coreason-manifest 0.1.0__tar.gz

coreason_manifest-0.1.0/LICENSE

@@ -0,0 +1,57 @@
+# The Prosperity Public License 3.0.0
+
+Contributor: CoReason, Inc.
+
+Source Code: https://github.com/CoReason-AI/coreason_manifest
+
+## Purpose
+
+This license allows you to use and share this software for noncommercial purposes for free and to try this software for commercial purposes for thirty days.
+
+## Agreement
+
+In order to receive this license, you have to agree to its rules.  Those rules are both obligations under that agreement and conditions to your license.  Don't do anything with this software that triggers a rule you can't or won't follow.
+
+## Notices
+
+Make sure everyone who gets a copy of any part of this software from you, with or without changes, also gets the text of this license and the contributor and source code lines above.
+
+## Commercial Trial
+
+Limit your use of this software for commercial purposes to a thirty-day trial period.  If you use this software for work, your company gets one trial period for all personnel, not one trial per person.
+
+## Contributions Back
+
+Developing feedback, changes, or additions that you contribute back to the contributor on the terms of a standardized public software license such as [the Blue Oak Model License 1.0.0](https://blueoakcouncil.org/license/1.0.0), [the Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0.html), [the MIT license](https://spdx.org/licenses/MIT.html), or [the two-clause BSD license](https://spdx.org/licenses/BSD-2-Clause.html) doesn't count as use for a commercial purpose.
+
+## Personal Uses
+
+Personal use for research, experiment, and testing for the benefit of public knowledge, personal study, private entertainment, hobby projects, amateur pursuits, or religious observance, without any anticipated commercial application, doesn't count as use for a commercial purpose.
+
+## Noncommercial Organizations
+
+Use by any charitable organization, educational institution, public research organization, public safety or health organization, environmental protection organization, or government institution doesn't count as use for a commercial purpose regardless of the source of funding or obligations resulting from the funding.
+
+## Defense
+
+Don't make any legal claim against anyone accusing this software, with or without changes, alone or with other technology, of infringing any patent.
+
+## Copyright
+
+The contributor licenses you to do everything with this software that would otherwise infringe their copyright in it.
+
+## Patent
+
+The contributor licenses you to do everything with this software that would otherwise infringe any patents they can license or become able to license.
+
+## Reliability
+
+The contributor can't revoke this license.
+
+## Excuse
+
+You're excused for unknowingly breaking [Notices](#notices) if you take all practical steps to comply within thirty days of learning you broke the rule.
+
+## No Liability
+
+***As far as the law allows, this software comes as is, without any warranty or condition, and the contributor won't be liable to anyone for any damages related to this software or this license, under any kind of legal claim.***

coreason_manifest-0.1.0/NOTICE

@@ -0,0 +1,8 @@
+Copyright (c) 2025 CoReason, Inc.. All Rights Reserved
+
+This software is licensed under the Prosperity Public License 3.0.0.
+The issuer of the Prosperity Public License for this software is CoReason, Inc..
+
+For a commercial version of this software, please contact us at gowtham.rao@coreason.ai.
+
+GENESIS COMMIT: Initializing repository coreason_manifest per CoReason Clean Room Protocol PIP-001. This repository is established as an independently created De Novo development environment, commencing on 2026-01-01. I, Gowtham A Rao certify that this date is subsequent to my individual Temporal Firewall Date.

coreason_manifest-0.1.0/PKG-INFO

@@ -0,0 +1,114 @@
+Metadata-Version: 2.4
+Name: coreason_manifest
+Version: 0.1.0
+Summary: This package is the definitive source of truth. If it isn't in the manifest, it doesn't exist. If it violates the manifest, it doesn't run.
+License: # The Prosperity Public License 3.0.0
+         
+         Contributor: CoReason, Inc.
+         
+         Source Code: https://github.com/CoReason-AI/coreason_manifest
+         
+         ## Purpose
+         
+         This license allows you to use and share this software for noncommercial purposes for free and to try this software for commercial purposes for thirty days.
+         
+         ## Agreement
+         
+         In order to receive this license, you have to agree to its rules.  Those rules are both obligations under that agreement and conditions to your license.  Don't do anything with this software that triggers a rule you can't or won't follow.
+         
+         ## Notices
+         
+         Make sure everyone who gets a copy of any part of this software from you, with or without changes, also gets the text of this license and the contributor and source code lines above.
+         
+         ## Commercial Trial
+         
+         Limit your use of this software for commercial purposes to a thirty-day trial period.  If you use this software for work, your company gets one trial period for all personnel, not one trial per person.
+         
+         ## Contributions Back
+         
+         Developing feedback, changes, or additions that you contribute back to the contributor on the terms of a standardized public software license such as [the Blue Oak Model License 1.0.0](https://blueoakcouncil.org/license/1.0.0), [the Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0.html), [the MIT license](https://spdx.org/licenses/MIT.html), or [the two-clause BSD license](https://spdx.org/licenses/BSD-2-Clause.html) doesn't count as use for a commercial purpose.
+         
+         ## Personal Uses
+         
+         Personal use for research, experiment, and testing for the benefit of public knowledge, personal study, private entertainment, hobby projects, amateur pursuits, or religious observance, without any anticipated commercial application, doesn't count as use for a commercial purpose.
+         
+         ## Noncommercial Organizations
+         
+         Use by any charitable organization, educational institution, public research organization, public safety or health organization, environmental protection organization, or government institution doesn't count as use for a commercial purpose regardless of the source of funding or obligations resulting from the funding.
+         
+         ## Defense
+         
+         Don't make any legal claim against anyone accusing this software, with or without changes, alone or with other technology, of infringing any patent.
+         
+         ## Copyright
+         
+         The contributor licenses you to do everything with this software that would otherwise infringe their copyright in it.
+         
+         ## Patent
+         
+         The contributor licenses you to do everything with this software that would otherwise infringe any patents they can license or become able to license.
+         
+         ## Reliability
+         
+         The contributor can't revoke this license.
+         
+         ## Excuse
+         
+         You're excused for unknowingly breaking [Notices](#notices) if you take all practical steps to comply within thirty days of learning you broke the rule.
+         
+         ## No Liability
+         
+         ***As far as the law allows, this software comes as is, without any warranty or condition, and the contributor won't be liable to anyone for any damages related to this software or this license, under any kind of legal claim.***
+License-File: LICENSE
+License-File: NOTICE
+Author: Gowtham A Rao
+Author-email: gowtham.rao@coreason.ai
+Requires-Python: >=3.11
+Classifier: License :: Other/Proprietary License
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Operating System :: OS Independent
+Requires-Dist: jsonschema (>=4.25.1,<5.0.0)
+Requires-Dist: loguru (>=0.7.2,<0.8.0)
+Requires-Dist: pydantic (>=2.12.5,<3.0.0)
+Requires-Dist: pyyaml (>=6.0.3,<7.0.0)
+Project-URL: Documentation, https://github.com/CoReason-AI/coreason_manifest
+Project-URL: Homepage, https://github.com/CoReason-AI/coreason_manifest
+Project-URL: Repository, https://github.com/CoReason-AI/coreason_manifest
+Description-Content-Type: text/markdown
+
+# coreason-manifest
+
+This package is the definitive source of truth. If it isn't in the manifest, it doesn't exist. If it violates the manifest, it doesn't run.
+
+[![CI](https://github.com/CoReason-AI/coreason_manifest/actions/workflows/ci.yml/badge.svg)](https://github.com/CoReason-AI/coreason_manifest/actions/workflows/ci.yml)
+
+## Getting Started
+
+### Prerequisites
+
+- Python 3.12+
+- Poetry
+
+### Installation
+
+1.  Clone the repository:
+    ```sh
+    git clone https://github.com/example/example.git
+    cd my_python_project
+    ```
+2.  Install dependencies:
+    ```sh
+    poetry install
+    ```
+
+### Usage
+
+-   Run the linter:
+    ```sh
+    poetry run pre-commit run --all-files
+    ```
+-   Run the tests:
+    ```sh
+    poetry run pytest
+    ```
+

coreason_manifest-0.1.0/README.md

@@ -0,0 +1,35 @@
+# coreason-manifest
+
+This package is the definitive source of truth. If it isn't in the manifest, it doesn't exist. If it violates the manifest, it doesn't run.
+
+[![CI](https://github.com/CoReason-AI/coreason_manifest/actions/workflows/ci.yml/badge.svg)](https://github.com/CoReason-AI/coreason_manifest/actions/workflows/ci.yml)
+
+## Getting Started
+
+### Prerequisites
+
+- Python 3.12+
+- Poetry
+
+### Installation
+
+1.  Clone the repository:
+    ```sh
+    git clone https://github.com/example/example.git
+    cd my_python_project
+    ```
+2.  Install dependencies:
+    ```sh
+    poetry install
+    ```
+
+### Usage
+
+-   Run the linter:
+    ```sh
+    poetry run pre-commit run --all-files
+    ```
+-   Run the tests:
+    ```sh
+    poetry run pytest
+    ```

coreason_manifest-0.1.0/pyproject.toml

@@ -0,0 +1,71 @@
+[tool.poetry]
+name = "coreason_manifest"
+version = "0.1.0"
+description = "This package is the definitive source of truth. If it isn't in the manifest, it doesn't exist. If it violates the manifest, it doesn't run."
+authors = ["Gowtham A Rao <gowtham.rao@coreason.ai>"]
+license = "Prosperity-3.0"
+readme = "README.md"
+packages = [{include = "coreason_manifest", from = "src"}]
+
+[tool.poetry.dependencies]
+python = ">=3.12, <3.15"
+loguru = "^0.7.2"
+pydantic = "^2.12.5"
+jsonschema = "^4.25.1"
+pyyaml = "^6.0.3"
+
+[tool.poetry.group.dev.dependencies]
+pytest = "^8.2.2"
+ruff = "^0.4.8"
+pre-commit = "^3.7.1"
+pytest-cov = "^5.0.0"
+mkdocs = "^1.6.0"
+mkdocs-material = "^9.5.26"
+pydantic = "^2.12.5"
+mypy = "^1.19.1"
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"
+
+[project]
+name = "coreason_manifest"
+version = "0.1.0"
+description = "This package is the definitive source of truth. If it isn't in the manifest, it doesn't exist. If it violates the manifest, it doesn't run."
+readme = "README.md"
+requires-python = ">=3.11"
+authors = [
+    { name = "Gowtham A Rao", email = "gowtham.rao@coreason.ai" },
+]
+license = { file = "LICENSE" }
+classifiers = [
+    "License :: Other/Proprietary License",
+    "Programming Language :: Python :: 3.12",
+    "Operating System :: OS Independent",
+]
+
+[project.urls]
+Homepage = "https://github.com/CoReason-AI/coreason_manifest"
+Repository = "https://github.com/CoReason-AI/coreason_manifest"
+Documentation = "https://github.com/CoReason-AI/coreason_manifest"
+
+[tool.ruff]
+line-length = 120
+target-version = "py312"
+
+[tool.ruff.lint]
+select = ["E", "F", "B", "I"]
+ignore = []
+
+[tool.mypy]
+python_version = "3.12"
+strict = true
+ignore_missing_imports = true
+plugins = ["pydantic.mypy"]
+
+[tool.pytest.ini_options]
+addopts = "--cov=src --cov-report=term-missing --cov-fail-under=100"
+testpaths = ["tests"]
+
+[tool.coverage.run]
+omit = ["tests/*", "/tmp/*"]

coreason_manifest-0.1.0/src/coreason_manifest/__init__.py

@@ -0,0 +1,41 @@
+# Prosperity-3.0
+from .engine import ManifestConfig, ManifestEngine
+from .errors import (
+    IntegrityCompromisedError,
+    ManifestError,
+    ManifestSyntaxError,
+    PolicyViolationError,
+)
+from .integrity import IntegrityChecker
+from .loader import ManifestLoader
+from .models import (
+    AgentDefinition,
+    AgentDependencies,
+    AgentInterface,
+    AgentMetadata,
+    AgentTopology,
+    ModelConfig,
+    Step,
+)
+from .policy import PolicyEnforcer
+from .validator import SchemaValidator
+
+__all__ = [
+    "AgentDefinition",
+    "AgentDependencies",
+    "AgentInterface",
+    "AgentMetadata",
+    "AgentTopology",
+    "IntegrityChecker",
+    "IntegrityCompromisedError",
+    "ManifestConfig",
+    "ManifestEngine",
+    "ManifestError",
+    "ManifestLoader",
+    "ManifestSyntaxError",
+    "ModelConfig",
+    "PolicyEnforcer",
+    "PolicyViolationError",
+    "SchemaValidator",
+    "Step",
+]

coreason_manifest-0.1.0/src/coreason_manifest/engine.py

@@ -0,0 +1,117 @@
+# Prosperity-3.0
+from __future__ import annotations
+
+import time
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import List, Optional, Union
+
+from coreason_manifest.integrity import IntegrityChecker
+from coreason_manifest.loader import ManifestLoader
+from coreason_manifest.models import AgentDefinition
+from coreason_manifest.policy import PolicyEnforcer
+
+# Import logger from utils to ensure configuration is applied
+from coreason_manifest.utils.logger import logger
+from coreason_manifest.validator import SchemaValidator
+
+
+@dataclass
+class ManifestConfig:
+    """Configuration for the ManifestEngine."""
+
+    policy_path: Union[str, Path]
+    opa_path: str = "opa"
+    tbom_path: Optional[Union[str, Path]] = None
+    extra_data_paths: List[Union[str, Path]] = field(default_factory=list)
+
+
+class ManifestEngine:
+    """
+    The main entry point for verifying and loading Agent Manifests.
+    """
+
+    def __init__(self, config: ManifestConfig) -> None:
+        """
+        Initialize the ManifestEngine.
+
+        Args:
+            config: Configuration including policy path and OPA path.
+        """
+        self.config = config
+        self.schema_validator = SchemaValidator()
+
+        # Collect data paths
+        data_paths = list(config.extra_data_paths)
+        if config.tbom_path:
+            data_paths.append(config.tbom_path)
+
+        self.policy_enforcer = PolicyEnforcer(
+            policy_path=config.policy_path,
+            opa_path=config.opa_path,
+            data_paths=data_paths,
+        )
+
+    def load_and_validate(self, manifest_path: Union[str, Path], source_dir: Union[str, Path]) -> AgentDefinition:
+        """
+        Loads, validates, and verifies an Agent Manifest.
+
+        Steps:
+        1. Load raw YAML.
+        2. Validate against JSON Schema.
+        3. Convert to AgentDefinition Pydantic model (Normalization).
+        4. Enforce Policy (Rego).
+        5. Verify Integrity (Hash check).
+
+        Args:
+            manifest_path: Path to the agent.yaml file.
+            source_dir: Path to the source code directory.
+
+        Returns:
+            AgentDefinition: The fully validated and verified agent definition.
+
+        Raises:
+            ManifestSyntaxError: If structure or schema is invalid.
+            PolicyViolationError: If business rules are violated.
+            IntegrityCompromisedError: If source code hash does not match.
+            FileNotFoundError: If files are missing.
+        """
+        manifest_path = Path(manifest_path)
+        source_dir = Path(source_dir)
+
+        logger.info(f"Validating Agent Manifest: {manifest_path}")
+
+        # 1. Load Raw YAML
+        raw_data = ManifestLoader.load_raw_from_file(manifest_path)
+
+        # 2. Schema Validation
+        logger.debug("Running Schema Validation...")
+        self.schema_validator.validate(raw_data)
+
+        # 3. Model Conversion (Normalization)
+        logger.debug("Converting to AgentDefinition...")
+        agent_def = ManifestLoader.load_from_dict(raw_data)
+        logger.info(f"Validating Agent {agent_def.metadata.id} v{agent_def.metadata.version}")
+
+        # 4. Policy Enforcement
+        logger.debug("Enforcing Policies...")
+        # We assume policy is checked against the Normalized data (model dumped back to dict)
+        # or raw data? Standard practice: Check against normalized data to prevent bypasses.
+        # dump mode='json' converts UUIDs/Dates to strings which is what OPA expects usually.
+        normalized_data = agent_def.model_dump(mode="json")
+        start_time = time.perf_counter()
+        try:
+            self.policy_enforcer.evaluate(normalized_data)
+            duration_ms = (time.perf_counter() - start_time) * 1000
+            logger.info(f"Policy Check: Pass - {duration_ms:.2f}ms")
+        except Exception:
+            duration_ms = (time.perf_counter() - start_time) * 1000
+            logger.info(f"Policy Check: Fail - {duration_ms:.2f}ms")
+            raise
+
+        # 5. Integrity Check
+        logger.debug("Verifying Integrity...")
+        IntegrityChecker.verify(agent_def, source_dir, manifest_path=manifest_path)
+
+        logger.info("Agent validation successful.")
+        return agent_def

coreason_manifest-0.1.0/src/coreason_manifest/errors.py

@@ -0,0 +1,28 @@
+# Prosperity-3.0
+from __future__ import annotations
+
+
+class ManifestError(Exception):
+    """Base exception for coreason_manifest errors."""
+
+    pass
+
+
+class ManifestSyntaxError(ManifestError):
+    """Raised when the manifest YAML is invalid or missing required fields."""
+
+    pass
+
+
+class PolicyViolationError(ManifestError):
+    """Raised when the agent violates a compliance policy."""
+
+    def __init__(self, message: str, violations: list[str] | None = None) -> None:
+        super().__init__(message)
+        self.violations = violations or []
+
+
+class IntegrityCompromisedError(ManifestError):
+    """Raised when the source code hash does not match the manifest."""
+
+    pass

coreason_manifest-0.1.0/src/coreason_manifest/integrity.py

@@ -0,0 +1,136 @@
+# Prosperity-3.0
+from __future__ import annotations
+
+import hashlib
+import os
+from pathlib import Path
+from typing import List, Optional, Set, Union
+
+from coreason_manifest.errors import IntegrityCompromisedError
+from coreason_manifest.models import AgentDefinition
+
+
+class IntegrityChecker:
+    """
+    Component D: IntegrityChecker (The Notary).
+
+    Responsibility:
+      - Calculate the SHA256 hash of the source code directory.
+      - Compare it against the integrity_hash defined in the manifest.
+    """
+
+    IGNORED_DIRS = frozenset({".git", "__pycache__", ".venv", ".env", ".DS_Store"})
+
+    @staticmethod
+    def calculate_hash(source_dir: Union[Path, str], exclude_files: Optional[Set[Union[Path, str]]] = None) -> str:
+        """
+        Calculates a deterministic SHA256 hash of the source code directory.
+
+        It walks the directory using os.walk to efficiently prune ignored directories.
+        Sorts files by relative path, hashes each file, and then hashes the sequence.
+
+        Ignores hidden directories/files in IGNORED_DIRS.
+        Rejects symbolic links for security.
+
+        Args:
+            source_dir: The directory containing source code.
+            exclude_files: Optional set of file paths (absolute or relative to CWD) to exclude from hashing.
+
+        Returns:
+            The hex digest of the SHA256 hash.
+
+        Raises:
+            FileNotFoundError: If source_dir does not exist.
+            IntegrityCompromisedError: If a symlink is found.
+        """
+        path_obj = Path(source_dir)
+        if path_obj.is_symlink():
+            raise IntegrityCompromisedError(f"Symbolic links are forbidden: {path_obj}")
+
+        source_path = path_obj.resolve()
+        if not source_path.exists():
+            raise FileNotFoundError(f"Source directory not found: {source_path}")
+
+        # Normalize excluded files to absolute paths
+        excludes = set()
+        if exclude_files:
+            for ex_path in exclude_files:
+                excludes.add(Path(ex_path).resolve())
+
+        sha256 = hashlib.sha256()
+        file_paths: List[Path] = []
+
+        # Use os.walk for efficient traversal and pruning
+        for root, dirs, files in os.walk(source_path, topdown=True):
+            root_path = Path(root)
+
+            # Check for symlinks in directories before pruning
+            for d_name in dirs:
+                d_path = root_path / d_name
+                if d_path.is_symlink():
+                    raise IntegrityCompromisedError(f"Symbolic links are forbidden: {d_path}")  # pragma: no cover
+
+            # Prune directories efficiently using slice assignment
+            dirs[:] = [d for d in dirs if d not in IntegrityChecker.IGNORED_DIRS]
+
+            # Collect files
+            for f_name in files:
+                f_path = root_path / f_name
+
+                if f_path.is_symlink():
+                    raise IntegrityCompromisedError(f"Symbolic links are forbidden: {f_path}")
+
+                if f_name in IntegrityChecker.IGNORED_DIRS:
+                    continue
+
+                # Use resolved path for exclusion checking and inclusion
+                f_path_abs = f_path.resolve()
+                if f_path_abs in excludes:
+                    continue
+
+                file_paths.append(f_path_abs)
+
+        # Sort to ensure deterministic order
+        # Use as_posix() to ensure ASCII sorting (case-sensitive) on all platforms (Windows vs Linux)
+        file_paths.sort(key=lambda p: p.relative_to(source_path).as_posix())
+
+        for path in file_paths:
+            # Update hash with relative path to ensure structure matters
+            # Use forward slashes for cross-platform consistency
+            rel_path = path.relative_to(source_path).as_posix().encode("utf-8")
+            sha256.update(rel_path)
+
+            # Update hash with file content
+            with open(path, "rb") as f:
+                while chunk := f.read(8192):
+                    sha256.update(chunk)
+
+        return sha256.hexdigest()
+
+    @staticmethod
+    def verify(
+        agent_def: AgentDefinition,
+        source_dir: Union[Path, str],
+        manifest_path: Optional[Union[Path, str]] = None,
+    ) -> None:
+        """
+        Verifies the integrity of the source code against the manifest.
+
+        Args:
+            agent_def: The AgentDefinition containing the expected hash.
+            source_dir: The directory containing source code.
+            manifest_path: Optional path to the manifest file to exclude from hashing.
+
+        Raises:
+            IntegrityCompromisedError: If the hash does not match or is missing.
+            FileNotFoundError: If source_dir does not exist.
+        """
+        exclude_files = {manifest_path} if manifest_path else None
+
+        # agent_def.integrity_hash is now required by Pydantic model
+        calculated = IntegrityChecker.calculate_hash(source_dir, exclude_files=exclude_files)
+
+        if calculated != agent_def.integrity_hash:
+            raise IntegrityCompromisedError(
+                f"Integrity check failed. Expected {agent_def.integrity_hash}, got {calculated}"
+            )