epi-recorder 2.1.1__py3-none-any.whl → 2.1.2__py3-none-any.whl

epi_core/__init__.py

@@ -2,7 +2,7 @@
 EPI Core - Core data structures, serialization, and container management.
 """
 
-__version__ = "2.1.0"
+__version__ = "2.1.1"
 
 from epi_core.schemas import ManifestModel, StepModel
 from epi_core.serialize import get_canonical_hash

epi_core/container.py

@@ -80,6 +80,8 @@ class EPIContainer:
         # Read template and assets
         template_html = template_path.read_text(encoding="utf-8")
         app_js = app_js_path.read_text(encoding="utf-8") if app_js_path.exists() else ""
+        crypto_js_path = viewer_static_dir / "crypto.js"
+        crypto_js = crypto_js_path.read_text(encoding="utf-8") if crypto_js_path.exists() else ""
         css_styles = css_path.read_text(encoding="utf-8") if css_path.exists() else ""
         
         # Read steps from steps.jsonl
@@ -112,10 +114,16 @@ class EPIContainer:
             f'<style>{css_styles}</style>'
         )
         
-        # Inline app.js
+        # Inline crypto.js and app.js
+        js_content = ""
+        if crypto_js:
+            js_content += f"<script>{crypto_js}</script>\n"
+        if app_js:
+            js_content += f"<script>{app_js}</script>"
+            
         html_with_js = html_with_css.replace(
             '<script src="app.js"></script>',
-            f'<script>{app_js}</script>'
+            js_content
         )
         
         return html_with_js

epi_core/schemas.py

@@ -18,7 +18,7 @@ class ManifestModel(BaseModel):
     """
     
     spec_version: str = Field(
-        default="1.0-keystone",
+        default="1.1-json",
         description="EPI specification version"
     )
     
@@ -47,6 +47,11 @@ class ManifestModel(BaseModel):
         description="Mapping of file paths to their SHA-256 hashes for integrity verification"
     )
     
+    public_key: Optional[str] = Field(
+        default=None,
+        description="Hex-encoded public key used for verification"
+    )
+    
     signature: Optional[str] = Field(
         default=None,
         description="Ed25519 signature of the canonical CBOR hash of this manifest (excluding signature field)"

epi_core/serialize.py

@@ -87,27 +87,56 @@ def get_canonical_hash(model: BaseModel, exclude_fields: set[str] | None = None)
         else:
             return value
     
+    # Normalize datetime and UUID fields to strings
     model_dict = normalize_value(model_dict)
     
     if exclude_fields:
         for field in exclude_fields:
             model_dict.pop(field, None)
-    
+
+    # JSON Canonicalization for Spec v1.1+
+    # Check if model has spec_version and if it indicates JSON usage
+    # We default to CBOR for backward compatibility
+    
+    use_json = False
+    
+    # Check spec_version in model or dict
+    spec_version = model_dict.get("spec_version")
+    if spec_version and (spec_version.startswith("1.1") or "json" in spec_version):
+        use_json = True
+        
+    if use_json:
+        return _get_json_canonical_hash(model_dict)
+    else:
+        return _get_cbor_canonical_hash(model_dict)
+
+
+def _get_json_canonical_hash(data: Any) -> str:
+    """Compute canonical SHA-256 hash using JSON (RFC 8785 style)."""
+    import json
+    
+    # Dump to JSON with sorted keys and no whitespace
+    json_bytes = json.dumps(
+        data,
+        sort_keys=True,
+        separators=(',', ':'),
+        ensure_ascii=False
+    ).encode("utf-8")
+    
+    return hashlib.sha256(json_bytes).hexdigest()
+
+
+def _get_cbor_canonical_hash(data: Any) -> str:
+    """Compute canonical SHA-256 hash using CBOR (Legacy v1.0)."""
     # Encode to canonical CBOR
-    # canonical=True ensures:
-    # - Keys are sorted lexicographically
-    # - Minimal encoding is used
-    # - Deterministic representation
     cbor_bytes = cbor2.dumps(
-        model_dict,
+        data,
         canonical=True,
         default=_cbor_default_encoder
     )
     
     # Compute SHA-256 hash
-    hash_obj = hashlib.sha256(cbor_bytes)
-    
-    return hash_obj.hexdigest()
+    return hashlib.sha256(cbor_bytes).hexdigest()
 
 
 def verify_hash(model: BaseModel, expected_hash: str, exclude_fields: set[str] | None = None) -> bool:

epi_core/trust.py

@@ -53,6 +53,16 @@ def sign_manifest(
         SigningError: If signing fails
     """
     try:
+        # Derive public key and add to manifest
+        public_key_obj = private_key.public_key()
+        public_key_hex = public_key_obj.public_bytes(
+            encoding=serialization.Encoding.Raw,
+            format=serialization.PublicFormat.Raw
+        ).hex()
+        
+        # We must update the manifest BEFORE hashing so the public key is signed
+        manifest.public_key = public_key_hex
+
         # Compute canonical hash (excluding signature field)
         manifest_hash = get_canonical_hash(manifest, exclude_fields={"signature"})
         hash_bytes = bytes.fromhex(manifest_hash)

epi_recorder/__init__.py

@@ -4,7 +4,7 @@ EPI Recorder - Runtime interception and workflow capture.
 Python API for recording AI workflows with cryptographic verification.
 """
 
-__version__ = "2.1.0"
+__version__ = "2.1.1"
 
 # Export Python API
 from epi_recorder.api import (