repro-evidence-kit 0.4.1__tar.gz

repro_evidence_kit-0.4.1/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,27 @@
+---
+name: Bug report
+about: Report incorrect CLI, manifest, verifier, or schema behavior
+title: "bug: "
+labels: bug
+assignees: ''
+---
+
+## What happened?
+
+## Expected behavior
+
+## Reproduction steps
+
+```bash
+# commands here
+```
+
+## Environment
+
+- OS:
+- Python version:
+- repro-evidence-kit version:
+
+## Data policy confirmation
+
+- [ ] This issue does not include proprietary binaries, private datasets, credentials, sensitive logs, or target-specific private artifacts.

repro_evidence_kit-0.4.1/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,22 @@
+---
+name: Feature request
+about: Suggest a general-purpose reproducibility or evidence workflow improvement
+title: "feature: "
+labels: enhancement
+assignees: ''
+---
+
+## Problem
+
+## Proposed behavior
+
+## Example workflow
+
+```bash
+# optional commands
+```
+
+## Scope check
+
+- [ ] This feature is general-purpose and not tied to one private target or proprietary dataset.
+- [ ] This feature can be tested with synthetic or redistributable fixtures.

repro_evidence_kit-0.4.1/.github/pull_request_template.md

@@ -0,0 +1,13 @@
+## Summary
+
+## Tests
+
+- [ ] `python -m unittest discover -s tests`
+- [ ] `python -m repro_evidence_kit evidence validate examples/evidence-bundle.yaml`
+
+## Data policy
+
+- [ ] No proprietary binaries, private datasets, credentials, sensitive logs, or target-specific private artifacts are included.
+- [ ] New examples are synthetic or clearly redistributable.
+
+## Notes for maintainers

repro_evidence_kit-0.4.1/.github/workflows/ci.yml

@@ -0,0 +1,39 @@
+name: CI
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  test:
+    name: Python ${{ matrix.python-version }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ['3.10', '3.11', '3.12']
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - run: python -m pip install ".[schema]"
+      - run: python -m unittest discover -s tests
+      - run: python -m repro_evidence_kit evidence validate examples/evidence-bundle.yaml
+      - run: python -m repro_evidence_kit manifest create examples/dummy-binary -o /tmp/repro-manifest.json
+      - run: python scripts/smoke_examples.py
+      - name: Leakage audit
+        run: |
+          ! grep -RInE 'PRO7|조조전|ekd5|EEX|S_44|R_44|Phase4|Frida|xdbg|Cao Cao|save editor|game mod|/mnt/c/Users/xodnr/Desktop/new|_modding_tools' . --exclude-dir=.git --exclude=ci.yml
+
+  package:
+    name: Build package distributions
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - run: python -m pip install build twine
+      - run: python -m build
+      - run: python scripts/check_dist.py

repro_evidence_kit-0.4.1/.github/workflows/publish.yml

@@ -0,0 +1,46 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build release distributions
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - name: Confirm tag matches package version
+        run: |
+          package_version="$(python -c 'import tomllib; print(tomllib.load(open("pyproject.toml", "rb"))["project"]["version"])')"
+          test "$GITHUB_REF_NAME" = "v$package_version"
+      - run: python -m pip install build twine
+      - run: python -m build
+      - run: python scripts/check_dist.py
+      - uses: actions/upload-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+          if-no-files-found: error
+
+  publish:
+    name: Publish release to PyPI
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/repro-evidence-kit
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@release/v1

repro_evidence_kit-0.4.1/.gitignore

@@ -0,0 +1,12 @@
+__pycache__/
+*.py[cod]
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.coverage
+htmlcov/
+dist/
+build/
+*.egg-info/
+.venv/
+.DS_Store

repro_evidence_kit-0.4.1/CHANGELOG.md

@@ -0,0 +1,49 @@
+# Changelog
+
+## Unreleased
+
+## 0.4.1 - 2026-06-07
+
+- Add a Python 3.10, 3.11, and 3.12 CI matrix using non-editable package installs.
+- Add checked wheel/sdist builds and a release-triggered PyPI Trusted Publishing workflow.
+
+## 0.4.0 - 2026-06-06
+
+- Add signature sidecar JSON Schema validation and packaged-schema regression coverage.
+- Improve `evidence verify-signature` with text output, structured error details, and optional sidecar schema checks.
+- Add `evidence sign --dry-run` for non-writing sidecar previews.
+- Add sandbox required-change checks, SARIF output, and JUnit output for evidence validation.
+- Add synthetic signed-bundle examples, use-case docs, release checklist, example smoke script, and release/install smoke script.
+
+## 0.3.0 - 2026-06-05
+
+- Add `evidence sign` and `evidence verify-signature` for local `hmac-sha256` evidence-bundle sidecars.
+- Document signed-bundle boundaries: local tamper detection only, unsigned bundles remain supported, and signatures do not prove command execution or artifact semantics.
+- Add regression coverage for successful signature verification and payload-mismatch failures.
+
+## 0.2.0 - 2026-06-02
+
+- Add JUnit XML output for `verify sandbox-run` CI report consumers.
+- Add a signed evidence bundles design note that defines the sidecar-first support boundary.
+
+## 0.1.2 - 2026-06-02
+
+- Add optional JSON Schema validation for evidence bundles.
+- Add include/exclude filters for manifest creation.
+- Add Markdown output for `manifest diff` reports.
+- Document stable CLI exit-code meanings and add regression coverage.
+- Expand GitHub Actions cookbook coverage for schema-backed filtered manifest workflows.
+- Clarify source-based installation until a package index release exists.
+
+## 0.1.1 - 2026-05-31
+
+- Add Windows-style path separator normalization for manifest diff and sandbox verification.
+- Expand README maintainer positioning.
+
+## 0.1.0 - 2026-05-30
+
+- Initial release candidate.
+- Add manifest creation and diffing.
+- Add sandbox output verification.
+- Add evidence bundle validation.
+- Add synthetic examples and documentation.

repro_evidence_kit-0.4.1/CONTRIBUTING.md

@@ -0,0 +1,12 @@
+# Contributing
+
+Contributions are welcome if they keep the project general-purpose and reviewable.
+
+Do not submit proprietary binaries, copyrighted samples, private case data, credentials, or target-specific reverse-engineering artifacts. Use synthetic fixtures generated from source code whenever possible.
+
+Before opening a pull request, run:
+
+```bash
+python -m unittest discover -s tests
+python -m repro_evidence_kit evidence validate examples/evidence-bundle.yaml
+```

repro_evidence_kit-0.4.1/LICENSE

@@ -0,0 +1,17 @@
+Apache License
+Version 2.0, January 2004
+https://www.apache.org/licenses/
+
+Copyright 2026 xodnr927-byte
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

repro_evidence_kit-0.4.1/PKG-INFO

@@ -0,0 +1,153 @@
+Metadata-Version: 2.4
+Name: repro-evidence-kit
+Version: 0.4.1
+Summary: Reproducible artifact manifests, sandbox-output verification, and evidence-bundle validation.
+Project-URL: Homepage, https://github.com/xodnr927-byte/repro-evidence-kit
+Project-URL: Issues, https://github.com/xodnr927-byte/repro-evidence-kit/issues
+Author: xodnr927-byte
+License-Expression: Apache-2.0
+License-File: LICENSE
+Keywords: artifact,binary-analysis,evidence,manifest,reproducibility,sha256
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Quality Assurance
+Requires-Python: >=3.10
+Requires-Dist: pyyaml>=6.0
+Provides-Extra: dev
+Requires-Dist: jsonschema>=4.0; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Provides-Extra: schema
+Requires-Dist: jsonschema>=4.0; extra == 'schema'
+Description-Content-Type: text/markdown
+
+# repro-evidence-kit
+
+[![CI](https://github.com/xodnr927-byte/repro-evidence-kit/actions/workflows/ci.yml/badge.svg)](https://github.com/xodnr927-byte/repro-evidence-kit/actions/workflows/ci.yml)
+[![Release](https://img.shields.io/github/v/release/xodnr927-byte/repro-evidence-kit)](https://github.com/xodnr927-byte/repro-evidence-kit/releases)
+[![Python](https://img.shields.io/badge/python-3.10%2B-blue)](https://www.python.org/)
+[![License](https://img.shields.io/github/license/xodnr927-byte/repro-evidence-kit)](LICENSE)
+
+A small command-line toolkit for reproducible artifact verification in binary analysis, security research, and automation workflows.
+
+It creates hash manifests, compares experiment outputs, and validates evidence bundles so results can be reviewed without relying on private source data.
+
+## Why this matters
+
+Generated artifacts are hard to review when the only proof is a large log, a private input tree, or a verbal claim that "nothing important changed." `repro-evidence-kit` keeps the review surface small: it records byte hashes, separates expected output changes from unexpected ones, and stores enough command context for another maintainer to rerun or challenge the evidence.
+
+The project is intentionally target-neutral. It should help maintainers in CI, security research, binary-analysis, data-processing, and automation workflows without requiring them to publish proprietary samples or project-specific case files.
+
+## Use cases
+
+- Review what changed during artifact-heavy CI or release automation.
+- Verify that a sandboxed experiment only produced explicitly allowed outputs.
+- Attach compact, hash-backed evidence bundles to pull requests or research notes.
+- Keep generated reports reviewable without publishing private input data.
+
+## What this proves
+
+- File manifests prove byte identity for the files they list.
+- Manifest diffs separate expected artifact changes from unexpected ones.
+- Sandbox verification proves the observed output set stayed inside an explicit allowlist.
+- Evidence bundles preserve command context, inputs, outputs, and hashes for review.
+- Signed sidecars add local tamper detection for exact bundle bytes.
+
+## What this does not prove
+
+- Hashes do not prove that generated outputs are semantically correct.
+- A passing sandbox check does not prove that a command was safe.
+- Signed sidecars do not prove signer identity, key trust, command execution, or artifact semantics.
+- Private or proprietary inputs still require reviewer judgment outside this repository.
+
+## Features
+
+- Create deterministic SHA-256 manifests for files or filtered directory trees.
+- Diff two manifests to identify added, removed, changed, and unchanged artifacts.
+- Verify sandbox/experiment outputs against explicit allowlists, with optional JUnit XML for CI report consumers.
+- Validate simple YAML or JSON evidence bundles, with optional JSON Schema checks.
+- Sign and verify evidence bundle sidecars with a local-key tamper-detection prototype.
+- Includes only synthetic public examples.
+
+## Install
+
+Until a package index release is published, install from the repository:
+
+```bash
+pip install "git+https://github.com/xodnr927-byte/repro-evidence-kit.git@v0.4.1"
+```
+
+For local development:
+
+```bash
+python -m venv .venv
+. .venv/bin/activate
+pip install -e .
+```
+
+## Quick start
+
+```bash
+repro-evidence manifest create examples/dummy-binary -o before.json
+repro-evidence manifest diff before.json before.json
+repro-evidence evidence validate examples/evidence-bundle.yaml
+```
+
+For larger artifact trees, filter manifests with explicit include/exclude patterns:
+
+```bash
+repro-evidence manifest create artifacts --include reports --exclude "*.tmp" -o manifest.json
+```
+
+For stricter evidence-bundle checks, install the optional schema extra and validate against the checked-in JSON Schema:
+
+```bash
+pip install "repro-evidence-kit[schema] @ git+https://github.com/xodnr927-byte/repro-evidence-kit.git@v0.4.1"
+repro-evidence evidence validate examples/evidence-bundle.yaml --schema
+```
+
+
+Signed bundle sidecars are optional. For a local tamper-detection prototype, create or provide local trust material and keep it out of git:
+
+```bash
+printf 'synthetic local test key only\n' > local-test.key
+repro-evidence evidence sign examples/evidence-bundle.yaml --key local-test.key -o evidence-bundle.yaml.sig.json
+repro-evidence evidence verify-signature examples/evidence-bundle.yaml --signature evidence-bundle.yaml.sig.json --key local-test.key
+```
+
+Sandbox verification compares a baseline manifest with an after-run manifest:
+
+```bash
+repro-evidence verify sandbox-run before.json after.json --allow-added report.json
+```
+
+The command exits `0` when all changes are allowed and `1` when unexpected changes are present.
+
+## Documentation
+
+- [CLI reference](docs/cli.md)
+- [CLI exit codes](docs/cli-exit-codes.md)
+- [Tutorial](docs/tutorial.md)
+- [Evidence bundle format](docs/evidence-bundle-format.md)
+- [Use cases](docs/use-cases.md)
+- [Signed evidence bundles design note](docs/signed-bundles.md)
+- [Maintainer workflow](docs/maintainer-workflow.md)
+- [Release checklist](docs/release-checklist.md)
+- [PyPI publishing](docs/publishing.md)
+- [GitHub Actions cookbook](docs/github-actions.md) — CI recipes for validation, manifests, sandbox checks, and schema-backed filtered workflows.
+- [Design principles](docs/design-principles.md)
+- [Roadmap](ROADMAP.md)
+
+## Data policy
+
+This repository is for generic reproducibility tooling. Do not add proprietary binaries, private datasets, copyrighted samples, live credentials, forensic case data, or project-specific reverse-engineering targets. Public examples must be synthetic or clearly redistributable.
+
+## Status
+
+`0.4.x` is an early maintainer-tooling release series. The CLI and schema stay intentionally small, conservative, and synthetic-example-only.

repro_evidence_kit-0.4.1/README.md

@@ -0,0 +1,124 @@
+# repro-evidence-kit
+
+[![CI](https://github.com/xodnr927-byte/repro-evidence-kit/actions/workflows/ci.yml/badge.svg)](https://github.com/xodnr927-byte/repro-evidence-kit/actions/workflows/ci.yml)
+[![Release](https://img.shields.io/github/v/release/xodnr927-byte/repro-evidence-kit)](https://github.com/xodnr927-byte/repro-evidence-kit/releases)
+[![Python](https://img.shields.io/badge/python-3.10%2B-blue)](https://www.python.org/)
+[![License](https://img.shields.io/github/license/xodnr927-byte/repro-evidence-kit)](LICENSE)
+
+A small command-line toolkit for reproducible artifact verification in binary analysis, security research, and automation workflows.
+
+It creates hash manifests, compares experiment outputs, and validates evidence bundles so results can be reviewed without relying on private source data.
+
+## Why this matters
+
+Generated artifacts are hard to review when the only proof is a large log, a private input tree, or a verbal claim that "nothing important changed." `repro-evidence-kit` keeps the review surface small: it records byte hashes, separates expected output changes from unexpected ones, and stores enough command context for another maintainer to rerun or challenge the evidence.
+
+The project is intentionally target-neutral. It should help maintainers in CI, security research, binary-analysis, data-processing, and automation workflows without requiring them to publish proprietary samples or project-specific case files.
+
+## Use cases
+
+- Review what changed during artifact-heavy CI or release automation.
+- Verify that a sandboxed experiment only produced explicitly allowed outputs.
+- Attach compact, hash-backed evidence bundles to pull requests or research notes.
+- Keep generated reports reviewable without publishing private input data.
+
+## What this proves
+
+- File manifests prove byte identity for the files they list.
+- Manifest diffs separate expected artifact changes from unexpected ones.
+- Sandbox verification proves the observed output set stayed inside an explicit allowlist.
+- Evidence bundles preserve command context, inputs, outputs, and hashes for review.
+- Signed sidecars add local tamper detection for exact bundle bytes.
+
+## What this does not prove
+
+- Hashes do not prove that generated outputs are semantically correct.
+- A passing sandbox check does not prove that a command was safe.
+- Signed sidecars do not prove signer identity, key trust, command execution, or artifact semantics.
+- Private or proprietary inputs still require reviewer judgment outside this repository.
+
+## Features
+
+- Create deterministic SHA-256 manifests for files or filtered directory trees.
+- Diff two manifests to identify added, removed, changed, and unchanged artifacts.
+- Verify sandbox/experiment outputs against explicit allowlists, with optional JUnit XML for CI report consumers.
+- Validate simple YAML or JSON evidence bundles, with optional JSON Schema checks.
+- Sign and verify evidence bundle sidecars with a local-key tamper-detection prototype.
+- Includes only synthetic public examples.
+
+## Install
+
+Until a package index release is published, install from the repository:
+
+```bash
+pip install "git+https://github.com/xodnr927-byte/repro-evidence-kit.git@v0.4.1"
+```
+
+For local development:
+
+```bash
+python -m venv .venv
+. .venv/bin/activate
+pip install -e .
+```
+
+## Quick start
+
+```bash
+repro-evidence manifest create examples/dummy-binary -o before.json
+repro-evidence manifest diff before.json before.json
+repro-evidence evidence validate examples/evidence-bundle.yaml
+```
+
+For larger artifact trees, filter manifests with explicit include/exclude patterns:
+
+```bash
+repro-evidence manifest create artifacts --include reports --exclude "*.tmp" -o manifest.json
+```
+
+For stricter evidence-bundle checks, install the optional schema extra and validate against the checked-in JSON Schema:
+
+```bash
+pip install "repro-evidence-kit[schema] @ git+https://github.com/xodnr927-byte/repro-evidence-kit.git@v0.4.1"
+repro-evidence evidence validate examples/evidence-bundle.yaml --schema
+```
+
+
+Signed bundle sidecars are optional. For a local tamper-detection prototype, create or provide local trust material and keep it out of git:
+
+```bash
+printf 'synthetic local test key only\n' > local-test.key
+repro-evidence evidence sign examples/evidence-bundle.yaml --key local-test.key -o evidence-bundle.yaml.sig.json
+repro-evidence evidence verify-signature examples/evidence-bundle.yaml --signature evidence-bundle.yaml.sig.json --key local-test.key
+```
+
+Sandbox verification compares a baseline manifest with an after-run manifest:
+
+```bash
+repro-evidence verify sandbox-run before.json after.json --allow-added report.json
+```
+
+The command exits `0` when all changes are allowed and `1` when unexpected changes are present.
+
+## Documentation
+
+- [CLI reference](docs/cli.md)
+- [CLI exit codes](docs/cli-exit-codes.md)
+- [Tutorial](docs/tutorial.md)
+- [Evidence bundle format](docs/evidence-bundle-format.md)
+- [Use cases](docs/use-cases.md)
+- [Signed evidence bundles design note](docs/signed-bundles.md)
+- [Maintainer workflow](docs/maintainer-workflow.md)
+- [Release checklist](docs/release-checklist.md)
+- [PyPI publishing](docs/publishing.md)
+- [GitHub Actions cookbook](docs/github-actions.md) — CI recipes for validation, manifests, sandbox checks, and schema-backed filtered workflows.
+- [Design principles](docs/design-principles.md)
+- [Roadmap](ROADMAP.md)
+
+## Data policy
+
+This repository is for generic reproducibility tooling. Do not add proprietary binaries, private datasets, copyrighted samples, live credentials, forensic case data, or project-specific reverse-engineering targets. Public examples must be synthetic or clearly redistributable.
+
+## Status
+
+`0.4.x` is an early maintainer-tooling release series. The CLI and schema stay intentionally small, conservative, and synthetic-example-only.

repro_evidence_kit-0.4.1/ROADMAP.md

@@ -0,0 +1,38 @@
+# Roadmap
+
+## Recently completed
+
+These are available in `v0.4.0`:
+
+- Markdown output for `manifest diff` reports.
+- Include/exclude filters for large artifact-tree manifests.
+- Optional JSON Schema validation for evidence bundles.
+- Stable CLI exit-code documentation and regression coverage.
+- GitHub Actions cookbook and CI leakage audit.
+- Minimal signed evidence bundle sidecar prototype.
+
+- Signature sidecar JSON Schema and packaged schema regression tests.
+- Reviewer-friendly `verify-signature --format text` output and structured JSON error details.
+- `evidence sign --dry-run` for non-writing sidecar preview.
+- Synthetic signed-bundle example, release checklist, use-cases page, and example smoke script.
+- Sandbox SARIF output, required-change checks, and evidence-validation JUnit output.
+- Fresh-environment release/install smoke script for tagged source references.
+
+## Near-term polish
+
+- Keep examples synthetic-only.
+- Expand CI recipes for signed-bundle verification and example smoke checks.
+- Complete the first PyPI release after Trusted Publisher configuration.
+- Add SARIF or additional JUnit adapters only after the JSON/text contracts stay stable.
+
+## Later ideas
+
+- SARIF output for CI code-scanning integrations.
+- Richer signed bundle trust policies after the sidecar contract is stable.
+
+## Non-goals
+
+- Storing private source data.
+- Shipping proprietary binary samples.
+- Becoming a target-specific reverse-engineering framework.
+- Claiming semantic correctness from hashes alone.

repro_evidence_kit-0.4.1/SECURITY.md

@@ -0,0 +1,5 @@
+# Security policy
+
+Please do not attach private binaries, credentials, forensic datasets, or sensitive logs to public issues.
+
+If you believe the toolkit mishandles paths, hashes, evidence bundles, or generated reports in a way that could disclose sensitive data, open a private security advisory or contact the maintainer through GitHub.

repro_evidence_kit-0.4.1/docs/cli-exit-codes.md

@@ -0,0 +1,11 @@
+# CLI exit codes
+
+All commands use the same top-level exit-code contract.
+
+| Code | Meaning | Examples |
+| --- | --- | --- |
+| `0` | The command completed and the checked predicate passed. | Manifest written, manifests diffed, evidence bundle valid, signature verified. |
+| `1` | The command completed and found an expected validation or verification failure. | Invalid evidence bundle, unexpected sandbox outputs, signature mismatch, unsupported signature sidecar metadata. |
+| `2` | The command could not complete because of an input, parsing, filesystem, dependency, or runtime error. | Missing JSON file, malformed sidecar JSON, unreadable evidence file, schema validation without `jsonschema`. |
+
+Use `1` as a CI policy failure and `2` as an infrastructure or invocation failure.