Byte-identical verifier for AgentOracle composed envelopes (JCS + Ed25519). Python sibling of @agentoracle/receipt-verify.
Project description
@agentoracle/receipt-verify (Python)
Python sibling of @agentoracle/receipt-verify (Node) and the browser bundle. Byte-identical JCS + Ed25519 verify for AgentOracle composed envelopes.
Design goal
Three implementations, one canonicalization. A receipt canonicalized in Node, Python, or the browser must produce the byte-identical string and byte-identical SHA-256. No language-specific behavior. No trusted issuer round-trip.
Install
pip install agentoracle-receipt-verify
Usage
from agentoracle_receipt_verify import verify
result = verify(envelope, jwks_by_issuer={
"https://agentoracle.co/.well-known/jwks.json": ao_jwks,
"https://agenttrust.uk/.well-known/jwks.json": at_jwks,
})
if result.valid:
print("verified — canonical:", result.canonical_sha256)
What it checks
| Invariant | Description |
|---|---|
canonical_recomputes |
JCS(payload) → SHA-256 recomputes byte-identical to claimed |
decision_ref_recomputes |
sha256(JCS(preimage)) matches published decision_ref (per invinoveritas/babyblueviper1 spec) |
decision_signer_ne_runtime |
Decision signer issuer ≠ runtime issuer (fail-closed: self-approval is void) |
all_signatures_verified |
Every JWS signature verifies against a resolvable JWK by kid |
Cross-language guarantees
The tests/ suite includes byte-identical fixtures shared with the Node reference implementation:
test_jcs_byte_identical_to_node— Python JCS output byte-matches Node output for a payload with nested objects, arrays, unicode, booleans, and integers.test_decision_ref_recompute_babyblueviper1— Python recomputes the shipped invinoveritas fixture, byte-identical to her Python and our Node.test_conformance_sample_canonical_hash— reproduces the canonical hash from AgentOracle's/v1/conformance/sampleproduction endpoint.
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file agentoracle_receipt_verify-0.0.1.tar.gz.
File metadata
- Download URL: agentoracle_receipt_verify-0.0.1.tar.gz
- Upload date:
- Size: 7.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
99f4e3e8468096411a5325b812dac3471183def360cfff6af8735775311455a0
|
|
| MD5 |
5f28397c47dfe3f4f09f71bd6798f442
|
|
| BLAKE2b-256 |
62ddf11c6a7d54e67b0e98956763e981087322603242a0acdc2647d81db45b1c
|
File details
Details for the file agentoracle_receipt_verify-0.0.1-py3-none-any.whl.
File metadata
- Download URL: agentoracle_receipt_verify-0.0.1-py3-none-any.whl
- Upload date:
- Size: 6.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b00f53466fa9f7e2d6e408cea5defa4032f0185143bcb2a30b916c4354dcd106
|
|
| MD5 |
85ab4c4320694f7d3e9d35fa905d62cd
|
|
| BLAKE2b-256 |
8bb590719e3c514504dca02c583c10e380abd0487bbc1278d50e09d96c9efe07
|