Metadata-Version: 2.4
Name: gaas-spec
Version: 0.1.0
Summary: Reference validator, signer, and verifier for the auth.md governance file convention (spec 0.1)
Project-URL: Homepage, https://github.com/H2OmAI/authmd
Project-URL: Specification, https://github.com/H2OmAI/authmd
Project-URL: Repository, https://github.com/H2OmAI/gaas
Author-email: H2Om <sdk@gaas.is>
License-Expression: Apache-2.0
Keywords: agents,ai,auth.md,gaas,governance,policy-as-code
Classifier: Development Status :: 4 - Beta
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Typing :: Typed
Requires-Python: >=3.11
Requires-Dist: cryptography>=43.0.0
Requires-Dist: jsonschema>=4.21.0
Requires-Dist: pyyaml>=6.0.0
Provides-Extra: dev
Requires-Dist: pytest>=8.3.0; extra == 'dev'
Description-Content-Type: text/markdown

# gaas-spec

Reference validator, signer, and verifier for the **auth.md governance file convention** — spec 0.1.

The convention: a `.gaas/` directory (`auth.md`, `policy.md`, `audit.md`, `escalation.md`, `attestation.sig`) declaring how an AI agent is governed — readable by people, validated and enforced by machines, signed like a release. Spec, schemas, and conformance fixtures: **[github.com/H2OmAI/authmd](https://github.com/H2OmAI/authmd)**.

Local-only: no network, no API key. Suitable for CI.

## Install

```bash
pip install gaas-spec
```

## CLI

```bash
gaas validate            # validate ./.gaas (or: gaas validate path/to/repo)
gaas sign --key org-key.pem --key-id acme-2026
gaas verify --pub acme-2026=org-pub.pem
```

`validate` exits non-zero with findings when the bundle doesn't conform — wire it straight into CI. `sign` refuses non-conforming bundles. `verify` checks every file hash against the attestation manifest before checking signatures, so a tampered bundle fails loudly.

## Library

```python
from gaas_spec import parse_bundle, validate, sign, verify

bundle = parse_bundle(".")           # finds ./.gaas
findings = validate(bundle)          # [] means conforming
attestation = sign(bundle, private_key_pem, key_id="acme-2026", signer="org")
results = verify(bundle, attestation, {"acme-2026": public_key_pem})
```

## Conformance

This package vendors the spec repo's fixtures and runs them in its test suite — it is the reference implementation and must agree with the fixtures at all times. Signing is ES256 (ECDSA P-256 + SHA-256) over an RFC 8785 canonical-JSON manifest hash, per SPEC-attestation.md.

## License

Apache-2.0. The spec text itself is CC BY 4.0 at the spec repo.
