feat: devex help, add Makefile, ruff, pre-commit, and modernize CI#801
Closed
OutThisLife wants to merge 1 commit into
Closed
feat: devex help, add Makefile, ruff, pre-commit, and modernize CI#801OutThisLife wants to merge 1 commit into
OutThisLife wants to merge 1 commit into
Conversation
Contributor
|
Closing — the tooling additions (Makefile, ruff config, pre-commit, CI) have merit, but this PR bundles them with mass reformatting of 104 source files (~21k lines of churn). That's not something we want right now:
If you'd like to resubmit the tooling-only pieces (Makefile, pyproject.toml ruff config, .editorconfig, .pre-commit-config.yaml, CI modernization) as a separate PR without any source file formatting changes, we'd be happy to review that. The ruff config can exist in pyproject.toml for contributors to use locally without enforcing a mass reformat. Thanks for the effort @OutThisLife — the Makefile and CI improvements are genuinely useful, just need to be decoupled from the formatting pass. |
Collaborator
Author
|
reopened w/o formatting included, that can be another pass #969 |
lmsanch
added a commit
to lmsanch/hermes-agent
that referenced
this pull request
Apr 22, 2026
…play protection (NousResearch#718) (#6) Operationalizes the A2A cryptographic identity spec in docs/strategic/A2A_CRYPTO_IDENTITY.md (filed as toryx-private#820). This is the module downstream issues NousResearch#801, NousResearch#802, and NousResearch#812 integrate against; it replaces the env-var trust shim in research_mcp whitelist. New module `tools/agent_identity.py`: - generate_identity(profile_name, force=False) Writes an Ed25519 private key (PKCS8 PEM) to ~/.hermes/profiles/<profile>/keys/ed25519_private.pem (chmod 600) and registers the raw public key in ~/.hermes/identity_registry.yaml. Refuses overwrite without force=True so rotation is explicit. - sign_envelope(profile_name, recipient, body, host=None) Canonical-JSON envelope per spec §4: sender_agent, sender_host, recipient_agent, nonce (128 bit hex), timestamp (ISO8601 UTC), body_sha256, body, signature. Signature covers everything except the signature field itself. - verify_envelope(envelope) Per spec §5 verification flow: missing-fields check → timestamp window (5 min) → body_sha256 integrity → nonce LRU replay (10k entries) → pubkey lookup → Ed25519 verify. On ANY failure returns non-valid result — callers drop silently, no reply (prevents loop amplification + reply-ack exfil per NousResearch#716 lessons). - canonical_json(obj) Exposed utility — sorted keys, UTF-8, no whitespace. Same shape as the toryx-openratings anchor payload canonical form. Tests: - Round-trip sign/verify - Replay rejection (same nonce twice) - Timestamp-out-of-window rejection - Unknown sender rejection - Bad signature rejection - Tampered body rejection (body_sha256 integrity catch) - Missing fields rejection - Canonical JSON is deterministic across key orderings - Two-agent talk (cross-identity verification) - Nonce LRU eviction semantics Not in scope (v2): - Key rotation with 30-day pubkey overlap - HSM-backed private key storage - Transport bindings (telegram X-header, email header, consult_colleague inline field) — those land in each platform adapter Closes lmsanch/toryx-private#718
1 task
lmsanch
added a commit
to lmsanch/hermes-agent
that referenced
this pull request
May 23, 2026
…play protection (NousResearch#718) (#6) Operationalizes the A2A cryptographic identity spec in docs/strategic/A2A_CRYPTO_IDENTITY.md (filed as toryx-private#820). This is the module downstream issues NousResearch#801, NousResearch#802, and NousResearch#812 integrate against; it replaces the env-var trust shim in research_mcp whitelist. New module `tools/agent_identity.py`: - generate_identity(profile_name, force=False) Writes an Ed25519 private key (PKCS8 PEM) to ~/.hermes/profiles/<profile>/keys/ed25519_private.pem (chmod 600) and registers the raw public key in ~/.hermes/identity_registry.yaml. Refuses overwrite without force=True so rotation is explicit. - sign_envelope(profile_name, recipient, body, host=None) Canonical-JSON envelope per spec §4: sender_agent, sender_host, recipient_agent, nonce (128 bit hex), timestamp (ISO8601 UTC), body_sha256, body, signature. Signature covers everything except the signature field itself. - verify_envelope(envelope) Per spec §5 verification flow: missing-fields check → timestamp window (5 min) → body_sha256 integrity → nonce LRU replay (10k entries) → pubkey lookup → Ed25519 verify. On ANY failure returns non-valid result — callers drop silently, no reply (prevents loop amplification + reply-ack exfil per NousResearch#716 lessons). - canonical_json(obj) Exposed utility — sorted keys, UTF-8, no whitespace. Same shape as the toryx-openratings anchor payload canonical form. Tests: - Round-trip sign/verify - Replay rejection (same nonce twice) - Timestamp-out-of-window rejection - Unknown sender rejection - Bad signature rejection - Tampered body rejection (body_sha256 integrity catch) - Missing fields rejection - Canonical JSON is deterministic across key orderings - Two-agent talk (cross-identity verification) - Nonce LRU eviction semantics Not in scope (v2): - Key rotation with 30-day pubkey overlap - HSM-backed private key storage - Transport bindings (telegram X-header, email header, consult_colleague inline field) — those land in each platform adapter Closes lmsanch/toryx-private#718
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Adds a proper dev toolchain — Makefile command surface, ruff formatting/linting,
pre-commit hooks, and modernized CI. Contributors now run
make setup+make checkinstead of memorizing ad-hoc commands.
Related Issue
N/A — devex improvement
Type of Change
Changes Made
Makefile— setup, sync, clean, lint, fmt, check, test, test-fast, test-watch, dev-cli, dev-gatewaypyproject.toml— ruff config (lint rules, isort, per-file ignores), dev deps (ruff, pre-commit, watchfiles).pre-commit-config.yaml— ruff lint/format + hygiene hooks.editorconfig— 4-space Python, 2-space YAML, tabs for Makefile, LF.github/workflows/tests.yml— split into lint (uvx ruff, zero-install) + test (uv cache) jobs.gitignore— deduplicated and organizedREADME.md,CONTRIBUTING.md,AGENTS.md, website docs, PR template, platform guide — standardized onmakecommandstools/delegate_tool.py— fixedcallable | None→Callable | None(runtime crash on 3.11)batch_runner.py— addedfrom __future__ import annotationsforLock | Nonegateway/__init__.py— fixed SessionResetPolicy import (was importing from wrong module)How to Test
make setupfrom a fresh clonemake check— lint + test should both passmake dev-cli— verify file-watch restart worksChecklist
Code
make checkand all checks passDocumentation & Housekeeping