sclite-core 0.2.1__tar.gz

sclite_core-0.2.1/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Ravenclaw Security Contract Layer contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

sclite_core-0.2.1/PKG-INFO

@@ -0,0 +1,266 @@
+Metadata-Version: 2.4
+Name: sclite-core
+Version: 0.2.1
+Summary: Lightweight Security Contract Layer lifecycle artifacts, validation, and cryptographic integrity chain fixtures
+Author: Krzysztof Probola
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/rozmiarD/SCLite
+Project-URL: Repository, https://github.com/rozmiarD/SCLite
+Project-URL: Issues, https://github.com/rozmiarD/SCLite/issues
+Project-URL: Changelog, https://github.com/rozmiarD/SCLite/blob/main/CHANGELOG.md
+Project-URL: Documentation, https://github.com/rozmiarD/SCLite#readme
+Keywords: security,contracts,validation,evidence,governance
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Provides-Extra: dev
+Requires-Dist: pytest<9,>=8; extra == "dev"
+Dynamic: license-file
+
+# SCLite
+
+[![CI](https://github.com/rozmiarD/SCLite/actions/workflows/ci.yml/badge.svg)](https://github.com/rozmiarD/SCLite/actions/workflows/ci.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+[![Python 3.11+](https://img.shields.io/badge/python-3.11%2B-blue.svg)](pyproject.toml)
+[![Package: sclite-core 0.2.1](https://img.shields.io/badge/package-sclite--core%200.2.1-blueviolet.svg)](pyproject.toml)
+[![JSON Schema](https://img.shields.io/badge/contracts-JSON%20Schema-informational.svg)](schemas/)
+
+Lightweight Security Contract Layer for auditable AI/security contract lifecycles.
+
+Project owner: **Krzysztof Probola**.
+
+SCLite v0.2 separates what an agent wants, what policy allows, what was approved, what was executed, and what can be proven.
+
+## Status
+
+- Version: `0.2.1`
+- Status: **draft lifecycle candidate**
+- Runtime execution: not included
+- Protocol/carrier adapters: not included
+- Integrity: canonical SHA-256 artifact descriptors + ordered hash-linked lifecycle manifest
+- Identity/PKI: not included in core
+
+SCLite v0.2 is a **contract lifecycle**, not an execution engine. Runtimes such as Ravenclaw can consume SCLite artifacts and enforce tickets, but executors, sandboxes, policy engines, raw evidence storage, agent loops, and carrier adapters stay outside this package.
+
+## Project sentence
+
+> SCLite separates what an agent wants, what policy allows, what was approved, what was executed, and what can be proven.
+
+## What problem does SCLite solve?
+
+AI-assisted security workflows often blur separate authority boundaries:
+
+1. a model proposes intent;
+2. policy/scope decides whether the request may proceed;
+3. code prepares a concrete execution shape;
+4. an auditor/reviewer approves or rejects that shape;
+5. a runtime executes or dry-runs under bounds;
+6. evidence is summarized for review.
+
+SCLite turns those steps into small schema-backed JSON artifacts and verifies their integrity locally. A reviewer can check the public-safe bundle without running live targets or reading private logs.
+
+## v0.2 canonical lifecycle
+
+```text
+intent_contract -> policy_decision -> execution_contract -> execution_ticket -> execution_receipt -> evidence_contract -> artifact_chain_manifest
+```
+
+Current v0.2 artifacts:
+
+| Artifact | Purpose |
+| --- | --- |
+| `IntentContract` | Captures what an agent/caller wants before authority exists. |
+| `PolicyDecision` v0.2 | Captures allow/deny/review policy outcome bound to intent. |
+| `ExecutionContract` | Captures the exact bounded execution shape prepared for review. |
+| `ExecutionTicket` | Captures approval for one exact execution contract under explicit bounds and validity. |
+| `ExecutionReceipt` v0.2 | Captures what an external runtime reports as executed or dry-run. |
+| `EvidenceContract` | Captures public-safe claims, non-claims, replay, verification, and evidence links. |
+| `ArtifactChainManifest` | Ordered tamper-evident hash chain over lifecycle artifacts. |
+
+Verify the lifecycle fixture:
+
+```bash
+sclite validate-chain sclite/examples/contract-lifecycle-v0.2/artifact_chain_manifest.json
+sclite verify-lifecycle sclite/examples/contract-lifecycle-v0.2/artifact_chain_manifest.json
+```
+
+`verify-lifecycle` currently uses the same verifier as `validate-chain`; the name exists because it describes the v0.2 review action more clearly.
+
+## What the verifier checks
+
+The v0.2 verifier checks more than raw hashes:
+
+- manifest paths cannot escape the artifact root;
+- artifact descriptors match canonical SHA-256 digests;
+- hash-chain links and root digest recompute correctly;
+- lifecycle artifacts appear in the canonical order;
+- policy binds the correct intent digest;
+- ticket binds the correct execution contract digest;
+- receipt binds the correct execution ticket digest;
+- evidence contract binds the correct receipt digest.
+
+## What SCLite is
+
+SCLite core is limited to:
+
+```text
+define / validate / hash / bind / redact / verify
+```
+
+It provides:
+
+- JSON schemas for lifecycle and compatibility artifacts;
+- deterministic artifact hashing helpers;
+- v0.2 lifecycle/chain verification;
+- redaction/public-snapshot helper artifacts;
+- a CLI for local validation and review fixtures;
+- legacy v0.1 compatibility fixtures and schemas.
+
+## What SCLite is not
+
+SCLite is not:
+
+- a security scanner;
+- an executor;
+- a sandbox;
+- a full policy engine;
+- an approval authority by itself;
+- an agent loop;
+- a tool wrapper package for `nmap`, `ffuf`, etc.;
+- an MCP/OpenClaw/A2A protocol replacement;
+- a proof of legal authorization;
+- a proof of live vulnerability evidence;
+- a proof of signer identity or PKI trust;
+- a tamper-proof transparency log.
+
+## Legacy v0.1 compatibility
+
+The older public-safe v0.1 proof trace remains supported:
+
+```text
+scope/input -> policy decision -> prepared execution spec -> approved execution spec -> dry-run execution receipt -> evidence summary
+```
+
+v0.1 compatibility artifacts remain available for existing integrations, including Ravenclaw public proof fixtures. New lifecycle work should use the v0.2 model.
+
+See [`SPEC.md`](SPEC.md) for the canonical model, artifact definitions, integrity chain, compatibility notes, and explicit security boundaries.
+
+## Project docs
+
+- [`PUBLIC_STATUS.md`](PUBLIC_STATUS.md) — current maturity and non-claims.
+- [`VALIDATION.md`](VALIDATION.md) — local validation and build gates.
+- [`PUBLICATION_CHECKLIST.md`](PUBLICATION_CHECKLIST.md) — release/publication checklist.
+- [`CHANGELOG.md`](CHANGELOG.md) — notable package changes.
+- [`CONTRIBUTING.md`](CONTRIBUTING.md) — contribution and boundary rules.
+- [`SECURITY.md`](SECURITY.md) — security reporting and fixture-safety policy.
+
+## Installation
+
+Once published to PyPI, the intended install path is:
+
+```bash
+pip install sclite-core
+```
+
+Install directly from GitHub:
+
+```bash
+pip install git+https://github.com/rozmiarD/SCLite.git
+```
+
+From a local checkout:
+
+```bash
+python -m venv .venv
+. .venv/bin/activate
+python -m pip install -e '.[dev]'
+```
+
+Runtime dependencies are intentionally empty. The `dev` extra installs `pytest` for local tests.
+
+## CLI quickstart
+
+Validate the v0.2 lifecycle chain:
+
+```bash
+sclite validate-chain sclite/examples/contract-lifecycle-v0.2/artifact_chain_manifest.json
+sclite verify-lifecycle sclite/examples/contract-lifecycle-v0.2/artifact_chain_manifest.json
+```
+
+Validate the legacy public-safe proof fixture:
+
+```bash
+sclite validate examples/security-contract-proof
+```
+
+Validate one artifact against a schema:
+
+```bash
+sclite validate-artifact \
+  --schema prepared_execution_spec.v0.1 \
+  examples/prepared-execution-spec/prepared_execution_spec.json
+```
+
+Hash one artifact with deterministic SCLite canonical JSON + SHA-256:
+
+```bash
+sclite hash-artifact \
+  --schema approved_execution_spec.v0.1 \
+  examples/security-contract-proof/approved_execution_spec.json
+```
+
+Generate a Scope Fidelity report from the approved spec fixture:
+
+```bash
+sclite scope-fidelity \
+  --approved-spec examples/security-contract-proof/approved_execution_spec.json \
+  --fail-on review
+```
+
+Emit a validation receipt for the proof fixture:
+
+```bash
+sclite validation-receipt examples/security-contract-proof
+```
+
+Run tests:
+
+```bash
+python -m pytest -q
+```
+
+## Python usage
+
+```python
+from sclite.integrity import verify_artifact_chain_manifest
+
+# Load artifact_chain_manifest.json as a dict and verify it against a local root.
+result = verify_artifact_chain_manifest(manifest, root=fixture_dir)
+assert result["status"] == "passed"
+```
+
+## Repository layout
+
+```text
+sclite/                         Python package
+sclite/schemas/                 Packaged schemas
+sclite/examples/contract-lifecycle-v0.2/
+examples/security-contract-proof/ Legacy v0.1 public-safe proof fixture
+schemas/                        Source schema copies
+SPEC.md                         v0.2 draft specification
+CHANGELOG.md                    Release notes
+```
+
+## License
+
+MIT. See [`LICENSE`](LICENSE).

sclite_core-0.2.1/README.md

@@ -0,0 +1,237 @@
+# SCLite
+
+[![CI](https://github.com/rozmiarD/SCLite/actions/workflows/ci.yml/badge.svg)](https://github.com/rozmiarD/SCLite/actions/workflows/ci.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+[![Python 3.11+](https://img.shields.io/badge/python-3.11%2B-blue.svg)](pyproject.toml)
+[![Package: sclite-core 0.2.1](https://img.shields.io/badge/package-sclite--core%200.2.1-blueviolet.svg)](pyproject.toml)
+[![JSON Schema](https://img.shields.io/badge/contracts-JSON%20Schema-informational.svg)](schemas/)
+
+Lightweight Security Contract Layer for auditable AI/security contract lifecycles.
+
+Project owner: **Krzysztof Probola**.
+
+SCLite v0.2 separates what an agent wants, what policy allows, what was approved, what was executed, and what can be proven.
+
+## Status
+
+- Version: `0.2.1`
+- Status: **draft lifecycle candidate**
+- Runtime execution: not included
+- Protocol/carrier adapters: not included
+- Integrity: canonical SHA-256 artifact descriptors + ordered hash-linked lifecycle manifest
+- Identity/PKI: not included in core
+
+SCLite v0.2 is a **contract lifecycle**, not an execution engine. Runtimes such as Ravenclaw can consume SCLite artifacts and enforce tickets, but executors, sandboxes, policy engines, raw evidence storage, agent loops, and carrier adapters stay outside this package.
+
+## Project sentence
+
+> SCLite separates what an agent wants, what policy allows, what was approved, what was executed, and what can be proven.
+
+## What problem does SCLite solve?
+
+AI-assisted security workflows often blur separate authority boundaries:
+
+1. a model proposes intent;
+2. policy/scope decides whether the request may proceed;
+3. code prepares a concrete execution shape;
+4. an auditor/reviewer approves or rejects that shape;
+5. a runtime executes or dry-runs under bounds;
+6. evidence is summarized for review.
+
+SCLite turns those steps into small schema-backed JSON artifacts and verifies their integrity locally. A reviewer can check the public-safe bundle without running live targets or reading private logs.
+
+## v0.2 canonical lifecycle
+
+```text
+intent_contract -> policy_decision -> execution_contract -> execution_ticket -> execution_receipt -> evidence_contract -> artifact_chain_manifest
+```
+
+Current v0.2 artifacts:
+
+| Artifact | Purpose |
+| --- | --- |
+| `IntentContract` | Captures what an agent/caller wants before authority exists. |
+| `PolicyDecision` v0.2 | Captures allow/deny/review policy outcome bound to intent. |
+| `ExecutionContract` | Captures the exact bounded execution shape prepared for review. |
+| `ExecutionTicket` | Captures approval for one exact execution contract under explicit bounds and validity. |
+| `ExecutionReceipt` v0.2 | Captures what an external runtime reports as executed or dry-run. |
+| `EvidenceContract` | Captures public-safe claims, non-claims, replay, verification, and evidence links. |
+| `ArtifactChainManifest` | Ordered tamper-evident hash chain over lifecycle artifacts. |
+
+Verify the lifecycle fixture:
+
+```bash
+sclite validate-chain sclite/examples/contract-lifecycle-v0.2/artifact_chain_manifest.json
+sclite verify-lifecycle sclite/examples/contract-lifecycle-v0.2/artifact_chain_manifest.json
+```
+
+`verify-lifecycle` currently uses the same verifier as `validate-chain`; the name exists because it describes the v0.2 review action more clearly.
+
+## What the verifier checks
+
+The v0.2 verifier checks more than raw hashes:
+
+- manifest paths cannot escape the artifact root;
+- artifact descriptors match canonical SHA-256 digests;
+- hash-chain links and root digest recompute correctly;
+- lifecycle artifacts appear in the canonical order;
+- policy binds the correct intent digest;
+- ticket binds the correct execution contract digest;
+- receipt binds the correct execution ticket digest;
+- evidence contract binds the correct receipt digest.
+
+## What SCLite is
+
+SCLite core is limited to:
+
+```text
+define / validate / hash / bind / redact / verify
+```
+
+It provides:
+
+- JSON schemas for lifecycle and compatibility artifacts;
+- deterministic artifact hashing helpers;
+- v0.2 lifecycle/chain verification;
+- redaction/public-snapshot helper artifacts;
+- a CLI for local validation and review fixtures;
+- legacy v0.1 compatibility fixtures and schemas.
+
+## What SCLite is not
+
+SCLite is not:
+
+- a security scanner;
+- an executor;
+- a sandbox;
+- a full policy engine;
+- an approval authority by itself;
+- an agent loop;
+- a tool wrapper package for `nmap`, `ffuf`, etc.;
+- an MCP/OpenClaw/A2A protocol replacement;
+- a proof of legal authorization;
+- a proof of live vulnerability evidence;
+- a proof of signer identity or PKI trust;
+- a tamper-proof transparency log.
+
+## Legacy v0.1 compatibility
+
+The older public-safe v0.1 proof trace remains supported:
+
+```text
+scope/input -> policy decision -> prepared execution spec -> approved execution spec -> dry-run execution receipt -> evidence summary
+```
+
+v0.1 compatibility artifacts remain available for existing integrations, including Ravenclaw public proof fixtures. New lifecycle work should use the v0.2 model.
+
+See [`SPEC.md`](SPEC.md) for the canonical model, artifact definitions, integrity chain, compatibility notes, and explicit security boundaries.
+
+## Project docs
+
+- [`PUBLIC_STATUS.md`](PUBLIC_STATUS.md) — current maturity and non-claims.
+- [`VALIDATION.md`](VALIDATION.md) — local validation and build gates.
+- [`PUBLICATION_CHECKLIST.md`](PUBLICATION_CHECKLIST.md) — release/publication checklist.
+- [`CHANGELOG.md`](CHANGELOG.md) — notable package changes.
+- [`CONTRIBUTING.md`](CONTRIBUTING.md) — contribution and boundary rules.
+- [`SECURITY.md`](SECURITY.md) — security reporting and fixture-safety policy.
+
+## Installation
+
+Once published to PyPI, the intended install path is:
+
+```bash
+pip install sclite-core
+```
+
+Install directly from GitHub:
+
+```bash
+pip install git+https://github.com/rozmiarD/SCLite.git
+```
+
+From a local checkout:
+
+```bash
+python -m venv .venv
+. .venv/bin/activate
+python -m pip install -e '.[dev]'
+```
+
+Runtime dependencies are intentionally empty. The `dev` extra installs `pytest` for local tests.
+
+## CLI quickstart
+
+Validate the v0.2 lifecycle chain:
+
+```bash
+sclite validate-chain sclite/examples/contract-lifecycle-v0.2/artifact_chain_manifest.json
+sclite verify-lifecycle sclite/examples/contract-lifecycle-v0.2/artifact_chain_manifest.json
+```
+
+Validate the legacy public-safe proof fixture:
+
+```bash
+sclite validate examples/security-contract-proof
+```
+
+Validate one artifact against a schema:
+
+```bash
+sclite validate-artifact \
+  --schema prepared_execution_spec.v0.1 \
+  examples/prepared-execution-spec/prepared_execution_spec.json
+```
+
+Hash one artifact with deterministic SCLite canonical JSON + SHA-256:
+
+```bash
+sclite hash-artifact \
+  --schema approved_execution_spec.v0.1 \
+  examples/security-contract-proof/approved_execution_spec.json
+```
+
+Generate a Scope Fidelity report from the approved spec fixture:
+
+```bash
+sclite scope-fidelity \
+  --approved-spec examples/security-contract-proof/approved_execution_spec.json \
+  --fail-on review
+```
+
+Emit a validation receipt for the proof fixture:
+
+```bash
+sclite validation-receipt examples/security-contract-proof
+```
+
+Run tests:
+
+```bash
+python -m pytest -q
+```
+
+## Python usage
+
+```python
+from sclite.integrity import verify_artifact_chain_manifest
+
+# Load artifact_chain_manifest.json as a dict and verify it against a local root.
+result = verify_artifact_chain_manifest(manifest, root=fixture_dir)
+assert result["status"] == "passed"
+```
+
+## Repository layout
+
+```text
+sclite/                         Python package
+sclite/schemas/                 Packaged schemas
+sclite/examples/contract-lifecycle-v0.2/
+examples/security-contract-proof/ Legacy v0.1 public-safe proof fixture
+schemas/                        Source schema copies
+SPEC.md                         v0.2 draft specification
+CHANGELOG.md                    Release notes
+```
+
+## License
+
+MIT. See [`LICENSE`](LICENSE).

sclite_core-0.2.1/pyproject.toml

@@ -0,0 +1,75 @@
+[build-system]
+requires = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "sclite-core"
+version = "0.2.1"
+description = "Lightweight Security Contract Layer lifecycle artifacts, validation, and cryptographic integrity chain fixtures"
+readme = "README.md"
+requires-python = ">=3.11"
+license = "MIT"
+authors = [{ name = "Krzysztof Probola" }]
+keywords = ["security", "contracts", "validation", "evidence", "governance"]
+classifiers = [
+  "Development Status :: 3 - Alpha",
+  "Intended Audience :: Developers",
+  "Intended Audience :: Information Technology",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3 :: Only",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Programming Language :: Python :: 3.13",
+  "Topic :: Security",
+  "Topic :: Software Development :: Libraries :: Python Modules",
+]
+dependencies = []
+
+[project.urls]
+Homepage = "https://github.com/rozmiarD/SCLite"
+Repository = "https://github.com/rozmiarD/SCLite"
+Issues = "https://github.com/rozmiarD/SCLite/issues"
+Changelog = "https://github.com/rozmiarD/SCLite/blob/main/CHANGELOG.md"
+Documentation = "https://github.com/rozmiarD/SCLite#readme"
+
+[project.optional-dependencies]
+dev = [
+  "pytest>=8,<9",
+]
+
+[project.scripts]
+sclite = "sclite.cli:main"
+scl = "sclite.cli:main"
+
+[tool.setuptools]
+include-package-data = true
+
+[tool.setuptools.packages.find]
+where = ["."]
+include = ["sclite", "sclite.*"]
+namespaces = false
+
+[tool.setuptools.package-data]
+sclite = [
+  "schemas/*.json",
+  "examples/security-contract-proof/*.json",
+  "examples/security-contract-proof/*.md",
+  "examples/scope-fidelity-report/*.json",
+  "examples/scope-fidelity-report/*.md",
+  "examples/prepared-execution-spec/*.json",
+  "examples/prepared-execution-spec/*.md",
+  "examples/redaction-policy/*.json",
+  "examples/redaction-policy/*.md",
+  "examples/redaction-receipt/*.json",
+  "examples/redaction-receipt/*.md",
+  "examples/public-validation-surface-index/*.json",
+  "examples/public-validation-surface-index/*.md",
+  "examples/public-snapshot-manifest/*.json",
+  "examples/public-snapshot-manifest/*.md",
+  "examples/contract-lifecycle-v0.2/*.json",
+  "examples/contract-lifecycle-v0.2/*.md",
+]
+
+[tool.pytest.ini_options]
+addopts = "-q"
+testpaths = ["tests"]

sclite_core-0.2.1/sclite/__init__.py

@@ -0,0 +1,83 @@
+from __future__ import annotations
+
+__version__ = '0.2.1'
+
+from .artifacts import (
+    APPROVED_EXECUTION_SPEC_FILE,
+    APPROVED_EXECUTION_SPEC_VERSION,
+    ARTIFACT_CANONICALIZATION_VERSION,
+    ARTIFACT_HASH_ALGORITHM,
+    DEMO_PROOF_MODE,
+    EVIDENCE_BUNDLE_ARTIFACT_TYPE,
+    EVIDENCE_BUNDLE_FILE,
+    EVIDENCE_BUNDLE_SCHEMA_VERSION,
+    EVIDENCE_SUMMARY_FILE,
+    EXECUTION_RECEIPT_ARTIFACT_TYPE,
+    EXECUTION_RECEIPT_FILE,
+    POLICY_DECISION_FILE,
+    POLICY_DECISION_SCHEMA_VERSION,
+    PROOF_TRACE_FILES,
+    PUBLIC_DEMO_NON_CLAIMS,
+    PUBLIC_DEMO_TARGET_HOST,
+    REDACTED_PREPARED_EXECUTION_SPEC_FILE,
+    JsonSchemaValidationError,
+    ProofTraceInvariantError,
+    assert_public_proof_trace_artifacts,
+    build_demo_success_criteria,
+    build_evidence_bundle_artifact,
+    build_evidence_summary_markdown,
+    build_artifact_hash,
+    build_execution_receipt_artifact,
+    build_proof_trace_artifacts,
+    canonical_artifact_bytes,
+    canonicalize_artifact,
+    examples_dir,
+    load_json_schema,
+    proof_trace_manifest,
+    repo_root,
+    schema_dir,
+    artifact_sha256,
+    validate_artifact,
+    validate_json_schema_value,
+    validate_public_proof_trace_artifacts,
+    validate_schema_ref,
+    validate_trace,
+)
+from .integrity import (
+    CHAIN_CANONICALIZATION_VERSION,
+    CHAIN_HASH_ALGORITHM,
+    ChainVerificationError,
+    artifact_descriptor,
+    build_artifact_chain_manifest,
+    verify_artifact_chain_manifest,
+)
+from .redaction import (
+    REDACTION_POLICY_ARTIFACT_TYPE,
+    REDACTION_POLICY_SCHEMA_VERSION,
+    REDACTION_RECEIPT_ARTIFACT_TYPE,
+    REDACTION_RECEIPT_SCHEMA_VERSION,
+    build_default_redaction_policy,
+    build_redaction_receipt,
+    redact_prepared_spec,
+    sanitize_public_artifact,
+)
+from .scope_fidelity import (
+    SCOPE_FIDELITY_ARTIFACT_TYPE,
+    SCOPE_FIDELITY_SCHEMA_REF,
+    SCOPE_FIDELITY_SCHEMA_VERSION,
+    build_scope_fidelity_report,
+    build_scope_fidelity_report_from_approved_spec,
+    summarize_scope_fidelity,
+    validate_scope_fidelity_report,
+)
+from .surfaces import (
+    PUBLIC_SNAPSHOT_MANIFEST_ARTIFACT_TYPE,
+    PUBLIC_SNAPSHOT_MANIFEST_SCHEMA_VERSION,
+    PUBLIC_VALIDATION_SURFACE_INDEX_ARTIFACT_TYPE,
+    PUBLIC_VALIDATION_SURFACE_INDEX_SCHEMA_VERSION,
+    build_public_snapshot_manifest,
+    build_public_validation_surface_index,
+)
+from .validation import build_validation_receipt, validate_fixture_dir
+
+__all__ = [name for name in globals() if not name.startswith('_')]