Python SDK surface for the recurve × auths integration (verify_bytes, ephemeral agent, DSSE signer, tlog, passphrase policy) #364
Merged
…log binding
Move the transparency-log append/prove orchestration out of the CLI presentation
layer and into auths_sdk::workflows::transparency (append_artifact_digest /
prove_artifact_digest, beside try_cache_checkpoint). auths-transparency stays the
Core implementer; auths-cli/log.rs is now a thin wrapper, matching handle_verify.
Add a native Python binding: _native.{log_append,log_prove,log_verify_inclusion}
plus an auths.tlog wrapper. log_verify_inclusion calls
auths_verifier::verify_artifact_log_inclusion — offline, three fail-closed checks
(leaf binds the digest, Merkle proof against the signed checkpoint, checkpoint
signed by the pinned key).
9 new SDK tests cover the append/prove round-trip, tree growth, proof
re-verification, and forged/absent/wrong-key/malformed rejection. A logic-inert
#[allow(clippy::too_many_lines)] on the pre-existing sign_artifact unblocks the
crate's -D warnings clippy gate.
Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
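The three fail-closed checks named in the commit above, as an added example that is not the auths_verifier code. It assumes RFC 6962-style leaf/node hashing and a leaf that is the raw artifact digest, and it uses an HMAC as a stand-in for the checkpoint signature so it runs on the standard library alone; every function name and the bundle layout are hypothetical.

```python
import hashlib
import hmac

def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()  # RFC 6962 leaf prefix (assumed)

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def root_from_proof(leaf: bytes, index: int, size: int, path: list) -> bytes:
    """Recompute the root from an audit path (RFC 9162 inclusion-proof check)."""
    if not 0 <= index < size:
        raise ValueError("leaf index outside tree")
    fn, sn, r = index, size - 1, leaf
    for p in path:
        if sn == 0:
            raise ValueError("proof longer than tree depth")
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    if sn != 0:
        raise ValueError("proof shorter than tree depth")
    return r

def checkpoint_mac(key: bytes, cp: dict) -> bytes:
    body = f"{cp['size']}\n{cp['root'].hex()}\n".encode()
    return hmac.new(key, body, hashlib.sha256).digest()  # HMAC stand-in for a signature

def verify_inclusion(digest: bytes, bundle: dict, pinned_key: bytes) -> bool:
    try:
        cp = bundle["checkpoint"]
        leaf_ok = hmac.compare_digest(bundle["leaf"], digest)       # leaf binds the digest
        root = root_from_proof(leaf_hash(digest), bundle["index"], cp["size"], bundle["path"])
        root_ok = hmac.compare_digest(root, cp["root"])             # proof reaches the root
        sig_ok = hmac.compare_digest(checkpoint_mac(pinned_key, cp), cp["sig"])  # pinned key
        return leaf_ok and root_ok and sig_ok
    except (KeyError, TypeError, ValueError, AttributeError):
        return False  # malformed input fails closed

KEY = b"constructed-pinned-key"  # constructed sample: 3-leaf log, proof for leaf 2
DIGESTS = [hashlib.sha256(b"artifact-%d" % i).digest() for i in range(3)]
LEFT = node_hash(leaf_hash(DIGESTS[0]), leaf_hash(DIGESTS[1]))
CHECKPOINT = {"size": 3, "root": node_hash(LEFT, leaf_hash(DIGESTS[2]))}
CHECKPOINT["sig"] = checkpoint_mac(KEY, CHECKPOINT)
BUNDLE = {"leaf": DIGESTS[2], "index": 2, "path": [LEFT], "checkpoint": CHECKPOINT}
```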
Add auths_sdk::workflows::dsse — a predicate-agnostic DSSE signer/verifier for
arbitrary in-toto Statements, reusing the generic dsse_pae + the DSSE envelope
wire type (deliberately NOT the compliance evidence-pack predicate, whose
predicate is semantically wrong for a code-correctness verdict).
sign_intoto_statement(key_storage, provider, keyid, alias, curve, statement)
signs the DSSE PAE with a keychain identity; verify_intoto_statement(envelope,
pinned_key) reads the curve in-band and returns the verified Statement offline.
5 tests: ed25519 + p256 round-trip, and tamper / wrong-key / non-in-toto rejected.
Exposed natively: _native.{dsse_sign_statement,dsse_verify_statement} plus an
auths.dsse Python wrapper (curve resolved from the keychain via
extract_public_key_bytes, never guessed). This is the F1a enabler.
Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
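Why the signature is taken over the DSSE PAE rather than the bare payload, as an added example that is not the auths_sdk::workflows::dsse code. An HMAC stands in for the Ed25519/P-256 signature so it runs on the standard library alone; sign_payload, verify_statement, check and the sample predicate type are hypothetical names.

```python
import base64
import hashlib
import hmac
import json

INTOTO_TYPE = "application/vnd.in-toto+json"

def pae(payload_type: str, body: bytes) -> bytes:
    """DSSE pre-authentication encoding: length-prefixed type and body."""
    t = payload_type.encode()
    return b"DSSEv1 %d %b %d %b" % (len(t), t, len(body), body)

def _sig(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()  # HMAC stand-in for a signature

def sign_payload(key: bytes, keyid: str, payload_type: str, body: bytes) -> dict:
    sig = base64.b64encode(_sig(key, pae(payload_type, body))).decode()
    return {"payloadType": payload_type, "payload": base64.b64encode(body).decode(),
            "signatures": [{"keyid": keyid, "sig": sig}]}

def verify_statement(envelope: dict, pinned_key: bytes) -> dict:
    """Return the Statement only after the PAE signature and both type checks pass."""
    ptype = envelope["payloadType"]
    body = base64.b64decode(envelope["payload"], validate=True)
    want = _sig(pinned_key, pae(ptype, body))
    sigs = [base64.b64decode(s["sig"], validate=True) for s in envelope["signatures"]]
    if not any(hmac.compare_digest(want, s) for s in sigs):
        raise ValueError("signature does not verify under the pinned key")
    if ptype != INTOTO_TYPE:
        raise ValueError("payloadType is not in-toto")
    statement = json.loads(body)  # parsed only after the signature check
    if not str(statement.get("_type", "")).startswith("https://in-toto.io/Statement/"):
        raise ValueError("payload is not an in-toto Statement")
    return statement

def check(envelope: dict, pinned_key: bytes) -> str:
    try:
        verify_statement(envelope, pinned_key)
        return "ok"
    except (KeyError, TypeError, ValueError, AttributeError) as exc:
        return f"rejected: {exc}"  # malformed envelopes fail closed too

# Constructed sample statement and key (not real values).
KEY = b"constructed-pinned-key"
STATEMENT = {"_type": "https://in-toto.io/Statement/v1",
             "subject": [{"name": "artifact.bin", "digest": {"sha256": "00" * 32}}],
             "predicateType": "https://example.invalid/verdict/v1", "predicate": {"verdict": "pass"}}
ENVELOPE = sign_payload(KEY, "constructed-key", INTOTO_TYPE,
                        json.dumps(STATEMENT, sort_keys=True).encode())
```

Changing only `payloadType` on a valid envelope fails the signature check, because the type is inside the signed bytes.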
…SSE (A2)
Add a fast agent path with no passphrase KDF. _native.create_ephemeral_agent runs
a KERI inception in a throwaway git repo and returns {did:keri, public_key,
private_key (raw seed), attestation} — no keys.enc, no keychain. It signs via the
raw seed: the existing sign_action, plus a new raw-seed DSSE path —
auths_sdk::workflows::dsse::sign_intoto_statement_with_seed (typed_sign over the
DSSE PAE, curve-agnostic via TypedSeed::from_curve) exposed as
_native.dsse_sign_statement_with_key. Both verify through the existing paths;
sign_with_seed round-trip + tamper tests added. Mints in ~30ms (was ~11s KDF).
Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
_native.verify_bytes verifies a raw signature with no envelope — the dual of sign_bytes / sign_as_agent, with the curve read from the public key. Lets a verifier check the exact bytes a raw signer produced (e.g. recurve's stored receipt signatures), not only action envelopes.
Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
…t checks
The keychain enforces a passphrase policy (>=12 chars, >=3 of 4 character classes) only at create_agent/create time, so callers discover the rule by trial. Expose it up front: a thin pyo3 binding over auths_core::crypto::encryption::validate_passphrase (no reimplementation — the rule stays in core) plus the PASSPHRASE_MIN_LEN constant, both in auths.__all__ and the type stub. validate_passphrase raises ValueError with the shortfall on a weak passphrase.
- packages/auths-python/src/passphrase.rs: the binding + PASSPHRASE_MIN_LEN
- src/lib.rs: register the function + constant on _native
- python/auths/__init__.py + __init__.pyi: export + type them
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
Auths Commit Verification
Result: ❌ 0/5 commits verified
How to fix
1. Install auths
   macOS:
2. One-time setup (creates your identity and configures Git)
   auths init
3. Sign this branch and push
   auths sign origin/main..HEAD
   git push --force-with-lease
For CI to verify the signer, commit an identity bundle:
   auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000
Adds the Python SDK surface the recurve × auths integration consumes, all additive
(new pyo3 bindings + SDK workflows; no existing behavior changed):
Verified by the downstream auths-curve integration suite (16/16 RED-first claims GREEN, which
rebuilds this SDK from source before probing).
🤖 Generated with Claude Code