opa-ruby 0.1.0 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6938bad1dc3db52fbac52f2a3c9df453fb03a9d61f937a33f3280d4fb258fb46
-  data.tar.gz: 25d52c72af1b58ff16e44f20bd4c49e955cfaa4f01a0002faea1498ac1ee2d2e
+  metadata.gz: cccc1723c3c1dc4be0dbc948517ec75ffead77445b2702ad1ef5f49eb84ebdaf
+  data.tar.gz: bdacfda13309b7e4ba9763365440394a60f68b3668c4d33161ded7772209e53c
 SHA512:
-  metadata.gz: b7b3dc7a81c10bfc9e397bf94e4cf206a254db500a82040e4babedc36904cc9d9c42b806f93f69361efe544c16dcdd844a8f72c55e03df8fc5dbc25d0cabbf5b
-  data.tar.gz: de0c56f213ecc9bb17edbb4d8bdd26323b5afe33bc71d98c4dfccb001578496f9d98a90ee7d13d936b04fe356105ed57356500552a340882a6c697216b8e97da
+  metadata.gz: 69061c10291cff9451a6d4cef0b5af43855b9da12034af01717f74af06e14cbbcc7da0c6e67e1bd08065e31c341d9fd25dc4283f29eb073d6a2e52aa1b551c26
+  data.tar.gz: 4f90b867a07ad4258d9b7e64262781e8afacfeecc5881983352e51e6329ffe88ae71e091f368784563fea99f3ce68a98231d23df6c1bf166e2b4193a4428bef8

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Steve Hannah
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,121 @@
+# opa-ruby
+
+A Ruby library and CLI for building, signing, and verifying [Open Prompt Archive (OPA)](https://github.com/shannah/opa-spec) files.
+
+OPA archives are ZIP-based packages that bundle AI agent prompts with session history, data assets, and execution metadata into portable, distributable archives.
+
+## Installation
+
+Add to your Gemfile:
+
+```ruby
+gem "opa-ruby"
+```
+
+Or install directly:
+
+```bash
+gem install opa-ruby
+```
+
+**Zero external dependencies** — uses only Ruby stdlib (`zlib`, `openssl`).
+
+## Library Usage
+
+### Creating an archive
+
+```ruby
+require "opa"
+
+archive = OPA::Archive.new
+archive.manifest["Title"] = "My Task"
+archive.manifest["Execution-Mode"] = "batch"
+archive.prompt = "Summarize the attached data."
+archive.add_data("report.csv", File.read("report.csv"))
+
+archive.write("my_task.opa")
+```
+
+### Signing an archive
+
+```ruby
+key  = OpenSSL::PKey::RSA.new(File.read("key.pem"))
+cert = OpenSSL::X509::Certificate.new(File.read("cert.pem"))
+
+archive = OPA::Archive.new
+archive.prompt = "Do the thing."
+archive.sign(key, cert, algorithm: "SHA-256")
+archive.write("signed.opa")
+```
+
+Supported digest algorithms: SHA-256, SHA-384, SHA-512. MD5 and SHA-1 are rejected per spec.
+
+### Reading and verifying an archive
+
+```ruby
+verifier = OPA::Verifier.new("signed.opa")
+
+verifier.signed?            # => true
+verifier.prompt             # => "Do the thing."
+verifier.manifest["Title"]  # => "My Task"
+verifier.data_entries       # => { "data/report.csv" => "..." }
+
+# Verify signature (raises OPA::SignatureError on failure)
+cert = OpenSSL::X509::Certificate.new(File.read("cert.pem"))
+verifier.verify!(certificate: cert)
+```
+
+## CLI Usage
+
+The `opa` command provides three subcommands:
+
+### pack
+
+Create an OPA archive from a prompt file.
+
+```bash
+opa pack prompt.md                                  # basic archive
+opa pack prompt.md -t "My Task" -o task.opa         # with title and output path
+opa pack prompt.md -d data.csv -d config.json       # with data files
+opa pack prompt.md -s session.json                  # with session history
+opa pack prompt.md -k key.pem -c cert.pem           # signed archive
+opa pack prompt.md -k key.pem -c cert.pem --algorithm SHA-512
+```
+
+### verify
+
+Verify a signed archive's integrity.
+
+```bash
+opa verify archive.opa                    # verify using embedded certificate
+opa verify archive.opa -c cert.pem       # verify against a specific certificate
+```
+
+### inspect
+
+Display archive metadata and contents.
+
+```bash
+opa inspect archive.opa
+```
+
+## Core Classes
+
+| Class | Purpose |
+|---|---|
+| `OPA::Archive` | Builds `.opa` ZIP archives with manifest, prompt, data, and session entries |
+| `OPA::Verifier` | Reads archives, extracts entries, and verifies signatures |
+| `OPA::Signer` | JAR-format signing (SIGNATURE.SF + PKCS#7 block) |
+| `OPA::Manifest` | META-INF/MANIFEST.MF parser and generator |
+| `OPA::CLI` | Command-line interface |
+
+## Development
+
+```bash
+bundle install
+rake spec
+```
+
+## License
+
+MIT

data/lib/opa/archive.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "zip"
 require "digest"
 
 module OPA
@@ -51,51 +50,42 @@ module OPA
     private
 
     def write_to_stream(io)
-      buffer = StringIO.new
-      build_zip(buffer)
-      io.write(buffer.string)
-    end
+      zip = ZipIO::Writer.new
 
-    def build_zip(io)
-      Zip::OutputStream.write_buffer(io) do |zip|
-        # Compute digests for all entries if signing
-        entry_digests = {}
-        @entries.each do |path, content|
-          data = content.is_a?(IO) ? content.read : content
-          entry_digests[path] = data
-        end
+      # Resolve all entry content
+      entry_data = {}
+      @entries.each do |path, content|
+        entry_data[path] = content.is_a?(IO) ? content.read : content
+      end
 
-        # Build manifest with digests if signing
-        if @signer
-          entry_digests.each do |path, data|
-            digest = @signer.digest(data)
-            @manifest.add_entry(path, { "#{@signer.digest_name}-Digest" => digest })
-          end
+      # Build manifest with digests if signing
+      if @signer
+        entry_data.each do |path, data|
+          digest = @signer.digest(data)
+          @manifest.add_entry(path, { "#{@signer.digest_name}-Digest" => digest })
         end
+      end
 
-        manifest_content = @manifest.to_s
+      manifest_content = @manifest.to_s
 
-        # Write manifest
-        zip.put_next_entry("META-INF/MANIFEST.MF")
-        zip.write(manifest_content)
+      # Write manifest
+      zip.add_entry("META-INF/MANIFEST.MF", manifest_content)
 
-        # Write signature files if signing
-        if @signer
-          sf_content = @signer.signature_file(manifest_content)
-          zip.put_next_entry("META-INF/SIGNATURE.SF")
-          zip.write(sf_content)
+      # Write signature files if signing
+      if @signer
+        sf_content = @signer.signature_file(manifest_content)
+        zip.add_entry("META-INF/SIGNATURE.SF", sf_content)
 
-          sig_block = @signer.signature_block(sf_content)
-          zip.put_next_entry("META-INF/SIGNATURE#{@signer.block_extension}")
-          zip.write(sig_block)
-        end
+        sig_block = @signer.signature_block(sf_content)
+        zip.add_entry("META-INF/SIGNATURE#{@signer.block_extension}", sig_block)
+      end
 
-        # Write all content entries
-        entry_digests.each do |path, data|
-          zip.put_next_entry(path)
-          zip.write(data)
-        end
+      # Write all content entries
+      entry_data.each do |path, data|
+        zip.add_entry(path, data)
       end
+
+      io.write(zip.to_bytes)
     end
   end
 end

data/lib/opa/verifier.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "zip"
 require "openssl"
 require "base64"
 require "digest"
@@ -16,11 +15,12 @@ module OPA
 
     def initialize(io_or_path)
       @raw_entries = {}
-      if io_or_path.is_a?(String)
-        File.open(io_or_path, "rb") { |f| read_zip(f) }
-      else
-        read_zip(io_or_path)
-      end
+      data = if io_or_path.is_a?(String)
+               File.binread(io_or_path)
+             else
+               io_or_path.read
+             end
+      read_zip(data)
     end
 
     def signed?
@@ -98,15 +98,11 @@ module OPA
 
     private
 
-    def read_zip(io)
-      data = io.read
-      Zip::InputStream.open(StringIO.new(data)) do |zip|
-        while (entry = zip.get_next_entry)
-          next if entry.directory?
-          path = entry.name
-          validate_path!(path)
-          @raw_entries[path] = zip.read
-        end
+    def read_zip(data)
+      entries = ZipIO::Reader.read(data)
+      entries.each do |path, content|
+        validate_path!(path)
+        @raw_entries[path] = content
       end
 
       manifest_content = @raw_entries["META-INF/MANIFEST.MF"]

data/lib/opa/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OPA
-  VERSION = "0.1.0"
+  VERSION = "0.1.3"
 end

data/lib/opa/zip_io.rb

@@ -0,0 +1,153 @@
+# frozen_string_literal: true
+
+require "zlib"
+require "stringio"
+
+module OPA
+  # Minimal ZIP writer and reader using only Ruby stdlib (zlib).
+  # Supports the subset of ZIP needed for OPA/JAR archives: stored and
+  # deflated entries, no ZIP64 or encryption.
+  module ZipIO
+    # Builds a ZIP archive in memory and returns the bytes.
+    class Writer
+      Entry = Struct.new(:name, :data, :crc32, :compressed, :offset)
+
+      def initialize
+        @entries = []
+      end
+
+      def add_entry(name, data)
+        data = data.b
+        crc32 = Zlib.crc32(data)
+        deflater = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
+        compressed = deflater.deflate(data, Zlib::FINISH)
+        deflater.close
+        @entries << Entry.new(name, data, crc32, compressed, nil)
+      end
+
+      def to_bytes
+        io = StringIO.new
+        io.set_encoding(Encoding::BINARY)
+
+        # Write local file headers + data
+        @entries.each do |entry|
+          entry.offset = io.pos
+          write_local_header(io, entry)
+          io.write(entry.compressed)
+        end
+
+        # Central directory
+        cd_offset = io.pos
+        @entries.each { |entry| write_cd_header(io, entry) }
+        cd_size = io.pos - cd_offset
+
+        # End of central directory
+        write_eocd(io, @entries.size, cd_size, cd_offset)
+
+        io.string
+      end
+
+      private
+
+      def write_local_header(io, entry)
+        name_bytes = entry.name.b
+        io.write([0x04034b50].pack("V"))          # signature
+        io.write([20].pack("v"))                   # version needed
+        io.write([0].pack("v"))                    # flags
+        io.write([8].pack("v"))                    # compression: deflate
+        io.write([0, 0].pack("vv"))                # mod time, mod date
+        io.write([entry.crc32].pack("V"))          # crc32
+        io.write([entry.compressed.bytesize].pack("V")) # compressed size
+        io.write([entry.data.bytesize].pack("V"))  # uncompressed size
+        io.write([name_bytes.bytesize].pack("v"))  # name length
+        io.write([0].pack("v"))                    # extra length
+        io.write(name_bytes)
+      end
+
+      def write_cd_header(io, entry)
+        name_bytes = entry.name.b
+        io.write([0x02014b50].pack("V"))           # signature
+        io.write([20].pack("v"))                   # version made by
+        io.write([20].pack("v"))                   # version needed
+        io.write([0].pack("v"))                    # flags
+        io.write([8].pack("v"))                    # compression: deflate
+        io.write([0, 0].pack("vv"))                # mod time, mod date
+        io.write([entry.crc32].pack("V"))          # crc32
+        io.write([entry.compressed.bytesize].pack("V")) # compressed size
+        io.write([entry.data.bytesize].pack("V"))  # uncompressed size
+        io.write([name_bytes.bytesize].pack("v"))  # name length
+        io.write([0].pack("v"))                    # extra length
+        io.write([0].pack("v"))                    # comment length
+        io.write([0].pack("v"))                    # disk number
+        io.write([0].pack("v"))                    # internal attrs
+        io.write([0].pack("V"))                    # external attrs
+        io.write([entry.offset].pack("V"))         # local header offset
+        io.write(name_bytes)
+      end
+
+      def write_eocd(io, count, cd_size, cd_offset)
+        io.write([0x06054b50].pack("V"))           # signature
+        io.write([0].pack("v"))                    # disk number
+        io.write([0].pack("v"))                    # cd disk number
+        io.write([count].pack("v"))                # entries on this disk
+        io.write([count].pack("v"))                # total entries
+        io.write([cd_size].pack("V"))              # cd size
+        io.write([cd_offset].pack("V"))            # cd offset
+        io.write([0].pack("v"))                    # comment length
+      end
+    end
+
+    # Reads entries from a ZIP archive.
+    class Reader
+      ParsedEntry = Struct.new(:name, :data)
+
+      def self.read(data)
+        data = data.b
+        entries = {}
+
+        # Find end of central directory record
+        eocd_pos = data.rindex([0x06054b50].pack("V"))
+        raise "Invalid ZIP: no EOCD record" unless eocd_pos
+
+        cd_size = data[eocd_pos + 12, 4].unpack1("V")
+        cd_offset = data[eocd_pos + 16, 4].unpack1("V")
+        entry_count = data[eocd_pos + 10, 2].unpack1("v")
+
+        # Parse central directory to get entry metadata
+        pos = cd_offset
+        entry_count.times do
+          sig = data[pos, 4].unpack1("V")
+          raise "Invalid CD entry signature" unless sig == 0x02014b50
+
+          compression = data[pos + 10, 2].unpack1("v")
+          crc32 = data[pos + 16, 4].unpack1("V")
+          comp_size = data[pos + 20, 4].unpack1("V")
+          uncomp_size = data[pos + 24, 4].unpack1("V")
+          name_len = data[pos + 28, 2].unpack1("v")
+          extra_len = data[pos + 30, 2].unpack1("v")
+          comment_len = data[pos + 32, 2].unpack1("v")
+          local_offset = data[pos + 42, 4].unpack1("V")
+          name = data[pos + 46, name_len].force_encoding("UTF-8")
+
+          # Read from local file header to get actual data
+          local_name_len = data[local_offset + 26, 2].unpack1("v")
+          local_extra_len = data[local_offset + 28, 2].unpack1("v")
+          data_start = local_offset + 30 + local_name_len + local_extra_len
+          raw = data[data_start, comp_size]
+
+          content = case compression
+                    when 0 then raw
+                    when 8 then Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(raw)
+                    else raise "Unsupported compression method: #{compression}"
+                    end
+
+          entries[name] = content.force_encoding("UTF-8")
+
+          pos += 46 + name_len + extra_len + comment_len
+        end
+
+        entries
+      end
+    end
+  end
+end

data/lib/opa.rb

@@ -2,6 +2,7 @@
 
 require_relative "opa/version"
 require_relative "opa/manifest"
+require_relative "opa/zip_io"
 require_relative "opa/archive"
 require_relative "opa/signer"
 require_relative "opa/verifier"

metadata

@@ -1,34 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: opa-ruby
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.3
 platform: ruby
 authors:
-- OPA Ruby Contributors
+- Steve Hannah
+autorequire:
 bindir: bin
 cert_chain: []
 date: 2026-03-08 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: rubyzip
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '2.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '2.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -59,11 +40,15 @@ dependencies:
         version: '13.0'
 description: Provides tools for building, signing, and verifying OPA archives — portable
   ZIP-based packages for AI agent prompts, session history, and data assets.
+email:
+- steve@weblite.ca
 executables:
 - opa
 extensions: []
 extra_rdoc_files: []
 files:
+- LICENSE
+- README.md
 - bin/opa
 - lib/opa.rb
 - lib/opa/archive.rb
@@ -72,10 +57,12 @@ files:
 - lib/opa/signer.rb
 - lib/opa/verifier.rb
 - lib/opa/version.rb
+- lib/opa/zip_io.rb
 homepage: https://github.com/shannah/opa-ruby
 licenses:
 - MIT
 metadata: {}
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -90,7 +77,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.3
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: A Ruby library for generating Open Prompt Archive (OPA) files
 test_files: []