release v2.0.0: version bump, bundle isolation fix, crypto fallback

- Version 2.0.0b1 → 2.0.0
- Fix: encrypted node code scrub no longer mutates caller's bundle dict
  (tracked via _scrubbed set instead of node["code"] = None)
- Add [crypto] optional dependency for pure-Python fallback
- Clear error message when both C extension and cryptography are missing
- .DS_Store in .gitignore

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: desty2k

.gitignore

@@ -120,3 +120,6 @@ dmypy.json
 
 # uv
 uv.lock
+
+# macOS
+.DS_Store

paker/__init__.py

@@ -47,7 +47,7 @@
     "ImportErrorPolicy", "AsFileStrategy", "NativeLoaderPolicy",
     "DiskPolicy", "virtual_fs", "__version__",
 ]
-__version__ = "2.0.0b1"
+__version__ = "2.0.0"
 
 
 class ImportErrorPolicy(enum.Enum):

paker/_crypto.py

@@ -199,7 +199,14 @@ def scrub(obj) -> None:
 
 def _aes_ctr_fallback(key: bytes, nonce: bytes, data: bytes) -> bytes:
     """Pure-Python AES-CTR fallback when the C extension is not compiled."""
-    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+    try:
+        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+    except ImportError:
+        raise ImportError(
+            "paker's C extension (_paker_crypto) is not available and the "
+            "pure-Python fallback requires the 'cryptography' package. "
+            "Install it with: pip install paker[crypto]"
+        ) from None
     cipher = Cipher(algorithms.AES(key), modes.CTR(nonce))
     decryptor = cipher.decryptor()
     return decryptor.update(data) + decryptor.finalize()

paker/importers/jsonimporter.py

@@ -71,6 +71,7 @@ def __init__(
         self._as_file_strategy: AsFileStrategy = resolve_strategy(as_file_strategy)
         self._owns_virtual_fs = False
         self._module_cache: dict[str, object] = {}
+        self._scrubbed: set[str] = set()
         self._logger = logging.getLogger(self.__class__.__name__)
         self._context_stack: list[str] = []
         sys.meta_path.insert(0, self)
@@ -176,11 +177,7 @@ def exec_module(self, module):
             )
 
         if encrypted:
-            # Stop the bundle from retaining the ciphertext for this module
-            # once it's been decrypted and executed. Re-imports rely on
-            # ``sys.modules`` caching; the loader itself won't be asked to
-            # decrypt this module again.
-            node["code"] = None
+            self._scrubbed.add(fullname)
         self._module_cache[fullname] = module
         self._logger.info("%s imported successfully", fullname)
 

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "paker"
-version = "2.0.0b1"
+version = "2.0.0"
 description = "Encrypted in-memory Python package loader"
 readme = "README.md"
 license = "MIT"
@@ -28,6 +28,9 @@ classifiers = [
 ]
 keywords = ["python", "package-loader", "in-memory", "encrypted", "native-extensions", "memfd", "code-protection", "bundle", "zero-disk", "importlib"]
 
+[project.optional-dependencies]
+crypto = ["cryptography>=41.0"]
+
 [project.scripts]
 paker = "paker.__main__:main_entry"
 

tests/test_crypto.py

@@ -318,7 +318,8 @@ def test_scrub_after_import(self):
         imp = JsonImporter(data, key=KEY)
         import scrub_test
         assert scrub_test.SCRUBBED is True
-        assert data["scrub_test"]["code"] is None
+        assert "scrub_test" in imp._scrubbed
+        assert data["scrub_test"]["code"] is not None
         imp.unload()
 
     def test_encrypted_pyc_module(self):