aeoess
diff --git a/‎.github/workflows/cross-impl-jcs.yml‎
Lines changed: 95 additions & 0 deletions b/‎.github/workflows/cross-impl-jcs.yml‎
Lines changed: 95 additions & 0 deletions
diff --git a/‎tests/cross_impl/__init__.py‎ b/‎tests/cross_impl/__init__.py‎
diff --git a/‎tests/cross_impl/gen_vectors.py‎
Lines changed: 111 additions & 0 deletions b/‎tests/cross_impl/gen_vectors.py‎
Lines changed: 111 additions & 0 deletions
diff --git a/‎tests/cross_impl/jcs-test-vectors.json‎
Lines changed: 146 additions & 0 deletions b/‎tests/cross_impl/jcs-test-vectors.json‎
Lines changed: 146 additions & 0 deletions
@@ -0,0 +1,95 @@
+name: cross-impl JCS byte-match
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "src/agent_passport/canonical.py"
+      - "src/agent_passport/v2/attribution_primitive/canonical.py"
+      - "tests/cross_impl/**"
+      - ".github/workflows/cross-impl-jcs.yml"
+  pull_request:
+    branches: [main]
+    paths:
+      - "src/agent_passport/canonical.py"
+      - "src/agent_passport/v2/attribution_primitive/canonical.py"
+      - "tests/cross_impl/**"
+      - ".github/workflows/cross-impl-jcs.yml"
+  workflow_dispatch: {}
+
+jobs:
+  byte-match:
+    name: Python SDK ↔ rfc8785@0.1.4 ↔ canonicalize@3.0.0
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Setup Node (for canonicalize@3.0.0 cross-check)
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Install Python SDK + deps
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e .
+          pip install pytest "rfc8785==0.1.4"
+
+      - name: Install canonicalize@3.0.0 (Node reference)
+        run: npm install --no-save --no-audit --no-fund canonicalize@3.0.0
+
+      - name: Python test — SDK canonicalize_jcs vs rfc8785@0.1.4
+        run: pytest tests/cross_impl/test_jcs_equivalence.py -v
+
+      - name: Node test — canonicalize@3.0.0 vs pinned manifest
+        # Asserts erdtman's canonicalize@3.0.0 (npm) byte-matches the same
+        # pinned manifest the Python SDK is validated against. Mismatch here
+        # means either canonicalize@3.0.0 has shifted (which would break the
+        # TypeScript SDK's cross-impl-jcs gate downstream) or the manifest
+        # has drifted. Either signal worth surfacing as a hard CI failure.
+        run: |
+          node - <<'JS'
+          import('canonicalize').then(async (mod) => {
+            const canonicalize = mod.default;
+            const { createHash } = await import('node:crypto');
+            const { readFileSync } = await import('node:fs');
+            const m = JSON.parse(readFileSync('tests/cross_impl/jcs-test-vectors.json', 'utf8'));
+            let fail = 0;
+            for (const v of m.vectors) {
+              const bytes = canonicalize(v.input);
+              const hash = createHash('sha256').update(bytes, 'utf8').digest('hex');
+              if (bytes !== v.expected_canonical_bytes) {
+                console.log(`FAIL ${v.id}: bytes mismatch`);
+                console.log(`  pinned:        ${v.expected_canonical_bytes}`);
+                console.log(`  canonicalize:  ${bytes}`);
+                fail++;
+              }
+              if (hash !== v.expected_sha256) {
+                console.log(`FAIL ${v.id}: sha256 mismatch`);
+                console.log(`  pinned:        ${v.expected_sha256}`);
+                console.log(`  canonicalize:  ${hash}`);
+                fail++;
+              }
+            }
+            const total = m.vectors.length;
+            if (fail) {
+              console.log(`\nFAILED: ${fail} divergence(s) across ${total} vectors`);
+              process.exit(1);
+            }
+            console.log(`\nOK: canonicalize@3.0.0 byte-matches all ${total} pinned vectors`);
+          });
+          JS
+
+      - name: Three-way assertion (Python SDK ≡ rfc8785 ≡ canonicalize@3.0.0)
+        run: |
+          echo "Py test:  Python SDK canonicalize_jcs ≡ rfc8785@0.1.4"
+          echo "Node test: canonicalize@3.0.0 (erdtman, RFC 8785 author) ≡ pinned manifest"
+          echo "Pinned:    manifest pinned to rfc8785@0.1.4 + canonicalize@3.0.0 byte-match"
+          echo "Therefore Python SDK ≡ rfc8785@0.1.4 ≡ canonicalize@3.0.0 byte-for-byte."
@@ -0,0 +1,111 @@
+"""Generate pinned expected canonical bytes + SHA-256 from rfc8785@0.1.4.
+
+This produces a JSON manifest that the SDK's cross-impl test asserts against
+in BOTH TypeScript and Python. The Node-side reference (canonicalize@3.0.0)
+must produce byte-identical output; the SDK's strict-JCS impl
+(canonicalHashJCS in TS, canonicalize_jcs in Python) must too.
+"""
+import hashlib
+import json
+import sys
+
+import rfc8785
+
+VECTORS = [
+    {
+        "id": "v01-simple",
+        "description": "Simple object, no nulls — variants identical (sanity baseline).",
+        "input": {"agentId": "agent-001", "scope": "read"},
+    },
+    {
+        "id": "v02-null-preserved",
+        "description": "Null value at top level — JCS preserves, legacy strips. Divergence vector.",
+        "input": {"agentId": "agent-001", "metadata": None, "scope": "read"},
+    },
+    {
+        "id": "v03-key-order",
+        "description": "Keys MUST be sorted by Unicode code point.",
+        "input": {"zebra": 1, "alpha": 2, "middle": 3},
+    },
+    {
+        "id": "v04-nested-null",
+        "description": "Null at depth inside nested object.",
+        "input": {"outer": {"inner": None, "value": 42}, "top": "ok"},
+    },
+    {
+        "id": "v05-array-null",
+        "description": "Null elements inside arrays. Both variants preserve array nulls.",
+        "input": {"items": [1, None, 3]},
+    },
+    {
+        "id": "v06-numbers",
+        "description": "Mixed integer + signed + fractional + zero numeric serialization.",
+        "input": {"integer": 42, "negative": -7, "float": 3.14, "zero": 0},
+    },
+    {
+        "id": "v07-empties",
+        "description": "Empty object and empty array.",
+        "input": {"emptyArr": [], "emptyObj": {}},
+    },
+    {
+        "id": "v08-unicode",
+        "description": "Non-ASCII content in keys and values; UTF-8 bytes emitted literally per RFC 8785 §3.2.2.2.",
+        "input": {"name": "Тимофій", "emoji": "🔐"},
+    },
+    {
+        "id": "v09-action-ref-tuple",
+        "description": "I-D §4.1 action_ref pre-image shape — production-like input.",
+        "input": {
+            "agentId": "did:aps:z6Mkfoo",
+            "actionType": "code_execution",
+            "scopeRequired": ["commerce:read", "commerce:write"],
+            "timestamp": "2026-05-21T00:00:00Z",
+        },
+    },
+    {
+        "id": "v10-attribution-tuple",
+        "description": "ATTRIBUTION-PRIMITIVE-v1.1 §1.6 four-tuple shape with null in params.",
+        "input": {
+            "agentId": "a",
+            "actionType": "t",
+            "params": {"k": None, "v": 1},
+            "nonce": "n0",
+        },
+    },
+    {
+        "id": "v11-string-escapes",
+        "description": "Tab (U+0009) and newline (U+000A) escapes per RFC 8785 §3.2.2.2.",
+        "input": {"raw": "line1\tcol2\nline3"},
+    },
+    {
+        "id": "v12-booleans",
+        "description": "Boolean values are serialized as 'true' / 'false'.",
+        "input": {"active": True, "revoked": False},
+    },
+]
+
+
+def main():
+    out = {
+        "generator": "rfc8785@0.1.4 (Python)",
+        "spec": "RFC 8785 JSON Canonicalization Scheme (JCS)",
+        "hash": "SHA-256, lowercase hex",
+        "vectors": [],
+    }
+    for v in VECTORS:
+        canon_bytes = rfc8785.dumps(v["input"])
+        canon_str = canon_bytes.decode("utf-8") if isinstance(canon_bytes, bytes) else canon_bytes
+        digest = hashlib.sha256(canon_str.encode("utf-8")).hexdigest()
+        out["vectors"].append({
+            "id": v["id"],
+            "description": v["description"],
+            "input": v["input"],
+            "expected_canonical_bytes": canon_str,
+            "expected_sha256": digest,
+        })
+    json.dump(out, sys.stdout, indent=2, ensure_ascii=False)
+    sys.stdout.write("\n")
+
+
+if __name__ == "__main__":
+    main()
@@ -0,0 +1,146 @@
+{
+  "generator": "rfc8785@0.1.4 (Python)",
+  "spec": "RFC 8785 JSON Canonicalization Scheme (JCS)",
+  "hash": "SHA-256, lowercase hex",
+  "vectors": [
+    {
+      "id": "v01-simple",
+      "description": "Simple object, no nulls — variants identical (sanity baseline).",
+      "input": {
+        "agentId": "agent-001",
+        "scope": "read"
+      },
+      "expected_canonical_bytes": "{\"agentId\":\"agent-001\",\"scope\":\"read\"}",
+      "expected_sha256": "598fa19ccadbc8df940a9cde9bff497c094ff209818b2bc36e5fac8d5cc2f477"
+    },
+    {
+      "id": "v02-null-preserved",
+      "description": "Null value at top level — JCS preserves, legacy strips. Divergence vector.",
+      "input": {
+        "agentId": "agent-001",
+        "metadata": null,
+        "scope": "read"
+      },
+      "expected_canonical_bytes": "{\"agentId\":\"agent-001\",\"metadata\":null,\"scope\":\"read\"}",
+      "expected_sha256": "52a6250f9b8d4df9654556cb46fcf3a6b3829693643578bacfa344831cc6d99d"
+    },
+    {
+      "id": "v03-key-order",
+      "description": "Keys MUST be sorted by Unicode code point.",
+      "input": {
+        "zebra": 1,
+        "alpha": 2,
+        "middle": 3
+      },
+      "expected_canonical_bytes": "{\"alpha\":2,\"middle\":3,\"zebra\":1}",
+      "expected_sha256": "8279885d9e6f748807a4a8838376aad819aee964979d576d496aa9a67ea2bd6a"
+    },
+    {
+      "id": "v04-nested-null",
+      "description": "Null at depth inside nested object.",
+      "input": {
+        "outer": {
+          "inner": null,
+          "value": 42
+        },
+        "top": "ok"
+      },
+      "expected_canonical_bytes": "{\"outer\":{\"inner\":null,\"value\":42},\"top\":\"ok\"}",
+      "expected_sha256": "02f4d61eb43de15b3680d6c9d2e1852ba3947e78521c2ba7de8e4afb640ef043"
+    },
+    {
+      "id": "v05-array-null",
+      "description": "Null elements inside arrays. Both variants preserve array nulls.",
+      "input": {
+        "items": [
+          1,
+          null,
+          3
+        ]
+      },
+      "expected_canonical_bytes": "{\"items\":[1,null,3]}",
+      "expected_sha256": "df088e3ff71850c361e768d9ca5141426005ad9497b6d4cf6ec3e082fe663e75"
+    },
+    {
+      "id": "v06-numbers",
+      "description": "Mixed integer + signed + fractional + zero numeric serialization.",
+      "input": {
+        "integer": 42,
+        "negative": -7,
+        "float": 3.14,
+        "zero": 0
+      },
+      "expected_canonical_bytes": "{\"float\":3.14,\"integer\":42,\"negative\":-7,\"zero\":0}",
+      "expected_sha256": "35c2f03aed2d77e96b1e301c3ead65d8212d3a27f0776e9c85bb0e74414a904b"
+    },
+    {
+      "id": "v07-empties",
+      "description": "Empty object and empty array.",
+      "input": {
+        "emptyArr": [],
+        "emptyObj": {}
+      },
+      "expected_canonical_bytes": "{\"emptyArr\":[],\"emptyObj\":{}}",
+      "expected_sha256": "2e49ff7a9de29f7f42b6cfb0e7a9826b5743d888aed3029df47b773b4393d0d4"
+    },
+    {
+      "id": "v08-unicode",
+      "description": "Non-ASCII content in keys and values; UTF-8 bytes emitted literally per RFC 8785 §3.2.2.2.",
+      "input": {
+        "name": "Тимофій",
+        "emoji": "🔐"
+      },
+      "expected_canonical_bytes": "{\"emoji\":\"🔐\",\"name\":\"Тимофій\"}",
+      "expected_sha256": "f04c986f5b3862ad3c6ee7b26b54846bad39e101a27e98f72772023c40584fc6"
+    },
+    {
+      "id": "v09-action-ref-tuple",
+      "description": "I-D §4.1 action_ref pre-image shape — production-like input.",
+      "input": {
+        "agentId": "did:aps:z6Mkfoo",
+        "actionType": "code_execution",
+        "scopeRequired": [
+          "commerce:read",
+          "commerce:write"
+        ],
+        "timestamp": "2026-05-21T00:00:00Z"
+      },
+      "expected_canonical_bytes": "{\"actionType\":\"code_execution\",\"agentId\":\"did:aps:z6Mkfoo\",\"scopeRequired\":[\"commerce:read\",\"commerce:write\"],\"timestamp\":\"2026-05-21T00:00:00Z\"}",
+      "expected_sha256": "956fb10ca09e093086c856517a8f93c11416f5b84b0a01634bc5ebfff41670d3"
+    },
+    {
+      "id": "v10-attribution-tuple",
+      "description": "ATTRIBUTION-PRIMITIVE-v1.1 §1.6 four-tuple shape with null in params.",
+      "input": {
+        "agentId": "a",
+        "actionType": "t",
+        "params": {
+          "k": null,
+          "v": 1
+        },
+        "nonce": "n0"
+      },
+      "expected_canonical_bytes": "{\"actionType\":\"t\",\"agentId\":\"a\",\"nonce\":\"n0\",\"params\":{\"k\":null,\"v\":1}}",
+      "expected_sha256": "c0686ef2cbb2b1c38b149598c50a60b0c01c2fd0ef9fd35f81eabb1aced6d591"
+    },
+    {
+      "id": "v11-string-escapes",
+      "description": "Tab (U+0009) and newline (U+000A) escapes per RFC 8785 §3.2.2.2.",
+      "input": {
+        "raw": "line1\tcol2\nline3"
+      },
+      "expected_canonical_bytes": "{\"raw\":\"line1\\tcol2\\nline3\"}",
+      "expected_sha256": "87d59a36d71d2c4e2bebe9b0badb8d1e028e8b925cfdec41c824d6f874853922"
+    },
+    {
+      "id": "v12-booleans",
+      "description": "Boolean values are serialized as 'true' / 'false'.",
+      "input": {
+        "active": true,
+        "revoked": false
+      },
+      "expected_canonical_bytes": "{\"active\":true,\"revoked\":false}",
+      "expected_sha256": "9135447f8ef8e76a18f1e9b8457c3764002d36b2bf247a0f2ee9eb836dddcd4f"
+    }
+  ]
+}