Add credential obfuscation system

- build-obfuscated.sh: XOR encryption with random 256-bit key
- obfuscation/obfuscation.go: Runtime de-obfuscation package
- OBFUSCATION.md: Documentation and security comparison
- Prevents casual extraction with 'strings' command
- Medium security: Good for personal use, env vars for production

tools/go/obfuscation/obfuscation.go

@@ -0,0 +1,55 @@
+package main
+
+import (
+	"encoding/base64"
+	"fmt"
+)
+
+// Build-time obfuscated credentials
+var (
+	ObfuscatedServer   string
+	ObfuscatedUser     string
+	ObfuscatedPassword string
+	ObfuscationKey    string
+)
+
+// DeobfuscateString reverses the XOR obfuscation applied at build time
+func DeobfuscateString(obfuscatedBase64, key string) (string, error) {
+	// Decode base64
+	obfuscated, err := base64.StdEncoding.DecodeString(obfuscatedBase64)
+	if err != nil {
+		return "", fmt.Errorf("failed to decode obfuscated string: %w", err)
+	}
+
+	// XOR de-obfuscation
+	result := make([]byte, len(obfuscated))
+	keyBytes := []byte(key)
+	keyLen := len(keyBytes)
+
+	for i := 0; i < len(obfuscated); i++ {
+		result[i] = obfuscated[i] ^ keyBytes[i%keyLen]
+	}
+
+	return string(result), nil
+}
+
+// GetDeobfuscatedCredentials returns the actual credentials
+// This is called at runtime to retrieve and de-obfuscate credentials
+func GetDeobfuscatedCredentials() (server, user, password string, err error) {
+	server, err := DeobfuscateString(ObfuscatedServer, ObfuscationKey)
+	if err != nil {
+		return "", "", "", fmt.Errorf("failed to de-obfuscate server: %w", err)
+	}
+
+	user, err := DeobfuscateString(ObfuscatedUser, ObfuscationKey)
+	if err != nil {
+		return "", "", "", fmt.Errorf("failed to de-obfuscate user: %w", err)
+	}
+
+	password, err := DeobfuscateString(ObfuscatedPassword, ObfuscationKey)
+	if err != nil {
+		return "", "", "", fmt.Errorf("failed to de-obfuscate password: %w", err)
+	}
+
+	return server, user, password, nil
+}