obfy 0.1.0

Clean-room Python code-protection tool.

Obfy

A clean-room Python code-protection tool written in Rust: AST obfuscation plus bytecode encryption with a native loader — and a fully auditable supply chain.

The deliverable is not just "an obfuscator." It is an obfuscator whose entire provenance we can show a customer.

What it does

• AST obfuscation — --level 0–5: strip docstrings/comments, mangle string literals, inject dead code, rename identifiers (function-local and cross-module), and natively compile eligible functions to a clean-room bytecode VM so their CPython bytecode never ships. The --level flag is the sophistication dial — higher levels do strictly more:

  --level	Adds (each level includes the ones below it)
  0	none — compiled, marshalled, encrypted as-is
  1	strip docstrings
  2	+ string mangling + dead code
  3	+ local (function-scope) rename
  4	+ cross-module public-name rename
  5	+ native function compilation (CPython bytecode never ships)

• Bytecode encryption + native loader: compile → marshal → AES-256-GCM encrypt; a PyO3 import hook decrypts in memory at import time. This is the core of the product.

• Licensing: expiry dates and machine/MAC binding, enforced by the loader.

• Supply chain: vendored + audited deps, reproducible builds, and an SBOM shipped with every release.

Honest posture — read this

Python obfuscation is deterrence, not encryption-grade security. CPython must eventually execute real bytecode, so a skilled attacker who controls the runtime can recover code objects. Obfy stops casual copying and raises the cost for everyone else; it does not replace legal protection for sensitive IP. More on what each level does and what it does not guarantee: Obfuscation levels — honest posture.

Install

pip install obfy

Requires CPython 3.10–3.13 on macOS (Apple Silicon or Intel), Linux (x86_64 / aarch64), or Windows (x64). Build with the same Python version you ship for — the marshal/bytecode format is version-specific. pip install obfy gives you the obfy CLI and bundles the native runtime that gets packaged into your protected output; there is nothing else to install.

Quick start

Protect a project — one command in, a drop-in replacement out:

obfy build --src ./myproject --out ./dist --python python3

This protects the whole tree — every .py under --src is discovered recursively, obfuscated, compiled, marshalled, and AES-256-GCM encrypted. ./dist is a 1:1 mirror of ./myproject where each .py is a tiny self-activating stub, the real code lives encrypted in ./dist/__obfy__/*.obfy, non-.py files are copied across, and the native runtime is bundled in — nothing extra to install.

Heads-up — secrets: every non-.py file under --src is copied into the dist so the output runs in place. If --src is a repo root, files like .env or keys get copied too. Point --src at your code package (e.g. ./app), or build from a code-only staging tree.

Run it exactly as you ran the original — no sys.path edits, no manual bootstrap:

python ./dist/run.py

See the tutorial for a full walkthrough, and packaging for PyInstaller.

Documentation

Full documentation lives at docs.camouflage.network/obfy:

• Introduction · Installation · Tutorial · Deploying
• Guides: Obfuscation levels · Licensing · Seats & devices · Packaging · Troubleshooting

Building from source

Contributors and anyone building the toolchain themselves (the published wheels already contain everything an end user needs):

# The CLI:
cargo build --release                  # -> target/release/obfy

# The native runtime, into the interpreter you ship for:
pip install maturin
maturin develop --release              # installs obfy_runtime into the active venv

Build the runtime with the same Python version you will run the protected code on. Project provenance, dependency vetting, and the PyArmor comparison live under docs/.

License

Proprietary, source-available — see LICENSE.md. © 2026 Camouflage Networks Inc.