agentauthlayer 0.1.0__py3-none-any.whl

agent_auth/users.py

@@ -0,0 +1,173 @@
+from __future__ import annotations
+
+import secrets
+from dataclasses import dataclass
+from datetime import datetime, timedelta, timezone
+from typing import Protocol, TypeVar
+
+import bcrypt
+
+from agent_auth.principals import user_scopes_for_role
+
+
+UserT = TypeVar("UserT")
+InviteT = TypeVar("InviteT")
+
+DEFAULT_ADMIN_EMAIL = "admin@agentauth.dev"
+LEGACY_ADMIN_EMAIL = "admin@agent-auth.local"
+ADMIN_SCOPES = ["admin_agents", "admin_tokens", "read_audit", "admin_users"]
+
+
+class UserStore(Protocol[UserT, InviteT]):
+    def get_admin_hash(self) -> str | None:
+        ...
+
+    def set_admin_hash(self, password_hash: str) -> None:
+        ...
+
+    def create_user(self, email: str, password_hash: str, role: str, invited_by: str | None = None) -> UserT:
+        ...
+
+    def get_user_by_email(self, email: str) -> UserT | None:
+        ...
+
+    def get_user_by_id(self, user_id: str) -> UserT | None:
+        ...
+
+    def list_users(self) -> list[UserT]:
+        ...
+
+    def update_password(self, user_id: str, password_hash: str) -> UserT | None:
+        ...
+
+    def update_user(self, user_id: str, *, role: str | None = None, status: str | None = None) -> UserT | None:
+        ...
+
+    def create_invite(self, email: str, role: str, invited_by: str, invite_token: str, expires_at: datetime) -> InviteT:
+        ...
+
+    def get_invite_by_token(self, invite_token: str) -> InviteT | None:
+        ...
+
+    def list_invites(self) -> list[InviteT]:
+        ...
+
+    def mark_invite_accepted(self, invite_token: str) -> None:
+        ...
+
+
+@dataclass(frozen=True, slots=True)
+class EffectiveAccess:
+    user_id: str
+    email: str
+    role: str
+    scopes: list[str]
+    can_manage_users: bool
+    can_manage_agents: bool
+    can_manage_tokens: bool
+    can_read_audit: bool
+
+
+class CoreUserService:
+    """Core human-user identity, password, invite, and access helper logic."""
+
+    def __init__(self, store: UserStore[UserT, InviteT]):
+        self.store = store
+
+    def create_admin(self, password: str) -> UserT:
+        password_hash = self.hash_password(password)
+
+        existing_default = self.store.get_user_by_email(DEFAULT_ADMIN_EMAIL)
+        if existing_default:
+            return self.store.update_password(existing_default.user_id, password_hash) or existing_default
+
+        existing_legacy = self.store.get_user_by_email(LEGACY_ADMIN_EMAIL)
+        if existing_legacy:
+            return self.store.update_password(existing_legacy.user_id, password_hash) or existing_legacy
+
+        return self.store.create_user(DEFAULT_ADMIN_EMAIL, password_hash, "admin", invited_by="bootstrap")
+
+    def authenticate(self, email: str, password: str) -> UserT | None:
+        user = self.store.get_user_by_email(email)
+        if not user and email == DEFAULT_ADMIN_EMAIL:
+            user = self.store.get_user_by_email(LEGACY_ADMIN_EMAIL)
+        elif not user and email == LEGACY_ADMIN_EMAIL:
+            user = self.store.get_user_by_email(DEFAULT_ADMIN_EMAIL)
+        if not user or getattr(user, "status", None) != "active":
+            return None
+        if not bcrypt.checkpw(password.encode(), getattr(user, "password_hash").encode()):
+            return None
+        return user
+
+    def invite_user(self, email: str, role: str, invited_by: str, ttl_hours: int = 24) -> InviteT:
+        token = secrets.token_urlsafe(32)
+        expires_at = datetime.now(timezone.utc) + timedelta(hours=ttl_hours)
+        return self.store.create_invite(email, role, invited_by, token, expires_at)
+
+    def get_invite_status(self, invite_token: str) -> InviteT | None:
+        return self.store.get_invite_by_token(invite_token)
+
+    def claim_invite(self, invite_token: str, password: str) -> UserT | None:
+        invite = self.store.get_invite_by_token(invite_token)
+        if not invite or getattr(invite, "accepted"):
+            return None
+        expires_at = getattr(invite, "expires_at")
+        if expires_at.tzinfo is None:
+            expires_at = expires_at.replace(tzinfo=timezone.utc)
+        if expires_at <= datetime.now(timezone.utc):
+            return None
+        if self.store.get_user_by_email(getattr(invite, "email")):
+            return None
+        password_hash = self.hash_password(password)
+        user = self.store.create_user(getattr(invite, "email"), password_hash, getattr(invite, "role"), invited_by=getattr(invite, "invited_by"))
+        self.store.mark_invite_accepted(invite_token)
+        return user
+
+    def list_users(self) -> list[UserT]:
+        return self.store.list_users()
+
+    def list_invites(self) -> list[InviteT]:
+        return self.store.list_invites()
+
+    def get_user_by_id(self, user_id: str) -> UserT | None:
+        return self.store.get_user_by_id(user_id)
+
+    def get_user_by_email(self, email: str) -> UserT | None:
+        return self.store.get_user_by_email(email)
+
+    def get_current_user(self, principal_id: str | None, email: str | None) -> UserT | None:
+        if principal_id:
+            user = self.store.get_user_by_id(principal_id)
+            if user:
+                return user
+        normalized_email = email.lower() if email else None
+        if normalized_email:
+            user = self.store.get_user_by_email(normalized_email)
+            if user:
+                return user
+            if normalized_email in {DEFAULT_ADMIN_EMAIL, LEGACY_ADMIN_EMAIL}:
+                return self.store.get_user_by_email(DEFAULT_ADMIN_EMAIL) or self.store.get_user_by_email(LEGACY_ADMIN_EMAIL)
+        return None
+
+    def effective_access(self, user: UserT) -> EffectiveAccess:
+        scopes = user_scopes_for_role(getattr(user, "role"))
+        return EffectiveAccess(
+            user_id=getattr(user, "user_id"),
+            email=getattr(user, "email"),
+            role=getattr(user, "role"),
+            scopes=scopes,
+            can_manage_users="admin_users" in scopes,
+            can_manage_agents="admin_agents" in scopes,
+            can_manage_tokens="admin_tokens" in scopes,
+            can_read_audit="read_audit" in scopes,
+        )
+
+    def update_user(self, user_id: str, *, role: str | None = None, status: str | None = None) -> UserT | None:
+        return self.store.update_user(user_id, role=role, status=status)
+
+    def change_password(self, user_id: str, password: str) -> UserT | None:
+        return self.store.update_password(user_id, self.hash_password(password))
+
+    @staticmethod
+    def hash_password(password: str) -> str:
+        return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()

agentauthlayer-0.1.0.dist-info/METADATA

@@ -0,0 +1,131 @@
+Metadata-Version: 2.4
+Name: agentauthlayer
+Version: 0.1.0
+Summary: Library-first authentication and authorization SDK for AI agents
+Author: Vaibhav Ahluwalia
+License: MIT
+Project-URL: Homepage, https://github.com/VaibhavAhluwalia/Agent-Auth-
+Project-URL: Repository, https://github.com/VaibhavAhluwalia/Agent-Auth-
+Keywords: agents,auth,authorization,iam,security,sdk
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: requests>=2.31.0
+Requires-Dist: python-jose>=3.3.0
+
+# Agent Auth SDK
+
+A library-first authentication and authorization SDK for AI agents.
+
+## What this package is
+
+`agent-auth-sdk` is the reusable Python SDK layer of the Agent Auth platform. It is designed for developers who want to:
+- register agents
+- issue and verify access with the Agent Auth control plane
+- sync tool definitions
+- evaluate permissions
+- embed policy enforcement into agent runtimes
+
+This package is the **developer-facing library**, not the full FastAPI server or React admin UI.
+
+## Install
+
+```bash
+pip install agent-auth-sdk
+```
+
+For local development:
+
+```bash
+pip install -e .
+```
+
+## Quickstart
+
+```python
+from agent_auth import AuthAPIClient
+
+client = AuthAPIClient(
+    base_url="http://127.0.0.1:8002",
+    token="YOUR_ADMIN_OR_SERVICE_TOKEN",
+)
+
+agent = client.create_agent(
+    agent_id="research-bot-01",
+    name="Research Bot 01",
+    owner="vaibhav@company.com",
+    role="research_agent",
+    scopes=[],
+    project_id="ai-platform",
+)
+
+print(agent)
+```
+
+## Environment variables
+
+If you prefer, the SDK reads these automatically:
+
+```bash
+export AGENT_AUTH_URL=http://127.0.0.1:8002
+export AGENT_AUTH_TOKEN=YOUR_ADMIN_OR_SERVICE_TOKEN
+```
+
+Then:
+
+```python
+from agent_auth import AuthAPIClient
+
+client = AuthAPIClient()
+print(client.health())
+```
+
+## Common capabilities
+
+### Sync tools from code
+
+```python
+client.sync_tools([
+    {"action": "tool.search_web", "description": "Search the web"},
+    {"action": "docs.read", "description": "Read protected docs"},
+])
+```
+
+### Evaluate access
+
+```python
+decision = client.evaluate(
+    principal_id="research-bot-01",
+    action="tool.search_web",
+    resource="web/*",
+    role="research_agent",
+)
+
+print(decision)
+```
+
+## Package scope
+
+This package currently exposes the reusable SDK and policy primitives under `agent_auth/`.
+The full control plane server, admin UI, and demos remain in the same repository but are not part of the SDK package build.
+
+## Dev-ready validation checklist
+
+Before publishing, verify:
+
+```bash
+pip install -e .
+python -c "import agent_auth; print(agent_auth.__all__)"
+python -m build
+pip install dist/*.whl
+```
+
+## Repository
+
+- Source: <https://github.com/VaibhavAhluwalia/Agent-Auth->

agentauthlayer-0.1.0.dist-info/RECORD

@@ -0,0 +1,24 @@
+agent_auth/__init__.py,sha256=c1P2iMJyKefBl6iKUsdEyWtt6EmtRlNVtOzUnoXZrqI,1454
+agent_auth/__main__.py,sha256=7Hk2nPvyEFjvnclLhcq8Zw3pkyiZvhgC196qaT_ISVM,71
+agent_auth/agents.py,sha256=uk9Ai6qIvYxmvKB9VCmtAlM3HqVAgyYncmr4h_pD61k,1075
+agent_auth/audit.py,sha256=Be_opy-omGYMbUfi_trMkTAZpenxLK18vTMoQixSJyc,1399
+agent_auth/auth.py,sha256=GwflUUnmyk8faO3TylvCVLx0NdAf5RBof9v0JPuibSI,1191
+agent_auth/cli.py,sha256=iQeYtPG-CNFLEXMS8GiqAIpKHsJJCB7qSc-P6EH4VMI,1082
+agent_auth/client.py,sha256=IlFE-vZ7bP4_LNdtg8mAksDkQlqwBqVGgmehUSCwaPs,3979
+agent_auth/context.py,sha256=yxfBw9OazgywpCN7OUO3RKfJPF1-HR3YGL62jy-xWsI,455
+agent_auth/core.py,sha256=0A2-gSDDZ7djPyKoCjcukl9j3-StHqDNo0DHta0S5Iw,22897
+agent_auth/delegation.py,sha256=Q7r3bDQs78cpxtTob0E5_9cXnZMAi7sSl1yoNSE1UyE,375
+agent_auth/exceptions.py,sha256=VDyR-UD1OZTZvWcwJEaRyC738LrRu191q3q7tTfJ5tw,1465
+agent_auth/models.py,sha256=CrbxHDrPE-sNWKA5ZEAs7BCRQoPF5beod_ZDqav3cvU,1586
+agent_auth/policy.py,sha256=OA9uOp84uvoKlljOCXrEFPhO_HRCYzvNNH3IC_7W3RQ,10370
+agent_auth/policy_service.py,sha256=WZVuFBuaB947bEq5pj5FPym0ozMtFFDLWcGkQRN2OoA,6585
+agent_auth/principals.py,sha256=aSNnm3M0TqJzEjKhZn9Mz7ToYVaMYJxRuI67dApxnY4,1110
+agent_auth/registry.py,sha256=hmX91rKwZZdGhB_inr45sWJBSalBdu9ND9RgzT23FeU,2652
+agent_auth/session.py,sha256=4WrGnfVn9tFz_tqDbMt5LgqLKd_JxBKguQOzRP9LVqo,4804
+agent_auth/storage.py,sha256=96pOXbjTcRI6Nqkh1BNj7GryEhq-Xqgi9iU7R9Ul9gc,18400
+agent_auth/tokens.py,sha256=J5_a0hbbNlk9HK2BsqAN0Uoc7845owjXFBbvqqpd9go,2435
+agent_auth/users.py,sha256=HKgk_pzo8qESKlzCJdSQbWAPqoFo7UxwwV-nCfGN07U,6511
+agentauthlayer-0.1.0.dist-info/METADATA,sha256=mnRnUbxDc5abi7yf2Y7Nxlci-wZGlM4l7LtLa8nBSGE,3055
+agentauthlayer-0.1.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+agentauthlayer-0.1.0.dist-info/top_level.txt,sha256=ySYpKFR5CtHd9OgGNxTuV4-p8gpkSVJtzFCG0pzhGXw,11
+agentauthlayer-0.1.0.dist-info/RECORD,,

agentauthlayer-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

agentauthlayer-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+agent_auth