Byte-identical verifier for AgentOracle composed envelopes (JCS + Ed25519). Python sibling of @agentoracle/receipt-verify.

@agentoracle/receipt-verify (Python)

Python sibling of @agentoracle/receipt-verify (Node) and the browser bundle. Byte-identical JCS + Ed25519 verify for AgentOracle composed envelopes.

Design goal

Three implementations, one canonicalization. A receipt canonicalized in Node, Python, or the browser must produce the byte-identical string and byte-identical SHA-256. No language-specific behavior. No trusted issuer round-trip.

Install

pip install agentoracle-receipt-verify

Usage

from agentoracle_receipt_verify import verify

result = verify(envelope, jwks_by_issuer={
    "https://agentoracle.co/.well-known/jwks.json": ao_jwks,
    "https://agenttrust.uk/.well-known/jwks.json": at_jwks,
})

if result.valid:
    print("verified — canonical:", result.canonical_sha256)

What it checks

| Invariant | Description |
| --- | --- |
| canonical_recomputes | JCS(payload) → SHA-256 recomputes byte-identical to claimed |
| decision_ref_recomputes | sha256(JCS(preimage)) matches published decision_ref (per invinoveritas/babyblueviper1 spec) |
| decision_signer_ne_runtime | Decision signer issuer ≠ runtime issuer (fail-closed: self-approval is void) |
| all_signatures_verified | Every JWS signature verifies against a resolvable JWK by kid |

Cross-language guarantees

The tests/ suite includes byte-identical fixtures shared with the Node reference implementation:

  • test_jcs_byte_identical_to_node — Python JCS output byte-matches Node output for a payload with nested objects, arrays, unicode, booleans, and integers.
  • test_decision_ref_recompute_babyblueviper1 — Python recomputes the shipped invinoveritas fixture, byte-identical to her Python and our Node.
  • test_conformance_sample_canonical_hash — reproduces the canonical hash from AgentOracle's /v1/conformance/sample production endpoint.
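
Why "byte-identical" needs more than a sorted JSON dump, shown as an added example that is not the package's own code: RFC 8785 (JCS) orders object keys by UTF-16 code units, so a code-point sort such as `json.dumps(sort_keys=True)` diverges from Node on keys outside the Basic Multilingual Plane. The helper names `jcs`, `canonical_sha256` and `check_canonical_recomputes` are hypothetical, the payload is constructed, and only the value types named in the fixture list above are handled (floats are rejected).

```python
import hashlib
import json

MAX_SAFE_INT = 2**53 - 1  # largest integer a JS number (IEEE-754 double) holds exactly


def jcs(value) -> str:
    """RFC 8785 canonical form for objects, arrays, strings, booleans, null, integers."""
    if value is None or isinstance(value, bool):  # bool before int: True is an int in Python
        return json.dumps(value)
    if isinstance(value, int):
        if abs(value) > MAX_SAFE_INT:
            raise ValueError("integer not exactly representable as a JSON number")
        return str(value)
    if isinstance(value, str):
        # JCS emits non-ASCII as raw UTF-8 and escapes only what JSON requires.
        return json.dumps(value, ensure_ascii=False)
    if isinstance(value, list):
        return "[" + ",".join(jcs(v) for v in value) + "]"
    if isinstance(value, dict):
        if not all(isinstance(k, str) for k in value):
            raise TypeError("object keys must be strings")
        # Key order is by UTF-16 code units, not by Unicode code point.
        keys = sorted(value, key=lambda k: k.encode("utf-16-be"))
        return "{" + ",".join(jcs(k) + ":" + jcs(value[k]) for k in keys) + "}"
    # Floats land here: they need ECMAScript number formatting, which repr() does not match.
    raise TypeError(f"unsupported type: {type(value).__name__}")


def canonical_sha256(payload) -> str:
    """Hex SHA-256 over the UTF-8 bytes of the canonical string."""
    return hashlib.sha256(jcs(payload).encode("utf-8")).hexdigest()


def check_canonical_recomputes(payload, claimed_hex) -> bool:
    """Fail closed: a payload that cannot be canonicalized never matches."""
    try:
        return isinstance(claimed_hex, str) and canonical_sha256(payload) == claimed_hex
    except (TypeError, ValueError):  # includes UnicodeEncodeError for lone surrogates
        return False


# Constructed sample payload (not an AgentOracle fixture). A code-point sort would
# put "\ufb33" first; UTF-16 order puts the emoji key (0xD83D 0xDE00) first.
SAMPLE = {"\ufb33": 1, "\U0001F600": [True, None, {"b": "\u00e9", "a": -7}]}

if __name__ == "__main__":
    print(jcs(SAMPLE), canonical_sha256(SAMPLE))
```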

License

MIT

Download files

Source Distribution

agentoracle_receipt_verify-0.0.1.tar.gz (7.2 kB)

Built Distribution

agentoracle_receipt_verify-0.0.1-py3-none-any.whl (6.4 kB)
