Attesto Local Vault edge relay for proofstream source attestations
Project description
Attesto Local Vault
Attesto Local Vault is the customer-side edge relay for Attesto 2.0 proofstream source attestations. It stores queued attestations in an encrypted SQLite spool, signs outbound relay envelopes with Ed25519, and sends them to a registered Attesto Local Vault receiver endpoint.
It can also run as a customer-side proofstream witness: checkpoint progression is stored locally, accepted checkpoints are signed, and conflicting history produces fork evidence instead of advancing state.
Runtime keys are supplied by the local deployment secret manager. Private signing keys, spool encryption keys, and connector credentials are never sent to Attesto.
The runtime is intentionally idempotent on (stream_id, source_ref), rejects
payload drift for a reused source reference, recovers stale in-flight queue
items after process crashes, and only relays to HTTPS endpoints.
Delivery acknowledgements are fail-closed. Local Vault only marks a queued item
as delivered when the Attesto receiver returns a 2xx JSON receipt with a
localVaultAck whose envelopeHash matches the signed outbound envelope and
whose stream and canonical local-vault:{installation_id}:{source_ref} event
id match the receipt payload. A proxy/misroute 2xx, malformed body, or
mismatched receipt is treated as a failed attempt and remains subject to
retry/dead-letter policy.
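The fail-closed acknowledgement check described above, as an added example that is not the project's own code. The page names only `localVaultAck` and `envelopeHash`; the `streamId` and `eventId` field names, the SHA-256 hex envelope hash, and all sample values are assumptions made for illustration.

```python
import hashlib
import json

def envelope_hash(signed_envelope: bytes) -> str:
    # Assumption: hex SHA-256 over the exact bytes that were signed and sent.
    return hashlib.sha256(signed_envelope).hexdigest()

def ack_is_valid(status: int, body: bytes, signed_envelope: bytes,
                 installation_id: str, stream_id: str, source_ref: str) -> bool:
    """True only if every check passes; anything else is a failed attempt."""
    if not 200 <= status < 300:
        return False
    try:
        receipt = json.loads(body)
    except ValueError:  # malformed JSON or undecodable bytes
        return False
    ack = receipt.get("localVaultAck") if isinstance(receipt, dict) else None
    if not isinstance(ack, dict):
        return False  # e.g. a proxy or misrouted endpoint answering 200
    expected = {
        "envelopeHash": envelope_hash(signed_envelope),
        "streamId": stream_id,  # hypothetical field name
        "eventId": f"local-vault:{installation_id}:{source_ref}",  # hypothetical field name
    }
    return all(ack.get(key) == value for key, value in expected.items())

# Constructed sample data, not captured traffic.
ENVELOPE = b'{"stream":"str_demo","sourceRef":"inv-0001","sig":"..."}'
ARGS = (ENVELOPE, "inst_demo", "str_demo", "inv-0001")

def make_body(**overrides) -> bytes:
    ack = {"envelopeHash": envelope_hash(ENVELOPE), "streamId": "str_demo",
           "eventId": "local-vault:inst_demo:inv-0001"}
    ack.update(overrides)
    return json.dumps({"localVaultAck": ack}).encode()

def mark_delivered(status: int, body: bytes) -> bool:
    # Fail closed: the queue item changes state only on a fully verified ack.
    return ack_is_valid(status, body, *ARGS)

if __name__ == "__main__":
    print(mark_delivered(200, make_body()))                       # verified ack
    print(mark_delivered(200, b"<html>OK</html>"))                # proxy 2xx
    print(mark_delivered(200, make_body(envelopeHash="0" * 64)))  # hash mismatch
    print(mark_delivered(502, make_body()))                       # non-2xx
```
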
Runtime
attesto-local-vault drain-loop is the production runner. It reads its
non-secret runtime coordinates from flags or environment variables and reads
key material only from the local deployment secret manager:
- ATTESTO_LOCAL_VAULT_SPOOL_DB
- ATTESTO_LOCAL_VAULT_INSTALLATION_ID
- ATTESTO_LOCAL_VAULT_RELAY_URL
- ATTESTO_LOCAL_VAULT_KEY_ID
- ATTESTO_LOCAL_VAULT_ENCRYPTION_KEY
- ATTESTO_LOCAL_VAULT_SIGNING_KEY
The packaged Docker image runs as a non-root user, stores the encrypted spool
under /var/lib/attesto/local-vault.sqlite3, and defaults to drain-loop.
Witness
attesto-local-vault witness-checkpoint is the production operator command for
customer-side checkpoint witnessing. It signs only monotonic progression for a
single (witness_id, tenant_id, stream_id) and returns fork evidence for stale
or conflicting checkpoint heads.
attesto-local-vault --witness-db /var/lib/attesto/local-vault-witness.sqlite3 \
witness-checkpoint \
--tenant-id ten_... \
--stream-id str_... \
--checkpoint-id chk_... \
--checkpoint-seq-no 42 \
--checkpoint-hash "$CHECKPOINT_HASH" \
--previous-checkpoint-hash "$PREVIOUS_CHECKPOINT_HASH"
Witness runtime values are read from flags or environment:
- ATTESTO_LOCAL_VAULT_WITNESS_DB
- ATTESTO_LOCAL_VAULT_WITNESS_ID (set to the Attesto Local Vault installation ID)
- ATTESTO_LOCAL_VAULT_KEY_ID
- ATTESTO_LOCAL_VAULT_SIGNING_KEY
The command output contains public key metadata, signature material, and the receipt or fork evidence. Receipts and fork evidence are both signed. It never prints the private signing key.
Submit the JSON output to the Attesto installation witness endpoint:
/v2/local-vault/installations/{installationId}/witness/checkpoints
The SaaS endpoint verifies the Local Vault public key, domain-separated signature, statement/fork hash, checkpoint binding, and monotonic witness state before persisting anything.
File details
Details for the file attesto_local_vault-0.2.0-py3-none-any.whl.
File metadata
- Download URL: attesto_local_vault-0.2.0-py3-none-any.whl
- Upload date:
- Size: 21.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | b88445e51c643ff8d0eddedded7aaf51bf8b35d0580646cdf3773b41c4851aae |
| MD5 | 402733fbf93a8a36350076ebfbd6e70f |
| BLAKE2b-256 | 078103725ff7e21705587a38958072d1caf61bc9747f3c9ac807317797c44f29 |