tripwire-server 0.1.0
- checksums.yaml +7 -0
- data/LICENSE +21 -0
- data/README.md +99 -0
- data/lib/tripwire/server/client.rb +265 -0
- data/lib/tripwire/server/errors.rb +21 -0
- data/lib/tripwire/server/sealed_token.rb +76 -0
- data/lib/tripwire/server/types.rb +5 -0
- data/lib/tripwire/server/version.rb +5 -0
- data/lib/tripwire/server.rb +19 -0
- data/spec/LICENSE +21 -0
- data/spec/README.md +129 -0
- data/spec/fixtures/errors/invalid-api-key.json +10 -0
- data/spec/fixtures/errors/missing-api-key.json +10 -0
- data/spec/fixtures/errors/not-found.json +10 -0
- data/spec/fixtures/errors/validation-error.json +21 -0
- data/spec/fixtures/public-api/fingerprints/detail.json +40 -0
- data/spec/fixtures/public-api/fingerprints/list.json +31 -0
- data/spec/fixtures/public-api/sessions/detail.json +47 -0
- data/spec/fixtures/public-api/sessions/list.json +33 -0
- data/spec/fixtures/public-api/teams/api-key-create.json +18 -0
- data/spec/fixtures/public-api/teams/api-key-list.json +23 -0
- data/spec/fixtures/public-api/teams/api-key-revoke.json +3 -0
- data/spec/fixtures/public-api/teams/api-key-rotate.json +18 -0
- data/spec/fixtures/public-api/teams/team-create.json +11 -0
- data/spec/fixtures/public-api/teams/team-update.json +11 -0
- data/spec/fixtures/public-api/teams/team.json +11 -0
- data/spec/fixtures/sealed-token/invalid.json +4 -0
- data/spec/fixtures/sealed-token/vector.v1.json +41 -0
- data/spec/openapi.json +1435 -0
- data/spec/sealed-token.md +95 -0
- metadata +73 -0
@@ -0,0 +1,95 @@
+# Sealed Token Specification
+
+Tripwire sealed tokens are encrypted server handoff payloads returned by `Tripwire.getSession()`.
+
+This document is the language-agnostic contract for verifying those tokens in public server SDKs.
+
+## Overview
+
+- Input: a base64-encoded sealed token string
+- Output: a JSON payload describing the scored Tripwire result for the current action
+- Confidentiality and integrity: AES-256-GCM
+- Compression: zlib deflate/inflate
+
+## Payload format
+
+After base64 decoding, the byte layout is:
+
+- `version` - 1 byte
+- `nonce` - 12 bytes
+- `ciphertext` - variable length
+- `tag` - 16 bytes
+
+Current version:
+
+- `0x01`
+
+Reject any token whose version byte is not `0x01`.
+
+## Secret normalization
+
+The verifier accepts either:
+
+- a plaintext Tripwire secret key, such as `sk_live_...`
+- or the corresponding lowercase SHA-256 hex digest
+
+Normalization rules:
+
+- If the supplied secret matches `/^[0-9a-f]{64}$/i`, treat it as the secret hash and lowercase it
+- Otherwise compute the SHA-256 hex digest of the supplied secret key
+
+## Key derivation
+
+Derive the AES key as:
+
+- `sha256(normalized_secret + "\0sealed-results")`
+
+Use the raw 32-byte digest as the AES-256-GCM key.
+
+## Verification steps
+
+1. Base64 decode the token
+2. Parse the version byte, nonce, ciphertext, and tag
+3. Normalize the caller's secret material
+4. Derive the AES-256-GCM key
+5. Decrypt using:
+   - algorithm: `aes-256-gcm`
+   - nonce: parsed 12-byte nonce
+   - tag: parsed 16-byte authentication tag
+6. Inflate the decrypted bytes with zlib
+7. Parse the inflated UTF-8 JSON payload
+
+Any failure in decoding, parsing, authentication, decompression, or JSON parsing must be treated as verification failure.
+
+## Payload shape
+
+The decrypted JSON payload currently includes:
+
+- `eventId`
+- `sessionId`
+- `verdict`
+- `score`
+- `manipulationScore`
+- `manipulationVerdict`
+- `evaluationDuration`
+- `scoredAt`
+- `metadata`
+- `signals`
+- `categoryScores`
+- `botAttribution`
+- `visitorId`
+- `visitorIdConfidence`
+- `embedContext`
+- `phase`
+- `provisional`
+
+Public SDKs should treat the payload as forward-compatible:
+
+- preserve unknown fields
+- do not require fields beyond the documented stable surface
+
+## Fixtures
+
+Golden vectors live under `fixtures/sealed-token/`.
+
+Every language SDK must verify the shared vectors successfully and reject the invalid vectors it ships with.
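Review bot: the Verification steps (items 1 to 7) never reject on the version byte or bound the token length, even though the Payload format section says to reject any version other than `0x01` and the fixed layout implies a minimum of 29 bytes (1 + 12 + 16); add an explicit step after item 2 that rejects a short token or an unknown version before the key is derived, so every SDK fails the `invalid.json` vectors at the same point. Two further points on this hunk: the Decrypt step lists algorithm, nonce and tag but not the additional authenticated data, so implementations may disagree on whether the version byte is passed as AAD, and as written the version byte is not stated to be integrity-protected at all; state the AAD explicitly, even if it is empty. And `sha256(normalized_secret + "\0sealed-results")` should say that `normalized_secret` is the 64-character lowercase hex string concatenated as ASCII bytes, because the next sentence switches to a raw 32-byte digest for the key and a reader could feed the raw digest into the concatenation instead. Finally, step 6 "Inflate the decrypted bytes with zlib" should carry a maximum inflated size so a malformed payload cannot expand without bound before the JSON parse.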
metadata
ADDED
@@ -0,0 +1,73 @@
+--- !ruby/object:Gem::Specification
+name: tripwire-server
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- ABXY Labs
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2026-03-25 00:00:00.000000000 Z
+dependencies: []
+description: Customer-facing Ruby SDK for Tripwire Sessions, Fingerprints, Teams,
+  and sealed token verification.
+email:
+- support@tripwire.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/tripwire/server.rb
+- lib/tripwire/server/client.rb
+- lib/tripwire/server/errors.rb
+- lib/tripwire/server/sealed_token.rb
+- lib/tripwire/server/types.rb
+- lib/tripwire/server/version.rb
+- spec/LICENSE
+- spec/README.md
+- spec/fixtures/errors/invalid-api-key.json
+- spec/fixtures/errors/missing-api-key.json
+- spec/fixtures/errors/not-found.json
+- spec/fixtures/errors/validation-error.json
+- spec/fixtures/public-api/fingerprints/detail.json
+- spec/fixtures/public-api/fingerprints/list.json
+- spec/fixtures/public-api/sessions/detail.json
+- spec/fixtures/public-api/sessions/list.json
+- spec/fixtures/public-api/teams/api-key-create.json
+- spec/fixtures/public-api/teams/api-key-list.json
+- spec/fixtures/public-api/teams/api-key-revoke.json
+- spec/fixtures/public-api/teams/api-key-rotate.json
+- spec/fixtures/public-api/teams/team-create.json
+- spec/fixtures/public-api/teams/team-update.json
+- spec/fixtures/public-api/teams/team.json
+- spec/fixtures/sealed-token/invalid.json
+- spec/fixtures/sealed-token/vector.v1.json
+- spec/openapi.json
+- spec/sealed-token.md
+homepage: https://github.com/abxy-labs/tripwire-server-ruby
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: Official Tripwire Ruby server SDK
+test_files: []
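Review bot: `cert_chain: []` together with the empty `signing_key:` means this release is published unsigned, so installers of a security SDK can rely only on the registry's own checksums for integrity; consider signing the gem, or at minimum publishing the `checksums.yaml` values in the README, so consumers can pin the exact artifact they verify sealed tokens with. Also `required_ruby_version` of `>= 2.6.0` admits Ruby series that no longer receive security fixes; raising the floor, or stating the supported versions in the `description`, would set expectations for users of a library that handles live secret keys.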