
Auditable random credential generator for AI agents and machine-readable pipelines (Python wrapper around the secretgenerator CLI).

Project description

secretgen (Python)


Auditable random credential generator for AI agents and machine-readable pipelines. This Python package wraps the secretgenerator CLI and exposes its stable schema-v1 JSON output as Python dicts.

Install

The Python package and the CLI binary install separately:

pip install secretgen

The PyPI package is named secretgen (not secretgenerator) because a secret-generator package already exists on PyPI; the import name is also secretgen.

Then install the CLI once with whichever method fits your environment:

npm install -g @secretgenerator/cli
# or
brew install rafaelperoco/tap/secretgenerator
# or
go install github.com/rafaelperoco/secretgenerator/cmd/secretgenerator@latest

Quick start

import secretgen as sg

pw = sg.password(length=24, charset="alphanum-symbols-v1",
                 require_classes="lower,upper,digit,symbol")
print(pw["password"], "—", pw["entropy_bits"], "bits")

phrase = sg.passphrase(words=8, separator="-")
print(phrase["password"])

token = sg.api_key(length=40, prefix="sk_live")
print(token["password"])

bits = sg.entropy("Tr0ub4dor&3")["entropy_bits"]
print(f"that password has {bits:.1f} bits")

Every function returns a parsed schema-v1 dict with the same shape as the CLI's --json output (see schemas/output-v1.json).

Error handling

import secretgen as sg

try:
    sg.password(length=4)  # below the 80-bit floor
except sg.SecretgeneratorError as e:
    if e.code == "E_ENTROPY_TOO_LOW":
        # Stable code; safe to branch on.
        ...

The code attribute exposes a stable identifier from the CLI's error envelope (E_ENTROPY_TOO_LOW, E_CHARSET_EMPTY, E_CLASS_IMPOSSIBLE, E_INVALID_ARGS, E_RNG_FAILURE).
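One way a pipeline can act on these stable codes, as an added example that is not part of the package or its documentation: retry only on E_ENTROPY_TOO_LOW, fail closed on E_RNG_FAILURE, and keep the secret out of the audit record. The names issue_password, FakeError and fake_password are hypothetical; the fake stands in for sg.password so the block runs without the CLI, and its entropy formula (length times log2 of a 62-symbol alphabet), the 128-bit policy and the retry step are assumptions of this example.

```python
import math

def issue_password(generate, min_bits=128.0, length=16, max_length=64):
    """Call generate(length=...) until the result meets the caller's policy.

    `generate` plays the role of sg.password: it returns a dict holding
    "password" and "entropy_bits" and raises an error carrying `.code`.
    Returns (secret, audit); the audit record never contains the secret.
    """
    while length <= max_length:
        try:
            out = generate(length=length)
        except Exception as e:  # with the real package: sg.SecretgeneratorError
            code = getattr(e, "code", None)
            if code == "E_ENTROPY_TOO_LOW":
                length += 4  # request too weak for the CLI floor: lengthen, retry
                continue
            if code == "E_RNG_FAILURE":
                # Fail closed: never fall back to another random source.
                raise RuntimeError("RNG failure, no credential issued") from e
            raise  # E_INVALID_ARGS, E_CHARSET_EMPTY, E_CLASS_IMPOSSIBLE: caller bug
        if out["entropy_bits"] >= min_bits:
            return out["password"], {"length": length,
                                     "entropy_bits": out["entropy_bits"]}
        length += 4  # passed the CLI floor but not this pipeline's policy
    raise ValueError("min_bits not reachable within max_length")


class FakeError(Exception):
    """Constructed stand-in for sg.SecretgeneratorError."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code


def fake_password(length, alphabet_size=62):
    """Constructed stand-in for sg.password (assumed: uniform draws, 80-bit floor)."""
    bits = length * math.log2(alphabet_size)
    if bits < 80:
        raise FakeError("E_ENTROPY_TOO_LOW")
    return {"password": "x" * length, "entropy_bits": bits}


if __name__ == "__main__":
    secret, audit = issue_password(fake_password, length=4)
    print(audit)  # log the audit record only, never `secret`
```

With the real package installed, pass sg.password as generate and narrow the except clause to sg.SecretgeneratorError.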

Why a wrapper instead of a pure-Python implementation?

Cryptographic primitives belong in audited binaries with reproducible builds and SLSA provenance, not duplicated across language wrappers. The CLI is signed end-to-end with cosign keyless (Sigstore/Fulcio + GitHub OIDC) and ships SLSA Level 3 attestation. This wrapper is a thin transport — it parses JSON.


Download files


Source Distribution

secretgenerator_py-2.0.0.tar.gz (5.8 kB)

Uploaded Source

Built Distribution


secretgenerator_py-2.0.0-py3-none-any.whl (5.9 kB)

Uploaded Python 3

File details

Details for the file secretgenerator_py-2.0.0.tar.gz.

File metadata

  • Download URL: secretgenerator_py-2.0.0.tar.gz
  • Upload date:
  • Size: 5.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.4

File hashes

Hashes for secretgenerator_py-2.0.0.tar.gz
Algorithm Hash digest
SHA256 093db6fe2d609550e6a16c0a5642512b90829787ed26f4c498372af6e8a77bbb
MD5 45474b9008aaf2c0bed015cc49a81ff1
BLAKE2b-256 03b10e54925cb0df19fef861c3d0bb87caf16d117f546a09cdc5ca6059ba0fba


File details

Details for the file secretgenerator_py-2.0.0-py3-none-any.whl.

File hashes

Hashes for secretgenerator_py-2.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b2fc2e3d6826b85f138407248f87bc1be2b1bb92bcf257c5ca13d8645ed39ae1
MD5 d0b7716c78ecac6a2ed303a3a27d49a6
BLAKE2b-256 688469ffff03d620cfa332f2893d7b76afdbd1635ae1ea219ab172cb8259ef79
