11import jwt
22import time
3- import json
43import hashlib
54import os
65from typing import Dict , Any , Optional
@@ -13,13 +12,17 @@ class AttestationGuard:
1312 def __init__ (self , secret_key : str = None , allow_insecure : bool = False ):
1413 self .secret = secret_key or os .environ .get ("QWED_ATTESTATION_SECRET" )
1514 if not self .secret :
16- if allow_insecure or os .environ .get ("QWED_DEV_MODE" ) == "1" :
17- # deepcode ignore HardcodedSecret: Dev-mode fallback, only active with explicit opt-in
18- self .secret = "dev-secret-insecure"
19- else :
20- raise ValueError ("QWED_ATTESTATION_SECRET required. Set allow_insecure=True for dev mode." )
15+ raise ValueError (
16+ "QWED_ATTESTATION_SECRET required. Refusing insecure fallback secret."
17+ )
2118
22- def sign_verification (self , input_query : str , guard_result : Dict [str , Any ], engine : str = "QWED-Deterministic-v1" ) -> str :
19+ def sign_verification (
20+ self ,
21+ input_query : str ,
22+ guard_result : Dict [str , Any ],
23+ engine : str = "QWED-Deterministic-v1" ,
24+ timestamp : Optional [float ] = None ,
25+ ) -> str :
2326 """
2427 Creates a JWT attesting that a specific verification occurred.
2528 Source: QWED Features list.
@@ -28,7 +31,7 @@ def sign_verification(self, input_query: str, guard_result: Dict[str, Any], engi
2831 query_hash = hashlib .sha256 (input_query .encode ('utf-8' )).hexdigest ()
2932
3033 payload = {
31- "timestamp" : time .time (),
34+ "timestamp" : time .time () if timestamp is None else timestamp ,
3235 "query_hash" : query_hash ,
3336 "verification_result" : guard_result .get ("verified" , False ),
3437 "engine" : engine ,
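Review bot: The new `timestamp` argument of `sign_verification` is copied into the signed payload unchecked at new line 34, so any caller can mint an attestation that is back-dated or future-dated. If verifiers rely on this claim for freshness or replay checks, bound it before signing, for example `if timestamp is not None and not abs(timestamp - time.time()) <= MAX_SKEW_SECONDS: raise ValueError("timestamp outside allowed skew")` (written so NaN is rejected too; `MAX_SKEW_SECONDS` is a placeholder the module would need to define), or else state in the docstring that the override exists only for deterministic tests. The payload literal continues past the end of the hunk, so whether a standard `exp` or `iat` claim is also set cannot be seen from here. Separately, `allow_insecure` stays in the `__init__` signature at new line 12 but is no longer read after this change; either remove it or add a comment such as `# allow_insecure is ignored: a missing secret always raises`.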