fix(attest): correct single-upstream fingerprint keying before tagging v0.43.0

[vaaraio]

What this is

v0.43.0 merged to main in #168 but was never tagged, so PyPI, the GH Release, and the registry slots never fired. Before finishing the tag I found two correctness bugs in the merged attestation code, plus a stale plugin marketplace ref. This lands the fixes so the published v0.43.0 is correct from the first tag, rather than shipping a broken artifact and chasing it with a v0.43.1.

Fixes

Single-upstream fingerprint keying. A named single upstream (--upstream NAME=CMD) collapses into the "default" slot inside VaaraMCPProxy, and _REQUEST_UPSTREAM resolves to "default" at runtime. The attestation emitter was keyed on the operator-supplied name, so fingerprint_for("default") missed the precomputed command hash and emitted a cmd:sha256:unknown-default placeholder for the documented NAME=CMD form. _attest_upstreams_for_slots now keys the emitter the way the proxy slots upstreams. Multi-upstream fan-out keeps the operator names.

Reject non-P-256 EC signing keys. ES256 emits a fixed 32-byte r||s, so a non-secp256r1 curve would be mislabeled ES256 and then silently fail to sign (the emit path swallows signing errors). The key loader now rejects it up front with a clear AttestConfigError.

Chore

Marketplace ref. .claude-plugin/marketplace.json had been stale at v0.41.0 across v0.42.0 and v0.43.0, pinning plugin installs two releases back. Bumped to v0.43.0.

Tests

5 new tests: slot-keying (named-single collapses to default, multi preserved), curve validation (P-384 rejected, P-256 accepted), and an end-to-end fingerprint check. Affected suites: 61 passed, ruff clean.

[coderabbitai]

Warning

Review limit reached

@vaaraio, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 6 minutes and 21 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 70458077-389f-4d6a-bea0-d485af5aaa21

📥 Commits

Reviewing files that changed from the base of the PR and between dfba0f0 and eb91644.

📒 Files selected for processing (5)

• .claude-plugin/marketplace.json
• src/vaara/integrations/_mcp_attest.py
• src/vaara/integrations/mcp_proxy.py
• tests/test_integrations_mcp_proxy.py
• tests/test_integrations_mcp_proxy_attest.py

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/attest-slot-keying-v043

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}