{"id":50874518,"url":"https://github.com/bokelleher/sesame-sdk","last_synced_at":"2026-06-15T08:30:42.899Z","repository":{"id":362600237,"uuid":"1259851225","full_name":"bokelleher/sesame-sdk","owner":"bokelleher","description":"Portable SDK and conformance vectors for SESAME, the proposed SCTE 130-9 security layer for the ESAM interface: HMAC auth, channel-scoped authorization, and AES-256-GCM payload encryption over HTTP headers.","archived":false,"fork":false,"pushed_at":"2026-06-05T04:03:56.000Z","size":86,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-05T04:11:15.862Z","etag":null,"topics":["ad-insertion","aes-gcm","authentication","cryptography","esam","hmac","rust","scte","scte-130","sesame"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bokelleher.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-04T23:33:00.000Z","updated_at":"2026-06-05T04:03:59.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/bokelleher/sesame-sdk","commit_stats":null,"previous_names":["bokelleher/sesame-sdk"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/bokelleher/sesame-sdk","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bokelleher%2Fsesame-sdk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/repositories/bokelleher%2Fsesame-sdk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bokelleher%2Fsesame-sdk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bokelleher%2Fsesame-sdk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bokelleher","download_url":"https://codeload.github.com/bokelleher/sesame-sdk/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bokelleher%2Fsesame-sdk/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34355156,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-15T02:00:07.085Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ad-insertion","aes-gcm","authentication","cryptography","esam","hmac","rust","scte","scte-130","sesame"],"created_at":"2026-06-15T08:30:42.362Z","updated_at":"2026-06-15T08:30:42.892Z","avatar_url":"https://github.com/bokelleher.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 
SESAME\n\n[![CI](https://github.com/bokelleher/sesame-sdk/actions/workflows/ci.yml/badge.svg)](https://github.com/bokelleher/sesame-sdk/actions/workflows/ci.yml)\n[![crates.io](https://img.shields.io/crates/v/sesame-esam.svg?label=crates.io)](https://crates.io/crates/sesame-esam)\n[![PyPI](https://img.shields.io/pypi/v/sesame-esam?label=PyPI)](https://pypi.org/project/sesame-esam/)\n[![docs.rs](https://img.shields.io/docsrs/sesame-esam?label=docs.rs)](https://docs.rs/sesame-esam)\n[![license](https://img.shields.io/crates/l/sesame-esam.svg)](#license)\n\n**SESAME** (Secure ESAM Authentication and Message Encryption) is the proposed\nSCTE 130-9 security layer for the ESAM interface. It secures the two-party HTTP\nexchange between an ESAM client (encoder, packager, ADS) and an ESAM server\n(POIS) using three additive tiers, all carried in HTTP headers with **no change\nto any ESAM XML schema**.\n\nThis repository is the home of the standard **and** its reference\nimplementations in four languages, every one of which is proven byte-for-byte\nagainst a single shared set of conformance vectors. 
A signer written in any\nlanguage and a verifier written in any other interoperate exactly.\n\n| Tier | Capability | Mechanism |\n|---|---|---|\n| 0 | Unauthenticated baseline | no SESAME headers (backward compatible) |\n| 1 | Authentication + integrity | HMAC-SHA256 over a canonical signing string |\n| 2 | Channel-scoped authorization | signed `X-SESAME-Scope`, policy lookup |\n| 3 | Payload encryption | AES-256-GCM (96-bit IV, 128-bit tag) |\n\nPlus signed responses, which authenticate the POIS's conditioning decision so a\nforged or tampered blackout/avail/redirect fails verification.\n\n## Implementations\n\n| Language | Install | Source | Distribution |\n|---|---|---|---|\n| **Rust** | `cargo add sesame-esam` | [`src/`](src/) | [crates.io](https://crates.io/crates/sesame-esam) |\n| **C++** | `find_package(sesame)` (CMake / vcpkg / Conan) | [`cpp/`](cpp/) | [`cpp/`](cpp/#install-and-consume) |\n| **Python** | `pip install sesame-esam` | [`python/`](python/) | [PyPI](https://pypi.org/project/sesame-esam/) |\n| **Go** | `go get github.com/bokelleher/sesame-sdk/go` | [`go/`](go/) | Go module |\n\nThe deployed [`rust-pois`](https://github.com/bokelleher/rust-pois) POIS server\nruns SESAME in production by depending on the Rust crate, so the protocol lives\nin exactly one place per language and there is no parallel copy to drift.\n\n## The test vectors are the contract\n\n[`test-vectors/tier1.json`](test-vectors/) and\n[`test-vectors/tier3.json`](test-vectors/) are the language-neutral conformance\ncontract. They are generated from the deployed `rust-pois` implementation and\npin the exact bytes on the wire (canonical strings, HMAC signatures, GCM\nassociated data, `ciphertext||tag`). 
**An implementation is conformant if, and\nonly if, it reproduces every `expected_*` value byte-for-byte.** Each SDK proves\nexactly that, in CI:\n\n| | Rust | C++ | Python | Go |\n|---|---|---|---|---|\n| Conformance | `cargo test` | `ctest` | `pytest` | `go test` |\n\nSee [`SESAME.md`](SESAME.md) for the byte-exact wire format (draft v0.5),\n[`test-vectors/README.md`](test-vectors/README.md) for how to consume the\nvectors from any language, and [`CONTRIBUTING.md`](CONTRIBUTING.md) to add a new\nlanguage implementation.\n\n## Quick start (Rust)\n\n```sh\ncargo add sesame-esam   # imported as `sesame`\n```\n\nVerify an inbound request (the POIS side):\n\n```rust\nuse sesame::{verify_request, RequestContext, SesameConfig, SesameHeaders, Tier};\nuse sesame::keys::{StaticKeyProvider, HmacKey, ChannelScope};\nuse sesame::replay::InMemoryReplayCache;\nuse time::OffsetDateTime;\n\nlet provider = StaticKeyProvider::new().with_signing_key(\n    \"sas-east-01\", HmacKey(b\"shared-secret\".to_vec()),\n    ChannelScope::list([\"SportsFeed-East\"]));\nlet replay = InMemoryReplayCache::new(300);\n\nlet headers = SesameHeaders::from_lookup(|name| request_header(name));\nlet ctx = RequestContext { method: \"POST\", path: \"/esam\", target_channel: None };\n\nlet verified = verify_request(\u0026SesameConfig::default(), \u0026provider, \u0026replay,\n    \u0026ctx, \u0026headers, body_bytes, OffsetDateTime::now_utc(), Tier::One)?;\n// verified.plaintext is the ESAM XML; verified.achieved_tier / key_id / scope_channel\n# fn request_header(_: \u0026str) -\u003e Option\u003cString\u003e { None }\n# let body_bytes = b\"\";\n# Ok::\u003c(), sesame::SesameError\u003e(())\n```\n\nSign an outbound response (requires the default-on `rng` feature):\n\n```rust\nuse sesame::{sign_response, ResponseParams, SesameConfig, Tier};\n# use sesame::keys::StaticKeyProvider;\n# let provider = StaticKeyProvider::new();\nlet params = ResponseParams {\n    signing_key_id: \"pois-primary\",\n    
correlation: \"ap-1:sigid-20260224-001\", // the acquisitionSignalID answered\n    scope: None, tier: Tier::One, enc_key_id: None,\n};\n// let resp = sign_response(\u0026SesameConfig::default(), \u0026provider, \u0026params, xml, now)?;\n```\n\nThe C++, Python, and Go SDKs expose the same shape (`verify_request` /\n`sign_response`, the `KeyProvider` and `ReplayCache` seams, Tier 0-3); see each\nlanguage's README for idiomatic usage.\n\n## Design\n\nCommon to every implementation:\n\n- **No I/O, no HTTP framework.** `verify_request` / `sign_response` take the\n  request parts, parsed headers, body, and `now`.\n- **The host owns the resources** via injected seams: the key directory\n  (`KeyProvider`) and the replay memory (`ReplayCache`). A single-node in-memory\n  replay cache ships; distributed stores are the host's concern.\n- **Verification is RNG-free.** Only signing needs a fresh nonce/IV (gated behind\n  the Rust `rng` feature; the other SDKs draw from the OS CSPRNG when signing).\n\n## Provenance\n\nThe Rust crate was extracted byte-for-byte from the deployed `rust-pois`\nreference implementation, which signs live ESAM traffic in production. The\ngolden vectors are generated from `rust-pois` (via\n[`tools/golden-extractor`](tools/golden-extractor/)); the C++, Python, and Go\nSDKs were then written independently and validated against those same vectors.\nFour from-scratch implementations agreeing on the wire is the strongest evidence\nthat SESAME is a real, implementable standard.\n\n## Where the open/commercial line sits\n\nThe protocol, the implementations, and the trait seams (`KeyProvider`,\n`ReplayCache`) are open. Operating SESAME at scale (a distributed replay store,\nmulti-tenant key management and rotation, audit) is left to separate operational\ntooling. The seams are the line.\n\n## Status\n\nPre-1.0 by design: the wire spec is draft v0.5, not yet a ratified SCTE\nstandard. `1.0` waits on SCTE formalization. 
The bar the project set for \"a real\nstandard, a second implementer can adopt it in an afternoon\" is already met four\ntimes over.\n\n## License\n\nDual-licensed under [MIT](LICENSE-MIT) or [Apache-2.0](LICENSE-APACHE) at your\noption (the Rust core was extracted from `rust-pois`, originally MIT, © POIS\nContributors). Specification text (`SESAME.md`): [`LICENSE-SPEC`](LICENSE-SPEC).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbokelleher%2Fsesame-sdk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbokelleher%2Fsesame-sdk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbokelleher%2Fsesame-sdk/lists"}
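The README above describes the Tier 1 request path in prose (HMAC-SHA256 over a canonical signing string, a key directory behind a `KeyProvider` seam, a bounded replay cache, and scope enforcement for Tier 2) but does not show the verification logic or the order of checks. The following is an added worked example, not code from the sesame-sdk project or any of its SDKs. It uses only the Python standard library, so it models Tier 1 and the Tier 2 scope check and omits Tier 3 (the stdlib has no AES-GCM). The canonical string layout, the header names other than `X-SESAME-Scope`, the `KEYS` directory, the acceptance window and the sample body are all assumptions made for illustration; the byte-exact wire format is in `SESAME.md` and the conformance vectors, which this page does not reproduce.

```python
"""Illustrative Tier-1-style HMAC request signing and verification.

Added example; NOT the sesame-sdk wire format. Canonical string, header
names (except X-SESAME-Scope) and key directory are assumptions.
"""
import hashlib
import hmac
import secrets
import time

# Hypothetical header names (assumption; only X-SESAME-Scope is on the page).
H_KEY_ID = "X-SESAME-KeyId"
H_TIMESTAMP = "X-SESAME-Timestamp"
H_NONCE = "X-SESAME-Nonce"
H_SCOPE = "X-SESAME-Scope"
H_SIGNATURE = "X-SESAME-Signature"

# Constructed key directory standing in for a KeyProvider:
# key_id -> (shared secret, channels this key is allowed to address).
KEYS = {
    "sas-east-01": (b"shared-secret", {"SportsFeed-East"}),
}


def canonical_string(method, path, key_id, timestamp, nonce, scope, body):
    """Assumed canonical form: fixed-order fields joined by a newline, with
    the body bound via its SHA-256 so the MAC covers the payload bytes."""
    body_hash = hashlib.sha256(body).hexdigest()
    fields = [method.upper(), path, key_id, str(timestamp), nonce, scope or "", body_hash]
    return "\n".join(fields).encode()


def sign_request(method, path, key_id, scope, body, now=None, nonce=None):
    """Client side: emit the headers for one request. Signing needs a fresh
    nonce from the OS CSPRNG; verification below needs no randomness."""
    secret, _ = KEYS[key_id]
    ts = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    msg = canonical_string(method, path, key_id, ts, nonce, scope, body)
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    headers = {H_KEY_ID: key_id, H_TIMESTAMP: str(ts), H_NONCE: nonce, H_SIGNATURE: mac}
    if scope:
        headers[H_SCOPE] = scope
    return headers


class ReplayCache:
    """Single-node in-memory (key_id, nonce) store bounded by the window."""

    def __init__(self, window_s):
        self.window = window_s
        self.seen = {}  # (key_id, nonce) -> time first accepted

    def check_and_insert(self, key_id, nonce, now):
        # Evict entries older than the window so the store stays bounded;
        # anything that old is already rejected by the timestamp check.
        for k, t in list(self.seen.items()):
            if now - t > self.window:
                del self.seen[k]
        if (key_id, nonce) in self.seen:
            return False
        self.seen[(key_id, nonce)] = now
        return True


def verify_request(method, path, headers, body, replay, now, window_s=300):
    """Server (POIS) side. Returns (ok, reason).

    Order matters: parse -> known key -> timestamp window -> MAC -> replay
    -> scope. The replay cache is only written after the MAC verifies, so an
    unauthenticated sender cannot fill it with nonces; scope is checked
    last because it is an authorization decision about an authenticated peer.
    """
    try:
        key_id = headers[H_KEY_ID]
        ts = int(headers[H_TIMESTAMP])
        nonce = headers[H_NONCE]
        sig = headers[H_SIGNATURE]
    except (KeyError, ValueError):
        return False, "missing-or-malformed-headers"
    scope = headers.get(H_SCOPE)
    if key_id not in KEYS:
        return False, "unknown-key"
    secret, allowed = KEYS[key_id]
    if abs(now - ts) > window_s:
        return False, "timestamp-outside-window"
    expected = hmac.new(secret, canonical_string(method, path, key_id, ts, nonce, scope, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad-signature"
    if not replay.check_and_insert(key_id, nonce, now):
        return False, "replay"
    if scope is not None and scope not in allowed:
        return False, "scope-not-authorized"
    return True, "ok"


def demo():
    """Run the happy path and the four failure modes a POIS must reject."""
    body = b"<SignalProcessingEvent/>"  # constructed stand-in for ESAM XML
    now = 1_700_000_000
    hdrs = sign_request("POST", "/esam", "sas-east-01", "SportsFeed-East", body, now=now)
    cache = ReplayCache(300)
    results = {"valid": verify_request("POST", "/esam", hdrs, body, cache, now)}
    results["replay"] = verify_request("POST", "/esam", hdrs, body, cache, now + 1)
    results["tampered"] = verify_request("POST", "/esam", hdrs, body + b"x", ReplayCache(300), now)
    wrong_scope = sign_request("POST", "/esam", "sas-east-01", "NewsFeed-West", body, now=now)
    results["scope"] = verify_request("POST", "/esam", wrong_scope, body, ReplayCache(300), now)
    results["stale"] = verify_request("POST", "/esam", hdrs, body, ReplayCache(300), now + 3600)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} -> {'accept' if ok else 'reject'} ({reason})")
```

Two design points worth carrying over to any real deployment: the replay store is written only after the MAC has verified, and it is keyed by `(key_id, nonce)` rather than by nonce alone, so two legitimate clients choosing the same nonce do not collide. The page notes that the in-memory cache is single-node only; a POIS cluster must back the `ReplayCache` seam with a shared store or replayed requests accepted on one node will be accepted again on another.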