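[build-system]
# Build-time dependencies (PEP 518). These versions are floors enforced
# by setup.py's preflight check (D-9).
#
# SECURITY NOTE: these are floors, not pins. With build isolation, pip
# resolves the NEWEST matching release of each package from the index at
# `pip install .` time, and pyproject.toml cannot carry hashes. For a
# reproducible / attestable build, pin the build toolchain in CI via
# PIP_CONSTRAINT (or build with --no-build-isolation against a
# hash-checked lock). The requirements-lock.txt that the pip-audit jobs
# already consume (see the [dev] extra notes) is the natural home for
# that — TODO confirm it covers these build-time packages.
#
# - setuptools >= 70.0.0 (D-8/D-9): older releases — particularly Debian's
# patched 68.x — fail bdist_wheel with `AttributeError: install_layout`.
# 70.0.0 also closes GHSA-cx63-2mw6-8hw5 and 78.1.1 closes PYSEC-2025-49,
# so we float to >=78.1.1 to take both fixes.
# - wheel >= 0.47.0 (D-8): closes GHSA-8rrh-rw8j-w5fx.
# - cmake: required to auto-build the native C cryptographic library during
# `pip install .` — the CMakeBuild command in setup.py invokes cmake.
# - numpy, Cython: required to build the math_engine extension; failures
# here are now FATAL unless AMA_NO_CYTHON=1 (D-4). Users on pure-Python
# environments are still supported via the opt-out env var.
# NOTE(review): AMA_NO_CYTHON=1 only skips the *compile*; unless the
# build runs with --no-build-isolation, PEP 518 still installs numpy and
# Cython into the isolated build env on every `pip install .`, so a
# "pure-Python" install is not a numpy-free install.
# numpy is capped at <3.0.0 to match the cap declared on the runtime
# [math] and [monitoring] extras; an uncapped build requirement could
# otherwise compile the extension against a numpy major that the runtime
# extras refuse to install.
requires = [
    "setuptools>=78.1.1",
    "wheel>=0.47.0",
    "cmake>=4.3.2",
    "Cython>=3.2.5",
    "numpy>=1.24.0,<3.0.0",
]
build-backend = "setuptools.build_meta"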
[project]
name = "ama-cryptography"
version = "3.2.0"
description = "Quantum-resistant cryptographic protection system for helical mathematical Omni-Codes"
readme = "README.md"
# NOTE(review): setuptools >= 77 implements PEP 639 and deprecates the
# table form of `license`; with the 78.1.1 build floor in [build-system]
# this probably emits a deprecation warning at build time. The migration
# is `license = "Apache-2.0"` (an SPDX expression) plus `license-files`,
# after which the "License :: OSI Approved ..." classifier below becomes
# redundant. Confirm against the build log before changing.
license = {text = "Apache-2.0"}
authors = [
{name = "Andrew E. A.", email = "steel.sa.llc@gmail.com"}
]
maintainers = [
{name = "Steel Security Advisors LLC", email = "steel.sa.llc@gmail.com"}
]
keywords = [
"cryptography",
"quantum-resistant",
"post-quantum-cryptography",
"dilithium",
"ml-dsa",
"kyber",
"ml-kem",
"sphincs",
"ed25519",
"aes-gcm",
"sha3",
"hmac",
"pqc",
"security",
"integrity-protection",
"digital-signatures"
]
# "Typing :: Typed" is only meaningful if the `py.typed` marker actually
# ships in the wheel. It is not listed under [tool.setuptools.package-data]
# below, so it must arrive some other way (MANIFEST.in / include-package-data)
# — TODO confirm it is present in a built wheel.
# Python 3.13 is advertised here; keep the [tool.black] target-version list
# and the CI matrix in step with this range.
classifiers = [
"Development Status :: 5 - Production/Stable",
"Intended Audience :: Developers",
"Intended Audience :: Science/Research",
"License :: OSI Approved :: Apache Software License",
"Operating System :: OS Independent",
"Programming Language :: C",
"Programming Language :: Cython",
"Programming Language :: Python :: 3",
"Programming Language :: Python :: 3.9",
"Programming Language :: Python :: 3.10",
"Programming Language :: Python :: 3.11",
"Programming Language :: Python :: 3.12",
"Programming Language :: Python :: 3.13",
"Topic :: Security :: Cryptography",
"Topic :: Software Development :: Libraries :: Python Modules",
"Typing :: Typed"
]
requires-python = ">=3.9"
# Deliberately empty: the production library declares NO runtime
# dependencies — the "zero external crypto dependencies" invariant that the
# [legacy] and [benchmark] extras below refer to. Anything added here is
# installed for every consumer; optional integrations belong in an extra.
dependencies = []
[project.optional-dependencies]
math = [
# NumPy/Cython for the optional math_engine Cython extension.
# Not required for core cryptographic operations.
# Install with: pip install "ama-cryptography[math]"
"numpy>=1.24.0,<3.0.0",
"Cython>=3.2.5",
]
monitoring = [
# NumPy/SciPy for mathematical monitoring (equations, double_helix_engine)
# Install with: pip install "ama-cryptography[monitoring]"
"numpy>=1.24.0,<3.0.0",
# NOTE(review): the [dev] extra floors scipy at 1.11.0 while this extra
# floors it at 1.7.0, so the test suite never exercises the 1.7–1.10 range
# this extra permits. Either raise this floor or document why the
# monitoring path is known to tolerate the older releases.
"scipy>=1.7.0",
]
legacy = [
# PyCA cryptography is NOT a runtime fallback — INVARIANT-1 prohibits a
# PyCA dependency in the production code path, and the runtime tree
# imports nothing from this package. This extra exists solely so that
# downstream tests and benchmark scripts (tests/test_aes_gcm_native.py,
# tests/test_hkdf_sha3_256.py, tests/test_ed25519_native.py, and
# benchmarks/comparative_benchmark.py) which cross-check our native
# primitives against an independent reference implementation can be
# installed with one extra:
# pip install "ama-cryptography[legacy]"
#
# Production deployments do NOT need this extra; do not install it
# unless you are reproducing the native-vs-pyca cross-checks.
#
# Floor is 46.0.7 to clear the open CVEs against earlier majors:
# GHSA-h4gh-qq45-vh27 / CVE-2024-26130 — fixed in 42.0.4
# CVE-2024-0727 (PKCS12 OOB read) — fixed in 42.0.2
# CVE-2023-50782 (Bleichenbacher timing) — fixed in 42.0.0
# CVE-2026-26007 — fixed in 46.0.5
# CVE-2026-34073 — fixed in 46.0.6
# Manual bump because dependabot.yml carries a `version-update:
# semver-major` ignore on this package; security fixes that span
# majors (41 → 46) cannot land via the bot. Re-evaluate the ignore
# rule when the next major ships if a CVE follows.
# The same floor is repeated in [benchmark] below — bump both together.
"cryptography>=46.0.7",
]
hsm = [
# PKCS#11 support for hardware security modules
# NOTE(review): PyKCS11 presumably dlopen()s whatever vendor PKCS#11 shared
# library path the caller hands it at runtime; that library is the trust
# boundary for every HSM operation. The loading code is not visible here —
# confirm the module path comes from fixed, root-owned configuration and
# not from an attacker-influenceable environment variable or a
# CWD-relative path.
"PyKCS11>=1.5.18",
]
benchmark = [
# Peer cryptographic libraries for benchmarks/comparative_benchmark.py.
# These are BENCHMARK-ONLY comparison targets — not production
# dependencies. INVARIANT-1 ("zero external crypto dependencies")
# applies to the production library; this extra exists purely so that
# `pip install ama-cryptography[benchmark]` brings in the peer
# implementations needed to reproduce the numbers in
# benchmark-report.md. Mirrors benchmarks/requirements-bench.txt.
# Install with: pip install "ama-cryptography[benchmark]"
"pynacl>=1.5.0",
"liboqs-python>=0.10.0",
# Same 46.0.7 floor as [legacy] above — closes CVE-2026-26007 /
# -34073 that 42.x still has open. Mirrors the bump in
# benchmarks/requirements-bench.txt.
"cryptography>=46.0.7",
]
docs = [
"sphinx>=7.4.7",
"sphinx-rtd-theme>=3.1.0",
"sphinx-autodoc-typehints>=2.3.0",
]
dev = [
"pytest>=7.0.0",
"pytest-cov>=4.0.0",
"pytest-timeout>=2.1.0",
"pytest-benchmark>=4.0.0",
"pytest-xdist>=3.0.0",
"hypothesis>=6.0.0",
# Black 26.3.1 contains the GHSA-fc3w-v5rg-v7q6 fix and requires Python
# 3.10+, so do not install a vulnerable 3.9-only fallback.
"black>=26.3.1; python_version >= '3.10'",
"ruff>=0.15.15",
"mypy>=1.9.0",
"bandit>=1.7.0",
# `safety` was removed in v3.2.0: it was a dev-deps inventory entry
# that NO CI workflow ever invoked. Vulnerability scanning is
# already covered by `pip-audit` (run with `--strict --requirement
# requirements-lock.txt` in both .github/workflows/ci-build-test.yml
# ::security and .github/workflows/security.yml::security-audit), so
# `safety` was pure transitive surface area. Its dep closure
# (`nltk` + `joblib` in particular) carried two known CVEs with no
# upstream fix versions — joblib PYSEC-2024-277 (disputed
# NumpyArrayWrapper deserialization, only used during caching of
# trusted content) and nltk PYSEC-2026-97 (filestring() file-read,
# unreachable from AMA which never imports nltk). Removing
# `safety` deletes the chain entirely rather than annotating an
# ignore-list — INVARIANT-14 hygiene + INVARIANT-1 zero-runtime-dep
# posture both improve.
# Extension toolchain, duplicated from [build-system] / [math].
# NOTE(review): unlike [math] and [monitoring], numpy is uncapped here
# (no `<3.0.0`); keep the three declarations in step so a dev environment
# cannot resolve a numpy major the runtime extras refuse.
"Cython>=3.2.5",
"numpy>=1.24.0",
"scipy>=1.11.0",
]
# Umbrella extra — aggregates the non-overlapping extras above via PEP 508
# self-reference so a single `pip install ama-cryptography[all]` pulls in
# the full developer / benchmark / docs / math stack.
# NOTE(review): [all] includes [legacy], [benchmark] and [hsm], so it is a
# developer / reproduction convenience only — never install it in a
# production deployment (see the [legacy] and [benchmark] notes above).
# Self-referencing extras need pip >= 21.2; older resolvers reject them.
all = [
"ama-cryptography[math]",
"ama-cryptography[monitoring]",
"ama-cryptography[legacy]",
"ama-cryptography[hsm]",
"ama-cryptography[benchmark]",
"ama-cryptography[docs]",
"ama-cryptography[dev]",
]
# Project links rendered on the package index page. Documentation currently
# points at the README blob on the default branch rather than a hosted
# site, so it tracks `main` rather than the released version.
[project.urls]
Homepage = "https://github.com/Steel-SecAdv-LLC/AMA-Cryptography"
Documentation = "https://github.com/Steel-SecAdv-LLC/AMA-Cryptography/blob/main/README.md"
Repository = "https://github.com/Steel-SecAdv-LLC/AMA-Cryptography"
Issues = "https://github.com/Steel-SecAdv-LLC/AMA-Cryptography/issues"
# Non-Python files that must ship inside the wheel.
# NOTE(review): anything security-relevant listed here inherits the
# integrity of the wheel itself. A digest or KAT file that travels inside
# the same artefact can catch accidental corruption, but cannot by itself
# detect deliberate tampering with that artefact — that requires an
# external signature / attestation over the distribution (presumably the
# role of _build_sign.py; not verifiable from this file).
[tool.setuptools.package-data]
ama_cryptography = [
"_integrity_digest.txt",
# Pinned NIST ACVP-Server vectors used by FIPS 140-3 POST.
# Verify-only KATs keep module-import latency under the 2000ms budget
# while still exercising the full FIPS 205 SHAKE-128s code path.
"_post_kats/*.json",
]
# Ruff configuration — replaces flake8, isort
[tool.ruff]
target-version = "py39"
line-length = 100
[tool.ruff.lint]
select = [
"E", # pycodestyle errors
"W", # pycodestyle warnings
"F", # pyflakes
"I", # isort
"B", # flake8-bugbear
"C4", # flake8-comprehensions
"C90", # mccabe complexity (replaces flake8 --max-complexity)
"UP", # pyupgrade
"S", # flake8-bandit (security)
"N", # pep8-naming
"RUF", # ruff-specific rules
]
ignore = [] # Do not add ignores without a comment explaining why.
# Every entry below weakens the global `S` (security) or correctness rule
# set for a path. The security-relevant waivers are called out inline;
# prefer a per-line `# noqa: <rule>` at the offending statement over a new
# path-wide entry, so a waiver cannot silently cover future code.
[tool.ruff.lint.per-file-ignores]
# assert is valid in pytest tests; hardcoded passwords are test fixtures;
# subprocess calls are tested intentionally; Unicode in test docstrings is fine;
# uppercase vars used for crypto constants in test data;
# E722: bare except required to catch pyo3_runtime.PanicException (BaseException subclass)
"tests/*" = [
"S101", "S105", "S106", "S603", "S607",
"RUF001", "RUF002", "RUF003",
"N801", "N806",
"E722",
]
# test_fuzzing.py: E402 is architecturally required — Hypothesis settings profiles
# must be registered and loaded BEFORE importing the test subjects, or the @given
# decorator picks up the wrong profile. Moving these imports to the top of the
# file would break profile selection in CI vs local development.
"tests/test_fuzzing.py" = ["E402"]
# ama_cryptography/ uses intentional patterns that must not be changed:
# N803/N806: uppercase variable names for crypto constants (e.g. R, S, A, K)
# RUF001/RUF002/RUF003: Unicode symbols in docstrings/comments (σ, ✓, etc.)
# S101: assert used in internal validation
# S106/S107: hardcoded defaults for optional password parameters
# E501: long lines in crypto constant definitions
# B028: no-explicit-stacklevel in warnings (existing pattern)
# RUF012: mutable class defaults (dataclass pattern)
# N818: exception naming convention (existing names)
# UP015: redundant open modes (existing pattern)
# RUF010: explicit f-string type conversion (existing pattern)
# RUF022: unsorted __all__ (existing order is logical, not alphabetical)
# RUF100: unused noqa directives (will be cleaned separately)
# SECURITY: S110 (bare except:pass) and B904 (raise-without-from) are NOT
# suppressed — crypto code must propagate exceptions with full context.
# NOTE(review): two of the waivers above deserve a second look for the
# production crypto package specifically:
#   S101 — `assert` statements are stripped under `python -O`, so any
#          validation that relies on them silently disappears in an
#          optimised deployment. Security-relevant checks must raise
#          explicitly; keep assert for programmer-error invariants only.
#   S106/S107 — this is a package-wide waiver, so a NEW hardcoded secret
#          anywhere under ama_cryptography/ would pass lint. A per-line
#          `# noqa: S107` at each optional-password default is safer, and
#          those defaults should be empty/None rather than a real value —
#          TODO confirm.
"ama_cryptography/*" = [
"N803", "N806", "N818",
"RUF001", "RUF002", "RUF003", "RUF010", "RUF012", "RUF022", "RUF100",
"S101", "S106", "S107",
"E402", "E501",
"B028",
"UP006", "UP015", "UP035", # UP006/UP035: deprecated typing imports (existing pattern)
]
# _build_sign.py intentionally keeps Optional[...] annotations for Python 3.9
# parser compatibility; PEP 604 `X | None` syntax is not valid on 3.9.
"ama_cryptography/_build_sign.py" = ["UP045"]
# ama_cryptography/legacy_compat.py — ported from code_guardian_secure.py
# UP007/UP045: PEP 604 union syntax (existing pattern)
# S310/S603: URL open and subprocess calls in security tooling
# UP012: unnecessary UTF-8 encoding argument
# NOTE(review): S310 is waived because urllib-style openers accept `file:`
# and other non-HTTP schemes. Whatever URL legacy_compat.py opens should be
# validated against an `https:` allow-list before the call — the call site
# is not visible here, verify in the module.
"ama_cryptography/legacy_compat.py" = [
"N803", "N806", "N818",
"RUF001", "RUF002", "RUF003", "RUF010", "RUF012", "RUF022", "RUF100",
"S101", "S106", "S107",
"E402", "E501",
"B028",
"S310", "S603",
"UP006", "UP007", "UP012", "UP015", "UP035", "UP045",
]
# tools/monitoring/ama_cryptography_monitor.py — production monitoring module with same conventions
"tools/monitoring/ama_cryptography_monitor.py" = [
"I001", "N806",
"RUF003", "RUF022", "RUF023",
"UP006", "UP015", "UP035",
]
"ama_cryptography/monitoring.py" = [
"I001", "N806",
"RUF003", "RUF022", "RUF023",
"UP006", "UP015", "UP035",
]
# Demo script for the monitoring module
"tools/monitoring/ama_cryptography_monitor_demo.py" = ["B007", "RUF001"]
# Benchmark and tooling scripts — not part of the core library
# benchmarks/benchmark_suite.py: E402 because psutil optional-import block precedes ama_cryptography imports
"benchmarks/benchmark_suite.py" = ["C901", "UP006", "UP035", "E501", "E402"] # C901: generate_markdown complexity
# NOTE(review): S607 (partial executable path) is waived for setup.py, i.e.
# for code that runs during `pip install .`. A bare `cmake` is resolved via
# the build environment's PATH, so a writable directory early in PATH
# becomes a code-execution vector at install time. Resolving the binary
# with `shutil.which()` and logging the absolute path is a cheap
# mitigation — TODO confirm how CMakeBuild invokes cmake.
"setup.py" = ["E501", "RUF005", "S603", "S607"]
# benchmarks/* — chart generation and bench-harness scripts:
# C901: matplotlib chart builders unavoidably exceed McCabe complexity (many panels, axes, annotations).
# RUF001: chart captions and axis labels use the Unicode multiplication sign (×) and Greek letters intentionally.
# E402/E501/F541/I001/RUF059/RUF100/UP006/UP035: same legacy-formatting / typing-imports patterns the
# rest of the codebase carries (see "ama_cryptography/*" header above).
# S603/S607: subprocess calls with bare executable name (git, cmake, ...) are intentional in benchmark tooling.
"benchmarks/*" = [
"C901",
"E402", "E501", "F541", "I001",
"RUF001", "RUF059", "RUF100",
"S603", "S607",
"UP006", "UP035",
]
# examples/** (double-star) is required — scripts live in examples/python/
"examples/**" = [
"B007", "B904",
"E402",
"RUF001", "RUF059", "RUF100",
"S106",
"UP006", "UP035",
]
# tools/* — same partial-path subprocess waiver as benchmarks/*; these are
# operator-run scripts, not library code, but the PATH caveat on setup.py
# above applies whenever they run with elevated privileges.
"tools/*" = [
"B007", "B904",
"C408", "C901",
"E501",
"I001",
"RUF059",
"S603", "S607",
]
# mccabe complexity threshold (replaces flake8 --max-complexity=15)
[tool.ruff.lint.mccabe]
max-complexity = 15
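# Black configuration
# Kept in step with requires-python (3.9 floor) and the Python classifiers
# in [project] (3.9 – 3.13). Black emits only the syntax common to ALL
# listed targets, so adding py313 changes no output while py39 is present;
# it records the supported range. Note that black itself is only installed
# on 3.10+ (see the [dev] extra) — py39 here is a formatting *target*, not
# the interpreter running black.
[tool.black]
line-length = 100
target-version = ["py39", "py310", "py311", "py312", "py313"]
skip-string-normalization = false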
# MyPy configuration — strict mode
# `strict = true` already turns on most of the flags spelled out below;
# they are repeated so the intent survives if `strict` is ever relaxed.
# python_version matches the 3.9 floor in requires-python so that
# 3.10+-only typing syntax is rejected for the library.
[tool.mypy]
python_version = "3.9"
strict = true
disallow_untyped_defs = true
disallow_any_generics = true
warn_return_any = true
warn_unused_ignores = true
warn_redundant_casts = true
disallow_untyped_calls = true
disallow_incomplete_defs = true
check_untyped_defs = true
no_implicit_optional = true
show_error_codes = true
# Per-module overrides for third-party stubs that do not exist.
# NOTE(review): `Crypto.*` (PyCryptodome) and `rfc3161ng.*` are waived here
# but neither package appears in any extra above — either a stale waiver
# or an undeclared optional import. TODO confirm; if they are used, declare
# them in the extra that needs them so pip-audit sees them.
[[tool.mypy.overrides]]
module = [
"hypothesis.*",
"scipy.*",
"numpy.*",
"pytest_benchmark.*",
"pytest.*",
"pytest",
"_pytest.*",
"rfc3161ng.*",
"nacl.*",
"Crypto.*",
"PyKCS11.*",
"oqs.*",
"cryptography.*",
]
ignore_missing_imports = true
# Cython extension modules — no .py source or PEP 561 stubs.
[[tool.mypy.overrides]]
module = "ama_cryptography.hmac_binding"
ignore_missing_imports = true
# ama_cryptography_monitor — compatibility shim for production monitoring.
# ama_cryptography.monitoring / tools.monitoring.ama_cryptography_monitor —
# production monitoring, relax generic-type-arg.
# NOTE: ama_cryptography.* is NOT blanket-relaxed. Only specific modules that
# have pre-existing bare generic annotations (dict, list, tuple without type
# params) are individually listed here. New modules must use strict generics.
# Note that crypto_api and pqc_backends — public crypto surface — are on this
# list; bare generics there hide the element types of key/ciphertext
# containers from the checker, so treat their removal from this list as a
# hardening item.
[[tool.mypy.overrides]]
module = [
"ama_cryptography_monitor",
"ama_cryptography.monitoring",
"tools.monitoring.ama_cryptography_monitor",
"ama_cryptography.pqc_backends",
"ama_cryptography.crypto_api",
"ama_cryptography.adaptive_posture",
]
disallow_any_generics = false
# tests/ — pytest decorators (@pytest.fixture, @pytest.mark.*) are untyped;
# relax decorator and call strictness for test modules.
[[tool.mypy.overrides]]
module = "tests.*"
disallow_untyped_decorators = false
disallow_untyped_calls = false
# The three single-module waivers below disable one error code each; they
# are narrower than a blanket `ignore_errors` and should stay that way.
[[tool.mypy.overrides]]
module = "tests.test_crypto_api"
disable_error_code = ["abstract"]
[[tool.mypy.overrides]]
module = "tests.test_crypto_import_paths"
disable_error_code = ["override"]
[[tool.mypy.overrides]]
module = "tests.test_key_management_comprehensive"
disable_error_code = ["attr-defined"]
# test_hkdf_sha3_256 uses a try/except pattern for optional cryptography imports.
# When cryptography IS installed (CI), the type: ignore comments are unused;
# when it is NOT installed (local dev), mypy needs them. Suppress the clash.
[[tool.mypy.overrides]]
module = "tests.test_hkdf_sha3_256"
warn_unused_ignores = false
# Pytest configuration (consolidated from pytest.ini)
[tool.pytest.ini_options]
minversion = "7.0"
# --strict-markers / --strict-config turn unknown markers and ini keys
# into errors, so a typo here or in a test decorator fails the run instead
# of silently deselecting tests.
addopts = "-ra --strict-markers --strict-config --showlocals --tb=short"
testpaths = [
"tests",
]
python_files = [
"test_*.py",
"*_test.py",
]
python_classes = ["Test*"]
python_functions = ["test_*"]
markers = [
"slow: marks tests as slow (deselect with '-m \"not slow\"')",
"quantum: marks tests that require quantum-resistant libraries",
"integration: marks integration tests",
"fips: marks FIPS 140-3 self-test and compliance tests",
"smoke: marks smoke tests that verify no exception is raised",
]
# Filters are applied in order and the LAST matching entry wins, so the
# two `ignore::` lines below override `error` for deprecation warnings.
# NOTE(review): that means a DeprecationWarning raised from the stdlib
# crypto surface (hashlib, ssl, hmac) or from our own code never fails a
# run. Consider scoping the ignore to the third-party modules that need it
# (`ignore::DeprecationWarning:<module>.*`) so deprecations on the
# production code path still surface.
filterwarnings = [
"error",
"ignore::DeprecationWarning",
"ignore::PendingDeprecationWarning",
# Allow native-backend-unavailable warnings during import (expected in CI
# when the C library is not built).
"default:.*native.*backend.*not available:UserWarning",
# NOTE: the SecurityWarning filter is registered programmatically in
# tests/conftest.py via pytest_configure(). Registering it here would
# import ``ama_cryptography.exceptions`` during pytest's initial
# conftest loading — before coverage starts — artificially dropping
# exceptions.py coverage to 0%.
]
# Coverage configuration
# `source = ["."]` measures the whole checkout, so setup.py, tools/,
# benchmarks/ and examples/ all count toward the denominator alongside the
# library; only the patterns in `omit` are excluded. Narrow `source` to the
# package if the figure is meant to describe ama_cryptography alone.
[tool.coverage.run]
source = ["."]
omit = [
"*/tests/*",
"*/test_*.py",
"*/__pycache__/*",
"*/venv/*",
"*/.venv/*",
]
[tool.coverage.report]
precision = 2
# Lines matching these regexes are dropped from the report. Keep the list
# short: every pattern here is code that can fail in production without
# ever showing up as uncovered.
exclude_lines = [
"pragma: no cover",
"def __repr__",
"raise AssertionError",
# NOTE: raise NotImplementedError is NOT excluded — unimplemented code
# (e.g. secure_mlock, secure_munlock) must show as a coverage gap so
# it's visible, not hidden.
"if __name__ == .__main__.:",
"if TYPE_CHECKING:",
"if typing.TYPE_CHECKING:",
]