agentauthlayer 0.1.10__tar.gz → 0.1.12__tar.gz

{agentauthlayer-0.1.10 → agentauthlayer-0.1.12}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agentauthlayer
-Version: 0.1.10
+Version: 0.1.12
 Summary: Library-first authentication and authorization SDK for AI agents
 Author: Vaibhav Ahluwalia
 License: MIT
@@ -26,6 +26,7 @@ Requires-Dist: bcrypt==4.0.1
 Requires-Dist: python-multipart
 Requires-Dist: httpx
 Requires-Dist: sqlalchemy
+Requires-Dist: psycopg2-binary
 Requires-Dist: email-validator
 
 # agentauthlayer
@@ -39,12 +40,19 @@ You can now create project-scoped tokens from:
 - the Tokens page in the UI
 - the CLI with `agentauth token create`
 
+These tokens support one visible token model with richer internal semantics:
+- `purpose=sync` for registration and sync flows
+- `purpose=runtime` for runtime execution flows
+- `purpose=automation` for service or CI style automation
+- optional `agent_id` binding for runtime-oriented tokens
+
 ## Runtime binding
 
 Runtime authorization now enforces stronger execution binding checks for project-scoped flows:
 - project scope mismatches are denied before policy evaluation
 - agent/principal mismatches are denied before policy evaluation
-- execution context automatically carries project, agent, and principal context into authorization checks
+- execution context automatically carries project, agent, principal, and token-purpose context into authorization checks
+- runtime-bound tokens now carry first-class `project_id`, `agent_id`, and `purpose` fields, with scope-based fallback for older tokens
 
 Use the resulting token in code directly:
 
@@ -63,6 +71,30 @@ Or store it locally for CLI + SDK reuse:
 agentauth login --base-url http://127.0.0.1:8002 --token YOUR_PROJECT_TOKEN --email admin@agentauth.dev
 ```
 
+### Create a bound runtime token from the CLI
+
+```bash
+agentauth token create \
+  --project ai-platform \
+  --name research-runtime-token \
+  --purpose runtime \
+  --agent-id research-agent-01 \
+  --scope docs.read
+```
+
+Then use it directly in code:
+
+```python
+from agent_auth import AuthAPIClient
+
+client = AuthAPIClient(token="YOUR_RUNTIME_TOKEN")
+ctx = client.execution_context()
+
+print(ctx.project_id)
+print(ctx.agent_id)
+print(ctx.context.get("token_purpose"))
+```
+
 `agentauthlayer` helps you:
 - start a local Agent Auth backend and UI with one command
 - authenticate once and reuse local credentials

{agentauthlayer-0.1.10 → agentauthlayer-0.1.12}/README.md

@@ -9,12 +9,19 @@ You can now create project-scoped tokens from:
 - the Tokens page in the UI
 - the CLI with `agentauth token create`
 
+These tokens support one visible token model with richer internal semantics:
+- `purpose=sync` for registration and sync flows
+- `purpose=runtime` for runtime execution flows
+- `purpose=automation` for service or CI style automation
+- optional `agent_id` binding for runtime-oriented tokens
+
 ## Runtime binding
 
 Runtime authorization now enforces stronger execution binding checks for project-scoped flows:
 - project scope mismatches are denied before policy evaluation
 - agent/principal mismatches are denied before policy evaluation
-- execution context automatically carries project, agent, and principal context into authorization checks
+- execution context automatically carries project, agent, principal, and token-purpose context into authorization checks
+- runtime-bound tokens now carry first-class `project_id`, `agent_id`, and `purpose` fields, with scope-based fallback for older tokens
 
 Use the resulting token in code directly:
 
@@ -33,6 +40,30 @@ Or store it locally for CLI + SDK reuse:
 agentauth login --base-url http://127.0.0.1:8002 --token YOUR_PROJECT_TOKEN --email admin@agentauth.dev
 ```
 
+### Create a bound runtime token from the CLI
+
+```bash
+agentauth token create \
+  --project ai-platform \
+  --name research-runtime-token \
+  --purpose runtime \
+  --agent-id research-agent-01 \
+  --scope docs.read
+```
+
+Then use it directly in code:
+
+```python
+from agent_auth import AuthAPIClient
+
+client = AuthAPIClient(token="YOUR_RUNTIME_TOKEN")
+ctx = client.execution_context()
+
+print(ctx.project_id)
+print(ctx.agent_id)
+print(ctx.context.get("token_purpose"))
+```
+
 `agentauthlayer` helps you:
 - start a local Agent Auth backend and UI with one command
 - authenticate once and reuse local credentials

{agentauthlayer-0.1.10 → agentauthlayer-0.1.12}/agent_auth/__init__.py

@@ -2,7 +2,7 @@
 
 from agent_auth.auth import principal_fields, principal_from_agent, principal_from_user
 from agent_auth.client import AuthAPIClient
-from agent_auth.context import AuthContext, ExecutionContext, execution_context_from_args
+from agent_auth.context import AuthContext, ExecutionContext, execution_context_from_args, execution_context_from_token_payload
 from agent_auth.delegation import DelegationGrant
 from agent_auth.exceptions import (
     AgentAuthError,
@@ -52,6 +52,7 @@ __all__ = [
     "list_registered_agents",
     "list_registered_tools",
     "execution_context_from_args",
+    "execution_context_from_token_payload",
     "principal_fields",
     "principal_from_agent",
     "principal_from_user",

{agentauthlayer-0.1.10 → agentauthlayer-0.1.12}/agent_auth/cli.py

@@ -216,7 +216,13 @@ def project_create_command(args) -> int:
 
 def token_create_command(args) -> int:
     client = AuthAPIClient()
-    token = client.create_project_token(args.project, args.name, args.scopes or [])
+    token = client.create_project_token(
+        args.project,
+        args.name,
+        args.scopes or [],
+        purpose=args.purpose,
+        agent_id=args.agent_id,
+    )
     print(json.dumps(token, indent=2))
     return 0
 
@@ -324,6 +330,8 @@ def main():
     token_create_parser.add_argument('--project', required=True)
     token_create_parser.add_argument('--name', required=True)
     token_create_parser.add_argument('--scope', dest='scopes', action='append', help='Scope to include. Repeat for multiple scopes.')
+    token_create_parser.add_argument('--purpose', default='sync', choices=['sync', 'runtime', 'automation'], help='Intended token purpose.')
+    token_create_parser.add_argument('--agent-id', help='Optional runtime agent binding for runtime-oriented tokens.')
     token_create_parser.set_defaults(func=token_create_command)
 
     token_list_parser = token_subparsers.add_parser('list', help='List tokens')

{agentauthlayer-0.1.10 → agentauthlayer-0.1.12}/agent_auth/client.py

@@ -1,11 +1,13 @@
 from __future__ import annotations
 
+import base64
+import json
 import os
 from typing import Any
 
 import requests
 
-from agent_auth.context import AuthContext
+from agent_auth.context import AuthContext, ExecutionContext, execution_context_from_token_payload
 from agent_auth.credentials import load_credentials
 from agent_auth.exceptions import (
     AgentNotFoundError,
@@ -40,6 +42,21 @@ class AuthAPIClient:
             headers["Authorization"] = f"Bearer {self.token}"
         return headers
 
+    def decode_token(self, token: str | None = None) -> dict[str, Any] | None:
+        raw = token or self.token
+        if not raw:
+            return None
+        try:
+            parts = raw.split('.')
+            if len(parts) != 3:
+                return None
+            payload = parts[1]
+            padding = '=' * (-len(payload) % 4)
+            decoded = base64.urlsafe_b64decode(payload + padding)
+            return json.loads(decoded.decode('utf-8'))
+        except Exception:
+            return None
+
     def _request(self, method: str, path: str, json: dict[str, Any] | None = None) -> Any:
         response = requests.request(
             method,
@@ -114,12 +131,33 @@ class AuthAPIClient:
             json={"project_id": project_id, "name": name, "description": description},
         )
 
-    def create_project_token(self, project_id: str, name: str, scopes: list[str] | None = None) -> dict[str, Any]:
-        return self._request(
-            "POST",
-            "/tokens/project",
-            json={"project_id": project_id, "name": name, "scopes": scopes or []},
-        )
+    def create_project_token(
+        self,
+        project_id: str,
+        name: str,
+        scopes: list[str] | None = None,
+        *,
+        purpose: str = "sync",
+        agent_id: str | None = None,
+    ) -> dict[str, Any]:
+        payload: dict[str, Any] = {
+            "project_id": project_id,
+            "name": name,
+            "scopes": scopes or [],
+            "purpose": purpose,
+        }
+        if agent_id:
+            payload["agent_id"] = agent_id
+        return self._request("POST", "/tokens/project", json=payload)
+
+    def create_sync_token(self, project_id: str, name: str = "project-sync-token", scopes: list[str] | None = None) -> dict[str, Any]:
+        return self.create_project_token(project_id, name, scopes or ["admin_agents", "admin_tokens"], purpose="sync")
+
+    def create_runtime_token(self, project_id: str, agent_id: str, name: str = "project-runtime-token", scopes: list[str] | None = None) -> dict[str, Any]:
+        return self.create_project_token(project_id, name, scopes or ["docs.read"], purpose="runtime", agent_id=agent_id)
+
+    def create_automation_token(self, project_id: str, name: str = "project-automation-token", scopes: list[str] | None = None) -> dict[str, Any]:
+        return self.create_project_token(project_id, name, scopes or ["admin_agents"], purpose="automation")
 
     def list_tokens(self, subject_type: str | None = None) -> list[dict[str, Any]]:
         path = "/tokens"
@@ -145,6 +183,52 @@ class AuthAPIClient:
     def list_permissions(self) -> list[dict[str, Any]]:
         return self._request("GET", "/policy/permissions")
 
+    def explain_token(self, token: str | None = None) -> dict[str, Any]:
+        payload = self.decode_token(token)
+        if not payload:
+            raise InvalidTokenError("Unable to decode token")
+        scopes = list(payload.get("scopes") or [])
+        project_id = payload.get("project_id")
+        agent_id = payload.get("agent_id")
+        purpose = payload.get("purpose")
+        if not project_id:
+            project_id = next((scope.split(":", 1)[1] for scope in scopes if isinstance(scope, str) and scope.startswith("project:")), None)
+        if not agent_id:
+            agent_id = next((scope.split(":", 1)[1] for scope in scopes if isinstance(scope, str) and scope.startswith("agent:")), None)
+        if not purpose:
+            purpose = next((scope.split(":", 1)[1] for scope in scopes if isinstance(scope, str) and scope.startswith("purpose:")), None)
+        return {
+            "principal_id": payload.get("sub") or payload.get("principal_id"),
+            "principal_type": payload.get("principal_type") or payload.get("subject_type") or payload.get("sub_type"),
+            "role": payload.get("role"),
+            "email": payload.get("email"),
+            "purpose": purpose,
+            "project_id": project_id,
+            "agent_id": agent_id,
+            "scopes": scopes,
+            "auth_source": self.auth_source,
+        }
+
+    def execution_context(self, *, agent_id: str | None = None, role: str | None = None, context: dict[str, Any] | None = None, require_runtime_binding: bool = False) -> ExecutionContext:
+        if not self.token:
+            raise InvalidTokenError("No token available to derive execution context")
+        payload = self.decode_token(self.token)
+        if not payload:
+            raise InvalidTokenError("Unable to decode token for execution context")
+        ctx = execution_context_from_token_payload(payload, agent_id=agent_id, role=role, context=context)
+        if require_runtime_binding:
+            token_info = self.explain_token()
+            if token_info.get("purpose") != "runtime":
+                raise InvalidTokenError("Token is not bound for runtime usage")
+            if not ctx.project_id:
+                raise InvalidTokenError("Runtime token is missing project binding")
+            if not ctx.agent_id:
+                raise InvalidTokenError("Runtime token is missing agent binding")
+        return ctx
+
+    def runtime_context(self, *, context: dict[str, Any] | None = None, role: str | None = None) -> ExecutionContext:
+        return self.execution_context(context=context, role=role, require_runtime_binding=True)
+
     def evaluate(self, principal_id: str, action: str, resource: str | None = None, granted_scopes: list[str] | None = None, role: str | None = None, context: dict[str, str] | None = None) -> dict[str, Any]:
         return self._request(
             "POST",

{agentauthlayer-0.1.10 → agentauthlayer-0.1.12}/agent_auth/context.py

@@ -83,3 +83,44 @@ def execution_context_from_args(
         context=context or {},
         email=email,
     )
+
+
+def execution_context_from_token_payload(payload: dict[str, Any], *, agent_id: str | None = None, role: str | None = None, context: dict[str, Any] | None = None) -> ExecutionContext:
+    scopes = list(payload.get('scopes') or [])
+
+    project_id = payload.get('project_id') or payload.get('bound_project_id')
+    if project_id is None:
+        for scope in scopes:
+            if isinstance(scope, str) and scope.startswith('project:'):
+                project_id = scope.split(':', 1)[1]
+                break
+
+    principal_id = payload.get('sub') or payload.get('principal_id')
+    principal_type = payload.get('principal_type') or payload.get('subject_type') or payload.get('sub_type')
+
+    derived_agent_id = agent_id
+    if derived_agent_id is None and principal_type == 'agent':
+        derived_agent_id = principal_id
+    if derived_agent_id is None:
+        derived_agent_id = payload.get('agent_id') or payload.get('bound_agent_id')
+    if derived_agent_id is None:
+        for scope in scopes:
+            if isinstance(scope, str) and scope.startswith('agent:'):
+                derived_agent_id = scope.split(':', 1)[1]
+                break
+
+    base_context = dict(context or {})
+    token_purpose = payload.get('purpose') or payload.get('token_purpose')
+    if token_purpose and 'token_purpose' not in base_context:
+        base_context['token_purpose'] = token_purpose
+
+    return ExecutionContext(
+        principal_id=principal_id,
+        principal_type=principal_type,
+        agent_id=derived_agent_id,
+        project_id=project_id,
+        role=role or payload.get('role'),
+        scopes=scopes,
+        context=base_context,
+        email=payload.get('email'),
+    )

{agentauthlayer-0.1.10 → agentauthlayer-0.1.12}/agent_auth/principals.py

@@ -15,6 +15,9 @@ class Principal:
     email: str | None = None
     owner: str | None = None
     status: str | None = None
+    token_purpose: str | None = None
+    bound_project_id: str | None = None
+    bound_agent_id: str | None = None
 
 
 @dataclass(slots=True)

{agentauthlayer-0.1.10 → agentauthlayer-0.1.12}/agent_auth/session.py

@@ -121,6 +121,12 @@ class PrincipalTokenService:
             "email": principal.email,
             "exp": expires_at,
         }
+        if principal.token_purpose:
+            payload["purpose"] = principal.token_purpose
+        if principal.bound_project_id:
+            payload["project_id"] = principal.bound_project_id
+        if principal.bound_agent_id:
+            payload["agent_id"] = principal.bound_agent_id
         if token_type:
             payload["type"] = token_type
         token = jwt.encode(payload, self.settings.secret_key, algorithm=self.settings.algorithm)

{agentauthlayer-0.1.10 → agentauthlayer-0.1.12}/agent_auth/users.py

@@ -129,6 +129,9 @@ class CoreUserService:
     def list_invites(self) -> list[InviteT]:
         return self.store.list_invites()
 
+    def get_user_by_email(self, email: str) -> UserT | None:
+        return self.store.get_user_by_email(email)
+
     def get_user_by_id(self, user_id: str) -> UserT | None:
         return self.store.get_user_by_id(user_id)