kekkai-cli 1.0.0__py3-none-any.whl

kekkai_core/docker/signing.py

@@ -0,0 +1,135 @@
+"""Docker image signing and verification with Cosign."""
+
+import os
+import subprocess
+from pathlib import Path
+
+
+class CosignError(Exception):
+    """Raised when Cosign operations fail."""
+
+
+def sign_image(
+    image: str,
+    key_path: Path | None = None,
+    password: str | None = None,
+) -> bool:
+    """
+    Sign Docker image with Cosign.
+
+    Args:
+        image: Docker image to sign (e.g., 'kademoslabs/kekkai:latest')
+        key_path: Path to Cosign private key (optional, uses keyless if None)
+        password: Password for private key (optional)
+
+    Returns:
+        True if signing succeeded
+
+    Raises:
+        CosignError: If signing fails
+    """
+    cmd = ["cosign", "sign", "--yes"]
+
+    if key_path:
+        cmd.extend(["--key", str(key_path)])
+
+    cmd.append(image)
+
+    try:
+        env = {}
+        if password:
+            env["COSIGN_PASSWORD"] = password
+
+        result = subprocess.run(
+            cmd,
+            capture_output=True,
+            text=True,
+            check=True,
+            timeout=120,
+            env={**os.environ, **env} if env else None,
+        )
+        return result.returncode == 0
+
+    except subprocess.CalledProcessError as e:
+        raise CosignError(f"Image signing failed: {e.stderr}") from e
+    except subprocess.TimeoutExpired as e:
+        raise CosignError("Image signing timed out after 120s") from e
+
+
+def verify_signature(
+    image: str,
+    key_path: Path | None = None,
+) -> bool:
+    """
+    Verify Docker image signature with Cosign.
+
+    Args:
+        image: Docker image to verify (e.g., 'kademoslabs/kekkai:latest')
+        key_path: Path to Cosign public key (optional, uses keyless if None)
+
+    Returns:
+        True if signature is valid
+
+    Raises:
+        CosignError: If verification fails
+    """
+    cmd = ["cosign", "verify"]
+
+    if key_path:
+        cmd.extend(["--key", str(key_path)])
+
+    cmd.append(image)
+
+    try:
+        result = subprocess.run(
+            cmd,
+            capture_output=True,
+            text=True,
+            check=False,  # Don't raise on non-zero exit
+            timeout=120,
+        )
+        return result.returncode == 0
+
+    except subprocess.TimeoutExpired as e:
+        raise CosignError("Signature verification timed out after 120s") from e
+
+
+def generate_keypair(output_dir: Path) -> tuple[Path, Path]:
+    """
+    Generate Cosign keypair.
+
+    Args:
+        output_dir: Directory to store keys
+
+    Returns:
+        Tuple of (private_key_path, public_key_path)
+
+    Raises:
+        CosignError: If key generation fails
+    """
+    output_dir.mkdir(parents=True, exist_ok=True)
+
+    private_key = output_dir / "cosign.key"
+    public_key = output_dir / "cosign.pub"
+
+    cmd = ["cosign", "generate-key-pair"]
+
+    try:
+        subprocess.run(
+            cmd,
+            capture_output=True,
+            text=True,
+            check=True,
+            cwd=str(output_dir),
+            timeout=60,
+        )
+
+        if not private_key.exists() or not public_key.exists():
+            raise CosignError("Key generation succeeded but keys not found")
+
+        return (private_key, public_key)
+
+    except subprocess.CalledProcessError as e:
+        raise CosignError(f"Key generation failed: {e.stderr}") from e
+    except subprocess.TimeoutExpired as e:
+        raise CosignError("Key generation timed out after 60s") from e

kekkai_core/redaction.py

@@ -0,0 +1,84 @@
+from __future__ import annotations
+
+import re
+
+# Conservative redaction: hide common token/secret patterns while preserving debugging structure.
+_SECRET_PATTERNS: list[re.Pattern[str]] = [
+    re.compile(r"(?i)(api[_-]?key|token|secret|password)\s*[:=]\s*([^\s,;]+)"),
+    re.compile(r"(?i)\b(bearer)\s+([a-z0-9\-\._~\+\/]+=*)"),
+]
+
+# Extended patterns for comprehensive secret detection
+_EXTENDED_PATTERNS: list[re.Pattern[str]] = [
+    # AWS keys
+    re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
+    re.compile(r"(?i)(aws[_-]?secret[_-]?access[_-]?key)\s*[:=]\s*([A-Za-z0-9/+=]{40})"),
+    # GitHub tokens
+    re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
+    re.compile(r"\b(gho_[A-Za-z0-9]{36})\b"),
+    re.compile(r"\b(github_pat_[A-Za-z0-9_]{22,})\b"),
+    # GitLab tokens
+    re.compile(r"\b(glpat-[A-Za-z0-9\-_]{20,})\b"),
+    # Slack tokens
+    re.compile(r"\b(xox[baprs]-[A-Za-z0-9\-]+)\b"),
+    # Stripe keys
+    re.compile(r"\b(sk_(?:live|test)_[A-Za-z0-9]{24,})\b"),
+    re.compile(r"\b(pk_(?:live|test)_[A-Za-z0-9]{24,})\b"),
+    # Private key headers
+    re.compile(r"-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----"),
+    # JWT tokens (simplified)
+    re.compile(r"\beyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*\b"),
+]
+
+
+def redact(text: str) -> str:
+    """Redact likely secrets from a string (best-effort, non-destructive)."""
+    redacted = text
+    for pat in _SECRET_PATTERNS:
+        redacted = pat.sub(lambda m: f"{m.group(1)} [REDACTED]", redacted)
+    return redacted
+
+
+def redact_extended(text: str) -> str:
+    """Redact secrets using both core and extended patterns.
+
+    Includes AWS, GitHub, GitLab, Slack, Stripe tokens, private keys, and JWTs.
+    """
+    result = redact(text)
+    for pat in _EXTENDED_PATTERNS:
+        result = pat.sub("[REDACTED]", result)
+    return result
+
+
+def detect_secrets(text: str) -> list[str]:
+    """Detect types of secrets present in text without returning values.
+
+    Returns list of pattern names/descriptions found.
+    """
+    found: list[str] = []
+
+    # Check core patterns
+    for pat in _SECRET_PATTERNS:
+        if pat.search(text):
+            found.append("credential_pattern")
+
+    # Check extended patterns with descriptions
+    pattern_names = [
+        ("aws_key", _EXTENDED_PATTERNS[0]),
+        ("aws_secret", _EXTENDED_PATTERNS[1]),
+        ("github_token", _EXTENDED_PATTERNS[2]),
+        ("github_oauth", _EXTENDED_PATTERNS[3]),
+        ("github_pat", _EXTENDED_PATTERNS[4]),
+        ("gitlab_token", _EXTENDED_PATTERNS[5]),
+        ("slack_token", _EXTENDED_PATTERNS[6]),
+        ("stripe_secret", _EXTENDED_PATTERNS[7]),
+        ("stripe_publishable", _EXTENDED_PATTERNS[8]),
+        ("private_key", _EXTENDED_PATTERNS[9]),
+        ("jwt_token", _EXTENDED_PATTERNS[10]),
+    ]
+
+    for name, pat in pattern_names:
+        if pat.search(text):
+            found.append(name)
+
+    return list(set(found))  # Dedupe

kekkai_core/slsa/__init__.py

@@ -0,0 +1,13 @@
+"""SLSA Level 3 provenance verification for kekkai releases."""
+
+from kekkai_core.slsa.verify import (
+    AttestationError,
+    ProvenanceResult,
+    verify_provenance,
+)
+
+__all__ = [
+    "AttestationError",
+    "ProvenanceResult",
+    "verify_provenance",
+]

kekkai_core/slsa/verify.py

@@ -0,0 +1,121 @@
+"""SLSA provenance verification using slsa-verifier."""
+
+from __future__ import annotations
+
+import json
+import subprocess
+from dataclasses import dataclass
+from pathlib import Path
+
+
+class AttestationError(Exception):
+    """Raised when attestation verification fails."""
+
+
+@dataclass
+class ProvenanceResult:
+    """Result of SLSA provenance verification."""
+
+    verified: bool
+    builder_id: str | None = None
+    source_repo: str | None = None
+    commit_sha: str | None = None
+    error: str | None = None
+
+
+def verify_provenance(
+    artifact_path: Path,
+    provenance_path: Path,
+    expected_repo: str = "kademoslabs/kekkai",
+) -> ProvenanceResult:
+    """
+    Verify SLSA provenance for an artifact.
+
+    Args:
+        artifact_path: Path to the artifact to verify
+        provenance_path: Path to the provenance attestation file
+        expected_repo: Expected GitHub repository (owner/repo)
+
+    Returns:
+        ProvenanceResult with verification status and metadata
+
+    Raises:
+        AttestationError: If verification encounters an unrecoverable error
+    """
+    if not artifact_path.exists():
+        return ProvenanceResult(
+            verified=False,
+            error=f"Artifact not found: {artifact_path}",
+        )
+
+    if not provenance_path.exists():
+        return ProvenanceResult(
+            verified=False,
+            error=f"Provenance file not found: {provenance_path}",
+        )
+
+    try:
+        result = subprocess.run(
+            [
+                "slsa-verifier",  # nosec B607 - trusted binary
+                "verify-artifact",
+                str(artifact_path),
+                "--provenance-path",
+                str(provenance_path),
+                "--source-uri",
+                f"github.com/{expected_repo}",
+            ],
+            capture_output=True,
+            text=True,
+            timeout=60,
+        )
+
+        if result.returncode != 0:
+            return ProvenanceResult(
+                verified=False,
+                error=result.stderr.strip() or "Verification failed",
+            )
+
+        # Parse provenance for metadata
+        provenance_data = _parse_provenance(provenance_path)
+
+        return ProvenanceResult(
+            verified=True,
+            builder_id=provenance_data.get("builder_id"),
+            source_repo=provenance_data.get("source_repo"),
+            commit_sha=provenance_data.get("commit_sha"),
+        )
+
+    except subprocess.TimeoutExpired:
+        return ProvenanceResult(
+            verified=False,
+            error="Verification timed out after 60s",
+        )
+    except FileNotFoundError:
+        return ProvenanceResult(
+            verified=False,
+            error="slsa-verifier not found. Install: https://github.com/slsa-framework/slsa-verifier",
+        )
+    except Exception as e:
+        raise AttestationError(f"Unexpected error during verification: {e}") from e
+
+
+def _parse_provenance(provenance_path: Path) -> dict[str, str | None]:
+    """Extract metadata from provenance file."""
+    try:
+        data = json.loads(provenance_path.read_text())
+
+        # Handle SLSA provenance format
+        predicate = data.get("predicate", {})
+        invocation = predicate.get("invocation", {})
+        config_source = invocation.get("configSource", {})
+
+        builder = predicate.get("builder", {})
+
+        return {
+            "builder_id": builder.get("id"),
+            "source_repo": config_source.get("uri"),
+            "commit_sha": config_source.get("digest", {}).get("sha1"),
+        }
+    except (json.JSONDecodeError, KeyError):
+        return {}

kekkai_core/windows/__init__.py

@@ -0,0 +1,29 @@
+"""Windows distribution integration for Kekkai.
+
+This module provides utilities for Windows package managers:
+- Scoop manifest generation and validation
+- PowerShell installer script generation
+- Windows-specific validation (Python version, PATH)
+"""
+
+from kekkai_core.windows.installer import (
+    generate_installer_script,
+    generate_uninstaller_script,
+)
+from kekkai_core.windows.scoop import (
+    generate_scoop_manifest,
+    validate_scoop_manifest,
+)
+from kekkai_core.windows.validators import (
+    validate_python_version,
+    validate_windows_path,
+)
+
+__all__ = [
+    "generate_scoop_manifest",
+    "validate_scoop_manifest",
+    "generate_installer_script",
+    "generate_uninstaller_script",
+    "validate_python_version",
+    "validate_windows_path",
+]