v0.2.1 — Idempotent re-encryption and safer key handling
Improvements
Idempotent re-encryption — dotseal edit and append-to-.env.enc workflows now preserve ciphertext for unchanged values, so git diffs show only what actually changed. If you save without edits, the file is left untouched.
reencrypt_text()/reencrypt_text_asymmetric()— new library API for the same behaviordotseal encryptstill skips values already encrypted with the same key; refuses outright if existing ciphertext was made with a different key or the file is asymmetric (decrypt with the old key first, then encrypt with the new one)
Safer key resolution
--key-file/--private-key-file— explicit key file paths; a requested file that does not exist is an error (never silently overridden by env vars)KeyManagementError— raised when key material does not match the file's recorded fingerprint
Parser & tooling
- Inline comments on env entries are preserved through encrypt/decrypt/re-encrypt cycles
.gitignoreauto-add respects negation (!) and simple globsdotseal edit— if re-encryption fails, offers to re-open the editor; otherwise keeps your edits in the0600temp file and prints its path
Notes
- Symmetric and asymmetric modes are unchanged aside from the safer encrypt/edit behavior above.
- Runtime dependency is now
cryptography>=42,<49(was pinned to48.0.1) to avoid version conflicts for library consumers. - README and
uv.lockare synced with the existing Python 3.9 minimum (required bycryptography48+). - VS Code / Cursor extension: use
ext-v0.1.1or later for matching edit/re-encrypt behavior. Compatibility is by on-disk file format (v=1/v=2), not package version alone.