From 3b2567c0617dc0bd10076edf181de3c2a429faa1 Mon Sep 17 00:00:00 2001
From: Nathan Gillett
Date: Sat, 30 May 2026 17:20:36 -0500
Subject: [PATCH] Pivot to MIT and standard OSS contribution docs
---
.../workflows/security-advisory-publish.yml | 25 ---
CONTRIBUTING.md | 58 ++----
LICENSE | 197 ++----------------
NOTICE | 16 +-
README.md | 56 +----
SECURITY.md | 29 +--
TRADEMARK.md | 34 +--
pyproject.toml | 2 +-
8 files changed, 61 insertions(+), 356 deletions(-)
delete mode 100644 .github/workflows/security-advisory-publish.yml
diff --git a/.github/workflows/security-advisory-publish.yml b/.github/workflows/security-advisory-publish.yml
deleted file mode 100644
index 7741cc5..0000000
--- a/.github/workflows/security-advisory-publish.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: security-advisory-publish
-
-on:
- workflow_dispatch:
- inputs:
- ghsa_id:
- description: Published GHSA id (GHSA-xxxx-xxxx-xxxx)
- required: true
- type: string
- cve_id:
- description: Optional CVE id assigned via GitHub-as-CNA
- required: false
- type: string
-
-permissions:
- contents: read
- security-events: read
-
-jobs:
- verify-osv-mirror:
- uses: IntentProof/intentproof-infra/.github/workflows/security-advisory-publish.yml@064f4a1fb91998960343fb14cb912cbbd6c4cd82
- with:
- ghsa_id: ${{ inputs.ghsa_id }}
- cve_id: ${{ inputs.cve_id }}
- secrets: inherit
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index d490a60..990c7c9 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,54 +1,24 @@
 # Contributing to intentproof-sdk-python
-Thanks for your interest in IntentProof.
+Thank you for helping improve IntentProof.
-## Issues welcome
+## How to help
-Please report bugs, API gaps, and conformance findings via
-[GitHub Issues](https://github.com/IntentProof/intentproof-sdk-python/issues).
-That is the primary way to help right now.
+We welcome [GitHub Issues](https://github.com/IntentProof/intentproof-sdk-python/issues)
+and pull requests.
-We do **not** accept unsolicited pull requests from outside the
-maintainer team. If you are a customer or partner with a change that
-must land upstream, contact IntentProof, Inc. before opening a PR.
+- **Small fixes:** open a PR with a short summary and test plan.
+- **API or signing behavior changes:** discuss in an issue first; they must stay
+ aligned with [`intentproof-spec`](https://github.com/IntentProof/intentproof-spec)
+ golden vectors.
-Maintainer commits use the Developer Certificate of Origin (DCO) below.
+## Pull requests
-## Developer Certificate of Origin (DCO)
-
-Merged commits in this repository use the
-[Developer Certificate of Origin 1.1](https://developercertificate.org/).
-
-Every commit must carry a `Signed-off-by:` trailer matching the
-author email. The easiest way to do this is to pass `-s` to `git
-commit`:
-
-```bash
-git commit -s -m "..."
-```
-
-You can also retroactively sign off the last commit with:
-
-```bash
-git commit --amend --no-edit -s
-```
-
-Then force-push the amended branch:
-
-```bash
-git push --force-with-lease
-```
-
-Commits that do not include a valid `Signed-off-by` trailer will
-be rejected by CI.
-
-## Trademark
-
-"IntentProof" and "Verified by IntentProof" are trademarks of
-IntentProof, Inc. Apache 2.0 grants a copyright license; it does not grant a
-trademark license. See [`TRADEMARK.md`](TRADEMARK.md).
+- Run `pytest` before opening.
+- Cross-language behavior changes may need matching updates in spec fixtures
+ and sibling SDKs.
## License
-By contributing as a maintainer, you agree your commits are licensed
-under the Apache License 2.0 (see `LICENSE`).
+By contributing, you agree your contributions are licensed under the MIT
+License (see `LICENSE`).
diff --git a/LICENSE b/LICENSE
index d9a10c0..3b1bd74 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,176 +1,21 @@
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship.
For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License.
Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of
the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty.
Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
+MIT License
+
+Copyright (c) 2026 Nathan Gillett
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to do so, subject to the
+following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/NOTICE b/NOTICE
index b5665fd..0e1e882 100644
--- a/NOTICE
+++ b/NOTICE
@@ -1,16 +1,4 @@
 IntentProof Python SDK
-Copyright 2026 IntentProof, Inc.
+Copyright (c) 2026 Nathan Gillett
-This product includes software developed at IntentProof, Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+Licensed under the MIT License (see LICENSE).
diff --git a/README.md b/README.md
index 8359cdc..df96c07 100644
--- a/README.md
+++ b/README.md
@@ -2,18 +2,13 @@
[![CI](https://github.com/IntentProof/intentproof-sdk-python/actions/workflows/ci.yml/badge.svg)](https://github.com/IntentProof/intentproof-sdk-python/actions/workflows/ci.yml)
-Python SDK for emitting signed IntentProof execution events.
+Python SDK for signing IntentProof execution events locally.
-## Who uses this
+## Use
-Python application authors who need the same wrap/exporter/outbox contract as
-the Node and Go SDKs for signed execution events.
-
-## Status
-
-Early scaffolding repo for IntentProof's Python SDK. Tracks the
-Node SDK's wrap()/exporter/outbox contract so a Python application
-can emit and verify the same signed execution events.
+- `wrap()` / exporter / outbox aligned with the Node and Go SDKs
+- Ed25519 signing and canonical JSON
+- No hosted ingest required for local capture and bundle export
## Install
@@ -21,50 +16,21 @@ can emit and verify the same signed execution events.
pip install intentproof
```
-For development in this repository:
+Development:
```bash
pip install -e ".[dev]"
-```
-
-## Verify
-
-Cross-language signing fixtures in CI match
-[`intentproof-spec`](https://github.com/IntentProof/intentproof-spec) golden
-vectors. Run `pytest` locally before publishing.
-
-## Test
-
-```bash
pytest
-bash ./scripts/run-coverage-gate.sh
```
-Tiered coverage: **90%** total and **95%** on `src/intentproof/` (see
-`scripts/README-coverage-tiers.md`).
-
-## Release
-
-PyPI packages are published from maintainer release workflows in
-[`intentproof-tools`](https://github.com/IntentProof/intentproof-tools) using
-Sigstore-attested artifacts. See
-[`docs/release-signing.md`](https://github.com/IntentProof/intentproof-tools/blob/main/docs/release-signing.md).
-
-## Documentation hub
-
-Per-repo README files plus
-[`intentproof-infra`](https://github.com/IntentProof/intentproof-infra) for
-self-host install and image verification. Docs site deferred — see
-[`docs-hub-decision.md`](https://github.com/IntentProof/intentproof-infra/blob/main/docs/docs-hub-decision.md).
+Golden vectors: [`intentproof-spec`](https://github.com/IntentProof/intentproof-spec).
## Support
-Report bugs, API gaps, and conformance findings via
-[GitHub Issues](https://github.com/IntentProof/intentproof-sdk-python/issues).
-See [`CONTRIBUTING.md`](CONTRIBUTING.md). Security reports:
-[`SECURITY.md`](SECURITY.md).
+[GitHub Issues](https://github.com/IntentProof/intentproof-sdk-python/issues) —
+see [CONTRIBUTING.md](CONTRIBUTING.md). Security:
+[SECURITY.md](SECURITY.md).
## License
-Apache License 2.0 — see [`LICENSE`](LICENSE), [`NOTICE`](NOTICE), and
-[`TRADEMARK.md`](TRADEMARK.md).
+MIT — see [LICENSE](LICENSE) and [TRADEMARK.md](TRADEMARK.md).
diff --git a/SECURITY.md b/SECURITY.md
index e2435fe..fff366a 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,26 +1,9 @@
-# Security Policy
+# Security
-## Reporting A Vulnerability
+Report suspected vulnerabilities to `security@intentproof.io` or open a
+private [GitHub Security Advisory](https://github.com/IntentProof/intentproof-sdk-python/security/advisories/new)
+on this repository.
-Report suspected vulnerabilities to `security@intentproof.io`. If you need to
-share sensitive details before a public encryption key is published, open a
-private GitHub Security Advisory draft in this repository or send an initial
-unclassified message to arrange a secure channel.
+Do not post exploit details on public issues.
-Please include:
-
-- Affected package, SDK API, signing path, outbox behavior, distribution
- artifact, or workflow.
-- Impact and exploitation conditions.
-- Reproduction steps or proof-of-concept details when safe to share.
-- Whether the issue is already public or shared with anyone else.
-
-## Response Process
-
-IntentProof follows the coordinated security-release process published in
-[`IntentProof/intentproof-infra`](https://github.com/IntentProof/intentproof-infra/blob/main/SECURITY-POLICY.md).
-That policy defines severity tiers, SLAs, embargo handling, public disclosure,
-and dependency-scanning rules.
-
-Do not report security vulnerabilities through public GitHub Issues unless the
-issue is already public and contains no sensitive exploitation detail.
+This is an OSS project without a paid security SLA.
diff --git a/TRADEMARK.md b/TRADEMARK.md
index 0833611..3c736df 100644
--- a/TRADEMARK.md
+++ b/TRADEMARK.md
@@ -1,31 +1,9 @@
-# IntentProof Trademark Policy
+# Trademark notice
-**IntentProof** and **Verified by IntentProof** are trademarks of
-IntentProof, Inc.
+"IntentProof" is the project name for this open-source work.
-The Apache License 2.0 grants a copyright license for the code in this
-repository. It does **not** grant a trademark license.
+The MIT License grants copyright permission for the code; it does **not**
+grant trademark rights. Do not imply endorsement, sponsorship, or certification
+by the maintainer.
-## Permitted use
-
-You may use the name **IntentProof** in plain text to describe
-compatibility with or use of this open-source software, provided you do
-not imply endorsement, sponsorship, or certification by IntentProof, Inc.
-
-## Not permitted without written permission
-
-- Using IntentProof trademarks in your product, company, or project name.
-- Displaying the **Verified by IntentProof** certification mark or any
- IntentProof logo except as authorized in a written agreement.
-- Suggesting that IntentProof, Inc. certifies or warrantees your deployment
- solely because you use this software.
-
-## Certification mark
-
-Operational use of the **Verified by IntentProof** certification mark is
-governed by a separate certification policy before certificate issuance
-ships. Contact `security@intentproof.io` for questions.
-
-## Questions
-
-Trademark or certification-mark questions: `security@intentproof.io`.
+See [CONTRIBUTING.md](CONTRIBUTING.md) for how to report issues.
diff --git a/pyproject.toml b/pyproject.toml
index e67696f..802933c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -7,7 +7,7 @@ name = "intentproof"
version = "0.1.0"
description = "Python SDK for signed IntentProof execution events"
readme = "README.md"
-license = {text = "Apache-2.0"}
+license = {text = "MIT"}
requires-python = ">=3.9"
authors = [{name = "IntentProof"}]
keywords = ["intentproof", "provenance", "sdk"]
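Review bot: `license = {text = "MIT"}` keeps the legacy table form of the field; under PEP 639 the value is an SPDX expression string, `license = "MIT"`, and newer setuptools releases warn on the table form, so consider `license = "MIT"` together with `license-files = ["LICENSE"]` so the new LICENSE text is carried into the sdist and wheel as the MIT notice clause requires. The unchanged context line `authors = [{name = "IntentProof"}]` still names the company while the new LICENSE and NOTICE in this commit name Nathan Gillett as copyright holder; if that split is not intended, align the package metadata in the same change. The `[project]` table starts outside the hunk.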