Releases: jondepalma/didlite-pkg

v0.2.6

26 Feb 15:03
Immutable release. Only release title and notes can be modified.
0816605

What's Changed

Fixed

  • Consistent error handling in resolve_did_to_key() (#17) — multibase.decode() exceptions are now caught and re-raised as ValueError with a clean message: "Invalid DID: failed to decode multibase string - <ExceptionType>". Internal library details no longer leak to callers.
  • Consistent error handling in from_jwk() (#18) — binascii.Error from base64.urlsafe_b64decode() is now caught and re-raised as ValueError: "Invalid JWK: failed to decode private key 'd' field - <ExceptionType>". Callers only need to handle ValueError for all JWK import errors.

Changed

  • GitHub Actions dependency updates via Dependabot (PR #60, closes #61)
    • actions/checkout: v4 → v6
    • actions/setup-python: v5 → v6
    • actions/upload-artifact: v4 → v6
    • actions/download-artifact: v4 → v7
    • codecov/codecov-action: v4 → v5

See CHANGELOG.md for full history.

⚠️ Beta Status: This release has not undergone an independent security audit. See SECURITY.md for details.

v0.2.5

10 Jan 04:00
Immutable release. Only release title and notes can be modified.
788af74

Release v0.2.5: Repository Governance, OWASP Compliance, and PyO3 Fixes

🎯 Overview

This release enhances repository governance for public launch, adds comprehensive OWASP Password Storage compliance testing, and resolves PyO3 compatibility issues in the CI/CD pipeline.

Release Type: Minor version (backward compatible)
Status: Beta - Independent security audit pending
Python Support: 3.9, 3.10, 3.11, 3.12


✨ What's New

Repository Governance Automation

  • GitHub CODEOWNERS - Automated review request routing for security-critical components
  • Dependabot - Weekly dependency monitoring for Python packages and GitHub Actions
    • Auto-labels PRs with 'dependencies', 'security', 'ci/cd'
    • Groups minor/patch updates to reduce noise
    • Targets dev branch to maintain workflow integrity

OWASP Password Storage Compliance Testing

  • 12 new compliance tests validating PBKDF2-HMAC-SHA256 implementation
  • Tests verify:
    • ✅ 480,000 iterations (55% above OWASP 2021 minimum)
    • ✅ HMAC-SHA256 algorithm (OWASP recommended)
    • ✅ 128-bit salt length (NIST SP 800-132)
    • ✅ Salt randomness and uniqueness
    • ✅ 256-bit output length
    • ✅ Documentation accuracy (CRYPTO_RATIONALE.md, THREAT_MODEL.md)
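
The parameters listed above, exercised with Python's standard library. This is an added example, not didlite's keystore code or its test suite; the function names and the choice to return the iteration count with the salt (so records written at 480,000 stay verifiable after a later increase) are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 480_000        # value stated in these release notes
SALT_BYTES = 16             # 128-bit salt
KEY_BYTES = 32              # 256-bit output
MIN_PASSWORD_CHARS = 20     # "20+ characters mandatory"
OWASP_2021_MIN = 310_000    # figures quoted in the release notes
OWASP_2023_MIN = 600_000


def derive_key(password: str, salt: Optional[bytes] = None,
               iterations: int = ITERATIONS) -> Tuple[bytes, int, bytes]:
    """Return (salt, iterations, key) using PBKDF2-HMAC-SHA256."""
    if len(password) < MIN_PASSWORD_CHARS:
        raise ValueError("password shorter than 20 characters")
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh CSPRNG salt per record
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be 128 bits")
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, iterations, dklen=KEY_BYTES)
    return salt, iterations, key


def verify_password(password: str, salt: bytes, iterations: int,
                    expected_key: bytes) -> bool:
    """Re-derive with the stored salt and iteration count, then compare
    in constant time."""
    _, _, key = derive_key(password, salt, iterations)
    return hmac.compare_digest(key, expected_key)


def compliance_report(iterations: int = ITERATIONS) -> dict:
    """The comparison the release notes make against the OWASP figures."""
    return {
        "meets_owasp_2021": iterations >= OWASP_2021_MIN,
        "meets_owasp_2023": iterations >= OWASP_2023_MIN,
        "margin_over_2021_pct": round((iterations / OWASP_2021_MIN - 1) * 100),
        "fraction_of_2023_pct": round(iterations / OWASP_2023_MIN * 100),
    }


if __name__ == "__main__":
    pw = "correct horse battery staple!"       # constructed sample password
    salt, iters, key = derive_key(pw)
    print(len(salt) * 8, iters, len(key) * 8, verify_password(pw, salt, iters, key))
    print(compliance_report())
```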

Enhanced Testing Documentation

  • New comprehensive OWASP compliance testing section in TESTING_GUIDE.md
  • PyO3 testing best practices guide (docs/PYO3_TESTING_BEST_PRACTICES.md)
  • Updated test counts: 236 → 248 tests (+5% increase)

🐛 Bug Fixes

CI/CD Pipeline (PyO3 Compatibility)

  • Fixed PyO3 reinitialization errors in OWASP compliance tests
  • Split test suite into separate GitHub Actions jobs:
    • Main test job: All tests except OWASP compliance
    • Isolated OWASP job: Prevents cross-module PyO3 conflicts
  • Both jobs run on Python 3.9-3.12 matrix
  • Long-term fix planned for v0.3.0 (comprehensive test refactoring)

Documentation Accuracy

  • Corrected PBKDF2 iteration count in CRYPTO_RATIONALE.md and THREAT_MODEL.md
    • Documentation previously claimed 600,000 iterations (aspirational)
    • Actual implementation: 480,000 iterations (since v0.1.5)
    • No code changes - documentation-only correction
  • Fixed release script CHANGELOG duplication bug
    • Script now checks if version exists before inserting
    • Re-running no longer creates duplicate headers

📊 Test Suite Summary

Total Tests: 248 (+12 from v0.2.4)
Results: 245 passed, 3 skipped
Coverage: 95.7% overall (100% on security-critical code)
Execution Time: ~12 seconds

Test Categories:

  • Compliance: 18 tests (W3C DID, RFC 7515/7519)
  • Core: 37 tests (Identity, DID resolution, JWK/PEM)
  • Fuzzing: 32 tests (Attack scenarios, DoS prevention)
  • Integration: 5 tests (Authlib interoperability)
  • JWS: 63 tests (Token creation, verification, TTL)
  • Keystore: 49 tests (Memory, Env, File backends)
  • OWASP Compliance: 12 tests ⭐ NEW
  • Security: 32 tests (Error sanitization, input validation)

🔒 Security Enhancements

OWASP Compliance Status

  • Current: 480,000 PBKDF2 iterations
  • OWASP 2021 Minimum: 310,000 iterations ✅ Exceeds by 55%
  • OWASP 2023 Recommendation: 600,000 iterations (~80% compliant)
  • v1.0.0 Upgrade Plan: Increase to 600,000 with backward compatibility

Enhanced Security Documentation

  • Updated .github/SECURITY.md with password requirements section
  • Strong password guidance (20+ characters mandatory)
  • GPU crack time analysis for various password strengths
  • Documented upgrade path to full OWASP 2023 compliance

Supply Chain Security

  • Dependabot reduces dependency attack surface
  • Automated weekly vulnerability scanning
  • CI/CD security-scan job validates all dependencies

📝 Documentation Updates

New Documentation

  • docs/PYO3_TESTING_BEST_PRACTICES.md - Comprehensive PyO3 testing guide (272 lines)
  • .github/CODEOWNERS - Code ownership definitions
  • .github/dependabot.yml - Dependency monitoring configuration

Updated Documentation

  • docs/TESTING_GUIDE.md - Added OWASP compliance section, updated test counts
  • .github/SECURITY.md - Added password requirements and compliance status
  • README.md - Updated test coverage table to v0.2.5
  • docs/CRYPTO_RATIONALE.md - Corrected iteration count (600k → 480k)
  • docs/THREAT_MODEL.md - Corrected iteration count (600k → 480k)

Removed Documentation

  • docs/SETUP_LOCAL.md - Moved to internal docs (package now on PyPI)

🔧 Breaking Changes

None. This release is fully backward compatible with v0.2.4.


📦 Installation

pip install --upgrade didlite

Verify installation:

import didlite
print(didlite.__version__)  # Should print: 0.2.5

🔗 Resources


🙏 Acknowledgments

Special thanks to the OWASP Foundation for the Password Storage Cheat Sheet guidance and to the Python cryptography community for PyO3 compatibility best practices.


⚠️ Beta Status Reminder

This library has not undergone an independent security audit. While comprehensive internal security hardening has been completed with 23+ documented security fixes, we recommend against production use until an external audit is complete.

Use at your own risk. Report vulnerabilities to: security@didlite.io


🚀 What's Next

v0.3.0 Preview:

  • Comprehensive test refactoring (module-scoped fixtures for all FileKeyStore tests)
  • Enhanced fuzzing coverage
  • Performance benchmarks update
  • Preparation for v1.0.0 security audit

See docs/FUTURE_UPGRADES.md for the full roadmap.


🤖 Generated with Claude Code

v0.2.4

31 Dec 19:37
4899b29

didlite v0.2.4 - CI/CD Pipeline and Python 3.9+ Support

This release establishes production-ready CI/CD infrastructure with OIDC authentication and resolves Python compatibility issues discovered during multi-version testing.


⚠️ Breaking Changes

Python 3.8 Support Dropped

Minimum version is now Python 3.9+ (#50)

  • Rationale: Python 3.8 reached EOL in October 2024 (no security patches)
  • Technical blocker: Type hint incompatibility (tuple[dict, dict] syntax requires PEP 585, introduced in Python 3.9)
  • Migration: Upgrade to Python 3.9 or newer

✨ New Features

CI/CD Pipeline with GitHub Actions

Automated testing on every PR/push (#50):

  • ✅ Multi-version testing (Python 3.9, 3.10, 3.11, 3.12)
  • ✅ Fuzzing tests with hypothesis (30-minute timeout in CI)
  • ✅ Security scanning with pip-audit (OSV database)
  • ✅ Code coverage reporting via Codecov

Workflows:

  • .github/workflows/test.yml - Runs on PR/push to main/dev
  • .github/workflows/publish.yml - Runs on GitHub release publication

OIDC-Authenticated PyPI Publishing

Secure publishing without API tokens (#50):

  • ✅ GitHub OIDC Trusted Publisher configuration
  • ✅ Automated build and verification with twine
  • ✅ Triggers on GitHub release publication
  • No API tokens stored - uses GitHub's cryptographic identity

Modern Python Packaging (PEP 517/518)

Complete pyproject.toml configuration (#50):

  • ✅ Centralized package metadata (keywords, classifiers, URLs)
  • ✅ Centralized pytest and coverage configuration
  • setup.py converted to minimal shim for backwards compatibility

Release Automation

scripts/release.sh for streamlined releases (#50):

  • ✅ Automated version bumping in pyproject.toml and __init__.py
  • ✅ CHANGELOG.md date stamping
  • ✅ Git tagging and push automation
  • ✅ GitHub release draft creation
  • ✅ Branch enforcement (must run on main)

Community Contribution Guidelines

Documentation for contributors (#50):

  • CONTRIBUTING.md with security hardening documentation
  • CODE_OF_CONDUCT.md (Contributor Covenant v2.0)
  • ✅ Reference to 23+ security fixes with GitHub issue links
  • ✅ Development philosophy ("lite by design")

Supply Chain Security Documentation

SLSA Level 2 compliance documented (#50):

  • ✅ Current SLSA Level 2 status in SECURITY.md
  • ✅ SLSA Level 3 roadmap for v1.0.0 (provenance, hermetic builds, dependency pinning)
  • ✅ Dependency vulnerability scanning policy (48-hour SLA for critical issues)
  • ✅ Automated pip-audit scanning on every PR

🔧 Bug Fixes

PyO3 Compatibility Fixes

Resolved reinitialization errors across all Python versions (#50):

Root Cause: PyNaCl's cryptography dependency uses PyO3 (Rust bindings), which can only initialize once per Python process. Lazy imports inside functions caused reinitialization errors in test suites.

Solution: Implemented module-level lazy singleton pattern

  • ✅ Affects: didlite/keystore.py and didlite/core.py
  • ✅ Preserves lazy loading philosophy (no imports unless FileKeyStore/PEM methods used)
  • ✅ Imports cryptography modules once per process, caches globally

Removed Deprecated Parameter

Removed deprecated backend parameter from load_pem_private_key() (#50):

  • ✅ Deprecated in cryptography v36.0.0 (November 2021)
  • ✅ Backend now auto-selected by cryptography library
  • Zero functionality changes

Python 3.9-3.12 Compatibility

All tests pass on supported versions (#50):

  • ✅ Added from __future__ import annotations for PEP 585 compatibility
  • ✅ Fixed pytest import mode conflicts with PyO3 bindings (--import-mode=importlib)
  • ✅ Removed license classifier conflict (setuptools >=77.0.0 compliance)

📊 Test Coverage

Current Coverage: 95.7% (351 statements, 336 covered, 15 missing)

Coverage by Module:

| Module | Coverage | Status |
|---|---|---|
| didlite/__init__.py | 100% | ✅ Complete |
| didlite/core.py | 96% | ✅ All critical paths covered |
| didlite/jws.py | 99% | ✅ Algorithm confusion prevented |
| didlite/keystore.py | 93% | ✅ All storage backends validated |

Why coverage decreased from v0.2.3 (97.2%):

  • Statement count increased (+30 statements) due to lazy singleton infrastructure
  • Absolute covered lines increased (+24)
  • New code is infrastructure (TYPE_CHECKING guards, singleton helpers)
  • All security-critical code remains 100% covered

Test Results: ✅ All 233 tests pass on Python 3.9, 3.10, 3.11, 3.12


📝 Documentation Updates

  • ✅ Updated test coverage metrics in README.md and docs/TESTING_GUIDE.md
  • ✅ Documented acceptable coverage gaps (TYPE_CHECKING guards, abstract methods, defensive assertions)
  • ✅ Explained infrastructure code coverage trade-offs
  • ✅ Added SLSA Level 2 compliance documentation to SECURITY.md

🔒 Security Posture

Supply Chain Security: SLSA Level 2 ✅

Compliance Details:

  • ✅ Version-controlled source (Git)
  • ✅ Scripted builds (GitHub Actions)
  • ✅ Authenticated provenance (OIDC Trusted Publisher)
  • ✅ Service-generated attestations (GitHub)

SLSA Level 3 planned for v1.0.0:

  • 🔲 Build attestation signing (Sigstore)
  • 🔲 Dependency pinning with checksums
  • 🔲 Hermetic builds (Docker)

Dependency Scanning

Automated: pip-audit runs on every PR/push
Tools: OSV database (Google Open Source Vulnerabilities)
Policy:

  • Critical vulnerabilities: 48-hour SLA
  • High severity: 7-day SLA
  • Medium/Low: Next regular release

🚀 Installation

pip install didlite==0.2.4

Requirements:

  • Python 3.9 or newer
  • Dependencies: pynacl, py-multibase, cryptography

⚠️ Beta Status

This release has not undergone an independent security audit. While we've conducted comprehensive internal security hardening with 23+ security fixes (see closed security issues), we recommend against production use until an external audit is complete. See SECURITY.md for:

  • Vulnerability reporting process
  • Security best practices
  • Threat model
  • Known limitations

📖 Full Changelog

See CHANGELOG.md for complete details.


🙏 Acknowledgments

Generated with Claude Code

Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com


🐛 Reporting Issues

Found a bug? Open an issue

Security vulnerability? Email: security@jondepalma.com (PGP key in .github/security/)

v0.2.3 - JWS Header Enhancements and Security Hardening

31 Dec 03:10
e5305a1

🚀 Release Highlights

This release introduces significant JWS/JWT enhancements for plugin ecosystem readiness while maintaining security and performance. One breaking change with a straightforward migration path.


⚠️ BREAKING CHANGE

verify_jws() now returns (header, payload) tuple instead of just payload

Migration

# Before (v0.2.2)
payload = verify_jws(token)

# After (v0.2.3)
header, payload = verify_jws(token)
# Or if you don't need the header:
_, payload = verify_jws(token)

Why? Access to header information (kid, alg, typ, iat) without re-parsing enables:

  • Plugin header validation
  • Fast DID routing before verification
  • Audit trail with header timestamps

📖 Migration Guide: docs/dev-design/VERIFY_JWS_CHANGE.md


✨ New Features

1. Custom JWS Headers (#43)

# Enable custom 'typ' headers for plugin ecosystems
token = create_jws(agent, payload, headers={"typ": "dpop+jwt"})

  • Use Cases: DPoP tokens, OAuth tokens, SIOP tokens
  • Protected Fields: alg, kid, iat cannot be overridden (security-critical)
  • Unblocks: didlite-ap2, didlite-oauth, didlite-siop plugins

2. Fast DID Extraction (#44)

# Extract DID without signature verification (~24x faster)
did = extract_signer_did(token)

  • Performance: 0.01ms per extraction (~190,000/sec)
  • Use Cases: Routing, logging, rate limiting before expensive verification
  • ⚠️ Security: Does NOT verify signature - always use verify_jws() for auth

3. Header Timestamp (iat) (#43)

  • Both header and payload contain iat claim
  • Enables header-based timestamp validation
  • Zero performance overhead

🔒 Security & Quality

Test Coverage: 96% → 97.2%

  • 236 tests (+135 new tests)
  • 7 categories: Compliance, Core, Fuzzing, Integration, JWS, Keystore, Security
  • 233 passed, 3 skipped

New Security Tests:

  • ✅ Missing kid header validation (prevents algorithm confusion)
  • ✅ Improved signature tampering detection
  • ✅ Future-dated token rejection (prevents replay attacks)
  • ✅ Algorithm enforcement (VULN-4, VULN-5, VULN-6)

Coverage by Module:

| Module | Coverage | Status |
|---|---|---|
| didlite/core.py | 98% | ✅ All security-critical paths |
| didlite/jws.py | 99% | ✅ Attack prevention verified |
| didlite/keystore.py | 95% | ✅ All backends validated |
| Overall | 97.2% | ✅ Production-ready |

⚡ Performance (Raspberry Pi 5)

| Operation | v0.2.2 | v0.2.3 | Change |
|---|---|---|---|
| Identity Generation | 0.11ms | 0.11ms | Stable |
| Token Creation | 0.13ms | 0.08ms | +58% faster |
| Token Verification | 0.24ms | 0.24ms | Zero overhead |
| DID Extraction | N/A | 0.01ms | NEW - 24x faster 🚀 |
| Custom Headers | N/A | 0.08ms | NEW - zero overhead |

Throughput:

  • Token creation: ~13,100/sec (was ~8,300/sec)
  • DID extraction: ~190,000/sec (NEW)

🎯 Plugin Ecosystem Readiness

This release unblocks three planned plugins:

didlite-ap2 (Agent Payment Protocol)

  • Requires custom typ headers for mandate signing
  • Needs header access for payment verification

didlite-oauth (OAuth 2.0)

  • DPoP token support via custom headers
  • Fast DID extraction for token introspection

didlite-siop (Self-Issued OpenID)

  • Custom typ: "openid4vci+jwt" headers
  • Header-based timestamp validation

📦 Installation

pip install didlite==0.2.3

Upgrade from v0.2.2

pip install --upgrade didlite

Migration Steps:

  1. Update verify_jws() calls to destructure tuple: header, payload = verify_jws(token)
  2. Run tests to verify compatibility
  3. (Optional) Use new extract_signer_did() for routing/logging

📋 What's Changed

Features

  • feat: v0.2.3 - JWS header enhancements and breaking changes (#48)
    • Custom headers parameter for create_jws()
    • verify_jws() tuple return: (header, payload)
    • New extract_signer_did() helper function
    • Header timestamp (iat) inclusion

Documentation

  • docs: Update documentation for v0.2.3 breaking changes
  • docs: Update test coverage and performance metrics
  • docs: Revise package description in setup.py

Testing

  • test: Improve test coverage and reliability for security paths
    • Fixed flaky signature validation test
    • Added missing kid header security test
    • Documented cryptography OpenSSL backend issue

Full Changelog: https://github.com/jondepalma/didlite-pkg/blob/main/CHANGELOG.md


🔍 Verification

Run Tests

pip install -e ".[test]"
pytest --cov=didlite --cov-report=term-missing

# Expected: 233 passed, 3 skipped, Coverage: 97.2%

Performance Benchmarks

python -c "
import time
from didlite import AgentIdentity, create_jws, extract_signer_did

agent = AgentIdentity()
payload = {'test': 'data'}

# Benchmark token creation
start = time.time()
for _ in range(1000):
    token = create_jws(agent, payload)
print(f'Token creation: {(time.time()-start)*1000/1000:.2f}ms per token')

# Benchmark DID extraction
tokens = [create_jws(agent, payload) for _ in range(100)]
start = time.time()
for t in tokens:
    did = extract_signer_did(t)
print(f'DID extraction: {(time.time()-start)*1000/100:.2f}ms per extraction')
"

🙏 Acknowledgments

  • All security testing and validation performed with Claude Code
  • Performance benchmarks on Raspberry Pi 5 8GB

📝 Checklist

  • All tests pass (233/236, 3 skipped)
  • Coverage ≥ 95% (97.2%)
  • Performance benchmarks updated
  • Documentation comprehensive
  • Migration guide provided
  • Security regression tests added
  • Breaking changes documented

🤖 Generated with Claude Code

Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com

v0.2.2 - Phase 5 Security Hardening

30 Dec 03:46
f3c6114

Release v0.2.2 - Phase 5 Security Hardening

Release Date: 2025-12-29

Overview

Version 0.2.2 represents a major security hardening milestone with 7 vulnerability fixes, comprehensive compliance testing, and robust regression test coverage. This release strengthens didlite's security posture for production edge/IoT deployments while maintaining backward compatibility.

Security Fixes

Critical Priority

VULN-1: DoS Prevention (#33)

  • Added DID length limit (128 characters) to prevent OOM attacks on edge devices
  • Type validation prevents non-string inputs from reaching decode logic
  • Protects resource-constrained IoT deployments

VULN-7: TOCTOU Race Condition (#39)

  • Fixed file permissions race condition in FileKeyStore
  • Atomic file creation with os.open(..., 0o600) prevents window of insecure permissions
  • Eliminates Time-of-Check-Time-of-Use vulnerability
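
The window that VULN-7 closes, shown beside the atomic form on a POSIX system. This is an added example, not didlite's FileKeyStore code; the function names, file names and the zero-filled placeholder key are assumptions.

```python
import os
import stat
import tempfile


def racy_window_mode(path: str, data: bytes) -> int:
    """'Before' pattern: create, then chmod. Returns the mode the file
    had between the two calls, i.e. what another local user could see."""
    old_umask = os.umask(0o022)          # common default, set for a stable demo
    try:
        with open(path, "wb") as fh:     # created as 0o666 & ~umask
            fh.write(data)
        exposed = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, 0o600)            # tightened only after the window
    finally:
        os.umask(old_umask)
    return exposed


def write_key_atomic(path: str, data: bytes) -> None:
    """Hardened pattern: the kernel applies 0o600 when it creates the
    inode, so no wider mode is ever observable. O_EXCL also refuses a
    file or symlink that already sits at `path`."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    fd = os.open(path, flags, 0o600)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())        # key material reaches disk before return
    except BaseException:
        os.unlink(path)                  # do not leave a partial key file behind
        raise


def demo() -> dict:
    key = bytes(32)                      # constructed placeholder, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        exposed = racy_window_mode(os.path.join(tmp, "racy.key"), key)
        safe_path = os.path.join(tmp, "atomic.key")
        write_key_atomic(safe_path, key)
        final = stat.S_IMODE(os.stat(safe_path).st_mode)
        try:
            write_key_atomic(safe_path, key)   # second create must fail
            refused = False
        except FileExistsError:
            refused = True
    return {"racy_window": oct(exposed), "atomic": oct(final),
            "second_create_refused": refused}


if __name__ == "__main__":
    print(demo())
```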

High Priority

VULN-4: Algorithm Enforcement (#36)

  • Prevents "None Algorithm" JWT attack (classic security vulnerability)
  • Enforces EdDSA-only algorithm (RFC 7515 compliance)
  • Rejects algorithm substitution attempts (RS256, HS256, etc.)

VULN-6: Future-Dating Protection (#38)

  • Prevents replay attacks with pre-generated future tokens
  • 60-second clock skew tolerance for distributed systems (RFC 7519)
  • Validates iat (issued-at) claim while maintaining backward compatibility
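
The checks described under VULN-4 and VULN-6, written as a policy gate over the decoded header and payload. This is an added example, not didlite's verify_jws(); the function names, error strings, sample tokens and the choice to accept tokens without an iat claim are assumptions, and signature verification still has to follow.

```python
import base64
import json
import time
from typing import Optional, Tuple

ALLOWED_ALG = "EdDSA"     # the only algorithm the release notes permit
MAX_CLOCK_SKEW = 60       # seconds of tolerance for a future iat


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_json(obj: dict) -> str:
    # Compact separators, as VULN-5 requires for JWS serialization.
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_token_policy(token: str, now: Optional[float] = None) -> Tuple[dict, dict]:
    """Reject tokens that fail the header/claim rules. Does NOT verify
    the signature; it only decides whether verification may proceed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected 3 segments")
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # binascii.Error and JSONDecodeError subclass it
        raise ValueError(f"malformed token: {type(exc).__name__}") from None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("malformed token: header and payload must be objects")
    # Exact match: "none", "HS256", "RS256", missing or non-string all fail.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("unsupported algorithm")
    if not isinstance(header.get("kid"), str) or not header["kid"]:
        raise ValueError("missing kid header")
    iat = payload.get("iat")
    if iat is not None:        # absent iat accepted (assumed compatibility rule)
        if isinstance(iat, bool) or not isinstance(iat, (int, float)):
            raise ValueError("iat must be numeric")
        if iat > now + MAX_CLOCK_SKEW:
            raise ValueError("token issued in the future")
    return header, payload


# Constructed sample data: placeholder kid and a fake signature segment.
KID = "did:key:zEXAMPLE#zEXAMPLE"
NOW = 1_700_000_000


def sample(header: dict, payload: dict) -> str:
    return f"{b64url_json(header)}.{b64url_json(payload)}.c2ln"


def classify(token: str, now: float = NOW) -> str:
    try:
        check_token_policy(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for alg in ("none", "HS256", "EdDSA"):
        print(alg, "->", classify(sample({"alg": alg, "kid": KID}, {"iat": NOW})))
    print("iat+61 ->", classify(sample({"alg": "EdDSA", "kid": KID}, {"iat": NOW + 61})))
```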

Medium Priority

VULN-2: Base64 Padding Fix (#34)

  • Corrected base64 padding formula: "=" * (-len(data) % 4)
  • RFC 7517 compliance for JWK import
  • Fixes edge case where len % 4 == 0 incorrectly added 4 padding chars
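
The padding formula above, combined with the ValueError wrapping that v0.2.6 describes for from_jwk(). This is an added example, not didlite's code: pad_buggy() is a formula with the behaviour the note describes (the original line is not on this page), and the function names, the other error strings and the 32-byte Ed25519 seed length check are assumptions.

```python
import base64
import binascii

ED25519_SEED_LEN = 32   # assumption: 'd' carries a 32-byte Ed25519 seed


def pad_buggy(data: str) -> str:
    """Yields '====' when len(data) is already a multiple of 4."""
    return "=" * (4 - len(data) % 4)


def pad_fixed(data: str) -> str:
    """Formula from the release notes: 0 to 3 '=' characters, never 4."""
    return "=" * (-len(data) % 4)


def decode_jwk_private_key(jwk: dict) -> bytes:
    """Decode the 'd' field of a JWK, raising only ValueError."""
    d = jwk.get("d") if isinstance(jwk, dict) else None
    if not isinstance(d, str) or not d:
        raise ValueError("Invalid JWK: missing private key 'd' field")
    try:
        raw = base64.urlsafe_b64decode(d + pad_fixed(d))
    except (binascii.Error, ValueError) as exc:
        # Report only the exception type; 'from None' drops the chained
        # traceback so library internals do not reach the caller.
        raise ValueError(
            "Invalid JWK: failed to decode private key 'd' field - "
            + type(exc).__name__
        ) from None
    # urlsafe_b64decode silently skips non-alphabet characters, so a
    # length check is what catches mangled input that still "decodes".
    if len(raw) != ED25519_SEED_LEN:
        raise ValueError("Invalid JWK: private key 'd' field has wrong length")
    return raw


def error_for(jwk) -> str:
    try:
        decode_jwk_private_key(jwk)
        return ""
    except ValueError as exc:
        return str(exc)


# Constructed sample: a non-secret 32-byte pattern encoded without padding.
SAMPLE_SEED = bytes(range(32))
SAMPLE_D = base64.urlsafe_b64encode(SAMPLE_SEED).rstrip(b"=").decode()

if __name__ == "__main__":
    for s in ("abcd", "abcde", "abcdef", "abcdefg"):
        print(len(s), repr(pad_buggy(s)), repr(pad_fixed(s)))
    print(decode_jwk_private_key({"d": SAMPLE_D}) == SAMPLE_SEED)
    print(error_for({"d": "A"}))
```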

VULN-3: Lazy Imports (#35)

  • Extended lazy imports to keystore.py
  • MemoryKeyStore and EnvKeyStore work without cryptography installed
  • Maintains "lite" philosophy for minimal edge deployments

VULN-5: Compact JSON (#37)

  • RFC 7515 compliance with compact JSON serialization
  • Uses separators=(',', ':') to eliminate whitespace
  • Standards-compliant JWS token generation

New Features

Compliance Test Suite (#40)

  • 75 new tests validating W3C DID Core and RFC JWT/JWS standards
  • Test coverage:
    • W3C DID Method compliance
    • DID Resolution specification
    • JWK format validation (RFC 7517)
    • JWS compact serialization (RFC 7515)
    • JWT claims validation (RFC 7519)

Regression Test Suite (#41-#45)

  • 19 new tests preventing vulnerability reintroduction
  • Three test classes:
    • TestPhase5CoreRegressions: 5 tests for VULN-1, VULN-2
    • TestPhase5SecurityRegressions: 9 tests for VULN-4, VULN-5, VULN-6
    • TestPhase5KeystoreRegressions: 5 tests for VULN-7 (including threading race test)

Regression Testing Strategy

  • Added comprehensive guidance to CLAUDE.md
  • When to add regression tests (5 criteria)
  • Where to add tests (file-specific)
  • Coverage goals (100% security-critical paths)

Test Suite Growth

| Metric | v0.2.1 | v0.2.2 | Change |
|---|---|---|---|
| Total Tests | 101 | 205 | +103% |
| Coverage | 95% | 96% | +1% |
| Lines Covered | - | 288/299 | - |

New Test Categories:

  • 75 compliance tests (W3C, RFC standards)
  • 19 regression tests (Phase 5 vulnerabilities)
  • 1 threading race condition test (TOCTOU verification)

Breaking Changes

None. All changes are non-breaking security enhancements.

Upgrade Guide

Simply update your dependency:

pip install --upgrade didlite

No code changes required. All security fixes are transparent to users.

Files Changed

 CLAUDE.md                |  48 ++++++
 didlite/core.py          |  36 ++++-
 didlite/jws.py           |  30 +++-
 didlite/keystore.py      |  39 +++--
 tests/test_compliance.py | 401 +++++++++++++++++++++++++++++++++++++++++
 tests/test_core.py       | 162 +++++++++++++++++
 tests/test_jws.py        | 314 ++++++++++++++++++++++++++++++++
 tests/test_keystore.py   | 193 ++++++++++++++++++++
 9 files changed, 1209 insertions(+), 19 deletions(-)

Verification

All tests pass:

pytest -v
# 203 passed, 2 skipped in 2.15s

Coverage report:

pytest --cov=didlite --cov-report=term-missing
# TOTAL: 96% (288/299 lines)

References

  • PHASE_5_FINDINGS.md: Detailed vulnerability analysis
  • Issues #33-#39: Individual vulnerability tickets
  • Issue #40: Compliance test suite
  • Issues #41-#45: Regression test implementation
  • Issue #46: Future test coverage improvements (v0.2.3)
  • PR #45: Phase 5 implementation
  • PR #47: Release preparation

Credits

Security analysis and fixes developed in collaboration with Claude Code (claude.ai/code).

🤖 Generated with Claude Code

v0.2.1 - Critical Dependency Fix

27 Dec 04:37
ccb2f24

🐛 Critical Bug Fix

This patch release fixes a critical dependency issue that prevented didlite from being imported in fresh environments.

What's Fixed

  • Added missing cryptography dependency (#30)
    • Package was importing from cryptography but not declaring it as a dependency
    • Caused ModuleNotFoundError: No module named 'cryptography' on fresh installs
    • Added cryptography>=41.0.0 to install_requires

Impact

  • Severity: CRITICAL - blocked basic usage of the package
  • Affected versions: v0.2.0 and earlier
  • Required for: PEM export/import (to_pem(), from_pem()) and keystore encryption

Upgrade Instructions

If you're upgrading from v0.2.0:

pip install --upgrade didlite

The missing cryptography dependency will be installed automatically.

Testing

✅ All 166 tests passing
✅ Verified in fresh virtual environment

Full Changelog

See CHANGELOG.md


Full Changelog: v0.2.0...v0.2.1

v0.2.0 - Security Hardening & Production Readiness

27 Dec 02:29
7ff6472

This release focuses on security improvements, standards compliance, and production readiness. All critical and high severity vulnerabilities from the security audit have been resolved.

🔒 Security Improvements

  • All critical vulnerabilities resolved (Issues #4, #5, #6, #7, #9, #10, #11, #12, #13, #14, #15, #16, #21, #25)
    • Path traversal protection implemented
    • Error message sanitization
    • Type validation for JWK/PEM imports
    • Comprehensive input validation at all boundaries
  • JWS verification now raises native exception types (#21)
    • Improved error handling with specific exception types
    • Better debuggability while maintaining security
  • Optimized fuzzing suite for resource-constrained devices (#25)
    • Configurable fuzzing intensity (10 examples for dev, 500 for CI/CD)
    • Full suite completes in ~30 seconds on Raspberry Pi 5

✨ Features from v0.1.5

  • JWK and PEM export/import support
  • TTL expiration for JWS tokens
  • Pluggable key storage (Memory, Env, File with encryption)
  • Authlib interoperability validation

📚 Documentation

  • Comprehensive security documentation (THREAT_MODEL.md, CRYPTO_RATIONALE.md)
  • Clean documentation structure for public repository
  • Fuzzing configuration guide for CI/CD
  • Testing best practices guide
  • Clear migration path to enterprise SSI

⚠️ Breaking Changes

  • verify_jws() now raises specific exception types instead of generic Exception
    • Applications should catch BadSignatureError and ValueError
    • Not a concern for first public release (no existing users)

📦 Installation

pip install didlite

🔗 Full Changelog

See CHANGELOG.md for complete details.

🙏 Acknowledgments

This release represents significant security hardening work to prepare for public launch and community adoption. Special thanks to the comprehensive security audit process that identified and resolved all critical vulnerabilities.


Repository Status: Private repository preparing for public launch in the coming week.

Security Status: All known vulnerabilities resolved. No critical or high-severity issues remaining.