agent-sleuth 0.0.1__py3-none-any.whl

agent_sleuth/__init__.py

@@ -0,0 +1,35 @@
+"""Agent Sleuth — prevents untrusted data from triggering consequential actions in your agent.
+
+In-process information-flow-control for LLM agents. Value-level provenance lineage tracked
+at the tool-I/O boundary: deterministic, classifier-free, zero extra LLM calls on the
+common path. See AGENT_SLEUTH_ARCHITECTURE.MD.
+"""
+
+from .core.errors import TaintViolationError
+from .core.policy import IFCPolicy
+from .core.values import TaintedValue, Trust
+from .engine import Engine
+from .runtime import Sleuth
+
+__all__ = [
+    "Sleuth",
+    "Engine",
+    "Trust",
+    "TaintedValue",
+    "IFCPolicy",
+    "TaintViolationError",
+    "tracked_tool",
+]
+
+try:
+    from importlib.metadata import version as _version
+    __version__ = _version("agent_sleuth")
+except Exception:
+    __version__ = "0.0.1"
+
+
+def tracked_tool(engine, name=None):
+    """Decorator factory for raw tools (re-exported from adapters.decorator)."""
+    from .adapters.decorator import tracked_tool as _tt
+
+    return _tt(engine, name=name)

agent_sleuth/adapters/__init__.py

@@ -0,0 +1,5 @@
+"""Framework adapters. Translate framework callbacks into core Engine calls."""
+
+from .decorator import tracked_tool
+
+__all__ = ["tracked_tool"]

agent_sleuth/adapters/decorator.py

@@ -0,0 +1,56 @@
+"""adapters/decorator.py — @tracked_tool for raw/custom agents (§4.9, v0 step 1).
+
+Wraps a plain tool function so that, with no agent framework, every call runs the ingress
+lineage check (raise in enforce, log in audit) and every return is fingerprinted + labeled.
+
+Usage::
+
+    sleuth = Sleuth(agent=None, ...)        # owns the engine
+    fetch_url = sleuth.track(fetch_url)     # or: @sleuth.tracked_tool
+    send_email = sleuth.track(send_email)
+
+The standalone ``tracked_tool(engine)`` decorator factory is also exported for users who
+construct an Engine directly.
+"""
+
+from __future__ import annotations
+
+import functools
+import inspect
+from typing import Any, Callable
+
+from ..engine import Engine
+
+
+def _call_args(fn: Callable, args: tuple, kwargs: dict) -> dict[str, Any]:
+    """Best-effort bind positional+keyword args into a name->value dict for the checker."""
+    try:
+        bound = inspect.signature(fn).bind_partial(*args, **kwargs)
+        bound.apply_defaults()
+        return dict(bound.arguments)
+    except (TypeError, ValueError):
+        # Fall back to kwargs plus positional-by-index.
+        merged = dict(kwargs)
+        for i, a in enumerate(args):
+            merged[f"arg{i}"] = a
+        return merged
+
+
+def tracked_tool(engine: Engine, name: str | None = None) -> Callable[[Callable], Callable]:
+    """Decorator factory: bind a tool function to an Engine for ingress/egress tracking."""
+
+    def decorate(fn: Callable) -> Callable:
+        tool_name = name or getattr(fn, "__name__", "tool")
+
+        @functools.wraps(fn)
+        def wrapper(*args: Any, **kwargs: Any) -> Any:
+            call_args = _call_args(fn, args, kwargs)
+            engine.on_tool_call(tool_name, call_args)  # may raise in enforce mode
+            result = fn(*args, **kwargs)
+            engine.on_tool_result(tool_name, result)
+            return result
+
+        wrapper.__sleuth_tool_name__ = tool_name  # type: ignore[attr-defined]
+        return wrapper
+
+    return decorate

agent_sleuth/adapters/langchain.py

@@ -0,0 +1,121 @@
+"""adapters/langchain.py — the LangChain interception layer (§4.6).
+
+Integration is a ``BaseCallbackHandler`` the developer passes in — zero changes to their
+agent. ``on_tool_end`` fingerprints + labels output (egress); ``on_tool_start`` runs the
+ingress lineage check (enforce raises, audit logs).
+
+LangChain is imported lazily so ``core/`` and the rest of the library stay dependency-free
+(§11.3, Friction 3 §6). If langchain-core is not installed, importing the handler raises a
+clear error; the rest of agent_sleuth still works.
+
+Stability hazard (§4.6, §6): pin to the stable callback interface; the core engine is
+framework-agnostic so adding CrewAI / ADK / raw agents never touches the engine.
+"""
+
+from __future__ import annotations
+
+import json
+from typing import Any
+from uuid import UUID
+
+from ..engine import Engine
+
+try:  # pragma: no cover - import shim
+    from langchain_core.callbacks import BaseCallbackHandler
+
+    _HAS_LANGCHAIN = True
+except Exception:  # pragma: no cover
+    _HAS_LANGCHAIN = False
+
+    class BaseCallbackHandler:  # type: ignore[no-redef]
+        """Fallback base so the module imports without langchain-core installed."""
+
+
+def _parse_input(input_str: str, inputs: dict[str, Any] | None) -> dict[str, Any]:
+    """Resolve a tool's call args from LangChain's on_tool_start payload.
+
+    Newer LangChain passes structured ``inputs``; older versions pass an ``input_str``
+    (often a JSON object, sometimes a bare string). Handle both.
+    """
+    if inputs:
+        return dict(inputs)
+    s = (input_str or "").strip()
+    if s[:1] in ("{", "["):
+        try:
+            parsed = json.loads(s)
+            if isinstance(parsed, dict):
+                return parsed
+        except (ValueError, TypeError):
+            pass
+    return {"input": input_str}
+
+
+def _extract_content(output: Any) -> Any:
+    """LangChain may wrap output in a ToolMessage; pull the content if present."""
+    return getattr(output, "content", output)
+
+
+class IFCCallbackHandler(BaseCallbackHandler):
+    """Sync LangChain callback handler driving the Sleuth engine at the tool boundary."""
+
+    def __init__(self, engine: Engine):
+        if not _HAS_LANGCHAIN:
+            raise ImportError(
+                "IFCCallbackHandler requires langchain-core. "
+                "Install with: pip install 'agent_sleuth[langchain]'"
+            )
+        self.engine = engine
+        # Map LangChain run_id -> tool name so on_tool_end knows which tool produced output.
+        self._run_tools: dict[UUID, str] = {}
+
+    def _start(self, serialized, input_str, run_id, inputs):
+        name = (serialized or {}).get("name", "tool")
+        if run_id is not None:
+            self._run_tools[run_id] = name
+        self.engine.on_tool_call(name, _parse_input(input_str, inputs))
+
+    def _end(self, output, run_id, kwargs):
+        name = self._run_tools.pop(run_id, None) if run_id is not None else None
+        name = name or kwargs.get("name") or "tool"
+        self.engine.on_tool_result(name, _extract_content(output))
+
+    # --- ingress -----------------------------------------------------------------
+    def on_tool_start(
+        self,
+        serialized: dict[str, Any],
+        input_str: str,
+        *,
+        run_id: UUID | None = None,
+        inputs: dict[str, Any] | None = None,
+        **kwargs: Any,
+    ) -> None:
+        # Raises TaintViolationError in enforce mode to halt the call.
+        self._start(serialized, input_str, run_id, inputs)
+
+    # --- egress ------------------------------------------------------------------
+    def on_tool_end(self, output: Any, *, run_id: UUID | None = None, **kwargs: Any) -> None:
+        self._end(output, run_id, kwargs)
+
+
+class AsyncIFCCallbackHandler(IFCCallbackHandler):
+    """Async LangChain callback handler. Delegates to the same synchronous core (§ async).
+
+    The engine's work is pure-Python and non-blocking, so async callbacks simply await the
+    shared sync logic.
+    """
+
+    async def on_tool_start(  # type: ignore[override]
+        self,
+        serialized: dict[str, Any],
+        input_str: str,
+        *,
+        run_id: UUID | None = None,
+        inputs: dict[str, Any] | None = None,
+        **kwargs: Any,
+    ) -> None:
+        self._start(serialized, input_str, run_id, inputs)
+
+    async def on_tool_end(  # type: ignore[override]
+        self, output: Any, *, run_id: UUID | None = None, **kwargs: Any
+    ) -> None:
+        self._end(output, run_id, kwargs)

agent_sleuth/config.py

@@ -0,0 +1,51 @@
+"""config.py — optional YAML config loading (§4, §12).
+
+Produces an IFCPolicy from a YAML file; falls back to name-based defaults when absent.
+PyYAML is an optional dependency: ``pip install 'agent_sleuth[config]'``.
+
+Example config::
+
+    mode: audit
+    untrusted_sources: [read_email, fetch_url, search_web]
+    consequential_actions: [send_email, write_file, post_slack]
+    destination_allowlist: [me@myco.com]
+    destination_fields:
+        post_slack: channel
+    strict: false
+"""
+
+from __future__ import annotations
+
+from pathlib import Path
+from typing import Any
+
+from .core.policy import IFCPolicy
+
+
+def policy_from_dict(data: dict[str, Any]) -> IFCPolicy:
+    return IFCPolicy(
+        untrusted_sources=list(data.get("untrusted_sources", []) or []),
+        consequential_actions=list(data.get("consequential_actions", []) or []),
+        destination_allowlist=list(data.get("destination_allowlist", []) or []),
+        destination_fields=dict(data.get("destination_fields", {}) or {}),
+        mode=data.get("mode", "audit"),
+        strict=bool(data.get("strict", False)),
+        use_name_heuristics=bool(data.get("use_name_heuristics", True)),
+    )
+
+
+def load_policy(path: str | Path) -> IFCPolicy:
+    """Load an IFCPolicy from a YAML file. Returns name-based defaults if the file is
+    missing. Raises ImportError if PyYAML is not installed and a real file is present."""
+    p = Path(path)
+    if not p.exists():
+        return IFCPolicy.from_defaults()
+    try:
+        import yaml
+    except ImportError as e:  # pragma: no cover
+        raise ImportError(
+            "Loading a config file requires PyYAML. "
+            "Install with: pip install 'agent_sleuth[config]'"
+        ) from e
+    data = yaml.safe_load(p.read_text()) or {}
+    return policy_from_dict(data)

agent_sleuth/core/__init__.py

@@ -0,0 +1,23 @@
+"""Framework-agnostic core engine. Never imports an agent framework (§11.3)."""
+
+from .errors import TaintViolationError
+from .fingerprint import extract_values, fingerprint, normalize
+from .lineage import Violation, check
+from .policy import IFCPolicy
+from .store import TaintStore
+from .trace import render
+from .values import TaintedValue, Trust
+
+__all__ = [
+    "TaintViolationError",
+    "extract_values",
+    "fingerprint",
+    "normalize",
+    "Violation",
+    "check",
+    "IFCPolicy",
+    "TaintStore",
+    "render",
+    "TaintedValue",
+    "Trust",
+]

agent_sleuth/core/errors.py

@@ -0,0 +1,15 @@
+"""core/errors.py — exceptions."""
+
+from __future__ import annotations
+
+from .lineage import Violation
+
+
+class TaintViolationError(Exception):
+    """Raised (enforce mode only) when a consequential sink call carries untrusted-origin
+    data to a non-allowlisted destination. Carries the Violation and its rendered trace."""
+
+    def __init__(self, violation: Violation, rendered: str):
+        self.violation = violation
+        self.rendered = rendered
+        super().__init__(rendered)

agent_sleuth/core/fingerprint.py

@@ -0,0 +1,145 @@
+"""core/fingerprint.py — turning tool outputs into trackable values (§4.2).
+
+This is the heart of the value-level approach. On every tool return we extract the
+*specific values* worth tracking rather than labeling the whole blob:
+
+- Structured returns (dict / list / JSON-string) are tracked per-field.
+- Free text is indexed by high-value extractables (emails, URLs, tokens, phones, IDs)
+  pulled with regex, plus the whole normalized blob as a coarse substring candidate.
+
+Matching is deterministic and classifier-free (design principle §11.1): no model is ever
+asked "is this an injection?". The only question is "did this exact untrusted-origin value
+appear in a sink argument?".
+"""
+
+from __future__ import annotations
+
+import hashlib
+import json
+import re
+import time
+from typing import Any
+
+from .values import TaintedValue, Trust
+
+# Minimum length (in characters) for a substring/extractable to count as a trackable
+# "value". Too short → spurious matches; this is the §12 open decision, resolved at 6.
+MIN_VALUE_LEN = 6
+
+# Ordered extractable inventory (§4.2, §12). Order matters: more specific patterns first
+# so e.g. a token inside a URL is captured by the URL rule. Each entry is (kind, regex).
+_EXTRACTABLE_PATTERNS: list[tuple[str, re.Pattern[str]]] = [
+    ("url", re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)),
+    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
+    ("token", re.compile(r"\b(?:sk|pk|ghp|gho|ghs|xox[baprs])[-_][A-Za-z0-9_-]{8,}\b")),
+    ("uuid", re.compile(r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
+                        r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b")),
+    # Long hex / base64-ish secret blobs (API keys, hashes) — >= 20 chars.
+    ("secret", re.compile(r"\b[A-Za-z0-9+/=_-]{20,}\b")),
+    ("phone", re.compile(r"\+?\d[\d\s().-]{7,}\d")),
+]
+
+# Kinds whose values are case-insensitive identifiers and may be casefolded when
+# normalized. Free text keeps its original case to avoid over-matching.
+_CASEFOLD_KINDS = {"email", "url", "uuid"}
+
+_WS = re.compile(r"\s+")
+
+
+def normalize(s: str, *, casefold: bool = False) -> str:
+    """Normalize a string for content-addressing: trim, collapse whitespace runs."""
+    out = _WS.sub(" ", s.strip())
+    return out.casefold() if casefold else out
+
+
+def fingerprint(s: str, *, casefold: bool = False) -> str:
+    """Content-addressed key for a value: SHA-256 of its normalized form."""
+    return hashlib.sha256(normalize(s, casefold=casefold).encode("utf-8")).hexdigest()
+
+
+def _flatten(obj: Any, prefix: str = "") -> list[tuple[str, Any]]:
+    """Yield (field_path, leaf_value) for a nested dict/list structure."""
+    leaves: list[tuple[str, Any]] = []
+    if isinstance(obj, dict):
+        for k, v in obj.items():
+            path = f"{prefix}.{k}" if prefix else str(k)
+            leaves.extend(_flatten(v, path))
+    elif isinstance(obj, (list, tuple)):
+        for i, v in enumerate(obj):
+            leaves.extend(_flatten(v, f"{prefix}[{i}]"))
+    else:
+        leaves.append((prefix, obj))
+    return leaves
+
+
+def _coerce_structured(output: Any) -> Any | None:
+    """Return a dict/list if output is one (or a JSON string encoding one), else None."""
+    if isinstance(output, (dict, list, tuple)):
+        return output
+    if isinstance(output, str):
+        text = output.strip()
+        if text[:1] in ("{", "["):
+            try:
+                return json.loads(text)
+            except (ValueError, TypeError):
+                return None
+    return None
+
+
+def extract_values(
+    output: Any,
+    *,
+    source: str,
+    trust: Trust,
+    trace_id: str,
+    step: int | None = None,
+) -> list[TaintedValue]:
+    """Extract the specific trackable values from a tool's output.
+
+    Structured outputs are tracked per leaf field; free text is indexed by regex
+    extractables (plus the whole normalized blob). Returns one TaintedValue per value.
+    """
+    now = time.time()
+    values: list[TaintedValue] = []
+    seen: set[str] = set()
+
+    def add(val: Any, field_path: str | None) -> None:
+        if val is None:
+            return
+        text = val if isinstance(val, str) else str(val)
+        if len(normalize(text)) < MIN_VALUE_LEN:
+            return
+        fp = fingerprint(text)
+        if fp in seen:
+            return
+        seen.add(fp)
+        values.append(
+            TaintedValue(
+                value=text,
+                trust=trust,
+                source=source,
+                trace_id=trace_id,
+                created_at=now,
+                field_path=field_path,
+                step=step,
+            )
+        )
+
+    structured = _coerce_structured(output)
+    if structured is not None:
+        for path, leaf in _flatten(structured):
+            add(leaf, path or None)
+            # Leaf strings may themselves embed extractables (e.g. a body field).
+            if isinstance(leaf, str):
+                for _kind, pat in _EXTRACTABLE_PATTERNS:
+                    for m in pat.findall(leaf):
+                        add(m, path or None)
+    else:
+        text = output if isinstance(output, str) else str(output)
+        for _kind, pat in _EXTRACTABLE_PATTERNS:
+            for m in pat.findall(text):
+                add(m, None)
+        # Coarse fallback: the whole normalized blob, for verbatim substring lineage.
+        add(text, None)
+
+    return values

agent_sleuth/core/lineage.py

@@ -0,0 +1,128 @@
+"""core/lineage.py — the matching engine (§4.5).
+
+Given a pending sink call (tool name + arguments) and the provenance store, decide whether
+the call carries untrusted-origin values to a non-allowlisted destination. The check is
+deterministic: verbatim substring match or structured-field equality against untrusted
+fingerprints — never an LLM judging intent (§11.1).
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Any
+
+from .fingerprint import MIN_VALUE_LEN, fingerprint, normalize
+from .policy import IFCPolicy
+from .store import TaintStore
+
+
+@dataclass
+class Violation:
+    """A detected untrusted-origin → sink flow, carrying the full lineage chain."""
+
+    sink_tool: str
+    sink_field: str | None
+    sink_arg_value: str
+    matched_value: str
+    source_tool: str
+    source_step: int | None
+    source_field_path: str | None
+    destination: str | None
+    mode: str
+    reason: str = "untrusted-origin value reached a consequential sink"
+    blocked: bool = False
+
+    def to_dict(self) -> dict[str, Any]:
+        return {
+            "sink_tool": self.sink_tool,
+            "sink_field": self.sink_field,
+            "sink_arg_value": self.sink_arg_value,
+            "matched_value": self.matched_value,
+            "source_tool": self.source_tool,
+            "source_step": self.source_step,
+            "source_field_path": self.source_field_path,
+            "destination": self.destination,
+            "mode": self.mode,
+            "reason": self.reason,
+            "blocked": self.blocked,
+        }
+
+
+def _iter_arg_values(args: dict[str, Any]) -> list[tuple[str, str]]:
+    """Flatten sink args into (field_name, text) pairs for matching."""
+    out: list[tuple[str, str]] = []
+
+    def rec(field_name: str, val: Any) -> None:
+        if isinstance(val, dict):
+            for k, v in val.items():
+                rec(f"{field_name}.{k}" if field_name else str(k), v)
+        elif isinstance(val, (list, tuple)):
+            for i, v in enumerate(val):
+                rec(f"{field_name}[{i}]", v)
+        elif val is not None:
+            out.append((field_name, val if isinstance(val, str) else str(val)))
+
+    for k, v in args.items():
+        rec(k, v)
+    return out
+
+
+def check(
+    tool_name: str,
+    args: dict[str, Any],
+    store: TaintStore,
+    policy: IFCPolicy,
+    query: str | None = None,
+) -> Violation | None:
+    """Run the v0 lineage algorithm. Returns a Violation or None (allow)."""
+    # 1. Not consequential → allow.
+    if not policy.is_consequential(tool_name):
+        return None
+
+    # 2. Destination allowlisted (config) or in trusted query → allow.
+    destination = policy.resolve_destination(tool_name, args)
+    if policy.is_allowed_destination(destination, query):
+        return None
+
+    arg_values = _iter_arg_values(args)
+    untrusted = store.untrusted_values()
+
+    # 3. For each value in the sink args, test value-lineage against untrusted fingerprints.
+    for tv in untrusted:
+        src_text = tv.value if isinstance(tv.value, str) else str(tv.value)
+        src_fp = fingerprint(src_text)
+        src_norm = normalize(src_text)
+        if len(src_norm) < MIN_VALUE_LEN:
+            continue
+        for field_name, arg_text in arg_values:
+            arg_norm = normalize(arg_text)
+            # Structured-field equality (exact) or verbatim substring containment.
+            if fingerprint(arg_text) == src_fp or src_norm in arg_norm:
+                return Violation(
+                    sink_tool=tool_name,
+                    sink_field=field_name,
+                    sink_arg_value=arg_text,
+                    matched_value=src_text,
+                    source_tool=tv.source,
+                    source_step=tv.step,
+                    source_field_path=tv.field_path,
+                    destination=destination,
+                    mode=policy.mode,
+                )
+
+    # 5. Strict / run-level mode: no untrusted value present but run is tainted → violation.
+    if policy.strict and store.is_run_tainted():
+        return Violation(
+            sink_tool=tool_name,
+            sink_field=None,
+            sink_arg_value="",
+            matched_value="(run-level taint)",
+            source_tool="(run)",
+            source_step=None,
+            source_field_path=None,
+            destination=destination,
+            mode=policy.mode,
+            reason="strict mode: consequential sink fired in a tainted run",
+        )
+
+    return None

agent_sleuth/core/policy.py

@@ -0,0 +1,106 @@
+"""core/policy.py — the policy (§4.4).
+
+Classifies tools as untrusted sources / consequential sinks, resolves a sink's destination
+field, and decides whether a destination is allowed (configurable allowlist + the §13
+implicit "appears verbatim in the trusted query" notion).
+
+Defaults from tool-name conventions make config trivial (Friction 1, §6): most developers
+never touch the lists.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from typing import Any
+
+from .fingerprint import normalize
+
+# Name-based heuristics (§4.4). A tool counts as the category if its name contains any keyword.
+UNTRUSTED_KEYWORDS = ("read", "fetch", "search", "get", "browse", "retrieve", "load")
+CONSEQUENTIAL_KEYWORDS = ("send", "write", "delete", "post", "update", "create", "execute", "run")
+
+# Default destination-field map (tool name substring -> arg field holding the destination).
+DEFAULT_DESTINATION_FIELDS: dict[str, str] = {
+    "send_email": "to",
+    "email": "to",
+    "http_post": "url",
+    "post": "url",
+    "write_file": "path",
+    "write": "path",
+    "slack": "channel",
+}
+
+# Field-name heuristics tried (in order) when no explicit map entry matches.
+DESTINATION_FIELD_HEURISTICS = ("to", "recipient", "recipients", "url", "endpoint",
+                                "path", "channel", "destination", "dest", "address")
+
+
+def _matches_keyword(tool_name: str, keywords: tuple[str, ...]) -> bool:
+    name = tool_name.lower()
+    return any(k in name for k in keywords)
+
+
+@dataclass
+class IFCPolicy:
+    untrusted_sources: list[str] = field(default_factory=list)
+    consequential_actions: list[str] = field(default_factory=list)
+    destination_allowlist: list[str] = field(default_factory=list)
+    destination_fields: dict[str, str] = field(default_factory=dict)
+    mode: str = "audit"  # "audit" | "enforce" | "confirm"
+    strict: bool = False  # run-level taint enforcement (coarse, §4.3)
+    use_name_heuristics: bool = True
+
+    def is_untrusted_source(self, tool_name: str) -> bool:
+        if tool_name in self.untrusted_sources:
+            return True
+        if self.use_name_heuristics and _matches_keyword(tool_name, UNTRUSTED_KEYWORDS):
+            return True
+        return False
+
+    def is_consequential(self, tool_name: str) -> bool:
+        if tool_name in self.consequential_actions:
+            return True
+        if self.use_name_heuristics and _matches_keyword(tool_name, CONSEQUENTIAL_KEYWORDS):
+            return True
+        return False
+
+    def resolve_destination(self, tool_name: str, args: dict[str, Any]) -> str | None:
+        """Identify the destination value in a sink call's args.
+
+        Tries the explicit destination_fields map (default + developer overrides), then
+        the field-name heuristics.
+        """
+        merged = {**DEFAULT_DESTINATION_FIELDS, **self.destination_fields}
+        # Exact tool match first, then substring match on tool name.
+        for key in (tool_name, *(k for k in merged if k in tool_name.lower())):
+            fieldname = merged.get(key)
+            if fieldname and fieldname in args:
+                return _as_text(args[fieldname])
+        for fieldname in DESTINATION_FIELD_HEURISTICS:
+            if fieldname in args:
+                return _as_text(args[fieldname])
+        return None
+
+    def is_allowed_destination(self, dest: str | None, query: str | None = None) -> bool:
+        """A destination is allowed if it is on the configurable allowlist (§4.4) or
+        appears verbatim in the trusted query (§13 implicit notion)."""
+        if not dest:
+            return False
+        norm_dest = normalize(dest, casefold=True)
+        for allowed in self.destination_allowlist:
+            if normalize(allowed, casefold=True) == norm_dest:
+                return True
+        if query and norm_dest and norm_dest in normalize(query, casefold=True):
+            return True
+        return False
+
+    @classmethod
+    def from_defaults(cls, mode: str = "audit") -> "IFCPolicy":
+        """Policy driven purely by name heuristics + empty allowlist."""
+        return cls(mode=mode, use_name_heuristics=True)
+
+
+def _as_text(v: Any) -> str:
+    if isinstance(v, (list, tuple)):
+        return ", ".join(str(x) for x in v)
+    return str(v)

agent_sleuth/core/store.py

@@ -0,0 +1,85 @@
+"""core/store.py — the provenance store (§4.3).
+
+Holds labels and lineage across tool calls *within a single agent run*. The LLM's context
+window is stateful, so the label store must match that statefulness. Two levels of
+granularity, both implemented:
+
+1. Value-level lineage (primary, the wedge): content-addressed fingerprint -> TaintedValue.
+2. Run-level taint (coarse fallback / strict mode): once any untrusted data enters the run,
+   the whole run is considered tainted.
+
+``reset()`` is called at the start of every run — taint does not bleed across independent
+agent invocations.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+from .fingerprint import fingerprint
+from .values import TaintedValue, Trust
+
+
+@dataclass
+class StoreEvent:
+    """An ordered record of one tool's labeled output, for trace rendering."""
+
+    step: int
+    source: str
+    trust: Trust
+    values: list[TaintedValue]
+
+
+class TaintStore:
+    def __init__(self) -> None:
+        self._store: dict[str, TaintedValue] = {}
+        self._run_taint_level: Trust = Trust.TRUSTED
+        self._events: list[StoreEvent] = []
+        self._step: int = 0
+
+    def next_step(self) -> int:
+        """Advance and return the current tool-call step index (1-based)."""
+        self._step += 1
+        return self._step
+
+    @property
+    def step(self) -> int:
+        return self._step
+
+    def label(self, values: list[TaintedValue], *, source: str, trust: Trust) -> None:
+        """Record a tool's extracted values into the store and the event log."""
+        for v in values:
+            fp = fingerprint(v.value if isinstance(v.value, str) else str(v.value))
+            # First writer wins for a given fingerprint, but untrusted always dominates
+            # (conservative: a value seen as untrusted stays untrusted).
+            existing = self._store.get(fp)
+            if existing is None or (existing.trust == Trust.TRUSTED and v.is_tainted()):
+                self._store[fp] = v
+        if trust == Trust.UNTRUSTED:
+            self._run_taint_level = Trust.UNTRUSTED
+        self._events.append(
+            StoreEvent(step=values[0].step if values else self._step,
+                       source=source, trust=trust, values=values)
+        )
+
+    def get(self, fp: str) -> TaintedValue | None:
+        return self._store.get(fp)
+
+    def untrusted_values(self) -> list[TaintedValue]:
+        return [v for v in self._store.values() if v.is_tainted()]
+
+    def get_run_trust(self) -> Trust:
+        return self._run_taint_level
+
+    def is_run_tainted(self) -> bool:
+        return self._run_taint_level == Trust.UNTRUSTED
+
+    def events(self) -> list[StoreEvent]:
+        return list(self._events)
+
+    def reset(self) -> None:
+        """Fresh taint state per run."""
+        self._store.clear()
+        self._run_taint_level = Trust.TRUSTED
+        self._events.clear()
+        self._step = 0

agent_sleuth/core/trace.py

@@ -0,0 +1,49 @@
+"""core/trace.py — the "why blocked" provenance trace (§4.7).
+
+This is not a nice-to-have, it is the marketing (§8). On every violation we render the
+lineage chain from source to sink in a form that is genuinely readable and shareable. A
+screenshot of a caught attack is the entire early growth strategy.
+"""
+
+from __future__ import annotations
+
+from .lineage import Violation
+
+
+def _short(s: str, limit: int = 80) -> str:
+    s = s.replace("\n", " ").strip()
+    return s if len(s) <= limit else s[: limit - 1] + "…"
+
+
+def render(violation: Violation) -> str:
+    """Render a violation as a readable source→sink lineage chain."""
+    v = violation
+    verb = "BLOCKED" if v.blocked else "WOULD BLOCK"
+
+    src = v.source_tool
+    if v.source_step is not None:
+        src += f" (step {v.source_step}, untrusted)"
+    else:
+        src += " (untrusted)"
+    if v.source_field_path:
+        src += f" field {v.source_field_path}"
+
+    sink_field = v.sink_field or "?"
+    lineage = (f"{v.source_tool}"
+               + (f" (step {v.source_step})" if v.source_step is not None else "")
+               + f" → value \"{_short(v.matched_value)}\""
+               + f" → {v.sink_tool}.{sink_field}")
+
+    action = "blocked, call halted" if v.blocked else "logged (audit mode), call allowed"
+
+    lines = [
+        f"{verb}: {v.sink_tool}() called with tainted inputs",
+        f"  Taint source: {src}",
+        f"  Injected value detected in argument: {sink_field}=\"{_short(v.sink_arg_value)}\"",
+        f"  Lineage: {lineage}",
+    ]
+    if v.destination:
+        lines.append(f"  Destination: {_short(v.destination)} (not allowlisted)")
+    lines.append(f"  Reason: {v.reason}")
+    lines.append(f"  Action: {action}")
+    return "\n".join(lines)

agent_sleuth/core/values.py

@@ -0,0 +1,43 @@
+"""core/values.py — the atom.
+
+Every piece of data the system tracks is a labeled value (§4.1).
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from enum import Enum
+from typing import Any
+
+
+class Trust(Enum):
+    TRUSTED = "trusted"
+    UNTRUSTED = "untrusted"
+
+
+@dataclass
+class TaintedValue:
+    """A single tracked value plus its provenance label.
+
+    Attributes:
+        value: the raw extracted value (string for free-text extractables, or the
+            leaf value for structured returns).
+        trust: TRUSTED or UNTRUSTED.
+        source: which tool produced this value.
+        trace_id: id that ties this value to a lineage across hops.
+        created_at: wall-clock time the value was recorded (ordering / display).
+        field_path: for structured returns, the path to the leaf (e.g.
+            ``results[0].email``). ``None`` for free-text extractables.
+        step: the tool-call step index within the run (for "fetch_url at step 2").
+    """
+
+    value: Any
+    trust: Trust
+    source: str
+    trace_id: str
+    created_at: float
+    field_path: str | None = None
+    step: int | None = None
+
+    def is_tainted(self) -> bool:
+        return self.trust == Trust.UNTRUSTED

agent_sleuth/engine.py

@@ -0,0 +1,84 @@
+"""engine.py — framework-agnostic ingress/egress glue shared by all adapters.
+
+The adapters (decorator, LangChain callback, future MCP proxy) are thin: they translate
+framework events into two calls on the Engine:
+
+- ``on_tool_call(name, args)`` — ingress: lineage-check a pending sink call. Raises in
+  enforce mode, records a (non-blocking) violation in audit mode.
+- ``on_tool_result(name, output)`` — egress: fingerprint + label the tool output.
+
+The Engine owns no framework imports, keeping ``core/`` and this glue dependency-free.
+"""
+
+from __future__ import annotations
+
+import logging
+from typing import Any, Callable
+
+from .core.errors import TaintViolationError
+from .core.fingerprint import extract_values
+from .core.lineage import Violation, check
+from .core.policy import IFCPolicy
+from .core.store import TaintStore
+from .core.trace import render
+from .core.values import Trust
+
+logger = logging.getLogger("agent_sleuth")
+
+
+class Engine:
+    def __init__(self, policy: IFCPolicy, store: TaintStore):
+        self.policy = policy
+        self.store = store
+        self.violations: list[Violation] = []
+        self.query: str | None = None
+        self.confirm_callback: Callable[[Violation, str], bool] | None = None
+
+    def set_query(self, query: str | None) -> None:
+        self.query = query
+
+    def on_tool_call(self, name: str, args: dict[str, Any]) -> Violation | None:
+        """Ingress check for a pending tool call. Returns the Violation if one fired."""
+        violation = check(name, args, self.store, self.policy, self.query)
+        if violation is None:
+            return None
+
+        if self.policy.mode == "enforce":
+            violation.blocked = True
+            rendered = render(violation)
+            self.violations.append(violation)
+            logger.warning(rendered)
+            raise TaintViolationError(violation, rendered)
+
+        if self.policy.mode == "confirm":
+            rendered = render(violation)
+            allow = True
+            if self.confirm_callback is not None:
+                allow = bool(self.confirm_callback(violation, rendered))
+            violation.blocked = not allow
+            self.violations.append(violation)
+            logger.warning(rendered)
+            if not allow:
+                raise TaintViolationError(violation, rendered)
+            return violation
+
+        # audit (default): log + record, never block.
+        violation.blocked = False
+        rendered = render(violation)
+        self.violations.append(violation)
+        logger.info(rendered)
+        return violation
+
+    def on_tool_result(self, name: str, output: Any, *, trace_id: str | None = None) -> None:
+        """Egress: fingerprint + label a tool's output."""
+        trust = Trust.UNTRUSTED if self.policy.is_untrusted_source(name) else Trust.TRUSTED
+        step = self.store.next_step()
+        values = extract_values(
+            output,
+            source=name,
+            trust=trust,
+            trace_id=trace_id or f"{name}:{step}",
+            step=step,
+        )
+        if values:
+            self.store.label(values, source=name, trust=trust)

agent_sleuth/runtime.py

@@ -0,0 +1,107 @@
+"""runtime.py — Sleuth, the public developer-facing API (§4.8).
+
+The single thing the developer imports. Constructs the policy (from explicit lists or
+name-based defaults), owns the store and engine, resets per run, and exposes ``violations``
+and ``report()``.
+
+Three-line integration (§0)::
+
+    from agent_sleuth import Sleuth
+
+    agent = Sleuth(agent=your_agent, untrusted=[...], consequential=[...], mode="audit")
+    result = agent.run("summarize my emails and send a report to my boss")
+    print(agent.report())
+"""
+
+from __future__ import annotations
+
+from typing import Any, Callable
+
+from .core.errors import TaintViolationError
+from .core.lineage import Violation
+from .core.policy import IFCPolicy
+from .core.store import TaintStore
+from .core.trace import render
+from .engine import Engine
+
+
+class Sleuth:
+    def __init__(
+        self,
+        agent: Any = None,
+        untrusted: list[str] | None = None,
+        consequential: list[str] | None = None,
+        destinations: list[str] | None = None,
+        mode: str = "audit",
+        policy: IFCPolicy | None = None,
+        strict: bool = False,
+        confirm_callback: Callable[[Violation, str], bool] | None = None,
+    ):
+        if policy is not None:
+            self.policy = policy
+        elif untrusted is None and consequential is None:
+            # Pure name-based defaults (§4.4): most developers never touch the lists.
+            self.policy = IFCPolicy.from_defaults(mode=mode)
+            self.policy.destination_allowlist = destinations or []
+            self.policy.strict = strict
+        else:
+            self.policy = IFCPolicy(
+                untrusted_sources=untrusted or [],
+                consequential_actions=consequential or [],
+                destination_allowlist=destinations or [],
+                mode=mode,
+                strict=strict,
+            )
+        self.store = TaintStore()
+        self.engine = Engine(self.policy, self.store)
+        self.engine.confirm_callback = confirm_callback
+        self.agent = agent
+
+    # --- adapter wiring ----------------------------------------------------------
+    @property
+    def handler(self):
+        """A fresh LangChain callback handler bound to this Sleuth's engine."""
+        from .adapters.langchain import IFCCallbackHandler
+
+        return IFCCallbackHandler(self.engine)
+
+    def track(self, fn: Callable, name: str | None = None) -> Callable:
+        """Wrap a raw tool function with @tracked_tool bound to this engine."""
+        from .adapters.decorator import tracked_tool
+
+        return tracked_tool(self.engine, name=name)(fn)
+
+    # --- run ---------------------------------------------------------------------
+    def run(self, query: str, **kwargs: Any) -> Any:
+        """Reset taint state, stash the trusted query, run the wrapped agent under the
+        callback handler. Catches TaintViolationError in enforce/confirm and returns its
+        rendered trace so the caller sees a clean blocked result."""
+        self.reset(query)
+        if self.agent is None:
+            raise ValueError("Sleuth.run requires an agent; for raw tools use .track().")
+        try:
+            callbacks = kwargs.pop("callbacks", []) or []
+            callbacks = [*callbacks, self.handler]
+            return self.agent.run(query, callbacks=callbacks, **kwargs)
+        except TaintViolationError as e:
+            return e.rendered
+
+    def reset(self, query: str | None = None) -> None:
+        """Fresh taint state per run (§4.3). Optionally set the trusted query."""
+        self.store.reset()
+        self.engine.violations = []
+        self.engine.set_query(query)
+
+    # --- reporting ---------------------------------------------------------------
+    @property
+    def violations(self) -> list[dict]:
+        return [v.to_dict() for v in self.engine.violations]
+
+    def report(self) -> str:
+        """Human-readable summary: '✓ none' or enumerated rendered traces."""
+        vs = self.engine.violations
+        if not vs:
+            return "Agent Sleuth: ✓ no violations detected."
+        header = f"Agent Sleuth: {len(vs)} violation(s) detected\n"
+        body = "\n\n".join(render(v) for v in vs)
+        return header + "\n" + body

agent_sleuth-0.0.1.dist-info/METADATA

@@ -0,0 +1,159 @@
+Metadata-Version: 2.4
+Name: agent_sleuth
+Version: 0.0.1
+Summary: Prevents untrusted data from triggering consequential actions in your agent.
+Project-URL: Homepage, https://github.com/Behuve-Labs/agent-sleuth
+Project-URL: Source, https://github.com/Behuve-Labs/agent-sleuth
+Project-URL: Issues, https://github.com/Behuve-Labs/agent-sleuth/issues
+Author: Arnav Tripathy, Noah Wong
+License: Copyright 2026 Behuve
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+License-File: LICENSE.md
+Keywords: agent,ifc,llm,prompt-injection,security,taint
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.10
+Provides-Extra: agentdojo
+Requires-Dist: agentdojo; extra == 'agentdojo'
+Provides-Extra: config
+Requires-Dist: pyyaml>=6.0; extra == 'config'
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0; extra == 'dev'
+Requires-Dist: pyyaml>=6.0; extra == 'dev'
+Requires-Dist: ruff>=0.1; extra == 'dev'
+Provides-Extra: langchain
+Requires-Dist: langchain-core>=0.1; extra == 'langchain'
+Description-Content-Type: text/markdown
+
+# Agent Sleuth
+
+> **Prevents untrusted data from triggering consequential actions in your agent.**
+
+Agent Sleuth is an in-process **information-flow-control (IFC)** library for LLM agents. It
+stops untrusted data (web pages, email bodies, tool outputs, retrieved documents) from
+driving **consequential actions** (sending email, writing files, posting to external
+services).
+
+The mechanism is **value-level provenance lineage tracked at the tool-I/O boundary** — *not*
+taint-tracking through the model's forward pass. When an untrusted tool returns data, we
+fingerprint the specific values in it. When a later consequential ("sink") call's arguments
+carry those fingerprinted values — verbatim or via structured-field tracking — that is a
+**deterministic, classifier-free provenance edge**. A small policy fires: untrusted-origin
+value reaching a non-allowlisted external sink → **block or confirm**.
+
+- **Deterministic, not a classifier.** The guarantee is a value-lineage match, never an LLM judging intent.
+- **Zero extra LLM calls** on the common path.
+- **Drop-in.** Three lines, zero changes to your agent.
+- **Audit-mode first.** Observe for a week, then switch to enforce.
+
+## Install
+
+```bash
+pip install agent_sleuth                 # core, zero agent-framework deps
+pip install 'agent_sleuth[langchain]'    # + LangChain callback handler
+pip install 'agent_sleuth[config]'       # + YAML config loading
+pip install 'agent_sleuth[dev]'          # + pytest/ruff
+```
+
+## Three-line integration (raw / custom agent)
+
+```python
+from agent_sleuth import Sleuth
+
+sleuth = Sleuth(
+    untrusted=["read_email", "fetch_url", "search_web"],
+    consequential=["send_email", "write_file", "post_slack"],
+    destinations=["me@myco.com"],   # your own channels = trusted egress
+    mode="audit",                   # → "enforce" once you trust it
+)
+sleuth.reset(query="summarize my emails and send a report to my boss")
+
+# wrap your tools (or pass sleuth.handler to a LangChain agent — see below)
+fetch_url  = sleuth.track(fetch_url)
+send_email = sleuth.track(send_email)
+
+# ... run your agent ...
+print(sleuth.report())
+```
+
+You can also skip the explicit lists entirely — `Sleuth()` uses **name-based defaults**
+(tools containing `read/fetch/search/get/...` are untrusted; `send/write/post/delete/...`
+are consequential).
+
+## LangChain (zero changes to your agent)
+
+```python
+from agent_sleuth import Sleuth
+
+sleuth = Sleuth(agent=your_langchain_agent, mode="audit")
+result = sleuth.run("summarize my emails and send a report to my boss")
+print(sleuth.report())
+```
+
+`Sleuth.run()` resets taint state, stashes the trusted query, and attaches the
+`IFCCallbackHandler` to your agent — no edits to your chain.
+
+## What a caught attack looks like
+
+```
+BLOCKED: send_email() called with tainted inputs
+  Taint source: fetch_url (step 2, untrusted)
+  Injected value detected in argument: to="attacker@evil.com"
+  Lineage: fetch_url (step 2) → value "attacker@evil.com" → send_email.to
+  Destination: attacker@evil.com (not allowlisted)
+  Reason: untrusted-origin value reached a consequential sink
+  Action: blocked, call halted
+```
+
+## Modes
+
+- `audit` (default): detect + log + render the trace; **never block**.
+- `enforce`: raise `TaintViolationError` and halt the offending sink call.
+- `confirm`: surface the violation to a callback for an allow/deny decision before dispatch.
+
+## Honest coverage envelope (v0)
+
+> Sound on the verbatim/structured-exfil class. Zero extra LLM calls on the common path.
+> Drop-in. **Laundering** (base64/paraphrase of a secret) and **pure control-flow hijack**
+> (a sink call whose arguments carry no untrusted bytes) are explicitly **out of scope for
+> v0** — documented non-goals, not bugs. Control-flow integrity (the plan-allowlist) and a
+> configurable allow/denylist with deny-over-allow precedence land in v1.
+
+| Attack class | v0 |
+|---|---|
+| Verbatim exfiltration (untrusted value appears literally in sink arg) | ✅ deterministic |
+| Structured exfiltration (untrusted field → sink field) | ✅ deterministic |
+| Legit egress to your own channel (destination allowlist) | ✅ allowed (no false positive) |
+| Control-flow hijack (out-of-plan sink, no untrusted bytes) | ❌ v1 (plan-allowlist) |
+| Laundering (base64 / paraphrase / transform) | ❌ v2+ (opt-in quarantine) |
+
+## Benchmark
+
+```bash
+PYTHONPATH=. python benchmarks/agentdojo/run.py
+```
+
+A self-contained reproduction of AgentDojo-style indirect-injection tasks (real AgentDojo
+needs a live LLM + API keys; see the harness docstring for the thin real-AgentDojo wiring).
+Reports ASR (attack success rate) and utility per mode.
+
+## Develop
+
+```bash
+pip install -e '.[dev,langchain,config]'
+pytest
+```
+
+See `AGENT_SLEUTH_ARCHITECTURE.MD` for the full design.

agent_sleuth-0.0.1.dist-info/RECORD

@@ -0,0 +1,19 @@
+agent_sleuth/__init__.py,sha256=ZQUbSwTbc96_-wzW4qPOE7sb5-NJMoGYdnN-oy29j64,1006
+agent_sleuth/config.py,sha256=S_icJkR2rIfCWmentRiJKFTc_jMHH77y1Kaf70MBS7o,1802
+agent_sleuth/engine.py,sha256=AbW_xt2z-A3oSY8N5HpuaGcplSDIzNtfkj9Acdagd0s,3133
+agent_sleuth/runtime.py,sha256=f3A69_IkFvZn-Rpo6GdpFTkFtVl4Uiwrmy-asKOq-bs,4230
+agent_sleuth/adapters/__init__.py,sha256=LsR9CMsfGuTwZei_94AU75631HPTim3lS_K9BI7EJ7c,145
+agent_sleuth/adapters/decorator.py,sha256=mbPZFi5rYMV-dNuSs-jNnLs5cT8a-JiKQycsbSGCJ0U,1994
+agent_sleuth/adapters/langchain.py,sha256=VmUpzwvF0cEkDtGUWIivdfy5SxRVykB87y3y87fvbYM,4477
+agent_sleuth/core/__init__.py,sha256=XQvlguubplmW9nZAP1cGYno-GCMmxRr3CctK_Pt7RGg,562
+agent_sleuth/core/errors.py,sha256=1Nz0gWSpUbAvbxMAwYyf9aOS7mVItfDeIkDVKBz3o9k,492
+agent_sleuth/core/fingerprint.py,sha256=xxHn8EApmIpNtHdQU3jE2ZnhHvisk-YdV-YcL5i4p_E,5362
+agent_sleuth/core/lineage.py,sha256=3jWBBBbSkEdbbUdlO5eIfHW58r9Bb-VSxpTLOE5xd78,4494
+agent_sleuth/core/policy.py,sha256=1SSzsBPqHOApmuKtwHUFpJzUNL8DWQ0EnGryMkERTzY,4277
+agent_sleuth/core/store.py,sha256=ANwViiuf1uPrim7K8riHUKgkmO72wGgrQu3UyzhNjuc,2915
+agent_sleuth/core/trace.py,sha256=E0vj_y6DEwFfV4cBlCKt0kt2zEWd_rdSTHjWUPI5hXQ,1757
+agent_sleuth/core/values.py,sha256=9AsinGk489IdAjQlfwh0s1z9kveDO1NN9pmWI6iR2SU,1228
+agent_sleuth-0.0.1.dist-info/METADATA,sha256=LsP9cZ1_njB8Qc_604QzJLRe7CWbfiuu00RI63OFdg4,7236
+agent_sleuth-0.0.1.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+agent_sleuth-0.0.1.dist-info/licenses/LICENSE.md,sha256=EW1yJhY8iaGX_uf56XtYlaL_iRqdBqlMVcO8SEPDzlE,1053
+agent_sleuth-0.0.1.dist-info/RECORD,,

agent_sleuth-0.0.1.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.30.1
+Root-Is-Purelib: true
+Tag: py3-none-any

agent_sleuth-0.0.1.dist-info/licenses/LICENSE.md

@@ -0,0 +1,7 @@
+Copyright 2026 Behuve
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.