Skip to main content

Shared types, Charter schema, signing, and SARIF emit for BlastContain tools

Project description

blastcontain-core

Shared types, Charter schema, audit-packet signing, and SARIF emit for the BlastContain tool family.

pip install blastcontain-core

What's in here

Module Purpose
blastcontain_core.models Severity, ScanStatus, InfraFinding, ScanResult
blastcontain_core.constants MIT_RISK_MAP — finding_type → MIT AI Risk taxonomy
blastcontain_core.charter CharterSchema, DelegationRules, HitlConfig, RemediationProof
blastcontain_core.signing Ed25519 + HMAC packet signing and verification
blastcontain_core.sarif SARIF 2.1.0 output for GitHub/GitLab/IDEs
blastcontain_core.ignore .blastcontainignore pattern loader

Who uses this

Pre-release note: these repositories and PyPI packages are not published yet. The links above are the planned canonical locations and will 404 until the first public release; blastcontain-verify ships first, with drill and discovery following once they have implementations. Until then, build from the local blastcontain-oss/ working tree.

If you're writing a third-party BlastContain tool, depend on this package and your output will be wire-compatible with the rest of the ecosystem.

Signing an audit packet

from blastcontain_core.signing import sign_packet, verify_packet
from datetime import datetime, timezone

payload = {"agent_id": "my-agent", "environment": "prod", "findings": []}
signed_at = datetime.now(timezone.utc).isoformat()

signature = sign_packet(payload, signed_at=signed_at)
packet = {"schema_version": "1.1", "packet": payload, "signature": signature}

# Anyone with the public key (or the HMAC secret) can verify
assert verify_packet(packet) is True

Signing key sources, in priority order:

  1. BLASTCONTAIN_SIGNING_KEY_PATH — path to a PEM-encoded Ed25519 private key (preferred)
  2. BLASTCONTAIN_SIGNING_KEY_PEM — PEM contents as a string
  3. BLASTCONTAIN_SIGNING_KEY — arbitrary HMAC secret (fallback)
  4. None — defaults to local-verify-default HMAC with a stderr warning

Generate a real Ed25519 key:

openssl genpkey -algorithm Ed25519 -out blastcontain-signing.key
chmod 600 blastcontain-signing.key
export BLASTCONTAIN_SIGNING_KEY_PATH=$PWD/blastcontain-signing.key
export BLASTCONTAIN_SIGNING_KEY_ID=ed25519-prod-2026-q2

Writing a local Charter

# charter.yaml
agent_id: my-agent
environment: prod
version: "1.0"
trust_tier: 1
permitted_tools:
  - search_knowledge_base
  - get_ticket_status
delegation_rules:
  max_chain_depth: 0
  require_parent_approval: true
hitl_config:
  required_for: ["destructive_apis"]
  timeout_sec: 600
from blastcontain_core.charter import load_charter

charter = load_charter("./charter.yaml")
assert "search_knowledge_base" in charter.permitted_tools

SARIF output

from blastcontain_core.sarif import write_sarif
write_sarif(scan_result, "scan.sarif", tool_name="my-tool", tool_version="1.0.0")

Upload to GitHub Code Scanning in your CI:

- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: scan.sarif

License

Apache 2.0 — see also NOTICE for third-party attribution.

Contributing

See CONTRIBUTING.md. All contributions require a DCO sign-off (git commit -s).

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

blastcontain_core-0.2.0.tar.gz (26.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

blastcontain_core-0.2.0-py3-none-any.whl (23.1 kB view details)

Uploaded Python 3

File details

Details for the file blastcontain_core-0.2.0.tar.gz.

File metadata

  • Download URL: blastcontain_core-0.2.0.tar.gz
  • Upload date:
  • Size: 26.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for blastcontain_core-0.2.0.tar.gz
Algorithm Hash digest
SHA256 af1ce6f33a36c7bd67860b30df2110461e5a2a0db20c14105288bce7701d33c0
MD5 ac391b3239dfbad28122f7ec442aa865
BLAKE2b-256 3b441820b36ab8af82e5513a0cf8d2bfea03d3f0b877d9b2f8632084a1085a25

See more details on using hashes here.

Provenance

The following attestation bundles were made for blastcontain_core-0.2.0.tar.gz:

Publisher: release.yml on gdeudney/blastcontain-oss

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file blastcontain_core-0.2.0-py3-none-any.whl.

File metadata

File hashes

Hashes for blastcontain_core-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 de14a3fc462d9b3300199c20e212a3fa053569568033e91b69b40ab16baeb540
MD5 df0f0a2aa7e62d1281c83e21b7154def
BLAKE2b-256 93b9eba5e3bfb74ed60e19de70c1e6ffba5f72f18fa155deb5d67e318fdd872a

See more details on using hashes here.

Provenance

The following attestation bundles were made for blastcontain_core-0.2.0-py3-none-any.whl:

Publisher: release.yml on gdeudney/blastcontain-oss

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page