superencryptx 0.1.0__py3-none-any.whl

superencrypt/__init__.py

@@ -0,0 +1,2 @@
+__all__ = ["__version__"]
+__version__ = "0.1.0"

superencrypt/__main__.py

@@ -0,0 +1,5 @@
+from .cli import main
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

superencrypt/cli.py

@@ -0,0 +1,110 @@
+from __future__ import annotations
+
+import argparse
+import sys
+from pathlib import Path
+from typing import List
+
+from .crypto import Crypto
+from .scanner import scan_repo, iter_repo_files
+from .transform import encrypt_file, decrypt_file
+
+
+DEFAULT_KEY_FILE = ".superencrypt.key"
+
+
+def _load_key_from_args(args: argparse.Namespace) -> bytes:
+    if args.key:
+        return args.key.encode("utf-8")
+    if args.key_file:
+        return Path(args.key_file).read_bytes().strip()
+    raise SystemExit("Missing key: provide --key or --key-file")
+
+
+def _write_key_file(path: Path, key: bytes) -> None:
+    path.write_bytes(key + b"\n")
+
+
+def cmd_scan(args: argparse.Namespace) -> int:
+    root = Path(args.root).resolve()
+    findings = scan_repo(root)
+    if not findings:
+        print("No secrets found.")
+        return 0
+    for finding in findings:
+        rel = finding.path.relative_to(root)
+        key = finding.key or "secret"
+        print(f"{rel}:{finding.line_number} {key}={finding.value}")
+    print(f"\nFound {len(findings)} potential secrets.")
+    return 1
+
+
+def cmd_encrypt(args: argparse.Namespace) -> int:
+    root = Path(args.root).resolve()
+    if args.key or args.key_file:
+        key = _load_key_from_args(args)
+    else:
+        key = Crypto.generate_key()
+        print(key.decode("utf-8"))
+        _write_key_file(Path(DEFAULT_KEY_FILE), key)
+    crypto = Crypto(key)
+
+    changed_files: List[Path] = []
+    for path in iter_repo_files(root):
+        result = encrypt_file(path, crypto)
+        if result.changed:
+            changed_files.append(result.path)
+    if changed_files:
+        print(f"Encrypted {len(changed_files)} files.")
+    else:
+        print("No changes made.")
+    return 0
+
+
+def cmd_decrypt(args: argparse.Namespace) -> int:
+    root = Path(args.root).resolve()
+    key = _load_key_from_args(args)
+    crypto = Crypto(key)
+
+    changed_files: List[Path] = []
+    for path in iter_repo_files(root):
+        result = decrypt_file(path, crypto)
+        if result.changed:
+            changed_files.append(result.path)
+    if changed_files:
+        print(f"Decrypted {len(changed_files)} files.")
+    else:
+        print("No changes made.")
+    return 0
+
+
+def build_parser() -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(prog="superencrypt")
+    parser.add_argument("--root", default=".", help="Root directory to scan")
+
+    subparsers = parser.add_subparsers(dest="command", required=True)
+
+    scan_parser = subparsers.add_parser("scan", help="Scan repo for secrets")
+    scan_parser.set_defaults(func=cmd_scan)
+
+    encrypt_parser = subparsers.add_parser("encrypt", help="Encrypt secrets in-place")
+    encrypt_parser.add_argument("--key", help="Base64 key string")
+    encrypt_parser.add_argument("--key-file", help="Path to key file")
+    encrypt_parser.set_defaults(func=cmd_encrypt)
+
+    decrypt_parser = subparsers.add_parser("decrypt", help="Decrypt secrets in-place")
+    decrypt_parser.add_argument("--key", help="Base64 key string")
+    decrypt_parser.add_argument("--key-file", help="Path to key file")
+    decrypt_parser.set_defaults(func=cmd_decrypt)
+
+    return parser
+
+
+def main() -> int:
+    parser = build_parser()
+    args = parser.parse_args()
+    return args.func(args)
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

superencrypt/crypto.py

@@ -0,0 +1,52 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Optional
+
+from cryptography.fernet import Fernet, InvalidToken
+
+
+ENC_PREFIX = "ENC["
+ENC_SUFFIX = "]"
+
+
+@dataclass(frozen=True)
+class EncryptionResult:
+    token: str
+
+
+class CryptoError(RuntimeError):
+    pass
+
+
+class Crypto:
+    def __init__(self, key: bytes):
+        self._fernet = Fernet(key)
+
+    @staticmethod
+    def generate_key() -> bytes:
+        return Fernet.generate_key()
+
+    def encrypt(self, plaintext: str) -> EncryptionResult:
+        token = self._fernet.encrypt(plaintext.encode("utf-8")).decode("utf-8")
+        return EncryptionResult(token=token)
+
+    def decrypt(self, token: str) -> str:
+        try:
+            return self._fernet.decrypt(token.encode("utf-8")).decode("utf-8")
+        except InvalidToken as exc:
+            raise CryptoError("Invalid decryption key or token") from exc
+
+
+def is_encrypted_value(value: str) -> bool:
+    return value.startswith(ENC_PREFIX) and value.endswith(ENC_SUFFIX)
+
+
+def wrap_encrypted(token: str) -> str:
+    return f"{ENC_PREFIX}{token}{ENC_SUFFIX}"
+
+
+def unwrap_encrypted(value: str) -> Optional[str]:
+    if not is_encrypted_value(value):
+        return None
+    return value[len(ENC_PREFIX) : -len(ENC_SUFFIX)]

superencrypt/scanner.py

@@ -0,0 +1,133 @@
+from __future__ import annotations
+
+import os
+import re
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Iterable, Iterator, List, Optional
+
+
+SKIP_DIRS = {
+    ".git",
+    ".hg",
+    ".svn",
+    "node_modules",
+    "dist",
+    "build",
+    ".venv",
+    "venv",
+    "__pycache__",
+}
+
+SKIP_FILES = {
+    ".superencrypt.key",
+}
+
+ENV_FILE_PATTERNS = (
+    ".env",
+    ".env.",
+    ".envrc",
+)
+
+SENSITIVE_KEYWORDS = re.compile(
+    r"(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|db[_-]?user|database[_-]?user)"
+)
+
+
+@dataclass
+class Finding:
+    path: Path
+    line_number: int
+    key: Optional[str]
+    value: str
+
+
+@dataclass
+class SecretPattern:
+    name: str
+    regex: re.Pattern
+    group: int
+
+
+SECRET_PATTERNS: List[SecretPattern] = [
+    SecretPattern(
+        name="aws_access_key_id",
+        regex=re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
+        group=1,
+    ),
+    SecretPattern(
+        name="aws_secret_access_key",
+        regex=re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*([A-Za-z0-9/+=]{40})"),
+        group=1,
+    ),
+    SecretPattern(
+        name="generic_assignment",
+        regex=re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*([\w\-./+=:@]+)"),
+        group=2,
+    ),
+]
+
+
+def _is_env_file(path: Path) -> bool:
+    name = path.name
+    if name == ".env" or name.startswith(".env.") or name.endswith(".env"):
+        return True
+    return name in ENV_FILE_PATTERNS
+
+
+def _is_binary(data: bytes) -> bool:
+    return b"\x00" in data
+
+
+def iter_repo_files(root: Path) -> Iterator[Path]:
+    for dirpath, dirnames, filenames in os.walk(root):
+        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
+        for filename in filenames:
+            if filename in SKIP_FILES:
+                continue
+            yield Path(dirpath) / filename
+
+
+def scan_env_file(path: Path) -> List[Finding]:
+    findings: List[Finding] = []
+    text = path.read_text(encoding="utf-8", errors="ignore")
+    for idx, line in enumerate(text.splitlines(), start=1):
+        stripped = line.strip()
+        if not stripped or stripped.startswith("#"):
+            continue
+        if stripped.startswith("export "):
+            stripped = stripped[len("export ") :]
+        if "=" not in stripped:
+            continue
+        key, value = stripped.split("=", 1)
+        key = key.strip()
+        value = value.strip().strip('"').strip("'")
+        if SENSITIVE_KEYWORDS.search(key):
+            findings.append(Finding(path=path, line_number=idx, key=key, value=value))
+    return findings
+
+
+def scan_file_for_patterns(path: Path) -> List[Finding]:
+    data = path.read_bytes()
+    if _is_binary(data):
+        return []
+    text = data.decode("utf-8", errors="ignore")
+    findings: List[Finding] = []
+    for idx, line in enumerate(text.splitlines(), start=1):
+        for pattern in SECRET_PATTERNS:
+            match = pattern.regex.search(line)
+            if not match:
+                continue
+            value = match.group(pattern.group)
+            findings.append(Finding(path=path, line_number=idx, key=pattern.name, value=value))
+    return findings
+
+
+def scan_repo(root: Path) -> List[Finding]:
+    findings: List[Finding] = []
+    for path in iter_repo_files(root):
+        if _is_env_file(path):
+            findings.extend(scan_env_file(path))
+            continue
+        findings.extend(scan_file_for_patterns(path))
+    return findings

superencrypt/transform.py

@@ -0,0 +1,143 @@
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Iterable, List
+
+from .crypto import Crypto, is_encrypted_value, wrap_encrypted, unwrap_encrypted
+from .scanner import SECRET_PATTERNS, SENSITIVE_KEYWORDS, _is_env_file, _is_binary
+
+
+@dataclass
+class TransformResult:
+    path: Path
+    changed: bool
+
+
+def _encrypt_env_lines(text: str, crypto: Crypto) -> str:
+    lines = text.splitlines()
+    changed = False
+    for idx, line in enumerate(lines):
+        stripped = line.strip()
+        if not stripped or stripped.startswith("#"):
+            continue
+        export_prefix = ""
+        if stripped.startswith("export "):
+            export_prefix = "export "
+            stripped = stripped[len("export ") :]
+        if "=" not in stripped:
+            continue
+        key, value = stripped.split("=", 1)
+        key = key.strip()
+        raw_value = value.strip()
+        quote = ""
+        if raw_value.startswith(('"', "'")) and raw_value.endswith(('"', "'")):
+            quote = raw_value[0]
+            raw_value = raw_value[1:-1]
+        if not SENSITIVE_KEYWORDS.search(key):
+            continue
+        if is_encrypted_value(raw_value):
+            continue
+        token = crypto.encrypt(raw_value).token
+        new_value = wrap_encrypted(token)
+        if quote:
+            new_value = f"{quote}{new_value}{quote}"
+        lines[idx] = f"{export_prefix}{key}={new_value}"
+        changed = True
+    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")
+
+
+def _decrypt_env_lines(text: str, crypto: Crypto) -> str:
+    lines = text.splitlines()
+    for idx, line in enumerate(lines):
+        stripped = line.strip()
+        if not stripped or stripped.startswith("#"):
+            continue
+        export_prefix = ""
+        if stripped.startswith("export "):
+            export_prefix = "export "
+            stripped = stripped[len("export ") :]
+        if "=" not in stripped:
+            continue
+        key, value = stripped.split("=", 1)
+        key = key.strip()
+        raw_value = value.strip()
+        quote = ""
+        if raw_value.startswith(('"', "'")) and raw_value.endswith(('"', "'")):
+            quote = raw_value[0]
+            raw_value = raw_value[1:-1]
+        token = unwrap_encrypted(raw_value)
+        if token is None:
+            continue
+        plaintext = crypto.decrypt(token)
+        new_value = plaintext
+        if quote:
+            new_value = f"{quote}{new_value}{quote}"
+        lines[idx] = f"{export_prefix}{key}={new_value}"
+    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")
+
+
+def _encrypt_generic(text: str, crypto: Crypto) -> str:
+    changed = False
+
+    def replacer(match: re.Match) -> str:
+        nonlocal changed
+        for pattern in SECRET_PATTERNS:
+            inner = pattern.regex.search(match.group(0))
+            if inner:
+                value = inner.group(pattern.group)
+                if is_encrypted_value(value):
+                    return match.group(0)
+                token = crypto.encrypt(value).token
+                replaced = match.group(0).replace(value, wrap_encrypted(token), 1)
+                changed = True
+                return replaced
+        return match.group(0)
+
+    result = text
+    for pattern in SECRET_PATTERNS:
+        result = pattern.regex.sub(lambda m: replacer(m), result)
+    return result
+
+
+def _decrypt_generic(text: str, crypto: Crypto) -> str:
+    def replacer(match: re.Match) -> str:
+        value = match.group(0)
+        token = unwrap_encrypted(value)
+        if token is None:
+            return value
+        plaintext = crypto.decrypt(token)
+        return plaintext
+
+    return re.sub(r"ENC\[[^\]]+\]", replacer, text)
+
+
+def encrypt_file(path: Path, crypto: Crypto) -> TransformResult:
+    data = path.read_bytes()
+    if _is_binary(data):
+        return TransformResult(path=path, changed=False)
+    text = data.decode("utf-8", errors="ignore")
+    if _is_env_file(path):
+        new_text = _encrypt_env_lines(text, crypto)
+    else:
+        new_text = _encrypt_generic(text, crypto)
+    changed = new_text != text
+    if changed:
+        path.write_text(new_text, encoding="utf-8")
+    return TransformResult(path=path, changed=changed)
+
+
+def decrypt_file(path: Path, crypto: Crypto) -> TransformResult:
+    data = path.read_bytes()
+    if _is_binary(data):
+        return TransformResult(path=path, changed=False)
+    text = data.decode("utf-8", errors="ignore")
+    if _is_env_file(path):
+        new_text = _decrypt_env_lines(text, crypto)
+    else:
+        new_text = _decrypt_generic(text, crypto)
+    changed = new_text != text
+    if changed:
+        path.write_text(new_text, encoding="utf-8")
+    return TransformResult(path=path, changed=changed)

superencryptx-0.1.0.dist-info/METADATA

@@ -0,0 +1,116 @@
+Metadata-Version: 2.4
+Name: superencryptx
+Version: 0.1.0
+Summary: Scan a repo for secrets and encrypt/decrypt them in-place.
+Author: Superencrypt Contributors
+License: MIT License
+        
+        Copyright (c) 2026 Superencrypt Contributors
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+        
+Project-URL: Homepage, https://example.com/superencrypt
+Project-URL: Repository, https://example.com/superencrypt
+Project-URL: Issues, https://example.com/superencrypt/issues
+Keywords: secrets,encryption,git,security,cli
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Version Control
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cryptography>=41.0.0
+Dynamic: license-file
+
+# superencrypt
+
+CLI to scan a repo for secrets (including env files), encrypt them in-place, and decrypt them later using a key.
+
+## Why
+
+`superencrypt` helps you keep accidental secrets out of your repo history by encrypting sensitive values in-place while keeping files versionable.
+
+## Install
+
+```bash
+pip install superencryptx
+```
+
+### No venv (recommended)
+
+```bash
+pipx install superencryptx
+```
+
+### System install (no venv)
+
+```bash
+python3 -m pip install --user superencryptx
+```
+
+## Quick start
+
+```bash
+# Encrypt in-place (generates a key, prints it, and writes .superencrypt.key)
+superencrypt encrypt
+
+# Decrypt in-place (use in CI/CD pipelines)
+superencrypt decrypt --key-file .superencrypt.key
+```
+
+## Usage
+
+```bash
+# Encrypt in-place (generates a key, prints it, and writes .superencrypt.key)
+superencrypt encrypt
+
+# Decrypt in-place (provide key or key file)
+superencrypt decrypt --key-file .superencrypt.key
+
+# Scan only (no changes)
+superencrypt scan
+```
+
+## Pipeline example
+
+```bash
+export SUPERENCRYPT_KEY="$(cat .superencrypt.key)"
+superencrypt decrypt --key "$SUPERENCRYPT_KEY"
+```
+
+## Notes
+
+- Encrypted values are stored as `ENC[<token>]`.
+- Key file `.superencrypt.key` should be protected and not committed.
+ - Use `scan` first to review matches.
+
+## Development
+
+```bash
+python -m venv .venv
+source .venv/bin/activate
+pip install -e .
+```

superencryptx-0.1.0.dist-info/RECORD

@@ -0,0 +1,12 @@
+superencrypt/__init__.py,sha256=tXbRXsO0NE_UV1kIHiZTTQQH0fj0U2KoxxNusu_gzrM,48
+superencrypt/__main__.py,sha256=PSQ4rpL0dG6f-qH4N7H-gD9igQkdHzH4yVZDcW8lfZo,80
+superencrypt/cli.py,sha256=CbrCvNQaSwk20MgJ_xUHBFbI65XFVI7_pPbj9i1Orio,3311
+superencrypt/crypto.py,sha256=eFS0TJwrSaMjHvTVmffZmbKBLb6jbpWXFCKCTGNmnU8,1274
+superencrypt/scanner.py,sha256=wbmoXWStPRbiNoXdYgV065EzWa42yM2FA3jUW27tI5Y,3449
+superencrypt/transform.py,sha256=YHIiXZI7gLnQHvivska32ebLJDr5Fn_tjaVj5hCRsys,4789
+superencryptx-0.1.0.dist-info/licenses/LICENSE,sha256=igcdaUQXkh4o1sJMU-uvtT-yp4jPqKuQDs4ado9qL9E,1082
+superencryptx-0.1.0.dist-info/METADATA,sha256=dW2RW-94YzHYPFxkzSdgNjhrpoMuJK9Rbt5wamEU9uA,3636
+superencryptx-0.1.0.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+superencryptx-0.1.0.dist-info/entry_points.txt,sha256=IzMqSqTogHYApIGSkg9S4wB_OysvTo7fwKcJb6INDLs,55
+superencryptx-0.1.0.dist-info/top_level.txt,sha256=w2hHm19sEIAkucCExR6tZ_JBIUaGbv3LkhZc66kjsCI,13
+superencryptx-0.1.0.dist-info/RECORD,,

superencryptx-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.10.2)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

superencryptx-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+superencrypt = superencrypt.cli:main

superencryptx-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Superencrypt Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

superencryptx-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+superencrypt