Metadata-Version: 2.4
Name: ghostseal
Version: 1.0.0
Summary: Canonical cryptographic primitives for the GhostLogic stack (Tier 1).
Project-URL: Specification, https://github.com/adam-scott-thomas/ghostlogic-spec/blob/main/ghostseal-v1-spec.md
Author: GhostLogic
License: Proprietary
Keywords: canonical-serialization,ed25519,forensics,hmac
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security :: Cryptography
Requires-Python: >=3.10
Requires-Dist: cryptography>=3.4
Provides-Extra: dev
Requires-Dist: httpx>=0.24; extra == 'dev'
Requires-Dist: mypy>=1.10; extra == 'dev'
Requires-Dist: pytest>=8; extra == 'dev'
Requires-Dist: ruff>=0.5; extra == 'dev'
Provides-Extra: legacy
Requires-Dist: httpx>=0.24; extra == 'legacy'
Description-Content-Type: text/markdown

# ghostseal

Canonical cryptographic primitives for the GhostLogic stack — Tier 1.

This package is the single source of cryptographic truth that
LEDGER_PROTOCOL.md anchors to. Every implementation that ingests into
Blackbox (logicd, node-agent-watchdog, future agents in other runtimes)
calls into ghostseal for canonical serialization, hashing, sealing, and
signing. Byte-equality across language runtimes is the load-bearing
guarantee (cross-impl item 106) — if two impls compute different
canonical bytes for the same logical object, ghostseal is wrong, not the
caller.

## Specification

Authoritative contract lives at
`/home/contact/ghostlogic-spec/ghostseal-v1-spec.md`. This package is
the Python implementation of that spec; the Node parity package
`@ghostlogic/ghostseal` is the sibling implementation.

## Status

Phase 1 (the public surface from §3 plus a conformance corpus per §10) —
in progress. See [PROGRESS.md](./PROGRESS.md).

## Non-goals

- ghostseal does NOT do HTTP. The legacy 0.1.0 `SealClient` is retained
  under `ghostseal.legacy` but new callers ship via their own HTTP path.
- ghostseal does NOT manage secrets at rest. Callers pass keys in; key
  storage (keyring, env, file) is the caller's concern.
- ghostseal does NOT define wire schemas beyond what sealing requires.
