actproof 0.2.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,295 @@
1
+ Metadata-Version: 2.4
2
+ Name: actproof
3
+ Version: 0.2.0
4
+ Summary: Verifiable receipts of regulated acts. Canonical JSON (RFC 8785), RFC 3161 trusted timestamps, Algorand ARC-2 anchoring, independent verification.
5
+ Project-URL: Homepage, https://github.com/deyan-paroushev/actproof-py
6
+ Project-URL: Documentation, https://github.com/deyan-paroushev/actproof-py/tree/main/docs
7
+ Project-URL: Issues, https://github.com/deyan-paroushev/actproof-py/issues
8
+ Project-URL: Source, https://github.com/deyan-paroushev/actproof-py
9
+ Project-URL: Changelog, https://github.com/deyan-paroushev/actproof-py/blob/main/CHANGELOG.md
10
+ Project-URL: Security, https://github.com/deyan-paroushev/actproof-py/blob/main/SECURITY.md
11
+ Project-URL: Catalogue, https://github.com/deyan-paroushev/actproof-events
12
+ Author-email: Deyan Paroushev <deyan@advisa.tech>
13
+ Maintainer-email: Deyan Paroushev <deyan@advisa.tech>
14
+ License: MIT License
15
+
16
+ Copyright (c) 2026 Deyan Paroushev
17
+
18
+ Permission is hereby granted, free of charge, to any person obtaining a copy
19
+ of this software and associated documentation files (the "Software"), to deal
20
+ in the Software without restriction, including without limitation the rights
21
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
22
+ copies of the Software, and to permit persons to whom the Software is
23
+ furnished to do so, subject to the following conditions:
24
+
25
+ The above copyright notice and this permission notice shall be included in all
26
+ copies or substantial portions of the Software.
27
+
28
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
29
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
30
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
31
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
32
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
33
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
34
+ SOFTWARE.
35
+ License-File: LICENSE
36
+ Keywords: algorand,attestation,canonical-json,compliance,evidence,governance,receipts,rfc-3161,rfc-8785,scitt,timestamping,transparency,verification
37
+ Classifier: Development Status :: 3 - Alpha
38
+ Classifier: Intended Audience :: Developers
39
+ Classifier: Intended Audience :: Information Technology
40
+ Classifier: Intended Audience :: Legal Industry
41
+ Classifier: License :: OSI Approved :: MIT License
42
+ Classifier: Operating System :: OS Independent
43
+ Classifier: Programming Language :: Python :: 3
44
+ Classifier: Programming Language :: Python :: 3.10
45
+ Classifier: Programming Language :: Python :: 3.11
46
+ Classifier: Programming Language :: Python :: 3.12
47
+ Classifier: Topic :: Office/Business
48
+ Classifier: Topic :: Security :: Cryptography
49
+ Classifier: Topic :: System :: Archiving
50
+ Classifier: Typing :: Typed
51
+ Requires-Python: >=3.10
52
+ Requires-Dist: click<9.0,>=8.1
53
+ Requires-Dist: cryptography<46.0,>=42.0
54
+ Requires-Dist: py-algorand-sdk<3.0,>=2.6.1
55
+ Requires-Dist: requests<3.0,>=2.32.0
56
+ Requires-Dist: rfc8785<0.2,>=0.1.4
57
+ Requires-Dist: tsp-client==0.2.1
58
+ Provides-Extra: dev
59
+ Requires-Dist: mypy>=1.10; extra == 'dev'
60
+ Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
61
+ Requires-Dist: pytest-cov>=5.0; extra == 'dev'
62
+ Requires-Dist: pytest>=8.0; extra == 'dev'
63
+ Requires-Dist: ruff>=0.4; extra == 'dev'
64
+ Requires-Dist: types-requests; extra == 'dev'
65
+ Provides-Extra: docs
66
+ Requires-Dist: mkdocs-material>=9.5; extra == 'docs'
67
+ Requires-Dist: mkdocs>=1.6; extra == 'docs'
68
+ Provides-Extra: gcp
69
+ Requires-Dist: google-cloud-kms<4.0,>=2.0; extra == 'gcp'
70
+ Requires-Dist: google-crc32c<2.0,>=1.5; extra == 'gcp'
71
+ Description-Content-Type: text/markdown
72
+
73
+ # actproof
74
+
75
+ Verifiable receipts of regulated acts. Canonical JSON (RFC 8785), RFC 3161
76
+ trusted timestamps, Algorand ARC-2 anchoring, independent verification by
77
+ any party with a Python install.
78
+
79
+ `actproof` produces cryptographic receipts that any third party can verify
80
+ without trusting the issuing platform. A receipt binds: the regulated act
81
+ being recorded (from the `actproof-events` catalogue), the canonical JSON
82
+ of the issuer's evidence, a qualified timestamp from a trusted timestamp
83
+ authority, and a transaction on the Algorand public ledger that carries
84
+ the same hash. The verifier reproduces the bytes locally and confirms each
85
+ binding.
86
+
87
+ ## What actproof does not claim
88
+
89
+ The substrate creates verifiable evidence trails. It does not:
90
+
91
+ * **make documents compliant** with any regulation.
92
+ * **certify compliance** or guarantee regulatory acceptance by any authority.
93
+ * **prove legal sufficiency** of any document. Legal sufficiency is determined
94
+ by the relevant authority, not by `actproof`.
95
+ * **verify the truthfulness** of the source documents the issuer submits.
96
+ The verifier confirms integrity, timing, issuer signature, catalogue
97
+ classification, and ledger anchor. Underlying document truth is the
98
+ issuer's responsibility.
99
+
100
+ See [SECURITY.md](SECURITY.md) for the full scope and out-of-scope statement.
101
+
102
+ ## What actproof does
103
+
104
+ ```
105
+ ┌─────────────────┐
106
+ │ JSON manifest │ ← act_type_id from actproof-events catalogue
107
+ │ (your event) │ claim block + evidence + recipients + issuer
108
+ └────────┬────────┘
109
+
110
+ │ 1. canonicalize per RFC 8785 (deterministic bytes)
111
+ │ 2. SHA-256 → manifest_hash
112
+
113
+ ┌─────────────────┐ ┌──────────────────┐
114
+ │ manifest_hash │ ──→ │ RFC 3161 token │ ← QuoVadis / Sectigo /
115
+ │ (32 bytes) │ │ from a QTSP │ Belgium / Izenpe /
116
+ └────────┬────────┘ └──────────────────┘ DigiCert / freetsa
117
+ │ │
118
+ │ ┌─────────────────┘
119
+ │ │
120
+ ▼ ▼
121
+ ┌─────────────────────────────────────────┐
122
+ │ Algorand transaction (mainnet) │
123
+ │ note: actproof:j{"h":...,"t":...} │
124
+ │ txid: ABCDEF... (52 base32 chars) │
125
+ │ sender = receiver = signer's address │
126
+ │ amount: 0 │
127
+ └────────┬────────────────────────────────┘
128
+
129
+
130
+
131
+ ┌─────────────────────────────────────────┐
132
+ │ Receipt JSON │
133
+ │ manifest (full) │
134
+ │ manifest_hash │
135
+ │ anchor (txid, block_round, network) │
136
+ │ trusted_timestamp (TSA token) │
137
+ │ receipt_profile = actproof-jcs-v1 │
138
+ └─────────────────────────────────────────┘
139
+ ```
140
+
141
+ Any verifier with the receipt can independently confirm: the manifest was
142
+ canonicalized correctly, its hash matches the on-chain note bytes, the
143
+ RFC 3161 token timestamps that hash, the manifest validates against the
144
+ catalogue at the named commit. No trust in the issuing platform is needed.
145
+
146
+ ## Install
147
+
148
+ ```bash
149
+ pip install actproof
150
+ ```
151
+
152
+ For production anchoring with Google Cloud KMS (Ed25519 keys held in
153
+ HSM-backed KMS, never exposed to process memory):
154
+
155
+ ```bash
156
+ pip install 'actproof[gcp]'
157
+ ```
158
+
159
+ ## Quick start (CLI)
160
+
161
+ ```bash
162
+ # Verify a receipt end-to-end (no platform trust needed)
163
+ actproof verify receipt.json \
164
+ --catalogue ./actproof-events/catalogue/acts \
165
+ --git-commit a1b2c3d4... \
166
+ --source-uri https://github.com/deyan-paroushev/actproof-events
167
+
168
+ # Validate a manifest against a local checkout of actproof-events
169
+ actproof validate manifest.json \
170
+ --catalogue ./actproof-events/catalogue/acts \
171
+ --git-commit a1b2c3d4... \
172
+ --source-uri https://github.com/deyan-paroushev/actproof-events
173
+
174
+ # Anchor a manifest in draft mode (no submission, just build the note)
175
+ export ACTPROOF_MNEMONIC="your 25-word algorand mnemonic"
176
+ actproof anchor manifest.json \
177
+ --mode draft \
178
+ --output receipt.json \
179
+ --skip-timestamp
180
+ ```
181
+
182
+ Mnemonic in env var only; the CLI does NOT accept mnemonics via
183
+ command-line args (they would leak to shell history and the kernel
184
+ process table).
185
+
186
+ ## Quick start (Python API)
187
+
188
+ ```python
189
+ import actproof
190
+
191
+ # Load the actproof-events catalogue at a pinned git commit.
192
+ cat = actproof.load_catalogue(
193
+ acts_path="./actproof-events/catalogue/acts",
194
+ source_uri="https://github.com/deyan-paroushev/actproof-events",
195
+ git_commit="a1b2c3d4...",
196
+ )
197
+ nis2 = cat.get("op:eu.nis2.art20.management_body_approval.v1")
198
+
199
+ # Build a manifest.
200
+ manifest = actproof.build_manifest(
201
+ act_type_id=nis2.act_type_id,
202
+ catalogue_entry_version=nis2.version,
203
+ catalogue_source_uri=cat.source_uri,
204
+ catalogue_git_commit=cat.git_commit,
205
+ catalogue_entry_hash=nis2.entry_hash,
206
+ catalogue_schema_hash=cat.schema_hash,
207
+ issuer_org_name="Acme AD",
208
+ issuer_authority_label="Management Body",
209
+ title="NIS2 Article 20 approval, May 2026",
210
+ claim={...}, # per the catalogue entry's claim_schema
211
+ evidence=[...], # files with their hashes
212
+ recipients=[...],
213
+ issued_at="2026-05-14T08:23:11Z",
214
+ )
215
+
216
+ # Validate the manifest before anchoring.
217
+ issues = actproof.validate_manifest(manifest, cat)
218
+ assert not issues, issues
219
+
220
+ # Get an RFC 3161 timestamp.
221
+ result = actproof.acquire_timestamp_token(
222
+ actproof.hash_manifest(manifest)
223
+ )
224
+ token = result.token
225
+
226
+ # Anchor (DRAFT mode here; switch to DEMO or PRODUCTION for real).
227
+ import os
228
+ signer = actproof.MnemonicSigner(os.environ["ACTPROOF_MNEMONIC"])
229
+ anchor = actproof.anchor_manifest(
230
+ actproof.hash_manifest(manifest),
231
+ signer=signer,
232
+ mode=actproof.AnchorMode.DRAFT,
233
+ )
234
+
235
+ # Build and write the receipt.
236
+ receipt = actproof.build_receipt(
237
+ manifest=manifest,
238
+ anchor=anchor,
239
+ trusted_timestamp=token,
240
+ )
241
+ actproof.write_receipt("receipt.json", receipt)
242
+
243
+ # Anyone with the receipt can verify it.
244
+ loaded = actproof.read_receipt("receipt.json")
245
+ result = actproof.verify_receipt(loaded, catalogue=cat)
246
+ print(f"Verification: {'OK' if result.ok else 'FAIL'}")
247
+ for check in result.checks:
248
+ print(f" {check.name}: {check.status.value}")
249
+ ```
250
+
251
+ ## Architecture
252
+
253
+ actproof composes five published standards rather than inventing new ones:
254
+
255
+ * **RFC 8785** (JSON Canonicalization Scheme) for deterministic manifest
256
+ bytes. Same manifest, anywhere, produces the same bytes, produces the
257
+ same hash. Verifiers re-derive the canonical form from the receipt's
258
+ embedded manifest.
259
+
260
+ * **RFC 3161** (Time-Stamp Protocol) for qualified timestamps. The default
261
+ chain falls over six TSAs in priority order: four EU-qualified
262
+ candidates (Sectigo Qualified, QuoVadis EU, Izenpe, Belgium TSA), then
263
+ two public fallbacks (DigiCert, freetsa.org).
264
+
265
+ * **ARC-2** (Algorand Application Reference Convention 2) for the on-chain
266
+ note format. Disclosed-mode JSON payload after the `actproof:j` prefix.
267
+ Single SHA-256 anchor today; the format is forward-compatible with
268
+ Merkle-batched anchors for higher-throughput scenarios.
269
+
270
+ * **actproof-events catalogue** (sibling repository) for the regulatory
271
+ act types. Each act type has a JSON schema for its claim block, a list
272
+ of regulatory citations, a list of evidence labels, and a signature
273
+ policy. Versioned, git-pinned, immutable per commit.
274
+
275
+ * **RFC 9943 / IETF SCITT** (Supply Chain Integrity, Transparency, and
276
+ Trust) reserved for a v2 wire format. The receipt's `receipt_profile`
277
+ discriminator (`actproof-jcs-v1` today) lets verifiers route to the
278
+ v2 parser when COSE_Sign1 + SCITT Transparent Statement becomes
279
+ standardised.
280
+
281
+ ## What's NOT in v0.1.0
282
+
283
+ * **EU Trusted List chain validation** for RFC 3161 tokens. The current
284
+ verifier checks the token is well-formed and self-consistent; full
285
+ chain validation against EUTL is v0.2.x.
286
+ * **Conformance test vectors** for cross-implementation interop. The
287
+ conformance suite lands in v0.3.0.
288
+ * **GitHub Action wrapper** for one-call anchoring from a CI step. Lands
289
+ in v0.2.0.
290
+ * **Worked examples** for NIS2, EUDR, and software-release use cases.
291
+ Land in v0.2.0.
292
+
293
+ ## License
294
+
295
+ MIT. The actproof-events catalogue is CC0 / Apache-2.0.
@@ -0,0 +1,18 @@
1
+ actproof/__init__.py,sha256=LIiR1U7t3hPzrciapikELuBGMXOXAuk61lHtiU2kRpY,7563
2
+ actproof/anchor.py,sha256=RYoDPoiRvq3l1ykjidKKJPkm8tukt5vyqaAIIZ_28gs,23396
3
+ actproof/canonical.py,sha256=UlrJPN9KRGjORZttIivpYX0HjqMeLrBR8zjsfoQmP9Q,15082
4
+ actproof/catalogue.py,sha256=xEGd9v3VW7Z6EiX9bY6eEN51qeFchEC6YRXMdltk6L4,45336
5
+ actproof/cli.py,sha256=9xO8YrgrAyEl70bGJ91VPeZzWO1CsKQ83Y-WB-JMYtk,20747
6
+ actproof/manifest.py,sha256=0V0ONc6GuJrIw9-lZOCORP-MOQOD8MKrdR3R_tojDBs,28212
7
+ actproof/receipt.py,sha256=3vhhbRPXUwLwKWimo-gJlMFV3vgEVR6LYWf8c_l_14A,26345
8
+ actproof/timestamp.py,sha256=3QmffxbRv7qtnf28vyjj5AKpc2GRw1f2GHg_YazaEE4,20856
9
+ actproof/verify.py,sha256=QEFqIqS8mGB2_0RlhIDCyYzVkOJxRANPKznqR-e4ZC4,26845
10
+ actproof/signers/__init__.py,sha256=8-cGeGUOuyrW6cqKj8t8swQUYsCK-UL_FcFgDPb5ua0,3185
11
+ actproof/signers/google_kms.py,sha256=cR5S1x1m68iRncyJL_3Yf0-K8KV4asXPFf2PkKkDm1A,17427
12
+ actproof/signers/interface.py,sha256=Mvl-i_dj6xugMTwqu_9aPSn66AZIxQgt2p8derA1bXQ,13285
13
+ actproof/signers/mnemonic.py,sha256=qQomLMt_lS3ZSFtYLsXdabJGNsFNiwYxuW5M2lrw80s,5227
14
+ actproof-0.2.0.dist-info/METADATA,sha256=UVHGifHOX4mrJ-6ug2ffiRi4eOH8OMSLPfrr7V6iPbo,12632
15
+ actproof-0.2.0.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
16
+ actproof-0.2.0.dist-info/entry_points.txt,sha256=4q1X32ggbln8Q_3uUGVYV8hQsAcgRpX5zGb0JL1uEZ0,47
17
+ actproof-0.2.0.dist-info/licenses/LICENSE,sha256=wMfX-xIRONYxaaF3R-WXtbJbLsa_0xffKoPTztfgcTc,1072
18
+ actproof-0.2.0.dist-info/RECORD,,
@@ -0,0 +1,4 @@
1
+ Wheel-Version: 1.0
2
+ Generator: hatchling 1.29.0
3
+ Root-Is-Purelib: true
4
+ Tag: py3-none-any
@@ -0,0 +1,2 @@
1
+ [console_scripts]
2
+ actproof = actproof.cli:main
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 Deyan Paroushev
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.