Software bill of materials
Attestix pins every runtime dependency with lower and upper bounds to prevent silent major-version drift. A machine-readable CycloneDX 1.5 SBOM is generated by the GitHub Actions SBOM workflow on every push to main and attached as an asset to every published release. The table mirror below is a convenience reference; the authoritative artefact is the JSON.
Latest release attaches attestix-sbom.cyclonedx.json with a SHA-256 sidecar.
Runtime dependencies
| Package | Version constraint | Purpose | Licence |
|---|---|---|---|
| mcp[cli] | >= 1.8.0, < 2.0.0 | Model Context Protocol runtime and CLI | MIT |
| cryptography | >= 46.0.7, < 47.0.0 | Ed25519, PBKDF2, SHA-256 (CVE-2026-34073, CVE-2026-39892 fixes) | Apache 2.0 / BSD |
| PyJWT[crypto] | >= 2.12.0, < 3.0.0 | UCAN JWT sign and verify (CVE-2026-32597 crit header fix) | MIT |
| base58 | >= 2.1.1, < 3.0.0 | Base58 encoding for DID key methods | MIT |
| httpx | >= 0.28.0, < 0.30.0 | did:web resolution, remote verify, agent discovery | BSD-3 |
| python-dotenv | >= 1.1.0, < 2.0.0 | Environment variable loading | BSD-3 |
| nest-asyncio | >= 1.6.0, < 2.0.0 | Nested event-loop support | BSD-2 |
| python-json-logger | >= 3.3.0, < 5.0.0 | Structured JSON logging | BSD-2 |
| filelock | >= 3.13.0, < 4.0.0 | File-based concurrency locking | Unlicense |
| click | >= 8.1.0, < 9.0.0 | CLI framework | BSD-3 |
| python-multipart | >= 0.0.26, < 0.1.0 | Multipart parser (pinned >= 0.0.26 for CVE-2026-40347 DoS fix) | Apache 2.0 |
Optional extras
| Package | Version constraint | Purpose | Licence |
|---|---|---|---|
| web3 | >= 7.0.0, < 8.0.0 | EAS anchoring to Base L2 testnet (blockchain extra) | MIT |
| weasyprint | >= 62.0 | PDF report generation (reports extra) | BSD-3 |
Development dependencies
| Package | Version constraint | Purpose | Licence |
|---|---|---|---|
| pytest | >= 8.0 | Test runner | MIT |
| pytest-asyncio | >= 0.24 | Async test support | Apache 2.0 |
| pytest-cov | >= 5.0 | Coverage plugin | MIT |
| respx | >= 0.22 | HTTP mocking for httpx | BSD-3 |
| ruff | >= 0.6.0 | Lint and format | MIT |
| mypy | >= 1.11 | Type checking | MIT |
| pip-audit | >= 2.7 | Dependency vulnerability audit | Apache 2.0 |
| bandit | >= 1.7 | SAST on Python source | Apache 2.0 |
| safety | >= 3.2 | CVE scan (advisory) | MIT |
| build | >= 1.2 | PEP 517 wheel builder | MIT |
Reproduce locally
The CycloneDX SBOM can be regenerated on any developer machine. Install the project with its blockchain extra together with the sbom extra (which pulls in the CycloneDX generator), then run the generator against the active environment and hash the result:

```shell
pip install -e ".[blockchain,sbom]"
# Pass the schema version explicitly so the output matches the stated 1.5 spec
cyclonedx-py environment --schema-version 1.5 --output-format json \
  --output-file attestix-sbom.cyclonedx.json
sha256sum attestix-sbom.cyclonedx.json
```
The .sha256 sidecar attached to the release authenticates the downloaded asset: run sha256sum over the downloaded attestix-sbom.cyclonedx.json and compare the digest with the sidecar. A sidecar published next to the asset it covers detects a corrupted or truncated download, not a compromised release, so treat it as an integrity check rather than a provenance proof. Do not expect a locally regenerated SBOM to hash identically to the release asset: a CycloneDX document carries a random serialNumber and a generation timestamp by default, so a byte-for-byte match needs the generator's --output-reproducible flag on both sides plus an identically resolved environment. In practice, compare the component names and versions of the regenerated file against the release JSON instead. The output conforms to the CycloneDX 1.5 specification when --schema-version 1.5 is passed; do not rely on the generator's default schema version.
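The two checks a consumer actually wants on the downloaded artefact are the sidecar comparison and a drift check of the resolved versions against the declared ranges in the table above, since the table is only a mirror and the JSON is authoritative. The following script is an added example written for this page, not Attestix project code; the PINS dictionary is a subset copied from the runtime table, and the SBOM document and sidecar are constructed inline (httpx is deliberately set one minor release above its declared upper bound) so it runs offline. It handles numeric release versions only; for pre-release or post-release tags use `packaging.specifiers` instead of the small comparator here.

```python
"""Check a downloaded Attestix SBOM against its sidecar and the declared
version ranges. Added example for this page; not Attestix project code."""
import hashlib
import json
import re

# Declared ranges copied from the runtime table above (subset, for the demo).
PINS = {
    "cryptography": ">= 46.0.7, < 47.0.0",
    "PyJWT": ">= 2.12.0, < 3.0.0",
    "httpx": ">= 0.28.0, < 0.30.0",
    "python-multipart": ">= 0.0.26, < 0.1.0",
}

# Constructed CycloneDX 1.5 document standing in for the release asset.
# httpx is deliberately one minor release above its declared upper bound.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "cryptography", "version": "46.0.7",
         "purl": "pkg:pypi/cryptography@46.0.7"},
        {"type": "library", "name": "PyJWT", "version": "2.12.0",
         "purl": "pkg:pypi/pyjwt@2.12.0"},
        {"type": "library", "name": "httpx", "version": "0.30.1",
         "purl": "pkg:pypi/httpx@0.30.1"},
        {"type": "library", "name": "python-multipart", "version": "0.0.26",
         "purl": "pkg:pypi/python-multipart@0.0.26"},
    ],
}, indent=2).encode()

# Constructed sidecar in `sha256sum` format ("<hex>  <filename>").
SAMPLE_SIDECAR = (hashlib.sha256(SAMPLE_SBOM).hexdigest()
                  + "  attestix-sbom.cyclonedx.json\n")

_CLAUSE = re.compile(r"^(>=|<=|==|<|>)\s*(\d+(?:\.\d+)*)$")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'PyJWT' and 'pyjwt' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _release(version: str, width: int) -> tuple:
    """Numeric release segments, zero-padded so 46.0 == 46.0.0 (PEP 440)."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def satisfies(version: str, spec: str) -> bool:
    """True if a final release version meets every clause of '>= a, < b'.
    Release segments only; use packaging.specifiers for pre-release tags."""
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        width = max(version.count("."), bound.count(".")) + 1
        v, b = _release(version, width), _release(bound, width)
        ok = {">=": v >= b, "<=": v <= b, "==": v == b, "<": v < b, ">": v > b}[op]
        if not ok:
            return False
    return True


def verify_sidecar(sbom_bytes: bytes, sidecar_text: str) -> bool:
    """Compare the asset's SHA-256 with the digest recorded in the sidecar."""
    expected = sidecar_text.split()[0].lower()
    return hashlib.sha256(sbom_bytes).hexdigest() == expected


def check_sbom(sbom_bytes: bytes, pins: dict) -> list:
    """Return problems: wrong spec version, pinned packages missing from the
    SBOM, or resolved versions outside their declared range (drift)."""
    doc = json.loads(sbom_bytes)
    if doc.get("bomFormat") != "CycloneDX" or doc.get("specVersion") != "1.5":
        return ["not a CycloneDX 1.5 document"]
    resolved = {normalize(c["name"]): c["version"]
                for c in doc.get("components", []) if c.get("type") == "library"}
    problems = []
    for name, spec in pins.items():
        version = resolved.get(normalize(name))
        if version is None:
            problems.append(f"{name}: missing from SBOM")
        elif not satisfies(version, spec):
            problems.append(f"{name} {version} violates {spec}")
    return problems


if __name__ == "__main__":
    print("sidecar ok:", verify_sidecar(SAMPLE_SBOM, SAMPLE_SIDECAR))
    for problem in check_sbom(SAMPLE_SBOM, PINS):
        print("DRIFT:", problem)
```

Against a real release, read the downloaded JSON and the sidecar from disk in place of the constructed constants and feed the full runtime table into PINS. Any non-empty result from check_sbom means the published artefact no longer agrees with the ranges this page documents, which is exactly the silent drift the upper bounds are meant to prevent.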
Every release passes pip-audit, bandit, and safety scans in CI before publish. See /security for the vulnerability disclosure log.