-kit generate-key <environment> --role readonly
+```
+
+Edit encrypted credentials:
+
+```sh
+secure-credentials-kit edit <environment>
+```
+
+Editing requires `secrets/<environment>.master.key`. Applications should normally
+run with only `secrets/<environment>.readonly.key`.
+
+The editor opens the decrypted YAML. The YAML root must be a mapping:
+
+```yaml
+SOME_ENV_VAR: secret-value
+database:
+  url: postgres://user:password@localhost:5432/app
+api:
+  token: token-value
+```
+
+Credentials are stored in `secrets/<environment>.yml.enc`, and keys are stored in
+`secrets/<environment>.master.key` and `secrets/<environment>.readonly.key`.
+The encrypted file is generated by the tool and should not be edited by hand. It
+contains a signed encrypted payload similar to:
+
+```json
+{
+  "version": 2,
+  "payload": "gAAAAAB...",
+  "signature": "..."
+}
+```
+
+## Django Usage
+
+Add `secure_credentials_kit` to your `INSTALLED_APPS` in `settings.py`:
+
+```python
+INSTALLED_APPS = [
+    ...
+    'secure_credentials_kit',
+    ...
+]
+```
+
+You can also use Django management commands:
+
+```sh
+python manage.py credentials_generate_key <environment>
+```
+
+```sh
+python manage.py credentials_generate_key <environment> --role readonly
+```
+
+```sh
+python manage.py credentials_edit <environment>
+```
+
+To load the credentials in your Django app:
+
+```python
+from secure_credentials_kit.secrets_loader import decrypt_credentials
+credentials = decrypt_credentials("environment")
+```
+
+Where `credentials` is an instance of class `CredentialsContainer` containing the decrypted credentials.
+
+## FastAPI Usage
+
+Load credentials into FastAPI application state:
+
+```python
+from fastapi import Depends, FastAPI
+from secure_credentials_kit.fastapi import (
+    credentials_dependency,
+    setup_secure_credentials_kit,
+)
+
+app = FastAPI()
+setup_secure_credentials_kit(app, "production")
+
+
+@app.get("/settings")
+def settings(credentials=Depends(credentials_dependency())):
+    return {"api_host": credentials.get("api_host")}
+```
+
+If no environment is passed to `setup_secure_credentials_kit`, the helper checks
+`SECURE_CREDENTIALS_KIT_ENV`, `FASTAPI_ENV`, `ENV`, then falls back to `development`.
+
+## Accessing Credentials
+
+To access a credential:
+
+```python
+credentials.get('key')
+```
+
+or
+
+```python
+credentials.dig('key', 'subkey')
+```
+
+for complex nested credentials.

secure_credentials_kit-0.1.0/README.md

@@ -0,0 +1,197 @@
+# Secure Credentials Kit
+
+A secure, encrypted credentials system for Django and FastAPI, inspired by Rails credentials.
+
+## Features
+- Environment-specific encrypted credentials
+- Framework-neutral CLI for generating and editing encrypted credentials
+- Master keys for editing credentials and read-only keys for application runtime access
+- Django management commands
+- FastAPI helpers for loading credentials into application state
+
+## Installation
+
+The PyPI distribution, Python package, and CLI are all named for Secure
+Credentials Kit:
+
+- Distribution: `secure-credentials-kit`
+- Python package: `secure_credentials_kit`
+- CLI: `secure-credentials-kit`
+
+Supported versions:
+
+- Python 3.10, 3.11, 3.12, 3.13, and 3.14
+- Django 5.2 LTS and Django 6.0
+
+For Django:
+
+```sh
+pip install "secure-credentials-kit[django]"
+```
+
+For FastAPI:
+
+```sh
+pip install "secure-credentials-kit[fastapi]"
+```
+
+## Local Development
+
+This project uses `pyproject.toml` for package metadata and uv for local
+dependency management.
+
+Install uv, then create a development environment:
+
+```sh
+uv sync
+```
+
+Install framework extras when you need to test integrations:
+
+```sh
+uv sync --extra django
+uv sync --extra fastapi
+```
+
+Run tests:
+
+```sh
+uv run python -m unittest discover -v
+```
+
+Build the package:
+
+```sh
+uv run python -m build
+```
+
+## Credentials Files
+
+Add secret keys to `.gitignore`:
+
+```sh
+echo "secrets/*.key" >> .gitignore
+```
+
+Generate a new key:
+
+```sh
+secure-credentials-kit generate-key <environment>
+```
+
+This creates two keys:
+
+- `secrets/<environment>.master.key` can decrypt, edit, encrypt, and sign credentials.
+- `secrets/<environment>.readonly.key` can decrypt and verify credentials, but cannot produce accepted credential updates.
+
+You can regenerate a read-only key from an existing master key:
+
+```sh
+secure-credentials-kit generate-key <environment> --role readonly
+```
+
+Edit encrypted credentials:
+
+```sh
+secure-credentials-kit edit <environment>
+```
+
+Editing requires `secrets/<environment>.master.key`. Applications should normally
+run with only `secrets/<environment>.readonly.key`.
+
+The editor opens the decrypted YAML. The YAML root must be a mapping:
+
+```yaml
+SOME_ENV_VAR: secret-value
+database:
+  url: postgres://user:password@localhost:5432/app
+api:
+  token: token-value
+```
+
+Credentials are stored in `secrets/<environment>.yml.enc`, and keys are stored in
+`secrets/<environment>.master.key` and `secrets/<environment>.readonly.key`.
+The encrypted file is generated by the tool and should not be edited by hand. It
+contains a signed encrypted payload similar to:
+
+```json
+{
+  "version": 2,
+  "payload": "gAAAAAB...",
+  "signature": "..."
+}
+```
+
+## Django Usage
+
+Add `secure_credentials_kit` to your `INSTALLED_APPS` in `settings.py`:
+
+```python
+INSTALLED_APPS = [
+    ...
+    'secure_credentials_kit',
+    ...
+]
+```
+
+You can also use Django management commands:
+
+```sh
+python manage.py credentials_generate_key <environment>
+```
+
+```sh
+python manage.py credentials_generate_key <environment> --role readonly
+```
+
+```sh
+python manage.py credentials_edit <environment>
+```
+
+To load the credentials in your Django app:
+
+```python
+from secure_credentials_kit.secrets_loader import decrypt_credentials
+credentials = decrypt_credentials("environment")
+```
+
+Where `credentials` is an instance of class `CredentialsContainer` containing the decrypted credentials.
+
+## FastAPI Usage
+
+Load credentials into FastAPI application state:
+
+```python
+from fastapi import Depends, FastAPI
+from secure_credentials_kit.fastapi import (
+    credentials_dependency,
+    setup_secure_credentials_kit,
+)
+
+app = FastAPI()
+setup_secure_credentials_kit(app, "production")
+
+
+@app.get("/settings")
+def settings(credentials=Depends(credentials_dependency())):
+    return {"api_host": credentials.get("api_host")}
+```
+
+If no environment is passed to `setup_secure_credentials_kit`, the helper checks
+`SECURE_CREDENTIALS_KIT_ENV`, `FASTAPI_ENV`, `ENV`, then falls back to `development`.
+
+## Accessing Credentials
+
+To access a credential:
+
+```python
+credentials.get('key')
+```
+
+or
+
+```python
+credentials.dig('key', 'subkey')
+```
+
+for complex nested credentials.

secure_credentials_kit-0.1.0/pyproject.toml

@@ -0,0 +1,52 @@
+[build-system]
+requires = ["setuptools>=61", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "secure-credentials-kit"
+version = "0.1.0"
+description = "A secure encrypted credentials system for Django and FastAPI, inspired by Rails credentials"
+readme = "README.md"
+requires-python = ">=3.10,<3.15"
+license = "MIT"
+license-files = ["LICENSE"]
+keywords = ["django", "fastapi", "credentials", "encryption", "security"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Intended Audience :: Developers",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Framework :: Django",
+    "Framework :: FastAPI",
+    "Topic :: Security",
+]
+dependencies = [
+    "cryptography>=41.0.0",
+    "pyyaml>=6.0",
+]
+
+[project.optional-dependencies]
+django = ["Django>=5.2,<6.1"]
+fastapi = ["fastapi>=0.100.0"]
+
+[project.scripts]
+secure-credentials-kit = "secure_credentials_kit.cli:main"
+secure-credentials-kit-edit = "secure_credentials_kit.cli:edit_main"
+secure-credentials-kit-generate-key = "secure_credentials_kit.cli:generate_key_main"
+
+[project.urls]
+Homepage = "https://github.com/lexpank/django-secure-credentials-kit"
+Issues = "https://github.com/lexpank/django-secure-credentials-kit/issues"
+
+[tool.setuptools.packages.find]
+exclude = ["tests", "examples"]
+
+[dependency-groups]
+dev = [
+    "build>=1.2.0",
+    "twine>=6.0.0",
+]

secure_credentials_kit-0.1.0/secure_credentials_kit/cli.py

@@ -0,0 +1,105 @@
+import argparse
+
+from secure_credentials_kit.credentials import edit_credentials, generate_credentials_key
+
+
+def print_key_paths(env: str, key_paths: dict) -> None:
+    for role, key_path in key_paths.items():
+        print(f"{role.title()} key for {env} has been generated and saved to {key_path}")
+
+
+def generate_key_main(argv=None) -> int:
+    parser = argparse.ArgumentParser(
+        description="Generate an encryption key for secure credentials."
+    )
+    parser.add_argument("env", help="Environment name")
+    parser.add_argument("--secrets-dir", default="secrets", help="Credentials directory")
+    parser.add_argument(
+        "--role",
+        choices=["all", "master", "readonly"],
+        default="all",
+        help="Key role to generate",
+    )
+    args = parser.parse_args(argv)
+
+    try:
+        key_paths = generate_credentials_key(args.env, args.secrets_dir, args.role)
+    except (FileExistsError, FileNotFoundError, PermissionError, ValueError) as exc:
+        print(exc)
+        return 1
+
+    print_key_paths(args.env, key_paths)
+    return 0
+
+
+def edit_main(argv=None) -> int:
+    parser = argparse.ArgumentParser(description="Edit encrypted secure credentials.")
+    parser.add_argument("env", help="Environment name")
+    parser.add_argument("--secrets-dir", default="secrets", help="Credentials directory")
+    parser.add_argument("--editor", help="Editor command to use")
+    args = parser.parse_args(argv)
+
+    try:
+        encrypted_path = edit_credentials(args.env, args.secrets_dir, args.editor)
+    except (FileNotFoundError, PermissionError, ValueError) as exc:
+        print(exc)
+        return 1
+
+    print(f"Data has been encrypted and saved to {encrypted_path}")
+    return 0
+
+
+def main(argv=None) -> int:
+    parser = argparse.ArgumentParser(prog="secure-credentials-kit")
+    subparsers = parser.add_subparsers(dest="command", required=True)
+
+    generate_parser = subparsers.add_parser(
+        "generate-key",
+        help="Generate an encryption key for an environment.",
+    )
+    generate_parser.add_argument("env", help="Environment name")
+    generate_parser.add_argument(
+        "--secrets-dir",
+        default="secrets",
+        help="Credentials directory",
+    )
+    generate_parser.add_argument(
+        "--role",
+        choices=["all", "master", "readonly"],
+        default="all",
+        help="Key role to generate",
+    )
+
+    edit_parser = subparsers.add_parser(
+        "edit",
+        help="Edit encrypted credentials for an environment.",
+    )
+    edit_parser.add_argument("env", help="Environment name")
+    edit_parser.add_argument(
+        "--secrets-dir",
+        default="secrets",
+        help="Credentials directory",
+    )
+    edit_parser.add_argument("--editor", help="Editor command to use")
+
+    args = parser.parse_args(argv)
+
+    if args.command == "generate-key":
+        try:
+            key_paths = generate_credentials_key(args.env, args.secrets_dir, args.role)
+        except (FileExistsError, FileNotFoundError, PermissionError, ValueError) as exc:
+            print(exc)
+            return 1
+        print_key_paths(args.env, key_paths)
+        return 0
+
+    if args.command == "edit":
+        try:
+            encrypted_path = edit_credentials(args.env, args.secrets_dir, args.editor)
+        except (FileNotFoundError, PermissionError, ValueError) as exc:
+            print(exc)
+            return 1
+        print(f"Data has been encrypted and saved to {encrypted_path}")
+        return 0
+
+    return 1