fix(security): add cryptography dependency and fix test location for CI

CuriousHet · CuriousHet · commit 92fd47e55848 · 2026-03-30T10:43:00.000+05:30
diff --git a/packages/agent-os/modules/nexus/pyproject.toml b/packages/agent-os/modules/nexus/pyproject.toml
@@ -26,6 +26,7 @@ dependencies = [
     "structlog>=24.1.0",
     "aiohttp>=3.13.3",
     "inter-agent-trust-protocol>=0.4.0",
+    "cryptography>=41.0.0",
 ]
 
 [project.urls]
diff --git a/packages/agent-os/tests/nexus/test_crypto.py b/packages/agent-os/tests/nexus/test_crypto.py
@@ -0,0 +1,67 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+import pytest
+from pydantic import BaseModel
+from datetime import datetime, timezone
+from .. import crypto
+
+class MockModel(BaseModel):
+    name: str
+    value: int
+    timestamp: datetime
+    signature: str = ""
+
+def test_canonical_payload_stability():
+    """Ensure dict and pydantic models produce same canonical output."""
+    ts = datetime(2024, 1, 1, tzinfo=timezone.utc)
+    data_dict = {"name": "test", "value": 42, "timestamp": ts, "signature": "ignore-me"}
+    data_model = MockModel(name="test", value=42, timestamp=ts, signature="ignore-me")
+    
+    payload1 = crypto.canonical_payload(data_dict)
+    payload2 = crypto.canonical_payload(data_model)
+    
+    assert payload1 == payload2
+    # Check that signature field is excluded
+    assert b"ignore-me" not in payload1
+    # Check that keys are sorted (name before value)
+    assert payload1.find(b"name") < payload1.find(b"value")
+
+def test_sign_and_verify_roundtrip():
+    """Test full sign/verify cycle."""
+    priv, pub_str = crypto.generate_keypair()
+    data = {"agent_did": "did:nexus:test", "action": "register"}
+    
+    sig_hex = crypto.sign_data(priv, data)
+    assert len(sig_hex) == 128  # 64 bytes hex encoded
+    
+    # Should not raise
+    crypto.verify_signature(pub_str, sig_hex, data)
+
+def test_verify_fails_on_tamper():
+    """Test that tampered data fails verification."""
+    priv, pub_str = crypto.generate_keypair()
+    data = {"agent_did": "did:nexus:test", "action": "register"}
+    sig_hex = crypto.sign_data(priv, data)
+    
+    tampered_data = {"agent_did": "did:nexus:EVIL", "action": "register"}
+    
+    with pytest.raises(crypto.SignatureVerificationError):
+        crypto.verify_signature(pub_str, sig_hex, tampered_data)
+
+def test_verify_fails_on_wrong_key():
+    """Test that verification fails with a different key."""
+    priv1, pub_str1 = crypto.generate_keypair()
+    priv2, pub_str2 = crypto.generate_keypair()
+    
+    data = {"agent_did": "did:nexus:test"}
+    sig_hex = crypto.sign_data(priv1, data)
+    
+    with pytest.raises(crypto.SignatureVerificationError):
+        crypto.verify_signature(pub_str2, sig_hex, data)
+
+def test_decode_error():
+    """Test behavior with malformed hex."""
+    _, pub_str = crypto.generate_keypair()
+    with pytest.raises(crypto.SignatureDecodeError):
+        crypto.verify_signature(pub_str, "not-a-hex-string", {"data": 1})
diff --git a/packages/agent-os/tests/nexus/test_proof_of_outcome.py b/packages/agent-os/tests/nexus/test_proof_of_outcome.py
@@ -0,0 +1,52 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+import pytest
+from nexus.escrow import ProofOfOutcome, EscrowManager
+from nexus.reputation import ReputationEngine
+from nexus import crypto
+
+@pytest.fixture
+def reputation_engine():
+    return ReputationEngine(trust_threshold=500)
+
+@pytest.fixture
+def escrow_manager(reputation_engine):
+    em = EscrowManager(reputation_engine=reputation_engine)
+    em.add_credits("did:nexus:requester-agent", 1000)
+    return em
+
+@pytest.fixture
+def proof_of_outcome(escrow_manager):
+    return ProofOfOutcome(escrow_manager=escrow_manager)
+
+@pytest.mark.asyncio
+async def test_create_escrow_with_signing(proof_of_outcome, escrow_manager):
+    priv, pub = crypto.generate_keypair()
+    
+    # Create escrow with signing
+    receipt = await proof_of_outcome.create_escrow(
+        requester_did="did:nexus:requester-agent",
+        provider_did="did:nexus:provider-agent",
+        task_hash="abc123def456",
+        credits=100,
+        private_key=priv
+    )
+    
+    assert receipt.requester_signature is not None
+    # Verify the signature matches
+    crypto.verify_signature(pub, receipt.requester_signature, receipt.request)
+
+@pytest.mark.asyncio
+async def test_create_escrow_legacy_signature(proof_of_outcome):
+    # Create escrow WITHOUT signing (legacy mode)
+    receipt = await proof_of_outcome.create_escrow(
+        requester_did="did:nexus:requester-agent",
+        provider_did="did:nexus:provider-agent",
+        task_hash="abc123def456",
+        credits=100
+    )
+    
+    # Legacy signature should be in the expected format: sig_{requester_did}_{task_hash[:8]}
+    expected_sig = "sig_did:nexus:requester-agent_abc123de"
+    assert receipt.requester_signature == expected_sig
diff --git a/packages/agent-os/tests/nexus/test_registry.py b/packages/agent-os/tests/nexus/test_registry.py

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ dependencies = [`
`26`	`26`	`"structlog>=24.1.0",`
`27`	`27`	`"aiohttp>=3.13.3",`
`28`	`28`	`"inter-agent-trust-protocol>=0.4.0",`
	`29`	`+ "cryptography>=41.0.0",`
`29`	`30`	`]`
`30`	`31`
`31`	`32`	`[project.urls]`