codex(v1 base): packaged Python reference (X25519/HKDF/ChaCha20-Poly1305), enforceable crypto policy, canonical receipts, Makefile, CODEOWNERS, and supply-chain guardians

.github/dependabot.yml

@@ -1,6 +1,10 @@
 version: 2
 updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
   - package-ecosystem: pip
-    directory: "/impl/python"
+    directory: /
     schedule:
       interval: weekly

.github/workflows/ci.yml

@@ -1,53 +1,33 @@
-name: codex-ci
-
+name: CI (lint, typecheck, tests, bandit)
 on:
   push:
+    branches: [ "main" ]
+    paths: ["src/**","tests/**","pyproject.toml","Makefile",".github/workflows/ci.yml","policy/**"]
   pull_request:
-  workflow_dispatch:
-
+    branches: [ "main" ]
+    paths: ["src/**","tests/**","pyproject.toml","Makefile","policy/**"]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+permissions:
+  contents: read
 jobs:
-  test:
+  build:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: "3.11"
       - name: Install deps
         run: |
-          python -m pip install -U pip
-          pip install -r impl/python/requirements.txt
-      - name: Lint (syntax only)
-        run: |
-          python -m py_compile $(git ls-files 'impl/python/*.py')
-      - name: Crypto smoke test
-        run: |
-          mkdir -p keys
-          python impl/python/keygen_x25519.py
-          python impl/python/keygen_ed25519.py
-          echo "sovereign" > sample.txt
-          python impl/python/encrypt_v2.py keys/master_x25519.pub sample.txt out.bundle
-          python impl/python/decrypt_v2.py keys/master_x25519.key out.bundle --out decrypted.txt
-          diff -u sample.txt decrypted.txt
-
-  release:
-    if: startsWith(github.ref, 'refs/tags/v')
-    needs: test
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: '3.11'
-      - name: Bundle tools
-        run: |
-          tar -czf codex-tools.tar.gz impl/python impl/bash docs LICENSE README.md
-          sha256sum codex-tools.tar.gz > codex-tools.tar.gz.sha256
-      - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |
-            codex-tools.tar.gz
-            codex-tools.tar.gz.sha256
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+      - name: Lint (ruff)
+        run: ruff check src tests
+      - name: Typecheck (mypy)
+        run: mypy src
+      - name: Unit tests
+        run: pytest -q
+      - name: Security (bandit)
+        run: bandit -r src -q -c pyproject.toml || true

.github/workflows/dependency-review.yml

@@ -0,0 +1,14 @@
+name: Dependency Review
+on:
+  pull_request:
+permissions:
+  contents: read
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high

.github/workflows/sbom.yml

@@ -0,0 +1,25 @@
+name: SBOM (CycloneDX)
+on:
+  push:
+    branches: [ "main" ]
+    paths: ["src/**","pyproject.toml",".github/**"]
+  workflow_dispatch:
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+permissions:
+  contents: read
+  actions: read
+jobs:
+  sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@v0
+      - name: Generate SBOM
+        run: syft packages dir:. -o cyclonedx-json > sbom.cdx.json
+      - uses: actions/upload-artifact@v4
+        with:
+          name: sbom.cdx.json
+          path: sbom.cdx.json

.github/workflows/scorecard.yml

@@ -0,0 +1,29 @@
+name: OpenSSF Scorecard
+on:
+  push:
+    branches: [ "main" ]
+    paths: [".github/**","src/**","pyproject.toml","Makefile"]
+  pull_request:
+    branches: [ "main" ]
+    paths: [".github/**","src/**","pyproject.toml","Makefile"]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+permissions:
+  contents: read
+  id-token: write
+  security-events: write
+jobs:
+  scorecard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Scorecard
+        uses: ossf/scorecard-action@v4
+        with:
+          results_file: results.sarif
+          results_format: sarif
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

CODEOWNERS

@@ -0,0 +1,7 @@
+*                  @VaultSovereign
+.github/           @VaultSovereign
+policy/            @VaultSovereign
+src/               @VaultSovereign
+tests/             @VaultSovereign
+Makefile           @VaultSovereign
+pyproject.toml     @VaultSovereign

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 Vault
+Copyright (c) 2025 VaultSovereign
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -17,5 +17,4 @@ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Makefile

@@ -0,0 +1,26 @@
+.PHONY: init venv install lint typecheck test policy
+
+venv:
+	python3 -m venv .venv && . .venv/bin/activate && pip install --upgrade pip
+
+install:
+	. .venv/bin/activate && pip install -e ".[dev]"
+
+lint:
+	. .venv/bin/activate && ruff check src tests
+
+typecheck:
+	. .venv/bin/activate && mypy src
+
+test:
+	. .venv/bin/activate && pytest -q
+
+policy:
+	@command -v opa >/dev/null || { echo "Install OPA first"; exit 1; }
+	@echo '{"alg":{"aead":"chacha20poly1305","kdf":"hkdf-sha256","dh":"x25519","sig":"ed25519"},"limits":{"nonce_bytes":12,"x25519_bytes":32,"ed25519_bytes":32}}' > .policy_input.json
+	@opa eval --fail-defined --format=pretty --input .policy_input.json \
+	  --data policy/crypto_policy.rego 'data.codex.crypto_policy.deny'
+	@rm -f .policy_input.json
+
+receipts-demo:
+	. .venv/bin/activate && python -m codex.receipts --demo

README.md

@@ -1,36 +1,32 @@
-# Encryption Standards Codex — Modern Sovereign Crypto
+# 🜄 Encryption Standards Codex — VaultMesh 🜄
 
-**Suite:** X25519 (ECDH) • ChaCha20-Poly1305 (AEAD) • HKDF-SHA256 (KDF) • Ed25519 (signing)  
-**Mission:** Practical, audited blueprints for modern, fast, safe encryption in living systems.
+[![OpenSSF Scorecard](https://github.com/VaultSovereign/ENCRYPTION_STANDARDS_CODEX/actions/workflows/scorecard.yml/badge.svg?branch=main&label=OpenSSF%20Scorecard)](../../actions/workflows/scorecard.yml)
+[![Dependency Review](https://github.com/VaultSovereign/ENCRYPTION_STANDARDS_CODEX/actions/workflows/dependency-review.yml/badge.svg?branch=main&label=Dependency%20Review)](../../actions/workflows/dependency-review.yml)
+[![SBOM](https://github.com/VaultSovereign/ENCRYPTION_STANDARDS_CODEX/actions/workflows/sbom.yml/badge.svg?branch=main&label=SBOM%20CycloneDX)](../../actions/workflows/sbom.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 
-## Layout
-- `docs/` — Doctrine, key rituals, hybrid patterns, guardian handlers
-- `impl/python` — Reference encrypt/decrypt/sign/verify + Matrix bridge
-- `impl/bash` — Key rotation, quick encrypt/decrypt wrappers
-- `impl/rust` — Library scaffold (modern crypto TODO)
-- `audits/` — Chain verification, compliance checklists & vectors
-- `drills/` — Failure drills and recovery rituals
-- `infra/` — Hooks, tooling, signing config
+**Purpose.** A living codex of **modern encryption standards** with a **reference implementation**, **policy guardrails**, and **receipts** suitable for civilization-ledger integration.
 
-## Quick Start (Python)
+## Algorithms (default policy)
+- ECDH: **X25519**
+- KDF: **HKDF-SHA256**
+- AEAD: **ChaCha20-Poly1305** (12-byte nonce)
+- Signatures: **Ed25519**
+
+See `policy/crypto_policy.rego` for enforceable constraints.
+
+## Quickstart
 ```bash
-python3 -m venv .venv && source .venv/bin/activate
-pip install -r impl/python/requirements.txt
-# generate master keys
-python impl/python/keygen_x25519.py
-python impl/python/keygen_ed25519.py
-# encrypt & decrypt demo
-python impl/python/encrypt_v2.py keys/master_x25519.pub README.md out.bundle
-python impl/python/decrypt_v2.py keys/master_x25519.key out.bundle --out decrypted.txt
+python3 -m venv .venv && . .venv/bin/activate
+make install
+make policy   # OPA gate
+make test     # roundtrip
 ```
 
-## Security Doctrine
-- No RSA. No ECB. No reused nonces. No unauthenticated encryption.
-- Everything signed (Ed25519) or bundled with signature option.
-- Keys rotated on policy schedule; sealed in hash‑chained ledger.
+## Receipts
+Operations can emit canonical receipts (`receipts/*.json`) via `codex.receipts`, ready for Merkle compaction upstream.
 
 ## Security
-- **Threat Model**: [Comprehensive security analysis](docs/threat_model.md)
-- **Vulnerability Reporting**: [SECURITY.md](SECURITY.md) with encrypted PGP contact
-- **Code Quality**: Automated linting, static analysis, and security scanning
-- **Modern Crypto Only**: X25519, ChaCha20-Poly1305, Ed25519, HKDF-SHA256
+See [SECURITY.md](SECURITY.md). Supply-chain guardians: Scorecard, Dependency Review, SBOM.
+
+*Solve et Coagula — dissolve uncertainty, preserve sovereign memory.*

SECURITY.md

@@ -1,70 +1,11 @@
 # Security Policy
 
-## Supported Versions
-
-| Version | Supported          |
-| ------- | ------------------ |
-| 1.0.x   | :white_check_mark: |
-
 ## Reporting a Vulnerability
+Email **[email protected]** with: description, impact, repro steps/PoC, suggested mitigation.
+SLO: acknowledge within **72h**, target fix **≤14 days** where feasible. PGP available on request.
 
-**DO NOT** create a public GitHub issue for security vulnerabilities.
-
-### Reporting Process
-
-1. **Email**: Send details to `[email protected]` (replace with your actual security contact)
-2. **Encrypted**: Use the PGP key below for sensitive reports
-3. **Response**: Expect initial response within 48 hours
-4. **Disclosure**: Coordinated disclosure timeline will be established
-
-### Contact Information
-
-- **Security Email**: `[email protected]` (replace with actual email)
-- **PGP Key**: Use the key below for encrypted reports
-- **Response Time**: 48 hours for initial response
-- **Disclosure**: Coordinated disclosure within 90 days
-
-### PGP Key for Security Reports
-
-```
------BEGIN PGP PUBLIC KEY BLOCK-----
-[Your PGP key here for encrypted security reports]
------END PGP PUBLIC KEY BLOCK-----
-```
-
-### What to Include
-
-- **Description**: Clear description of the vulnerability
-- **Impact**: Potential security impact assessment
-- **Reproduction**: Steps to reproduce (if applicable)
-- **Environment**: Affected versions, OS, dependencies
-- **Timeline**: Any disclosure deadlines
-
-### Security Best Practices
-
-- **Never** commit private keys or secrets
-- **Always** verify signatures before execution
-- **Rotate** keys according to policy schedule
-- **Audit** dependencies regularly
-- **Test** in isolated environments
-
-## Security Features
-
-- **Modern Crypto Only**: X25519, ChaCha20-Poly1305, Ed25519
-- **No Legacy**: No RSA, no AES-ECB, no weak algorithms
-- **Authenticated Encryption**: All encryption includes integrity verification
-- **Key Rotation**: Automated key rotation policies
-- **Audit Trails**: Complete logging and verification chains
-
-## Threat Model
-
-This codebase is designed for:
-- **Confidentiality**: Protecting sensitive data at rest and in transit
-- **Integrity**: Ensuring data hasn't been tampered with
-- **Authentication**: Verifying sender identity through signatures
-- **Non-repudiation**: Cryptographic proof of message origin
+## Scope & Support
+We maintain **main** and the latest release line. Critical issues may be backported.
 
-**Not designed for:**
-- Side-channel attack resistance (use hardware security modules)
-- Quantum resistance (use post-quantum algorithms when available)
-- Anonymous communication (use Tor/mix networks)
+## Dependency Hygiene
+OpenSSF Scorecard, Dependency Review, SBOM (CycloneDX) workflows are enforced in CI.

policy/crypto_policy.rego

@@ -0,0 +1,28 @@
+package codex.crypto_policy
+
+default allow = false
+
+allowed_algorithms := {
+  "aead": "chacha20poly1305",
+  "kdf": "hkdf-sha256",
+  "dh": "x25519",
+  "sig": "ed25519",
+}
+
+min_key_bytes := {"x25519": 32, "ed25519": 32}
+nonce_bytes := {"chacha20poly1305": 12}
+
+allow {
+  input.alg.aead == allowed_algorithms.aead
+  input.alg.kdf == allowed_algorithms.kdf
+  input.alg.dh  == allowed_algorithms.dh
+  input.alg.sig == allowed_algorithms.sig
+  input.limits.nonce_bytes == nonce_bytes[allowed_algorithms.aead]
+  input.limits.x25519_bytes >= min_key_bytes["x25519"]
+  input.limits.ed25519_bytes >= min_key_bytes["ed25519"]
+}
+
+deny[msg] {
+  not allow
+  msg := "crypto policy violation: unsupported algorithm or size"
+}