Metadata-Version: 2.4
Name: obfy
Version: 0.1.0
License-File: LICENSE.md
Summary: Clean-room Python code-protection tool.
License: LicenseRef-Camouflage-Source-Available; see LICENSE.md (proprietary, source-
	available)
Requires-Python: >=3.10
Description-Content-Type: text/markdown; charset=UTF-8; variant=GFM
Project-URL: Homepage, https://obfy.io
Project-URL: Repository, https://github.com/obfy/obfy

# Obfy

[![PyPI version](https://img.shields.io/pypi/v/obfy.svg?color=blue)](https://pypi.org/project/obfy/)
[![Python versions](https://img.shields.io/pypi/pyversions/obfy.svg)](https://pypi.org/project/obfy/)
[![License: Source-Available](https://img.shields.io/badge/license-source--available-blue.svg)](https://github.com/obfy/obfy/blob/main/LICENSE.md)
[![CI](https://github.com/obfy/obfy/actions/workflows/ci.yml/badge.svg)](https://github.com/obfy/obfy/actions/workflows/ci.yml)
[![Docs](https://img.shields.io/badge/docs-camouflage.network-blue.svg)](https://docs.camouflage.network/obfy/introduction)

A clean-room Python code-protection tool written in Rust: AST obfuscation plus
bytecode encryption with a native loader — and a **fully auditable supply chain**.

> The deliverable is not just "an obfuscator." It is an obfuscator whose entire
> provenance we can show a customer.

## What it does

- **AST obfuscation — `--level 0–5`:** strip docstrings/comments, mangle string
  literals, inject dead code, rename identifiers (function-local and cross-module),
  and natively compile eligible functions to a clean-room bytecode VM so their
  CPython bytecode never ships. The `--level` flag is the **sophistication dial** —
  higher levels do strictly more:

  | `--level` | Adds (each level includes the ones below it) |
  |-----------|----------------------------------------------|
  | `0` | none — compiled, marshalled, encrypted as-is |
  | `1` | strip docstrings |
  | `2` | + string mangling + dead code |
  | `3` | + local (function-scope) rename |
  | `4` | + cross-module public-name rename |
  | `5` | + native function compilation (CPython bytecode never ships) |

- **Bytecode encryption + native loader:** compile → marshal → AES-256-GCM encrypt;
  a PyO3 import hook decrypts in memory at import time. This is the core of the product.
- **Licensing:** expiry dates and machine/MAC binding, enforced by the loader.
- **Supply chain:** vendored + audited deps, reproducible builds, and an SBOM shipped
  with every release.

## Honest posture — read this

Python obfuscation is **deterrence, not encryption-grade security**. CPython must
eventually execute real bytecode, so a skilled attacker who controls the runtime can
recover code objects. Obfy stops casual copying and raises the cost for everyone else;
it does not replace legal protection for sensitive IP. More on what each level does
and what it does not guarantee:
[Obfuscation levels — honest posture](https://docs.camouflage.network/obfy/guides/obfuscation-levels#honest-posture).

## Install

```sh
pip install obfy
```

Requires **CPython 3.10–3.13** on macOS (Apple Silicon or Intel), Linux
(x86_64 / aarch64), or Windows (x64). Build with the **same Python version** you ship
for — the marshal/bytecode format is version-specific. `pip install obfy` gives you the
`obfy` CLI and bundles the native runtime that gets packaged into your protected output;
there is nothing else to install.

## Quick start

Protect a project — one command in, a drop-in replacement out:

```sh
obfy build --src ./myproject --out ./dist --python python3
```

This protects the **whole tree** — every `.py` under `--src` is discovered recursively,
obfuscated, compiled, marshalled, and AES-256-GCM encrypted. `./dist` is a **1:1 mirror**
of `./myproject` where each `.py` is a tiny self-activating stub, the real code lives
encrypted in `./dist/__obfy__/*.obfy`, non-`.py` files are copied across, and the native
runtime is bundled in — nothing extra to install.

> **Heads-up — secrets:** every non-`.py` file under `--src` is copied into the dist so
> the output runs in place. If `--src` is a repo root, files like `.env` or keys get
> copied too. Point `--src` at your code package (e.g. `./app`), or build from a
> code-only staging tree.

Run it exactly as you ran the original — no `sys.path` edits, no manual bootstrap:

```sh
python ./dist/run.py
```

See the [tutorial](https://docs.camouflage.network/obfy/tutorial) for a full walkthrough,
and [packaging](https://docs.camouflage.network/obfy/guides/packaging) for PyInstaller.

## Documentation

Full documentation lives at **[docs.camouflage.network/obfy](https://docs.camouflage.network/obfy/introduction)**:

- [Introduction](https://docs.camouflage.network/obfy/introduction) ·
  [Installation](https://docs.camouflage.network/obfy/installation) ·
  [Tutorial](https://docs.camouflage.network/obfy/tutorial) ·
  [Deploying](https://docs.camouflage.network/obfy/deploying)
- Guides:
  [Obfuscation levels](https://docs.camouflage.network/obfy/guides/obfuscation-levels) ·
  [Licensing](https://docs.camouflage.network/obfy/guides/licensing) ·
  [Seats & devices](https://docs.camouflage.network/obfy/guides/seats-and-devices) ·
  [Packaging](https://docs.camouflage.network/obfy/guides/packaging) ·
  [Troubleshooting](https://docs.camouflage.network/obfy/guides/troubleshooting)

## Building from source

Contributors and anyone building the toolchain themselves (the published wheels already
contain everything an end user needs):

```sh
# The CLI:
cargo build --release                  # -> target/release/obfy

# The native runtime, into the interpreter you ship for:
pip install maturin
maturin develop --release              # installs obfy_runtime into the active venv
```

Build the runtime with the **same Python version** you will run the protected code on.
Project provenance, dependency vetting, and the PyArmor comparison live under
[docs/](https://github.com/obfy/obfy/tree/main/docs).

## License

Proprietary, source-available — see
[LICENSE.md](https://github.com/obfy/obfy/blob/main/LICENSE.md). © 2026 Camouflage Networks Inc.

