octp-python 0.2.0__py3-none-any.whl

octp/__init__.py

@@ -0,0 +1,9 @@
+"""
+OCTP — Open Contribution Trust Protocol
+Reference implementation v0.2
+
+https://github.com/openoctp/spec
+"""
+
+__version__ = "0.2.0"
+__spec_version__ = "0.1"

octp/cli/init.py

@@ -0,0 +1,54 @@
+from __future__ import annotations
+
+from pathlib import Path
+
+import typer
+from rich.console import Console
+from rich.prompt import Confirm
+
+console = Console()
+
+DEFAULT_CONFIG = """\
+[policy]
+require_envelope = true
+minimum_review_level = "moderate_review"
+block_on_failed_tests = true
+allow_unreviewed_ai = false
+
+[runners]
+test_runner = "pytest"
+static_analysis = "semgrep"
+dependency_check = "pip-audit"
+
+[identity]
+require_signed_envelope = true
+key_registry = "github"
+"""
+
+
+def init_command(
+    path: Path = typer.Argument(
+        Path("."), help="Repository path to initialise OCTP in"
+    ),
+):
+    """Initialise OCTP in a repository — creates .octp.toml"""
+
+    config_path = path / ".octp.toml"
+
+    if config_path.exists():
+        overwrite = Confirm.ask(
+            f".octp.toml already exists at {config_path}. Overwrite?"
+        )
+        if not overwrite:
+            console.print("Aborted.")
+            raise typer.Exit(0)
+
+    config_path.write_text(DEFAULT_CONFIG)
+    console.print(f"\n[green]✓[/green] Created {config_path}")
+    console.print("\nNext steps:")
+    console.print("  1. Review and adjust .octp.toml for your project")
+    console.print("  2. Run [cyan]octp sign[/cyan] before submitting a pull request")
+    console.print(
+        "  3. Add to your CONTRIBUTING.md that contributors should run octp sign"
+    )
+    console.print("\nSpec: https://github.com/openoctp/spec")

octp/cli/main.py

@@ -0,0 +1,19 @@
+import typer
+
+from octp.cli.init import init_command
+from octp.cli.sign import sign_command
+from octp.cli.verify import verify_command
+
+app = typer.Typer(
+    name="octp",
+    help="Open Contribution Trust Protocol — generate and verify trust envelopes",
+    add_completion=False,
+)
+
+app.command(name="sign")(sign_command)
+app.command(name="verify")(verify_command)
+app.command(name="init")(init_command)
+
+
+if __name__ == "__main__":
+    app()

octp/cli/sign.py

@@ -0,0 +1,133 @@
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+import typer
+from rich.console import Console
+
+from octp.core.builder import build_envelope
+from octp.git.reader import read_repo
+from octp.identity.keymanager import ensure_keypair
+from octp.identity.resolver import resolve_developer_id
+from octp.output.formatter import (
+    print_envelope_summary,
+    print_header,
+    print_success,
+    print_verification_results,
+)
+from octp.provenance.collector import collect_interactively
+from octp.verification.registry import run_all
+
+console = Console()
+
+
+def get_default_provenance() -> dict:
+    """Get default provenance data for non-interactive mode.
+
+    For OCTP project: defaults to AI-assisted with substantial review.
+    """
+    return {
+        "method": "ai_assisted_human_reviewed",
+        "ai_tools": [
+            {
+                "model": "claude-sonnet-4-6",
+                "vendor": "anthropic",
+                "version": "20260226",
+                "usage_type": "architecture_and_implementation",
+            },
+            {
+                "model": "kimi-k2.5",
+                "vendor": "moonshot",
+                "version": "20260226",
+                "usage_type": "implementation_and_scaffolding",
+            },
+        ],
+        "human_review_level": "substantial_modification",
+        "human_review_duration_minutes": None,
+        "optional_context": {},
+    }
+
+
+def is_interactive() -> bool:
+    """Check if running in an interactive terminal."""
+    return sys.stdin.isatty() and sys.stdout.isatty()
+
+
+def sign_command(
+    output: Path = typer.Option(
+        Path(".octp-envelope.json"),
+        "--output",
+        "-o",
+        help="Path to write the envelope JSON",
+    ),
+    yes: bool = typer.Option(
+        False, "--yes", "-y", help="Skip interactive prompts — use defaults"
+    ),
+    profile: str = typer.Option(
+        "full",
+        "--profile",
+        "-p",
+        help="Runner profile: fast (3-8s), full (all checks), ci, security",
+    ),
+):
+    """Generate and sign a trust envelope for the current commit."""
+
+    print_header()
+
+    # Read git state
+    try:
+        repo_info = read_repo()
+    except RuntimeError as e:
+        console.print(f"[red]Error:[/red] {e}")
+        raise typer.Exit(1)
+
+    console.print(f"\n  Repository : [cyan]{repo_info.repository}[/cyan]")
+    console.print(f"  Commit     : [cyan]{repo_info.commit_hash[:12]}[/cyan]")
+    console.print(f"  Profile    : [cyan]{profile}[/cyan]")
+
+    # Resolve identity
+    ensure_keypair()
+    developer_id = resolve_developer_id()
+    console.print(f"  Developer  : [cyan]{developer_id}[/cyan]\n")
+
+    # Run verification checks
+    check_results = run_all(repo_info.root, profile=profile)
+    print_verification_results(check_results)
+
+    # Collect provenance declaration
+    if yes:
+        # Explicit --yes flag: use defaults
+        provenance_data = get_default_provenance()
+        console.print("\n[dim]Using default provenance (non-interactive mode)[/dim]")
+    elif not is_interactive():
+        # No TTY detected: use defaults with warning
+        provenance_data = get_default_provenance()
+        console.print(
+            "\n[yellow]Warning:[/yellow] Non-interactive mode detected. "
+            "Using default provenance. Use --yes to suppress this warning."
+        )
+    else:
+        # Interactive: collect from user
+        try:
+            provenance_data = collect_interactively()
+        except Exception as e:
+            console.print(f"\n[red]Error collecting input:[/red] {e}")
+            console.print("[dim]Falling back to default provenance...[/dim]")
+            provenance_data = get_default_provenance()
+
+    # Build and sign envelope
+    envelope = build_envelope(
+        repo_info=repo_info,
+        developer_id=developer_id,
+        provenance_data=provenance_data,
+        check_results=check_results,
+    )
+
+    # Write envelope
+    envelope_json = envelope.model_dump_json(indent=2)
+    output.write_text(envelope_json)
+
+    # Print summary
+    print_envelope_summary(envelope)
+    print_success(str(output))

octp/cli/verify.py

@@ -0,0 +1,61 @@
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+import typer
+from rich.console import Console
+
+from octp.core.envelope import OCTPEnvelope
+from octp.integrity.hasher import hash_payload
+from octp.output.formatter import print_header, print_verify_result
+
+console = Console()
+
+
+def verify_command(
+    envelope_path: Path = typer.Argument(
+        ..., help="Path to the envelope JSON file to verify"
+    ),
+):
+    """Verify a trust envelope — check integrity and signature."""
+
+    print_header()
+
+    if not envelope_path.exists():
+        console.print(f"[red]Error:[/red] Envelope file not found: {envelope_path}")
+        raise typer.Exit(1)
+
+    try:
+        data = json.loads(envelope_path.read_text())
+        envelope = OCTPEnvelope.model_validate(data)
+    except Exception as e:
+        print_verify_result(False, f"Could not parse envelope: {e}")
+        raise typer.Exit(1)
+
+    if not envelope.integrity:
+        print_verify_result(False, "No integrity section found in envelope")
+        raise typer.Exit(1)
+
+    # Recompute payload hash
+    payload_dict = envelope.to_signable_dict()
+    computed_hash = hash_payload(payload_dict)
+
+    if computed_hash != envelope.integrity.payload_hash:
+        print_verify_result(
+            False, "Payload hash mismatch — envelope has been tampered with"
+        )
+        raise typer.Exit(1)
+
+    # Note: full signature verification requires public key lookup
+    # In v0.1 we verify the hash integrity and flag if signature is present
+    console.print(f"\n  Envelope   : [cyan]{envelope_path}[/cyan]")
+    console.print(f"  Developer  : [cyan]{envelope.provenance.developer_id}[/cyan]")
+    console.print(f"  Method     : [cyan]{envelope.provenance.method.value}[/cyan]")
+    console.print(f"  Commit     : [cyan]{envelope.commit_hash[:12]}[/cyan]")
+
+    print_verify_result(True)
+    console.print(
+        "\n[dim]Note: v0.1 verifies payload integrity. "
+        "Full signature verification against public key registry coming in v0.2.[/dim]"
+    )

octp/core/builder.py

@@ -0,0 +1,103 @@
+from __future__ import annotations
+
+import uuid
+from datetime import datetime, timezone
+
+from octp.core.envelope import (
+    AnalysisResult,
+    Integrity,
+    OCTPEnvelope,
+    OptionalContext,
+    Provenance,
+    Verification,
+)
+from octp.git.reader import RepoInfo
+from octp.identity.keymanager import sign_payload
+from octp.integrity.hasher import hash_payload
+from octp.verification.base import CheckResult
+
+
+def build_envelope(
+    repo_info: RepoInfo,
+    developer_id: str,
+    provenance_data: dict,
+    check_results: dict[str, CheckResult],
+) -> OCTPEnvelope:
+    """Assemble a complete signed OCTPEnvelope."""
+
+    # Build provenance
+    ai_tools = provenance_data.get("ai_tools")
+    provenance = Provenance(
+        method=provenance_data["method"],
+        ai_tools=ai_tools,
+        human_review_level=provenance_data["human_review_level"],
+        human_review_duration_minutes=provenance_data.get(
+            "human_review_duration_minutes"
+        ),
+        developer_id=developer_id,
+    )
+
+    # Build verification from check results
+    tests_result = check_results.get("pytest")
+    static_result = check_results.get("semgrep") or check_results.get("bandit")
+    deps_result = check_results.get("pip-audit")
+
+    verification = Verification(
+        tests_passed=tests_result.passed if tests_result else None,
+        test_suite_hash=tests_result.suite_hash if tests_result else None,
+        static_analysis=AnalysisResult(
+            "passed"
+            if static_result and static_result.passed
+            else "failed"
+            if static_result and not static_result.passed
+            else "skipped"
+        ),
+        static_analysis_tool=static_result.tool_name if static_result else None,
+        dependency_check=AnalysisResult(
+            "passed"
+            if deps_result and deps_result.passed
+            else "failed"
+            if deps_result and not deps_result.passed
+            else "skipped"
+        ),
+        novel_dependencies_introduced=False,  # v0.1: always false, future runner
+    )
+
+    # Build optional context
+    ctx_data = provenance_data.get("optional_context", {})
+    optional_context = (
+        OptionalContext(
+            issue_reference=ctx_data.get("issue_reference"),
+            self_assessed_confidence=ctx_data.get("self_assessed_confidence"),
+            areas_of_uncertainty=ctx_data.get("areas_of_uncertainty"),
+            time_in_codebase_minutes=ctx_data.get("time_in_codebase_minutes"),
+        )
+        if ctx_data
+        else None
+    )
+
+    # Build unsigned envelope
+    envelope = OCTPEnvelope(
+        octp_version="0.1",
+        contribution_id=str(uuid.uuid4()),
+        timestamp=datetime.now(timezone.utc),
+        repository=repo_info.repository,
+        commit_hash=repo_info.commit_hash,
+        provenance=provenance,
+        verification=verification,
+        optional_context=optional_context,
+    )
+
+    # Hash and sign
+    payload_dict = envelope.to_signable_dict()
+    payload_hash = hash_payload(payload_dict)
+    signature = sign_payload(payload_hash)
+
+    envelope.integrity = Integrity(
+        payload_hash=payload_hash,
+        developer_signature=signature,
+        signature_algorithm="ES256",
+        signed_at=datetime.now(timezone.utc),
+    )
+
+    return envelope

octp/core/envelope.py

@@ -0,0 +1,90 @@
+from __future__ import annotations
+
+from datetime import datetime
+from enum import Enum
+from typing import Optional
+
+from pydantic import BaseModel, Field
+
+
+class ProvenanceMethod(str, Enum):
+    HUMAN_ONLY = "human_only"
+    AI_ASSISTED_HUMAN_REVIEWED = "ai_assisted_human_reviewed"
+    AI_GENERATED_HUMAN_REVIEWED = "ai_generated_human_reviewed"
+    AI_GENERATED_UNREVIEWED = "ai_generated_unreviewed"
+
+
+class ReviewLevel(str, Enum):
+    NONE = "none"
+    GLANCE = "glance"
+    MODERATE = "moderate_review"
+    SUBSTANTIAL = "substantial_modification"
+    REWRITE = "complete_rewrite"
+
+
+class AnalysisResult(str, Enum):
+    PASSED = "passed"
+    FAILED = "failed"
+    SKIPPED = "skipped"
+
+
+class Confidence(str, Enum):
+    LOW = "low"
+    MEDIUM = "medium"
+    HIGH = "high"
+
+
+class AITool(BaseModel):
+    model: str
+    vendor: str
+    version: str
+    usage_type: str
+
+
+class Provenance(BaseModel):
+    method: ProvenanceMethod
+    ai_tools: Optional[list[AITool]] = None
+    human_review_level: ReviewLevel
+    human_review_duration_minutes: Optional[int] = Field(None, ge=0)
+    developer_id: str
+
+
+class Verification(BaseModel):
+    tests_passed: Optional[bool] = None  # None = not run, True = passed, False = failed
+    test_suite_hash: Optional[str] = None
+    static_analysis: AnalysisResult
+    static_analysis_tool: Optional[str] = None
+    dependency_check: AnalysisResult
+    novel_dependencies_introduced: bool
+
+
+class Integrity(BaseModel):
+    payload_hash: str
+    developer_signature: str
+    signature_algorithm: str = "ES256"
+    signed_at: datetime
+
+
+class OptionalContext(BaseModel):
+    issue_reference: Optional[str] = None
+    self_assessed_confidence: Optional[Confidence] = None
+    areas_of_uncertainty: Optional[str] = None
+    time_in_codebase_minutes: Optional[int] = Field(None, ge=0)
+
+
+class OCTPEnvelope(BaseModel):
+    octp_version: str = "0.1"
+    contribution_id: str
+    timestamp: datetime
+    repository: str
+    commit_hash: str
+    provenance: Provenance
+    verification: Verification
+    integrity: Optional[Integrity] = None
+    optional_context: Optional[OptionalContext] = None
+
+    def to_signable_dict(self) -> dict:
+        """Returns envelope as dict excluding the integrity section.
+        This is what gets hashed before signing."""
+        d = self.model_dump(mode="json", exclude={"integrity"})
+        return d

octp/core/validator.py

@@ -0,0 +1,28 @@
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+from octp.core.envelope import OCTPEnvelope
+
+
+def validate_envelope_json(data: dict) -> bool:
+    """Validate that a dict conforms to OCTP v0.1 envelope schema."""
+    try:
+        OCTPEnvelope.model_validate(data)
+        return True
+    except Exception:
+        return False
+
+
+def validate_envelope_file(path: Path) -> tuple[bool, str]:
+    """Validate an envelope file.
+    Returns (is_valid, error_message)."""
+    try:
+        data = json.loads(path.read_text())
+        OCTPEnvelope.model_validate(data)
+        return True, ""
+    except json.JSONDecodeError as e:
+        return False, f"Invalid JSON: {e}"
+    except Exception as e:
+        return False, f"Schema validation failed: {e}"

octp/git/reader.py

@@ -0,0 +1,64 @@
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass
+from pathlib import Path
+
+import git
+
+
+@dataclass
+class RepoInfo:
+    commit_hash: str
+    repository: str
+    branch: str
+    root: Path
+
+
+def read_repo(path: Path = Path(".")) -> RepoInfo:
+    """Read current git repository state."""
+    try:
+        repo = git.Repo(path, search_parent_directories=True)
+    except git.InvalidGitRepositoryError:
+        raise RuntimeError(
+            "Not inside a git repository. Run octp from within a git project."
+        )
+
+    commit_hash = repo.head.commit.hexsha
+
+    # Normalise remote URL to platform/org/repo format
+    repository = _parse_remote(repo)
+
+    branch = repo.active_branch.name if not repo.head.is_detached else "detached"
+    root = Path(repo.working_dir)
+
+    return RepoInfo(
+        commit_hash=commit_hash,
+        repository=repository,
+        branch=branch,
+        root=root,
+    )
+
+
+def _parse_remote(repo: git.Repo) -> str:
+    """Extract platform/org/repo from remote URL."""
+    try:
+        remote_url = repo.remotes.origin.url
+    except (AttributeError, IndexError):
+        return "unknown/unknown/unknown"
+
+    # Handle SSH: git@github.com:org/repo.git
+    ssh = re.match(r"git@([^:]+):(.+?)(?:\.git)?$", remote_url)
+    if ssh:
+        host = ssh.group(1)
+        path = ssh.group(2)
+        return f"{host}/{path}"
+
+    # Handle HTTPS: https://github.com/org/repo.git
+    https = re.match(r"https?://([^/]+)/(.+?)(?:\.git)?$", remote_url)
+    if https:
+        host = https.group(1)
+        path = https.group(2)
+        return f"{host}/{path}"
+
+    return remote_url

octp/identity/keymanager.py

@@ -0,0 +1,75 @@
+from __future__ import annotations
+
+import base64
+from pathlib import Path
+
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import ec
+
+KEYS_DIR = Path.home() / ".octp" / "keys"
+PRIVATE_KEY_FILE = KEYS_DIR / "private.pem"
+PUBLIC_KEY_FILE = KEYS_DIR / "public.pem"
+
+
+def ensure_keypair() -> None:
+    """Generate keypair if it doesn't exist."""
+    if PRIVATE_KEY_FILE.exists():
+        return
+    KEYS_DIR.mkdir(parents=True, exist_ok=True)
+    private_key = ec.generate_private_key(ec.SECP256R1())
+    public_key = private_key.public_key()
+
+    with open(PRIVATE_KEY_FILE, "wb") as f:
+        f.write(
+            private_key.private_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PrivateFormat.PKCS8,
+                encryption_algorithm=serialization.NoEncryption(),
+            )
+        )
+    PRIVATE_KEY_FILE.chmod(0o600)
+
+    with open(PUBLIC_KEY_FILE, "wb") as f:
+        f.write(
+            public_key.public_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PublicFormat.SubjectPublicKeyInfo,
+            )
+        )
+
+
+def sign_payload(payload_hash: str) -> str:
+    """Sign a payload hash with the developer's private key.
+    Returns base64-encoded signature."""
+    ensure_keypair()
+    with open(PRIVATE_KEY_FILE, "rb") as f:
+        private_key = serialization.load_pem_private_key(f.read(), password=None)
+
+    signature = private_key.sign(
+        payload_hash.encode(),
+        ec.ECDSA(hashes.SHA256()),
+    )
+    return base64.b64encode(signature).decode()
+
+
+def get_public_key_pem() -> str:
+    """Return the developer's public key in PEM format."""
+    ensure_keypair()
+    return PUBLIC_KEY_FILE.read_text()
+
+
+def verify_signature(
+    payload_hash: str, signature_b64: str, public_key_pem: str
+) -> bool:
+    """Verify a signature against a payload hash and public key."""
+    try:
+        public_key = serialization.load_pem_public_key(public_key_pem.encode())
+        signature = base64.b64decode(signature_b64)
+        public_key.verify(
+            signature,
+            payload_hash.encode(),
+            ec.ECDSA(hashes.SHA256()),
+        )
+        return True
+    except Exception:
+        return False

octp/identity/resolver.py

@@ -0,0 +1,41 @@
+from __future__ import annotations
+
+from pathlib import Path
+
+import git
+
+
+def resolve_developer_id(repo_path: Path = Path(".")) -> str:
+    """Resolve developer identity from git config."""
+    try:
+        repo = git.Repo(repo_path, search_parent_directories=True)
+        config = repo.config_reader()
+
+        # Try to get GitHub username from git config
+        try:
+            github_user = config.get_value("github", "user", default=None)
+            if github_user:
+                return f"github:{github_user}"
+        except Exception:
+            pass
+
+        # Fall back to git user email
+        try:
+            email = config.get_value("user", "email", default=None)
+            if email:
+                return f"email:{email}"
+        except Exception:
+            pass
+
+        # Fall back to git user name
+        try:
+            name = config.get_value("user", "name", default=None)
+            if name:
+                return f"git:{name}"
+        except Exception:
+            pass
+
+    except Exception:
+        pass
+
+    return "unknown"