aevum-publish 0.4.0__tar.gz

aevum_publish-0.4.0/.gitignore

@@ -0,0 +1,49 @@
+# Python
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+.venv/
+*.egg-info/
+
+# Build
+dist/
+build/
+site/
+
+# Tools
+.mypy_cache/
+.ruff_cache/
+.pytest_cache/
+.hypothesis/
+.cache/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Verify scripts (run locally, never commit)
+verify_*.py
+scripts/verify_*.py
+
+# Aevum development — never commit (Phase 0+)
+aevum_principles.key
+signed_principles_draft.yaml
+tools/sign_principles.py
+
+# Private keys — never commit
+*.key
+*.pem
+
+# OpenSSF Scorecard output (Phase 0+)
+results.sarif
+verify_phase3.py
+verify_phase7.py
+verify_phase8.py
+verify_phase*.py

aevum_publish-0.4.0/PKG-INFO

@@ -0,0 +1,88 @@
+Metadata-Version: 2.4
+Name: aevum-publish
+Version: 0.4.0
+Summary: Aevum — Sigstore Rekor v2 transparency log complication.
+Project-URL: Homepage, https://aevum.build
+Project-URL: Repository, https://github.com/aevum-labs/aevum
+License: Apache-2.0
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Typing :: Typed
+Requires-Python: >=3.11
+Requires-Dist: aevum-core
+Provides-Extra: dev
+Requires-Dist: httpx>=0.27.0; extra == 'dev'
+Requires-Dist: mypy>=1.10; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: ruff>=0.9; extra == 'dev'
+Provides-Extra: rekor
+Requires-Dist: httpx>=0.27.0; extra == 'rekor'
+Description-Content-Type: text/markdown
+
+# aevum-publish
+
+Sigstore Rekor v2 transparency log complication for Aevum.
+
+Submits periodic chain checkpoints to an external transparency log,
+enabling adversarial-resistant verification: even if an operator is
+compromised, they cannot silently replace the chain without the external
+witness detecting the discrepancy.
+
+```bash
+pip install aevum-publish[rekor]
+```
+
+```python
+from aevum.core import Engine
+from aevum.publish import PublishComplication
+
+engine = Engine()
+comp = PublishComplication(
+    rekor_url="https://rekor.sigstore.dev",  # or private Rekor
+    every_n_events=100,                      # checkpoint every 100 events
+    every_seconds=300,                       # or every 5 minutes
+)
+engine.install_complication(comp)
+engine.approve_complication("aevum-publish")
+comp.on_approved(engine)  # must be called explicitly
+# Chain now contains signed transparency.checkpoint events with Rekor inclusion proofs
+```
+
+## Checkpoint format
+
+Each checkpoint is a SHA-256 digest of:
+```json
+{"prior_hash": "...", "sequence": 42, "signer_key_id": "...", "system_time": ...}
+```
+
+Submitted to Rekor as a `hashedrekord` entry. The Rekor log index and
+inclusion proof are stored in the local sigchain as a `transparency.checkpoint`
+AuditEvent, so the chain self-documents its verification history.
+
+## Private Rekor
+
+For confidential deployments where checkpoint hashes must not be public:
+
+```python
+comp = PublishComplication(rekor_url="https://your-private-rekor.example.com")
+```
+
+## Without Rekor
+
+If `httpx` is not installed or the Rekor endpoint is unreachable, the
+complication logs a warning and continues. The Engine write path is never
+blocked.
+
+## Environment variables
+
+| Variable | Default | Description |
+|---|---|---|
+| `AEVUM_PUBLISH_EVERY_N_EVENTS` | `100` | Submit checkpoint after N events |
+| `AEVUM_PUBLISH_EVERY_SECONDS` | `300` | Submit checkpoint after N seconds |
+
+## See also
+
+- [ADR-007: Transparency log](../../docs/adrs/adr-007-transparency-log.md)
+- [Sigstore Rekor v2](https://github.com/sigstore/rekor-tiles)

aevum_publish-0.4.0/README.md

@@ -0,0 +1,65 @@
+# aevum-publish
+
+Sigstore Rekor v2 transparency log complication for Aevum.
+
+Submits periodic chain checkpoints to an external transparency log,
+enabling adversarial-resistant verification: even if an operator is
+compromised, they cannot silently replace the chain without the external
+witness detecting the discrepancy.
+
+```bash
+pip install aevum-publish[rekor]
+```
+
+```python
+from aevum.core import Engine
+from aevum.publish import PublishComplication
+
+engine = Engine()
+comp = PublishComplication(
+    rekor_url="https://rekor.sigstore.dev",  # or private Rekor
+    every_n_events=100,                      # checkpoint every 100 events
+    every_seconds=300,                       # or every 5 minutes
+)
+engine.install_complication(comp)
+engine.approve_complication("aevum-publish")
+comp.on_approved(engine)  # must be called explicitly
+# Chain now contains signed transparency.checkpoint events with Rekor inclusion proofs
+```
+
+## Checkpoint format
+
+Each checkpoint is a SHA-256 digest of:
+```json
+{"prior_hash": "...", "sequence": 42, "signer_key_id": "...", "system_time": ...}
+```
+
+Submitted to Rekor as a `hashedrekord` entry. The Rekor log index and
+inclusion proof are stored in the local sigchain as a `transparency.checkpoint`
+AuditEvent, so the chain self-documents its verification history.
+
+## Private Rekor
+
+For confidential deployments where checkpoint hashes must not be public:
+
+```python
+comp = PublishComplication(rekor_url="https://your-private-rekor.example.com")
+```
+
+## Without Rekor
+
+If `httpx` is not installed or the Rekor endpoint is unreachable, the
+complication logs a warning and continues. The Engine write path is never
+blocked.
+
+## Environment variables
+
+| Variable | Default | Description |
+|---|---|---|
+| `AEVUM_PUBLISH_EVERY_N_EVENTS` | `100` | Submit checkpoint after N events |
+| `AEVUM_PUBLISH_EVERY_SECONDS` | `300` | Submit checkpoint after N seconds |
+
+## See also
+
+- [ADR-007: Transparency log](../../docs/adrs/adr-007-transparency-log.md)
+- [Sigstore Rekor v2](https://github.com/sigstore/rekor-tiles)

aevum_publish-0.4.0/pyproject.toml

@@ -0,0 +1,62 @@
+[project]
+name = "aevum-publish"
+version = "0.4.0"
+description = "Aevum — Sigstore Rekor v2 transparency log complication."
+readme = "README.md"
+requires-python = ">=3.11"
+license = { text = "Apache-2.0" }
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: Apache Software License",
+    "Programming Language :: Python :: 3.11",
+    "Typing :: Typed",
+]
+dependencies = [
+    "aevum-core",
+]
+
+[project.optional-dependencies]
+rekor = ["httpx>=0.27.0"]
+dev = [
+    "pytest>=8.0",
+    "mypy>=1.10",
+    "ruff>=0.9",
+    "httpx>=0.27.0",
+]
+
+[project.entry-points."aevum.complications"]
+publish = "aevum.publish.complication:PublishComplication"
+
+[project.urls]
+Homepage = "https://aevum.build"
+Repository = "https://github.com/aevum-labs/aevum"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/aevum"]
+
+[tool.uv.sources]
+aevum-core = { workspace = true }
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+addopts = "--tb=short"
+pythonpath = ["src", "../../packages/aevum-core/src"]
+
+[tool.mypy]
+strict = true
+python_version = "3.11"
+mypy_path = "src"
+explicit_package_bases = true
+ignore_missing_imports = true
+
+[tool.ruff]
+line-length = 100
+
+[tool.ruff.lint]
+select = ["E", "F", "UP", "B", "SIM", "I", "ANN"]
+ignore = ["ANN401"]

aevum_publish-0.4.0/src/aevum/publish/__init__.py

@@ -0,0 +1,28 @@
+"""
+aevum.publish — Sigstore Rekor v2 transparency log complication.
+
+Submits chain checkpoints to an external transparency log, enabling
+adversarial-resistant chain verification. Without external witnessing,
+a compromised operator could silently replace the entire chain.
+
+Requires: pip install aevum-publish[rekor]  (installs httpx)
+
+Without httpx installed: importing succeeds, but checkpoint submission
+warns and skips gracefully.
+
+Usage:
+    from aevum.publish import PublishComplication
+    comp = PublishComplication(
+        rekor_url="https://rekor.sigstore.dev",  # or private Rekor
+        every_n_events=100,
+        every_seconds=300,
+    )
+    engine.install_complication(comp)
+    engine.approve_complication("aevum-publish")
+    comp.on_approved(engine)  # must be called explicitly — Engine does not auto-call
+"""
+
+from aevum.publish.complication import PublishComplication
+
+__version__ = "0.4.0"
+__all__ = ["PublishComplication"]

aevum_publish-0.4.0/src/aevum/publish/complication.py

@@ -0,0 +1,271 @@
+"""
+PublishComplication — Rekor v2 transparency log integration.
+
+ADR-007 implementation. See docs/adrs/adr-007-transparency-log.md.
+
+Lifecycle note: the Engine has no automatic on_approved callback mechanism.
+Callers must invoke comp.on_approved(engine) explicitly after
+engine.approve_complication("aevum-publish") to trigger checkpoint submission.
+This matches the pattern established by aevum-spiffe.
+"""
+
+from __future__ import annotations
+
+import hashlib
+import json
+import logging
+import os
+import threading
+import time
+from typing import Any
+
+log = logging.getLogger(__name__)
+
+_DEFAULT_REKOR_URL = "https://rekor.sigstore.dev"
+_DEFAULT_EVERY_N = int(os.environ.get("AEVUM_PUBLISH_EVERY_N_EVENTS", "100"))
+_DEFAULT_EVERY_S = int(os.environ.get("AEVUM_PUBLISH_EVERY_SECONDS", "300"))
+
+
+def _compute_checkpoint_digest(
+    sequence: int,
+    prior_hash: str,
+    signer_key_id: str,
+    system_time: int,
+) -> bytes:
+    """
+    SHA-256 digest of the canonical checkpoint record.
+
+    Using SHA-256 (not SHA3-256) because Rekor's hashedrekord spec requires SHA-256.
+    The chain's internal integrity uses SHA3-256; the external witness uses SHA-256.
+    These are separate trust layers with different hash requirements.
+    """
+    record = json.dumps(
+        {
+            "sequence": sequence,
+            "prior_hash": prior_hash,
+            "signer_key_id": signer_key_id,
+            "system_time": system_time,
+        },
+        sort_keys=True,
+        separators=(",", ":"),
+    ).encode("utf-8")
+    return hashlib.sha256(record).digest()
+
+
+class PublishComplication:
+    """
+    Transparency log complication. Submits chain checkpoints to Rekor v2.
+
+    Threshold triggers (whichever comes first):
+    - every_n_events: submit after N events are written to the chain
+    - every_seconds: submit after M seconds since last submission
+
+    Failure modes:
+    - httpx not installed: warn, skip
+    - Rekor unreachable: warn, buffer for next threshold
+    - Submission rejected: warn, log details
+
+    NEVER blocks the Engine write path. NEVER raises in lifecycle hooks.
+
+    Engine integration (no automatic lifecycle hook):
+        engine.install_complication(comp)
+        engine.approve_complication("aevum-publish")
+        comp.on_approved(engine)  # caller must invoke this explicitly
+    """
+
+    name: str = "aevum-publish"
+    version: str = "0.4.0"
+
+    def __init__(
+        self,
+        rekor_url: str | None = None,
+        every_n_events: int | None = None,
+        every_seconds: int | None = None,
+    ) -> None:
+        self._rekor_url = (rekor_url or _DEFAULT_REKOR_URL).rstrip("/")
+        self._every_n = every_n_events or _DEFAULT_EVERY_N
+        self._every_s = every_seconds or _DEFAULT_EVERY_S
+        self._engine: Any = None
+        self._events_since_checkpoint: int = 0
+        self._last_checkpoint_time: float = time.monotonic()
+        self._lock = threading.Lock()
+        self._enabled: bool = False
+
+    def manifest(self) -> dict[str, Any]:
+        return {
+            "name": self.name,
+            "version": self.version,
+            "description": "Sigstore Rekor v2 transparency log checkpoints for chain verification",
+            "capabilities": ["transparency-log"],
+            "classification_max": 0,
+            "functions": ["commit"],
+            "auth": {"scopes_required": [], "public_key": None},
+            "schema_version": "1.0",
+        }
+
+    # ── Lifecycle hook ────────────────────────────────────────────────────────
+    # Mirrors aevum-spiffe pattern: Engine does not call this automatically.
+    # Callers must invoke comp.on_approved(engine) explicitly after
+    # engine.approve_complication("aevum-publish").
+
+    def on_approved(self, engine: Any) -> None:
+        """
+        Call after engine.approve_complication("aevum-publish") to trigger
+        initial checkpoint submission and enable event counting.
+
+        The Engine does not call this automatically; callers must invoke it.
+        """
+        self._engine = engine
+        self._enabled = True
+        self._try_submit_checkpoint(reason="complication.approved")
+
+    # ── Event counting hook ───────────────────────────────────────────────────
+
+    def on_event_written(self) -> None:
+        """
+        Call after each successful event write to the chain. Checks both
+        thresholds and submits a checkpoint if either is met.
+        """
+        if not self._enabled:
+            return
+
+        with self._lock:
+            self._events_since_checkpoint += 1
+            n_trigger = self._events_since_checkpoint >= self._every_n
+            t_trigger = (time.monotonic() - self._last_checkpoint_time) >= self._every_s
+
+        if n_trigger or t_trigger:
+            reason = "n_events" if n_trigger else "interval"
+            self._try_submit_checkpoint(reason=reason)
+
+    # ── Checkpoint submission ─────────────────────────────────────────────────
+
+    def _try_submit_checkpoint(self, reason: str = "threshold") -> None:
+        """
+        Attempt to submit a checkpoint to Rekor. Silently degrades on failure.
+        Resets event counter and timer on success.
+        """
+        if self._engine is None:
+            return
+
+        try:
+            entries = self._engine.get_ledger_entries()
+        except Exception as exc:
+            log.warning("aevum-publish: could not read ledger: %s", exc)
+            return
+
+        if not entries:
+            return
+
+        last = entries[-1]
+        sequence = last.get("sequence", 0)
+        prior_hash = last.get("prior_hash", "")
+        signer_key_id = last.get("signer_key_id", "")
+        system_time = last.get("system_time", 0)
+
+        digest = _compute_checkpoint_digest(
+            sequence, prior_hash, signer_key_id, system_time
+        )
+
+        try:
+            log_index, entry_hash = self._submit_to_rekor(digest)
+        except Exception as exc:
+            log.warning(
+                "aevum-publish: checkpoint submission failed (%s). "
+                "Will retry at next threshold.",
+                exc,
+            )
+            return
+
+        self._write_checkpoint_event(
+            log_index=log_index,
+            entry_hash=entry_hash,
+            chain_sequence=sequence,
+            chain_prior_hash=prior_hash,
+            reason=reason,
+        )
+
+        with self._lock:
+            self._events_since_checkpoint = 0
+            self._last_checkpoint_time = time.monotonic()
+
+        log.info(
+            "aevum-publish: checkpoint submitted — sequence=%d rekor_index=%d",
+            sequence,
+            log_index,
+        )
+
+    def _submit_to_rekor(self, digest: bytes) -> tuple[int, str]:
+        """
+        Submit a SHA-256 digest to Rekor v2 as a hashedrekord entry.
+        Returns (log_index, entry_hash).
+        Raises ImportError if httpx not installed.
+        Raises httpx.HTTPError on submission failure.
+
+        NOTE: The format below matches the Rekor v1 hashedrekord spec. Rekor v2
+        (rekor-tiles) uses a different tile-based API; verify against
+        https://github.com/sigstore/rekor-tiles/blob/main/CLIENTS.md before
+        production use.
+        """
+        try:
+            import httpx  # noqa: PLC0415
+        except ImportError as exc:
+            raise ImportError(
+                "aevum-publish requires httpx. "
+                "Install with: pip install aevum-publish[rekor]"
+            ) from exc
+
+        digest_hex = digest.hex()
+
+        body = {
+            "apiVersion": "0.0.1",
+            "kind": "hashedrekord",
+            "spec": {
+                "data": {
+                    "hash": {
+                        "algorithm": "sha256",
+                        "value": digest_hex,
+                    }
+                },
+            },
+        }
+
+        resp = httpx.post(
+            f"{self._rekor_url}/api/v1/log/entries",
+            json=body,
+            timeout=30.0,
+        )
+        resp.raise_for_status()
+
+        data = resp.json()
+        uuid_key = next(iter(data))
+        entry = data[uuid_key]
+        log_index = int(entry.get("logIndex", entry.get("log_index", -1)))
+        return log_index, uuid_key
+
+    def _write_checkpoint_event(
+        self,
+        log_index: int,
+        entry_hash: str,
+        chain_sequence: int,
+        chain_prior_hash: str,
+        reason: str,
+    ) -> None:
+        """Write transparency.checkpoint AuditEvent to the local sigchain."""
+        try:
+            self._engine._ledger.append(
+                event_type="transparency.checkpoint",
+                payload={
+                    "rekor_log_index": log_index,
+                    "rekor_entry_hash": entry_hash,
+                    "rekor_server": self._rekor_url,
+                    "chain_sequence": chain_sequence,
+                    "chain_prior_hash": chain_prior_hash,
+                    "checkpoint_reason": reason,
+                },
+                actor="aevum-publish",
+            )
+        except Exception as exc:
+            log.error(
+                "aevum-publish: failed to write transparency.checkpoint: %s", exc
+            )

aevum_publish-0.4.0/tests/test_publish_complication.py

@@ -0,0 +1,222 @@
+"""
+Tests for PublishComplication.
+Uses mocked httpx and Engine — no real Rekor instance required.
+"""
+from __future__ import annotations
+
+import hashlib
+import json
+import sys
+import time
+import unittest.mock
+
+
+def _make_mock_engine(entries: list[dict] | None = None) -> unittest.mock.MagicMock:
+    """Minimal engine mock with configurable ledger entries."""
+    engine = unittest.mock.MagicMock()
+    engine.get_ledger_entries.return_value = entries or [
+        {
+            "sequence": 3,
+            "prior_hash": "a" * 64,
+            "signer_key_id": "test-key-id",
+            "system_time": 1746000000000000000,
+            "event_type": "session.start",
+            "actor": "aevum-core",
+        }
+    ]
+    engine._ledger.append = unittest.mock.MagicMock(return_value=None)
+    return engine
+
+
+def _make_mock_rekor_response(
+    log_index: int = 42, uuid: str = "abc123def456"
+) -> unittest.mock.MagicMock:
+    """Mock a successful Rekor submission response."""
+    mock_resp = unittest.mock.MagicMock()
+    mock_resp.status_code = 201
+    mock_resp.raise_for_status = unittest.mock.MagicMock(return_value=None)
+    mock_resp.json.return_value = {uuid: {"logIndex": log_index, "body": "..."}}
+    return mock_resp
+
+
+class TestPublishComplicationCheckpoint:
+
+    def test_on_approved_submits_initial_checkpoint(self) -> None:
+        """Approval must trigger an immediate initial checkpoint."""
+        from aevum.publish import PublishComplication
+
+        mock_engine = _make_mock_engine()
+        comp = PublishComplication(rekor_url="https://mock.rekor.test")
+        mock_resp = _make_mock_rekor_response(log_index=1, uuid="uuid-0001")
+
+        with unittest.mock.patch("httpx.post", return_value=mock_resp) as mock_post:
+            comp.on_approved(mock_engine)
+
+        mock_post.assert_called_once()
+        mock_engine._ledger.append.assert_called_once()
+        call_kwargs = mock_engine._ledger.append.call_args.kwargs
+        assert call_kwargs["event_type"] == "transparency.checkpoint"
+        assert call_kwargs["actor"] == "aevum-publish"
+        payload = call_kwargs["payload"]
+        assert payload["rekor_log_index"] == 1
+        assert payload["rekor_entry_hash"] == "uuid-0001"
+        assert payload["rekor_server"] == "https://mock.rekor.test"
+
+    def test_n_events_threshold_triggers_checkpoint(self) -> None:
+        """After N events, on_event_written must submit a checkpoint."""
+        from aevum.publish import PublishComplication
+
+        mock_engine = _make_mock_engine()
+        comp = PublishComplication(
+            rekor_url="https://mock.rekor.test",
+            every_n_events=3,
+            every_seconds=9999,
+        )
+        mock_resp = _make_mock_rekor_response()
+
+        with unittest.mock.patch("httpx.post", return_value=mock_resp) as mock_post:
+            comp.on_approved(mock_engine)     # initial checkpoint (call 1)
+            mock_post.reset_mock()
+            mock_engine._ledger.append.reset_mock()
+
+            comp.on_event_written()           # 1 of 3
+            comp.on_event_written()           # 2 of 3
+            assert not mock_post.called       # not yet
+
+            comp.on_event_written()           # 3 of 3 — threshold reached
+
+        mock_post.assert_called_once()
+        mock_engine._ledger.append.assert_called_once()
+        payload = mock_engine._ledger.append.call_args.kwargs["payload"]
+        assert payload["checkpoint_reason"] == "n_events"
+
+    def test_time_threshold_triggers_checkpoint(self) -> None:
+        """After every_seconds, on_event_written must submit a checkpoint."""
+        from aevum.publish import PublishComplication
+
+        mock_engine = _make_mock_engine()
+        comp = PublishComplication(
+            rekor_url="https://mock.rekor.test",
+            every_n_events=9999,
+            every_seconds=1,
+        )
+        mock_resp = _make_mock_rekor_response()
+
+        with unittest.mock.patch("httpx.post", return_value=mock_resp) as mock_post:
+            comp.on_approved(mock_engine)
+            mock_post.reset_mock()
+            mock_engine._ledger.append.reset_mock()
+
+            comp._last_checkpoint_time = time.monotonic() - 2.0
+            comp.on_event_written()
+
+        mock_post.assert_called_once()
+        payload = mock_engine._ledger.append.call_args.kwargs["payload"]
+        assert payload["checkpoint_reason"] == "interval"
+
+    def test_rekor_failure_does_not_raise(self) -> None:
+        """Rekor submission failure must warn and not raise."""
+        from aevum.publish import PublishComplication
+
+        mock_engine = _make_mock_engine()
+        comp = PublishComplication(
+            rekor_url="https://mock.rekor.test",
+            every_n_events=1,
+            every_seconds=9999,
+        )
+
+        import httpx
+
+        with unittest.mock.patch(
+            "httpx.post", side_effect=httpx.ConnectError("Connection refused")
+        ):
+            comp.on_approved(mock_engine)
+            comp.on_event_written()
+
+        assert mock_engine._ledger.append.call_count == 0
+
+    def test_httpx_missing_degrades_gracefully(self) -> None:
+        """Missing httpx must warn and not raise."""
+        from aevum.publish import PublishComplication
+
+        mock_engine = _make_mock_engine()
+        comp = PublishComplication()
+
+        with unittest.mock.patch.dict(sys.modules, {"httpx": None}):
+            comp.on_approved(mock_engine)
+
+        mock_engine._ledger.append.assert_not_called()
+
+    def test_checkpoint_digest_is_deterministic(self) -> None:
+        """Same inputs must always produce same digest."""
+        from aevum.publish.complication import _compute_checkpoint_digest
+
+        d1 = _compute_checkpoint_digest(42, "a" * 64, "key-id", 1746000000)
+        d2 = _compute_checkpoint_digest(42, "a" * 64, "key-id", 1746000000)
+        assert d1 == d2
+        assert len(d1) == 32  # SHA-256 = 32 bytes
+
+    def test_checkpoint_digest_uses_sha256_not_sha3(self) -> None:
+        """Rekor expects SHA-256; chain internal integrity uses SHA3-256."""
+        from aevum.publish.complication import _compute_checkpoint_digest
+
+        digest = _compute_checkpoint_digest(1, "0" * 64, "k", 0)
+        record = json.dumps(
+            {
+                "sequence": 1,
+                "prior_hash": "0" * 64,
+                "signer_key_id": "k",
+                "system_time": 0,
+            },
+            sort_keys=True,
+            separators=(",", ":"),
+        ).encode()
+        expected = hashlib.sha256(record).digest()
+        assert digest == expected
+
+    def test_rekor_url_trailing_slash_stripped(self) -> None:
+        """Trailing slash in rekor_url must not double-slash the endpoint."""
+        from aevum.publish import PublishComplication
+
+        comp = PublishComplication(rekor_url="https://rekor.example.com/")
+        assert not comp._rekor_url.endswith("/")
+
+
+class TestPublishComplicationIntegration:
+
+    def test_transparency_checkpoint_in_sigchain(self) -> None:
+        """transparency.checkpoint must be a verifiable, signed chain entry."""
+        # Phase 0 finding: Engine does not call on_approved automatically.
+        # Callers must invoke comp.on_approved(engine) explicitly after
+        # engine.approve_complication("aevum-publish"). Same pattern as aevum-spiffe.
+        sys.path.insert(0, "packages/aevum-core/src")
+        from aevum.core import Engine  # noqa: I001
+        from aevum.publish import PublishComplication
+
+        mock_resp = _make_mock_rekor_response(log_index=99, uuid="test-uuid-publish")
+
+        comp = PublishComplication(
+            rekor_url="https://mock.rekor.test",
+            every_n_events=9999,
+            every_seconds=9999,
+        )
+
+        engine = Engine()
+
+        with unittest.mock.patch("httpx.post", return_value=mock_resp):
+            engine.install_complication(comp)
+            engine.approve_complication("aevum-publish")
+            comp.on_approved(engine)  # must be called explicitly per aevum-spiffe pattern
+
+        entries = engine.get_ledger_entries()
+        event_types = [e["event_type"] for e in entries]
+
+        assert "transparency.checkpoint" in event_types, (
+            f"transparency.checkpoint not in chain. Events: {event_types}"
+        )
+        assert engine.verify_sigchain() is True
+
+        cp = next(e for e in entries if e["event_type"] == "transparency.checkpoint")
+        assert cp["payload"]["rekor_log_index"] == 99
+        assert cp["payload"]["rekor_server"] == "https://mock.rekor.test"
+        assert cp["actor"] == "aevum-publish"