3tears-registry 0.14.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- 3tears_registry-0.14.0/.gitignore +216 -0
- 3tears_registry-0.14.0/LICENSE +21 -0
- 3tears_registry-0.14.0/PKG-INFO +89 -0
- 3tears_registry-0.14.0/README.md +72 -0
- 3tears_registry-0.14.0/pyproject.toml +34 -0
- 3tears_registry-0.14.0/src/threetears/registry/__init__.py +68 -0
- 3tears_registry-0.14.0/src/threetears/registry/__main__.py +7 -0
- 3tears_registry-0.14.0/src/threetears/registry/auth.py +180 -0
- 3tears_registry-0.14.0/src/threetears/registry/catalog.py +565 -0
- 3tears_registry-0.14.0/src/threetears/registry/config.py +200 -0
- 3tears_registry-0.14.0/src/threetears/registry/discovery.py +290 -0
- 3tears_registry-0.14.0/src/threetears/registry/entities.py +56 -0
- 3tears_registry-0.14.0/src/threetears/registry/health.py +366 -0
- 3tears_registry-0.14.0/src/threetears/registry/heartbeat_collection.py +357 -0
- 3tears_registry-0.14.0/src/threetears/registry/l1_cache.py +202 -0
- 3tears_registry-0.14.0/src/threetears/registry/proxy.py +1045 -0
- 3tears_registry-0.14.0/src/threetears/registry/py.typed +0 -0
- 3tears_registry-0.14.0/src/threetears/registry/rbac_authorizer.py +239 -0
- 3tears_registry-0.14.0/src/threetears/registry/rbac_stack.py +410 -0
- 3tears_registry-0.14.0/src/threetears/registry/registration.py +466 -0
- 3tears_registry-0.14.0/src/threetears/registry/routing.py +63 -0
- 3tears_registry-0.14.0/src/threetears/registry/server.py +627 -0
- 3tears_registry-0.14.0/tests/__init__.py +0 -0
- 3tears_registry-0.14.0/tests/enforcement/__init__.py +0 -0
- 3tears_registry-0.14.0/tests/enforcement/test_no_hardcoded_timeouts.py +217 -0
- 3tears_registry-0.14.0/tests/integration/__init__.py +0 -0
- 3tears_registry-0.14.0/tests/integration/test_heartbeat_collection.py +442 -0
- 3tears_registry-0.14.0/tests/unit/__init__.py +0 -0
- 3tears_registry-0.14.0/tests/unit/registry/__init__.py +0 -0
- 3tears_registry-0.14.0/tests/unit/registry/_dispatch_auth.py +160 -0
- 3tears_registry-0.14.0/tests/unit/registry/test_auth_wire_fields.py +90 -0
- 3tears_registry-0.14.0/tests/unit/registry/test_catalog.py +839 -0
- 3tears_registry-0.14.0/tests/unit/registry/test_discovery.py +358 -0
- 3tears_registry-0.14.0/tests/unit/registry/test_health.py +585 -0
- 3tears_registry-0.14.0/tests/unit/registry/test_identity_verification.py +1140 -0
- 3tears_registry-0.14.0/tests/unit/registry/test_multi_pod.py +551 -0
- 3tears_registry-0.14.0/tests/unit/registry/test_proxy.py +738 -0
- 3tears_registry-0.14.0/tests/unit/registry/test_proxy_pending_endpoint.py +244 -0
- 3tears_registry-0.14.0/tests/unit/registry/test_rbac_authorizer.py +561 -0
- 3tears_registry-0.14.0/tests/unit/registry/test_rbac_stack.py +343 -0
- 3tears_registry-0.14.0/tests/unit/registry/test_readiness.py +69 -0
- 3tears_registry-0.14.0/tests/unit/registry/test_registration.py +428 -0
- 3tears_registry-0.14.0/tests/unit/registry/test_registration_barrier.py +511 -0
- 3tears_registry-0.14.0/tests/unit/registry/test_routing.py +131 -0
|
@@ -0,0 +1,216 @@
|
|
|
1
|
+
# Byte-compiled / optimized / DLL files
|
|
2
|
+
__pycache__/
|
|
3
|
+
*.py[codz]
|
|
4
|
+
*$py.class
|
|
5
|
+
|
|
6
|
+
# C extensions
|
|
7
|
+
*.so
|
|
8
|
+
|
|
9
|
+
# Distribution / packaging
|
|
10
|
+
.Python
|
|
11
|
+
build/
|
|
12
|
+
develop-eggs/
|
|
13
|
+
dist/
|
|
14
|
+
downloads/
|
|
15
|
+
eggs/
|
|
16
|
+
.eggs/
|
|
17
|
+
lib/
|
|
18
|
+
lib64/
|
|
19
|
+
parts/
|
|
20
|
+
sdist/
|
|
21
|
+
var/
|
|
22
|
+
wheels/
|
|
23
|
+
share/python-wheels/
|
|
24
|
+
*.egg-info/
|
|
25
|
+
.installed.cfg
|
|
26
|
+
*.egg
|
|
27
|
+
MANIFEST
|
|
28
|
+
|
|
29
|
+
# PyInstaller
|
|
30
|
+
# Usually these files are written by a python script from a template
|
|
31
|
+
# before PyInstaller builds the exe, so as to inject date/other infos into it.
|
|
32
|
+
*.manifest
|
|
33
|
+
*.spec
|
|
34
|
+
|
|
35
|
+
# Installer logs
|
|
36
|
+
pip-log.txt
|
|
37
|
+
pip-delete-this-directory.txt
|
|
38
|
+
|
|
39
|
+
# Unit test / coverage reports
|
|
40
|
+
htmlcov/
|
|
41
|
+
.tox/
|
|
42
|
+
.nox/
|
|
43
|
+
.coverage
|
|
44
|
+
.coverage.*
|
|
45
|
+
.cache
|
|
46
|
+
nosetests.xml
|
|
47
|
+
coverage.xml
|
|
48
|
+
*.cover
|
|
49
|
+
*.py.cover
|
|
50
|
+
.hypothesis/
|
|
51
|
+
.pytest_cache/
|
|
52
|
+
cover/
|
|
53
|
+
|
|
54
|
+
# Translations
|
|
55
|
+
*.mo
|
|
56
|
+
*.pot
|
|
57
|
+
|
|
58
|
+
# Django stuff:
|
|
59
|
+
*.log
|
|
60
|
+
local_settings.py
|
|
61
|
+
db.sqlite3
|
|
62
|
+
db.sqlite3-journal
|
|
63
|
+
|
|
64
|
+
# Flask stuff:
|
|
65
|
+
instance/
|
|
66
|
+
.webassets-cache
|
|
67
|
+
|
|
68
|
+
# Scrapy stuff:
|
|
69
|
+
.scrapy
|
|
70
|
+
|
|
71
|
+
# Sphinx documentation
|
|
72
|
+
docs/_build/
|
|
73
|
+
|
|
74
|
+
# PyBuilder
|
|
75
|
+
.pybuilder/
|
|
76
|
+
target/
|
|
77
|
+
|
|
78
|
+
# Jupyter Notebook
|
|
79
|
+
.ipynb_checkpoints
|
|
80
|
+
|
|
81
|
+
# IPython
|
|
82
|
+
profile_default/
|
|
83
|
+
ipython_config.py
|
|
84
|
+
|
|
85
|
+
# pyenv
|
|
86
|
+
# For a library or package, you might want to ignore these files since the code is
|
|
87
|
+
# intended to run in multiple environments; otherwise, check them in:
|
|
88
|
+
# .python-version
|
|
89
|
+
|
|
90
|
+
# pipenv
|
|
91
|
+
# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
|
|
92
|
+
# However, in case of collaboration, if having platform-specific dependencies or dependencies
|
|
93
|
+
# having no cross-platform support, pipenv may install dependencies that don't work, or not
|
|
94
|
+
# install all needed dependencies.
|
|
95
|
+
#Pipfile.lock
|
|
96
|
+
|
|
97
|
+
# UV
|
|
98
|
+
# Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
|
|
99
|
+
# This is especially recommended for binary packages to ensure reproducibility, and is more
|
|
100
|
+
# commonly ignored for libraries.
|
|
101
|
+
#uv.lock
|
|
102
|
+
|
|
103
|
+
# poetry
|
|
104
|
+
# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
|
|
105
|
+
# This is especially recommended for binary packages to ensure reproducibility, and is more
|
|
106
|
+
# commonly ignored for libraries.
|
|
107
|
+
# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
|
|
108
|
+
#poetry.lock
|
|
109
|
+
#poetry.toml
|
|
110
|
+
|
|
111
|
+
# pdm
|
|
112
|
+
# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
|
|
113
|
+
# pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
|
|
114
|
+
# https://pdm-project.org/en/latest/usage/project/#working-with-version-control
|
|
115
|
+
#pdm.lock
|
|
116
|
+
#pdm.toml
|
|
117
|
+
.pdm-python
|
|
118
|
+
.pdm-build/
|
|
119
|
+
|
|
120
|
+
# pixi
|
|
121
|
+
# Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
|
|
122
|
+
#pixi.lock
|
|
123
|
+
# Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
|
|
124
|
+
# in the .venv directory. It is recommended not to include this directory in version control.
|
|
125
|
+
.pixi
|
|
126
|
+
|
|
127
|
+
# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
|
|
128
|
+
__pypackages__/
|
|
129
|
+
|
|
130
|
+
# Celery stuff
|
|
131
|
+
celerybeat-schedule
|
|
132
|
+
celerybeat.pid
|
|
133
|
+
|
|
134
|
+
# SageMath parsed files
|
|
135
|
+
*.sage.py
|
|
136
|
+
|
|
137
|
+
# Environments
|
|
138
|
+
.env
|
|
139
|
+
.envrc
|
|
140
|
+
.venv
|
|
141
|
+
env/
|
|
142
|
+
venv/
|
|
143
|
+
ENV/
|
|
144
|
+
env.bak/
|
|
145
|
+
venv.bak/
|
|
146
|
+
|
|
147
|
+
# Spyder project settings
|
|
148
|
+
.spyderproject
|
|
149
|
+
.spyproject
|
|
150
|
+
|
|
151
|
+
# Rope project settings
|
|
152
|
+
.ropeproject
|
|
153
|
+
|
|
154
|
+
# mkdocs documentation
|
|
155
|
+
/site
|
|
156
|
+
|
|
157
|
+
# mypy
|
|
158
|
+
.mypy_cache/
|
|
159
|
+
.dmypy.json
|
|
160
|
+
dmypy.json
|
|
161
|
+
|
|
162
|
+
# Pyre type checker
|
|
163
|
+
.pyre/
|
|
164
|
+
|
|
165
|
+
# pytype static type analyzer
|
|
166
|
+
.pytype/
|
|
167
|
+
|
|
168
|
+
# Cython debug symbols
|
|
169
|
+
cython_debug/
|
|
170
|
+
|
|
171
|
+
# PyCharm
|
|
172
|
+
# JetBrains specific template is maintained in a separate JetBrains.gitignore that can
|
|
173
|
+
# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
|
|
174
|
+
# and can be added to the global gitignore or merged into this file. For a more nuclear
|
|
175
|
+
# option (not recommended) you can uncomment the following to ignore the entire idea folder.
|
|
176
|
+
#.idea/
|
|
177
|
+
|
|
178
|
+
# Abstra
|
|
179
|
+
# Abstra is an AI-powered process automation framework.
|
|
180
|
+
# Ignore directories containing user credentials, local state, and settings.
|
|
181
|
+
# Learn more at https://abstra.io/docs
|
|
182
|
+
.abstra/
|
|
183
|
+
|
|
184
|
+
# Visual Studio Code
|
|
185
|
+
# Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore
|
|
186
|
+
# that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
|
|
187
|
+
# and can be added to the global gitignore or merged into this file. However, if you prefer,
|
|
188
|
+
# you could uncomment the following to ignore the entire vscode folder
|
|
189
|
+
# .vscode/
|
|
190
|
+
|
|
191
|
+
# Ruff stuff:
|
|
192
|
+
.ruff_cache/
|
|
193
|
+
|
|
194
|
+
# PyPI configuration file
|
|
195
|
+
.pypirc
|
|
196
|
+
|
|
197
|
+
# Cursor
|
|
198
|
+
# Cursor is an AI-powered code editor. `.cursorignore` specifies files/directories to
|
|
199
|
+
# exclude from AI features like autocomplete and code analysis. Recommended for sensitive data
|
|
200
|
+
# refer to https://docs.cursor.com/context/ignore-files
|
|
201
|
+
.cursorignore
|
|
202
|
+
.cursorindexingignore
|
|
203
|
+
|
|
204
|
+
# Marimo
|
|
205
|
+
marimo/_static/
|
|
206
|
+
marimo/_lsp/
|
|
207
|
+
__marimo__/
|
|
208
|
+
|
|
209
|
+
# Claude Code local state
|
|
210
|
+
.claude/
|
|
211
|
+
|
|
212
|
+
# prawduct session evidence (local governance artifacts, never shipped)
|
|
213
|
+
.prawduct/
|
|
214
|
+
|
|
215
|
+
# macOS folder metadata
|
|
216
|
+
.DS_Store
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 Mark Pace
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: 3tears-registry
|
|
3
|
+
Version: 0.14.0
|
|
4
|
+
Summary: MCP-compatible tool registry for 3tears tool system
|
|
5
|
+
Project-URL: Repository, https://github.com/pacepace/3tears
|
|
6
|
+
Author: pace
|
|
7
|
+
License-Expression: MIT
|
|
8
|
+
License-File: LICENSE
|
|
9
|
+
Requires-Python: >=3.14
|
|
10
|
+
Requires-Dist: 3tears
|
|
11
|
+
Requires-Dist: 3tears-agent-acl>=0.1.0
|
|
12
|
+
Requires-Dist: 3tears-agent-tools>=0.5.0
|
|
13
|
+
Requires-Dist: 3tears-nats
|
|
14
|
+
Requires-Dist: 3tears-observe
|
|
15
|
+
Requires-Dist: nats-py>=2.0
|
|
16
|
+
Description-Content-Type: text/markdown
|
|
17
|
+
|
|
18
|
+
# 3tears Registry
|
|
19
|
+
|
|
20
|
+
MCP-compatible tool registry for the 3tears tool system. Routes tool calls between agents and tool pods via NATS request/reply.
|
|
21
|
+
|
|
22
|
+
Part of the [3tears](https://github.com/pacepace/3tears) framework.
|
|
23
|
+
|
|
24
|
+
## Components
|
|
25
|
+
|
|
26
|
+
- **`ToolCatalog`** -- in-memory index of registered tool pods, backed by a NATS KV bucket for recovery across restarts.
|
|
27
|
+
- **`RegistrationHandler`** -- subscribes to `{ns}.tools.register` and mutates the catalog.
|
|
28
|
+
- **`HeartbeatMonitor`** -- sweeps pods whose heartbeats fell behind the timeout and evicts their endpoints.
|
|
29
|
+
- **`DiscoveryHandler`** -- serves `{ns}.tools.discover` for pod-readiness polling.
|
|
30
|
+
- **`CallProxy`** -- the hot path. Subscribes to `{ns}.tools.call`, authorizes via `AgentToolAuthorizer`, selects an endpoint via the configured `RoutingStrategy`, and forwards the call to the tool pod via NATS request/reply with identity + correlation carried through the `CallContext` envelope.
|
|
31
|
+
- **`RegistryRbacStack`** -- self-contained rbac surface the standalone server constructs against the connected NATS client: NATS-proxy `NamespaceCollection` + four rbac metadata Collections + `AclCache` + invalidation subscribers. The `_run_server()` entry point uses this to wire `RbacEvaluatorAuthorizer` without any host-application loaders, so a standalone server no longer defaults to deny-all.
|
|
32
|
+
|
|
33
|
+
## Authorization
|
|
34
|
+
|
|
35
|
+
Tool dispatch authorization lives behind the `AgentToolAuthorizer` protocol. Implementations receive the calling agent id, the invoking user id (from `CallContext.user_id`), and the fully qualified tool name, and return a boolean decision.
|
|
36
|
+
|
|
37
|
+
Production deployments wire `RbacEvaluatorAuthorizer` (in `threetears.registry.rbac_authorizer`) which delegates to the unified rbac evaluator from `threetears.agent.acl`:
|
|
38
|
+
|
|
39
|
+
- The platform-side `ToolNamespaceEmitter` listens on `{ns}.tools.register` and upserts a `platform.namespaces` row of type `tool` per tool in every `RegistrationManifest`. The canonical `name` shape is `tools.<sanitized-mcp-name>.<sanitized-version>` (per `build_namespace_name`); `metadata` carries the pre-sanitized natural-identity fields `mcp_name` / `mcp_version` / `pod_id` so downstream pattern matching (the access materializer's agent.yaml `access.tools` patterns) does not need to reverse the sanitization rules.
|
|
40
|
+
- The authorizer resolves the tool namespace via an injected `NamespaceCollection`. The signature is `is_authorized(agent_id, user_id, tool_name, tool_version)`. The implementation builds the canonical lookup key via `build_namespace_name(PLURAL_PREFIX_TOOL, tool_name, tool_version)` rather than passing the raw `mcp_name` directly, so the lookup matches the row the emitter wrote.
|
|
41
|
+
- `evaluate_decision` resolves the two-sided grant chain: user side (groups the invoking user is in) intersected with agent side (groups the calling agent is in, short-circuited by namespace ownership). The decision is cached in `threetears.agent.acl.AclCache` with TTL + fine-grained invalidation; cross-process rbac mutations purge the cache promptly via the `acl.{membership,assignment,role}.invalidate` subjects the `RegistryRbacStack` subscribes to on startup.
|
|
42
|
+
|
|
43
|
+
Defense in depth: when `user_id=None` (tool dispatch without user identity) the authorizer denies unconditionally. When the namespace Collection's `get_by_name` returns `None` (tool registered but namespace row not yet visible) it denies. This catches registration races rather than defaulting to allow.
|
|
44
|
+
|
|
45
|
+
Platform-built-in tools land with `owner_agent_id=NULL, customer_id=NULL`. There is no implicit "anyone can call" behaviour for them. Grants are managed via explicit assignments on the platform-seeded `ToolCaller` role (same pattern as shared-type workspaces).
|
|
46
|
+
|
|
47
|
+
`RbacEvaluatorAuthorizer` is the only authorizer the production server wires: no dual-enforcement window, no back-compat aliases. The declarative `access.tools` expression on `agent.yaml` stays as operator-facing syntax and is translated to RBAC assignments at bootstrap.
|
|
48
|
+
|
|
49
|
+
## Dev-mode authorizers
|
|
50
|
+
|
|
51
|
+
`AllowAllAuthorizer` permits every dispatch unconditionally, enabled by `THREETEARS_REGISTRY_ALLOW_ALL_TOOLS=true`. Use only in local dev containers when an explicit RBAC bypass is needed.
|
|
52
|
+
|
|
53
|
+
`DenyAllAuthorizer` refuses every dispatch. Available as a panic-button kill switch via `THREETEARS_REGISTRY_FORCE_DENY_ALL=true`. It is also the millisecond-window placeholder the server holds *before* the rbac stack is wired against the live NATS client during `serve()`.
|
|
54
|
+
|
|
55
|
+
## Standalone entry point
|
|
56
|
+
|
|
57
|
+
```bash
|
|
58
|
+
python -m threetears.registry
|
|
59
|
+
```
|
|
60
|
+
|
|
61
|
+
Reads `THREETEARS_NATS_URL` (defaults to `nats://localhost:4222`) and `THREETEARS_NATS_SUBJECT_NAMESPACE` (the NATS subject namespace).
|
|
62
|
+
|
|
63
|
+
By default the entry point wires `RbacEvaluatorAuthorizer` against a self-contained `RegistryRbacStack` (NATS-proxy `NamespaceCollection` + four rbac metadata Collections + `AclCache` + invalidation subscribers). The proxy collections read through the platform broker's `system.platform.rbac` carve-out, so no direct DB credentials are needed. The registry is self-sufficient in any deployment with a reachable platform broker. Optional knobs:
|
|
64
|
+
|
|
65
|
+
- `THREETEARS_REGISTRY_ALLOW_ALL_TOOLS=true` -- bypass the rbac stack entirely (dev only).
|
|
66
|
+
- `THREETEARS_REGISTRY_FORCE_DENY_ALL=true` -- kill switch for misconfigured deployments.
|
|
67
|
+
- `THREETEARS_REGISTRY_ACL_TTL_SECONDS` -- override the AclCache TTL (default 60s).
|
|
68
|
+
|
|
69
|
+
Dispatch flow:
|
|
70
|
+
|
|
71
|
+
```mermaid
|
|
72
|
+
sequenceDiagram
|
|
73
|
+
participant Agent
|
|
74
|
+
participant Registry
|
|
75
|
+
participant RbacStack
|
|
76
|
+
participant PlatformBroker
|
|
77
|
+
participant ToolPod
|
|
78
|
+
|
|
79
|
+
Agent->>Registry: ProxyCallRequest(tool_name, tool_version, context.user_id)
|
|
80
|
+
Registry->>RbacStack: is_authorized(agent_id, user_id, tool_name, tool_version)
|
|
81
|
+
RbacStack->>RbacStack: build_namespace_name(PLURAL_PREFIX_TOOL, tool_name, tool_version)
|
|
82
|
+
RbacStack->>PlatformBroker: NamespaceCollection.get_by_name (system.platform.rbac proxy)
|
|
83
|
+
PlatformBroker-->>RbacStack: tool namespace row
|
|
84
|
+
RbacStack->>RbacStack: evaluate_decision (user ∩ agent grants)
|
|
85
|
+
RbacStack-->>Registry: True / False
|
|
86
|
+
Registry->>ToolPod: forward call (CallContext echoed)
|
|
87
|
+
ToolPod-->>Registry: CallResponse
|
|
88
|
+
Registry-->>Agent: ProxyCallResponse
|
|
89
|
+
```
|
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
# 3tears Registry
|
|
2
|
+
|
|
3
|
+
MCP-compatible tool registry for the 3tears tool system. Routes tool calls between agents and tool pods via NATS request/reply.
|
|
4
|
+
|
|
5
|
+
Part of the [3tears](https://github.com/pacepace/3tears) framework.
|
|
6
|
+
|
|
7
|
+
## Components
|
|
8
|
+
|
|
9
|
+
- **`ToolCatalog`** -- in-memory index of registered tool pods, backed by a NATS KV bucket for recovery across restarts.
|
|
10
|
+
- **`RegistrationHandler`** -- subscribes to `{ns}.tools.register` and mutates the catalog.
|
|
11
|
+
- **`HeartbeatMonitor`** -- sweeps pods whose heartbeats fell behind the timeout and evicts their endpoints.
|
|
12
|
+
- **`DiscoveryHandler`** -- serves `{ns}.tools.discover` for pod-readiness polling.
|
|
13
|
+
- **`CallProxy`** -- the hot path. Subscribes to `{ns}.tools.call`, authorizes via `AgentToolAuthorizer`, selects an endpoint via the configured `RoutingStrategy`, and forwards the call to the tool pod via NATS request/reply with identity + correlation carried through the `CallContext` envelope.
|
|
14
|
+
- **`RegistryRbacStack`** -- self-contained rbac surface the standalone server constructs against the connected NATS client: NATS-proxy `NamespaceCollection` + four rbac metadata Collections + `AclCache` + invalidation subscribers. The `_run_server()` entry point uses this to wire `RbacEvaluatorAuthorizer` without any host-application loaders, so a standalone server no longer defaults to deny-all.
|
|
15
|
+
|
|
16
|
+
## Authorization
|
|
17
|
+
|
|
18
|
+
Tool dispatch authorization lives behind the `AgentToolAuthorizer` protocol. Implementations receive the calling agent id, the invoking user id (from `CallContext.user_id`), and the fully qualified tool name, and return a boolean decision.
|
|
19
|
+
|
|
20
|
+
Production deployments wire `RbacEvaluatorAuthorizer` (in `threetears.registry.rbac_authorizer`) which delegates to the unified rbac evaluator from `threetears.agent.acl`:
|
|
21
|
+
|
|
22
|
+
- The platform-side `ToolNamespaceEmitter` listens on `{ns}.tools.register` and upserts a `platform.namespaces` row of type `tool` per tool in every `RegistrationManifest`. The canonical `name` shape is `tools.<sanitized-mcp-name>.<sanitized-version>` (per `build_namespace_name`); `metadata` carries the pre-sanitized natural-identity fields `mcp_name` / `mcp_version` / `pod_id` so downstream pattern matching (the access materializer's agent.yaml `access.tools` patterns) does not need to reverse the sanitization rules.
|
|
23
|
+
- The authorizer resolves the tool namespace via an injected `NamespaceCollection`. The signature is `is_authorized(agent_id, user_id, tool_name, tool_version)`. The implementation builds the canonical lookup key via `build_namespace_name(PLURAL_PREFIX_TOOL, tool_name, tool_version)` rather than passing the raw `mcp_name` directly, so the lookup matches the row the emitter wrote.
|
|
24
|
+
- `evaluate_decision` resolves the two-sided grant chain: user side (groups the invoking user is in) intersected with agent side (groups the calling agent is in, short-circuited by namespace ownership). The decision is cached in `threetears.agent.acl.AclCache` with TTL + fine-grained invalidation; cross-process rbac mutations purge the cache promptly via the `acl.{membership,assignment,role}.invalidate` subjects the `RegistryRbacStack` subscribes to on startup.
|
|
25
|
+
|
|
26
|
+
Defense in depth: when `user_id=None` (tool dispatch without user identity) the authorizer denies unconditionally. When the namespace Collection's `get_by_name` returns `None` (tool registered but namespace row not yet visible) it denies. This catches registration races rather than defaulting to allow.
|
|
27
|
+
|
|
28
|
+
Platform-built-in tools land with `owner_agent_id=NULL, customer_id=NULL`. There is no implicit "anyone can call" behaviour for them. Grants are managed via explicit assignments on the platform-seeded `ToolCaller` role (same pattern as shared-type workspaces).
|
|
29
|
+
|
|
30
|
+
`RbacEvaluatorAuthorizer` is the only authorizer the production server wires: no dual-enforcement window, no back-compat aliases. The declarative `access.tools` expression on `agent.yaml` stays as operator-facing syntax and is translated to RBAC assignments at bootstrap.
|
|
31
|
+
|
|
32
|
+
## Dev-mode authorizers
|
|
33
|
+
|
|
34
|
+
`AllowAllAuthorizer` permits every dispatch unconditionally, enabled by `THREETEARS_REGISTRY_ALLOW_ALL_TOOLS=true`. Use only in local dev containers when an explicit RBAC bypass is needed.
|
|
35
|
+
|
|
36
|
+
`DenyAllAuthorizer` refuses every dispatch. Available as a panic-button kill switch via `THREETEARS_REGISTRY_FORCE_DENY_ALL=true`. It is also the millisecond-window placeholder the server holds *before* the rbac stack is wired against the live NATS client during `serve()`.
|
|
37
|
+
|
|
38
|
+
## Standalone entry point
|
|
39
|
+
|
|
40
|
+
```bash
|
|
41
|
+
python -m threetears.registry
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
Reads `THREETEARS_NATS_URL` (defaults to `nats://localhost:4222`) and `THREETEARS_NATS_SUBJECT_NAMESPACE` (the NATS subject namespace).
|
|
45
|
+
|
|
46
|
+
By default the entry point wires `RbacEvaluatorAuthorizer` against a self-contained `RegistryRbacStack` (NATS-proxy `NamespaceCollection` + four rbac metadata Collections + `AclCache` + invalidation subscribers). The proxy collections read through the platform broker's `system.platform.rbac` carve-out, so no direct DB credentials are needed. The registry is self-sufficient in any deployment with a reachable platform broker. Optional knobs:
|
|
47
|
+
|
|
48
|
+
- `THREETEARS_REGISTRY_ALLOW_ALL_TOOLS=true` -- bypass the rbac stack entirely (dev only).
|
|
49
|
+
- `THREETEARS_REGISTRY_FORCE_DENY_ALL=true` -- kill switch for misconfigured deployments.
|
|
50
|
+
- `THREETEARS_REGISTRY_ACL_TTL_SECONDS` -- override the AclCache TTL (default 60s).
|
|
51
|
+
|
|
52
|
+
Dispatch flow:
|
|
53
|
+
|
|
54
|
+
```mermaid
|
|
55
|
+
sequenceDiagram
|
|
56
|
+
participant Agent
|
|
57
|
+
participant Registry
|
|
58
|
+
participant RbacStack
|
|
59
|
+
participant PlatformBroker
|
|
60
|
+
participant ToolPod
|
|
61
|
+
|
|
62
|
+
Agent->>Registry: ProxyCallRequest(tool_name, tool_version, context.user_id)
|
|
63
|
+
Registry->>RbacStack: is_authorized(agent_id, user_id, tool_name, tool_version)
|
|
64
|
+
RbacStack->>RbacStack: build_namespace_name(PLURAL_PREFIX_TOOL, tool_name, tool_version)
|
|
65
|
+
RbacStack->>PlatformBroker: NamespaceCollection.get_by_name (system.platform.rbac proxy)
|
|
66
|
+
PlatformBroker-->>RbacStack: tool namespace row
|
|
67
|
+
RbacStack->>RbacStack: evaluate_decision (user ∩ agent grants)
|
|
68
|
+
RbacStack-->>Registry: True / False
|
|
69
|
+
Registry->>ToolPod: forward call (CallContext echoed)
|
|
70
|
+
ToolPod-->>Registry: CallResponse
|
|
71
|
+
Registry-->>Agent: ProxyCallResponse
|
|
72
|
+
```
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
[build-system]
|
|
2
|
+
requires = ["hatchling"]
|
|
3
|
+
build-backend = "hatchling.build"
|
|
4
|
+
|
|
5
|
+
[project]
|
|
6
|
+
name = "3tears-registry"
|
|
7
|
+
version = "0.14.0"
|
|
8
|
+
description = "MCP-compatible tool registry for 3tears tool system"
|
|
9
|
+
readme = "README.md"
|
|
10
|
+
requires-python = ">=3.14"
|
|
11
|
+
authors = [{name = "pace"}]
|
|
12
|
+
license = "MIT"
|
|
13
|
+
license-files = ["LICENSE"]
|
|
14
|
+
dependencies = [
|
|
15
|
+
"3tears",
|
|
16
|
+
"3tears-agent-acl>=0.1.0",
|
|
17
|
+
"3tears-agent-tools>=0.5.0",
|
|
18
|
+
"3tears-nats",
|
|
19
|
+
"3tears-observe",
|
|
20
|
+
"nats-py>=2.0",
|
|
21
|
+
]
|
|
22
|
+
|
|
23
|
+
[project.urls]
|
|
24
|
+
Repository = "https://github.com/pacepace/3tears"
|
|
25
|
+
|
|
26
|
+
[tool.hatch.build.targets.wheel]
|
|
27
|
+
packages = ["src/threetears"]
|
|
28
|
+
|
|
29
|
+
[tool.uv.sources]
|
|
30
|
+
3tears = { workspace = true }
|
|
31
|
+
3tears-agent-acl = { workspace = true }
|
|
32
|
+
3tears-agent-tools = { workspace = true }
|
|
33
|
+
3tears-nats = { workspace = true }
|
|
34
|
+
3tears-observe = { workspace = true }
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
"""3tears-registry: MCP-compatible tool registry for 3tears tool system."""
|
|
2
|
+
|
|
3
|
+
from __future__ import annotations
|
|
4
|
+
|
|
5
|
+
# Version derived from pyproject.toml so the metadata is the single
|
|
6
|
+
# source of truth -- a future release that bumps pyproject without
|
|
7
|
+
# updating ``__init__.py`` can't drift the runtime ``__version__``.
|
|
8
|
+
# The except guard handles the rare case where the package isn't
|
|
9
|
+
# installed via importlib.metadata (e.g. running directly from a
|
|
10
|
+
# checked-out source tree without ``uv sync``); the fallback keeps
|
|
11
|
+
# imports working but reports ``unknown`` rather than crashing.
|
|
12
|
+
from importlib.metadata import PackageNotFoundError as _PackageNotFoundError
|
|
13
|
+
from importlib.metadata import version as _version
|
|
14
|
+
|
|
15
|
+
try:
|
|
16
|
+
__version__ = _version("3tears-registry")
|
|
17
|
+
except _PackageNotFoundError: # pragma: no cover - dev fallback
|
|
18
|
+
__version__ = "unknown"
|
|
19
|
+
|
|
20
|
+
from threetears.registry.auth import (
|
|
21
|
+
AgentToolAuthorizer,
|
|
22
|
+
AllowAllAuthorizer,
|
|
23
|
+
DenyAllAuthorizer,
|
|
24
|
+
ToolPodAuth,
|
|
25
|
+
ToolPodAuthenticator,
|
|
26
|
+
)
|
|
27
|
+
from threetears.registry.catalog import CatalogEntry, ToolCatalog, ToolEndpoint
|
|
28
|
+
from threetears.registry.discovery import DiscoveryHandler
|
|
29
|
+
from threetears.registry.entities import HeartbeatEntity
|
|
30
|
+
from threetears.registry.health import HeartbeatSubscriber
|
|
31
|
+
from threetears.registry.heartbeat_collection import HeartbeatCollection
|
|
32
|
+
from threetears.registry.l1_cache import (
|
|
33
|
+
REGISTRY_L1_METADATA,
|
|
34
|
+
REGISTRY_L1_TABLE_NAMES,
|
|
35
|
+
create_registry_l1_backend,
|
|
36
|
+
pod_heartbeats_table,
|
|
37
|
+
)
|
|
38
|
+
from threetears.registry.proxy import CallProxy
|
|
39
|
+
from threetears.registry.rbac_authorizer import RbacEvaluatorAuthorizer
|
|
40
|
+
from threetears.registry.registration import RegistrationHandler, RegistrationResponse
|
|
41
|
+
from threetears.registry.routing import LeastConnectionsStrategy, RoutingStrategy
|
|
42
|
+
from threetears.registry.server import RegistryServer
|
|
43
|
+
|
|
44
|
+
__all__ = [
|
|
45
|
+
"AgentToolAuthorizer",
|
|
46
|
+
"AllowAllAuthorizer",
|
|
47
|
+
"CallProxy",
|
|
48
|
+
"CatalogEntry",
|
|
49
|
+
"DenyAllAuthorizer",
|
|
50
|
+
"DiscoveryHandler",
|
|
51
|
+
"HeartbeatCollection",
|
|
52
|
+
"HeartbeatEntity",
|
|
53
|
+
"HeartbeatSubscriber",
|
|
54
|
+
"LeastConnectionsStrategy",
|
|
55
|
+
"REGISTRY_L1_METADATA",
|
|
56
|
+
"REGISTRY_L1_TABLE_NAMES",
|
|
57
|
+
"RbacEvaluatorAuthorizer",
|
|
58
|
+
"RegistrationHandler",
|
|
59
|
+
"RegistrationResponse",
|
|
60
|
+
"RegistryServer",
|
|
61
|
+
"RoutingStrategy",
|
|
62
|
+
"ToolCatalog",
|
|
63
|
+
"ToolEndpoint",
|
|
64
|
+
"ToolPodAuth",
|
|
65
|
+
"ToolPodAuthenticator",
|
|
66
|
+
"create_registry_l1_backend",
|
|
67
|
+
"pod_heartbeats_table",
|
|
68
|
+
]
|