feat: paper v0.3.0 update, SBOM pipeline, and v0.3.0 blog post#63
Merged
Conversation
Three tracks wrapped into one release PR. ## Paper (paper/attestix-paper.tex) Section-by-section reconciliation against the v0.3.0 codebase, followed by adversarial peer-review revisions. Combined changes: Front matter: - Abstract test count 284 -> 358 (267 functional + 91 conformance). - Contributions list gains the three production framework integrations (LangChain, OpenAI Agents SDK, CrewAI), plus the GitHub Actions CI/CD pipeline and the coordinated security-hardening batch. - Related Work softens the "first integrated" claim to "first to integrate DID/VC + EU AI Act + MCP in a single open-source MCP server" and cites prior work as targeting subsets. - New Section 1.A: explicit threat model and scope (in/out, trust root, key-compromise treatment, reliance on upstream cryptography library for constant-time Ed25519). System: - Cryptographic foundation now clarifies Ed25519 timing resistance is inherited from the cryptography library at the pinned version. - Delegation layer details the two v0.3.0 auth-bypass invariants (recursive parent validation, capability subset enforcement). - Compliance section: Article 43 Annex III differentiation is explicit (Point 1 blocked from self-assessment; Points 2-8 permit internal control per Article 43(2)). Previous blanket-reject bug called out as a v0.3.0 correction. - Compliance automation paragraph classifies each article as Enforced / Recorded / Tracked / Generated so readers can tell what Attestix actually does vs what it records. - Hash chain formula now uses RFC 8785 JCS explicitly and removes chain_hash/signature fields from the canonicalised entry. Services + security: - New Framework Integrations subsection covering LangChain, OpenAI Agents SDK, CrewAI, plus example-only Dify, Google ADK, Semantic Kernel, Strands. - Security Measures expanded with constant-time verification source, delegation integrity, file permissions, dependency CVE pins, GDPR 17 boundary (technical cascade only). - "Production integrations" language softened throughout to "framework integrations" + "reference implementations" and acknowledged as CI-validated but not load-tested. Evaluation: - Test count updated to 358 in every section. - Reference-hardware note for performance numbers (CI runner, 2 vCPU, Docker-confined). Variance disclosed qualitatively; no single-run percentiles claimed. - Explicit "no baseline comparison" paragraph: prior work lacks comparable numbers, re-implementing them is out of scope. - New Continuous Integration and Security Audits subsection. - New Framework Integration Validation subsection with the 4-step per-framework test protocol. - Standards coverage table: RFC 8785 shown as exercised by every VC/audit test; RFC 6962 by dedicated Merkle unit tests; EU AI Act rows show enforce/record/track/generate; EAS row qualified as Base Sepolia testnet. Limitations + conclusion: - Explicit scope boundaries for EU AI Act (data-plane evidence, not legal guarantor) and GDPR (technical cascade only). - Cryptographic migration limitation for post-quantum. - Framework integrations called out as not yet load-tested in production. - Conclusion drops "first" claim. ## Blog (website/content/v0-3-0-ships-real-framework-integrations.mdx) New post announcing v0.3.0: framework integrations with code snippets, security hardening batch with the four ATX-* IDs, CI/CD pipeline, dependency pins with CVE rationale, EAS schema and Annex III fixes, what comes next. Tone matches the existing four posts; no em/en dashes; Base L2 qualified as testnet throughout. ## SBOM (pyproject.toml + .github/workflows/sbom.yml + /sbom page) - pyproject.toml adds a new `sbom` optional-dependency group pinned to `cyclonedx-bom>=5.0.0,<6.0.0`; also added to `dev`. - New .github/workflows/sbom.yml runs on push to main, on release published, and via workflow_dispatch. Installs the package with the blockchain extra plus cyclonedx-bom, generates a CycloneDX JSON SBOM via `cyclonedx-py environment`, validates JSON, computes SHA-256 sidecar, uploads both as a 30-day workflow artefact, and (on release events) attaches both to the GitHub release. - /sbom page gains an authoritative-artefact callout with a download button pointing at the latest release, a reproduce- locally pre block showing the exact `pip install .[blockchain,sbom]` + `cyclonedx-py environment` + `sha256sum` sequence, and a link to the CycloneDX 1.5 specification. Copy softened so the site no longer claims the SBOM is always attached; it now reads as "generated by the workflow and attached to every published release". No commit of SBOM JSON to the repo (avoids merge conflicts; GitHub release asset is the authoritative source).
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 37 minutes and 15 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (5)
Note
|
Deploying attestix with
|
| Latest commit: |
2a84d65
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://8db2baa5.attestix.pages.dev |
| Branch Preview URL: | https://feat-paper-v030-update-and-s.attestix.pages.dev |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Three parallel tracks bundled: paper update per code reality + peer review, a new blog post for v0.3.0 ship, and a real CycloneDX SBOM generation pipeline.
Paper
Section-by-section reconciliation against v0.3.0 codebase (agents P1/P2/P3), followed by adversarial reviewer revisions. Headline changes: test count 358, new threat model section, framework integrations subsection, security measures expanded, Annex III differentiation clarified, EU AI Act automation classified as enforced vs recorded vs tracked vs generated, GDPR 17 boundary explicit, post-quantum listed in limitations, 'first integrated' claim softened to the composition claim. See commit body for the full changelog.
Blog
New post at /blog/v0-3-0-ships-real-framework-integrations announcing v0.3.0 with framework snippets, security batch, CI/CD, and dependency pins. Matches existing tone.
SBOM
sbomextra pinningcyclonedx-bom>=5.0.0,<6.0.0cyclonedx-py environment, validates JSON, computes SHA-256 sidecar, uploads 30-day artefact + attaches to releaseDeferred