From 82a87276c92bb898f39b5f06b86350fc9f7b50ee Mon Sep 17 00:00:00 2001 From: Keysat Date: Fri, 19 Jun 2026 14:04:43 -0500 Subject: [PATCH] Handoff: Go SDK v0.2.0 published + sites redeployed; Python PyPI upload pending --- AGENTS.md | 21 +++++++++++++-------- ROADMAP.md | 2 +- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index d25dd8e..d3b5622 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -73,6 +73,9 @@ Run `git remote -v` (full) and check what the branch tracks before pushing. Keysat (Grant), not Claude** — git user is `Keysat`. - Direct push to `main` + run `~/.keysat/publish.sh` is the authorized release flow until launch. +- **SDK releases are independent + manual** (no `publish.sh` equivalent): Go via a pushed + git tag (go-proxy serves from GitHub); Python via `pyproject.toml` + twine→PyPI; TS via + npm; Rust via crates.io — the operator runs each with their own registry credentials. - Never rewrite user-facing copy outside the explicit scope of a request. ## Never 
@@ -117,11 +120,13 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/ (DB narrows, never widens; `clamp_to_signed_ceiling`). (2) An expired/tampered self-license lingered until restart; now re-verified each refresh and demoted like revoked/suspended. Crypto + offline master key confirmed sound (no signature-forgery path). Commit messages kept **generic** per operator request. -- **Also this session — SDK offline-expiry parity resolved (source).** Python (`Verifier.verify_with_time`) + Go - (`ParseAndVerifyAt` + `ErrExpired`) now reject expired keys offline, matching Rust/TS; tests + examples + - READMEs updated, all green, pushed to GitHub + gitea. **Not yet published** to PyPI / go-proxy (→ ROADMAP). -- **Next (priority):** 1) publish Python + Go SDK releases (PyPI bump + Go semver tag) so the expiry fix reaches - consumers. 2) email Start9 re: license + 0.4.x build flow (gates registry submission). 3) eval P2 hardening - (XFF rate-limit, dep bumps, admin/public port split). 4) split `audit:read` scope. -- **Tests/build:** daemon `cargo test` green (~125 across 8 suites, incl. 5 new self-license clamp unit tests); - wrapper `tsc` clean; Python SDK pytest 14 green + Go SDK `go test` green (both incl. new expiry tests). No CI. +- **SDK offline-expiry parity resolved + Go published.** Python `Verifier.verify_with_time` + Go + `ParseAndVerifyAt`/`ErrExpired` now reject expired keys offline, matching Rust/TS (reviewer-approved). **Go + published** as tag `v0.2.0` (go-proxy). **Python `0.3.0` is ready in-repo but NOT on PyPI** — upload needs the + operator's token (no twine/creds in-session). Both public sites redeployed (landing + docs, 200). +- **Next (priority):** 1) operator uploads Python SDK `0.3.0` to PyPI (`python -m build` + `twine upload`, your + token). 2) email Start9 re: license + 0.4.x build flow (registry submission). 3) eval P2 hardening (XFF + rate-limit, dep bumps, admin/public port split). 4) split `audit:read` scope. 
(Nice-to-have: document the new + SDK verify methods in keysat-docs.) +- **Tests/build:** daemon `cargo test` green (~125 / 8 suites, incl. 5 new self-license clamp tests); wrapper + `tsc` clean; Python SDK pytest 14 green + Go `go test` green (both incl. new expiry tests). No CI. diff --git a/ROADMAP.md b/ROADMAP.md index ce9aa5f..3682ddd 100644 --- a/ROADMAP.md +++ b/ROADMAP.md 
@@ -91,4 +91,4 @@ Longer-term backlog. Near-term state lives in `AGENTS.md` → Current state. - Re-test `KEYSAT_INTEGRATION.md` against a fresh downstream app to confirm a clean one-shot SDK integration. - **Add an automated regression test for multi-profile webhook routing** (adjudicated 2026-06-17 → DO, low blast radius — replaces the parked "manual Zaprite sandbox pass"). The routing is a deterministic provider-id→profile primary-key lookup with an anti-forgery re-fetch backstop, so the manual sandbox ceremony isn't worth it — but the path-keyed route (`/v1/{provider}/webhook/:provider_id` → `handle_for_provider`) currently has zero automated coverage on the money path. Plan: in `tests/api.rs`, reuse the two-provider fixture (~:3958), POST a Settled webhook to `/v1/zaprite/webhook/{provider-A-id}`, assert only profile A settles (B untouched; an unknown path-id 404s). Existing mock seam, no external account, runs in `cargo test`. Effort S. -- **Publish the Python + Go SDK releases carrying offline-expiry rejection.** Code landed 2026-06-19 (Python `Verifier.verify_with_time`, Go `ParseAndVerifyAt` + `ErrExpired`, both with tests, examples, and READMEs updated, mirroring Rust/TS `verify_with_time`/`verifyWithTime`) and is pushed to GitHub + gitea — but consumers won't get it until a release: bump `pyproject.toml` + build/twine-upload to PyPI (Python); push a new semver tag (Go, proxy.golang.org picks it up). Additive, non-breaking — minor bump. Consider matching the Rust/TS SDK versions if they're being cut too. (Online `/v1/validate` already enforces expiry for every SDK, so unupgraded offline integrators are the only exposure.) +- **Upload the Python SDK `0.3.0` to PyPI** (carries the offline-expiry `verify_with_time`). The Go SDK already shipped 2026-06-19 as tag `v0.2.0` (go-proxy serves it from GitHub); Python is ready in-repo but not on PyPI — `python -m build` + `twine upload` with the operator's PyPI token (no creds in-session). 
`keysat-licensing-client` is not yet on PyPI, so `0.3.0` is the first upload. Additive, non-breaking. (Online `/v1/validate` already enforces expiry for every SDK, so unupgraded offline integrators are the only exposure.)
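Review bot: in the AGENTS.md hunk at @@ -73,6 +73,9, the new "SDK releases are independent + manual" bullet names four registries but no pre-publish check, and the Go path is the least forgiving of the four. Once proxy.golang.org has served a tag, that version's content is cached and recorded in the checksum database, so moving the tag later does not replace what consumers receive and can produce checksum mismatches. Suggest adding that a Go tag is pushed only from a commit already on `main` with tests green, and that a bad release is corrected by a new version (with a `retract` directive in `go.mod`), never by re-tagging. "Their own registry credentials" would also be clearer with a clause that these credentials are not kept in the repo or available in-session, which the patch states only for PyPI.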
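Review bot: in the AGENTS.md hunk at @@ -117,11 +120,13, "Next (priority)" item 1 gives the upload commands but not what to build from or how to check the result, and the same hunk records "No CI", so the uploaded artifact is only as trustworthy as the operator's working tree. Suggest stating that `python -m build` runs in a clean checkout of the commit that passed the 14 pytest tests, that `twine check dist/*` runs before `twine upload`, and that the commit hash is recorded next to `0.3.0` the way the Go release is pinned by tag `v0.2.0`. Two wording points in the same lines: "your token" should read "the operator's token" to match the sentence above it, and item 2 changed "(gates registry submission)" to "(registry submission)", which drops the dependency the old text stated; restore "gates" if it still holds.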
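Review bot: in the ROADMAP.md hunk at @@ -91,4 +91,4, the closing sentence says `keysat-licensing-client` is not yet on PyPI, which means the name is unclaimed until the `0.3.0` upload, and the bullet should flag that: any README or docs that already tell users to install the package by that name point at a name the project does not yet control. Also worth a clause: PyPI issues project-scoped API tokens only for projects that already exist, so the first upload needs an account-wide token; suggest noting that it is replaced with a token scoped to `keysat-licensing-client` right after the upload. The rewrite also drops "minor bump" and the suggestion to align with the Rust/TS SDK versions from the removed line; if that version policy still applies, keep one clause for it.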