Security & Source Protection

Pytron-kit provides a multi-stage pipeline designed to protect application logic and ensure the integrity of your distributed binaries.

Source Protection Pipeline

  1. Crystal Audit (PEP 578): Traditional static analysis misses hidden imports. Pytron uses Crystal Audit to launch your app in a surveillance mode, hooking into the low-level import system (`sys.addaudithook`) to capture every module actually loaded at runtime.
  2. Defanged Execution: During the audit, destructive operations (like `os.remove`) are aggressively mocked, allowing safe "dry run" analysis of production logic.
  3. Binary Compilation (Cython): Critical modules are compiled to native machine code (`.pyd`/`.so`), making them resistant to trivial decompilation tools like `uncompyle6`.
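
The first two stages can be illustrated with a small added example (not Pytron-kit's own code): a PEP 578 audit hook records `import` events while `os.remove`/`os.unlink` are mocked, so a dynamic import is captured and a delete is logged instead of executed. The names `audit_run`, `sample_app` and `demo` are hypothetical, and `sample_app` is a constructed stand-in for production logic.

```python
import os
import sys
import tempfile
from unittest import mock

_seen = []        # module names captured by the hook
_active = False   # audit hooks cannot be removed, so recording is gated by a flag

def _hook(event, args):
    # PEP 578 "import" event: args[0] is the name of the module being resolved.
    if _active and event == "import":
        _seen.append(args[0])

sys.addaudithook(_hook)

def audit_run(entrypoint):
    """Run entrypoint() with imports recorded and file deletion mocked.

    Returns (imported_module_names, paths_whose_deletion_was_blocked).
    """
    global _active
    blocked = []

    def fake_delete(path, *args, **kwargs):
        blocked.append(os.fspath(path))   # record the attempt, delete nothing

    _seen.clear()
    with mock.patch("os.remove", fake_delete), mock.patch("os.unlink", fake_delete):
        _active = True
        try:
            entrypoint()
        finally:
            _active = False
    return list(_seen), blocked

def sample_app(path):
    """Constructed stand-in for production logic (not from a real app)."""
    sys.modules.pop("colorsys", None)      # force a fresh import so the event fires
    plugin = __import__("color" + "sys")   # dynamic import a static scan would miss
    plugin.rgb_to_hsv(1.0, 0.0, 0.0)
    os.remove(path)                        # destructive call, mocked during the audit

def demo():
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        imported, blocked = audit_run(lambda: sample_app(path))
        return "colorsys" in imported, blocked == [path], os.path.exists(path)
    finally:
        os.unlink(path)                    # real cleanup, outside the mocked scope
```

The `import` event is raised only for modules not already in `sys.modules`, so an audit of this kind has to start before the application's own imports run.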

Advanced Security Features

The Secure Pipeline (available via `--secure`) hardens your application against reverse engineering:

  • Native Bootloader: A custom Rust-based loader ("Agentic Shield") initializes the environment and launches your compiled binary, providing a secure native entry point.
  • Library Fusion: Distributed Python modules are bundled into a single `app.bundle` structure, obscuring the standard `_internal` directory layout and reducing file clutter.
  • Integrity Checks: The pipeline ensures that compiled components are correctly linked and loaded, preventing basic tampering.

Production Packaging

Pytron-kit offers tiered packaging. Note: Standard PyInstaller packaging can be fully decompiled with little effort. For production, always use the Secure or Nuitka pipeline.

```bash
# Standard (Not Recommended for Commercial)
pytron package

# Secure Pipeline (Cython + Fusion)
pytron package --secure

# Native Compilation (Nuitka)
pytron package --nuitka
```

Code Signing

Because advanced protection uses custom bootloaders and in-memory execution, we recommend digitally signing your executables to ensure compatibility with operating system security policies.