sphragis 0.0.1 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c42aaaa6c03beb1f59d52fb1199d1d2e698cedc948c1090fd15ab220380d66c5
-  data.tar.gz: af16ca3d9aa7dbad982c4cf996bbda71bf42400ddd81b5598d25150e2723aa58
+  metadata.gz: caec4dd49336ccfbe8798f7285269be90871d5032986e352a2242b90111a597e
+  data.tar.gz: 3e2a6a7a8feaa2e9243578532e41a4f57c301ce20a58136435d6f6335824f822
 SHA512:
-  metadata.gz: 3ad587b5f0a3bfdb3ee7f24ea1ba193d09f42896042eeacfdb61222ca1f3decafb0144f41f696291707ab68c0cf05a34cc379be9929acd8db5c09f10995853e4
-  data.tar.gz: 4578175283a882a5fc14e53b1951cc9bd8e8a141db71d262d317f529c96f706fc6d7c6f182f897533d12706d379c83337722d30bb2f4d08e9738b81109ba76e1
+  metadata.gz: f8e03224faf76f6b4a9bdad2753c0f600616703eddb36d36fb09c96117942e8f6a44c0f88a005412f82dd2bd38d78defa7e1e810160ac62c554f117f092b5f5f
+  data.tar.gz: 3bf5ab5f54e3ab0da195df9866964a0b48e8f3e648947f56d2c8a8f0faf887cdff41706bdb78fa5d57b12c96b62601a446db8366d0cbb27e0b38bfa8d630fdf0

data/.github/workflows/test.yml

@@ -0,0 +1,42 @@
+name: Test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    name: Ruby ${{ matrix.ruby }} / Rails ${{ matrix.rails }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - ruby: "3.2"
+            gemfile: gemfiles/rails_61.gemfile
+            rails: "6.1"
+          - ruby: "3.2"
+            gemfile: gemfiles/rails_72.gemfile
+            rails: "7.2"
+          - ruby: "3.2"
+            gemfile: gemfiles/rails_80.gemfile
+            rails: "8.0"
+          - ruby: "3.2"
+            gemfile: gemfiles/rails_81.gemfile
+            rails: "8.1"
+
+    env:
+      BUNDLE_GEMFILE: ${{ matrix.gemfile }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Run tests
+        run: bundle exec rake test

data/.ruby-version

@@ -0,0 +1 @@
+3.2.9

data/CHANGELOG.md

@@ -7,18 +7,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.1.0] - 2026-03-01
+
 ### Added
 - Initial release of Sphragis (Σφραγίς) - Digital PDF Signatures for Rails
 - Multi-provider architecture supporting:
   - Fortify WebCrypto (FREE open-source, hardware tokens)
   - Harica (FREE for Greek academic institutions, eIDAS qualified)
   - Itsme (template for free e-signature services)
+- **ISO 32000-compliant PDF signing** via easy_code_sign native backend
+  - Real CMS/PKCS#7 signatures embedded in PDF (adbe.pkcs7.detached)
+  - Harica cloud path: full-document signing via rsign-api.harica.gr DSA API
+  - Local path (Fortify, Itsme): sign_bytes(hash) callback → NativeSigner embeds CMS
+  - Fully MIT-licensed dependency chain — no AGPL (HexaPDF) required
 - Rails Engine with interactive PDF signature placement
 - PDF.js-based viewer with drag-and-drop signature positioning
 - Provider factory pattern for easy extension
 - Configuration system with environment variable support
-- Comprehensive documentation suite
-- Logo design inspired by ancient Greek σφραγιδόλιθοι (sealstones)
+- CI matrix: Rails 6.1, 7.2, 8.0, 8.1
 - Complete test suite (Minitest)
 - RuboCop code quality checks
 - Bundler-audit security scanning
@@ -29,8 +35,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - FORTIFY_WEBCRYPTO.md for Fortify setup
 - LICENSING_SUMMARY.md for cost breakdown
 - MULTIPLE_PROVIDERS.md for multi-provider usage
-- LOGO.md for branding guidelines
-- LOGO_FILES.md for logo assets reference
 
 ## Notes
 
@@ -57,6 +61,9 @@ See README.md for details on FREE eIDAS qualified certificates.
 - `Security` - Security fixes and improvements
 - `Documentation` - Documentation changes
 
+[Unreleased]: https://github.com/mpantel/sphragis/compare/v0.1.0...HEAD
+[0.1.0]: https://github.com/mpantel/sphragis/releases/tag/v0.1.0
+
 ### Disclaimer
 
 > **⚠️ EARLY DEVELOPMENT VERSION**

data/CLAUDE.md

@@ -0,0 +1,50 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+Sphragis is a Ruby gem (Rails Engine) providing multi-provider PDF digital signatures. It targets Greek academic institutions (free via Harica) and commercial use (Fortify hardware tokens). Early development — provider integrations currently use simulated/placeholder implementations.
+
+## Commands
+
+```bash
+bundle exec rake test          # Run full test suite (Minitest)
+bundle exec ruby -Ilib:test test/sphragis/test_pdf_signer.rb  # Run single test file
+bundle exec rubocop            # Lint
+bundle exec bundle-audit check # Security audit
+bundle exec rake build         # Build gem
+```
+
+## Architecture
+
+**Rails Engine** (`Sphragis::Engine`) mounted at a user-chosen path (e.g., `/signatures`). Isolates namespace.
+
+**Provider pattern** — all signing goes through `Providers::BaseProvider` (abstract):
+- `FortifyProvider` — PKCS#11 hardware token signing (simulated)
+- `FortifyWebcryptoProvider` — Fortify WebCrypto bridge REST API (simulated, most complete API sketch)
+- `HaricaProvider` — Harica cloud CA REST API (simulated)
+- `ItsmeProvider` — template/example provider (simulated)
+
+Providers are lazily `require_relative`'d by `ProviderFactory.create(:name)`. The factory reads global config to build provider instances.
+
+**Key flow**: `PdfSigner.new(path, opts)` → `ProviderFactory.create` → `provider.connect` → `provider.sign(data)` → writes `_signed.pdf` + `_signature.json` sidecar.
+
+**Configuration**: `Sphragis.configure { |c| ... }` block populating `Sphragis::Configuration`. Defaults from ENV vars. Reset with `Sphragis.reset_configuration!` (used in test setup).
+
+**Controller**: `DocumentsController` handles preview/view/sign/validate_placement. Preview renders PDF.js UI for drag-and-drop signature placement.
+
+## Conventions
+
+- `frozen_string_literal: true` on all Ruby files
+- RuboCop with `rubocop-rails` and `rubocop-minitest` plugins
+- Double-quoted strings (`Style/StringLiterals: double_quotes`)
+- Max line length 120, method length 25, class length 150, AbcSize 20
+- Tests use Minitest + Mocha for mocking; test helper resets config and creates temp PDFs via Prawn
+- Ruby >= 3.2, Rails >= 6.1 < 8.0
+
+## Test Setup
+
+Tests auto-reset `Sphragis.configuration` in `setup`. `create_test_pdf` generates a 2-page PDF in `test/fixtures/`. Teardown cleans `*_signed.pdf` and `*_signature.json` artifacts.
+
+Most provider tests configure Fortify credentials since it's the default provider. To test other providers, configure the appropriate credentials and pass `provider: :harica` (etc.) in options.

data/README.md

@@ -272,6 +272,9 @@ bundle exec rubocop
 
 # Security audit
 bundle exec bundle-audit check
+
+# Static security analysis
+bundle exec rake brakeman
 ```
 
 ## Documentation
@@ -280,6 +283,7 @@ bundle exec bundle-audit check
 - [FORTIFY_WEBCRYPTO.md](doc/FORTIFY_WEBCRYPTO.md) - Fortify setup guide
 - [LICENSING_SUMMARY.md](doc/LICENSING_SUMMARY.md) - Complete cost breakdown
 - [MULTIPLE_PROVIDERS.md](doc/MULTIPLE_PROVIDERS.md) - Multi-provider usage
+- [DSS_FUTURE.md](doc/DSS_FUTURE.md) - EU Digital Signature Service (future provider)
 - [LOGO.md](doc/LOGO.md) - Logo design and branding
 
 ## Logo & Branding
@@ -310,7 +314,7 @@ See [LOGO.md](doc/LOGO.md) for design details.
 
 **Planned:**
 - 🔄 Production testing and hardening
-- 🔄 Additional provider support
+- 🔄 Additional provider support (DSS for institutional batch signing)
 - 🔄 Batch signing operations
 - 🔄 Signature verification
 - 🔄 Audit logging
@@ -356,7 +360,7 @@ MIT License - See [LICENSE](LICENSE) for details.
 
 **Sphragis is an independent open-source project.** We are NOT affiliated with, endorsed by, or sponsored by any of the third-party providers, services, or products mentioned in this documentation, including but not limited to:
 
-- Peculiar Ventures (Fortify) • Harica • Yubico (YubiKey) • Nitrokey • ItsMe • OpenSC Project • Any certificate authorities or hardware manufacturers
+- Peculiar Ventures (Fortify) • Harica • Yubico (YubiKey) • Nitrokey • ItsMe • OpenSC Project • EU Digital Signature Service (DSS) • European Commission • Any certificate authorities or hardware manufacturers
 
 All trademarks and product names are property of their respective owners. This gem provides integration code only. Users are responsible for complying with third-party terms of service and any associated costs.
 

data/Rakefile

@@ -5,4 +5,22 @@ require "minitest/test_task"
 
 Minitest::TestTask.create
 
+# Brakeman security scanner
+begin
+  require "brakeman"
+
+  desc "Run Brakeman security scanner"
+  task :brakeman do
+    require "brakeman"
+    result = Brakeman.run(
+      app_path: ".",
+      print_report: true,
+      config_file: "config/brakeman.yml"
+    )
+    exit Brakeman::Warnings_Found_Exit_Code if result.filtered_warnings.any?
+  end
+rescue LoadError
+  # Brakeman not available
+end
+
 task default: :test

data/config/brakeman.yml

@@ -0,0 +1,43 @@
+# Brakeman configuration for Sphragis
+# https://brakemanscanner.org/docs/options/
+
+# Application path (default: ".")
+app_path: "."
+
+# Rails engine mode
+rails_engines: true
+
+# Output format (can be: text, html, json, markdown, csv, tabs, etc.)
+output_format: text
+
+# Minimum confidence level (1-3, where 1 is low confidence, 3 is high)
+min_confidence: 2
+
+# Exit with error code if warnings are found
+exit_on_warn: false
+
+# Ignore specific warnings by fingerprint
+# Run `brakeman -I` to add warnings to ignore
+# ignore_file: config/brakeman.ignore
+
+# Check specific paths
+# path: .
+
+# Skip certain checks
+# skip_checks:
+#   - SQL
+#   - LinkTo
+
+# Only run certain checks
+# run_checks:
+#   - SQL
+#   - CrossSiteScripting
+
+# Treat all warnings as errors for CI (optional)
+# ensure_latest: true
+
+# Show context around warnings
+# limit: 100
+
+# Rails version (auto-detected from Gemfile.lock)
+# rails_version: 7.0

data/demo/Gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+gem 'sinatra'
+gem 'sinatra-contrib'
+gem 'puma'
+gem 'sphragis', path: '..'

data/demo/Gemfile.lock

@@ -0,0 +1,271 @@
+PATH
+  remote: ..
+  specs:
+    sphragis (0.0.1)
+      pdf-reader (~> 2.0)
+      prawn (~> 2.4)
+      rails (>= 6.1, < 8.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    Ascii85 (2.0.1)
+    actioncable (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
+      nio4r (~> 2.0)
+      websocket-driver (>= 0.6.1)
+      zeitwerk (~> 2.6)
+    actionmailbox (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activejob (= 7.1.5.2)
+      activerecord (= 7.1.5.2)
+      activestorage (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
+      mail (>= 2.7.1)
+      net-imap
+      net-pop
+      net-smtp
+    actionmailer (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      actionview (= 7.1.5.2)
+      activejob (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
+      mail (~> 2.5, >= 2.5.4)
+      net-imap
+      net-pop
+      net-smtp
+      rails-dom-testing (~> 2.2)
+    actionpack (7.1.5.2)
+      actionview (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actiontext (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activerecord (= 7.1.5.2)
+      activestorage (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
+      globalid (>= 0.6.0)
+      nokogiri (>= 1.8.5)
+    actionview (7.1.5.2)
+      activesupport (= 7.1.5.2)
+      builder (~> 3.1)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activejob (7.1.5.2)
+      activesupport (= 7.1.5.2)
+      globalid (>= 0.3.6)
+    activemodel (7.1.5.2)
+      activesupport (= 7.1.5.2)
+    activerecord (7.1.5.2)
+      activemodel (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
+      timeout (>= 0.4.0)
+    activestorage (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activejob (= 7.1.5.2)
+      activerecord (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
+      marcel (~> 1.0)
+    activesupport (7.1.5.2)
+      base64
+      benchmark (>= 0.3)
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
+      i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
+      minitest (>= 5.1)
+      mutex_m
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0)
+    afm (1.0.0)
+    base64 (0.3.0)
+    benchmark (0.5.0)
+    bigdecimal (3.3.1)
+    builder (3.3.0)
+    concurrent-ruby (1.3.5)
+    connection_pool (2.5.4)
+    crass (1.0.6)
+    date (3.4.1)
+    drb (2.2.3)
+    erb (5.1.1)
+    erubi (1.13.1)
+    globalid (1.3.0)
+      activesupport (>= 6.1)
+    hashery (2.1.2)
+    i18n (1.14.7)
+      concurrent-ruby (~> 1.0)
+    io-console (0.8.1)
+    irb (1.15.2)
+      pp (>= 0.6.0)
+      rdoc (>= 4.0.0)
+      reline (>= 0.4.2)
+    logger (1.7.0)
+    loofah (2.24.1)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.12.0)
+    mail (2.8.1)
+      mini_mime (>= 0.1.1)
+      net-imap
+      net-pop
+      net-smtp
+    marcel (1.1.0)
+    matrix (0.4.3)
+    mini_mime (1.1.5)
+    minitest (5.26.0)
+    multi_json (1.17.0)
+    mustermann (3.0.4)
+      ruby2_keywords (~> 0.0.1)
+    mutex_m (0.3.0)
+    net-imap (0.5.12)
+      date
+      net-protocol
+    net-pop (0.1.2)
+      net-protocol
+    net-protocol (0.2.2)
+      timeout
+    net-smtp (0.5.1)
+      net-protocol
+    nio4r (2.7.4)
+    nokogiri (1.18.10-aarch64-linux-gnu)
+      racc (~> 1.4)
+    nokogiri (1.18.10-aarch64-linux-musl)
+      racc (~> 1.4)
+    nokogiri (1.18.10-arm-linux-gnu)
+      racc (~> 1.4)
+    nokogiri (1.18.10-arm-linux-musl)
+      racc (~> 1.4)
+    nokogiri (1.18.10-arm64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.18.10-x86_64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.18.10-x86_64-linux-gnu)
+      racc (~> 1.4)
+    nokogiri (1.18.10-x86_64-linux-musl)
+      racc (~> 1.4)
+    pdf-core (0.10.0)
+    pdf-reader (2.15.0)
+      Ascii85 (>= 1.0, < 3.0, != 2.0.0)
+      afm (>= 0.2.1, < 2)
+      hashery (~> 2.0)
+      ruby-rc4
+      ttfunk
+    pp (0.6.3)
+      prettyprint
+    prawn (2.5.0)
+      matrix (~> 0.4)
+      pdf-core (~> 0.10.0)
+      ttfunk (~> 1.8)
+    prettyprint (0.2.0)
+    psych (5.2.6)
+      date
+      stringio
+    puma (7.1.0)
+      nio4r (~> 2.0)
+    racc (1.8.1)
+    rack (3.2.3)
+    rack-protection (4.2.1)
+      base64 (>= 0.1.0)
+      logger (>= 1.6.0)
+      rack (>= 3.0.0, < 4)
+    rack-session (2.1.1)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0)
+    rack-test (2.2.0)
+      rack (>= 1.3)
+    rackup (2.2.1)
+      rack (>= 3)
+    rails (7.1.5.2)
+      actioncable (= 7.1.5.2)
+      actionmailbox (= 7.1.5.2)
+      actionmailer (= 7.1.5.2)
+      actionpack (= 7.1.5.2)
+      actiontext (= 7.1.5.2)
+      actionview (= 7.1.5.2)
+      activejob (= 7.1.5.2)
+      activemodel (= 7.1.5.2)
+      activerecord (= 7.1.5.2)
+      activestorage (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
+      bundler (>= 1.15.0)
+      railties (= 7.1.5.2)
+    rails-dom-testing (2.3.0)
+      activesupport (>= 5.0.0)
+      minitest
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.6.2)
+      loofah (~> 2.21)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
+    railties (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
+      irb
+      rackup (>= 1.0.0)
+      rake (>= 12.2)
+      thor (~> 1.0, >= 1.2.2)
+      zeitwerk (~> 2.6)
+    rake (13.3.0)
+    rdoc (6.15.0)
+      erb
+      psych (>= 4.0.0)
+      tsort
+    reline (0.6.2)
+      io-console (~> 0.5)
+    ruby-rc4 (0.1.5)
+    ruby2_keywords (0.0.5)
+    securerandom (0.4.1)
+    sinatra (4.2.1)
+      logger (>= 1.6.0)
+      mustermann (~> 3.0)
+      rack (>= 3.0.0, < 4)
+      rack-protection (= 4.2.1)
+      rack-session (>= 2.0.0, < 3)
+      tilt (~> 2.0)
+    sinatra-contrib (4.2.1)
+      multi_json (>= 0.0.2)
+      mustermann (~> 3.0)
+      rack-protection (= 4.2.1)
+      sinatra (= 4.2.1)
+      tilt (~> 2.0)
+    stringio (3.1.7)
+    thor (1.4.0)
+    tilt (2.6.1)
+    timeout (0.4.3)
+    tsort (0.2.0)
+    ttfunk (1.8.0)
+      bigdecimal (~> 3.1)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+    websocket-driver (0.8.0)
+      base64
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.5)
+    zeitwerk (2.7.3)
+
+PLATFORMS
+  aarch64-linux-gnu
+  aarch64-linux-musl
+  arm-linux-gnu
+  arm-linux-musl
+  arm64-darwin
+  x86_64-darwin
+  x86_64-linux-gnu
+  x86_64-linux-musl
+
+DEPENDENCIES
+  puma
+  sinatra
+  sinatra-contrib
+  sphragis!
+
+BUNDLED WITH
+   2.7.2