Revocation
Certificate Revocation List (CRL) for agent manifests. See Tutorial: Revocation and key rotation for usage examples.
Signing and verification
sign_revocation
sign_revocation(manifest_id: str, reason: str, revoked_by: str, keypair: Ed25519KeyPair) -> SignedRevocationRecord
Create and sign a revocation record.
verify_revocation_signature
Verify the signature on a signed revocation record.
Raises:
| Type | Description |
|---|---|
| InvalidSignature | If verification fails or revocation_signature is absent/null (CRL-001). |
Record types
SignedRevocationRecord
Bases: BaseModel
A revocation record signed by the revoking authority.
The signature covers the canonical form of the record fields, binding the revocation to a specific manifest and authority.
CRL storage
FileCRL
Append-only JSON-Lines CRL backed by a local file.
Each line in the file is a JSON-serialized SignedRevocationRecord. The file is append-only — records are never deleted.
For production, replace with a database-backed store and serve the CRL at /.well-known/agent-manifest/revocation.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| path | str \| Path | Path to the CRL file. Resolved and confined at construction. | required |
| trusted_signer_key | Optional[bytes] | Raw Ed25519 public key bytes of the authority whose signatures are accepted on load. When provided, records with invalid or absent signatures are skipped (REVOC-003). When None, signatures are not verified (development mode only). | None |
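The skip-on-load behaviour described for trusted_signer_key, as an added stand-alone sketch that is not this library's code: it uses the `cryptography` package directly and returns the set of revoked manifest IDs plus the number of lines it skipped. The helper names (`canonical`, `sign_record`, `load_crl`), the signed field set, the sorted-key JSON canonical form and the hex signature encoding are all assumptions; the library's actual canonical form is not shown on this page.

```python
import json, os, tempfile
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)

SIGNED_FIELDS = ("manifest_id", "reason", "revoked_by")  # assumed field set

def canonical(rec: dict) -> bytes:
    # Assumed canonical form: signed fields only, sorted keys, compact JSON.
    body = {k: rec[k] for k in SIGNED_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_record(key: Ed25519PrivateKey, manifest_id, reason, revoked_by) -> dict:
    rec = {"manifest_id": manifest_id, "reason": reason, "revoked_by": revoked_by}
    rec["revocation_signature"] = key.sign(canonical(rec)).hex()  # hex is assumed
    return rec

def load_crl(path, trusted_signer_key: bytes):
    pub = Ed25519PublicKey.from_public_bytes(trusted_signer_key)
    revoked, skipped = set(), 0
    with open(path, encoding="utf-8") as fh:
        for line in filter(str.strip, fh):
            try:
                rec = json.loads(line)
                pub.verify(bytes.fromhex(rec["revocation_signature"]), canonical(rec))
            except (ValueError, KeyError, TypeError, InvalidSignature):
                skipped += 1  # malformed, unsigned, tampered or foreign-signed
                continue
            revoked.add(rec["manifest_id"])
    return revoked, skipped

def demo():
    # Constructed sample data: one valid record and three that must be skipped.
    authority, rogue = Ed25519PrivateKey.generate(), Ed25519PrivateKey.generate()
    good = sign_record(authority, "manifest-a", "key compromise", "ops")
    forged = sign_record(rogue, "manifest-b", "forged", "ops")
    tampered = dict(good, manifest_id="manifest-c")  # signature no longer matches
    unsigned = dict(good, manifest_id="manifest-d", revocation_signature=None)
    raw_pub = authority.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "crl.jsonl")
        with open(path, "a", encoding="utf-8") as fh:  # append-only writes
            for rec in (good, forged, tampered, unsigned):
                fh.write(json.dumps(rec) + "\n")
        return load_crl(path, raw_pub)

if __name__ == "__main__":
    print(demo())
```

A non-zero skipped count is worth alerting on, since it means the CRL file holds lines the trusted authority did not sign.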
FastAPI router
create_crl_router
Return a FastAPI router serving the CRL at /.well-known endpoints.