From 9f9b153cd86a7187cf5650f2ff9a82e40f3603d2 Mon Sep 17 00:00:00 2001 From: ascender1729 Date: Tue, 16 Jun 2026 18:58:16 +0530 Subject: [PATCH 1/2] docs: remove em/en-dashes from README prose (cross-repo modernization) Prose-only copy cleanup, no code changes. Part of the Attestix cross-repo modernization pass (em/en-dash removal; version refs verified current). --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index b3eac35..7450b44 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ [![Go Reference](https://pkg.go.dev/badge/github.com/VibeTensor/attestix-go.svg)](https://pkg.go.dev/github.com/VibeTensor/attestix-go) [![Go Report Card](https://goreportcard.com/badge/github.com/VibeTensor/attestix-go)](https://goreportcard.com/report/github.com/VibeTensor/attestix-go) -Offline verifier — in pure Go, no Python runtime, no network — for credentials +Offline verifier (pure Go, no Python runtime, no network) for credentials and delegations issued by the [Attestix](https://github.com/VibeTensor/attestix) Python core. Verify Ed25519 W3C Verifiable Credentials, `did:key` identities, and UCAN delegation chains anywhere Go runs: agent runtimes, MCP servers, Kubernetes @@ -48,7 +48,7 @@ func main() { ``` `Verify()` is the AND of `SignatureValid`, `NotExpired`, and `NotRevoked` -(plus a structural check) — exactly the reference verdict. +(plus a structural check), exactly the reference verdict. ## API @@ -80,7 +80,7 @@ practical JCS subset that differs from RFC 8785 in two load-bearing ways: Otherwise: keys sorted by Unicode code point, separators `","` / `":"` with no whitespace, raw UTF-8 output (no `\uXXXX` escapes). `Canonicalize` reproduces -this exactly — see [`canonical.go`](canonical.go) and the `canon-001` vector. +this exactly: see [`canonical.go`](canonical.go) and the `canon-001` vector. Other contract details mirrored here: VC signatures cover every top-level field **except** `proof` and `credentialStatus`; `proofValue` is base64url **with** @@ -103,8 +103,8 @@ go test ./... ``` The suite loads `testdata/vectors.json` and asserts every conformance vector -(canonicalization byte-match, did:key decode, VC verify — valid / tampered / -expired, and UCAN chain — valid attenuation / escalation). +(canonicalization byte-match, did:key decode, VC verify: valid / tampered / +expired, and UCAN chain: valid attenuation / escalation). ## License From 2427548158172702c4a2b58fc1e08c607273dcaa Mon Sep 17 00:00:00 2001 From: ascender1729 Date: Tue, 16 Jun 2026 19:31:31 +0530 Subject: [PATCH 2/2] chore: add CODE_OF_CONDUCT, CONTRIBUTING, SECURITY (repo hygiene) Community-health files matching the CNCF/OpenSSF standard: Contributor Covenant 2.1 (linked), a language-tailored contributing guide pointing at the shared conformance vectors, and a coordinated-disclosure security policy. --- CODE_OF_CONDUCT.md | 15 +++++++++++++++ CONTRIBUTING.md | 38 ++++++++++++++++++++++++++++++++++++++ SECURITY.md | 26 ++++++++++++++++++++++++++ 3 files changed, 79 insertions(+) create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 SECURITY.md diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..c093093 --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,15 @@ +# Code of Conduct + +This project adopts the Contributor Covenant, version 2.1, as its code of conduct: +https://www.contributor-covenant.org/version/2/1/code_of_conduct/ + +All contributors, maintainers, and participants are expected to follow it. By +participating, you agree to help keep this a welcoming, respectful community. + +## Reporting + +To report a concern, contact the maintainers privately at info@vibetensor.com. +All reports are reviewed and handled confidentially. + +Translations of the full text are available at +https://www.contributor-covenant.org/translations/. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..248c4cc --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,38 @@ +# Contributing to the Attestix Go verifier + +Thanks for your interest. This is the Go port of the Attestix offline +verifier, part of the [Attestix](https://github.com/VibeTensor/attestix) project. + +## Getting started + +1. Fork and clone the repository. +2. Build and run the tests: + + ``` + go test ./... + ``` + +## Conformance (required) + +Every verifier port MUST reproduce the shared cross-language conformance vectors +from the core repo at +[`spec/verify/v1`](https://github.com/VibeTensor/attestix/tree/main/spec/verify/v1). +Run the conformance suite before opening a pull request: a change that diverges +from the shared `vectors.json` will not be accepted. + +## Pull requests + +- Branch from `main` and keep each PR focused. +- Use conventional commit messages (`fix:`, `feat:`, `docs:`, `test:`, `chore:`). +- Make sure the full test suite passes and add tests for new behaviour. +- Avoid unrelated formatting churn. + +## Reporting issues + +Open an issue with a minimal reproduction. For security issues, follow +[SECURITY.md](SECURITY.md) instead of filing a public issue. + +## License + +By contributing you agree that your contributions are licensed under the +Apache License 2.0, the same license as this repository. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..c124c74 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,26 @@ +# Security Policy + +## Supported versions + +This is a verifier for [Attestix](https://github.com/VibeTensor/attestix) and +tracks the Attestix core 0.4.x release line. Security fixes land on the latest +released version. + +| Version | Supported | +|---|---| +| 0.4.x | yes | +| < 0.4 | no | + +## Reporting a vulnerability + +Please do NOT open a public issue for security vulnerabilities. + +Report privately by either: + +- opening a GitHub Security Advisory on this repository + (https://github.com/VibeTensor/attestix-go/security/advisories/new), or +- emailing info@vibetensor.com. + +Include a description, affected versions, and a reproduction if possible. We +follow coordinated disclosure: we acknowledge the report, work on a fix, and +credit you (unless you prefer otherwise) when the fix ships.