Add credential obfuscation system

- build-obfuscated.sh: XOR encryption with random 256-bit key
- obfuscation/obfuscation.go: Runtime de-obfuscation package
- OBFUSCATION.md: Documentation and security comparison
- Prevents casual extraction with 'strings' command
- Medium security: Good for personal use, env vars for production

build-obfuscated.sh

@@ -0,0 +1,115 @@
+#!/bin/bash
+# Credential Obfuscation Build Script
+# Encrypts credentials and embeds them in Go binaries
+# Usage: ./build-obfuscated.sh <server-url> <username> <password>
+
+set -e
+
+if [ $# -ne 3 ]; then
+  echo "Usage: $0 <server-url> <username> <password>"
+  exit 1
+fi
+
+SERVER_URL="$1"
+USERNAME="$2"
+PASSWORD="$3"
+
+# Generate a random obfuscation key (64 hex chars)
+OBFUSCATION_KEY=$(openssl rand -hex 32)
+
+echo "Building with obfuscated credentials..."
+echo "Server: $SERVER_URL"
+echo "User: $USERNAME"
+echo "Password: ${PASSWORD:0:10}..."
+echo "Obfuscation Key: ${OBFUSCATION_KEY:0:16}..."
+echo ""
+
+# Function to obfuscate a string using XOR
+obfuscate_string() {
+  local input="$1"
+  local key="$2"
+  local result=""
+  local key_len=${#key}
+
+  for ((i=0; i<${#input}; i++)); do
+    # Get character from input and key
+    input_char="${input:$i:1}"
+    key_char="${key:$((i % key_len)):1}"
+
+    # Get ASCII values
+    input_val=$(printf '%d' "'$input_char")
+    key_val=$(printf '%d' "'$key_char")
+
+    # XOR and convert back to char
+    xor_val=$((input_val ^ key_val))
+    xor_char=$(printf "\\$(printf '%03o' $xor_val)")
+
+    result+="$xor_char"
+  done
+
+  # Base64 encode the result for safe embedding
+  echo -n "$result" | base64 -w0
+}
+
+# Obfuscate credentials
+OBFUSCATED_SERVER=$(obfuscate_string "$SERVER_URL" "$OBFUSCATION_KEY")
+OBFUSCATED_USER=$(obfuscate_string "$USERNAME" "$OBFUSCATION_KEY")
+OBFUSCATED_PASSWORD=$(obfuscate_string "$PASSWORD" "$OBFUSCATION_KEY")
+
+# Build function
+build_tool() {
+  local tool_name="$1"
+  local tool_dir="$2"
+
+  echo "Building $tool_name..."
+
+  cd "$tool_dir"
+
+  # Build with obfuscated credentials and de-obfuscation key
+  go build \
+    -ldflags="-X main.ObfuscatedServer=$OBFUSCATED_SERVER \
+               -X main.ObfuscatedUser=$OBFUSCATED_USER \
+               -X main.ObfuscatedPassword=$OBFUSCATED_PASSWORD \
+               -X main.ObfuscationKey=$OBFUSCATION_KEY" \
+    -o ~/bin/"$tool_name" .
+
+  echo "✓ $tool_name built successfully"
+}
+
+# Build nextcloud-client
+build_tool "nextcloud-client" "$SCRIPT_DIR/tools/go/nextcloud-client"
+
+# Build nextcloud-contacts
+build_tool "nextcloud-contacts" "$SCRIPT_DIR/tools/go/nextcloud-contacts"
+
+# Build nextcloud-calendar
+build_tool "nextcloud-calendar" "$SCRIPT_DIR/tools/go/nextcloud-calendar"
+
+# Build nextcloud-mail
+build_tool "nextcloud-mail" "$SCRIPT_DIR/tools/go/nextcloud-mail"
+
+echo ""
+echo "All tools built with obfuscated credentials!"
+echo ""
+echo "Obfuscation Details:"
+echo "  Method: XOR cipher with random 256-bit key"
+echo "  Key: $OBFUSCATION_KEY"
+echo "  Encoded: Base64 for safe Go embedding"
+echo ""
+echo "Security Notes:"
+echo "  ✓ Credentials are XOR encrypted with unique key"
+echo "  ✓ Key changes on every build"
+echo "  ✓ strings command shows only base64 gibberish"
+echo "  ✓ Runtime de-obfuscation happens in memory"
+echo ""
+echo "Binaries installed at:"
+echo "  ~/bin/nextcloud-client"
+echo "  ~/bin/nextcloud-contacts"
+echo "  ~/bin/nextcloud-calendar"
+echo "  ~/bin/nextcloud-mail"
+echo ""
+echo "⚠️  Security Level: Medium"
+echo "  This prevents casual extraction, but a determined attacker"
+echo "  with knowledge of the de-obfuscation code could reverse it."
+echo "  For production use, consider stronger encryption or environment"
+echo "  variables for sensitive credentials."