spec: formalize Kest v0.3.0 specification in versioned spec/ folder #4
Merged
- Move SPEC.md → spec/SPEC-v0.3.0.md (versioned filename for future revisions)
- Add spec/README.md as a version index table
- Add website/scripts/sync-spec.sh to automate sync to website content
- Update website/moon.yml build input to track spec/SPEC-v0.3.0.md
- Update website/content/design/07_kest_spec_v0.3.0.md (regenerated)
- Add prominent spec link in README.md (badges section)
Spec changes in this session:
- F-TS-02: ORIGIN_TRUST_MAP defaults are mandatory; custom mappings are allowed
- F-AE-13: policy_context MUST be present in every KestEntry (deviations auditable)
- F-CP-02/03: interceptor and propagator are deployment-agnostic (in-process or sidecar)
- F-CP-04: claim-check TTL risk noted; OTel collector rehydration processor recommended
- F-TE-04: lineage visualiser demoted to SHOULD; output format left to implementer
- §5.1: added mechanism descriptions for SPIREProvider, AWSWorkloadIdentity,
OIDCIdentity, and BedrockAgentIdentity with authoritative references
…e, policy_context
Rust layer (models.rs, lib.rs):
- Add schema_version, KestRuntime, PolicyContext, PolicyDeviation to KestEntry
- Expose policy_context getter via PyO3 bridge (accepts dict, returns dict)
- All serialized entries now carry runtime + policy_context (F-AE-05/06/13)
Python layer (models.py):
- MAX_BAGGAGE_SIZE set to 4096 (F-CP-04)
- Remove silent .mock-sig. / .pending. bypass in PassportVerifier
- Add register_origin_trust() with protection of mandatory defaults (F-TS-02)
- Export register_origin_trust from kest.core public API
Python layer (decorators.py):
- Add _uuid7() — spec-compliant UUID v7 generator (F-AE-04)
- Both sync and async wrappers now use _uuid7() for entry_id
- self_score now correctly sourced from ORIGIN_TRUST_MAP for non-root nodes (F-TS-03)
- policy_context (with tier lists + deviations=[]) passed to every KestEntry
- Remove debug print() calls from both wrappers
Tests:
- models_test.py: 29 new normative tests (all green)
- local_test.py: assert proper base64url signature structure, not .mock-sig.
- logic_test.py: assert valid JWS compact structure, not mock-sig string count
All 120 unit tests passing.
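The structural property the updated tests assert (a real JWS compact token rather than a .mock-sig. placeholder) can be checked before any key is involved. This is an added example, not code from the Kest repository; parse_compact_jws, MalformedJWS and the sample tokens are hypothetical names and constructed values, and non-empty payloads are assumed.

```python
import base64
import binascii
import json
import re

_B64URL = re.compile(r"[A-Za-z0-9_-]+")  # unpadded base64url alphabet, no dots
_EDDSA_SIG_LEN = {64, 114}  # Ed25519 / Ed448 raw signature sizes in bytes


class MalformedJWS(ValueError):
    """Token is not a well-formed JWS compact serialization."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _decode(segment: str, name: str) -> bytes:
    if not _B64URL.fullmatch(segment):
        raise MalformedJWS(f"{name}: not unpadded base64url")
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except (binascii.Error, ValueError) as exc:
        raise MalformedJWS(f"{name}: undecodable") from exc


def parse_compact_jws(token: str):
    """Return (header, payload, signature); structure only, no key check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise MalformedJWS(f"expected 3 segments, got {len(parts)}")
    raw_header, payload, signature = (
        _decode(seg, name)
        for seg, name in zip(parts, ("header", "payload", "signature"))
    )
    try:
        header = json.loads(raw_header)
    except ValueError as exc:  # covers bad UTF-8 and bad JSON
        raise MalformedJWS("header: not JSON") from exc
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        raise MalformedJWS("header: no alg")
    if header["alg"] == "EdDSA" and len(signature) not in _EDDSA_SIG_LEN:
        raise MalformedJWS(f"EdDSA signature of {len(signature)} bytes")
    return header, payload, signature


# Constructed samples: right structure, but signature bytes are filler, not a real signature.
HEADER = b64url_encode(json.dumps({"alg": "EdDSA"}).encode())
PAYLOAD = b64url_encode(b'{"entry_id":"constructed"}')
WELL_FORMED = f"{HEADER}.{PAYLOAD}.{b64url_encode(bytes(64))}"
PLACEHOLDER = f"{HEADER}.{PAYLOAD}.mock-sig"
```

A token that passes this check still has to be verified against the signer's public key.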
Root causes and fixes:
- OPA policy: revert trust_score thresholds to 0-100 integer scale
matching ORIGIN_TRUST_MAP (was incorrectly changed to 0.0-1.0 float)
- Lab audit file path: /app/ → /workspace/app/ to match docker-compose
bind-mount working directory
- Security halt test: capture passport from inside decorated function
scope (decorator detaches context in finally block)
- JWS parsing: use split('.', maxsplit=2) to handle EdDSA signatures
containing dots in the signature segment
- Keycloak/Gateway skip markers: add requires_keycloak/requires_gateway
for graceful degradation when services are unavailable
- Cedar policy path: use /workspace/app/cedar/policies in containers
- moon.yml: add health checks for hop1, kest-agent, kest-gateway before
running test suite
- Promoted Spec v0.3.0 to standalone sidebar section
- Implemented mobile-first responsive design with expandable code/image blocks
- Fixed duplicate headers and description extraction in MDX templates
- Updated trust degradation diagram with mathematically accurate visual
- Enhanced code blocks with full-screen expand and responsive copy buttons
- Replaced hero image with cyberpunk-themed asset
eterna2 added a commit that referenced this pull request Apr 25, 2026
…endencies (#103)
This commit updates several dependencies to address known security vulnerabilities:
- aiohttp: 3.13.3 -> 3.13.4 (Fixes #19-28)
- cryptography: 46.0.5 -> 46.0.7 (Fixes #17, #29)
- requests: 2.32.5 -> 2.33.0 (Fixes #16)
- Pygments: 2.19.2 -> 2.20.0 (Fixes #4, #18)
- PyJWT: 2.11.0 -> 2.12.1 (Fixes #1)
- postcss: 8.4.31 -> 8.5.10 (Fixes #40)
- uuid: 11.1.0 -> 14.0.0 (Fixes #39)
Verified with moon run kest-core-python:test and moon run website:build.
Summary
Formalizes the Kest v0.3.0 specification as a language-agnostic, normative document and moves it to a dedicated versioned spec/ folder.
Changes
Repository structure
- SPEC.md (root) → spec/SPEC-v0.3.0.md (versioned; future revisions get their own files)
- spec/README.md — version index table
- website/scripts/sync-spec.sh — automates sync to website docs on every build
- website/moon.yml — build input updated to track spec/SPEC-v0.3.0.md
- README.md — prominent spec link added below badges
Specification updates (this session)
- policy_context MUST be present in every signed KestEntry; deviations[] always required