auxly-cli 1.0.21__tar.gz

auxly_cli-1.0.21/PKG-INFO

@@ -0,0 +1,42 @@
+Metadata-Version: 2.4
+Name: auxly-cli
+Version: 1.0.21
+Summary: Local-first unified memory system for AI agents — downloads the signature-verified auxly binary.
+Author-email: "Tzamun Arabia IT Co." <hi@auxly.io>
+License: MIT
+Project-URL: Homepage, https://auxly.io
+Project-URL: Repository, https://github.com/Tzamun-Arabia-IT-Co/auxly-memory-cli
+Project-URL: Issues, https://github.com/Tzamun-Arabia-IT-Co/auxly-memory-cli/issues
+Keywords: auxly,ai,memory,mcp,cli,agents
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+Requires-Dist: cryptography>=3.4
+
+# auxly-cli
+
+Local-first unified memory system for AI agents. This package installs a thin
+launcher that downloads the prebuilt [`auxly`](https://auxly.io) binary for your
+platform on first run and verifies it against the project's **minisign-signed**
+checksum manifest.
+
+```bash
+pip install auxly-cli
+auxly --help
+```
+
+## How it works
+
+- `pip install auxly-cli` installs a small pure-Python package (one wheel, all
+  platforms).
+- The first time you run `auxly`, it downloads `auxly-<os>-<arch>` from the GitHub
+  release matching this package's version, fetches the signed
+  `auxly-<version>-checksums.txt` + `.minisig`, verifies the **minisign signature**
+  against the pinned public key, checks the binary's **SHA-256** against the signed
+  manifest, then caches and execs it. Later runs use the cache.
+
+Set `AUXLY_REQUIRE_SIGNATURE=1` to hard-fail if a signed manifest is unavailable.
+The cache lives under `$XDG_CACHE_HOME/auxly` (or `~/.cache/auxly`).
+
+Supported: macOS / Linux / Windows on x64 / arm64. Python ≥ 3.8.
+
+License: MIT · <https://github.com/Tzamun-Arabia-IT-Co/auxly-memory-cli>

auxly_cli-1.0.21/README.md

@@ -0,0 +1,28 @@
+# auxly-cli
+
+Local-first unified memory system for AI agents. This package installs a thin
+launcher that downloads the prebuilt [`auxly`](https://auxly.io) binary for your
+platform on first run and verifies it against the project's **minisign-signed**
+checksum manifest.
+
+```bash
+pip install auxly-cli
+auxly --help
+```
+
+## How it works
+
+- `pip install auxly-cli` installs a small pure-Python package (one wheel, all
+  platforms).
+- The first time you run `auxly`, it downloads `auxly-<os>-<arch>` from the GitHub
+  release matching this package's version, fetches the signed
+  `auxly-<version>-checksums.txt` + `.minisig`, verifies the **minisign signature**
+  against the pinned public key, checks the binary's **SHA-256** against the signed
+  manifest, then caches and execs it. Later runs use the cache.
+
+Set `AUXLY_REQUIRE_SIGNATURE=1` to hard-fail if a signed manifest is unavailable.
+The cache lives under `$XDG_CACHE_HOME/auxly` (or `~/.cache/auxly`).
+
+Supported: macOS / Linux / Windows on x64 / arm64. Python ≥ 3.8.
+
+License: MIT · <https://github.com/Tzamun-Arabia-IT-Co/auxly-memory-cli>

auxly_cli-1.0.21/auxly_cli/__init__.py

@@ -0,0 +1,5 @@
+"""auxly-cli — local-first unified memory for AI agents (binary wrapper)."""
+
+from ._runner import __version__, main
+
+__all__ = ["main", "__version__"]

auxly_cli-1.0.21/auxly_cli/_runner.py

@@ -0,0 +1,118 @@
+"""auxly console-script entry point.
+
+The wheel ships only this thin Python package; the actual auxly binary is
+downloaded + verified on FIRST RUN into a per-user cache, then exec'd. Subsequent
+runs use the cache. This keeps the wheel pure-Python (one wheel, all platforms)
+while still verifying the minisign signature like the native installers do.
+"""
+
+from __future__ import annotations
+
+import os
+import platform
+import stat
+import sys
+import urllib.request
+from pathlib import Path
+
+from ._verify import manifest_has_hash, sha256_hex, verify_minisign
+
+REPO = "Tzamun-Arabia-IT-Co/auxly-memory-cli"
+__version__ = "1.0.21"
+
+
+def _target() -> tuple[str, str]:
+    sys_map = {"darwin": "darwin", "linux": "linux", "windows": "windows"}
+    machine = platform.machine().lower()
+    arch_map = {"x86_64": "amd64", "amd64": "amd64", "arm64": "arm64", "aarch64": "arm64"}
+    osname = sys_map.get(platform.system().lower())
+    arch = arch_map.get(machine)
+    if not osname or not arch:
+        raise SystemExit(f"auxly: unsupported platform {platform.system()}/{machine}")
+    ext = ".exe" if osname == "windows" else ""
+    return f"auxly-{osname}-{arch}{ext}", ext
+
+
+def _cache_dir() -> Path:
+    base = os.environ.get("XDG_CACHE_HOME") or os.path.join(Path.home(), ".cache")
+    root = Path(base) / "auxly"
+    d = root / __version__
+    d.mkdir(parents=True, exist_ok=True)
+    # Restrict to the owner so another local user can't pre-place / swap the cached
+    # binary that we exec (the cached copy is run without re-fetching the manifest).
+    for p in (root, d):
+        try:
+            os.chmod(p, 0o700)
+        except OSError:
+            pass
+    return d
+
+
+def _fetch(url: str) -> bytes:
+    req = urllib.request.Request(url, headers={"User-Agent": "auxly-pip-installer"})
+    with urllib.request.urlopen(req) as resp:  # nosec - https only, verified below
+        return resp.read()
+
+
+def _download_and_verify(dest: Path, bin_name: str) -> None:
+    base = f"https://github.com/{REPO}/releases/download/v{__version__}"
+    manifest_name = f"auxly-{__version__}-checksums.txt"
+    sys.stderr.write(f"auxly: downloading {bin_name} (v{__version__})…\n")
+    binary = _fetch(f"{base}/{bin_name}")
+
+    # Every release this wrapper targets (it is version-locked to a release tag)
+    # ships a signed manifest, so verification is REQUIRED by default — a missing or
+    # junk manifest aborts rather than running an unverified binary.
+    # AUXLY_ALLOW_UNSIGNED=1 relaxes this for emergencies.
+    allow_unsigned = os.environ.get("AUXLY_ALLOW_UNSIGNED") == "1"
+    try:
+        manifest = _fetch(f"{base}/{manifest_name}").decode("utf-8")
+        sig = _fetch(f"{base}/{manifest_name}.minisig").decode("utf-8")
+    except Exception as e:  # noqa: BLE001
+        if not allow_unsigned:
+            raise SystemExit(
+                f"auxly: signed manifest unavailable ({e}) and verification is required "
+                "— set AUXLY_ALLOW_UNSIGNED=1 only if you accept an unverified install"
+            )
+        sys.stderr.write(f"auxly: AUXLY_ALLOW_UNSIGNED=1 — installing unverified ({e})\n")
+        manifest = sig = None
+
+    if manifest and sig:
+        import re
+
+        if not re.search(r"^[0-9a-f]{64}\s+\S", manifest, re.MULTILINE):
+            if not allow_unsigned:
+                raise SystemExit("auxly: fetched manifest is not a checksums file — refusing")
+            sys.stderr.write("auxly: AUXLY_ALLOW_UNSIGNED=1 — manifest not a checksums file; unverified\n")
+        else:
+            verify_minisign(manifest.encode("utf-8"), sig)  # raises on failure
+            if not manifest_has_hash(manifest, sha256_hex(binary)):
+                raise SystemExit("auxly: binary SHA-256 not in signed manifest — refusing")
+            sys.stderr.write("auxly: signature + checksum verified ✔\n")
+
+    tmp = dest.with_suffix(dest.suffix + ".tmp")
+    tmp.write_bytes(binary)
+    tmp.chmod(tmp.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
+    os.replace(tmp, dest)
+
+
+def _binary_path() -> Path:
+    bin_name, ext = _target()
+    dest = _cache_dir() / f"auxly{ext}"
+    if not dest.exists() or dest.stat().st_size == 0:
+        _download_and_verify(dest, bin_name)
+    return dest
+
+
+def main() -> None:
+    binary = _binary_path()
+    args = [str(binary), *sys.argv[1:]]
+    if os.name == "nt":
+        import subprocess
+
+        sys.exit(subprocess.run(args).returncode)
+    os.execv(str(binary), args)  # replace this process on POSIX
+
+
+if __name__ == "__main__":
+    main()

auxly_cli-1.0.21/auxly_cli/_verify.py

@@ -0,0 +1,93 @@
+"""Minisign + SHA-256 verification for the auxly pip wrapper.
+
+Mirrors npm/lib/verify.js and internal/update/verify.go: the release CI signs the
+checksum manifest with minisign (prehashed "ED" mode = ed25519 over BLAKE2b-512).
+We verify that signature against the PINNED public key, plus the SHA-256 integrity
+of the downloaded binary against the signed manifest.
+"""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
+
+# Pinned minisign public key (base64). MUST match internal/update/verify.go.
+PUBKEY_B64 = "RWQfIGHWpXR4MtPvcbWwN1J7mx9FGsCaHMmdIpGMZAKDvmILC2Of5Q/K"
+
+
+def sha256_hex(data: bytes) -> str:
+    return hashlib.sha256(data).hexdigest()
+
+
+def manifest_has_hash(manifest_text: str, hash_hex: str) -> bool:
+    """True if hash_hex is the first whitespace-delimited field of any line
+    (full field match, never a substring)."""
+    want = hash_hex.lower()
+    for line in manifest_text.splitlines():
+        parts = line.strip().split()
+        if parts and parts[0].lower() == want:
+            return True
+    return False
+
+
+def _ed25519_ok(pub_raw: bytes, message: bytes, sig: bytes) -> bool:
+    try:
+        Ed25519PublicKey.from_public_bytes(pub_raw).verify(sig, message)
+        return True
+    except InvalidSignature:
+        return False
+
+
+def verify_minisign(file_bytes: bytes, minisig_text: str) -> str:
+    """Verify a minisign signature over file_bytes using the pinned key.
+
+    Verifies BOTH the file signature and the global (trusted-comment) signature,
+    exactly as the minisign CLI does. Raises ValueError on any failure; returns
+    the trusted comment on success.
+    """
+    pub = base64.b64decode(PUBKEY_B64)
+    if len(pub) != 42:
+        raise ValueError("pinned public key malformed")
+    pub_keyid = pub[2:10]
+    pub_raw = pub[10:42]
+
+    lines = minisig_text.split("\n")
+    if len(lines) < 4:
+        raise ValueError("minisig truncated")
+
+    sig_blob = base64.b64decode(lines[1].strip())
+    if len(sig_blob) != 74:
+        raise ValueError("minisig signature block malformed")
+    algo = sig_blob[0:2]
+    sig_keyid = sig_blob[2:10]
+    sig = sig_blob[10:74]
+    if sig_keyid != pub_keyid:
+        raise ValueError("minisign key id mismatch")
+
+    if algo == b"ED":
+        message = hashlib.blake2b(file_bytes, digest_size=64).digest()  # prehashed
+    elif algo == b"Ed":
+        message = file_bytes  # legacy
+    else:
+        raise ValueError(f"unsupported minisign algorithm {algo!r}")
+
+    if not _ed25519_ok(pub_raw, message, sig):
+        raise ValueError("minisign file signature is INVALID")
+
+    # Global signature binds the trusted comment to the signature.
+    trusted_line = lines[2]
+    global_sig = base64.b64decode(lines[3].strip())
+    if len(global_sig) != 64:
+        raise ValueError("minisig global signature malformed")
+    prefix = "trusted comment:"
+    idx = trusted_line.find(prefix)
+    trusted_comment = trusted_line[idx + len(prefix):] if idx >= 0 else ""
+    if trusted_comment[:1].isspace():  # strip the single separator space
+        trusted_comment = trusted_comment[1:]
+    global_msg = sig + trusted_comment.encode("utf-8")
+    if not _ed25519_ok(pub_raw, global_msg, global_sig):
+        raise ValueError("minisign trusted-comment signature is INVALID")
+    return trusted_comment

auxly_cli-1.0.21/auxly_cli.egg-info/PKG-INFO

@@ -0,0 +1,42 @@
+Metadata-Version: 2.4
+Name: auxly-cli
+Version: 1.0.21
+Summary: Local-first unified memory system for AI agents — downloads the signature-verified auxly binary.
+Author-email: "Tzamun Arabia IT Co." <hi@auxly.io>
+License: MIT
+Project-URL: Homepage, https://auxly.io
+Project-URL: Repository, https://github.com/Tzamun-Arabia-IT-Co/auxly-memory-cli
+Project-URL: Issues, https://github.com/Tzamun-Arabia-IT-Co/auxly-memory-cli/issues
+Keywords: auxly,ai,memory,mcp,cli,agents
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+Requires-Dist: cryptography>=3.4
+
+# auxly-cli
+
+Local-first unified memory system for AI agents. This package installs a thin
+launcher that downloads the prebuilt [`auxly`](https://auxly.io) binary for your
+platform on first run and verifies it against the project's **minisign-signed**
+checksum manifest.
+
+```bash
+pip install auxly-cli
+auxly --help
+```
+
+## How it works
+
+- `pip install auxly-cli` installs a small pure-Python package (one wheel, all
+  platforms).
+- The first time you run `auxly`, it downloads `auxly-<os>-<arch>` from the GitHub
+  release matching this package's version, fetches the signed
+  `auxly-<version>-checksums.txt` + `.minisig`, verifies the **minisign signature**
+  against the pinned public key, checks the binary's **SHA-256** against the signed
+  manifest, then caches and execs it. Later runs use the cache.
+
+Set `AUXLY_REQUIRE_SIGNATURE=1` to hard-fail if a signed manifest is unavailable.
+The cache lives under `$XDG_CACHE_HOME/auxly` (or `~/.cache/auxly`).
+
+Supported: macOS / Linux / Windows on x64 / arm64. Python ≥ 3.8.
+
+License: MIT · <https://github.com/Tzamun-Arabia-IT-Co/auxly-memory-cli>

auxly_cli-1.0.21/auxly_cli.egg-info/SOURCES.txt

@@ -0,0 +1,11 @@
+README.md
+pyproject.toml
+auxly_cli/__init__.py
+auxly_cli/_runner.py
+auxly_cli/_verify.py
+auxly_cli.egg-info/PKG-INFO
+auxly_cli.egg-info/SOURCES.txt
+auxly_cli.egg-info/dependency_links.txt
+auxly_cli.egg-info/entry_points.txt
+auxly_cli.egg-info/requires.txt
+auxly_cli.egg-info/top_level.txt

auxly_cli-1.0.21/auxly_cli.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

auxly_cli-1.0.21/auxly_cli.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+auxly = auxly_cli._runner:main

auxly_cli-1.0.21/auxly_cli.egg-info/requires.txt

@@ -0,0 +1 @@
+cryptography>=3.4

auxly_cli-1.0.21/auxly_cli.egg-info/top_level.txt

@@ -0,0 +1 @@
+auxly_cli

auxly_cli-1.0.21/pyproject.toml

@@ -0,0 +1,25 @@
+[build-system]
+requires = ["setuptools>=61"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "auxly-cli"
+version = "1.0.21"
+description = "Local-first unified memory system for AI agents — downloads the signature-verified auxly binary."
+readme = "README.md"
+requires-python = ">=3.8"
+license = { text = "MIT" }
+authors = [{ name = "Tzamun Arabia IT Co.", email = "hi@auxly.io" }]
+keywords = ["auxly", "ai", "memory", "mcp", "cli", "agents"]
+dependencies = ["cryptography>=3.4"]
+
+[project.urls]
+Homepage = "https://auxly.io"
+Repository = "https://github.com/Tzamun-Arabia-IT-Co/auxly-memory-cli"
+Issues = "https://github.com/Tzamun-Arabia-IT-Co/auxly-memory-cli/issues"
+
+[project.scripts]
+auxly = "auxly_cli._runner:main"
+
+[tool.setuptools]
+packages = ["auxly_cli"]

auxly_cli-1.0.21/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+