diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index bc2bf28..6bde4e6 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -30,10 +30,19 @@ jobs:
         with:
           egress-policy: audit
+      - name: Free up disk space
+        run: |
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /opt/ghc
+          sudo rm -rf "/usr/local/share/boost"
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           fetch-tags: true
+
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:
@@ -58,8 +67,6 @@ jobs:
         with:
           path: "site/"
-
-
       - name: Generate SLSA Provenance
         uses: actions/attest-build-provenance@v2
         with:
@@ -86,7 +93,6 @@ jobs:
          inputs: >-
            dist/*.tar.gz dist/*.whl
-         source: false
       - name: Upload attestations to GitHub Release
        uses: softprops/action-gh-release@v2
@@ -125,6 +131,14 @@ jobs:
         with:
           egress-policy: audit
+      - name: Free up disk space
+        run: |
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /opt/ghc
+          sudo rm -rf "/usr/local/share/boost"
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+
       - uses: actions/checkout@v4
       - name: Log in to GitHub Container Registry
diff --git a/Dockerfile b/Dockerfile
index 194ec9b..01d420d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,8 @@ FROM python:3.14-slim AS builder
 # Install uv
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
-RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
+# hadolint ignore=DL3008
+RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*
 # Set the working directory
 WORKDIR /app
diff --git a/infrastructure/packer/aws/swarm-in-a-box.pkr.hcl b/infrastructure/packer/aws/swarm-in-a-box.pkr.hcl
index 25572d5..91b0213 100644
--- a/infrastructure/packer/aws/swarm-in-a-box.pkr.hcl
+++ b/infrastructure/packer/aws/swarm-in-a-box.pkr.hcl
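Review bot: The five `sudo rm -rf` lines of the new "Free up disk space" step are pasted verbatim into a second job in the @@ -125 hunk, and neither copy says which later step runs out of disk, so a maintainer cannot tell when the block stops being needed; add a comment such as `# <step that needs the space> exhausts the default hosted-runner disk; drop pre-installed toolchains this job never uses` or move the block into a composite action both jobs reference. The last line also deletes whatever `$AGENT_TOOLSDIRECTORY` expands to; if the variable is unset it degrades to `rm -rf ""`, which at best does nothing silently, whereas `sudo rm -rf "${AGENT_TOOLSDIRECTORY:?}"` fails the step loudly and is the safer shape for an `rm -rf` on an expanded variable.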
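Review bot: Removing `source: false` changes the inputs of an attestation or signing step whose `uses:` line is above the @@ -86 hunk, so from the hunk alone I cannot tell what the key controlled or what the action's default is; if the default is anything other than `false`, the set of artifacts that get signed or attested changes with this commit without the diff saying so. Record the reason next to `inputs: >-`, e.g. `# source input dropped: <reason>`, or in the commit message, so the release-attestation behaviour stays auditable.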
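Review bot: `# hadolint ignore=DL3008` silences the pin-versions finding instead of pinning `git`, and the suppression carries no justification, so a later reader cannot tell whether this was a deliberate trade-off or a shortcut. Either pin (`apt-get install -y --no-install-recommends git=<version>`, which is fragile on a rolling slim base) or keep the ignore and say why on the same line, e.g. `# hadolint ignore=DL3008 -- apt versions on the slim base are not stable enough to pin; git is only used in this builder stage` (adjust to the real reason). Separately, the context line `COPY --from=ghcr.io/astral-sh/uv:latest` pulls the build tool from a mutable tag; pinning `uv` to a version tag plus digest is the cheap supply-chain hardening for a builder stage.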
@@ -64,18 +64,18 @@ build {
       "sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin",
       "sudo usermod -aG docker ubuntu",
       "sudo systemctl enable docker",
-
+
       "echo 'Pulling CoReason Container Images...'",
       "sudo docker pull ghcr.io/coreason-ai/coreason-ecosystem:latest",
       "sudo docker pull ghcr.io/coreason-ai/coreason-runtime:latest"
     ]
   }
-
+
   provisioner "file" {
     source = "../../../local/compose.yaml"
     destination = "/home/ubuntu/compose.yaml"
   }
-
+
   provisioner "shell" {
     inline = [
       "echo 'Setting up Cold Start Kit Service...'",
@@ -91,7 +91,7 @@ build {
       "echo 'ExecStop=/usr/bin/docker compose down' | sudo tee -a /etc/systemd/system/coreason-swarm.service",
       "echo '[Install]' | sudo tee -a /etc/systemd/system/coreason-swarm.service",
       "echo 'WantedBy=multi-user.target' | sudo tee -a /etc/systemd/system/coreason-swarm.service",
-
+
       "sudo systemctl enable coreason-swarm.service"
     ]
   }
diff --git a/src/coreason_ecosystem/auth/identity_manager.py b/src/coreason_ecosystem/auth/identity_manager.py
index 9e06a3c..76137cc 100644
--- a/src/coreason_ecosystem/auth/identity_manager.py
+++ b/src/coreason_ecosystem/auth/identity_manager.py
@@ -1,6 +1,7 @@
 import os
 import hvac
+import hvac.exceptions
 def get_vault_client() -> hvac.Client:
@@ -32,7 +33,10 @@ def get_identity() -> dict[str, str] | None:
             path="coreason/identity", raise_on_deleted_version=False
         )
         if response and "data" in response and "data" in response["data"]:
-            return response["data"]["data"]
+            data = response["data"]["data"]
+            if isinstance(data, dict):
+                return data
+            return None
         return None
     except Exception:
         return None
diff --git a/src/coreason_ecosystem/auth/license_policy.rego b/src/coreason_ecosystem/auth/license_policy.rego
index 5a0d6d4..ef484fe 100644
--- a/src/coreason_ecosystem/auth/license_policy.rego
+++ b/src/coreason_ecosystem/auth/license_policy.rego
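Review bot: `import hvac.exceptions` is added at the top of identity_manager.py (@@ -1 hunk) but the only handler in the @@ -32 hunk is still `except Exception: return None`, so a Vault permission-denied, sealed-vault or connection error stays indistinguishable from "no identity stored", and any programming error in the lookup is swallowed with it. Catch the narrower `except hvac.exceptions.VaultError:` and log it before returning `None`, keeping a broad clause only if some caller genuinely depends on never seeing an exception from here; get_identity's body starts above the hunk, so I cannot see whether a logger is already in scope. license_validator.py adds the same import, and whether it is used there lies outside the visible hunks. Minor: the three new lines collapse to `return data if isinstance(data, dict) else None`, which also removes the now-redundant inner `return None`.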
@@ -7,7 +7,7 @@ default is_sovereign = false
 is_sovereign {
     # Verify expiration (OPA time is in nanoseconds, input.exp is usually seconds)
     input.exp > (time.now_ns() / 1000000000)
-
+
     # Check for specific IP sovereignty entitlement
     some i
     input.entitlements[i] == "IP_SOVEREIGNTY_EXCEPTION"
diff --git a/src/coreason_ecosystem/auth/license_validator.py b/src/coreason_ecosystem/auth/license_validator.py
index 356c5fe..353bd99 100644
--- a/src/coreason_ecosystem/auth/license_validator.py
+++ b/src/coreason_ecosystem/auth/license_validator.py
@@ -9,8 +9,10 @@
 # Source Code:
 import os
+from typing import Any
 import hvac
+import hvac.exceptions
 import jwt
 # SOTA: In a true deployment, this would be retrieved dynamically via SPIRE Workload API.
@@ -18,7 +20,7 @@
 COREASON_ROOT_CA = "coreason_root_ca_public_key_placeholder"
-def verify_token_signature(jwt_string: str) -> dict:
+def verify_token_signature(jwt_string: str) -> dict[str, Any]:
     """
     Mathematically verifies the Ed25519 signature of the JWT using PyJWT (SOTA).
     Returns the decoded payload if valid.
diff --git a/src/coreason_ecosystem/daemons/chronometer.py b/src/coreason_ecosystem/daemons/chronometer.py
index 1da2191..bf673db 100644
--- a/src/coreason_ecosystem/daemons/chronometer.py
+++ b/src/coreason_ecosystem/daemons/chronometer.py
@@ -67,7 +67,7 @@ def _has_valid_commercial_license() -> bool:
         )
         if opa_resp.status_code == 200:
             result = opa_resp.json()
-            return result.get("result", False)
+            return bool(result.get("result", False))
         return False
     except requests.exceptions.RequestException:
         # Fallback if OPA daemon is offline
diff --git a/uv.lock b/uv.lock
index 12ae9da..ec04497 100644
--- a/uv.lock
+++ b/uv.lock
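Review bot: `bool(result.get("result", False))` fixes the declared return type of _has_valid_commercial_license but still assumes the decoded body is a dict; if OPA (or whatever answers on its port) returns a JSON list, string or null with a 200 status, `result.get` raises `AttributeError`, which the visible `except requests.exceptions.RequestException` does not catch. Since this function gates a commercial-license decision, a malformed body should count as "no license": add `if not isinstance(result, dict): return False` before the return. The fallback branch under `# Fallback if OPA daemon is offline` is outside the hunk; it should likewise resolve to `False` so an OPA outage fails closed rather than granting the entitlement, which is worth confirming.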
@@ -496,7 +496,7 @@ dev = [ [package.metadata] requires-dist = [ { name = "click", specifier = ">=8.1.7" }, - { name = "coreason-manifest", specifier = ">=0.70.0" }, + { name = "coreason-manifest", specifier = ">=0.72.1" }, { name = "cryptography", specifier = ">=44.0.0" }, { name = "fastapi", specifier = ">=0.135.3" }, { name = "httpx", specifier = ">=0.27.0" }, @@ -551,7 +551,7 @@ dev = [ [[package]] name = "coreason-manifest" -version = "0.70.0" +version = "0.72.1" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "canonicaljson" }, @@ -561,9 +561,9 @@ dependencies = [ { name = "pycrdt" }, { name = "pydantic" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/b6/ea/ff853e537b3a03cd6582fca71ff8b299605940e78b2ab01f3e885ca745ea/coreason_manifest-0.70.0.tar.gz", hash = "sha256:3a72d33989d8840481aa52308057a58040b1f416307591f8c9ccdecb35ba34f1", size = 892714, upload-time = "2026-05-15T02:46:02.018Z" } +sdist = { url = "https://files.pythonhosted.org/packages/ea/79/5ac98d189dd3536a1fb6cd990de65397dba47a0adc7b13cca601a4081291/coreason_manifest-0.72.1.tar.gz", hash = "sha256:da61b0172dc768bf8616851a207d0aaa749b8a6dc068fdd0fc54cd4cdbd43620", size = 896182, upload-time = "2026-05-15T15:05:13.551Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/8b/de/02b670b4edc76eaa73a1302e9299859369ea28929522bfcb8770a297cae8/coreason_manifest-0.70.0-py3-none-any.whl", hash = "sha256:4f9c3323ade70143c318d514cbbce9889bf0a60172ca2e631afa39f85e47d440", size = 200943, upload-time = "2026-05-15T02:46:00.63Z" }, + { url = "https://files.pythonhosted.org/packages/b3/44/c2f682b413f808cf5e15af29a8a9509c0792401815ab3bc9fb7f4bf1597a/coreason_manifest-0.72.1-py3-none-any.whl", hash = "sha256:18a72c310bd6aa0cee10f9c4b16c5cac495df2880c0b0956f748249df5182fd4", size = 201700, upload-time = "2026-05-15T15:05:11.675Z" }, ] [[package]]