fix(streaming-auth): sign with empty body hash for chunked MPack push

For chunked streaming push (Content-Type: application/x-muse-mpack), the full request body cannot be hashed before sending starts. Switch body_bytes from h_frame to None (→ SHA256("") in canonical MSign message). Body integrity is provided by: - H frame embedded Ed25519 (push intent: branch, n_objects, head, force) - Content-addressing on each O frame (sha256: OIDs self-verify) - E frame counts (cross-check objects/commits match H claims) MSign still covers identity + replay via method/host/path/ts.

Pass Content-Type via extra_headers so it is sent even with body_bytes=None. Update test_mpack_chunked_push.py to assert body_bytes=None (not H frame).

sha256:122622005b2dd8f04585a02475954cb1936e73e2c4a04ea58a0a3f6ee3a29e7e sha

sha256:1c08072d0d612e8ee8687845d596d81b6d4472704a004a32b7d39c348b3f8787 parent

sha256:eb1cf66b071afec0cdc6fdbf858af10c0a8545fc38a1cb8945ef273c4e31ffe3 snapshot

← Older Oldest on dev

All commits

Newer → Latest on dev

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:122622005b2dd8f04585a02475954cb1936e73e2c4a04ea58a0a3f6ee3a29e7e --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Bump BREAKING

Agent claude-code

Breaking

muse/core/transport.py::HttpTransport

Signature Cryptographically verified

Snapshot

ID sha256:eb1cf66b071afec0cdc6fdbf858af10c0a8545fc38a1cb8945ef273c4e31ffe3

Files 0

Browse tree at this commit →

Commit

SHA sha256:122622005b2dd8f04585a02475954cb1936e73e2c4a04ea58a0a3f6ee3a29e7e

Parent

sha256:1c08072d0d612e8ee8687845d596d81b6d4472704a004a32b7d39c348b3f8787

Branch dev