TESC — Temporal Escrow Smart Contract #135
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # +++PetzoldSequence[DRP-GHA-TESC-004] | |
| # Architecture: Temporal Escrow Smart Contract | |
| # Topology Class: Temporal Anchor × State Reader × Conditional Emission | |
| # Escrow Semantics: HOLD state invariant until off-chain oracle confirms release condition | |
| name: "TESC — Temporal Escrow Smart Contract" | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| operation: | |
| description: "DEPOSIT | VERIFY | RELEASE" | |
| required: true | |
| type: choice | |
| options: [DEPOSIT, VERIFY, RELEASE] | |
| payload_b64: | |
| description: "Base64-encoded escrow payload JSON (for DEPOSIT)" | |
| type: string | |
| unlock_token: | |
| description: "HMAC-SHA256 unlock token (for RELEASE)" | |
| type: string | |
| oracle_url: | |
| description: "External condition oracle endpoint URL (for RELEASE)" | |
| type: string | |
| schedule: | |
| - cron: "0 */6 * * *" # Integrity heartbeat every 6 hours | |
| env: | |
| ESCROW_ARTIFACT_NAME: "tesc-escrow-payload-v1" | |
| ESCROW_HMAC_KEY_SECRET: "TESC_SIGNING_KEY" | |
| jobs: | |
| tesc-operation: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Route TESC operation | |
| id: route | |
| run: | | |
| if [ "${{ github.event_name }}" == "schedule" ]; then | |
| echo "op=VERIFY" >> $GITHUB_OUTPUT | |
| else | |
| echo "op=${{ inputs.operation }}" >> $GITHUB_OUTPUT | |
| fi | |
| # === DEPOSIT: Lock payload into temporal escrow === | |
| - name: "[DEPOSIT] Create and sign escrow payload" | |
| if: steps.route.outputs.op == 'DEPOSIT' | |
| run: | | |
| python3 << 'EOF' | |
| import json, hashlib, hmac, base64, os, datetime | |
| payload_b64 = "${{ inputs.payload_b64 }}" | |
| payload_bytes = base64.b64decode(payload_b64) | |
| payload = json.loads(payload_bytes) | |
| signing_key = os.environ.get('TESC_SIGNING_KEY', 'default-dev-key-replace-in-prod').encode() | |
| escrow_manifest = { | |
| "version": "TESC-2026", | |
| "deposited_at": datetime.datetime.utcnow().isoformat() + "Z", | |
| "depositor": "${{ github.actor }}", | |
| "payload": payload, | |
| "status": "LOCKED", | |
| "integrity": None, | |
| "unlock_conditions": { | |
| "requires_oracle": bool("${{ inputs.oracle_url }}"), | |
| "oracle_url": "${{ inputs.oracle_url }}", | |
| "max_lock_duration_hours": 720, | |
| } | |
| } | |
| # HMAC-SHA256 integrity seal | |
| manifest_bytes = json.dumps({k: v for k, v in escrow_manifest.items() if k != 'integrity'}, sort_keys=True).encode() | |
| seal = hmac.new(signing_key, manifest_bytes, hashlib.sha256).hexdigest() | |
| escrow_manifest['integrity'] = seal | |
| with open('escrow_manifest.json', 'w') as f: | |
| json.dump(escrow_manifest, f, indent=2) | |
| print(f"Escrow sealed. HMAC: {seal[:16]}...") | |
| print(f"Status: LOCKED | Depositor: {escrow_manifest['depositor']}") | |
| EOF | |
| env: | |
| TESC_SIGNING_KEY: ${{ secrets.TESC_SIGNING_KEY }} | |
| - name: "[DEPOSIT] Upload escrow to temporal artifact store" | |
| if: steps.route.outputs.op == 'DEPOSIT' | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: ${{ env.ESCROW_ARTIFACT_NAME }} | |
| path: escrow_manifest.json | |
| retention-days: 30 | |
| # === VERIFY: Heartbeat integrity check (cron-triggered) === | |
| - name: "[VERIFY] Download escrow artifact" | |
| if: steps.route.outputs.op == 'VERIFY' | |
| uses: actions/download-artifact@v8 | |
| with: | |
| name: ${{ env.ESCROW_ARTIFACT_NAME }} | |
| path: ./escrow | |
| continue-on-error: true | |
| - name: "[VERIFY] Validate temporal invariance" | |
| if: steps.route.outputs.op == 'VERIFY' | |
| run: | | |
| python3 << 'EOF' | |
| import json, hashlib, hmac, os, sys | |
| from pathlib import Path | |
| escrow_path = Path('./escrow/escrow_manifest.json') | |
| if not escrow_path.exists(): | |
| print("No active escrow. Heartbeat skipped.") | |
| sys.exit(0) | |
| with open(escrow_path) as f: | |
| manifest = json.load(f) | |
| signing_key = os.environ.get('TESC_SIGNING_KEY', 'default-dev-key-replace-in-prod').encode() | |
| stored_seal = manifest.pop('integrity') | |
| manifest_bytes = json.dumps(manifest, sort_keys=True).encode() | |
| computed_seal = hmac.new(signing_key, manifest_bytes, hashlib.sha256).hexdigest() | |
| if stored_seal != computed_seal: | |
| print(f"::error::TESC INTEGRITY VIOLATION DETECTED! Escrow payload has been tampered.") | |
| print(f"Expected: {stored_seal[:16]}... | Got: {computed_seal[:16]}...") | |
| sys.exit(1) | |
| print(f"Temporal invariance confirmed. Seal: {stored_seal[:16]}...") | |
| print(f"Status: {manifest.get('status')} | Deposited: {manifest.get('deposited_at')}") | |
| EOF | |
| env: | |
| TESC_SIGNING_KEY: ${{ secrets.TESC_SIGNING_KEY }} | |
| # === RELEASE: Oracle-verified escrow release === | |
| - name: "[RELEASE] Verify oracle condition and unlock token" | |
| if: steps.route.outputs.op == 'RELEASE' | |
| run: | | |
| python3 << 'EOF' | |
| import json, hashlib, hmac, os, urllib.request, sys | |
| oracle_url = "${{ inputs.oracle_url }}" | |
| unlock_token = "${{ inputs.unlock_token }}" | |
| signing_key = os.environ.get('TESC_SIGNING_KEY', 'default-dev-key').encode() | |
| # Verify oracle condition | |
| if oracle_url: | |
| try: | |
| with urllib.request.urlopen(oracle_url, timeout=10) as resp: | |
| oracle_response = json.loads(resp.read()) | |
| condition_met = oracle_response.get('release_authorized', False) | |
| print(f"Oracle response: {oracle_response}") | |
| except Exception as e: | |
| print(f"::error::Oracle unreachable: {e}") | |
| sys.exit(1) | |
| else: | |
| # Direct token-only release | |
| condition_met = True | |
| if not condition_met: | |
| print("::error::Oracle condition NOT met. Escrow remains locked.") | |
| sys.exit(1) | |
| # Validate HMAC unlock token against escrow content | |
| expected_token = hmac.new(signing_key, b"RELEASE_AUTHORIZED", hashlib.sha256).hexdigest() | |
| if not hmac.compare_digest(unlock_token.strip(), expected_token): | |
| print("::error::Invalid unlock token. Escrow remains locked.") | |
| sys.exit(1) | |
| print("RELEASE AUTHORIZED: Oracle condition met + token verified.") | |
| with open(os.environ['GITHUB_OUTPUT'], 'a') as gh: | |
| gh.write("release_authorized=true\n") | |
| EOF | |
| env: | |
| TESC_SIGNING_KEY: ${{ secrets.TESC_SIGNING_KEY }} | |
| - name: "[RELEASE] Execute escrowed deployment payload" | |
| if: steps.route.outputs.op == 'RELEASE' && steps.verify-oracle.outputs.release_authorized == 'true' | |
| uses: actions/download-artifact@v8 | |
| with: | |
| name: ${{ env.ESCROW_ARTIFACT_NAME }} | |
| path: ./escrow-release | |
| - name: "[RELEASE] Trigger deployment from escrow payload" | |
| if: steps.route.outputs.op == 'RELEASE' | |
| uses: actions/github-script@v9 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| try { | |
| const manifest = JSON.parse(fs.readFileSync('./escrow-release/escrow_manifest.json')); | |
| await github.rest.repos.createDeployment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| ref: manifest.payload.target_ref || 'main', | |
| environment: manifest.payload.environment || 'production', | |
| description: `TESC Release: ${manifest.deposited_at}`, | |
| auto_merge: false, | |
| required_contexts: [] | |
| }); | |
| console.log('Temporal escrow released. Deployment initiated.'); | |
| } catch(e) { | |
| core.warning(`Deployment payload missing or invalid: ${e.message}`); | |
| } |