JCS conformance: canonical_hash_hex now uses strict RFC 8785 (mirrors SDK 2.6.0-alpha.4)

Tymofiii · Tymofiii · commit fc88ea930b9a · 2026-05-21T11:06:15.000-07:00
The Python SDK's compute_attribution_action_ref() hashes via canonical_hash_hex,
which was using the legacy null-stripping canonicalize() instead of strict
RFC 8785 canonicalize_jcs(). This is the Python mirror of today's TypeScript SDK
fix (commit 3f63268 on agent-passport-system).

Per draft-pidlisnyi-aps-01 §4.1 and ATTRIBUTION-PRIMITIVE-v1.1 §1.6, action_ref
must follow strict RFC 8785 JCS. Cross-verified against erdtman/canonicalize@3.0.0
and rfc8785@0.1.4 in the TypeScript SDK; Python uses the in-process
canonicalize_jcs() implementation which is byte-identical to those references.

Tests: 518 passed, 1 skipped, 6 xfailed. Zero fixture changes required (no
production pre-image ever contained a null-valued key at the canonicalization
layer). Cross-language attribution settlement fixtures all byte-match unchanged.

Known gap, scheduled for v3.0: hash_axis_leaf (Merkle) and envelope_bytes
(signing envelope) still use legacy canonicalize() to preserve partner byte-match
fixtures. v3.0 migration will coordinate fixture rotation across partners.

Version: 2.4.0a2 -&gt; 2.4.0a3
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "agent-passport-system"
-version = "2.4.0a2"
+version = "2.4.0a3"
 description = "Python SDK for the Agent Passport System. Identity, delegation, governance, data source registration, training attribution, per-period attribution settlement, mutual authentication, evidentiary type safety, Wave 1 accountability primitives (action, authority-boundary, custody, contestability, bundle), Cognitive Attestation, Instruction Provenance Receipts. Cross-language parity with agent-passport-system npm v2.6.0-alpha.3 verified by byte-identical canonical JSON fixtures."
 readme = "README.md"
 license = "Apache-2.0"
diff --git a/src/agent_passport/v2/attribution_primitive/canonical.py b/src/agent_passport/v2/attribution_primitive/canonical.py
@@ -9,7 +9,7 @@
 from datetime import datetime, timezone
 from typing import Any, List, Union
 
-from ...canonical import canonicalize
+from ...canonical import canonicalize, canonicalize_jcs
 from .types import (
     AttributionAxes,
     ComputeAxisEntry,
@@ -133,7 +133,18 @@ def hash_node(left: bytes, right: bytes) -> bytes:
 
 
 def canonical_hash_hex(obj: Any) -> str:
-    return hashlib.sha256(canonicalize(obj).encode("utf-8")).hexdigest()
+    """SHA-256 hex over strict RFC 8785 JCS canonicalization.
+
+    Used for action_ref computation per draft-pidlisnyi-aps-01 §4.1 and
+    ATTRIBUTION-PRIMITIVE-v1.1 §1.6. Cross-verified against the TypeScript
+    SDK's canonicalHashJCS, erdtman/canonicalize@3.0.0, and rfc8785@0.1.4.
+
+    For Merkle leaf hashing (hash_axis_leaf) and signing envelope serialization
+    (envelope_bytes), the legacy canonicalize() is still in use — those paths
+    are scheduled for coordinated rotation in v3.0 because flipping them
+    changes bytes across the existing partner fixture corpus.
+    """
+    return hashlib.sha256(canonicalize_jcs(obj).encode("utf-8")).hexdigest()
 
 
 def envelope_bytes(env) -> str:
