Summary
The server exposes signed audit bundles over HTTP:
GET /sessions/:id/audit-bundle (src/server.js:542)
GET /workflows/:traceId/audit-bundle (src/server.js:580)
Both return 503 when AUDIT_SIGNING_SECRET is unset.
All three SDKs already have the verify half of the workflow (verifyAuditBundle / verify_audit_bundle / VerifyAuditBundle — present in sdks/python/aep/_audit.py, sdks/go/aep/audit.go, sdks/node/src/index.ts), but none of the SDK clients have a fetch method to pull a bundle. So there's no clean fetch-then-verify round-trip from the SDKs today.
Scope
Add client methods to fetch both bundle types, in every SDK, including the async clients:
- Python —
get_session_audit_bundle / get_workflow_audit_bundle on AEPClient (sdks/python/aep/client.py) and AsyncAEPClient (sdks/python/aep/async_client.py).
- Go —
GetSessionAuditBundle / GetWorkflowAuditBundle on Client (sdks/go/aep/client.go) and AsyncClient (sdks/go/aep/async_client.go).
- Node —
getSessionAuditBundle / getWorkflowAuditBundle on the client (sdks/node/src/client.ts).
Each method should surface the 503 (signing not configured) and 404 (scope not found) cases as clear errors, consistent with the SDK's existing error handling.
Acceptance criteria
Pointers
src/server.js:542 / :580 — the two endpoints (note the 503 gate)
sdks/python/aep/_audit.py, sdks/go/aep/audit.go, sdks/node/src/index.ts — the existing verify primitives this pairs with
Tagged help wanted — touches all three SDKs incl. async surfaces.
Summary
The server exposes signed audit bundles over HTTP:
GET /sessions/:id/audit-bundle(src/server.js:542)GET /workflows/:traceId/audit-bundle(src/server.js:580)Both return
503whenAUDIT_SIGNING_SECRETis unset.All three SDKs already have the verify half of the workflow (
verifyAuditBundle/verify_audit_bundle/VerifyAuditBundle— present insdks/python/aep/_audit.py,sdks/go/aep/audit.go,sdks/node/src/index.ts), but none of the SDK clients have a fetch method to pull a bundle. So there's no clean fetch-then-verify round-trip from the SDKs today.Scope
Add client methods to fetch both bundle types, in every SDK, including the async clients:
get_session_audit_bundle/get_workflow_audit_bundleonAEPClient(sdks/python/aep/client.py) andAsyncAEPClient(sdks/python/aep/async_client.py).GetSessionAuditBundle/GetWorkflowAuditBundleonClient(sdks/go/aep/client.go) andAsyncClient(sdks/go/aep/async_client.go).getSessionAuditBundle/getWorkflowAuditBundleon the client (sdks/node/src/client.ts).Each method should surface the
503(signing not configured) and404(scope not found) cases as clear errors, consistent with the SDK's existing error handling.Acceptance criteria
verify*round-trip works end-to-end (ideally shown in a test or example).503/404handled with informative errors.Pointers
src/server.js:542/:580— the two endpoints (note the503gate)sdks/python/aep/_audit.py,sdks/go/aep/audit.go,sdks/node/src/index.ts— the existing verify primitives this pairs withTagged
help wanted— touches all three SDKs incl. async surfaces.