agentauthlayer 0.1.8__tar.gz → 0.1.10__tar.gz

{agentauthlayer-0.1.8 → agentauthlayer-0.1.10}/MANIFEST.in

@@ -1,2 +1 @@
 recursive-include agent_auth/web_dist *
-include agent_auth_definitive_guide.pdf

{agentauthlayer-0.1.8 → agentauthlayer-0.1.10}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agentauthlayer
-Version: 0.1.8
+Version: 0.1.10
 Summary: Library-first authentication and authorization SDK for AI agents
 Author: Vaibhav Ahluwalia
 License: MIT
@@ -32,6 +32,37 @@ Requires-Dist: email-validator
 
 Unified SDK and local control plane package for Agent Auth.
 
+## Token-first developer flow
+
+You can now create project-scoped tokens from:
+- the Project Settings page in the UI
+- the Tokens page in the UI
+- the CLI with `agentauth token create`
+
+## Runtime binding
+
+Runtime authorization now enforces stronger execution binding checks for project-scoped flows:
+- project scope mismatches are denied before policy evaluation
+- agent/principal mismatches are denied before policy evaluation
+- execution context automatically carries project, agent, and principal context into authorization checks
+
+Use the resulting token in code directly:
+
+```python
+from agent_auth.client import AuthAPIClient
+
+client = AuthAPIClient(
+    base_url="http://127.0.0.1:8002",
+    token="YOUR_PROJECT_TOKEN",
+)
+```
+
+Or store it locally for CLI + SDK reuse:
+
+```bash
+agentauth login --base-url http://127.0.0.1:8002 --token YOUR_PROJECT_TOKEN --email admin@agentauth.dev
+```
+
 `agentauthlayer` helps you:
 - start a local Agent Auth backend and UI with one command
 - authenticate once and reuse local credentials

{agentauthlayer-0.1.8 → agentauthlayer-0.1.10}/README.md

@@ -2,6 +2,37 @@
 
 Unified SDK and local control plane package for Agent Auth.
 
+## Token-first developer flow
+
+You can now create project-scoped tokens from:
+- the Project Settings page in the UI
+- the Tokens page in the UI
+- the CLI with `agentauth token create`
+
+## Runtime binding
+
+Runtime authorization now enforces stronger execution binding checks for project-scoped flows:
+- project scope mismatches are denied before policy evaluation
+- agent/principal mismatches are denied before policy evaluation
+- execution context automatically carries project, agent, and principal context into authorization checks
+
+Use the resulting token in code directly:
+
+```python
+from agent_auth.client import AuthAPIClient
+
+client = AuthAPIClient(
+    base_url="http://127.0.0.1:8002",
+    token="YOUR_PROJECT_TOKEN",
+)
+```
+
+Or store it locally for CLI + SDK reuse:
+
+```bash
+agentauth login --base-url http://127.0.0.1:8002 --token YOUR_PROJECT_TOKEN --email admin@agentauth.dev
+```
+
 `agentauthlayer` helps you:
 - start a local Agent Auth backend and UI with one command
 - authenticate once and reuse local credentials

{agentauthlayer-0.1.8 → agentauthlayer-0.1.10}/agent_auth/__init__.py

@@ -2,7 +2,7 @@
 
 from agent_auth.auth import principal_fields, principal_from_agent, principal_from_user
 from agent_auth.client import AuthAPIClient
-from agent_auth.context import AuthContext
+from agent_auth.context import AuthContext, ExecutionContext, execution_context_from_args
 from agent_auth.delegation import DelegationGrant
 from agent_auth.exceptions import (
     AgentAuthError,
@@ -30,6 +30,7 @@ __all__ = [
     "AgentPrincipal",
     "AuthAPIClient",
     "AuthContext",
+    "ExecutionContext",
     "AuthServiceError",
     "DelegationGrant",
     "InvalidTokenError",
@@ -50,6 +51,7 @@ __all__ = [
     "clear_registries",
     "list_registered_agents",
     "list_registered_tools",
+    "execution_context_from_args",
     "principal_fields",
     "principal_from_agent",
     "principal_from_user",

{agentauthlayer-0.1.8 → agentauthlayer-0.1.10}/agent_auth/cli.py

@@ -6,6 +6,7 @@ import importlib
 import json
 import sys
 import webbrowser
+from pathlib import Path
 
 import requests
 
@@ -125,33 +126,69 @@ def logout_command(args) -> int:
 
 def sync_command(args) -> int:
     clear_registries()
+
+    cwd = str(Path.cwd())
+    if cwd not in sys.path:
+        sys.path.insert(0, cwd)
+
     importlib.import_module(args.module)
 
     client = AuthAPIClient()
     tools = list_registered_tools()
     agents = list_registered_agents()
 
-    if tools:
-        client.sync_tools([
-            {'action': tool.action, 'description': tool.description}
-            for tool in tools
-        ])
+    existing_permissions = {permission['action']: permission for permission in client.list_permissions()}
+    tool_payload = [{'action': tool.action, 'description': tool.description} for tool in tools]
+    tools_to_sync = [tool for tool in tool_payload if existing_permissions.get(tool['action'], {}).get('description') != tool['description']]
+    if tools_to_sync:
+        client.sync_tools(tools_to_sync)
 
-    created_agents = []
+    agent_results = []
     for agent in agents:
-        created_agents.append(client.create_agent(
-            agent_id=agent.agent_id,
-            name=agent.name,
-            owner=agent.owner,
-            role=agent.role,
-            scopes=agent.scopes,
-            project_id=agent.project_id,
-        ))
+        target_project = args.project or agent.project_id
+        try:
+            existing = client.get_agent(agent.agent_id)
+        except AgentNotFoundError:
+            existing = None
+
+        desired = {
+            'name': agent.name,
+            'role': agent.role,
+            'scopes': list(agent.scopes),
+            'project_id': target_project,
+        }
+
+        if existing is None:
+            created = client.create_agent(
+                agent_id=agent.agent_id,
+                name=agent.name,
+                owner=agent.owner,
+                role=agent.role,
+                scopes=agent.scopes,
+                project_id=target_project,
+            )
+            agent_results.append({'agent_id': created['agent_id'], 'status': 'created'})
+            continue
+
+        changed_fields = {}
+        for field in ['name', 'role', 'project_id', 'scopes']:
+            if existing.get(field) != desired[field]:
+                changed_fields[field] = desired[field]
+
+        if changed_fields:
+            updated = client.update_agent(agent.agent_id, **changed_fields)
+            agent_results.append({'agent_id': updated['agent_id'], 'status': 'updated', 'changed_fields': sorted(changed_fields.keys())})
+        else:
+            agent_results.append({'agent_id': agent.agent_id, 'status': 'unchanged'})
 
     print(json.dumps({
         'module': args.module,
-        'synced_tools': [tool.action for tool in tools],
-        'synced_agents': [agent['agent_id'] for agent in created_agents],
+        'project': args.project,
+        'tools': {
+            'added_or_updated': [tool['action'] for tool in tools_to_sync],
+            'unchanged': [tool.action for tool in tools if tool.action not in {item['action'] for item in tools_to_sync}],
+        },
+        'agents': agent_results,
     }, indent=2))
     return 0
 
@@ -163,6 +200,41 @@ def delete_agent_command(args) -> int:
     return 0
 
 
+def project_list_command(args) -> int:
+    client = AuthAPIClient()
+    projects = client.list_projects()
+    print(json.dumps(projects, indent=2))
+    return 0
+
+
+def project_create_command(args) -> int:
+    client = AuthAPIClient()
+    project = client.create_project(args.project_id, args.name, args.description or "")
+    print(json.dumps(project, indent=2))
+    return 0
+
+
+def token_create_command(args) -> int:
+    client = AuthAPIClient()
+    token = client.create_project_token(args.project, args.name, args.scopes or [])
+    print(json.dumps(token, indent=2))
+    return 0
+
+
+def token_list_command(args) -> int:
+    client = AuthAPIClient()
+    tokens = client.list_tokens(args.subject_type)
+    print(json.dumps(tokens, indent=2))
+    return 0
+
+
+def token_revoke_command(args) -> int:
+    client = AuthAPIClient()
+    result = client.revoke_token_by_jti(args.jti)
+    print(json.dumps(result, indent=2))
+    return 0
+
+
 def ui_command(args) -> int:
     creds = load_credentials() or {}
     base_url = (args.base_url or creds.get('base_url') or DEFAULT_BASE_URL).rstrip('/')
@@ -230,8 +302,38 @@ def main():
 
     sync_parser = subparsers.add_parser('sync', help='Import a module and sync its registered tools and agents')
     sync_parser.add_argument('--module', required=True)
+    sync_parser.add_argument('--project', help='Override the project_id used when creating synced agents')
     sync_parser.set_defaults(func=sync_command)
 
+    project_parser = subparsers.add_parser('project', help='Manage projects from the CLI')
+    project_subparsers = project_parser.add_subparsers(dest='project_command')
+
+    project_list_parser = project_subparsers.add_parser('list', help='List available projects')
+    project_list_parser.set_defaults(func=project_list_command)
+
+    project_create_parser = project_subparsers.add_parser('create', help='Create a project')
+    project_create_parser.add_argument('--project-id', required=True)
+    project_create_parser.add_argument('--name', required=True)
+    project_create_parser.add_argument('--description')
+    project_create_parser.set_defaults(func=project_create_command)
+
+    token_parser = subparsers.add_parser('token', help='Manage project tokens from the CLI')
+    token_subparsers = token_parser.add_subparsers(dest='token_command')
+
+    token_create_parser = token_subparsers.add_parser('create', help='Create a project token')
+    token_create_parser.add_argument('--project', required=True)
+    token_create_parser.add_argument('--name', required=True)
+    token_create_parser.add_argument('--scope', dest='scopes', action='append', help='Scope to include. Repeat for multiple scopes.')
+    token_create_parser.set_defaults(func=token_create_command)
+
+    token_list_parser = token_subparsers.add_parser('list', help='List tokens')
+    token_list_parser.add_argument('--subject-type', choices=['user', 'agent', 'system'])
+    token_list_parser.set_defaults(func=token_list_command)
+
+    token_revoke_parser = token_subparsers.add_parser('revoke', help='Revoke a token by JTI')
+    token_revoke_parser.add_argument('--jti', required=True)
+    token_revoke_parser.set_defaults(func=token_revoke_command)
+
     delete_agent_parser = subparsers.add_parser('delete-agent', help='Delete an agent by ID')
     delete_agent_parser.add_argument('agent_id')
     delete_agent_parser.set_defaults(func=delete_agent_command)

{agentauthlayer-0.1.8 → agentauthlayer-0.1.10}/agent_auth/client.py

@@ -68,6 +68,10 @@ class AuthAPIClient:
             raise PermissionDeniedError(detail or "Permission denied")
         if response.status_code == 404 and path.startswith("/agents/"):
             raise AgentNotFoundError(detail or "Agent not found")
+        if response.status_code == 404 and path == "/agents" and detail and "Project not found" in detail:
+            raise AuthServiceError(
+                "Project not found. Create the project in the Agent Auth UI first, or update your agent's project_id to match an existing project."
+            )
         raise AuthServiceError(detail or f"Request failed with status {response.status_code}")
 
     def health(self) -> dict[str, Any]:
@@ -88,6 +92,44 @@ class AuthAPIClient:
             payload["project_id"] = project_id
         return self._request("POST", "/agents", json=payload)
 
+    def update_agent(self, agent_id: str, *, name: str | None = None, role: str | None = None, scopes: list[str] | None = None, project_id: str | None = None) -> dict[str, Any]:
+        payload: dict[str, Any] = {}
+        if name is not None:
+            payload["name"] = name
+        if role is not None:
+            payload["role"] = role
+        if scopes is not None:
+            payload["scopes"] = scopes
+        if project_id is not None:
+            payload["project_id"] = project_id
+        return self._request("PATCH", f"/agents/{agent_id}", json=payload)
+
+    def list_projects(self) -> list[dict[str, Any]]:
+        return self._request("GET", "/projects")
+
+    def create_project(self, project_id: str, name: str, description: str = "") -> dict[str, Any]:
+        return self._request(
+            "POST",
+            "/projects",
+            json={"project_id": project_id, "name": name, "description": description},
+        )
+
+    def create_project_token(self, project_id: str, name: str, scopes: list[str] | None = None) -> dict[str, Any]:
+        return self._request(
+            "POST",
+            "/tokens/project",
+            json={"project_id": project_id, "name": name, "scopes": scopes or []},
+        )
+
+    def list_tokens(self, subject_type: str | None = None) -> list[dict[str, Any]]:
+        path = "/tokens"
+        if subject_type:
+            path = f"/tokens?subject_type={subject_type}"
+        return self._request("GET", path)
+
+    def revoke_token_by_jti(self, jti: str) -> dict[str, Any]:
+        return self._request("POST", "/tokens/revoke", json={"jti": jti})
+
     def delete_agent(self, agent_id: str) -> dict[str, Any]:
         return self._request("DELETE", f"/agents/{agent_id}")
 
@@ -100,6 +142,9 @@ class AuthAPIClient:
     def sync_tools(self, permissions: list[dict[str, str]]) -> dict[str, Any]:
         return self._request("POST", "/policy/permissions/sync", json={"permissions": permissions})
 
+    def list_permissions(self) -> list[dict[str, Any]]:
+        return self._request("GET", "/policy/permissions")
+
     def evaluate(self, principal_id: str, action: str, resource: str | None = None, granted_scopes: list[str] | None = None, role: str | None = None, context: dict[str, str] | None = None) -> dict[str, Any]:
         return self._request(
             "POST",

agentauthlayer-0.1.10/agent_auth/context.py

@@ -0,0 +1,85 @@
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from typing import Any
+
+
+@dataclass(slots=True)
+class AuthContext:
+    principal_id: str
+    principal_type: str
+    jti: str
+    scopes: list[str] = field(default_factory=list)
+    role: str | None = None
+    email: str | None = None
+
+    @property
+    def subject_id(self) -> str:
+        return self.principal_id
+
+    @property
+    def subject_type(self) -> str:
+        return self.principal_type
+
+
+@dataclass(slots=True)
+class ExecutionContext:
+    principal_id: str | None = None
+    principal_type: str | None = None
+    agent_id: str | None = None
+    project_id: str | None = None
+    role: str | None = None
+    scopes: list[str] = field(default_factory=list)
+    context: dict[str, Any] = field(default_factory=dict)
+    email: str | None = None
+
+    def merged_context(self, extra: dict[str, Any] | None = None) -> dict[str, Any]:
+        merged = dict(self.context)
+        if self.project_id and 'project_id' not in merged:
+            merged['project_id'] = self.project_id
+        if self.agent_id and 'agent_id' not in merged:
+            merged['agent_id'] = self.agent_id
+        if self.principal_id and 'principal_id' not in merged:
+            merged['principal_id'] = self.principal_id
+        if self.principal_type and 'principal_type' not in merged:
+            merged['principal_type'] = self.principal_type
+        if extra:
+            merged.update(extra)
+        return merged
+
+    def project_scope(self) -> str | None:
+        for scope in self.scopes:
+            if scope.startswith('project:'):
+                return scope.split(':', 1)[1]
+        return None
+
+    def binding_mismatch_reason(self) -> str | None:
+        scoped_project = self.project_scope()
+        if self.project_id and scoped_project and self.project_id != scoped_project:
+            return f"project_scope_mismatch:{self.project_id}!={scoped_project}"
+        if self.principal_type == 'agent' and self.agent_id and self.principal_id and self.agent_id != self.principal_id:
+            return f"agent_principal_mismatch:{self.agent_id}!={self.principal_id}"
+        return None
+
+
+def execution_context_from_args(
+    *,
+    principal_id: str | None = None,
+    principal_type: str | None = None,
+    agent_id: str | None = None,
+    project_id: str | None = None,
+    role: str | None = None,
+    scopes: list[str] | None = None,
+    context: dict[str, Any] | None = None,
+    email: str | None = None,
+) -> ExecutionContext:
+    return ExecutionContext(
+        principal_id=principal_id,
+        principal_type=principal_type,
+        agent_id=agent_id,
+        project_id=project_id,
+        role=role,
+        scopes=scopes or [],
+        context=context or {},
+        email=email,
+    )

{agentauthlayer-0.1.8 → agentauthlayer-0.1.10}/agent_auth/policy.py

@@ -270,16 +270,28 @@ def require_permission(action: str, resource: str | None = None):
     def decorator(func: Callable):
         @wraps(func)
         def wrapper(*args, **kwargs):
-            agent_id = kwargs.get('agent_id') or (args[0] if args else None)
-            role = kwargs.get('role')
-            context = kwargs.get('context', {}) or {}
-            granted_scopes = kwargs.get('granted_scopes', []) or []
-            resource_value = kwargs.get('resource') or resource or '*'
+            execution_context = kwargs.get('execution_context')
+
+            if execution_context is not None:
+                mismatch = execution_context.binding_mismatch_reason()
+                if mismatch:
+                    raise PermissionError(f'Access Denied: {mismatch}')
+                principal_id = execution_context.principal_id or execution_context.agent_id
+                role = execution_context.role
+                context = execution_context.merged_context()
+                granted_scopes = execution_context.scopes or []
+                resource_value = kwargs.get('resource') or resource or '*'
+            else:
+                principal_id = kwargs.get('agent_id') or (args[0] if args else None)
+                role = kwargs.get('role')
+                context = kwargs.get('context', {}) or {}
+                granted_scopes = kwargs.get('granted_scopes', []) or []
+                resource_value = kwargs.get('resource') or resource or '*'
 
             evaluator = PolicyEvaluator()
             decision = evaluator.evaluate(
                 PolicyRequest(
-                    principal_id=agent_id or 'unknown',
+                    principal_id=principal_id or 'unknown',
                     action=action,
                     resource=resource_value,
                     granted_scopes=granted_scopes,

{agentauthlayer-0.1.8 → agentauthlayer-0.1.10}/agent_auth/server_runtime.py

@@ -21,8 +21,15 @@ def fallback_data_dir() -> Path:
     return Path.home() / ".agentauth"
 
 
+def project_dir() -> Path:
+    explicit_project_dir = os.getenv("AGENTAUTH_PROJECT_DIR")
+    if explicit_project_dir:
+        return Path(explicit_project_dir).expanduser().resolve()
+    return Path.cwd().resolve()
+
+
 def project_state_dir() -> Path:
-    return Path.cwd() / ".agentauth"
+    return project_dir() / ".agentauth"
 
 
 def local_data_dir() -> Path:
@@ -30,7 +37,7 @@ def local_data_dir() -> Path:
     if explicit_state_dir:
         return Path(explicit_state_dir).expanduser().resolve()
 
-    cwd = Path.cwd()
+    cwd = project_dir()
     if cwd.exists() and cwd.is_dir():
         return project_state_dir()
 
@@ -59,6 +66,7 @@ def ensure_local_env(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT) -> dict
     env.setdefault("JWT_SECRET_KEY", f"agentauth_local_{secrets.token_urlsafe(24)}")
     env.setdefault("CORS_ORIGINS", "*")
     env.setdefault("AGENTAUTH_STATE_DIR", str(data_dir))
+    env.setdefault("AGENTAUTH_PROJECT_DIR", str(project_dir()))
     return env