rio-receipt-protocol 2.2.0__tar.gz

rio_receipt_protocol-2.2.0/PKG-INFO

@@ -0,0 +1,121 @@
+Metadata-Version: 2.4
+Name: rio-receipt-protocol
+Version: 2.2.0
+Summary: Cryptographic proof for AI actions. Generate tamper-evident receipts, maintain hash-chained ledgers, and verify AI action audit trails. Zero dependencies.
+Author: RIO Protocol Contributors
+License: MIT OR Apache-2.0
+Project-URL: Homepage, https://rioprotocol-q9cry3ny.manus.space
+Project-URL: Repository, https://github.com/bkr1297-RIO/rio-receipt-protocol
+Project-URL: Issues, https://github.com/bkr1297-RIO/rio-receipt-protocol/issues
+Project-URL: Changelog, https://github.com/bkr1297-RIO/rio-receipt-protocol/blob/main/CHANGELOG.md
+Keywords: ai-governance,ai-receipts,cryptographic-proof,tamper-evident,hash-chain,ledger,ai-audit,ai-safety,sha256,ed25519,openai,anthropic,langchain,ai-agent,compliance,audit-trail
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Classifier: Typing :: Typed
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Provides-Extra: signing
+Requires-Dist: pynacl>=1.5.0; extra == "signing"
+
+# rio-receipt-protocol
+
+Cryptographic proof for AI actions. Open standard. **Zero required dependencies.**
+
+Generate tamper-evident receipts, maintain hash-chained ledgers, and verify AI action audit trails — all with nothing more than the Python standard library.
+
+## Installation
+
+```bash
+pip install rio-receipt-protocol
+```
+
+For Ed25519 signature support (optional):
+
+```bash
+pip install rio-receipt-protocol[signing]
+```
+
+## Quick Start
+
+```python
+from rio_receipt_protocol import (
+    hash_intent, hash_execution, generate_receipt, verify_receipt, create_ledger
+)
+
+# 1. Hash the intent
+intent_hash = hash_intent(
+    intent_id="i-001",
+    action="send_email",
+    agent_id="agent-1",
+    parameters={"to": "user@example.com", "subject": "Hello"},
+    timestamp="2026-04-01T00:00:00.000Z",
+)
+
+# 2. Hash the execution
+execution_hash = hash_execution(
+    intent_id="i-001",
+    action="send_email",
+    result="sent",
+    connector="smtp",
+    timestamp="2026-04-01T00:00:01.000Z",
+)
+
+# 3. Generate a receipt
+receipt = generate_receipt(
+    intent_hash=intent_hash,
+    execution_hash=execution_hash,
+    intent_id="i-001",
+    action="send_email",
+    agent_id="agent-1",
+)
+
+# 4. Verify it
+result = verify_receipt(receipt)
+assert result["valid"] is True
+
+# 5. Append to a tamper-evident ledger
+ledger = create_ledger()
+entry = ledger.append(
+    intent_id="i-001",
+    action="send_email",
+    agent_id="agent-1",
+    status="executed",
+    detail="Email sent",
+    receipt_hash=receipt["hash_chain"]["receipt_hash"],
+)
+
+# 6. Verify the chain
+chain = ledger.verify_chain()
+assert chain["valid"] is True
+```
+
+## API Reference
+
+The Python package mirrors the Node.js API exactly:
+
+| Function | Description |
+|---|---|
+| `sha256(data)` | SHA-256 hash of a string |
+| `hash_intent(...)` | Hash an intent object |
+| `hash_execution(...)` | Hash an execution record |
+| `hash_governance(...)` | Hash a governance decision (optional) |
+| `hash_authorization(...)` | Hash an authorization record (optional) |
+| `generate_receipt(...)` | Generate a v2.2 receipt |
+| `verify_receipt(receipt)` | Verify a receipt's hash chain |
+| `create_ledger(file_path=None)` | Create a tamper-evident ledger |
+| `verify_receipt_standalone(receipt)` | Independent receipt verification |
+| `verify_chain(entries)` | Verify a ledger hash chain |
+| `verify_receipt_batch(receipts)` | Batch-verify multiple receipts |
+
+## License
+
+Dual-licensed under MIT and Apache 2.0.

rio_receipt_protocol-2.2.0/README.md

@@ -0,0 +1,93 @@
+# rio-receipt-protocol
+
+Cryptographic proof for AI actions. Open standard. **Zero required dependencies.**
+
+Generate tamper-evident receipts, maintain hash-chained ledgers, and verify AI action audit trails — all with nothing more than the Python standard library.
+
+## Installation
+
+```bash
+pip install rio-receipt-protocol
+```
+
+For Ed25519 signature support (optional):
+
+```bash
+pip install rio-receipt-protocol[signing]
+```
+
+## Quick Start
+
+```python
+from rio_receipt_protocol import (
+    hash_intent, hash_execution, generate_receipt, verify_receipt, create_ledger
+)
+
+# 1. Hash the intent
+intent_hash = hash_intent(
+    intent_id="i-001",
+    action="send_email",
+    agent_id="agent-1",
+    parameters={"to": "user@example.com", "subject": "Hello"},
+    timestamp="2026-04-01T00:00:00.000Z",
+)
+
+# 2. Hash the execution
+execution_hash = hash_execution(
+    intent_id="i-001",
+    action="send_email",
+    result="sent",
+    connector="smtp",
+    timestamp="2026-04-01T00:00:01.000Z",
+)
+
+# 3. Generate a receipt
+receipt = generate_receipt(
+    intent_hash=intent_hash,
+    execution_hash=execution_hash,
+    intent_id="i-001",
+    action="send_email",
+    agent_id="agent-1",
+)
+
+# 4. Verify it
+result = verify_receipt(receipt)
+assert result["valid"] is True
+
+# 5. Append to a tamper-evident ledger
+ledger = create_ledger()
+entry = ledger.append(
+    intent_id="i-001",
+    action="send_email",
+    agent_id="agent-1",
+    status="executed",
+    detail="Email sent",
+    receipt_hash=receipt["hash_chain"]["receipt_hash"],
+)
+
+# 6. Verify the chain
+chain = ledger.verify_chain()
+assert chain["valid"] is True
+```
+
+## API Reference
+
+The Python package mirrors the Node.js API exactly:
+
+| Function | Description |
+|---|---|
+| `sha256(data)` | SHA-256 hash of a string |
+| `hash_intent(...)` | Hash an intent object |
+| `hash_execution(...)` | Hash an execution record |
+| `hash_governance(...)` | Hash a governance decision (optional) |
+| `hash_authorization(...)` | Hash an authorization record (optional) |
+| `generate_receipt(...)` | Generate a v2.2 receipt |
+| `verify_receipt(receipt)` | Verify a receipt's hash chain |
+| `create_ledger(file_path=None)` | Create a tamper-evident ledger |
+| `verify_receipt_standalone(receipt)` | Independent receipt verification |
+| `verify_chain(entries)` | Verify a ledger hash chain |
+| `verify_receipt_batch(receipts)` | Batch-verify multiple receipts |
+
+## License
+
+Dual-licensed under MIT and Apache 2.0.

rio_receipt_protocol-2.2.0/pyproject.toml

@@ -0,0 +1,45 @@
+[build-system]
+requires = ["setuptools>=68.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "rio-receipt-protocol"
+version = "2.2.0"
+description = "Cryptographic proof for AI actions. Generate tamper-evident receipts, maintain hash-chained ledgers, and verify AI action audit trails. Zero dependencies."
+readme = "README.md"
+license = {text = "MIT OR Apache-2.0"}
+requires-python = ">=3.9"
+authors = [
+    {name = "RIO Protocol Contributors"}
+]
+keywords = [
+    "ai-governance", "ai-receipts", "cryptographic-proof", "tamper-evident",
+    "hash-chain", "ledger", "ai-audit", "ai-safety", "sha256", "ed25519",
+    "openai", "anthropic", "langchain", "ai-agent", "compliance", "audit-trail",
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "License :: OSI Approved :: Apache Software License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Security :: Cryptography",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+    "Typing :: Typed",
+]
+
+[project.urls]
+Homepage = "https://rioprotocol-q9cry3ny.manus.space"
+Repository = "https://github.com/bkr1297-RIO/rio-receipt-protocol"
+Issues = "https://github.com/bkr1297-RIO/rio-receipt-protocol/issues"
+Changelog = "https://github.com/bkr1297-RIO/rio-receipt-protocol/blob/main/CHANGELOG.md"
+
+[project.optional-dependencies]
+signing = ["pynacl>=1.5.0"]
+
+[tool.setuptools.packages.find]
+include = ["rio_receipt_protocol*"]

rio_receipt_protocol-2.2.0/rio_receipt_protocol/__init__.py

@@ -0,0 +1,26 @@
+"""
+RIO Receipt Protocol — Python Implementation (v2.2)
+
+Cryptographic proof for AI actions. Open standard. Zero required dependencies.
+"""
+
+__version__ = "2.2.0"
+
+from .receipts import (
+    sha256, hash_intent, hash_execution, hash_governance, hash_authorization,
+    generate_receipt, verify_receipt,
+    generate_keypair, sign_receipt,
+)
+from .ledger import GENESIS_HASH, create_ledger
+from .verifier import (
+    verify_receipt_standalone, verify_chain,
+    verify_receipt_against_ledger, verify_receipt_batch,
+)
+
+__all__ = [
+    "sha256", "hash_intent", "hash_execution", "hash_governance", "hash_authorization",
+    "generate_receipt", "verify_receipt",
+    "generate_keypair", "sign_receipt",
+    "GENESIS_HASH", "create_ledger",
+    "verify_receipt_standalone", "verify_chain", "verify_receipt_against_ledger", "verify_receipt_batch",
+]

rio_receipt_protocol-2.2.0/rio_receipt_protocol/ledger.py

@@ -0,0 +1,106 @@
+"""
+RIO Receipt Protocol — Tamper-Evident Ledger
+
+Zero external dependencies beyond the Python standard library.
+"""
+
+import json
+import os
+import uuid
+from datetime import datetime, timezone
+
+from .receipts import sha256
+
+GENESIS_HASH = "0000000000000000000000000000000000000000000000000000000000000000"
+
+
+def _canonicalize(entry: dict) -> str:
+    return json.dumps(
+        {"entry_id": entry["entry_id"], "prev_hash": entry["prev_hash"],
+         "timestamp": entry["timestamp"], "intent_id": entry["intent_id"],
+         "action": entry["action"], "agent_id": entry["agent_id"],
+         "status": entry["status"], "detail": entry["detail"],
+         "receipt_hash": entry.get("receipt_hash"),
+         "authorization_hash": entry.get("authorization_hash"),
+         "intent_hash": entry.get("intent_hash")},
+        separators=(",", ":"), ensure_ascii=False,
+    )
+
+
+class Ledger:
+    def __init__(self, file_path: str = None):
+        self._entries = []
+        self._current_hash = GENESIS_HASH
+        self._file_path = file_path
+        if file_path and os.path.exists(file_path):
+            try:
+                with open(file_path, "r", encoding="utf-8") as f:
+                    self._entries = json.load(f)
+                if self._entries:
+                    self._current_hash = self._entries[-1]["ledger_hash"]
+            except Exception:
+                self._entries = []
+                self._current_hash = GENESIS_HASH
+
+    def _persist(self):
+        if not self._file_path:
+            return
+        os.makedirs(os.path.dirname(self._file_path) or ".", exist_ok=True)
+        with open(self._file_path, "w", encoding="utf-8") as f:
+            json.dump(self._entries, f, indent=2, ensure_ascii=False)
+
+    def append(self, intent_id: str, action: str, agent_id: str, status: str, detail: str,
+               receipt_hash: str = None, authorization_hash: str = None, intent_hash: str = None) -> dict:
+        prev_hash = self._current_hash
+        now = datetime.now(timezone.utc)
+        timestamp = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
+        entry = {
+            "entry_id": str(uuid.uuid4()), "prev_hash": prev_hash, "ledger_hash": None,
+            "timestamp": timestamp, "intent_id": intent_id, "action": action,
+            "agent_id": agent_id, "status": status, "detail": detail,
+            "receipt_hash": receipt_hash, "authorization_hash": authorization_hash,
+            "intent_hash": intent_hash,
+        }
+        entry["ledger_hash"] = sha256(_canonicalize(entry))
+        self._current_hash = entry["ledger_hash"]
+        self._entries.append(entry)
+        self._persist()
+        return entry
+
+    def verify_chain(self) -> dict:
+        if not self._entries:
+            return {"valid": True, "entries_checked": 0, "first_invalid": None}
+        prev = GENESIS_HASH
+        for i, e in enumerate(self._entries):
+            if e["prev_hash"] != prev:
+                return {"valid": False, "entries_checked": i + 1, "first_invalid": i,
+                        "reason": f"Entry {i} prev_hash mismatch. Expected: {prev}, Got: {e['prev_hash']}"}
+            computed = sha256(_canonicalize(e))
+            if computed != e["ledger_hash"]:
+                return {"valid": False, "entries_checked": i + 1, "first_invalid": i,
+                        "reason": f"Entry {i} hash mismatch. Computed: {computed}, Stored: {e['ledger_hash']}"}
+            prev = e["ledger_hash"]
+        return {"valid": True, "entries_checked": len(self._entries), "first_invalid": None}
+
+    def get_entries(self, limit: int = 100, offset: int = 0) -> list:
+        return self._entries[offset:offset + limit]
+
+    def get_entries_by_intent(self, intent_id: str) -> list:
+        return [e for e in self._entries if e["intent_id"] == intent_id]
+
+    def get_entry_count(self) -> int:
+        return len(self._entries)
+
+    def get_current_hash(self) -> str:
+        return self._current_hash
+
+    def get_latest_entry(self) -> dict:
+        return self._entries[-1] if self._entries else None
+
+    def export(self) -> list:
+        return json.loads(json.dumps(self._entries))
+
+
+def create_ledger(file_path: str = None) -> Ledger:
+    """Create a new Ledger instance."""
+    return Ledger(file_path=file_path)

rio_receipt_protocol-2.2.0/rio_receipt_protocol/receipts.py

@@ -0,0 +1,247 @@
+"""
+RIO Receipt Protocol — Receipt Generation and Verification
+
+Zero external dependencies beyond the Python standard library.
+"""
+
+import hashlib
+import json
+import uuid
+from datetime import datetime, timezone
+
+
+def sha256(data: str) -> str:
+    """Compute SHA-256 hash of a string. Returns 64-char lowercase hex."""
+    return hashlib.sha256(data.encode("utf-8")).hexdigest()
+
+
+def hash_intent(intent_id: str, action: str, agent_id: str, parameters: dict, timestamp: str) -> str:
+    """Hash an intent object using canonical field order."""
+    canonical = json.dumps(
+        {"intent_id": intent_id, "action": action, "agent_id": agent_id,
+         "parameters": parameters, "timestamp": timestamp},
+        separators=(",", ":"), ensure_ascii=False,
+    )
+    return sha256(canonical)
+
+
+def hash_execution(intent_id: str, action: str, result: object, connector: str, timestamp: str) -> str:
+    """Hash an execution record using canonical field order."""
+    canonical = json.dumps(
+        {"intent_id": intent_id, "action": action, "result": result,
+         "connector": connector, "timestamp": timestamp},
+        separators=(",", ":"), ensure_ascii=False,
+    )
+    return sha256(canonical)
+
+
+def hash_governance(intent_id: str, status: str, risk_level: str, requires_approval: bool, checks: list) -> str:
+    """Hash a governance decision. Optional — only for governed receipts."""
+    canonical = json.dumps(
+        {"intent_id": intent_id, "status": status, "risk_level": risk_level,
+         "requires_approval": requires_approval, "checks": checks},
+        separators=(",", ":"), ensure_ascii=False,
+    )
+    return sha256(canonical)
+
+
+def hash_authorization(intent_id: str, decision: str, authorized_by: str, timestamp: str, conditions=None) -> str:
+    """Hash an authorization record. Optional — only for governed receipts."""
+    canonical = json.dumps(
+        {"intent_id": intent_id, "decision": decision, "authorized_by": authorized_by,
+         "timestamp": timestamp, "conditions": conditions},
+        separators=(",", ":"), ensure_ascii=False,
+    )
+    return sha256(canonical)
+
+
+def _build_chain_order(data: dict) -> list:
+    order = ["intent_hash"]
+    if data.get("governance_hash"):
+        order.append("governance_hash")
+    if data.get("authorization_hash"):
+        order.append("authorization_hash")
+    order.append("execution_hash")
+    order.append("receipt_hash")
+    return order
+
+
+def generate_receipt(
+    intent_hash: str, execution_hash: str, intent_id: str, action: str, agent_id: str,
+    governance_hash: str = None, authorization_hash: str = None,
+    authorized_by: str = None, receipt_type: str = None,
+    ingestion: dict = None, identity_binding: dict = None,
+) -> dict:
+    """Generate a RIO Receipt (v2.2)."""
+    receipt_id = str(uuid.uuid4())
+    now = datetime.now(timezone.utc)
+    timestamp = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
+
+    is_governed = bool(governance_hash and authorization_hash)
+    if receipt_type is None:
+        receipt_type = "governed_action" if is_governed else "action"
+
+    data = {"intent_hash": intent_hash, "execution_hash": execution_hash,
+            "governance_hash": governance_hash, "authorization_hash": authorization_hash}
+    chain_order = _build_chain_order(data)
+
+    receipt_content = {"receipt_id": receipt_id}
+    for field in chain_order:
+        if field != "receipt_hash":
+            receipt_content[field] = data[field]
+    receipt_content["timestamp"] = timestamp
+    receipt_hash = sha256(json.dumps(receipt_content, separators=(",", ":"), ensure_ascii=False))
+
+    receipt = {
+        "receipt_id": receipt_id, "receipt_type": receipt_type,
+        "intent_id": intent_id, "action": action, "agent_id": agent_id,
+        "authorized_by": authorized_by, "timestamp": timestamp,
+        "hash_chain": {
+            "intent_hash": intent_hash, "governance_hash": governance_hash,
+            "authorization_hash": authorization_hash, "execution_hash": execution_hash,
+            "receipt_hash": receipt_hash,
+        },
+        "verification": {
+            "algorithm": "SHA-256", "chain_length": len(chain_order), "chain_order": chain_order,
+        },
+    }
+
+    if ingestion:
+        receipt["ingestion"] = {
+            "source": ingestion.get("source"), "channel": ingestion.get("channel"),
+            "source_message_id": ingestion.get("source_message_id"),
+            "timestamp": ingestion.get("timestamp", timestamp),
+        }
+    if identity_binding:
+        receipt["identity_binding"] = {
+            "signer_id": identity_binding.get("signer_id"),
+            "public_key_hex": identity_binding.get("public_key_hex"),
+            "signature_payload_hash": identity_binding.get("signature_payload_hash"),
+            "verification_method": identity_binding.get("verification_method"),
+            "ed25519_signed": identity_binding.get("ed25519_signed", False),
+        }
+
+    return receipt
+
+
+def verify_receipt(receipt: dict) -> dict:
+    """Verify a receipt by recomputing the receipt hash from its components."""
+    chain_order = receipt.get("verification", {}).get("chain_order",
+        ["intent_hash", "execution_hash", "receipt_hash"])
+
+    receipt_content = {"receipt_id": receipt["receipt_id"]}
+    for field in chain_order:
+        if field != "receipt_hash":
+            receipt_content[field] = receipt["hash_chain"][field]
+    receipt_content["timestamp"] = receipt["timestamp"]
+
+    computed_hash = sha256(json.dumps(receipt_content, separators=(",", ":"), ensure_ascii=False))
+    stored_hash = receipt["hash_chain"]["receipt_hash"]
+
+    return {
+        "valid": computed_hash == stored_hash,
+        "computed_hash": computed_hash, "stored_hash": stored_hash,
+        "receipt_id": receipt["receipt_id"],
+        "receipt_type": receipt.get("receipt_type", "action"),
+    }
+
+
+# ─── Ed25519 Signing (optional — requires no external dependencies) ──────────
+
+def generate_keypair() -> dict:
+    """
+    Generate an Ed25519 keypair using Python's standard library (3.12+)
+    or PyNaCl as fallback.
+
+    Returns dict with: private_key_hex, public_key_hex, private_key_obj
+    """
+    try:
+        # Python 3.12+ has Ed25519 in the standard library
+        from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+        from cryptography.hazmat.primitives.serialization import (
+            Encoding, NoEncryption, PrivateFormat, PublicFormat,
+        )
+        private_key = Ed25519PrivateKey.generate()
+        private_bytes = private_key.private_bytes(
+            Encoding.Raw, PrivateFormat.Raw, NoEncryption(),
+        )
+        public_bytes = private_key.public_key().public_bytes(
+            Encoding.Raw, PublicFormat.Raw,
+        )
+        return {
+            "private_key_hex": private_bytes.hex(),
+            "public_key_hex": public_bytes.hex(),
+            "private_key_obj": private_key,
+        }
+    except ImportError:
+        pass
+
+    try:
+        from nacl.signing import SigningKey
+        from nacl.encoding import HexEncoder
+        signing_key = SigningKey.generate()
+        return {
+            "private_key_hex": signing_key.encode(HexEncoder).decode(),
+            "public_key_hex": signing_key.verify_key.encode(HexEncoder).decode(),
+            "private_key_obj": signing_key,
+        }
+    except ImportError:
+        raise ImportError(
+            "Ed25519 signing requires either 'cryptography' or 'PyNaCl'. "
+            "Install one: pip install cryptography  OR  pip install pynacl"
+        )
+
+
+def sign_receipt(receipt: dict, private_key_obj, public_key_hex: str, signer_id: str) -> dict:
+    """
+    Sign a receipt with Ed25519.
+
+    The signed payload is the UTF-8 encoding of the 64-character hex
+    receipt_hash string (per spec Section 4.2). The signature is stored
+    in identity_binding.signature_hex as a lowercase hex string.
+
+    This function mutates the receipt in place and also returns it.
+
+    Args:
+        receipt: A generated RIO Receipt (must have hash_chain.receipt_hash)
+        private_key_obj: Ed25519 private key object (from generate_keypair)
+        public_key_hex: 64-char hex-encoded public key
+        signer_id: Identifier of the signing authority
+    """
+    receipt_hash = receipt.get("hash_chain", {}).get("receipt_hash", "")
+    if not receipt_hash or len(receipt_hash) != 64:
+        raise ValueError("Cannot sign: receipt has no valid receipt_hash")
+
+    payload = receipt_hash.encode("utf-8")
+
+    # Try cryptography library first, then PyNaCl
+    try:
+        from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+        if isinstance(private_key_obj, Ed25519PrivateKey):
+            signature_bytes = private_key_obj.sign(payload)
+            signature_hex = signature_bytes.hex()
+        else:
+            raise TypeError("Not a cryptography key")
+    except (ImportError, TypeError):
+        from nacl.signing import SigningKey
+        if isinstance(private_key_obj, SigningKey):
+            signed = private_key_obj.sign(payload)
+            signature_hex = signed.signature.hex()
+        else:
+            raise TypeError(
+                "private_key_obj must be an Ed25519PrivateKey (cryptography) "
+                "or SigningKey (PyNaCl)"
+            )
+
+    from datetime import datetime, timezone
+    receipt["identity_binding"] = {
+        "signer_id": signer_id,
+        "public_key_hex": public_key_hex,
+        "signature_hex": signature_hex,
+        "signature_payload_hash": receipt_hash,
+        "signed_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.") +
+                     f"{datetime.now(timezone.utc).microsecond // 1000:03d}Z",
+        "verification_method": "ed25519-nacl",
+        "ed25519_signed": True,
+    }
+    return receipt

rio_receipt_protocol-2.2.0/rio_receipt_protocol/verifier.py

@@ -0,0 +1,128 @@
+"""
+RIO Receipt Protocol — Standalone Verifier
+
+Zero external dependencies beyond the Python standard library.
+"""
+
+import re
+import json
+
+from .receipts import sha256
+
+GENESIS_HASH = "0000000000000000000000000000000000000000000000000000000000000000"
+_HEX64 = re.compile(r"^[a-f0-9]{64}$")
+
+
+def verify_receipt_standalone(receipt: dict) -> dict:
+    """Verify a single RIO Receipt (proof-layer or governed)."""
+    errors = []
+    if not receipt.get("receipt_id"):
+        errors.append("Missing receipt_id")
+    if not receipt.get("timestamp"):
+        errors.append("Missing timestamp")
+    if not receipt.get("hash_chain"):
+        errors.append("Missing hash_chain")
+    if not receipt.get("hash_chain"):
+        return {"valid": False, "receipt_id": receipt.get("receipt_id", "unknown"), "errors": errors}
+
+    hc = receipt["hash_chain"]
+    for field in ("intent_hash", "execution_hash", "receipt_hash"):
+        if not hc.get(field):
+            errors.append(f"Missing hash_chain.{field}")
+        elif not _HEX64.match(hc[field]):
+            errors.append(f"Invalid hash format for hash_chain.{field}")
+    for field in ("governance_hash", "authorization_hash"):
+        val = hc.get(field)
+        if val is not None and val and not _HEX64.match(val):
+            errors.append(f"Invalid hash format for hash_chain.{field}")
+    if errors:
+        return {"valid": False, "receipt_id": receipt.get("receipt_id", "unknown"), "errors": errors}
+
+    chain_order = receipt.get("verification", {}).get("chain_order",
+        ["intent_hash", "execution_hash", "receipt_hash"])
+    receipt_content = {"receipt_id": receipt["receipt_id"]}
+    for field in chain_order:
+        if field != "receipt_hash":
+            receipt_content[field] = hc[field]
+    receipt_content["timestamp"] = receipt["timestamp"]
+    computed_hash = sha256(json.dumps(receipt_content, separators=(",", ":"), ensure_ascii=False))
+    stored_hash = hc["receipt_hash"]
+
+    verification = receipt.get("verification", {})
+    if verification.get("algorithm") and verification["algorithm"] != "SHA-256":
+        errors.append(f"Unexpected algorithm: {verification['algorithm']}")
+    if verification.get("chain_length") is not None and verification["chain_length"] != len(chain_order):
+        errors.append(f"chain_length {verification['chain_length']} != chain_order length {len(chain_order)}")
+
+    hash_valid = computed_hash == stored_hash
+    if not hash_valid:
+        errors.append(f"Receipt hash mismatch: computed {computed_hash}, stored {stored_hash}")
+
+    return {
+        "valid": hash_valid and len(errors) == 0,
+        "receipt_id": receipt["receipt_id"],
+        "receipt_type": receipt.get("receipt_type", "action"),
+        "computed_hash": computed_hash, "stored_hash": stored_hash,
+        "chain_length": len(chain_order), "errors": errors,
+    }
+
+
+def verify_chain(entries: list) -> dict:
+    """Verify a ledger hash chain."""
+    if not isinstance(entries, list):
+        return {"valid": False, "entries_checked": 0, "first_invalid": None, "reason": "Input is not a list"}
+    if not entries:
+        return {"valid": True, "entries_checked": 0, "first_invalid": None}
+    prev = GENESIS_HASH
+    for i, e in enumerate(entries):
+        if e.get("prev_hash") != prev:
+            return {"valid": False, "entries_checked": i + 1, "first_invalid": i,
+                    "reason": f"Entry {i} ({e.get('entry_id')}) prev_hash mismatch."}
+        canonical = json.dumps(
+            {"entry_id": e["entry_id"], "prev_hash": e["prev_hash"],
+             "timestamp": e["timestamp"], "intent_id": e["intent_id"],
+             "action": e["action"], "agent_id": e["agent_id"],
+             "status": e["status"], "detail": e["detail"],
+             "receipt_hash": e.get("receipt_hash"),
+             "authorization_hash": e.get("authorization_hash"),
+             "intent_hash": e.get("intent_hash")},
+            separators=(",", ":"), ensure_ascii=False,
+        )
+        computed = sha256(canonical)
+        if computed != e.get("ledger_hash"):
+            return {"valid": False, "entries_checked": i + 1, "first_invalid": i,
+                    "reason": f"Entry {i} ({e.get('entry_id')}) hash mismatch."}
+        prev = e["ledger_hash"]
+    return {"valid": True, "entries_checked": len(entries), "first_invalid": None, "chain_tip": prev}
+
+
+def verify_receipt_against_ledger(receipt: dict, ledger_entry: dict) -> dict:
+    """Cross-verify a receipt against its ledger entry."""
+    receipt_result = verify_receipt_standalone(receipt)
+    errors = list(receipt_result["errors"])
+    if ledger_entry.get("receipt_hash") != receipt["hash_chain"]["receipt_hash"]:
+        errors.append("Ledger entry receipt_hash does not match receipt")
+    if ledger_entry.get("intent_id") != receipt.get("intent_id"):
+        errors.append("Intent ID mismatch")
+    if ledger_entry.get("intent_hash") and ledger_entry["intent_hash"] != receipt["hash_chain"]["intent_hash"]:
+        errors.append("Intent hash mismatch")
+    return {
+        "valid": receipt_result["valid"] and len(errors) == len(receipt_result["errors"]),
+        "receipt_id": receipt["receipt_id"],
+        "entry_id": ledger_entry.get("entry_id"),
+        "receipt_valid": receipt_result["valid"],
+        "cross_references_valid": len(errors) == len(receipt_result["errors"]),
+        "errors": errors,
+    }
+
+
+def verify_receipt_batch(receipts: list) -> dict:
+    """Verify multiple receipts in batch."""
+    results = [verify_receipt_standalone(r) for r in receipts]
+    valid_count = sum(1 for r in results if r["valid"])
+    return {
+        "total": len(receipts), "valid": valid_count,
+        "invalid": len(results) - valid_count,
+        "all_valid": all(r["valid"] for r in results),
+        "results": results,
+    }

rio_receipt_protocol-2.2.0/rio_receipt_protocol.egg-info/PKG-INFO

@@ -0,0 +1,121 @@
+Metadata-Version: 2.4
+Name: rio-receipt-protocol
+Version: 2.2.0
+Summary: Cryptographic proof for AI actions. Generate tamper-evident receipts, maintain hash-chained ledgers, and verify AI action audit trails. Zero dependencies.
+Author: RIO Protocol Contributors
+License: MIT OR Apache-2.0
+Project-URL: Homepage, https://rioprotocol-q9cry3ny.manus.space
+Project-URL: Repository, https://github.com/bkr1297-RIO/rio-receipt-protocol
+Project-URL: Issues, https://github.com/bkr1297-RIO/rio-receipt-protocol/issues
+Project-URL: Changelog, https://github.com/bkr1297-RIO/rio-receipt-protocol/blob/main/CHANGELOG.md
+Keywords: ai-governance,ai-receipts,cryptographic-proof,tamper-evident,hash-chain,ledger,ai-audit,ai-safety,sha256,ed25519,openai,anthropic,langchain,ai-agent,compliance,audit-trail
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Classifier: Typing :: Typed
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Provides-Extra: signing
+Requires-Dist: pynacl>=1.5.0; extra == "signing"
+
+# rio-receipt-protocol
+
+Cryptographic proof for AI actions. Open standard. **Zero required dependencies.**
+
+Generate tamper-evident receipts, maintain hash-chained ledgers, and verify AI action audit trails — all with nothing more than the Python standard library.
+
+## Installation
+
+```bash
+pip install rio-receipt-protocol
+```
+
+For Ed25519 signature support (optional):
+
+```bash
+pip install rio-receipt-protocol[signing]
+```
+
+## Quick Start
+
+```python
+from rio_receipt_protocol import (
+    hash_intent, hash_execution, generate_receipt, verify_receipt, create_ledger
+)
+
+# 1. Hash the intent
+intent_hash = hash_intent(
+    intent_id="i-001",
+    action="send_email",
+    agent_id="agent-1",
+    parameters={"to": "user@example.com", "subject": "Hello"},
+    timestamp="2026-04-01T00:00:00.000Z",
+)
+
+# 2. Hash the execution
+execution_hash = hash_execution(
+    intent_id="i-001",
+    action="send_email",
+    result="sent",
+    connector="smtp",
+    timestamp="2026-04-01T00:00:01.000Z",
+)
+
+# 3. Generate a receipt
+receipt = generate_receipt(
+    intent_hash=intent_hash,
+    execution_hash=execution_hash,
+    intent_id="i-001",
+    action="send_email",
+    agent_id="agent-1",
+)
+
+# 4. Verify it
+result = verify_receipt(receipt)
+assert result["valid"] is True
+
+# 5. Append to a tamper-evident ledger
+ledger = create_ledger()
+entry = ledger.append(
+    intent_id="i-001",
+    action="send_email",
+    agent_id="agent-1",
+    status="executed",
+    detail="Email sent",
+    receipt_hash=receipt["hash_chain"]["receipt_hash"],
+)
+
+# 6. Verify the chain
+chain = ledger.verify_chain()
+assert chain["valid"] is True
+```
+
+## API Reference
+
+The Python package mirrors the Node.js API exactly:
+
+| Function | Description |
+|---|---|
+| `sha256(data)` | SHA-256 hash of a string |
+| `hash_intent(...)` | Hash an intent object |
+| `hash_execution(...)` | Hash an execution record |
+| `hash_governance(...)` | Hash a governance decision (optional) |
+| `hash_authorization(...)` | Hash an authorization record (optional) |
+| `generate_receipt(...)` | Generate a v2.2 receipt |
+| `verify_receipt(receipt)` | Verify a receipt's hash chain |
+| `create_ledger(file_path=None)` | Create a tamper-evident ledger |
+| `verify_receipt_standalone(receipt)` | Independent receipt verification |
+| `verify_chain(entries)` | Verify a ledger hash chain |
+| `verify_receipt_batch(receipts)` | Batch-verify multiple receipts |
+
+## License
+
+Dual-licensed under MIT and Apache 2.0.

rio_receipt_protocol-2.2.0/rio_receipt_protocol.egg-info/SOURCES.txt

@@ -0,0 +1,12 @@
+README.md
+pyproject.toml
+rio_receipt_protocol/__init__.py
+rio_receipt_protocol/ledger.py
+rio_receipt_protocol/receipts.py
+rio_receipt_protocol/verifier.py
+rio_receipt_protocol.egg-info/PKG-INFO
+rio_receipt_protocol.egg-info/SOURCES.txt
+rio_receipt_protocol.egg-info/dependency_links.txt
+rio_receipt_protocol.egg-info/requires.txt
+rio_receipt_protocol.egg-info/top_level.txt
+tests/test_conformance.py

rio_receipt_protocol-2.2.0/rio_receipt_protocol.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

rio_receipt_protocol-2.2.0/rio_receipt_protocol.egg-info/requires.txt

@@ -0,0 +1,3 @@
+
+[signing]
+pynacl>=1.5.0

rio_receipt_protocol-2.2.0/rio_receipt_protocol.egg-info/top_level.txt

@@ -0,0 +1 @@
+rio_receipt_protocol

rio_receipt_protocol-2.2.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

rio_receipt_protocol-2.2.0/tests/test_conformance.py

@@ -0,0 +1,211 @@
+"""
+RIO Receipt Protocol v2.2 — Python Conformance Tests
+
+Mirrors the Node.js conformance test suite (tests/conformance.test.mjs).
+Tests proof-layer receipts, governed receipts, hash integrity, ledger
+operations, cross-verification, batch verification, mixed types, and
+optional extensions.
+"""
+
+import sys
+import os
+import re
+import copy
+
+# Add parent to path for imports
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), "..")))
+
+from rio_receipt_protocol import (
+    sha256,
+    hash_intent,
+    hash_execution,
+    hash_governance,
+    hash_authorization,
+    generate_receipt,
+    verify_receipt,
+    create_ledger,
+    verify_receipt_standalone,
+    verify_chain,
+    verify_receipt_against_ledger,
+    verify_receipt_batch,
+    GENESIS_HASH,
+)
+
+passed = 0
+failed = 0
+total = 0
+HEX64 = re.compile(r"^[a-f0-9]{64}$")
+
+
+def test(name, condition):
+    global passed, failed, total
+    total += 1
+    if condition:
+        passed += 1
+        print(f"  \033[32m✓\033[0m {name}")
+    else:
+        failed += 1
+        print(f"  \033[31m✗\033[0m {name}")
+
+
+def section(name):
+    print(f"\n{name}")
+
+
+INTENT = {
+    "intent_id": "test-intent-001",
+    "action": "send_email",
+    "agent_id": "test-agent-001",
+    "parameters": {"to": "user@example.com", "subject": "Test"},
+    "timestamp": "2026-04-01T00:00:00.000Z",
+}
+EXECUTION = {
+    "intent_id": "test-intent-001",
+    "action": "send_email",
+    "result": "sent",
+    "connector": "smtp",
+    "timestamp": "2026-04-01T00:00:01.000Z",
+}
+GOVERNANCE = {
+    "intent_id": "test-intent-001",
+    "status": "approved",
+    "risk_level": "low",
+    "requires_approval": False,
+    "checks": ["policy_check", "rate_limit"],
+}
+AUTHORIZATION = {
+    "intent_id": "test-intent-001",
+    "decision": "approved",
+    "authorized_by": "HUMAN:admin@example.com",
+    "timestamp": "2026-04-01T00:00:00.500Z",
+    "conditions": None,
+}
+
+section("1. Proof-Layer Receipt Generation")
+intent_hash = hash_intent(**INTENT)
+execution_hash = hash_execution(**EXECUTION)
+proof_receipt = generate_receipt(
+    intent_hash=intent_hash, execution_hash=execution_hash,
+    intent_id=INTENT["intent_id"], action=INTENT["action"], agent_id=INTENT["agent_id"],
+)
+test("generates a proof-layer receipt with 3-hash chain", proof_receipt["verification"]["chain_length"] == 3)
+test("proof-layer receipt has all required core fields",
+     all(proof_receipt.get(f) is not None for f in
+         ["receipt_id", "receipt_type", "intent_id", "action", "agent_id", "timestamp", "hash_chain", "verification"]))
+test("proof-layer chain_order is [intent_hash, execution_hash, receipt_hash]",
+     proof_receipt["verification"]["chain_order"] == ["intent_hash", "execution_hash", "receipt_hash"])
+test("proof-layer receipt self-verifies", verify_receipt(proof_receipt)["valid"])
+test("proof-layer receipt verifies with standalone verifier", verify_receipt_standalone(proof_receipt)["valid"])
+
+section("2. Governed Receipt Generation (Extension)")
+governance_hash = hash_governance(**GOVERNANCE)
+authorization_hash = hash_authorization(**AUTHORIZATION)
+governed_receipt = generate_receipt(
+    intent_hash=intent_hash, execution_hash=execution_hash,
+    governance_hash=governance_hash, authorization_hash=authorization_hash,
+    intent_id=INTENT["intent_id"], action=INTENT["action"], agent_id=INTENT["agent_id"],
+    authorized_by="HUMAN:admin@example.com",
+)
+test("generates a governed receipt with 5-hash chain", governed_receipt["verification"]["chain_length"] == 5)
+test("governed receipt chain_order has all 5 fields in order",
+     governed_receipt["verification"]["chain_order"] == [
+         "intent_hash", "governance_hash", "authorization_hash", "execution_hash", "receipt_hash"])
+test("governed receipt self-verifies", verify_receipt(governed_receipt)["valid"])
+test("governed receipt verifies with standalone verifier", verify_receipt_standalone(governed_receipt)["valid"])
+
+section("3. Hash Integrity")
+test("SHA-256 produces 64-char hex string", bool(HEX64.match(sha256("test"))))
+test("SHA-256 is deterministic", sha256("hello") == sha256("hello"))
+test("SHA-256 is collision-resistant (different inputs = different hashes)", sha256("input_a") != sha256("input_b"))
+test("all receipt hashes are valid 64-char hex",
+     all(HEX64.match(v) for k, v in proof_receipt["hash_chain"].items() if v is not None))
+tampered = copy.deepcopy(proof_receipt)
+tampered["hash_chain"]["intent_hash"] = "a" * 64
+test("tampered receipt fails verification", not verify_receipt(tampered)["valid"])
+test("tampered receipt fails standalone verification", not verify_receipt_standalone(tampered)["valid"])
+
+section("4. Ledger Operations")
+ledger = create_ledger()
+test("ledger starts empty with genesis hash",
+     ledger.get_entry_count() == 0 and ledger.get_current_hash() == GENESIS_HASH)
+entry1 = ledger.append(
+    intent_id=INTENT["intent_id"], action=INTENT["action"], agent_id=INTENT["agent_id"],
+    status="executed", detail="Email sent successfully",
+    receipt_hash=proof_receipt["hash_chain"]["receipt_hash"],
+)
+test("append creates a valid entry with correct prev_hash",
+     entry1["prev_hash"] == GENESIS_HASH and bool(HEX64.match(entry1["ledger_hash"])))
+entry2 = ledger.append(
+    intent_id="test-intent-002", action="schedule_meeting", agent_id=INTENT["agent_id"],
+    status="executed", detail="Meeting scheduled",
+)
+test("chain links correctly across multiple entries", entry2["prev_hash"] == entry1["ledger_hash"])
+test("ledger chain verifies with standalone verifier", ledger.verify_chain()["valid"])
+entries = ledger.export()
+entries[0]["detail"] = "TAMPERED"
+test("tampered ledger entry breaks chain verification", not verify_chain(entries)["valid"])
+
+section("5. Cross-Verification (Receipt and Ledger)")
+test("receipt cross-verifies against matching ledger entry",
+     verify_receipt_against_ledger(proof_receipt, entry1)["valid"])
+test("mismatched receipt/ledger fails cross-verification",
+     not verify_receipt_against_ledger(proof_receipt, entry2)["valid"])
+
+section("6. Batch Verification")
+test("batch verifies multiple valid receipts",
+     verify_receipt_batch([proof_receipt, governed_receipt])["all_valid"])
+tampered2 = copy.deepcopy(governed_receipt)
+tampered2["hash_chain"]["receipt_hash"] = "a" * 64
+batch_tampered = verify_receipt_batch([proof_receipt, tampered2])
+test("batch detects tampered receipt among valid ones",
+     not batch_tampered["all_valid"] and batch_tampered["valid"] == 1)
+
+section("7. Mixed Receipt Types (Proof-Layer + Governed)")
+test("batch verifies mix of proof-layer and governed receipts",
+     verify_receipt_batch([proof_receipt, governed_receipt])["all_valid"])
+mixed_ledger = create_ledger()
+mixed_ledger.append(intent_id=INTENT["intent_id"], action=INTENT["action"],
+                    agent_id=INTENT["agent_id"], status="executed",
+                    detail="Proof-layer receipt", receipt_hash=proof_receipt["hash_chain"]["receipt_hash"])
+mixed_ledger.append(intent_id=INTENT["intent_id"], action=INTENT["action"],
+                    agent_id=INTENT["agent_id"], status="executed",
+                    detail="Governed receipt", receipt_hash=governed_receipt["hash_chain"]["receipt_hash"])
+test("ledger accepts both proof-layer and governed receipts", mixed_ledger.verify_chain()["valid"])
+
+section("8. Optional Extensions")
+ingestion_receipt = generate_receipt(
+    intent_hash=intent_hash, execution_hash=execution_hash,
+    intent_id=INTENT["intent_id"], action=INTENT["action"], agent_id=INTENT["agent_id"],
+    ingestion={"source": "api", "channel": "POST /intent", "source_message_id": "msg-123"},
+)
+test("receipt with ingestion provenance",
+     verify_receipt(ingestion_receipt)["valid"] and ingestion_receipt.get("ingestion") is not None)
+identity_receipt = generate_receipt(
+    intent_hash=intent_hash, execution_hash=execution_hash,
+    intent_id=INTENT["intent_id"], action=INTENT["action"], agent_id=INTENT["agent_id"],
+    identity_binding={"signer_id": "human-root", "public_key_hex": "a" * 64,
+                      "signature_payload_hash": "b" * 64, "verification_method": "ed25519-nacl",
+                      "ed25519_signed": True},
+)
+test("receipt with identity binding",
+     verify_receipt(identity_receipt)["valid"] and identity_receipt.get("identity_binding") is not None)
+plain_receipt = generate_receipt(
+    intent_hash=intent_hash, execution_hash=execution_hash,
+    intent_id=INTENT["intent_id"], action=INTENT["action"], agent_id=INTENT["agent_id"],
+)
+test("receipt without optional extensions still verifies", verify_receipt(plain_receipt)["valid"])
+
+print()
+print("=" * 60)
+print("RIO Receipt Protocol v2.2 Python Conformance Results")
+print("=" * 60)
+print(f"  Total:  {total}")
+print(f"  Passed: {passed}")
+if failed:
+    print(f"  Failed: {failed}")
+print("=" * 60)
+if failed == 0:
+    print("\u2713 CONFORMANT \u2014 All tests passed")
+else:
+    print("\u2717 NON-CONFORMANT \u2014 Some tests failed")
+    sys.exit(1)