The HTTP Session was hardcoded with no injection point and followed
redirects by default, so a server-side caller pointing the client at an
attacker-influenced base_url (a tenant's prime_endpoint) had no way to
attach an SSRF policy, and a public endpoint could 302-redirect the
request to an internal address (e.g. the cloud metadata service).
- Client/DragonchainSDK now accept an optional `session` so callers can
inject a Session whose transport adapter refuses internal IPs. Default
stays unguarded for trusted/CLI use — the guard belongs in the server.
- Requests are sent with allow_redirects=False; Prime never legitimately
redirects, and a 3xx now surfaces to the caller instead of being followed.
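
An added example, not code from this repository: one way to build the kind of Session the commit message above describes, with a `requests` transport adapter that refuses internal IPs, for a server-side caller to pass as the optional `session`. The names `PublicOnlyAdapter`, `InternalAddressBlocked`, `is_internal` and `guarded_session` are assumptions, as is the policy of refusing every address that `ipaddress` does not class as global.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

import requests
from requests.adapters import HTTPAdapter


class InternalAddressBlocked(requests.exceptions.ConnectionError):
    """Raised before any connection is made to a non-public address."""


def is_internal(address: str) -> bool:
    """True for loopback, RFC 1918, link-local (169.254.0.0/16) and similar."""
    ip = ipaddress.ip_address(address.split("%")[0])  # drop any IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:  # ::ffff:a.b.c.d is judged by its embedded IPv4
        ip = mapped
    return not ip.is_global


class PublicOnlyAdapter(HTTPAdapter):
    """Transport adapter that refuses hosts resolving to internal addresses."""

    def send(self, request, **kwargs):
        parts = urlsplit(request.url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        try:
            infos = socket.getaddrinfo(parts.hostname, port, type=socket.SOCK_STREAM)
        except socket.gaierror as exc:
            raise InternalAddressBlocked(f"cannot resolve {parts.hostname!r}") from exc
        for info in infos:  # refuse if ANY resolved address is internal
            if is_internal(info[4][0]):
                raise InternalAddressBlocked(
                    f"{parts.hostname!r} resolves to internal address {info[4][0]}"
                )
        # Limitation: the connection below resolves the name again, so this
        # check alone does not stop a DNS answer that changes between lookups.
        return super().send(request, **kwargs)


def guarded_session() -> requests.Session:
    """Hypothetical helper: a Session with the guard mounted on both schemes."""
    session = requests.Session()
    session.mount("http://", PublicOnlyAdapter())
    session.mount("https://", PublicOnlyAdapter())
    return session
```

Because the adapter sees every request the Session sends, it also checks a redirect target if a caller does follow redirects; with `allow_redirects=False` the 3xx simply surfaces to the caller.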

New transaction.get_interchain and block.get_interchain call the prime-node
/api/v1/{transaction,block}/{id}/interchain endpoints, returning an
InterchainTrace {block_id, validator_blocks, interchain_transactions}. Adds
VerificationBlock / InterchainTransaction / InterchainTrace dataclasses with
from_dict, exports them, and a from_dict test.

The block endpoint returns block id / prev / timestamp nested under a
"header" object with camelCase keys (blockId, dcId, prevId, prevProof,
timestamp) and a proof of just {proof}. The previous flat snake_case
Block fields never matched the response and always deserialized empty.
Add a BlockHeader dataclass, nest it in Block, make proof.scheme
optional, and cover it with a unit test. Verified live against a dev
chain.

Synchronous Python SDK modeled on prime-sdk-go. Provides DC1-HMAC-SHA256
auth, dataclass models, and resource clients for system, transaction,
transaction-type, smart-contract, and block endpoints, plus a YAML
credentials loader.