feat: add decryption and refactoring

Author: eznix86

.github/workflows/test.yml

@@ -40,6 +40,8 @@ jobs:
       - name: Run linter
         run: uv run ruff check kseal/ tests/
 
+      - name: Run pyright
+        run: uv run basedpyright kseal/ tests/
   coverage:
     runs-on: ubuntu-latest
 

Makefile

@@ -11,6 +11,7 @@ coverage:
 
 lint:
 	@uv run ruff check .
+	@uv run basedpyright kseal/
 
 format:
 	@uv run ruff format .

README.md

@@ -5,7 +5,7 @@
 [![License](https://img.shields.io/github/license/eznix86/kseal)](LICENSE)
 [![Tests](https://github.com/eznix86/kseal/actions/workflows/test.yml/badge.svg)](https://github.com/eznix86/kseal/actions/workflows/test.yml)
 
-A kubeseal companion CLI for viewing, exporting, and encrypting Kubernetes Secrets.
+A kubeseal companion CLI for viewing, exporting, encrypting, and **offline decrypting** Kubernetes Secrets.
 
 ## Installation
 
@@ -33,20 +33,25 @@ pip install kseal
 ### Requirements
 
 - Python 3.12+
-- Kubernetes cluster access
+- Kubernetes cluster access (not required for offline decryption)
 - Sealed Secrets controller installed in cluster
 
 ## Quick Start
 
 ```bash
-# View a decrypted secret
+# View a decrypted secret (requires cluster access)
 kseal cat secrets/app.yaml
 
 # Export all secrets to files
 kseal export --all
 
 # Encrypt a plaintext secret
 kseal encrypt secret.yaml -o sealed.yaml
+
+# Offline decryption (no cluster access needed)
+kseal export-keys                              # Backup keys while you have access
+kseal decrypt sealed.yaml                      # Decrypt using local keys
+kseal decrypt-all --in-place                   # Decrypt all SealedSecrets
 ```
 
 ## Commands
@@ -89,8 +94,59 @@ kseal encrypt secret.yaml
 # To file
 kseal encrypt secret.yaml -o sealed.yaml
 
-# Replace original
-kseal encrypt secret.yaml --replace
+# Replace original file
+kseal encrypt secret.yaml --in-place
+```
+
+### `kseal export-keys`
+
+Export sealed-secrets private keys from cluster for offline decryption.
+
+```bash
+# Export to default location
+kseal export-keys                      # → .kseal-keys/
+
+# Custom output directory
+kseal export-keys -o ./backup
+
+# From different namespace
+kseal export-keys -n kube-system
+```
+
+### `kseal decrypt`
+
+Decrypt a SealedSecret using local private keys (no cluster access needed).
+
+```bash
+# Using keys from default location
+kseal decrypt sealed.yaml
+
+# Using specific key file
+kseal decrypt sealed.yaml --private-key ./key.pem
+
+# From stdin
+cat sealed.yaml | kseal decrypt
+
+# Filter keys by pattern
+kseal decrypt sealed.yaml --private-keys-regex "2025"
+```
+
+### `kseal decrypt-all`
+
+Decrypt all SealedSecrets in a directory using local private keys.
+
+```bash
+# Search current directory, output to stdout
+kseal decrypt-all
+
+# Search specific directory
+kseal decrypt-all ./manifests
+
+# Replace files in-place
+kseal decrypt-all --in-place
+
+# Custom keys location
+kseal decrypt-all --private-keys-path ./backup
 ```
 
 ### `kseal init`
@@ -160,9 +216,10 @@ kseal automatically manages kubeseal binary versions:
 
 ## Security
 
-- Add `.unsealed/` to your `.gitignore`
-- Never commit plaintext secrets to version control
-- Requires cluster access to decrypt secrets
+- Add `.unsealed/` and `.kseal-keys/` to your `.gitignore`
+- Never commit plaintext secrets or private keys to version control
+- Store exported keys securely (e.g., password manager, encrypted backup)
+- Offline decryption with `kseal decrypt` requires the private keys - keep them safe
 
 ## Contributing
 

kseal/binary.py

@@ -1,5 +1,7 @@
 """Kubeseal binary management - download and version handling."""
 
+from __future__ import annotations
+
 import platform
 import shutil
 import stat
@@ -20,14 +22,17 @@
 from rich.status import Status
 
 from .config import get_version as get_config_version
+from .github import get_latest_version
 from .settings import add_downloaded_version, get_default_version
 
-GITHUB_API_URL = "https://api.github.com/repos/bitnami-labs/sealed-secrets/releases/latest"
 DOWNLOAD_URL_TEMPLATE = (
     "https://github.com/bitnami-labs/sealed-secrets/releases/download/"
     "v{version}/kubeseal-{version}-{os}-{arch}.tar.gz"
 )
 
+# Re-export for backwards compatibility
+__all__ = ["get_latest_version"]
+
 
 def get_default_binary_dir() -> Path:
     """Get the default directory for kubeseal binaries."""
@@ -89,15 +94,6 @@ def detect_arch() -> str:
     raise RuntimeError(f"Unsupported architecture: {machine}")
 
 
-def get_latest_version() -> str:
-    """Fetch the latest kubeseal version from GitHub API."""
-    response = httpx.get(GITHUB_API_URL, follow_redirects=True, timeout=30)
-    response.raise_for_status()
-    data = response.json()
-    tag = data["tag_name"]
-    return tag.lstrip("v")
-
-
 def get_version() -> str:
     """Get the kubeseal version to use.
 
@@ -135,7 +131,7 @@ def download_kubeseal(version: str, target_path: Path) -> None:
         tarball_path = Path(tmpdir) / "kubeseal.tar.gz"
 
         with httpx.stream("GET", url, follow_redirects=True, timeout=60) as response:
-            response.raise_for_status()
+            _ = response.raise_for_status()
             total_size = int(response.headers.get("content-length", 0))
 
             with Progress(
@@ -149,8 +145,8 @@ def download_kubeseal(version: str, target_path: Path) -> None:
 
                 with open(tarball_path, "wb") as f:
                     for chunk in response.iter_bytes():
-                        f.write(chunk)
-                        progress.update(task, advance=len(chunk))
+                        _ = f.write(chunk)
+                        _ = progress.update(task, advance=len(chunk))
 
         with Status("[bold blue]Extracting...[/]", console=console):
             with tarfile.open(tarball_path, "r:gz") as tar:
@@ -163,7 +159,7 @@ def download_kubeseal(version: str, target_path: Path) -> None:
                     raise RuntimeError("kubeseal binary not found in tarball")
 
             extracted_binary = Path(tmpdir) / "kubeseal"
-            extracted_binary.rename(target_path)
+            _ = extracted_binary.rename(target_path)
 
     target_path.chmod(target_path.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)