Skip to content

Python SDK surface for the recurve × auths integration (verify_bytes, ephemeral agent, DSSE signer, tlog, passphrase policy)#364

Merged
bordumb merged 5 commits into
mainfrom
dev-identityDocs
Jul 2, 2026
Merged

Python SDK surface for the recurve × auths integration (verify_bytes, ephemeral agent, DSSE signer, tlog, passphrase policy)#364
bordumb merged 5 commits into
mainfrom
dev-identityDocs

Conversation

@bordumb

@bordumb bordumb commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Adds the Python SDK surface the recurve × auths integration consumes, all additive
(new pyo3 bindings + SDK workflows; no existing behavior changed):

  • verify_bytes(message, signature, public_key) — the raw dual of sign_bytes/sign_hash
  • ephemeral in-memory agent — did:keri inception in a throwaway repo, raw-seed DSSE (no KDF, ~30ms)
  • generic DSSE in-toto Statement signer (arbitrary Statement → DSSE)
  • tlog append/prove lifted into auths-sdk + native Python tlog binding (offline inclusion proofs)
  • validate_passphrase + PASSPHRASE_MIN_LEN — expose the keychain passphrase policy for pre-flight checks

Verified by the downstream auths-curve integration suite (16/16 RED-first claims GREEN, which
rebuilds this SDK from source before probing).

🤖 Generated with Claude Code

bordumb and others added 5 commits July 2, 2026 09:09
…log binding

Move the transparency-log append/prove orchestration out of the CLI presentation
layer and into auths_sdk::workflows::transparency (append_artifact_digest /
prove_artifact_digest, beside try_cache_checkpoint). auths-transparency stays the
Core implementer; auths-cli/log.rs is now a thin wrapper, matching handle_verify.

Add a native Python binding: _native.{log_append,log_prove,log_verify_inclusion}
plus an auths.tlog wrapper. log_verify_inclusion calls
auths_verifier::verify_artifact_log_inclusion — offline, three fail-closed checks
(leaf binds the digest, Merkle proof against the signed checkpoint, checkpoint
signed by the pinned key).

9 new SDK tests cover the append/prove round-trip, tree growth, proof
re-verification, and forged/absent/wrong-key/malformed rejection. A logic-inert
#[allow(clippy::too_many_lines)] on the pre-existing sign_artifact unblocks the
crate's -D warnings clippy gate.

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
Add auths_sdk::workflows::dsse — a predicate-agnostic DSSE signer/verifier for
arbitrary in-toto Statements, reusing the generic dsse_pae + the DSSE envelope
wire type (deliberately NOT the compliance evidence-pack predicate, whose
predicate is semantically wrong for a code-correctness verdict).
sign_intoto_statement(key_storage, provider, keyid, alias, curve, statement)
signs the DSSE PAE with a keychain identity; verify_intoto_statement(envelope,
pinned_key) reads the curve in-band and returns the verified Statement offline.
5 tests: ed25519 + p256 round-trip, and tamper / wrong-key / non-in-toto rejected.

Exposed natively: _native.{dsse_sign_statement,dsse_verify_statement} plus an
auths.dsse Python wrapper (curve resolved from the keychain via
extract_public_key_bytes, never guessed). This is the F1a enabler.

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
…SSE (A2)

Add a fast agent path with no passphrase KDF. _native.create_ephemeral_agent runs
a KERI inception in a throwaway git repo and returns {did:keri, public_key,
private_key (raw seed), attestation} — no keys.enc, no keychain. It signs via the
raw seed: the existing sign_action, plus a new raw-seed DSSE path —
auths_sdk::workflows::dsse::sign_intoto_statement_with_seed (typed_sign over the
DSSE PAE, curve-agnostic via TypedSeed::from_curve) exposed as
_native.dsse_sign_statement_with_key. Both verify through the existing paths;
sign_with_seed round-trip + tamper tests added. Mints in ~30ms (was ~11s KDF).

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
_native.verify_bytes verifies a raw signature with no envelope — the dual of
sign_bytes / sign_as_agent, with the curve read from the public key. Lets a
verifier check the exact bytes a raw signer produced (e.g. recurve's stored
receipt signatures), not only action envelopes.

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
…t checks

The keychain enforces a passphrase policy (>=12 chars, >=3 of 4 character classes)
only at create_agent/create time, so callers discover the rule by trial. Expose it
up front: a thin pyo3 binding over auths_core::crypto::encryption::validate_passphrase
(no reimplementation — the rule stays in core) plus the PASSPHRASE_MIN_LEN constant,
both in auths.__all__ and the type stub. validate_passphrase raises ValueError with
the shortfall on a weak passphrase.

- packages/auths-python/src/passphrase.rs: the binding + PASSPHRASE_MIN_LEN
- src/lib.rs: register the function + constant on _native
- python/auths/__init__.py + __init__.pyi: export + type them

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
@vercel

vercel Bot commented Jul 2, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
auths Building Building Preview, Comment Jul 2, 2026 8:00pm

@bordumb bordumb merged commit d5d42c1 into main Jul 2, 2026
17 of 20 checks passed
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
62340fe7 ❌ Failed No signature found
84d712b8 ❌ Failed No signature found
73702991 ❌ Failed No signature found
763b9adf ❌ Failed No signature found
7523669c ❌ Failed No signature found

Result: ❌ 0/5 commits verified


How to fix

Commit 62340fe7 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant