Fix the three red binding/pages CI workflows (all pre-existing)

python-binding, wasm-binding, and pages had been red since the bindings
landed (2026-05-20) — none related to the 0.5 crypto work. Root causes:

Code drift vs the current pqf-reader API (the real CI compile errors):
- Both bindings referenced a removed `Header.alg` field. The reader
  validates then discards the alg identifiers, so a parsed header is
  guaranteed conformant. Expose them as canonical pub consts
  (ALG_AEAD/COMBINER/KDF/KEM/SIG) from pqf-reader and have both bindings
  report those — single source of truth, no re-drift.
- wasm: chunk_size is u64 (cast to u32 for the JS view).
- python: SignerEntry fields are ed25519_pub/mldsa87_pub, not
  classical_pub/pqc_pub (kept the spec-named dict keys).

Build-config fixes:
- wasm: aes-gcm pulls getrandom 0.2, which needs the "js" feature on
  wasm32-unknown-unknown.
- python: pyo3 0.22 gates the &PyDict/&PyBytes GIL-ref API this binding
  uses behind the "gil-refs" feature.
- python: pyproject license pointed at ../../LICENSE (outside the project);
  newer maturin rejects it — use the SPDX `license = "MIT"` string.
- python-binding.yml: `maturin develop` needs an active virtualenv; create
  and activate one (cross-platform). Also update the smoke-test combiner
  assertion to pqf1-bind-extract-v1.

Verified locally: reader conformance still 47/47; wasm builds for
wasm32-unknown-unknown; python `maturin develop` + smoke parses and
decrypts TV-001 (4291 bytes) under the new bind-extract crypto.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: systemslibrarian

.github/workflows/python-binding.yml

@@ -46,17 +46,16 @@ jobs:
             impl/rust/pqf-reader/target
           key: ${{ runner.os }}-py${{ matrix.python }}-cargo-${{ hashFiles('bindings/python/Cargo.toml', 'impl/rust/pqf-reader/Cargo.toml') }}
 
-      - name: Install maturin
-        run: pip install --upgrade pip maturin
-
-      - name: Build + install the binding into the venv
-        working-directory: bindings/python
-        run: maturin develop --release
-
-      - name: Smoke test (import + parse a vector)
+      - name: Build binding + smoke test (in a venv)
         working-directory: bindings/python
         shell: bash
         run: |
+          # maturin develop requires an active virtualenv; create and activate
+          # one (cross-platform: bin/ on unix, Scripts/ on windows runners).
+          python -m venv .venv
+          if [ -f .venv/bin/activate ]; then source .venv/bin/activate; else source .venv/Scripts/activate; fi
+          python -m pip install --upgrade pip maturin
+          maturin develop --release
           python - <<'PY'
           import pqf, json, pathlib
           repo = pathlib.Path("../..").resolve()
@@ -65,7 +64,7 @@ jobs:
           blob = path.read_bytes()
           header = pqf.parse_header(blob)
           assert header["alg"]["kem"] == "x25519+ml-kem-1024", header
-          assert header["alg"]["combiner"] == "pqf1-concat-extract-v1"
+          assert header["alg"]["combiner"] == "pqf1-bind-extract-v1"
           assert len(header["recipients"]) >= 1
           print("OK: pqf.parse_header round-trips on TV-001")
 

bindings/python/.gitignore

@@ -0,0 +1,3 @@
+/target
+Cargo.lock
+.venv/

bindings/python/Cargo.toml

@@ -13,5 +13,7 @@ crate-type = ["cdylib"]
 path = "src/lib.rs"
 
 [dependencies]
-pyo3 = { version = "0.22", features = ["extension-module", "abi3-py38"] }
+# gil-refs re-enables the deprecated &PyDict / &PyBytes GIL-ref API this
+# binding is written against (PyDict::new, PyBytes::new, &'py PyDict returns).
+pyo3 = { version = "0.22", features = ["extension-module", "abi3-py38", "gil-refs"] }
 pqf-reader = { path = "../../impl/rust/pqf-reader" }

bindings/python/pyproject.toml

@@ -7,15 +7,14 @@ name = "pqf"
 version = "0.1.0"
 description = "Python bindings for the PQF (PostQuantum.FileFormat) Rust reader"
 requires-python = ">=3.8"
-license = { file = "../../LICENSE" }
+license = "MIT"
 authors = [
     { name = "Paul Clark", email = "systemslibrarian@gmail.com" }
 ]
 keywords = ["post-quantum", "cryptography", "file-format", "hybrid", "ml-kem", "ml-dsa"]
 classifiers = [
     "Development Status :: 3 - Alpha",
     "Intended Audience :: Developers",
-    "License :: OSI Approved :: MIT License",
     "Programming Language :: Python :: 3",
     "Programming Language :: Rust",
     "Topic :: Security :: Cryptography",

bindings/python/src/lib.rs

@@ -16,7 +16,10 @@
 //!     identity = pqf.Identity.from_manifest("id-a", pub_b64, x25519_b64, mlkem_b64)
 //!     plaintext = pqf.decrypt(open("a.pqf","rb").read(), identity)
 
-use pqf_reader::{decrypt as rust_decrypt, parse as rust_parse, Identity as RustIdentity};
+use pqf_reader::{
+    decrypt as rust_decrypt, parse as rust_parse, Identity as RustIdentity, ALG_AEAD, ALG_COMBINER,
+    ALG_KDF, ALG_KEM, ALG_SIG,
+};
 use pyo3::exceptions::{PyRuntimeError, PyValueError};
 use pyo3::prelude::*;
 use pyo3::types::{PyBytes, PyDict, PyList};
@@ -51,12 +54,15 @@ fn parse_header<'py>(py: Python<'py>, file_bytes: &[u8]) -> PyResult<&'py PyDict
     let h = &parsed.header;
     let out = PyDict::new(py);
 
+    // A parsed header is guaranteed to carry exactly the v1 algorithm
+    // identifiers (the reader refuses anything else), so report them from the
+    // reader's canonical constants rather than re-reading the header.
     let alg = PyDict::new(py);
-    alg.set_item("aead", &h.alg.aead)?;
-    alg.set_item("combiner", &h.alg.combiner)?;
-    alg.set_item("kdf", &h.alg.kdf)?;
-    alg.set_item("kem", &h.alg.kem)?;
-    alg.set_item("sig", &h.alg.sig)?;
+    alg.set_item("aead", ALG_AEAD)?;
+    alg.set_item("combiner", ALG_COMBINER)?;
+    alg.set_item("kdf", ALG_KDF)?;
+    alg.set_item("kem", ALG_KEM)?;
+    alg.set_item("sig", ALG_SIG)?;
     out.set_item("alg", alg)?;
 
     out.set_item("chunk_size", h.chunk_size)?;
@@ -71,8 +77,8 @@ fn parse_header<'py>(py: Python<'py>, file_bytes: &[u8]) -> PyResult<&'py PyDict
 
     if let Some(signer) = &h.signer {
         let s = PyDict::new(py);
-        s.set_item("classical_pub", PyBytes::new(py, &signer.classical_pub))?;
-        s.set_item("pqc_pub", PyBytes::new(py, &signer.pqc_pub))?;
+        s.set_item("classical_pub", PyBytes::new(py, &signer.ed25519_pub))?;
+        s.set_item("pqc_pub", PyBytes::new(py, &signer.mldsa87_pub))?;
         out.set_item("signer", s)?;
     } else {
         out.set_item("signer", py.None())?;

bindings/wasm/.gitignore

@@ -0,0 +1,3 @@
+/target
+Cargo.lock
+pkg/

bindings/wasm/Cargo.toml

@@ -17,6 +17,9 @@ serde = { version = "1", features = ["derive"] }
 serde-wasm-bindgen = "0.6"
 pqf-reader = { path = "../../impl/rust/pqf-reader" }
 console_error_panic_hook = { version = "0.1", optional = true }
+# aes-gcm (via the reader) pulls getrandom 0.2; the wasm32-unknown-unknown
+# target needs its "js" backend explicitly enabled to build.
+getrandom = { version = "0.2", features = ["js"] }
 
 [features]
 default = ["console_error_panic_hook"]

bindings/wasm/src/lib.rs

@@ -7,7 +7,10 @@
 //! payload. See demo/index.html for a minimal "paste a file, see the
 //! header" page that loads them directly.
 
-use pqf_reader::{decrypt as rust_decrypt, parse as rust_parse, Identity as RustIdentity};
+use pqf_reader::{
+    decrypt as rust_decrypt, parse as rust_parse, Identity as RustIdentity, ALG_AEAD, ALG_COMBINER,
+    ALG_KDF, ALG_KEM, ALG_SIG,
+};
 use serde::Serialize;
 use wasm_bindgen::prelude::*;
 
@@ -46,14 +49,17 @@ pub fn parse_header(file_bytes: &[u8]) -> Result<JsValue, JsError> {
     let parsed = rust_parse(file_bytes).map_err(map_err)?;
     let h = &parsed.header;
     let js = HeaderJs {
+        // A parsed header is guaranteed to carry exactly the v1 algorithm
+        // identifiers (the reader refuses anything else), so report them from
+        // the reader's canonical constants rather than re-reading the header.
         alg: AlgJs {
-            aead: h.alg.aead.clone(),
-            combiner: h.alg.combiner.clone(),
-            kdf: h.alg.kdf.clone(),
-            kem: h.alg.kem.clone(),
-            sig: h.alg.sig.clone(),
+            aead: ALG_AEAD.to_string(),
+            combiner: ALG_COMBINER.to_string(),
+            kdf: ALG_KDF.to_string(),
+            kem: ALG_KEM.to_string(),
+            sig: ALG_SIG.to_string(),
         },
-        chunk_size: h.chunk_size,
+        chunk_size: h.chunk_size as u32,
         created: h.created.clone(),
         file_id_hex: hex_lower(&h.file_id),
         recipient_count: h.recipients.len(),

impl/rust/pqf-reader/src/header.rs

@@ -21,12 +21,23 @@ const KNOWN_TOP_FIELDS: &[&str] = &[
     "signer",
 ];
 
+// The exact algorithm identifiers a conformant PQF v1 header carries. A
+// successfully parsed `Header` is guaranteed to match these (the parser refuses
+// any other values), so consumers that want to display the algorithm suite can
+// rely on these constants instead of re-deriving — and stay in sync if the
+// suite ever changes. Exposed via the crate root.
+pub const ALG_AEAD: &str = "aes-256-gcm-chunked";
+pub const ALG_COMBINER: &str = "pqf1-bind-extract-v1";
+pub const ALG_KDF: &str = "hkdf-sha256";
+pub const ALG_KEM: &str = "x25519+ml-kem-1024";
+pub const ALG_SIG: &str = "ed25519+ml-dsa-87";
+
 const ALG_REQUIRED: &[(&str, &str)] = &[
-    ("aead", "aes-256-gcm-chunked"),
-    ("combiner", "pqf1-bind-extract-v1"),
-    ("kdf", "hkdf-sha256"),
-    ("kem", "x25519+ml-kem-1024"),
-    ("sig", "ed25519+ml-dsa-87"),
+    ("aead", ALG_AEAD),
+    ("combiner", ALG_COMBINER),
+    ("kdf", ALG_KDF),
+    ("kem", ALG_KEM),
+    ("sig", ALG_SIG),
 ];
 
 const RECIPIENT_FIELDS: &[&str] = &["classical_epk", "pqc_ct", "wrapped_dek", "wrapped_dek_nonce"];

impl/rust/pqf-reader/src/lib.rs

@@ -24,6 +24,8 @@ pub mod identity;
 pub mod reader;
 
 pub use error::{PqfError, RefusalReason, Result};
-pub use header::{Header, RecipientEntry, SignerEntry};
+pub use header::{
+    Header, RecipientEntry, SignerEntry, ALG_AEAD, ALG_COMBINER, ALG_KDF, ALG_KEM, ALG_SIG,
+};
 pub use identity::Identity;
 pub use reader::{decrypt, parse, ParsedFile};