Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions CODE_OF_CONDUCT.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
# Code of Conduct

This project adopts the Contributor Covenant, version 2.1, as its code of conduct:
https://www.contributor-covenant.org/version/2/1/code_of_conduct/

All contributors, maintainers, and participants are expected to follow it. By
participating, you agree to help keep this a welcoming, respectful community.

## Reporting

To report a concern, contact the maintainers privately at info@vibetensor.com.
All reports are reviewed and handled confidentially.

Translations of the full text are available at
https://www.contributor-covenant.org/translations/.
38 changes: 38 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# Contributing to the Attestix Go verifier

Thanks for your interest. This is the Go port of the Attestix offline
verifier, part of the [Attestix](https://github.com/VibeTensor/attestix) project.

## Getting started

1. Fork and clone the repository.
2. Build and run the tests:

```
go test ./...
```

## Conformance (required)

Every verifier port MUST reproduce the shared cross-language conformance vectors
from the core repo at
[`spec/verify/v1`](https://github.com/VibeTensor/attestix/tree/main/spec/verify/v1).
Run the conformance suite before opening a pull request: a change that diverges
from the shared `vectors.json` will not be accepted.

## Pull requests

- Branch from `main` and keep each PR focused.
- Use conventional commit messages (`fix:`, `feat:`, `docs:`, `test:`, `chore:`).
- Make sure the full test suite passes and add tests for new behaviour.
- Avoid unrelated formatting churn.

## Reporting issues

Open an issue with a minimal reproduction. For security issues, follow
[SECURITY.md](SECURITY.md) instead of filing a public issue.

## License

By contributing you agree that your contributions are licensed under the
Apache License 2.0, the same license as this repository.
10 changes: 5 additions & 5 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
[![Go Reference](https://pkg.go.dev/badge/github.com/VibeTensor/attestix-go.svg)](https://pkg.go.dev/github.com/VibeTensor/attestix-go)
[![Go Report Card](https://goreportcard.com/badge/github.com/VibeTensor/attestix-go)](https://goreportcard.com/report/github.com/VibeTensor/attestix-go)

Offline verifier — in pure Go, no Python runtime, no network for credentials
Offline verifier (pure Go, no Python runtime, no network) for credentials
and delegations issued by the [Attestix](https://github.com/VibeTensor/attestix)
Python core. Verify Ed25519 W3C Verifiable Credentials, `did:key` identities, and
UCAN delegation chains anywhere Go runs: agent runtimes, MCP servers, Kubernetes
Expand Down Expand Up @@ -48,7 +48,7 @@ func main() {
```

`Verify()` is the AND of `SignatureValid`, `NotExpired`, and `NotRevoked`
(plus a structural check) exactly the reference verdict.
(plus a structural check), exactly the reference verdict.

## API

Expand Down Expand Up @@ -80,7 +80,7 @@ practical JCS subset that differs from RFC 8785 in two load-bearing ways:

Otherwise: keys sorted by Unicode code point, separators `","` / `":"` with no
whitespace, raw UTF-8 output (no `\uXXXX` escapes). `Canonicalize` reproduces
this exactly see [`canonical.go`](canonical.go) and the `canon-001` vector.
this exactly: see [`canonical.go`](canonical.go) and the `canon-001` vector.

Other contract details mirrored here: VC signatures cover every top-level field
**except** `proof` and `credentialStatus`; `proofValue` is base64url **with**
Expand All @@ -103,8 +103,8 @@ go test ./...
```

The suite loads `testdata/vectors.json` and asserts every conformance vector
(canonicalization byte-match, did:key decode, VC verify valid / tampered /
expired, and UCAN chain valid attenuation / escalation).
(canonicalization byte-match, did:key decode, VC verify: valid / tampered /
expired, and UCAN chain: valid attenuation / escalation).

## License

Expand Down
26 changes: 26 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# Security Policy

## Supported versions

This is a verifier for [Attestix](https://github.com/VibeTensor/attestix) and
tracks the Attestix core 0.4.x release line. Security fixes land on the latest
released version.

| Version | Supported |
|---|---|
| 0.4.x | yes |
| < 0.4 | no |

## Reporting a vulnerability

Please do NOT open a public issue for security vulnerabilities.

Report privately by either:

- opening a GitHub Security Advisory on this repository
(https://github.com/VibeTensor/attestix-go/security/advisories/new), or
- emailing info@vibetensor.com.

Include a description, affected versions, and a reproduction if possible. We
follow coordinated disclosure: we acknowledge the report, work on a fix, and
credit you (unless you prefer otherwise) when the fix ships.
Loading