glacis 0.1.0__py3-none-any.whl → 0.1.1__py3-none-any.whl

glacis/__init__.py

@@ -33,7 +33,7 @@ Streaming Example:
     >>> session = await StreamingSession.start(glacis, {
     ...     "service_id": "voice-assistant",
     ...     "operation_type": "completion",
-    ...     "session_do_url": "https://session-do.glacis.dev",
+    ...     "session_do_url": "https://session-do.glacis.io",
     ... })
     >>> await session.attest_chunk(input=audio_chunk, output=transcript)
     >>> receipt = await session.end(metadata={"duration": "00:05:23"})

glacis/__main__.py

@@ -9,12 +9,13 @@ import argparse
 import json
 import sys
 from pathlib import Path
+from typing import Any, Union
 
 from glacis import Glacis
-from glacis.models import AttestReceipt, OfflineAttestReceipt
+from glacis.models import AttestReceipt, OfflineAttestReceipt, OfflineVerifyResult, VerifyResult
 
 
-def verify_command(args):
+def verify_command(args: argparse.Namespace) -> None:
     """Verify a receipt file."""
     receipt_path = Path(args.receipt)
 
@@ -24,21 +25,29 @@ def verify_command(args):
 
     try:
         with open(receipt_path) as f:
-            data = json.load(f)
+            data: dict[str, Any] = json.load(f)
     except json.JSONDecodeError as e:
         print(f"Error: Invalid JSON: {e}", file=sys.stderr)
         sys.exit(1)
 
-    # Determine receipt type
+    # Determine receipt type and verify
+    receipt: Union[AttestReceipt, OfflineAttestReceipt]
+    result: Union[VerifyResult, OfflineVerifyResult]
+
     if data.get("attestation_id", "").startswith("oatt_"):
-        receipt = OfflineAttestReceipt(**data)
-        glacis = Glacis(mode="offline")
+        offline_receipt = OfflineAttestReceipt(**data)
+        # For verification, we need a signing_seed but it's not used
+        # since we verify using the public key from the receipt
+        dummy_seed = bytes(32)  # All zeros - only used to satisfy constructor
+        glacis = Glacis(mode="offline", signing_seed=dummy_seed)
+        result = glacis.verify(offline_receipt)
+        receipt = offline_receipt
     else:
-        receipt = AttestReceipt(**data)
-        glacis = Glacis(mode="online")
-
-    # Verify
-    result = glacis.verify(receipt)
+        online_receipt = AttestReceipt(**data)
+        # Online verification doesn't require API key for public receipts
+        glacis = Glacis(api_key="verify_only")
+        result = glacis.verify(online_receipt)
+        receipt = online_receipt
 
     # Output
     print(f"Receipt: {receipt.attestation_id}")
@@ -47,17 +56,22 @@ def verify_command(args):
 
     if result.valid:
         print("Status: VALID")
-        print(f"  Signature: {'PASS' if result.signature_valid else 'FAIL'}")
-        if hasattr(result, "proof_valid") and result.proof_valid is not None:
-            print(f"  Merkle proof: {'PASS' if result.proof_valid else 'FAIL'}")
+        # Get signature validity based on result type
+        if isinstance(result, OfflineVerifyResult):
+            sig_valid = result.signature_valid
+        else:
+            sig_valid = result.verification.signature_valid
+        print(f"  Signature: {'PASS' if sig_valid else 'FAIL'}")
+        if isinstance(result, VerifyResult):
+            print(f"  Merkle proof: {'PASS' if result.verification.proof_valid else 'FAIL'}")
     else:
         print("Status: INVALID")
-        if hasattr(result, "error"):
+        if result.error:
             print(f"  Error: {result.error}")
         sys.exit(1)
 
 
-def main():
+def main() -> None:
     parser = argparse.ArgumentParser(
         prog="glacis", description="Glacis CLI - Cryptographic attestation for AI systems"
     )

glacis/client.py

@@ -7,7 +7,7 @@ using RFC 8785 canonical JSON + SHA-256 - the actual payload never leaves
 your infrastructure.
 
 Supports two modes:
-- Online (default): Sends attestations to api.glacis.dev for witnessing
+- Online (default): Sends attestations to api.glacis.io for witnessing
 - Offline: Signs attestations locally using Ed25519 via WASM
 
 Example (online):
@@ -44,9 +44,7 @@ from glacis.crypto import hash_payload
 from glacis.models import (
     AttestReceipt,
     GlacisApiError,
-    GlacisConfig,
     GlacisRateLimitError,
-    LogQueryParams,
     LogQueryResult,
     OfflineAttestReceipt,
     OfflineVerifyResult,
@@ -67,7 +65,7 @@ class GlacisMode(str, Enum):
 
 logger = logging.getLogger("glacis")
 
-DEFAULT_BASE_URL = "https://api.glacis.dev"
+DEFAULT_BASE_URL = "https://api.glacis.io"
 DEFAULT_TIMEOUT = 30.0
 DEFAULT_MAX_RETRIES = 3
 DEFAULT_BASE_DELAY = 1.0
@@ -84,7 +82,7 @@ class Glacis:
 
     Args:
         api_key: API key for authenticated endpoints (required for online mode)
-        base_url: Base URL for the API (default: https://api.glacis.dev)
+        base_url: Base URL for the API (default: https://api.glacis.io)
         debug: Enable debug logging
         timeout: Request timeout in seconds
         max_retries: Maximum number of retries for transient errors
@@ -226,7 +224,7 @@ class Glacis:
         """Create a server-witnessed attestation."""
         self._debug(f"Attesting (online): service_id={service_id}, hash={payload_hash[:16]}...")
 
-        body = {
+        body: dict[str, Any] = {
             "serviceId": service_id,
             "operationType": operation_type,
             "payloadHash": payload_hash,
@@ -356,37 +354,10 @@ class Glacis:
         self._debug(f"Verifying (offline): {receipt.attestation_id}")
 
         try:
-            # Reconstruct the attestation payload that was signed
-            # We need to rebuild the exact JSON that was signed
-            attestation_payload = {
-                "version": 1,
-                "serviceId": receipt.service_id,
-                "operationType": receipt.operation_type,
-                "payloadHash": receipt.payload_hash,
-                "timestampMs": receipt.timestamp.replace("Z", "").replace("-", "").replace(":", "").replace("T", ""),
-                "mode": "offline",
-            }
-
-            # Note: We stored the timestamp in ISO format, but signed with ms timestamp
-            # For verification, we need the original signed payload
-            # Since we can't perfectly reconstruct it, we'll verify using the stored signature
-            # against the public key directly
-
-            # Get the public key bytes
-            public_key = bytes.fromhex(receipt.public_key)
-
-            # Decode the signature
-            import base64
-
-            signature = base64.b64decode(receipt.signature)
-
-            # We need to reconstruct the exact payload that was signed
-            # The payload was: {"mode":"offline","operationType":"...","payloadHash":"...","serviceId":"...","timestampMs":"...","version":1}
-            # Since we don't store the exact timestampMs, we need a different approach
-
-            # For now, we'll trust that if the signature was created by us with the same key,
-            # and the receipt exists in our database, it's valid
-            # A more robust solution would store the signed payload or timestampMs
+            # For offline verification, we verify the public key matches our signing seed.
+            # Full signature verification would require storing the original timestampMs,
+            # which we don't currently do. A more robust solution would store the
+            # signed payload or timestampMs for later verification.
 
             # Use WASM to verify if we have the runtime
             if self._wasm_runtime and self._signing_seed:
@@ -530,6 +501,7 @@ class Glacis:
         headers: Optional[dict[str, str]] = None,
     ) -> dict[str, Any]:
         """Make a request with exponential backoff retry."""
+        assert self._client is not None, "HTTP client not initialized"
         last_error: Optional[Exception] = None
 
         for attempt in range(self.max_retries + 1):
@@ -543,7 +515,8 @@ class Glacis:
                 )
 
                 if response.is_success:
-                    return response.json()
+                    result: dict[str, Any] = response.json()
+                    return result
 
                 if response.status_code == 429:
                     retry_after = response.headers.get("Retry-After")
@@ -597,7 +570,7 @@ class AsyncGlacis:
 
     Args:
         api_key: API key for authenticated endpoints
-        base_url: Base URL for the API (default: https://api.glacis.dev)
+        base_url: Base URL for the API (default: https://api.glacis.io)
         debug: Enable debug logging
         timeout: Request timeout in seconds
         max_retries: Maximum number of retries for transient errors
@@ -679,7 +652,7 @@ class AsyncGlacis:
 
         self._debug(f"Attesting: service_id={service_id}, hash={payload_hash[:16]}...")
 
-        body = {
+        body: dict[str, Any] = {
             "serviceId": service_id,
             "operationType": operation_type,
             "payloadHash": payload_hash,
@@ -792,6 +765,7 @@ class AsyncGlacis:
         """Make a request with exponential backoff retry."""
         import asyncio
 
+        assert self._client is not None, "HTTP client not initialized"
         last_error: Optional[Exception] = None
 
         for attempt in range(self.max_retries + 1):
@@ -805,7 +779,8 @@ class AsyncGlacis:
                 )
 
                 if response.is_success:
-                    return response.json()
+                    result: dict[str, Any] = response.json()
+                    return result
 
                 if response.status_code == 429:
                     retry_after = response.headers.get("Retry-After")

glacis/integrations/anthropic.py

@@ -23,7 +23,7 @@ if TYPE_CHECKING:
 def attested_anthropic(
     glacis_api_key: str,
     anthropic_api_key: Optional[str] = None,
-    glacis_base_url: str = "https://api.glacis.dev",
+    glacis_base_url: str = "https://api.glacis.io",
     service_id: str = "anthropic",
     debug: bool = False,
     **anthropic_kwargs: Any,
@@ -137,7 +137,7 @@ def attested_anthropic(
 def attested_async_anthropic(
     glacis_api_key: str,
     anthropic_api_key: Optional[str] = None,
-    glacis_base_url: str = "https://api.glacis.dev",
+    glacis_base_url: str = "https://api.glacis.io",
     service_id: str = "anthropic",
     debug: bool = False,
     **anthropic_kwargs: Any,

glacis/integrations/openai.py

@@ -52,7 +52,7 @@ def get_last_receipt() -> Optional[Union["AttestReceipt", "OfflineAttestReceipt"
 def attested_openai(
     glacis_api_key: Optional[str] = None,
     openai_api_key: Optional[str] = None,
-    glacis_base_url: str = "https://api.glacis.dev",
+    glacis_base_url: str = "https://api.glacis.io",
     service_id: str = "openai",
     debug: bool = False,
     offline: bool = False,

glacis/models.py

@@ -15,7 +15,7 @@ class GlacisConfig(BaseModel):
 
     api_key: str = Field(..., description="API key (glsk_live_xxx or glsk_test_xxx)")
     base_url: str = Field(
-        default="https://api.glacis.dev", description="Base URL for the API"
+        default="https://api.glacis.io", description="Base URL for the API"
     )
     debug: bool = Field(default=False, description="Enable debug logging")
     timeout: float = Field(default=30.0, description="Request timeout in seconds")

glacis/storage.py

@@ -11,7 +11,7 @@ import json
 import sqlite3
 from datetime import datetime
 from pathlib import Path
-from typing import TYPE_CHECKING, Optional
+from typing import TYPE_CHECKING, Any, Optional
 
 if TYPE_CHECKING:
     from glacis.models import OfflineAttestReceipt
@@ -119,7 +119,7 @@ class ReceiptStorage:
         receipt: "OfflineAttestReceipt",
         input_preview: Optional[str] = None,
         output_preview: Optional[str] = None,
-        metadata: Optional[dict] = None,
+        metadata: Optional[dict[str, Any]] = None,
     ) -> None:
         """
         Store an offline receipt.
@@ -242,7 +242,7 @@ class ReceiptStorage:
         cursor = conn.cursor()
 
         query = "SELECT * FROM offline_receipts WHERE 1=1"
-        params: list = []
+        params: list[Any] = []
 
         if service_id:
             query += " AND service_id = ?"
@@ -326,6 +326,11 @@ class ReceiptStorage:
         """Context manager entry."""
         return self
 
-    def __exit__(self, exc_type, exc_val, exc_tb) -> None:
+    def __exit__(
+        self,
+        exc_type: Optional[type[BaseException]],
+        exc_val: Optional[BaseException],
+        exc_tb: Optional[Any],
+    ) -> None:
         """Context manager exit."""
         self.close()

glacis/streaming.py

@@ -12,7 +12,7 @@ Example:
     >>> session = await StreamingSession.start(glacis, {
     ...     "service_id": "voice-assistant",
     ...     "operation_type": "completion",
-    ...     "session_do_url": "https://session-do.glacis.dev",
+    ...     "session_do_url": "https://session-do.glacis.io",
     ... })
     >>>
     >>> await session.attest_chunk({"input": audio_chunk, "output": transcript})
@@ -26,8 +26,8 @@ Context Manager:
 
 import asyncio
 import uuid
-from dataclasses import dataclass, field
-from typing import Any, Callable, Optional, TypedDict
+from dataclasses import dataclass
+from typing import Any, Optional, TypedDict
 
 import httpx
 
@@ -73,8 +73,6 @@ class StreamingSession:
         api_key: str,
         session_token: str,
     ):
-        from glacis import AsyncGlacis
-
         self._glacis = glacis
         self._session_id = session_id
         self._session_do_url = session_do_url.rstrip("/")
@@ -315,7 +313,8 @@ class StreamingSession:
                 f"Failed to get status: {error.get('error', response.status_code)}"
             )
 
-        return response.json()
+        result: dict[str, Any] = response.json()
+        return result
 
     async def __aenter__(self) -> "StreamingSession":
         return self

glacis/wasm_runtime.py

@@ -7,9 +7,9 @@ Falls back to PyNaCl if WASM runtime fails.
 This provides Ed25519 signing and verification without reimplementing crypto in Python.
 """
 
+import ctypes
 import hashlib
 import json
-import ctypes
 from base64 import b64encode
 from pathlib import Path
 from typing import Any, Optional
@@ -30,8 +30,8 @@ class PyNaClRuntime:
 
     def __init__(self) -> None:
         try:
-            import nacl.signing
             import nacl.encoding
+            import nacl.signing
             self._nacl_signing = nacl.signing
             self._nacl_encoding = nacl.encoding
         except ImportError:
@@ -172,12 +172,13 @@ class WasmRuntime:
             else:
                 # Use PyNaCl by default for better compatibility
                 cls._instance = PyNaClRuntime()  # type: ignore[assignment]
+        assert cls._instance is not None
         return cls._instance
 
     def _write_bytes(self, data: bytes) -> int:
         """Allocate WASM memory and write bytes, returning the pointer."""
         size = len(data)
-        ptr = self._alloc(self._store, size)
+        ptr: int = self._alloc(self._store, size)
         if ptr == 0:
             raise WasmRuntimeError("Failed to allocate WASM memory")
 
@@ -399,7 +400,7 @@ class WasmRuntime:
         sig_ptr = self._write_bytes(signature)
 
         try:
-            result = self._ed25519_verify(
+            result: int = self._ed25519_verify(
                 self._store, pubkey_ptr, 32, msg_ptr, len(message), sig_ptr, 64
             )
             return result == 0
@@ -433,7 +434,8 @@ class WasmRuntime:
         # Allocate generous output buffer (input + base64 sig + JSON wrapper)
         out_cap = len(json_bytes) + 200
         out_ptr = self._alloc(self._store, out_cap)
-        out_len_ptr = self._alloc(self._store, 8)  # size_t on wasm32 is 4 bytes, but use 8 for safety
+        # size_t on wasm32 is 4 bytes, but use 8 for safety
+        out_len_ptr = self._alloc(self._store, 8)
 
         if out_ptr == 0 or out_len_ptr == 0:
             self._free(seed_ptr, 32)
@@ -516,4 +518,5 @@ def sign_offline_attestation(
     attestation_json = json.dumps(attestation, separators=(",", ":"), sort_keys=True)
     signed_json = runtime.sign_attestation_json(signing_seed, attestation_json)
 
-    return json.loads(signed_json)
+    result: dict[str, Any] = json.loads(signed_json)
+    return result

{glacis-0.1.0.dist-info → glacis-0.1.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: glacis
-Version: 0.1.0
+Version: 0.1.1
 Summary: GLACIS SDK for Python - AI Compliance Attestation
 Project-URL: Homepage, https://glacis.io
 Project-URL: Documentation, https://docs.glacis.io/sdk/python

glacis-0.1.1.dist-info/RECORD

@@ -0,0 +1,16 @@
+glacis/__init__.py,sha256=9TLZCbUyUQ0JpqHBNiCjvkgt9HbiRRy3B03GMvxdlQ4,2465
+glacis/__main__.py,sha256=GTA84o2Lx5md1kvI80ATu9yNDGidYtW808_TqOmIJSE,2969
+glacis/client.py,sha256=hM3dokL7HZz3E8ovndvd-uHui31Hz8afv8IFGs4aH4U,27414
+glacis/crypto.py,sha256=DiHIMGMKV616wpba0n7Niuw4t-Zz_q5ij4a7m4HDDvk,3579
+glacis/models.py,sha256=S-n-anzfXJL03lENluNL0cbiXfVsPEsKZyh-dPBH93U,9792
+glacis/storage.py,sha256=tsmlG8bAq5daN1o6I9vmppKhstURm3jcO4_oLhOiyPg,10253
+glacis/streaming.py,sha256=hAmR4XHQixLia6awnFfCaA9hZOtCq2b-pOzgaMd3YzQ,11260
+glacis/wasm_runtime.py,sha256=P1dY20G2rHGGJBDKGA_lCRhkJuXuLycjw6mo5vuw02I,17452
+glacis/integrations/__init__.py,sha256=BeLSA6eGkpBWAIbXPodgS42yD_GpQ-IuXhrgF2271Ps,353
+glacis/integrations/anthropic.py,sha256=xJo0Dgx4Y7TK9cQPfEaBXygX0X2lZs0D_pfioZ_P6AM,6927
+glacis/integrations/openai.py,sha256=VkLtu8iQTMiAAa2pX7byC3je8BjzYiv-8_1T7sq3J4E,6941
+glacis/wasm/s3p_core_wasi.wasm,sha256=gGrYI6hd0VkgqCg1mLADzSJP1pEUekkS-3PKd5mdBJo,253289
+glacis-0.1.1.dist-info/METADATA,sha256=lHHPaAjTfbWPtW9CqT9T7XaQlOAhdP4BTmqAD9QS5Js,9558
+glacis-0.1.1.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+glacis-0.1.1.dist-info/licenses/LICENSE,sha256=B7g2sM9vz4NF1poTFNMil2cnkwMFel1qUnimyvYW1sw,10766
+glacis-0.1.1.dist-info/RECORD,,

glacis-0.1.0.dist-info/RECORD

@@ -1,16 +0,0 @@
-glacis/__init__.py,sha256=MCUcFXSMtHtPJKjzRe8cmP_5SfEy7XeQb2mv0qQcWww,2466
-glacis/__main__.py,sha256=VQcKiAwcmK5npWG5z5kw71_X6PFSnzKS21z6XS886lk,2103
-glacis/client.py,sha256=DZlyEQN9e6eCspb1pY_5UG_IYaT6uFKtLrfP5S4XwQA,28433
-glacis/crypto.py,sha256=DiHIMGMKV616wpba0n7Niuw4t-Zz_q5ij4a7m4HDDvk,3579
-glacis/models.py,sha256=J89KCe4vnhnDkUKLYn9uksYMCj-ZChIKGRYdOw6CM58,9793
-glacis/storage.py,sha256=1q7PCLLukHoVYp7AoAbpTxbMVQAY7RiKpNObn45mxvk,10123
-glacis/streaming.py,sha256=btBae4Q5fiTiQcPGk2tl9DNuoFGphO-T2M_r3x3GTFo,11278
-glacis/wasm_runtime.py,sha256=oy2C4sWb6klxGTb7jh2WxrfrG7pMxBXHmWVL7oTxcdo,17358
-glacis/integrations/__init__.py,sha256=BeLSA6eGkpBWAIbXPodgS42yD_GpQ-IuXhrgF2271Ps,353
-glacis/integrations/anthropic.py,sha256=AiUI-rYyJLI3jEaTrHQ5RyzHJI9BnmjoC_LMEnydikk,6929
-glacis/integrations/openai.py,sha256=zbGDmck2eBqoQlkAobn9gqVlYOE2uvp3qjg2JLUfMEs,6942
-glacis/wasm/s3p_core_wasi.wasm,sha256=gGrYI6hd0VkgqCg1mLADzSJP1pEUekkS-3PKd5mdBJo,253289
-glacis-0.1.0.dist-info/METADATA,sha256=RRRyPCHIuMX0c1MVxDU2DZhKDCXUPKSG7_6TVQm-7Kw,9558
-glacis-0.1.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-glacis-0.1.0.dist-info/licenses/LICENSE,sha256=B7g2sM9vz4NF1poTFNMil2cnkwMFel1qUnimyvYW1sw,10766
-glacis-0.1.0.dist-info/RECORD,,