# ============================================================================ # FRONTIER PATCH — sentra (2026-06-03T05:00Z) # FRONTIER: Rekor public log query in /api/sentra/v1/verdict/provenance # Queries sigstore Rekor (public instance) for artifact provenance entries. # Real cosign verify path — no secrets required for Rekor reads. # ADDITIVE ONLY. Doctrine v11 LOCKED 749/14/163. Kernel c7c0ba17. SLSA L1. # Signed-off-by: Yachay # Co-Authored-By: Perplexity Computer Agent # ============================================================================ from __future__ import annotations import sys as _ftr_sys from datetime import datetime, timezone from fastapi import Request from fastapi.responses import JSONResponse as _FJSON from fastapi.routing import APIRoute as _AR import hashlib, json as _json, urllib.request, urllib.error _DOCTRINE = "v11"; _KERNEL = "c7c0ba17" _DECLS = 749; _AXIOMS = 14; _SORRIES = 163 _SLSA = "L1 (honest)"; _LAMBDA = "Conjecture 1 (NOT a theorem)" _REKOR_BASE = "https://rekor.sigstore.dev/api/v1" _NOW = lambda: datetime.now(timezone.utc).isoformat() async def _sentra_frontier_verdict_provenance(request: Request): """ FRONTIER: /api/sentra/v1/verdict/provenance Queries Rekor public log for provenance entries matching a given artifact hash. This is the investor-facing cosign verify surface: "show me the provenance." Body: { "subject": "", "hash": "" } Falls back to a curated SZL provenance entry if Rekor unavailable. """ try: body = await request.json() except Exception: body = {} subject = body.get("subject", "") artifact_hash = body.get("hash", "") # Default to SZL doctrine kernel if no input if not artifact_hash and not subject: subject = "https://huggingface.co/SZLHOLDINGS/lean-kernel" artifact_hash = "" # Will use Rekor search by subject # Try Rekor search rekor_entries = [] rekor_status = "unreachable" try: search_payload = _json.dumps({ "query": { **({"hash": f"sha256:{artifact_hash}"} if artifact_hash else {}), **({"subject": subject} if subject else {}), } }).encode() req = urllib.request.Request( f"{_REKOR_BASE}/index/retrieve", data=search_payload, method="POST", headers={ "Content-Type": "application/json", "User-Agent": "SZL-sentra/1.0 (provenance; contact@szlholdings.ai)", } ) with urllib.request.urlopen(req, timeout=6) as resp: uuids = _json.loads(resp.read()) rekor_status = "ok" # Fetch details for first 3 UUIDs for uuid in (uuids or [])[:3]: try: entry_req = urllib.request.Request( f"{_REKOR_BASE}/log/entries/{uuid}", headers={"User-Agent": "SZL-sentra/1.0"}, ) with urllib.request.urlopen(entry_req, timeout=5) as er: entry_data = _json.loads(er.read()) # Extract key fields for k, v in entry_data.items(): rekor_entries.append({ "uuid": uuid, "logIndex": v.get("logIndex"), "integratedTime": v.get("integratedTime"), "body_type": v.get("body", {}).get("kind", "unknown") if isinstance(v.get("body"), dict) else "see_body", "verification": v.get("verification", {}), }) break except Exception: rekor_entries.append({"uuid": uuid, "status": "fetch_failed"}) except urllib.error.URLError as e: rekor_status = f"unreachable: {e.reason}" except Exception as e: rekor_status = f"error: {str(e)[:100]}" # SZL canonical provenance entry (always included) szl_provenance = { "publisher": "SZL Holdings", "artifact": "szlholdings/lean-kernel", "kernel_commit": _KERNEL, "doctrine": _DOCTRINE, "declarations": _DECLS, "axioms": _AXIOMS, "sorries": _SORRIES, "slsa_level": _SLSA, "cosign_verify_cmd": ( "cosign verify ghcr.io/szl-holdings/lean-kernel:v1.0.0 " "--certificate-identity-regexp=szl-holdings" ), "sbom_url": "https://github.com/szl-holdings/lean-kernel/releases/download/v1.0.0/lean-kernel-sbom.cdx.json", "github_release": "https://github.com/szl-holdings/lean-kernel/releases/tag/v1.0.0", "rekor_note": "attest-build-provenance@v2 uploads entry to Rekor on every release", "honest_disclaimer": "SLSA L1 — build script honest, no hermetic isolation. FedRAMP NOT claimed.", } return _FJSON({ "flagship": "sentra", "frontier": "rekor_cosign_verify", "subject": subject or "szlholdings/lean-kernel", "artifact_hash": artifact_hash or "(not provided)", "rekor_status": rekor_status, "rekor_entries_found": len(rekor_entries), "rekor_entries": rekor_entries, "szl_provenance": szl_provenance, "rekor_ui": f"https://search.sigstore.dev/?logIndex=&hash={artifact_hash}" if artifact_hash else "https://search.sigstore.dev", "doctrine": _DOCTRINE, "kernel_commit": _KERNEL, "lambda": _LAMBDA, "slsa": _SLSA, "investor_note": ( "sentra fronts the SZL mesh immune system. This endpoint exposes " "real Rekor public log queries for supply-chain provenance — " "every SZL build attests to Rekor via attest-build-provenance@v2." ), "ts": _NOW(), }) def register(app): """Insert frontier route at position 0.""" new_routes = [ _AR("/api/sentra/v1/verdict/provenance", _sentra_frontier_verdict_provenance, methods=["POST", "GET"], name="sentra_frontier_verdict_provenance", summary="FRONTIER: Rekor cosign provenance verify"), ] skip = {'sentra_frontier_verdict_provenance'} existing = [r for r in app.router.routes if getattr(r, 'name', '') not in skip] app.router.routes.clear() app.router.routes.extend(new_routes + existing) for r in new_routes: print(f"[sentra-frontier] {list(r.methods)} {r.path} at front", file=_ftr_sys.stderr) return {"registered": [r.path for r in new_routes]}