aems-agent 0.2.0__tar.gz

aems_agent-0.2.0/.github/workflows/build.yml

@@ -0,0 +1,271 @@
+name: Build AEMS Agent
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version tag (for manual runs)"
+        required: false
+        default: "dev"
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  build-windows:
+    runs-on: windows-latest
+    env:
+      WIN_CODESIGN_CERT_PFX_BASE64: ${{ secrets.WIN_CODESIGN_CERT_PFX_BASE64 }}
+      WIN_CODESIGN_CERT_PASSWORD: ${{ secrets.WIN_CODESIGN_CERT_PASSWORD }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install dependencies
+        run: |
+          pip install pyinstaller
+          pip install -e ".[dev]"
+
+      - name: Install NSIS
+        run: choco install nsis -y
+
+      - name: Add NSIS to PATH
+        run: echo "C:\Program Files (x86)\NSIS" >> $env:GITHUB_PATH
+
+      - name: Build with PyInstaller and NSIS installer
+        run: python packaging/build.py --platform windows
+
+      - name: Verify installer exists
+        run: |
+          if (Test-Path "dist\aems-agent-setup.exe") {
+            Write-Host "Installer built: dist\aems-agent-setup.exe"
+            (Get-Item "dist\aems-agent-setup.exe").Length
+          } else {
+            Write-Host "::warning::Installer not found. Running NSIS directly..."
+            & "C:\Program Files (x86)\NSIS\makensis.exe" /DDIST_DIR=dist\aems-agent /DOUTPUT_DIR=dist packaging\windows\installer.nsi
+          }
+
+      - name: Check Windows signing credentials
+        id: win_sign_check
+        run: |
+          if ($env:WIN_CODESIGN_CERT_PFX_BASE64 -and $env:WIN_CODESIGN_CERT_PASSWORD) {
+            echo "available=true" >> $env:GITHUB_OUTPUT
+            Write-Host "Code signing credentials found, will sign installer."
+          } else {
+            echo "available=false" >> $env:GITHUB_OUTPUT
+            Write-Host "::warning::Code signing credentials not configured. Installer will be unsigned."
+          }
+
+      - name: Sign Windows installer (Authenticode)
+        if: steps.win_sign_check.outputs.available == 'true'
+        run: |
+          $pfxPath = Join-Path $env:RUNNER_TEMP "codesign.pfx"
+          [IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($env:WIN_CODESIGN_CERT_PFX_BASE64))
+          $signtool = (Get-Command signtool.exe).Source
+          & $signtool sign /fd SHA256 /f $pfxPath /p $env:WIN_CODESIGN_CERT_PASSWORD /tr http://timestamp.digicert.com /td SHA256 dist\aems-agent-setup.exe
+          & $signtool verify /pa /v dist\aems-agent-setup.exe
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: aems-agent-windows
+          path: |
+            dist/aems-agent-setup.exe
+            dist/aems-agent/
+
+  build-macos:
+    runs-on: macos-latest
+    env:
+      MACOS_CERT_P12_BASE64: ${{ secrets.MACOS_CERT_P12_BASE64 }}
+      MACOS_CERT_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }}
+      MACOS_DEVELOPER_IDENTITY: ${{ secrets.MACOS_DEVELOPER_IDENTITY }}
+      APPLE_ID: ${{ secrets.APPLE_ID }}
+      APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+      APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install dependencies
+        run: |
+          pip install pyinstaller
+          pip install -e ".[dev]"
+
+      - name: Build with PyInstaller
+        run: python packaging/build.py --platform macos
+
+      - name: Check macOS signing credentials
+        id: mac_sign_check
+        run: |
+          ALL_PRESENT=true
+          for v in MACOS_CERT_P12_BASE64 MACOS_CERT_PASSWORD MACOS_DEVELOPER_IDENTITY APPLE_ID APPLE_APP_SPECIFIC_PASSWORD APPLE_TEAM_ID; do
+            if [ -z "${!v}" ]; then
+              ALL_PRESENT=false
+              break
+            fi
+          done
+          echo "available=$ALL_PRESENT" >> "$GITHUB_OUTPUT"
+          if [ "$ALL_PRESENT" = "false" ]; then
+            echo "::warning::macOS signing/notarization credentials not configured. DMG will be unsigned."
+          else
+            echo "Signing credentials found, will sign and notarize."
+          fi
+
+      - name: Import Developer ID certificate
+        if: steps.mac_sign_check.outputs.available == 'true'
+        run: |
+          KEYCHAIN_PATH="$RUNNER_TEMP/aems-signing.keychain-db"
+          KEYCHAIN_PASSWORD="$(openssl rand -hex 16)"
+          CERT_PATH="$RUNNER_TEMP/developer_id.p12"
+          python - <<'PY'
+          import base64
+          import os
+          from pathlib import Path
+
+          data = os.environ["MACOS_CERT_P12_BASE64"]
+          out = Path(os.environ["RUNNER_TEMP"]) / "developer_id.p12"
+          out.write_bytes(base64.b64decode(data))
+          PY
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security list-keychains -d user -s "$KEYCHAIN_PATH"
+          security default-keychain -s "$KEYCHAIN_PATH"
+          security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$MACOS_CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
+          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+      - name: Sign macOS app bundle and DMG
+        if: steps.mac_sign_check.outputs.available == 'true'
+        run: |
+          codesign --force --deep --options runtime --timestamp --sign "$MACOS_DEVELOPER_IDENTITY" "dist/AEMS Agent.app"
+          codesign --verify --deep --strict --verbose=2 "dist/AEMS Agent.app"
+          codesign --force --timestamp --sign "$MACOS_DEVELOPER_IDENTITY" "dist/AEMS-Agent.dmg"
+          codesign --verify --verbose=2 "dist/AEMS-Agent.dmg"
+
+      - name: Notarize and staple macOS DMG
+        if: steps.mac_sign_check.outputs.available == 'true'
+        run: |
+          xcrun notarytool submit "dist/AEMS-Agent.dmg" \
+            --apple-id "$APPLE_ID" \
+            --password "$APPLE_APP_SPECIFIC_PASSWORD" \
+            --team-id "$APPLE_TEAM_ID" \
+            --wait
+          xcrun stapler staple "dist/AEMS-Agent.dmg"
+          spctl --assess --type open --context context:primary-signature --verbose=4 "dist/AEMS-Agent.dmg"
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: aems-agent-macos
+          path: |
+            dist/AEMS-Agent.dmg
+            dist/AEMS Agent.app/
+
+  build-linux:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install dependencies
+        run: |
+          pip install pyinstaller
+          pip install -e ".[dev]"
+
+      - name: Build with PyInstaller
+        run: python packaging/build.py --platform linux
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: aems-agent-linux
+          path: dist/aems-agent/
+
+  release:
+    needs: [build-windows, build-macos, build-linux]
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/v')
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts/
+
+      - name: Collect release assets
+        id: assets
+        run: |
+          ASSETS=""
+
+          if [ -f artifacts/aems-agent-windows/aems-agent-setup.exe ]; then
+            ASSETS="$ASSETS artifacts/aems-agent-windows/aems-agent-setup.exe"
+          fi
+          if [ -f artifacts/aems-agent-macos/AEMS-Agent.dmg ]; then
+            ASSETS="$ASSETS artifacts/aems-agent-macos/AEMS-Agent.dmg"
+          fi
+          if [ -d artifacts/aems-agent-linux ]; then
+            tar -czf artifacts/aems-agent-linux.tar.gz -C artifacts aems-agent-linux
+            ASSETS="$ASSETS artifacts/aems-agent-linux.tar.gz"
+          fi
+
+          : > artifacts/sha256sums.txt
+          for f in $ASSETS; do
+            sha256sum "$f" >> artifacts/sha256sums.txt
+          done
+
+          VERSION="${GITHUB_REF#refs/tags/v}"
+          cat > artifacts/release-manifest.json <<EOF
+          {
+            "name": "aems-agent",
+            "version": "${VERSION}",
+            "generated_at_utc": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
+            "checksum_file": "sha256sums.txt"
+          }
+          EOF
+
+          ASSETS="$ASSETS artifacts/sha256sums.txt artifacts/release-manifest.json"
+          ASSETS=$(echo "$ASSETS" | xargs)
+          echo "files=$ASSETS" >> "$GITHUB_OUTPUT"
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.7.0
+
+      - name: Sign release manifest (keyless)
+        run: |
+          cosign sign-blob --yes artifacts/release-manifest.json \
+            --output-signature artifacts/release-manifest.sig \
+            --output-certificate artifacts/release-manifest.pem
+
+      - name: Append signature assets
+        id: signed_assets
+        run: |
+          FILES="${{ steps.assets.outputs.files }} artifacts/release-manifest.sig artifacts/release-manifest.pem"
+          FILES=$(echo "$FILES" | xargs)
+          echo "files=$FILES" >> "$GITHUB_OUTPUT"
+
+      - name: Create Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          VERSION="${GITHUB_REF#refs/tags/v}"
+          gh release create "v${VERSION}" \
+            --title "AEMS Agent v${VERSION}" \
+            --notes "AEMS Local Bridge Agent v${VERSION} - Windows (.exe), macOS (.dmg), Linux (.tar.gz), plus signed manifest/checksums." \
+            ${{ steps.signed_assets.outputs.files }}

aems_agent-0.2.0/.github/workflows/ci.yml

@@ -0,0 +1,47 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+        python-version: ['3.10', '3.11', '3.12']
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Run tests
+        run: python -m pytest -v --tb=short
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Check formatting (black)
+        run: black --check src/ tests/
+
+      - name: Lint (ruff)
+        run: ruff check src/ tests/

aems_agent-0.2.0/.gitignore

@@ -0,0 +1,41 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+*.egg-info/
+*.egg
+dist/
+build/
+.eggs/
+
+# Virtual environments
+venv/
+.venv/
+ENV/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+.mypy_cache/
+
+# PyInstaller
+*.spec.bak
+
+# Logs
+*.log
+
+# Config (user-specific)
+config/

aems_agent-0.2.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 AEMS Team
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

aems_agent-0.2.0/PKG-INFO

@@ -0,0 +1,161 @@
+Metadata-Version: 2.4
+Name: aems-agent
+Version: 0.2.0
+Summary: AEMS Local Bridge Agent — local filesystem access for exam PDFs
+Author: AEMS Team
+License: MIT
+License-File: LICENSE
+Requires-Python: >=3.10
+Requires-Dist: cryptography>=43.0.0
+Requires-Dist: fastapi>=0.104.0
+Requires-Dist: httpx>=0.25.0
+Requires-Dist: pydantic>=2.0.0
+Requires-Dist: pyjwt[crypto]>=2.9.0
+Requires-Dist: typer>=0.9.0
+Requires-Dist: uvicorn[standard]>=0.24.0
+Provides-Extra: dev
+Requires-Dist: black>=23.0.0; extra == 'dev'
+Requires-Dist: httpx>=0.25.0; extra == 'dev'
+Requires-Dist: mypy>=1.5.0; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.23.0; extra == 'dev'
+Requires-Dist: pytest-cov>=4.1.0; extra == 'dev'
+Requires-Dist: pytest>=7.4.0; extra == 'dev'
+Requires-Dist: ruff>=0.1.0; extra == 'dev'
+Provides-Extra: tray
+Requires-Dist: pillow>=10.0.0; extra == 'tray'
+Requires-Dist: pystray>=0.19.0; extra == 'tray'
+Description-Content-Type: text/markdown
+
+# AEMS Local Bridge Agent
+
+A lightweight companion service that runs on `localhost` and provides REST API access to the local filesystem, enabling the [AEMS](https://github.com/artkula/aems) web app to read/write exam PDFs to a user-chosen folder.
+
+## Installation
+
+### pip (recommended for development)
+
+```bash
+pip install aems-agent
+```
+
+### Binary installers
+
+Download pre-built installers from [Releases](https://github.com/artkula/aems-agent/releases):
+
+| Platform | File | Notes |
+|----------|------|-------|
+| Windows | `aems-agent-setup.exe` | Installs to `%LOCALAPPDATA%\AEMS Agent` |
+| macOS | `AEMS-Agent.dmg` | Drag to Applications |
+| Linux | `aems-agent-linux.tar.gz` | Extract and run `./aems-agent run` |
+
+## Usage
+
+```bash
+# Start the agent (default: http://127.0.0.1:61234)
+aems-agent run
+
+# Start with system tray icon
+aems-agent run --tray
+
+# Custom port/host
+aems-agent run --port 9000 --host 0.0.0.0
+
+# Enforce runtime license policy
+aems-agent run --license-policy warn
+aems-agent run --license-policy soft-block
+aems-agent run --license-policy hard-block
+
+# Show auth token
+aems-agent token
+
+# Set exam storage directory
+aems-agent set-path /path/to/exams
+
+# Show config directory location
+aems-agent config-dir
+
+# Store a license JWT token
+aems-agent license-store "<jwt-token>"
+
+# Validate token signature + claims + heartbeat
+aems-agent license-check \
+  --license-url https://license.domain.com \
+  --issuer https://license.domain.com \
+  --audience aems-agent
+```
+
+## Configuration
+
+Config files are stored in a platform-specific directory:
+
+| Platform | Path |
+|----------|------|
+| Windows | `%APPDATA%\AEMS\agent\` |
+| macOS | `~/.config/aems/agent/` |
+| Linux | `~/.config/aems/agent/` (or `$XDG_CONFIG_HOME/aems/agent/`) |
+
+Files:
+- `config.json` - storage path, port, allowed origins, license settings
+- `auth_token` - bearer token for API authentication
+- `license.jwt` - stored license token
+- `agent.log` - rotating log file
+
+Runtime license policy modes:
+- `warn`: agent starts and logs validation failures.
+- `soft-block`: agent starts in limited mode when license is invalid. Write operations (`PUT/DELETE /files/*`, `PUT /config/path`) are blocked until license becomes valid again.
+- `hard-block`: startup fails and exits non-zero when license is invalid/revoked/grace-expired; runtime checks also terminate the process non-zero on hard-block failures.
+
+## API Endpoints
+
+| Method | Path | Auth | Description |
+|--------|------|------|-------------|
+| GET | `/status` | No | Alive check |
+| GET | `/health` | Yes | Detailed health with disk info |
+| GET/PUT | `/config/path` | Yes | Get/set storage path |
+| GET | `/files/{assignment_id}` | Yes | List submissions |
+| GET/PUT/DELETE | `/files/{aid}/{sid}` | Yes | Manage submission PDFs |
+| GET/PUT | `/files/{aid}/{sid}/annotated` | Yes | Manage annotated PDFs |
+| POST | `/pair/initiate` | No | Start browser pairing |
+| POST | `/pair/complete` | No | Complete pairing |
+
+## Development
+
+```bash
+git clone https://github.com/artkula/aems-agent.git
+cd aems-agent
+python -m pip install -e ".[dev]"
+python -m pytest -v
+```
+
+## Release Trust and Verification
+
+Release pipeline:
+- `.github/workflows/build.yml`
+- Windows tagged releases are Authenticode-signed.
+- macOS tagged releases are code-signed, notarized, and stapled.
+- `release-manifest.json` and `sha256sums.txt` are signed with cosign as supplemental integrity proof.
+
+Verification examples:
+
+Windows:
+```powershell
+Get-AuthenticodeSignature .\aems-agent-setup.exe | Format-List
+```
+
+macOS:
+```bash
+codesign --verify --deep --strict --verbose=2 "AEMS Agent.app"
+spctl --assess --type open --context context:primary-signature --verbose=4 "AEMS-Agent.dmg"
+```
+
+Cosign manifest verification:
+```bash
+cosign verify-blob \
+  --certificate release-manifest.pem \
+  --signature release-manifest.sig \
+  release-manifest.json
+```
+
+## License
+
+MIT

aems_agent-0.2.0/README.md

@@ -0,0 +1,133 @@
+# AEMS Local Bridge Agent
+
+A lightweight companion service that runs on `localhost` and provides REST API access to the local filesystem, enabling the [AEMS](https://github.com/artkula/aems) web app to read/write exam PDFs to a user-chosen folder.
+
+## Installation
+
+### pip (recommended for development)
+
+```bash
+pip install aems-agent
+```
+
+### Binary installers
+
+Download pre-built installers from [Releases](https://github.com/artkula/aems-agent/releases):
+
+| Platform | File | Notes |
+|----------|------|-------|
+| Windows | `aems-agent-setup.exe` | Installs to `%LOCALAPPDATA%\AEMS Agent` |
+| macOS | `AEMS-Agent.dmg` | Drag to Applications |
+| Linux | `aems-agent-linux.tar.gz` | Extract and run `./aems-agent run` |
+
+## Usage
+
+```bash
+# Start the agent (default: http://127.0.0.1:61234)
+aems-agent run
+
+# Start with system tray icon
+aems-agent run --tray
+
+# Custom port/host
+aems-agent run --port 9000 --host 0.0.0.0
+
+# Enforce runtime license policy
+aems-agent run --license-policy warn
+aems-agent run --license-policy soft-block
+aems-agent run --license-policy hard-block
+
+# Show auth token
+aems-agent token
+
+# Set exam storage directory
+aems-agent set-path /path/to/exams
+
+# Show config directory location
+aems-agent config-dir
+
+# Store a license JWT token
+aems-agent license-store "<jwt-token>"
+
+# Validate token signature + claims + heartbeat
+aems-agent license-check \
+  --license-url https://license.domain.com \
+  --issuer https://license.domain.com \
+  --audience aems-agent
+```
+
+## Configuration
+
+Config files are stored in a platform-specific directory:
+
+| Platform | Path |
+|----------|------|
+| Windows | `%APPDATA%\AEMS\agent\` |
+| macOS | `~/.config/aems/agent/` |
+| Linux | `~/.config/aems/agent/` (or `$XDG_CONFIG_HOME/aems/agent/`) |
+
+Files:
+- `config.json` - storage path, port, allowed origins, license settings
+- `auth_token` - bearer token for API authentication
+- `license.jwt` - stored license token
+- `agent.log` - rotating log file
+
+Runtime license policy modes:
+- `warn`: agent starts and logs validation failures.
+- `soft-block`: agent starts in limited mode when license is invalid. Write operations (`PUT/DELETE /files/*`, `PUT /config/path`) are blocked until license becomes valid again.
+- `hard-block`: startup fails and exits non-zero when license is invalid/revoked/grace-expired; runtime checks also terminate the process non-zero on hard-block failures.
+
+## API Endpoints
+
+| Method | Path | Auth | Description |
+|--------|------|------|-------------|
+| GET | `/status` | No | Alive check |
+| GET | `/health` | Yes | Detailed health with disk info |
+| GET/PUT | `/config/path` | Yes | Get/set storage path |
+| GET | `/files/{assignment_id}` | Yes | List submissions |
+| GET/PUT/DELETE | `/files/{aid}/{sid}` | Yes | Manage submission PDFs |
+| GET/PUT | `/files/{aid}/{sid}/annotated` | Yes | Manage annotated PDFs |
+| POST | `/pair/initiate` | No | Start browser pairing |
+| POST | `/pair/complete` | No | Complete pairing |
+
+## Development
+
+```bash
+git clone https://github.com/artkula/aems-agent.git
+cd aems-agent
+python -m pip install -e ".[dev]"
+python -m pytest -v
+```
+
+## Release Trust and Verification
+
+Release pipeline:
+- `.github/workflows/build.yml`
+- Windows tagged releases are Authenticode-signed.
+- macOS tagged releases are code-signed, notarized, and stapled.
+- `release-manifest.json` and `sha256sums.txt` are signed with cosign as supplemental integrity proof.
+
+Verification examples:
+
+Windows:
+```powershell
+Get-AuthenticodeSignature .\aems-agent-setup.exe | Format-List
+```
+
+macOS:
+```bash
+codesign --verify --deep --strict --verbose=2 "AEMS Agent.app"
+spctl --assess --type open --context context:primary-signature --verbose=4 "AEMS-Agent.dmg"
+```
+
+Cosign manifest verification:
+```bash
+cosign verify-blob \
+  --certificate release-manifest.pem \
+  --signature release-manifest.sig \
+  release-manifest.json
+```
+
+## License
+
+MIT