CoReason-AI · gowthamrao · May 15, 2026 · May 15, 2026 · May 15, 2026 · May 15, 2026
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -30,10 +30,19 @@ jobs:
         with:
           egress-policy: audit
 
+      - name: Free up disk space
+        run: |
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /opt/ghc
+          sudo rm -rf "/usr/local/share/boost"
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           fetch-tags: true
+
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:
@@ -58,8 +67,6 @@ jobs:
         with:
           path: "site/"
 
-
-
       - name: Generate SLSA Provenance
         uses: actions/attest-build-provenance@v2
         with:
@@ -86,7 +93,6 @@ jobs:
           inputs: >-
             dist/*.tar.gz
             dist/*.whl
-          source: false
 
       - name: Upload attestations to GitHub Release
         uses: softprops/action-gh-release@v2
@@ -125,6 +131,14 @@ jobs:
         with:
           egress-policy: audit
 
+      - name: Free up disk space
+        run: |
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /opt/ghc
+          sudo rm -rf "/usr/local/share/boost"
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+
       - uses: actions/checkout@v4
 
       - name: Log in to GitHub Container Registry

diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,8 @@ FROM python:3.14-slim AS builder
 
 # Install uv
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
-RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
+# hadolint ignore=DL3008
+RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*
 
 # Set the working directory
 WORKDIR /app

diff --git a/infrastructure/packer/aws/swarm-in-a-box.pkr.hcl b/infrastructure/packer/aws/swarm-in-a-box.pkr.hcl
@@ -64,18 +64,18 @@ build {
       "sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin",
       "sudo usermod -aG docker ubuntu",
       "sudo systemctl enable docker",
-      
+
       "echo 'Pulling CoReason Container Images...'",
       "sudo docker pull ghcr.io/coreason-ai/coreason-ecosystem:latest",
       "sudo docker pull ghcr.io/coreason-ai/coreason-runtime:latest"
     ]
   }
-  
+
   provisioner "file" {
     source      = "../../../local/compose.yaml"
     destination = "/home/ubuntu/compose.yaml"
   }
-  
+
   provisioner "shell" {
     inline = [
       "echo 'Setting up Cold Start Kit Service...'",
@@ -91,7 +91,7 @@ build {
       "echo 'ExecStop=/usr/bin/docker compose down' | sudo tee -a /etc/systemd/system/coreason-swarm.service",
       "echo '[Install]' | sudo tee -a /etc/systemd/system/coreason-swarm.service",
       "echo 'WantedBy=multi-user.target' | sudo tee -a /etc/systemd/system/coreason-swarm.service",
-      
+
       "sudo systemctl enable coreason-swarm.service"
     ]
   }

diff --git a/src/coreason_ecosystem/auth/identity_manager.py b/src/coreason_ecosystem/auth/identity_manager.py
@@ -1,6 +1,7 @@
 import os
 
 import hvac
+import hvac.exceptions
 
 
 def get_vault_client() -> hvac.Client:
@@ -32,7 +33,10 @@ def get_identity() -> dict[str, str] | None:
             path="coreason/identity", raise_on_deleted_version=False
         )
         if response and "data" in response and "data" in response["data"]:
-            return response["data"]["data"]
+            data = response["data"]["data"]
+            if isinstance(data, dict):
+                return data
+            return None
         return None
     except Exception:
         return None
diff --git a/src/coreason_ecosystem/auth/license_policy.rego b/src/coreason_ecosystem/auth/license_policy.rego
@@ -7,7 +7,7 @@ default is_sovereign = false
 is_sovereign {
     # Verify expiration (OPA time is in nanoseconds, input.exp is usually seconds)
     input.exp > (time.now_ns() / 1000000000)
-    
+
     # Check for specific IP sovereignty entitlement
     some i
     input.entitlements[i] == "IP_SOVEREIGNTY_EXCEPTION"

diff --git a/src/coreason_ecosystem/auth/license_validator.py b/src/coreason_ecosystem/auth/license_validator.py
@@ -9,16 +9,18 @@
 # Source Code: <https://github.com/CoReason-AI/coreason-ecosystem>
 
 import os
+from typing import Any
 
 import hvac
+import hvac.exceptions
 import jwt
 
 # SOTA: In a true deployment, this would be retrieved dynamically via SPIRE Workload API.
 # We mock the SPIFFE/SPIRE interaction for demonstration.
 COREASON_ROOT_CA = "coreason_root_ca_public_key_placeholder"
 
 
-def verify_token_signature(jwt_string: str) -> dict:
+def verify_token_signature(jwt_string: str) -> dict[str, Any]:
     """
     Mathematically verifies the Ed25519 signature of the JWT using PyJWT (SOTA).
     Returns the decoded payload if valid.

diff --git a/src/coreason_ecosystem/daemons/chronometer.py b/src/coreason_ecosystem/daemons/chronometer.py
@@ -67,7 +67,7 @@ def _has_valid_commercial_license() -> bool:
         )
         if opa_resp.status_code == 200:
             result = opa_resp.json()
-            return result.get("result", False)
+            return bool(result.get("result", False))
         return False
     except requests.exceptions.RequestException:
         # Fallback if OPA daemon is offline

diff --git a/uv.lock b/uv.lock