derivepassphrase.git

@@ -179,3 +179,27 @@ code.doc-symbol-module::after {

   color: inherit;

   border-bottom: 1px dotted currentcolor;

 }

+

+/* Source code blocks (admonitions). */

+:root {

+  --md-admonition-icon--mkdocstrings-source: url('data:image/svg+xml;charset=utf-8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M15.22 4.97a.75.75 0 0 1 1.06 0l6.5 6.5a.75.75 0 0 1 0 1.06l-6.5 6.5a.749.749 0 0 1-1.275-.326.75.75 0 0 1 .215-.734L21.19 12l-5.97-5.97a.75.75 0 0 1 0-1.06m-6.44 0a.75.75 0 0 1 0 1.06L2.81 12l5.97 5.97a.749.749 0 0 1-.326 1.275.75.75 0 0 1-.734-.215l-6.5-6.5a.75.75 0 0 1 0-1.06l6.5-6.5a.75.75 0 0 1 1.06 0"/></svg>')

+}

+.md-typeset .admonition.mkdocstrings-source,

+.md-typeset details.mkdocstrings-source {

+  border: none;

+  padding: 0;

+}

+.md-typeset .admonition.mkdocstrings-source:focus-within,

+.md-typeset details.mkdocstrings-source:focus-within {

+  box-shadow: none;

+}

+.md-typeset .mkdocstrings-source > .admonition-title,

+.md-typeset .mkdocstrings-source > summary {

+  background-color: inherit;

+}

+.md-typeset .mkdocstrings-source > .admonition-title::before,

+.md-typeset .mkdocstrings-source > summary::before {

+  background-color: var(--md-default-fg-color);

+  -webkit-mask-image: var(--md-admonition-icon--mkdocstrings-source);

+          mask-image: var(--md-admonition-icon--mkdocstrings-source);

+}

@@ -2851,7 +2851,7 @@

     <div class="doc doc-contents ">

-        <p>A [<code>TypeVar</code>][] for classes implementing the [<code>Buffer</code>][] interface.</p>

+        <p>A <a class="autorefs autorefs-external" href="https://docs.python.org/3/library/typing.html#typing.TypeVar"><code>TypeVar</code></a> for classes implementing the <a class="autorefs autorefs-external" href="https://typing-extensions.readthedocs.io/en/latest/index.html#typing_extensions.Buffer"><code>Buffer</code></a> interface.</p>

 <details class="warning" open>

@@ -4181,7 +4187,13 @@ the JSON value that was cleaned up.</p>

             <td>

               <div class="doc-md-description">

                 <p>List identities.  Expecting

-[<code>SSH_AGENT.IDENTITIES_ANSWER</code>][].</p>

+<a class="autorefs autorefs-internal" title="            IDENTITIES_ANSWER

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="#derivepassphrase._types.SSH_AGENT.IDENTITIES_ANSWER"><code>SSH_AGENT.IDENTITIES_ANSWER</code></a>.</p>

               </div>

             </td>

           </tr>

@@ -4198,7 +4210,13 @@ the JSON value that was cleaned up.</p>

             </td>

             <td>

               <div class="doc-md-description">

-                <p>Sign data.  Expecting [<code>SSH_AGENT.SIGN_RESPONSE</code>][].</p>

+                <p>Sign data.  Expecting <a class="autorefs autorefs-internal" title="            SIGN_RESPONSE

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="#derivepassphrase._types.SSH_AGENT.SIGN_RESPONSE"><code>SSH_AGENT.SIGN_RESPONSE</code></a>.</p>

               </div>

             </td>

           </tr>

@@ -4267,9 +4285,27 @@ the JSON value that was cleaned up.</p>

             <td>

               <div class="doc-md-description">

                 <p>Issue a named request that isn&rsquo;t part of the core agent

-protocol.  Expecting [<code>SSH_AGENT.EXTENSION_RESPONSE</code>][] or

-[<code>SSH_AGENT.EXTENSION_FAILURE</code>][] if the named request is

-supported, [<code>SSH_AGENT.FAILURE</code>][] otherwise.</p>

+protocol.  Expecting <a class="autorefs autorefs-internal" title="            EXTENSION_RESPONSE

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="#derivepassphrase._types.SSH_AGENT.EXTENSION_RESPONSE"><code>SSH_AGENT.EXTENSION_RESPONSE</code></a> or

+<a class="autorefs autorefs-internal" title="            EXTENSION_FAILURE

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="#derivepassphrase._types.SSH_AGENT.EXTENSION_FAILURE"><code>SSH_AGENT.EXTENSION_FAILURE</code></a> if the named request is

+supported, <a class="autorefs autorefs-internal" title="            FAILURE

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="#derivepassphrase._types.SSH_AGENT.FAILURE"><code>SSH_AGENT.FAILURE</code></a> otherwise.</p>

               </div>

             </td>

           </tr>

@@ -4529,7 +4566,13 @@ supported, [<code>SSH_AGENT.FAILURE</code>][] otherwise.</p>

             </td>

             <td>

               <div class="doc-md-description">

-                <p>Successful answer to [<code>SSH_AGENTC.REQUEST_IDENTITIES</code>][].</p>

+                <p>Successful answer to <a class="autorefs autorefs-internal" title="            REQUEST_IDENTITIES

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="#derivepassphrase._types.SSH_AGENTC.REQUEST_IDENTITIES"><code>SSH_AGENTC.REQUEST_IDENTITIES</code></a>.</p>

               </div>

             </td>

           </tr>

@@ -4546,7 +4589,13 @@ supported, [<code>SSH_AGENT.FAILURE</code>][] otherwise.</p>

             </td>

             <td>

               <div class="doc-md-description">

-                <p>Successful answer to [<code>SSH_AGENTC.SIGN_REQUEST</code>][].</p>

+                <p>Successful answer to <a class="autorefs autorefs-internal" title="            SIGN_REQUEST

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="#derivepassphrase._types.SSH_AGENTC.SIGN_REQUEST"><code>SSH_AGENTC.SIGN_REQUEST</code></a>.</p>

               </div>

             </td>

           </tr>

@@ -4563,7 +4612,13 @@ supported, [<code>SSH_AGENT.FAILURE</code>][] otherwise.</p>

             </td>

             <td>

               <div class="doc-md-description">

-                <p>Unsuccessful answer to [<code>SSH_AGENTC.EXTENSION</code>][].</p>

+                <p>Unsuccessful answer to <a class="autorefs autorefs-internal" title="            EXTENSION

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="#derivepassphrase._types.SSH_AGENTC.EXTENSION"><code>SSH_AGENTC.EXTENSION</code></a>.</p>

               </div>

             </td>

           </tr>

@@ -4580,7 +4635,13 @@ supported, [<code>SSH_AGENT.FAILURE</code>][] otherwise.</p>

             </td>

             <td>

               <div class="doc-md-description">

-                <p>Successful answer to [<code>SSH_AGENTC.EXTENSION</code>][].</p>

+                <p>Successful answer to <a class="autorefs autorefs-internal" title="            EXTENSION

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="#derivepassphrase._types.SSH_AGENTC.EXTENSION"><code>SSH_AGENTC.EXTENSION</code></a>.</p>

               </div>

             </td>

           </tr>

@@ -6319,7 +6388,7 @@ check for <a class="autorefs autorefs-external" href="https://docs.python.org/3/

 <p>Needed for compatibility with vault(1), which sometimes uses only

 truthiness checks.</p>

 <p>If vault(1) considered <code>obj</code> to be valid, then after clean up,

-<code>obj</code> will be valid as per [<code>validate_vault_config</code>][].</p>

+<code>obj</code> will be valid as per <a class="autorefs autorefs-internal" title="            validate_vault_config" href="#derivepassphrase._types.validate_vault_config"><code>validate_vault_config</code></a>.</p>

 <p><span class="doc-section-title">Parameters:</span></p>

@@ -2375,7 +2377,7 @@

             <td>

               <div class="doc-md-description">

                 <p>The path to the vault configuration file or directory.

-If not given, then query [<code>get_vault_path</code>][] for the

+If not given, then query <a class="autorefs autorefs-internal" title="            get_vault_path" href="#derivepassphrase.exporter.get_vault_path"><code>get_vault_path</code></a> for the

 correct value.</p>

               </div>

             </td>

@@ -2395,7 +2397,7 @@ correct value.</p>

                 <p>Encryption key/password for the configuration file or

 directory, usually the username, or passed via the

 <code>VAULT_KEY</code> environment variable.  If not given, then

-query [<code>get_vault_key</code>][] for the value.</p>

+query <a class="autorefs autorefs-internal" title="            get_vault_key" href="#derivepassphrase.exporter.get_vault_key"><code>get_vault_key</code></a> for the value.</p>

               </div>

             </td>

             <td>

@@ -2770,7 +2772,7 @@ manually to the correct value.</p>

     <div class="doc doc-contents ">

         <p>Export the full vault-native configuration stored in <code>path</code>.</p>

-<p>See [<code>ExportVaultConfigDataFunction</code>][] for an explanation of the

+<p>See <a class="autorefs autorefs-internal" title="            ExportVaultConfigDataFunction" href="#derivepassphrase.exporter.ExportVaultConfigDataFunction"><code>ExportVaultConfigDataFunction</code></a> for an explanation of the

 call signature, and the exceptions to expect.</p>

@@ -2806,7 +2808,7 @@ slots) and provides an impure quasi-filesystem interface.  Each hash

 table entry is separately encrypted and authenticated.  James Coglan

 designed this format to avoid concurrent write issues when updating or

 synchronizing the vault configuration with e.g. a cloud service.</p>

-<p>The public interface is the [<code>export_storeroom_data</code>][] function.

+<p>The public interface is the <a class="autorefs autorefs-internal" title="            export_storeroom_data" href="#derivepassphrase.exporter.storeroom.export_storeroom_data"><code>export_storeroom_data</code></a> function.

 Multiple <em>non-public</em> functions are additionally documented here for

 didactical and educational reasons, but they are not part of the module

 API, are subject to change without notice (including removal), and

@@ -2849,7 +2851,7 @@ should <em>not</em> be used or relied on.</p>

     <div class="doc doc-contents ">

         <p>Export the full configuration stored in the storeroom.</p>

-<p>See [<code>exporter.ExportVaultConfigDataFunction</code>][] for an explanation

+<p>See <a class="autorefs autorefs-internal" title="            ExportVaultConfigDataFunction" href="#derivepassphrase.exporter.ExportVaultConfigDataFunction"><code>exporter.ExportVaultConfigDataFunction</code></a> for an explanation

 of the call signature, and the exceptions to expect.</p>

@@ -3061,7 +3063,7 @@ blocksize, in this case, the PKCS7 padding always is <code>b'\x10' * 16</code>.<

               <div class="doc-md-description">

                 <p>The encryption and signing keys for the master keys data.

 These should have previously been derived via the

-[<code>_derive_master_keys_keys</code>][] function.</p>

+<a class="autorefs autorefs-internal" title="            _derive_master_keys_keys" href="#derivepassphrase.exporter.storeroom._derive_master_keys_keys"><code>_derive_master_keys_keys</code></a> function.</p>

               </div>

             </td>

             <td>

@@ -3212,7 +3214,7 @@ blocksize, in this case, the PKCS7 padding always is <code>b'\x10' * 16</code>.<

             <td>

               <div class="doc-md-description">

                 <p>The master keys.  Presumably these have previously been

-obtained via the [<code>_decrypt_master_keys_data</code>][] function.</p>

+obtained via the <a class="autorefs autorefs-internal" title="            _decrypt_master_keys_data" href="#derivepassphrase.exporter.storeroom._decrypt_master_keys_data"><code>_decrypt_master_keys_data</code></a> function.</p>

               </div>

             </td>

             <td>

@@ -3359,7 +3361,7 @@ MAC can be verified before attempting to decrypt the payload.</p>

             <td>

               <div class="doc-md-description">

                 <p>The bucket item&rsquo;s session keys.  Presumably these have

-previously been obtained via the [<code>_decrypt_session_keys</code>][]

+previously been obtained via the <a class="autorefs autorefs-internal" title="            _decrypt_session_keys" href="#derivepassphrase.exporter.storeroom._decrypt_session_keys"><code>_decrypt_session_keys</code></a>

 function.</p>

               </div>

             </td>

@@ -3496,7 +3498,7 @@ removal.</p>

             <td>

               <div class="doc-md-description">

                 <p>The master keys.  Presumably these have previously been

-obtained via the [<code>_decrypt_master_keys_data</code>][] function.</p>

+obtained via the <a class="autorefs autorefs-internal" title="            _decrypt_master_keys_data" href="#derivepassphrase.exporter.storeroom._decrypt_master_keys_data"><code>_decrypt_master_keys_data</code></a> function.</p>

               </div>

             </td>

             <td>

@@ -3635,7 +3637,7 @@ removal.</p>

             <td>

               <div class="doc-md-description">

                 <p>The master keys.  Presumably these have previously been

-obtained via the [<code>_decrypt_master_keys_data</code>][] function.</p>

+obtained via the <a class="autorefs autorefs-internal" title="            _decrypt_master_keys_data" href="#derivepassphrase.exporter.storeroom._decrypt_master_keys_data"><code>_decrypt_master_keys_data</code></a> function.</p>

               </div>

             </td>

             <td>

@@ -3762,7 +3764,7 @@ structures, so they are <em>not</em> compatible.  v0.2 additionally contains

 cryptographic weaknesses (API misuse of a key derivation function, and

 a low-entropy method of generating initialization vectors for CBC block

 encryption mode) and should thus be avoided if possible.</p>

-<p>The public interface is the [<code>export_vault_native_data</code>][] function.

+<p>The public interface is the <a class="autorefs autorefs-internal" title="            export_vault_native_data" href="#derivepassphrase.exporter.vault_native.export_vault_native_data"><code>export_vault_native_data</code></a> function.

 Multiple <em>non-public</em> classes are additionally documented here for

 didactical and educational reasons, but they are not part of the module

 API, are subject to change without notice (including removal), and

@@ -3852,7 +3855,7 @@ here.</p>

               <div class="doc-md-description">

                 <p>The vault master key/master passphrase the file is

 encrypted with.  Must be non-empty.  See

-[<code>exporter.get_vault_key</code>][] for details.</p>

+<a class="autorefs autorefs-internal" title="            get_vault_key" href="#derivepassphrase.exporter.get_vault_key"><code>exporter.get_vault_key</code></a> for details.</p>

 <p>If this is a text string, then the UTF-8 encoding of the

 string is used as the binary password.</p>

               </div>

@@ -3989,7 +3992,13 @@ unexpected extra contents, or invalid padding.)</p>

     <div class="doc doc-contents ">

         <p>Generate a key from a password.</p>

-<p>Uses PBKDF2 with HMAC-SHA1, with [vault.Vault.UUID][] as a fixed

+<p>Uses PBKDF2 with HMAC-SHA1, with <a class="autorefs autorefs-internal" title="            UUID

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="../derivepassphrase.vault/#derivepassphrase.vault.Vault.UUID">vault.Vault.UUID</a> as a fixed

 salt value.</p>

@@ -4156,7 +4165,12 @@ parser.</p>

         <p>Derive the signing and encryption keys.</p>

 <p>This is a bookkeeping method.  The actual work is done in

-[<code>_generate_keys</code>][].</p>

+<a class="autorefs autorefs-internal" title="            _generate_keys

+

+

+  

+      abstractmethod

+  " href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._generate_keys"><code>_generate_keys</code></a>.</p>

     </div>

@@ -4320,8 +4334,8 @@ version-specific.  The default implementation raises an error.</p>

     <div class="doc doc-contents ">

         <p>Return the decrypted vault configuration.</p>

-<p>Requires [<code>_parse_contents</code>][] and [<code>_derive_keys</code>][] to have

-run, and relies on [<code>_check_signature</code>][] for tampering

+<p>Requires <a class="autorefs autorefs-internal" title="            _parse_contents" href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._parse_contents"><code>_parse_contents</code></a> and <a class="autorefs autorefs-internal" title="            _derive_keys" href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._derive_keys"><code>_derive_keys</code></a> to have

+run, and relies on <a class="autorefs autorefs-internal" title="            _check_signature" href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._check_signature"><code>_check_signature</code></a> for tampering

 detection.</p>

@@ -4474,14 +4489,25 @@ strength is half of this value.)</p>

         <p>Derive the signing and encryption keys, and set the key sizes.</p>

 <p>Version 0.3 vault configurations use a constant key size; see

-[<code>KEY_SIZE</code>][].  The encryption and signing keys differ in how

+<a class="autorefs autorefs-internal" title="            KEY_SIZE

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="#derivepassphrase.exporter.vault_native.VaultNativeV03ConfigParser.KEY_SIZE"><code>KEY_SIZE</code></a>.  The encryption and signing keys differ in how

 many rounds of PBKDF2 they use (100 and 200, respectively).</p>

 <details class="danger" open>

   <summary>Insecure use of cryptography</summary>

   <p>This function makes use of the insecure function

-[<code>VaultNativeConfigParser._pbkdf2</code>][], without any attempts

+<a class="autorefs autorefs-internal" title="            _pbkdf2

+

+

+  

+      staticmethod

+  " href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._pbkdf2"><code>VaultNativeConfigParser._pbkdf2</code></a>, without any attempts

 at mitigating its insecurity.  It further uses <code>_pbkdf2</code>

 with the low iteration count of 100 and 200 rounds, which is

 <em>drastically</em> insufficient to defend against password

@@ -4676,7 +4703,12 @@ iteration count.</p>

 <details class="danger" open>

   <summary>Insecure use of cryptography</summary>

   <p>This function makes use of the insecure function

-[<code>VaultNativeConfigParser._pbkdf2</code>][], without any attempts

+<a class="autorefs autorefs-internal" title="            _pbkdf2

+

+

+  

+      staticmethod

+  " href="#derivepassphrase.exporter.vault_native.VaultNativeConfigParser._pbkdf2"><code>VaultNativeConfigParser._pbkdf2</code></a>, without any attempts

 at mitigating its insecurity.  It further uses <code>_pbkdf2</code>

 with the low iteration count of 16 rounds, which is

 <em>drastically</em> insufficient to defend against password

@@ -4873,7 +4905,7 @@ determined attackers!</p>

     <div class="doc doc-contents ">

         <p>Export the full configuration stored in vault native format.</p>

-<p>See [<code>exporter.ExportVaultConfigDataFunction</code>][] for an explanation

+<p>See <a class="autorefs autorefs-internal" title="            ExportVaultConfigDataFunction" href="#derivepassphrase.exporter.ExportVaultConfigDataFunction"><code>exporter.ExportVaultConfigDataFunction</code></a> for an explanation

 of the call signature, and the exceptions to expect.</p>

@@ -1499,7 +1499,7 @@ served.  The sequin module is used in Coglan’s “vault” module

 deterministic, stateless password manager that recomputes passwords

 instead of storing them), and this reimplementation is used for

 a similar purpose.</p>

-<p>The main API is the [<code>Sequin</code>][] class, which is thoroughly documented.</p>

+<p>The main API is the <a class="autorefs autorefs-internal" title="            Sequin" href="#derivepassphrase.sequin.Sequin"><code>Sequin</code></a> class, which is thoroughly documented.</p>

@@ -1885,8 +1888,20 @@

         <p>A bare-bones SSH agent client supporting signing and key listing.</p>

 <p>The main use case is requesting the agent sign some data, after

 checking that the necessary key is already loaded.</p>

-<p>The main fleshed out methods are [<code>list_keys</code>][] and [<code>sign</code>][],

-which implement the [<code>REQUEST_IDENTITIES</code>][_types.SSH_AGENTC.REQUEST_IDENTITIES] and [<code>SIGN_REQUEST</code>][_types.SSH_AGENTC.SIGN_REQUEST] requests.  If you <em>really</em> wanted

+<p>The main fleshed out methods are <a class="autorefs autorefs-internal" title="            list_keys" href="#derivepassphrase.ssh_agent.SSHAgentClient.list_keys"><code>list_keys</code></a> and <a class="autorefs autorefs-internal" title="            sign" href="#derivepassphrase.ssh_agent.SSHAgentClient.sign"><code>sign</code></a>,

+which implement the <a class="autorefs autorefs-internal" title="            REQUEST_IDENTITIES

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="../derivepassphrase._types/#derivepassphrase._types.SSH_AGENTC.REQUEST_IDENTITIES"><code>REQUEST_IDENTITIES</code></a> and <a class="autorefs autorefs-internal" title="            SIGN_REQUEST

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="../derivepassphrase._types/#derivepassphrase._types.SSH_AGENTC.SIGN_REQUEST"><code>SIGN_REQUEST</code></a> requests.  If you <em>really</em> wanted

 to, there is enough infrastructure in place to issue other requests

 as defined in the protocol—it’s merely the wrapper functions and

 the protocol numbers table that are missing.</p>

@@ -3132,7 +3147,7 @@ any of them.</p>

             <td>

               <div class="doc-md-description">

                 <p>The public SSH key to sign the payload with, in the same

-format as returned by, e.g., the [<code>list_keys</code>][] method.

+format as returned by, e.g., the <a class="autorefs autorefs-internal" title="            list_keys" href="#derivepassphrase.ssh_agent.SSHAgentClient.list_keys"><code>list_keys</code></a> method.

 The corresponding private key must have previously been

 loaded into the agent to successfully issue a signature.</p>

               </div>

@@ -3186,7 +3201,7 @@ real-world usage is currently implemented.)</p>

             </td>

             <td>

               <div class="doc-md-description">

-                <p>If true, check beforehand (via [<code>list_keys</code>][]) if the

+                <p>If true, check beforehand (via <a class="autorefs autorefs-internal" title="            list_keys" href="#derivepassphrase.ssh_agent.SSHAgentClient.list_keys"><code>list_keys</code></a>) if the

 corresponding key has been loaded into the agent.</p>

               </div>

             </td>

@@ -1634,7 +1635,7 @@ kept secret.  The implementation is compatible with <a href="https://www.npmjs.c

 detail</a> in his blog post on said topic: A principally

 infinite bit stream is obtained by running a key-derivation function

 on the master passphrase and the service name, then this bit stream

-is fed into a [sequin.Sequin][] to generate random numbers in the

+is fed into a <a class="autorefs autorefs-internal" title="            Sequin" href="../derivepassphrase.sequin/#derivepassphrase.sequin.Sequin">sequin.Sequin</a> to generate random numbers in the

 correct range, and finally these random numbers select passphrase

 characters until the desired length is reached.</p>

@@ -2003,7 +2004,13 @@ string is used.</p>

             <td>

               <div class="doc-md-description">

                 <p>A vault service name.  Will be suffixed with the

-[<code>UUID</code>][], and then used as the salt value for

+<a class="autorefs autorefs-internal" title="            UUID

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="#derivepassphrase.vault.Vault.UUID"><code>UUID</code></a>, and then used as the salt value for

 PBKDF2.  If a string, then the UTF-8 encoding of the

 string is used.</p>

               </div>

@@ -2369,7 +2376,13 @@ restricted to the indicated SSH agent).</p>

         <p>Obtain the master passphrase from a configured SSH key.</p>

 <p>vault allows the usage of certain SSH keys to derive a master

-passphrase, by signing the vault [<code>UUID</code>][] with the SSH key.

+passphrase, by signing the vault <a class="autorefs autorefs-internal" title="            UUID

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="#derivepassphrase.vault.Vault.UUID"><code>UUID</code></a> with the SSH key.

 The key type must ensure that signatures are deterministic

 (perhaps only in conjunction with the given SSH agent).</p>

@@ -2411,7 +2424,12 @@ The key type must ensure that signatures are deterministic

             <td>

               <div class="doc-md-description">

                 <p>An optional connection hint to the SSH agent.  See

-[<code>ssh_agent.SSHAgentClient.ensure_agent_subcontext</code>][].</p>

+<a class="autorefs autorefs-internal" title="            ensure_agent_subcontext

+

+

+  

+      classmethod

+  " href="../derivepassphrase.ssh_agent/#derivepassphrase.ssh_agent.SSHAgentClient.ensure_agent_subcontext"><code>ssh_agent.SSHAgentClient.ensure_agent_subcontext</code></a>.</p>

               </div>

             </td>

             <td>

@@ -2437,7 +2455,13 @@ The key type must ensure that signatures are deterministic

             </td>

             <td>

               <div class="doc-md-description">

-                <p>The signature of the vault [<code>UUID</code>][] under this key,

+                <p>The signature of the vault <a class="autorefs autorefs-internal" title="            UUID

+

+

+  

+      class-attribute

+      instance-attribute

+  " href="#derivepassphrase.vault.Vault.UUID"><code>UUID</code></a> under this key,

 unframed but encoded in base64.</p>

               </div>

             </td>