Harden crypto fallbacks and expand local/CI test coverage

Author: rsgalloway

.github/workflows/tests.yml

@@ -8,11 +8,12 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
+        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
-          python-version: "3.11"
+          python-version: ${{ matrix.python-version }}
       - run: python -m pip install --upgrade pip
       - run: pip install pytest
       - run: pip install -e .

CHANGELOG.md

@@ -10,11 +10,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.0.2] - 2026-04-01
 
 ### Changed
-- add a `make pytest` target that installs the package in editable mode before running the test suite
+- add a self-contained `make test` target that installs `pytest` and the package in editable mode before running the test suite
+- mark `all` as a phony Make target to avoid filename collisions
 
 ### Fixed
 - remove `return` statements from `finally` blocks in encryption helpers to avoid newer Python `SyntaxWarning`s
-- harden optional `cryptography` imports so missing crypto dependencies do not break exception handling paths
+- harden optional `cryptography` imports with a decorator-based availability guard so missing crypto dependencies raise a clear runtime error instead of `NoneType` failures
 
 ---
 

Makefile

@@ -36,13 +36,9 @@ build: clean
 # Combined target to build for both platforms
 all: build
 
-# Test target to verify the build
-test:
-	$(ENVSTACK_CMD) -- ls -al
-	${ENVSTACK_CMD} -- which python
-
 # Run the pytest suite from an editable install, matching CI behavior
-pytest:
+test:
+	python -m pip install pytest
 	python -m pip install -e .
 	pytest tests -q
 
@@ -56,4 +52,4 @@ install: build
 	dist --force --yes
 
 # Phony targets
-.PHONY: build dryrun install clean test pytest
+.PHONY: all build dryrun install clean test pytest

lib/envstack/encrypt.py

@@ -38,11 +38,13 @@
 import os
 import secrets
 from base64 import b64decode, b64encode
+from functools import wraps
 
 from envstack.logger import log
 
 # cryptography and _rust dependency may not be available everywhere
 # ImportError: DLL load failed while importing _rust: Module not found.
+CRYPTOGRAPHY_AVAILABLE = False
 Fernet = None
 InvalidToken = type("InvalidToken", (Exception,), {})
 InvalidTag = type("InvalidTag", (Exception,), {})
@@ -55,10 +57,23 @@
     from cryptography.exceptions import InvalidTag
     from cryptography.hazmat.primitives import padding
     from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+    CRYPTOGRAPHY_AVAILABLE = True
 except ImportError as err:
     log.debug("cryptography module not available: %s", err)
 
 
+def require_cryptography(func):
+    """Guard crypto-backed functions when cryptography is unavailable."""
+
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        if not CRYPTOGRAPHY_AVAILABLE:
+            raise RuntimeError("cryptography support is not available")
+        return func(*args, **kwargs)
+
+    return wrapper
+
+
 class Base64Encryptor(object):
     """Encrypt and decrypt secrets using base64 encoding."""
 
@@ -90,6 +105,7 @@ def __init__(self, key: str = None, env: dict = os.environ):
             self.key = self.get_key(env)
 
     @classmethod
+    @require_cryptography
     def generate_key(csl):
         """Generate a new 256-bit encryption key."""
         if Fernet:
@@ -110,6 +126,7 @@ def get_key(self, env: dict = os.environ):
             return Fernet(key)
         return key
 
+    @require_cryptography
     def encrypt(self, data: str):
         """Encrypt a secret using Fernet.
 
@@ -129,6 +146,7 @@ def encrypt(self, data: str):
             log.error("unhandled error: %s", e)
         return results
 
+    @require_cryptography
     def decrypt(self, data: str):
         """Decrypt a secret using Fernet.
 
@@ -158,6 +176,7 @@ def __init__(self, key: str = None, env: dict = os.environ):
             self.key = self.get_key(env)
 
     @classmethod
+    @require_cryptography
     def generate_key(csl):
         """Generate a new 256-bit encryption key."""
         key = secrets.token_bytes(32)
@@ -176,6 +195,7 @@ def get_key(self, env: dict = os.environ):
                 raise ValueError("invalid base64 encoding: %s" % e)
         return key
 
+    @require_cryptography
     def encrypt_data(self, secret: str):
         """Encrypt a secret using AES-GCM.
 
@@ -194,6 +214,7 @@ def encrypt_data(self, secret: str):
             "tag": b64encode(encryptor.tag).decode(),
         }
 
+    @require_cryptography
     def decrypt_data(self, encrypted_data: dict):
         """Decrypt a secret using AES-GCM.
 
@@ -252,6 +273,7 @@ def decrypt(self, data: str):
         return data
 
 
+@require_cryptography
 def pad_data(data: str):
     """Pad data to be block-aligned for AES encryption.
 
@@ -262,6 +284,7 @@ def pad_data(data: str):
     return padder.update(str(data).encode()) + padder.finalize()
 
 
+@require_cryptography
 def unpad_data(data: dict):
     """Unpad data after decryption.