gabriel / muse public
test_provenance.py python
204 lines 7.5 KB
Raw
sha256:660fcac1df3ab28f61862e961890bd2ca8b754fa0242079d93ca1e25037ec8a6 chore(tests): add docstring to tests/__init__.py so rc14 tr… Human 26 days ago
1 """Tests for muse.core.provenance — AgentIdentity, Ed25519 signing."""
2
3 import base64
4 import datetime
5
6 import pytest
7 from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
8 from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
9
10 from muse.core.provenance import (
11 AgentIdentity,
12 encode_public_key,
13 make_agent_identity,
14 provenance_payload,
15 public_key_fingerprint,
16 sign_commit_ed25519,
17 sign_commit_record,
18 verify_commit_ed25519,
19 )
20 from muse.core.store import CommitRecord
21
22
23 def _gen_key() -> Ed25519PrivateKey:
24 return Ed25519PrivateKey.generate()
25
26
27 def _pub_bytes(key: Ed25519PrivateKey) -> bytes:
28 return key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
29
30
31 # ---------------------------------------------------------------------------
32 # AgentIdentity factory
33 # ---------------------------------------------------------------------------
34
35
36 class TestMakeAgentIdentity:
37 def test_required_fields_present(self) -> None:
38 identity = make_agent_identity(
39 agent_id="test-agent",
40 model_id="gpt-5",
41 toolchain_id="muse-v2",
42 )
43 assert identity["agent_id"] == "test-agent"
44 assert identity.get("model_id") == "gpt-5"
45 assert identity.get("toolchain_id") == "muse-v2"
46
47 def test_prompt_hash_is_hex(self) -> None:
48 identity = make_agent_identity(
49 agent_id="a",
50 model_id="m",
51 toolchain_id="t",
52 prompt="system: you are a music agent",
53 )
54 prompt_hash = identity.get("prompt_hash", "")
55 assert isinstance(prompt_hash, str)
56 assert len(prompt_hash) == 64
57 assert all(c in "0123456789abcdef" for c in prompt_hash)
58
59 def test_no_prompt_gives_no_hash_key(self) -> None:
60 identity = make_agent_identity(agent_id="a", model_id="m", toolchain_id="t")
61 assert identity.get("prompt_hash", "") == ""
62
63 def test_execution_context_hash_populated(self) -> None:
64 identity = make_agent_identity(
65 agent_id="a",
66 model_id="m",
67 toolchain_id="t",
68 execution_context='{"env": "ci", "version": "1.2.3"}',
69 )
70 ec_hash = identity.get("execution_context_hash", "")
71 assert isinstance(ec_hash, str)
72 assert len(ec_hash) == 64
73
74
75 # ---------------------------------------------------------------------------
76 # Ed25519 signing / verification
77 # ---------------------------------------------------------------------------
78
79
80 class TestEd25519Signing:
81 def test_sign_and_verify_succeed(self) -> None:
82 key = _gen_key()
83 payload = provenance_payload("abc123def456" * 4)
84 sig = sign_commit_ed25519(payload, key)
85 pub_bytes = _pub_bytes(key)
86 assert verify_commit_ed25519(payload, sig, pub_bytes)
87
88 def test_wrong_key_fails(self) -> None:
89 key1 = _gen_key()
90 key2 = _gen_key()
91 payload = provenance_payload("abc123")
92 sig = sign_commit_ed25519(payload, key1)
93 assert not verify_commit_ed25519(payload, sig, _pub_bytes(key2))
94
95 def test_wrong_payload_fails(self) -> None:
96 key = _gen_key()
97 sig = sign_commit_ed25519(provenance_payload("commit-a"), key)
98 assert not verify_commit_ed25519(provenance_payload("commit-b"), sig, _pub_bytes(key))
99
100 def test_tampered_signature_fails(self) -> None:
101 key = _gen_key()
102 payload = provenance_payload("abc")
103 sig = sign_commit_ed25519(payload, key)
104 # Flip a byte in the middle of the base64url string.
105 sig_bytes = bytearray(base64.urlsafe_b64decode(sig + "=="))
106 sig_bytes[32] ^= 0xFF
107 tampered = base64.urlsafe_b64encode(bytes(sig_bytes)).rstrip(b"=").decode()
108 assert not verify_commit_ed25519(payload, tampered, _pub_bytes(key))
109
110 def test_signature_is_base64url_string(self) -> None:
111 key = _gen_key()
112 sig = sign_commit_ed25519(provenance_payload("test-commit"), key)
113 assert isinstance(sig, str)
114 # Ed25519 signature is 64 bytes → 86 base64url chars (no padding)
115 assert len(sig) == 86
116
117 def test_empty_signature_fails(self) -> None:
118 key = _gen_key()
119 assert not verify_commit_ed25519(provenance_payload("x"), "", _pub_bytes(key))
120
121 def test_garbage_signature_fails(self) -> None:
122 key = _gen_key()
123 assert not verify_commit_ed25519(provenance_payload("x"), "!!not-base64!!", _pub_bytes(key))
124
125 def test_truncated_signature_fails(self) -> None:
126 key = _gen_key()
127 payload = provenance_payload("commit-x")
128 sig = sign_commit_ed25519(payload, key)
129 assert not verify_commit_ed25519(payload, sig[:40], _pub_bytes(key))
130
131 def test_different_keys_produce_different_sigs(self) -> None:
132 key1 = _gen_key()
133 key2 = _gen_key()
134 payload = provenance_payload("same-commit")
135 assert sign_commit_ed25519(payload, key1) != sign_commit_ed25519(payload, key2)
136
137
138 # ---------------------------------------------------------------------------
139 # Public key helpers
140 # ---------------------------------------------------------------------------
141
142
143 class TestPublicKeyHelpers:
144 def test_fingerprint_is_16_hex_chars(self) -> None:
145 key = _gen_key()
146 fp = public_key_fingerprint(_pub_bytes(key))
147 assert isinstance(fp, str)
148 assert len(fp) == 16
149 assert all(c in "0123456789abcdef" for c in fp)
150
151 def test_fingerprint_is_deterministic(self) -> None:
152 key = _gen_key()
153 pub = _pub_bytes(key)
154 assert public_key_fingerprint(pub) == public_key_fingerprint(pub)
155
156 def test_different_keys_different_fingerprints(self) -> None:
157 k1, k2 = _gen_key(), _gen_key()
158 assert public_key_fingerprint(_pub_bytes(k1)) != public_key_fingerprint(_pub_bytes(k2))
159
160 def test_encode_public_key_returns_32_bytes_and_b64(self) -> None:
161 key = _gen_key()
162 raw_bytes, b64 = encode_public_key(key)
163 assert len(raw_bytes) == 32
164 assert isinstance(b64, str)
165 # No padding
166 assert "=" not in b64
167 # Decodes back to same bytes
168 assert base64.urlsafe_b64decode(b64 + "=") == raw_bytes
169
170
171 # ---------------------------------------------------------------------------
172 # sign_commit_record
173 # ---------------------------------------------------------------------------
174
175
176 class TestSignCommitRecord:
177 def test_sign_commit_record_returns_three_tuple(self) -> None:
178 key = _gen_key()
179 commit_id = "deadbeef" * 8
180 result = sign_commit_record(commit_id, "test-agent", key)
181 assert result is not None
182 sig, pub_b64, fprint = result
183 assert sig != ""
184 assert pub_b64 != ""
185 assert len(fprint) == 16
186
187 def test_sign_commit_record_verifiable(self) -> None:
188 key = _gen_key()
189 commit_id = "cafebabe" * 8
190 agent_id = "verify-agent"
191 result = sign_commit_record(commit_id, agent_id, key, model_id="claude-sonnet-4-6")
192 assert result is not None
193 sig, pub_b64, _ = result
194 pub_bytes = base64.urlsafe_b64decode(pub_b64 + "=")
195 payload = provenance_payload(commit_id, agent_id=agent_id, model_id="claude-sonnet-4-6")
196 assert verify_commit_ed25519(payload, sig, pub_bytes)
197
198 def test_sign_commit_record_public_key_matches_private(self) -> None:
199 key = _gen_key()
200 result = sign_commit_record("aabbccdd" * 8, "agent", key)
201 assert result is not None
202 _, pub_b64, _ = result
203 raw, expected_b64 = encode_public_key(key)
204 assert pub_b64 == expected_b64
File History 5 commits
sha256:660fcac1df3ab28f61862e961890bd2ca8b754fa0242079d93ca1e25037ec8a6 chore(tests): add docstring to tests/__init__.py so rc14 tr… Human 26 days ago
sha256:d8316ffae901be06347e16ab55be11868eb519dd16ade3e8aa16a99e662f7e62 baseline: rc14 re-baseline after rc3 store corruption recovery Human patch 26 days ago
sha256:50d413a635f57761c3fce1f70251b957b6423821525bf330747ef4007339222e Merge branch 'dev' into main Human 29 days ago
sha256:fb67fed5a4d3e40de84bdd163de94ef1386570bef1dd1a020a732c8a038962ce Merge branch 'dev' into main Human 48 days ago
sha256:1c4b3e3a9a1f300774c3ee662b572a698d5fd405bf765a71e6011a2e9c3eaaaa feat: Muse — version control for the agent era Human 100 days ago