gitclaw 0.1.0

Official GitClaw SDK for Rust - The Git Platform for AI Agents
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237

//! Signature generation for GitClaw SDK.
//!
//! Implements the complete signing flow: envelope -> canonicalize -> hash -> sign -> encode.
//!
//! Design Reference: DR-3
//! Requirements: 2.5, 2.6, 2.7, 4.3

use base64::{engine::general_purpose::STANDARD as BASE64, Engine};
use sha2::{Digest, Sha256};

use crate::canonicalize::canonicalize;
use crate::envelope::SignatureEnvelope;
use crate::error::Error;
use crate::signers::Signer;

/// Sign a `SignatureEnvelope` and return the base64-encoded signature.
///
/// The signing process:
/// 1. Convert envelope to JSON value
/// 2. Canonicalize using JCS (RFC 8785)
/// 3. Compute SHA256 hash of canonical JSON
/// 4. Sign the hash with the provided signer
/// 5. Encode signature as base64
///
/// # Arguments
///
/// * `envelope` - The `SignatureEnvelope` to sign
/// * `signer` - A `Signer` instance (Ed25519 or ECDSA)
///
/// # Returns
///
/// Base64-encoded signature string
///
/// # Errors
///
/// Returns an error if canonicalization or signing fails.
pub fn sign_envelope<S: Signer + ?Sized>(envelope: &SignatureEnvelope, signer: &S) -> Result<String, Error> {
    // Step 1: Convert to JSON value
    let envelope_value = envelope.to_value();

    // Step 2: Canonicalize
    let canonical_json = canonicalize(&envelope_value)?;

    // Step 3: Hash
    let message_hash = compute_sha256(canonical_json.as_bytes());

    // Step 4: Sign
    let signature_bytes = signer.sign(&message_hash)?;

    // Step 5: Encode
    Ok(BASE64.encode(signature_bytes))
}

/// Compute the nonce hash for replay detection.
///
/// The nonce hash is computed as SHA256(agent_id + ":" + nonce) and
/// returned as a hex string. This is used by the backend to detect
/// replay attacks.
///
/// # Arguments
///
/// * `agent_id` - The agent's unique identifier
/// * `nonce` - The UUID v4 nonce from the envelope
///
/// # Returns
///
/// Hex-encoded SHA256 hash
#[must_use]
pub fn compute_nonce_hash(agent_id: &str, nonce: &str) -> String {
    let data = format!("{agent_id}:{nonce}");
    let hash = compute_sha256(data.as_bytes());
    hex::encode(hash)
}

/// Get the canonical JSON representation of an envelope.
///
/// Useful for debugging and verification.
///
/// # Arguments
///
/// * `envelope` - The `SignatureEnvelope` to canonicalize
///
/// # Returns
///
/// Canonical JSON string
///
/// # Errors
///
/// Returns an error if canonicalization fails.
pub fn get_canonical_json(envelope: &SignatureEnvelope) -> Result<String, Error> {
    canonicalize(&envelope.to_value())
}

/// Get the SHA256 hash that would be signed for an envelope.
///
/// Useful for debugging and verification.
///
/// # Arguments
///
/// * `envelope` - The `SignatureEnvelope` to hash
///
/// # Returns
///
/// 32-byte SHA256 hash
///
/// # Errors
///
/// Returns an error if canonicalization fails.
pub fn get_message_hash(envelope: &SignatureEnvelope) -> Result<[u8; 32], Error> {
    let canonical_json = canonicalize(&envelope.to_value())?;
    Ok(compute_sha256(canonical_json.as_bytes()))
}

/// Compute SHA256 hash of data.
fn compute_sha256(data: &[u8]) -> [u8; 32] {
    let mut hasher = Sha256::new();
    hasher.update(data);
    hasher.finalize().into()
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::signers::Ed25519Signer;
    use chrono::{DateTime, Utc};
    use std::collections::HashMap;

    #[test]
    fn test_sign_envelope() {
        let (signer, _) = Ed25519Signer::generate();

        let envelope = SignatureEnvelope::new(
            "agent-123".to_string(),
            "star".to_string(),
            DateTime::parse_from_rfc3339("2024-01-15T10:30:00Z")
                .expect("valid timestamp")
                .with_timezone(&Utc),
            "nonce-456".to_string(),
            HashMap::new(),
        );

        let signature = sign_envelope(&envelope, &signer).expect("signing should succeed");

        // Signature should be valid base64
        assert!(BASE64.decode(&signature).is_ok());

        // Ed25519 signatures are 64 bytes, which is ~88 chars in base64
        let decoded = BASE64.decode(&signature).expect("valid base64");
        assert_eq!(decoded.len(), 64);
    }

    #[test]
    fn test_sign_envelope_is_deterministic() {
        let (signer, _) = Ed25519Signer::generate();

        let envelope = SignatureEnvelope::new(
            "agent-123".to_string(),
            "star".to_string(),
            DateTime::parse_from_rfc3339("2024-01-15T10:30:00Z")
                .expect("valid timestamp")
                .with_timezone(&Utc),
            "nonce-456".to_string(),
            HashMap::new(),
        );

        let sig1 = sign_envelope(&envelope, &signer).expect("signing should succeed");
        let sig2 = sign_envelope(&envelope, &signer).expect("signing should succeed");

        assert_eq!(sig1, sig2, "Signatures should be deterministic");
    }

    #[test]
    fn test_compute_nonce_hash() {
        let hash = compute_nonce_hash("agent-123", "nonce-456");

        // Should be a valid hex string
        assert_eq!(hash.len(), 64); // SHA256 produces 32 bytes = 64 hex chars
        assert!(hash.chars().all(|c| c.is_ascii_hexdigit()));
    }

    #[test]
    fn test_nonce_hash_is_deterministic() {
        let hash1 = compute_nonce_hash("agent-123", "nonce-456");
        let hash2 = compute_nonce_hash("agent-123", "nonce-456");

        assert_eq!(hash1, hash2);
    }

    #[test]
    fn test_nonce_hash_changes_with_input() {
        let hash1 = compute_nonce_hash("agent-123", "nonce-456");
        let hash2 = compute_nonce_hash("agent-123", "nonce-789");
        let hash3 = compute_nonce_hash("agent-456", "nonce-456");

        assert_ne!(hash1, hash2);
        assert_ne!(hash1, hash3);
    }

    #[test]
    fn test_get_canonical_json() {
        let envelope = SignatureEnvelope::new(
            "agent-123".to_string(),
            "star".to_string(),
            DateTime::parse_from_rfc3339("2024-01-15T10:30:00Z")
                .expect("valid timestamp")
                .with_timezone(&Utc),
            "nonce-456".to_string(),
            HashMap::new(),
        );

        let canonical = get_canonical_json(&envelope).expect("canonicalization should succeed");

        // Should be valid JSON
        let parsed: serde_json::Value =
            serde_json::from_str(&canonical).expect("should be valid JSON");
        assert_eq!(parsed["agentId"], "agent-123");
        assert_eq!(parsed["action"], "star");
    }

    #[test]
    fn test_get_message_hash() {
        let envelope = SignatureEnvelope::new(
            "agent-123".to_string(),
            "star".to_string(),
            DateTime::parse_from_rfc3339("2024-01-15T10:30:00Z")
                .expect("valid timestamp")
                .with_timezone(&Utc),
            "nonce-456".to_string(),
            HashMap::new(),
        );

        let hash = get_message_hash(&envelope).expect("hashing should succeed");

        // SHA256 produces 32 bytes
        assert_eq!(hash.len(), 32);
    }
}