opa-ruby 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6938bad1dc3db52fbac52f2a3c9df453fb03a9d61f937a33f3280d4fb258fb46
+  data.tar.gz: 25d52c72af1b58ff16e44f20bd4c49e955cfaa4f01a0002faea1498ac1ee2d2e
+SHA512:
+  metadata.gz: b7b3dc7a81c10bfc9e397bf94e4cf206a254db500a82040e4babedc36904cc9d9c42b806f93f69361efe544c16dcdd844a8f72c55e03df8fc5dbc25d0cabbf5b
+  data.tar.gz: de0c56f213ecc9bb17edbb4d8bdd26323b5afe33bc71d98c4dfccb001578496f9d98a90ee7d13d936b04fe356105ed57356500552a340882a6c697216b8e97da

data/bin/opa

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "opa/cli"
+
+exit OPA::CLI.new(ARGV).run

data/lib/opa/archive.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+require "zip"
+require "digest"
+
+module OPA
+  # Builds OPA archive (.opa) files.
+  # An OPA archive is a ZIP file containing a manifest, prompt file,
+  # and optional session history and data assets.
+  class Archive
+    attr_reader :manifest
+
+    def initialize
+      @manifest = Manifest.new
+      @entries = {} # path => content (String or IO)
+    end
+
+    def prompt=(content)
+      prompt_path = @manifest["Prompt-File"] || "prompt.md"
+      @entries[prompt_path] = content
+    end
+
+    def add_data(path, content)
+      full_path = "data/#{path}"
+      @entries[full_path] = content
+    end
+
+    def add_session(content)
+      session_path = @manifest["Session-File"] || "session/history.json"
+      @entries[session_path] = content
+    end
+
+    def add_entry(path, content)
+      @entries[path] = content
+    end
+
+    # Sign the archive with a private key and certificate.
+    # Must be called before #write.
+    def sign(private_key, certificate, algorithm: "SHA-256")
+      @signer = Signer.new(private_key, certificate, algorithm: algorithm)
+    end
+
+    def write(io_or_path)
+      if io_or_path.is_a?(String)
+        File.open(io_or_path, "wb") { |f| write_to_stream(f) }
+      else
+        write_to_stream(io_or_path)
+      end
+    end
+
+    private
+
+    def write_to_stream(io)
+      buffer = StringIO.new
+      build_zip(buffer)
+      io.write(buffer.string)
+    end
+
+    def build_zip(io)
+      Zip::OutputStream.write_buffer(io) do |zip|
+        # Compute digests for all entries if signing
+        entry_digests = {}
+        @entries.each do |path, content|
+          data = content.is_a?(IO) ? content.read : content
+          entry_digests[path] = data
+        end
+
+        # Build manifest with digests if signing
+        if @signer
+          entry_digests.each do |path, data|
+            digest = @signer.digest(data)
+            @manifest.add_entry(path, { "#{@signer.digest_name}-Digest" => digest })
+          end
+        end
+
+        manifest_content = @manifest.to_s
+
+        # Write manifest
+        zip.put_next_entry("META-INF/MANIFEST.MF")
+        zip.write(manifest_content)
+
+        # Write signature files if signing
+        if @signer
+          sf_content = @signer.signature_file(manifest_content)
+          zip.put_next_entry("META-INF/SIGNATURE.SF")
+          zip.write(sf_content)
+
+          sig_block = @signer.signature_block(sf_content)
+          zip.put_next_entry("META-INF/SIGNATURE#{@signer.block_extension}")
+          zip.write(sig_block)
+        end
+
+        # Write all content entries
+        entry_digests.each do |path, data|
+          zip.put_next_entry(path)
+          zip.write(data)
+        end
+      end
+    end
+  end
+end

data/lib/opa/cli.rb

@@ -0,0 +1,210 @@
+# frozen_string_literal: true
+
+require "optparse"
+require "opa"
+
+module OPA
+  class CLI
+    COMMANDS = %w[pack verify inspect].freeze
+
+    def initialize(argv)
+      @argv = argv.dup
+    end
+
+    def run
+      if @argv.empty? || %w[-h --help help].include?(@argv.first)
+        print_usage
+        return 0
+      end
+
+      if %w[-v --version].include?(@argv.first)
+        $stdout.puts "opa-ruby #{OPA::VERSION}"
+        return 0
+      end
+
+      command = @argv.shift
+      unless COMMANDS.include?(command)
+        $stderr.puts "Unknown command: #{command}"
+        $stderr.puts "Run 'opa --help' for usage."
+        return 1
+      end
+
+      send("run_#{command}")
+    rescue StandardError => e
+      $stderr.puts "Error: #{e.message}"
+      1
+    end
+
+    private
+
+    def run_pack
+      options = { title: nil, data: [], session: nil, key: nil, cert: nil, algorithm: "SHA-256", output: nil }
+
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: opa pack PROMPT_FILE [options]"
+        opts.on("-o", "--output FILE", "Output .opa file (default: <prompt_basename>.opa)") { |v| options[:output] = v }
+        opts.on("-t", "--title TITLE", "Archive title") { |v| options[:title] = v }
+        opts.on("-d", "--data FILE", "Add a data file (repeatable)") { |v| options[:data] << v }
+        opts.on("-s", "--session FILE", "Session history JSON file") { |v| options[:session] = v }
+        opts.on("-k", "--key FILE", "Private key PEM file for signing") { |v| options[:key] = v }
+        opts.on("-c", "--cert FILE", "Certificate PEM file for signing") { |v| options[:cert] = v }
+        opts.on("--algorithm ALG", "Digest algorithm (SHA-256, SHA-384, SHA-512)") { |v| options[:algorithm] = v }
+      end
+      parser.parse!(@argv)
+
+      prompt_file = @argv.shift
+      unless prompt_file
+        $stderr.puts parser.help
+        return 1
+      end
+
+      unless File.exist?(prompt_file)
+        $stderr.puts "Prompt file not found: #{prompt_file}"
+        return 1
+      end
+
+      archive = Archive.new
+      archive.manifest["Prompt-File"] = File.basename(prompt_file)
+      archive.manifest["Created-By"] = "opa-ruby/#{OPA::VERSION}"
+      archive.manifest["Title"] = options[:title] if options[:title]
+      archive.prompt = File.read(prompt_file)
+
+      options[:data].each do |data_file|
+        unless File.exist?(data_file)
+          $stderr.puts "Data file not found: #{data_file}"
+          return 1
+        end
+        archive.add_data(File.basename(data_file), File.read(data_file))
+      end
+
+      if options[:session]
+        unless File.exist?(options[:session])
+          $stderr.puts "Session file not found: #{options[:session]}"
+          return 1
+        end
+        archive.add_session(File.read(options[:session]))
+      end
+
+      if options[:key] || options[:cert]
+        unless options[:key] && options[:cert]
+          $stderr.puts "Both --key and --cert are required for signing."
+          return 1
+        end
+        key = OpenSSL::PKey.read(File.read(options[:key]))
+        cert = OpenSSL::X509::Certificate.new(File.read(options[:cert]))
+        archive.sign(key, cert, algorithm: options[:algorithm])
+      end
+
+      output = options[:output] || File.basename(prompt_file, File.extname(prompt_file)) + ".opa"
+      archive.write(output)
+      $stdout.puts "Created #{output}"
+      0
+    end
+
+    def run_verify
+      options = { cert: nil }
+
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: opa verify ARCHIVE [options]"
+        opts.on("-c", "--cert FILE", "Certificate PEM file to verify against") { |v| options[:cert] = v }
+      end
+      parser.parse!(@argv)
+
+      archive_file = @argv.shift
+      unless archive_file
+        $stderr.puts parser.help
+        return 1
+      end
+
+      unless File.exist?(archive_file)
+        $stderr.puts "Archive not found: #{archive_file}"
+        return 1
+      end
+
+      verifier = Verifier.new(archive_file)
+
+      unless verifier.signed?
+        $stderr.puts "Archive is not signed."
+        return 1
+      end
+
+      cert = nil
+      if options[:cert]
+        cert = OpenSSL::X509::Certificate.new(File.read(options[:cert]))
+      end
+
+      verifier.verify!(certificate: cert)
+      $stdout.puts "Signature valid."
+      0
+    rescue SignatureError => e
+      $stderr.puts "Verification failed: #{e.message}"
+      1
+    end
+
+    def run_inspect
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: opa inspect ARCHIVE"
+      end
+      parser.parse!(@argv)
+
+      archive_file = @argv.shift
+      unless archive_file
+        $stderr.puts parser.help
+        return 1
+      end
+
+      unless File.exist?(archive_file)
+        $stderr.puts "Archive not found: #{archive_file}"
+        return 1
+      end
+
+      verifier = Verifier.new(archive_file)
+      manifest = verifier.manifest
+
+      $stdout.puts "Archive: #{archive_file}"
+      $stdout.puts "Signed: #{verifier.signed? ? "yes" : "no"}"
+      $stdout.puts ""
+      $stdout.puts "Manifest Attributes:"
+      manifest.main_attributes.each do |key, value|
+        $stdout.puts "  #{key}: #{value}"
+      end
+
+      if manifest.entries.any?
+        $stdout.puts ""
+        $stdout.puts "Entries:"
+        manifest.entries.each_key do |name|
+          $stdout.puts "  #{name}"
+        end
+      end
+
+      prompt = verifier.prompt
+      if prompt
+        $stdout.puts ""
+        $stdout.puts "Prompt:"
+        prompt.each_line.first(5).each { |l| $stdout.puts "  #{l}" }
+        $stdout.puts "  ..." if prompt.lines.size > 5
+      end
+
+      0
+    end
+
+    def print_usage
+      $stdout.puts <<~USAGE
+        opa-ruby #{OPA::VERSION} - Open Prompt Archive tool
+
+        Usage: opa <command> [options]
+
+        Commands:
+          pack      Create an OPA archive from a prompt file
+          verify    Verify a signed OPA archive
+          inspect   Show archive contents and metadata
+
+        Options:
+          -v, --version    Show version
+          -h, --help       Show this help
+
+        Run 'opa <command> --help' for command-specific options.
+      USAGE
+    end
+  end
+end

data/lib/opa/manifest.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+module OPA
+  # Represents a META-INF/MANIFEST.MF file in JAR/OPA format.
+  # Handles parsing and generating manifest content with main attributes
+  # and per-entry sections (used for signing digests).
+  class Manifest
+    MAIN_ATTRS_ORDER = %w[
+      Manifest-Version OPA-Version Prompt-File Title Description
+      Created-By Created-At Agent-Hint Execution-Mode Session-File
+      Data-Root Schema-Extensions
+    ].freeze
+
+    LINE_WIDTH = 72
+
+    attr_reader :main_attributes, :entries
+
+    def initialize
+      @main_attributes = {
+        "Manifest-Version" => "1.0",
+        "OPA-Version" => OPA::OPA_VERSION
+      }
+      @entries = {} # name => { attr => value }
+    end
+
+    def []=(key, value)
+      @main_attributes[key] = value
+    end
+
+    def [](key)
+      @main_attributes[key]
+    end
+
+    def add_entry(name, attributes = {})
+      @entries[name] = attributes
+    end
+
+    def to_s
+      lines = []
+
+      # Main section - ordered attributes first, then any extras
+      ordered_keys = MAIN_ATTRS_ORDER & @main_attributes.keys
+      extra_keys = @main_attributes.keys - MAIN_ATTRS_ORDER
+      (ordered_keys + extra_keys).each do |key|
+        lines << wrap_line("#{key}: #{@main_attributes[key]}")
+      end
+      lines << ""
+
+      # Per-entry sections
+      @entries.each do |name, attrs|
+        lines << wrap_line("Name: #{name}")
+        attrs.each do |key, value|
+          lines << wrap_line("#{key}: #{value}")
+        end
+        lines << ""
+      end
+
+      lines.join("\n")
+    end
+
+    def self.parse(text)
+      manifest = new
+      sections = text.split(/\n(?=Name: )/m)
+
+      # Parse main section
+      main_section = sections.shift || ""
+      parse_section(main_section).each do |key, value|
+        manifest[key] = value
+      end
+
+      # Parse entry sections
+      sections.each do |section|
+        attrs = parse_section(section)
+        name = attrs.delete("Name")
+        manifest.add_entry(name, attrs) if name
+      end
+
+      manifest
+    end
+
+    private
+
+    def wrap_line(line)
+      return line if line.bytesize <= LINE_WIDTH
+
+      result = line.byteslice(0, LINE_WIDTH)
+      pos = LINE_WIDTH
+      while pos < line.bytesize
+        chunk = line.byteslice(pos, LINE_WIDTH - 1)
+        result += "\n #{chunk}"
+        pos += LINE_WIDTH - 1
+      end
+      result
+    end
+
+    def self.parse_section(text)
+      # Unfold continuation lines (lines starting with a single space)
+      unfolded = text.gsub(/\n /, "")
+      attrs = {}
+      unfolded.each_line do |line|
+        line = line.chomp
+        next if line.empty?
+        if line =~ /\A([A-Za-z0-9_-]+):\s*(.*)\z/
+          attrs[Regexp.last_match(1)] = Regexp.last_match(2)
+        end
+      end
+      attrs
+    end
+  end
+end

data/lib/opa/signer.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "base64"
+require "digest"
+
+module OPA
+  # Signs OPA archives using JAR-format digital signatures.
+  # Produces META-INF/SIGNATURE.SF and a signature block file (.RSA, .DSA, or .EC).
+  class Signer
+    SUPPORTED_DIGESTS = {
+      "SHA-256" => OpenSSL::Digest::SHA256,
+      "SHA-384" => OpenSSL::Digest::SHA384,
+      "SHA-512" => OpenSSL::Digest::SHA512
+    }.freeze
+
+    REJECTED_DIGESTS = %w[MD5 SHA-1].freeze
+
+    attr_reader :digest_name
+
+    def initialize(private_key, certificate, algorithm: "SHA-256")
+      raise ArgumentError, "Digest #{algorithm} is not allowed" if REJECTED_DIGESTS.include?(algorithm)
+      raise ArgumentError, "Unsupported digest: #{algorithm}" unless SUPPORTED_DIGESTS.key?(algorithm)
+
+      @private_key = private_key
+      @certificate = certificate
+      @digest_name = algorithm
+      @digest_class = SUPPORTED_DIGESTS[algorithm]
+    end
+
+    # Compute the Base64-encoded digest of data.
+    def digest(data)
+      Base64.strict_encode64(@digest_class.digest(data))
+    end
+
+    # Generate the SIGNATURE.SF content from manifest content.
+    # Contains a digest of the entire manifest and per-entry section digests.
+    def signature_file(manifest_content)
+      lines = []
+      lines << "Signature-Version: 1.0"
+      lines << "#{@digest_name}-Digest-Manifest: #{digest(manifest_content)}"
+      lines << ""
+
+      # Compute per-entry section digests
+      sections = extract_entry_sections(manifest_content)
+      sections.each do |name, section_text|
+        lines << "Name: #{name}"
+        lines << "#{@digest_name}-Digest: #{digest(section_text)}"
+        lines << ""
+      end
+
+      lines.join("\n")
+    end
+
+    # Create the PKCS#7 signature block over the SF content.
+    def signature_block(sf_content)
+      flags = OpenSSL::PKCS7::BINARY | OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::NOSMIMECAP
+      pkcs7 = OpenSSL::PKCS7.sign(@certificate, @private_key, sf_content, [], flags)
+      pkcs7.to_der
+    end
+
+    # File extension for the signature block based on key type.
+    def block_extension
+      case @private_key
+      when OpenSSL::PKey::RSA then ".RSA"
+      when OpenSSL::PKey::DSA then ".DSA"
+      when OpenSSL::PKey::EC then ".EC"
+      else ".RSA"
+      end
+    end
+
+    private
+
+    # Extract individual entry sections from manifest text.
+    # Each section starts with "Name: " and ends at the next blank line.
+    def extract_entry_sections(manifest_content)
+      sections = {}
+      # Split on double newline to get sections, keep the trailing newline
+      parts = manifest_content.split(/(?=Name: )/m)
+      parts.each do |part|
+        next unless part.start_with?("Name: ")
+        name_line = part.lines.first.chomp
+        name = name_line.sub(/\AName: /, "")
+        # Section text includes the trailing newline (important for digest)
+        sections[name] = part
+      end
+      sections
+    end
+  end
+end

data/lib/opa/verifier.rb

@@ -0,0 +1,209 @@
+# frozen_string_literal: true
+
+require "zip"
+require "openssl"
+require "base64"
+require "digest"
+
+module OPA
+  # Reads and verifies OPA archives.
+  # Supports signature verification using JAR-format signing.
+  class Verifier
+    SUPPORTED_DIGESTS = Signer::SUPPORTED_DIGESTS
+    REJECTED_DIGESTS = Signer::REJECTED_DIGESTS
+
+    attr_reader :manifest, :entries
+
+    def initialize(io_or_path)
+      @raw_entries = {}
+      if io_or_path.is_a?(String)
+        File.open(io_or_path, "rb") { |f| read_zip(f) }
+      else
+        read_zip(io_or_path)
+      end
+    end
+
+    def signed?
+      @raw_entries.key?("META-INF/SIGNATURE.SF")
+    end
+
+    # Verify the archive signature. Returns true if valid.
+    # Raises OPA::SignatureError on failure.
+    def verify!(certificate: nil)
+      raise SignatureError, "Archive is not signed" unless signed?
+
+      sf_content = @raw_entries["META-INF/SIGNATURE.SF"]
+      sf_attrs = parse_sf(sf_content)
+
+      # Find and verify the signature block
+      block_entry = find_signature_block
+      raise SignatureError, "No signature block file found" unless block_entry
+
+      block_data = @raw_entries[block_entry]
+      verify_pkcs7_signature(block_data, sf_content, certificate)
+
+      # Verify manifest digest
+      manifest_content = @raw_entries["META-INF/MANIFEST.MF"]
+      digest_name = detect_digest_algorithm(sf_attrs[:main])
+      verify_digest(digest_name, manifest_content, sf_attrs[:main]["#{digest_name}-Digest-Manifest"],
+                    "Manifest digest mismatch")
+
+      # Verify individual entry digests
+      sf_attrs[:entries].each do |name, attrs|
+        entry_digest_name = detect_digest_algorithm(attrs)
+        manifest_section = extract_manifest_section(manifest_content, name)
+        raise SignatureError, "No manifest section for #{name}" unless manifest_section
+
+        verify_digest(entry_digest_name, manifest_section, attrs["#{entry_digest_name}-Digest"],
+                      "Section digest mismatch for #{name}")
+      end
+
+      # Verify manifest entry digests against actual content
+      @manifest.entries.each do |name, attrs|
+        entry_digest_name = detect_digest_algorithm(attrs)
+        next unless entry_digest_name
+
+        expected = attrs["#{entry_digest_name}-Digest"]
+        next unless expected
+
+        actual_content = @raw_entries[name]
+        raise SignatureError, "Missing entry: #{name}" unless actual_content
+
+        verify_digest(entry_digest_name, actual_content, expected,
+                      "Content digest mismatch for #{name}")
+      end
+
+      true
+    end
+
+    # Read a specific entry from the archive.
+    def read_entry(path)
+      @raw_entries[path]
+    end
+
+    def prompt
+      prompt_path = @manifest["Prompt-File"] || "prompt.md"
+      @raw_entries[prompt_path]
+    end
+
+    def session
+      session_path = @manifest["Session-File"] || "session/history.json"
+      @raw_entries[session_path]
+    end
+
+    def data_entries
+      prefix = @manifest["Data-Root"] || "data/"
+      @raw_entries.select { |k, _| k.start_with?(prefix) }
+    end
+
+    private
+
+    def read_zip(io)
+      data = io.read
+      Zip::InputStream.open(StringIO.new(data)) do |zip|
+        while (entry = zip.get_next_entry)
+          next if entry.directory?
+          path = entry.name
+          validate_path!(path)
+          @raw_entries[path] = zip.read
+        end
+      end
+
+      manifest_content = @raw_entries["META-INF/MANIFEST.MF"]
+      raise "Missing META-INF/MANIFEST.MF" unless manifest_content
+
+      @manifest = Manifest.parse(manifest_content)
+    end
+
+    def validate_path!(path)
+      raise SignatureError, "Path traversal detected: #{path}" if path.include?("..") || path.start_with?("/")
+    end
+
+    def find_signature_block
+      %w[.RSA .DSA .EC].each do |ext|
+        key = "META-INF/SIGNATURE#{ext}"
+        return key if @raw_entries.key?(key)
+      end
+      nil
+    end
+
+    def verify_pkcs7_signature(block_data, sf_content, certificate)
+      pkcs7 = OpenSSL::PKCS7.new(block_data)
+
+      store = OpenSSL::X509::Store.new
+      if certificate
+        store.add_cert(certificate)
+      else
+        # Extract the certificate from the PKCS7 structure
+        pkcs7.certificates&.each { |c| store.add_cert(c) }
+      end
+
+      flags = OpenSSL::PKCS7::BINARY | OpenSSL::PKCS7::NOVERIFY
+      flags = OpenSSL::PKCS7::BINARY if certificate
+
+      unless pkcs7.verify(certificate ? [certificate] : [], store, sf_content, flags)
+        raise SignatureError, "Digital signature verification failed"
+      end
+    end
+
+    def parse_sf(content)
+      main_attrs = {}
+      entries = {}
+
+      sections = content.split(/(?=Name: )/m)
+      main_section = sections.shift || ""
+
+      main_section.each_line do |line|
+        line = line.chomp
+        next if line.empty?
+        if line =~ /\A([A-Za-z0-9_-]+):\s*(.*)\z/
+          main_attrs[Regexp.last_match(1)] = Regexp.last_match(2)
+        end
+      end
+
+      sections.each do |section|
+        attrs = {}
+        name = nil
+        section.each_line do |line|
+          line = line.chomp
+          next if line.empty?
+          if line =~ /\A([A-Za-z0-9_-]+):\s*(.*)\z/
+            key, val = Regexp.last_match(1), Regexp.last_match(2)
+            if key == "Name"
+              name = val
+            else
+              attrs[key] = val
+            end
+          end
+        end
+        entries[name] = attrs if name
+      end
+
+      { main: main_attrs, entries: entries }
+    end
+
+    def detect_digest_algorithm(attrs)
+      SUPPORTED_DIGESTS.each_key do |name|
+        return name if attrs.any? { |k, _| k.include?(name) }
+      end
+      raise SignatureError, "No supported digest algorithm found"
+    end
+
+    def verify_digest(algorithm, data, expected_b64, message)
+      raise SignatureError, "Rejected digest algorithm: #{algorithm}" if REJECTED_DIGESTS.include?(algorithm)
+
+      digest_class = SUPPORTED_DIGESTS[algorithm]
+      raise SignatureError, "Unsupported digest: #{algorithm}" unless digest_class
+
+      actual = Base64.strict_encode64(digest_class.digest(data))
+      raise SignatureError, "#{message}: expected #{expected_b64}, got #{actual}" unless actual == expected_b64
+    end
+
+    def extract_manifest_section(manifest_content, name)
+      parts = manifest_content.split(/(?=Name: )/m)
+      parts.find { |p| p.start_with?("Name: #{name}\n") || p.start_with?("Name: #{name}\r\n") }
+    end
+  end
+
+  class SignatureError < StandardError; end
+end

data/lib/opa/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module OPA
+  VERSION = "0.1.0"
+end

data/lib/opa.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require_relative "opa/version"
+require_relative "opa/manifest"
+require_relative "opa/archive"
+require_relative "opa/signer"
+require_relative "opa/verifier"
+
+module OPA
+  OPA_VERSION = "0.1"
+end

metadata

@@ -0,0 +1,96 @@
+--- !ruby/object:Gem::Specification
+name: opa-ruby
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- OPA Ruby Contributors
+bindir: bin
+cert_chain: []
+date: 2026-03-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rubyzip
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+description: Provides tools for building, signing, and verifying OPA archives — portable
+  ZIP-based packages for AI agent prompts, session history, and data assets.
+executables:
+- opa
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/opa
+- lib/opa.rb
+- lib/opa/archive.rb
+- lib/opa/cli.rb
+- lib/opa/manifest.rb
+- lib/opa/signer.rb
+- lib/opa/verifier.rb
+- lib/opa/version.rb
+homepage: https://github.com/shannah/opa-ruby
+licenses:
+- MIT
+metadata: {}
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.3
+specification_version: 4
+summary: A Ruby library for generating Open Prompt Archive (OPA) files
+test_files: []