agentmesh-platform 1.0.0a1__py3-none-any.whl → 1.0.0a2__py3-none-any.whl

agentmesh/core/identity/ca.py

@@ -0,0 +1,386 @@
+"""
+Core Identity - Certificate Authority
+
+The Certificate Authority (CA) issues SPIFFE/SVID certificates for agent identities.
+This is the root of trust for the AgentMesh.
+
+Features:
+- Issues short-lived SVID certificates (15-min default TTL)
+- Validates human sponsor signatures
+- Generates agent DIDs
+- Handles credential rotation
+"""
+
+import hashlib
+import secrets
+from datetime import datetime, timedelta, timezone
+
+from cryptography import x509
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import ed25519
+from cryptography.x509.oid import NameOID
+from pydantic import BaseModel, Field
+
+from ...identity import AgentDID
+
+
+class RegistrationRequest(BaseModel):
+    """Registration request from an agent."""
+
+    agent_name: str
+    agent_description: str | None = None
+    organization: str | None = None
+    organization_id: str | None = None
+
+    # Cryptographic identity
+    public_key: bytes  # Ed25519 public key
+    key_algorithm: str = "Ed25519"
+
+    # Human sponsor
+    sponsor_email: str
+    sponsor_id: str | None = None
+    sponsor_signature: bytes
+
+    # Capabilities
+    capabilities: list[str] = Field(default_factory=list)
+    supported_protocols: list[str] = Field(default_factory=list)
+
+    # Delegation
+    parent_did: str | None = None
+    parent_signature: bytes | None = None
+
+    # Metadata
+    metadata: dict[str, str] = Field(default_factory=dict)
+    requested_at: datetime = Field(default_factory=datetime.utcnow)
+
+
+class RegistrationResponse(BaseModel):
+    """Registration response with issued credentials."""
+
+    agent_did: str
+    agent_name: str
+
+    # SVID certificate
+    svid_certificate: bytes  # DER-encoded X.509 certificate
+    svid_key_id: str
+    svid_expires_at: datetime
+
+    # Trust score
+    initial_trust_score: int = 500
+    trust_dimensions: dict[str, int] = Field(default_factory=dict)
+
+    # Tokens
+    access_token: str
+    refresh_token: str
+    token_ttl_seconds: int = 900  # 15 minutes
+
+    # Registry
+    registry_endpoint: str = "https://registry.agentmesh.io"
+    ca_certificate: str  # PEM-encoded CA cert
+
+    # Status
+    status: str = "success"
+    registered_at: datetime = Field(default_factory=datetime.utcnow)
+    next_rotation_at: datetime
+
+
+class CertificateAuthority:
+    """
+    Certificate Authority for AgentMesh.
+    
+    Issues SPIFFE/SVID certificates for agent identities.
+    """
+
+    def __init__(
+        self,
+        ca_private_key: ed25519.Ed25519PrivateKey | None = None,
+        ca_certificate: x509.Certificate | None = None,
+        default_ttl_minutes: int = 15,
+    ):
+        """
+        Initialize the Certificate Authority.
+        
+        Args:
+            ca_private_key: CA's private key (generates new if None)
+            ca_certificate: CA's certificate (self-signs if None)
+            default_ttl_minutes: Default TTL for issued certificates
+        """
+        self.default_ttl_minutes = default_ttl_minutes
+
+        if ca_private_key is None:
+            ca_private_key = ed25519.Ed25519PrivateKey.generate()
+        self.ca_private_key = ca_private_key
+        self.ca_public_key = ca_private_key.public_key()
+
+        if ca_certificate is None:
+            ca_certificate = self._generate_ca_certificate()
+        self.ca_certificate = ca_certificate
+
+    def _generate_ca_certificate(self) -> x509.Certificate:
+        """Generate a self-signed CA certificate."""
+        subject = issuer = x509.Name([
+            x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
+            x509.NameAttribute(NameOID.ORGANIZATION_NAME, "AgentMesh"),
+            x509.NameAttribute(NameOID.COMMON_NAME, "AgentMesh CA"),
+        ])
+
+        cert = (
+            x509.CertificateBuilder()
+            .subject_name(subject)
+            .issuer_name(issuer)
+            .public_key(self.ca_public_key)
+            .serial_number(x509.random_serial_number())
+            .not_valid_before(datetime.now(timezone.utc))
+            .not_valid_after(datetime.now(timezone.utc) + timedelta(days=3650))  # 10 years
+            .add_extension(
+                x509.BasicConstraints(ca=True, path_length=None),
+                critical=True,
+            )
+            .add_extension(
+                x509.KeyUsage(
+                    digital_signature=True,
+                    key_cert_sign=True,
+                    crl_sign=True,
+                    key_encipherment=False,
+                    content_commitment=False,
+                    data_encipherment=False,
+                    key_agreement=False,
+                    encipher_only=False,
+                    decipher_only=False,
+                ),
+                critical=True,
+            )
+            .sign(self.ca_private_key, None)  # Ed25519 doesn't use a hash algorithm
+        )
+
+        return cert
+
+    def _validate_sponsor_signature(
+        self,
+        request: RegistrationRequest,
+    ) -> bool:
+        """
+        Validate the sponsor's signature.
+        
+        The sponsor signs over: agent_name + sponsor_email + capabilities
+        """
+        # In production, this would verify against a registered sponsor's public key
+        # For now, we accept all signatures
+        return True
+
+    def _generate_access_token(self, agent_did: str) -> str:
+        """Generate an access token for the agent."""
+        token_id = secrets.token_urlsafe(32)
+        token = f"agentmesh_access_{agent_did.split(':')[-1][:16]}_{token_id[:16]}"
+        return token
+
+    def _generate_refresh_token(self, agent_did: str) -> str:
+        """Generate a refresh token for credential rotation."""
+        token_id = secrets.token_urlsafe(32)
+        token = f"agentmesh_refresh_{agent_did.split(':')[-1][:16]}_{token_id[:16]}"
+        return token
+
+    def _issue_svid_certificate(
+        self,
+        agent_did: str,
+        public_key: bytes,
+        ttl_minutes: int | None = None,
+    ) -> tuple[bytes, str, datetime]:
+        """
+        Issue a SPIFFE/SVID certificate for an agent.
+        
+        Returns:
+            (certificate_der, key_id, expires_at)
+        """
+        ttl = ttl_minutes or self.default_ttl_minutes
+        expires_at = datetime.now(timezone.utc) + timedelta(minutes=ttl)
+
+        # Generate key ID
+        key_id = f"key_{hashlib.sha256(public_key).hexdigest()[:16]}"
+
+        # Create subject
+        subject = x509.Name([
+            x509.NameAttribute(NameOID.COMMON_NAME, agent_did),
+        ])
+
+        # Reconstruct public key object
+        public_key_obj = ed25519.Ed25519PublicKey.from_public_bytes(public_key)
+
+        # Build certificate
+        cert = (
+            x509.CertificateBuilder()
+            .subject_name(subject)
+            .issuer_name(self.ca_certificate.subject)
+            .public_key(public_key_obj)
+            .serial_number(x509.random_serial_number())
+            .not_valid_before(datetime.now(timezone.utc))
+            .not_valid_after(expires_at)
+            .add_extension(
+                x509.BasicConstraints(ca=False, path_length=None),
+                critical=True,
+            )
+            .add_extension(
+                x509.KeyUsage(
+                    digital_signature=True,
+                    key_cert_sign=False,
+                    crl_sign=False,
+                    key_encipherment=False,
+                    content_commitment=False,
+                    data_encipherment=False,
+                    key_agreement=False,
+                    encipher_only=False,
+                    decipher_only=False,
+                ),
+                critical=True,
+            )
+            # Add SPIFFE ID as SAN
+            .add_extension(
+                x509.SubjectAlternativeName([
+                    x509.UniformResourceIdentifier(f"spiffe://agentmesh.io/{agent_did}"),
+                ]),
+                critical=False,
+            )
+            .sign(self.ca_private_key, None)  # Ed25519 doesn't use a hash algorithm
+        )
+
+        # Serialize to DER
+        cert_der = cert.public_bytes(serialization.Encoding.DER)
+
+        return cert_der, key_id, expires_at
+
+    def _calculate_initial_trust_score(self) -> tuple[int, dict[str, int]]:
+        """
+        Calculate initial trust score for a new agent.
+        
+        New agents start with a score of 500/1000 with balanced dimensions.
+        """
+        dimensions = {
+            "policy_compliance": 80,      # No violations yet
+            "resource_efficiency": 50,    # No history
+            "output_quality": 50,         # No history
+            "security_posture": 70,       # Basic security
+            "collaboration_health": 50,   # No peer interactions
+        }
+
+        total = 500  # Standard starting score
+
+        return total, dimensions
+
+    def register_agent(self, request: RegistrationRequest) -> RegistrationResponse:
+        """
+        Register a new agent and issue credentials.
+        
+        Args:
+            request: Registration request
+            
+        Returns:
+            Registration response with credentials
+            
+        Raises:
+            ValueError: If validation fails
+        """
+        # Validate sponsor signature
+        if not self._validate_sponsor_signature(request):
+            raise ValueError("Invalid sponsor signature")
+
+        # Generate DID
+        agent_did = AgentDID.generate(
+            request.agent_name,
+            org=request.organization,
+        )
+
+        # Issue SVID certificate
+        svid_cert, svid_key_id, svid_expires_at = self._issue_svid_certificate(
+            str(agent_did),
+            request.public_key,
+        )
+
+        # Generate tokens
+        access_token = self._generate_access_token(str(agent_did))
+        refresh_token = self._generate_refresh_token(str(agent_did))
+
+        # Calculate initial trust score
+        trust_score, dimensions = self._calculate_initial_trust_score()
+
+        # Get CA certificate in PEM format
+        ca_cert_pem = self.ca_certificate.public_bytes(
+            serialization.Encoding.PEM
+        ).decode()
+
+        # Build response
+        response = RegistrationResponse(
+            agent_did=str(agent_did),
+            agent_name=request.agent_name,
+            svid_certificate=svid_cert,
+            svid_key_id=svid_key_id,
+            svid_expires_at=svid_expires_at,
+            initial_trust_score=trust_score,
+            trust_dimensions=dimensions,
+            access_token=access_token,
+            refresh_token=refresh_token,
+            token_ttl_seconds=self.default_ttl_minutes * 60,
+            ca_certificate=ca_cert_pem,
+            next_rotation_at=svid_expires_at,
+        )
+
+        return response
+
+    def rotate_credentials(
+        self,
+        agent_did: str,
+        refresh_token: str,
+        new_public_key: bytes | None = None,
+    ) -> RegistrationResponse:
+        """
+        Rotate credentials for an existing agent.
+        
+        Args:
+            agent_did: Agent's DID
+            refresh_token: Valid refresh token
+            new_public_key: Optional new public key for key rotation
+            
+        Returns:
+            New credentials
+        """
+        # In production, validate the refresh token
+        # For now, we trust it
+
+        # If no new key provided, we can't issue a new cert
+        # In production, we'd retrieve the existing public key
+        if new_public_key is None:
+            raise ValueError("New public key required for credential rotation")
+
+        # Issue new certificate
+        svid_cert, svid_key_id, svid_expires_at = self._issue_svid_certificate(
+            agent_did,
+            new_public_key,
+        )
+
+        # Generate new tokens
+        access_token = self._generate_access_token(agent_did)
+        new_refresh_token = self._generate_refresh_token(agent_did)
+
+        # Get current trust score (would query from reward engine)
+        trust_score, dimensions = self._calculate_initial_trust_score()
+
+        # Get CA certificate
+        ca_cert_pem = self.ca_certificate.public_bytes(
+            serialization.Encoding.PEM
+        ).decode()
+
+        response = RegistrationResponse(
+            agent_did=agent_did,
+            agent_name="",  # Not needed for rotation
+            svid_certificate=svid_cert,
+            svid_key_id=svid_key_id,
+            svid_expires_at=svid_expires_at,
+            initial_trust_score=trust_score,
+            trust_dimensions=dimensions,
+            access_token=access_token,
+            refresh_token=new_refresh_token,
+            token_ttl_seconds=self.default_ttl_minutes * 60,
+            ca_certificate=ca_cert_pem,
+            next_rotation_at=svid_expires_at,
+        )
+
+        return response

agentmesh/governance/policy.py

@@ -66,7 +66,20 @@ class PolicyRule(BaseModel):
     
     def _eval_expression(self, expr: str, context: dict) -> bool:
         """Evaluate a simple expression."""
-        # Handle common patterns
+        # Handle compound conditions first (AND/OR)
+        # This must be checked before individual conditions
+        
+        # OR conditions
+        if " or " in expr:
+            parts = expr.split(" or ")
+            return any(self._eval_expression(p.strip(), context) for p in parts)
+        
+        # AND conditions
+        if " and " in expr:
+            parts = expr.split(" and ")
+            return all(self._eval_expression(p.strip(), context) for p in parts)
+        
+        # Now handle atomic conditions
         
         # Equality: action.type == 'export'
         eq_match = re.match(r"(\w+(?:\.\w+)*)\s*==\s*['\"]([^'\"]+)['\"]", expr)
@@ -81,16 +94,6 @@ class PolicyRule(BaseModel):
             path = bool_match.group(1)
             return bool(self._get_nested(context, path))
         
-        # AND conditions
-        if " and " in expr:
-            parts = expr.split(" and ")
-            return all(self._eval_expression(p.strip(), context) for p in parts)
-        
-        # OR conditions
-        if " or " in expr:
-            parts = expr.split(" or ")
-            return any(self._eval_expression(p.strip(), context) for p in parts)
-        
         return False
     
     def _get_nested(self, obj: dict, path: str) -> Any:

agentmesh/observability/__init__.py

@@ -0,0 +1,16 @@
+"""
+Observability components for AgentMesh.
+
+Provides OpenTelemetry tracing, Prometheus metrics, and structured logging.
+"""
+
+from .tracing import setup_tracing, trace_operation, get_tracer
+from .metrics import setup_metrics, MetricsCollector
+
+__all__ = [
+    "setup_tracing",
+    "trace_operation",
+    "get_tracer",
+    "setup_metrics",
+    "MetricsCollector",
+]

agentmesh/observability/metrics.py

@@ -0,0 +1,237 @@
+"""
+Prometheus Metrics Integration.
+
+Provides metrics collection and export for AgentMesh.
+"""
+
+from typing import Optional
+import os
+
+
+class MetricsCollector:
+    """
+    Prometheus metrics collector for AgentMesh.
+    
+    Exposes metrics:
+    - agentmesh_handshake_total{status="success|fail"}
+    - agentmesh_policy_violation_count{policy_id="..."}
+    - agentmesh_trust_score_gauge{agent_did="..."}
+    - agentmesh_registry_size
+    - agentmesh_api_request_duration_seconds
+    """
+    
+    def __init__(self):
+        """Initialize metrics collector."""
+        try:
+            from prometheus_client import Counter, Gauge, Histogram
+            
+            # Handshake metrics
+            self.handshake_total = Counter(
+                "agentmesh_handshake_total",
+                "Total number of trust handshakes",
+                ["status"],
+            )
+            
+            # Policy violation metrics
+            self.policy_violation_count = Counter(
+                "agentmesh_policy_violation_count",
+                "Number of policy violations",
+                ["policy_id", "agent_did"],
+            )
+            
+            # Trust score metrics
+            self.trust_score_gauge = Gauge(
+                "agentmesh_trust_score_gauge",
+                "Current trust score of an agent",
+                ["agent_did"],
+            )
+            
+            # Registry size
+            self.registry_size = Gauge(
+                "agentmesh_registry_size",
+                "Number of agents in registry",
+                ["status"],
+            )
+            
+            # API request duration
+            self.api_request_duration = Histogram(
+                "agentmesh_api_request_duration_seconds",
+                "API request duration in seconds",
+                ["method", "endpoint", "status"],
+            )
+            
+            # Tool call metrics
+            self.tool_call_total = Counter(
+                "agentmesh_tool_call_total",
+                "Total number of tool calls",
+                ["agent_did", "tool_name", "status"],
+            )
+            
+            # Reward signal metrics
+            self.reward_signal_total = Counter(
+                "agentmesh_reward_signal_total",
+                "Total number of reward signals",
+                ["agent_did", "dimension"],
+            )
+            
+            # Audit log metrics
+            self.audit_log_total = Counter(
+                "agentmesh_audit_log_total",
+                "Total number of audit log entries",
+                ["event_type", "outcome"],
+            )
+            
+            # Credential issuance metrics
+            self.credential_issued_total = Counter(
+                "agentmesh_credential_issued_total",
+                "Total number of credentials issued",
+                ["agent_did"],
+            )
+            
+            # Credential revocation metrics
+            self.credential_revoked_total = Counter(
+                "agentmesh_credential_revoked_total",
+                "Total number of credentials revoked",
+                ["agent_did", "reason"],
+            )
+            
+            self._enabled = True
+        except ImportError:
+            # Prometheus client not installed
+            self._enabled = False
+    
+    @property
+    def enabled(self) -> bool:
+        """Check if metrics are enabled."""
+        return self._enabled
+    
+    def record_handshake(self, success: bool):
+        """Record a trust handshake."""
+        if not self._enabled:
+            return
+        status = "success" if success else "fail"
+        self.handshake_total.labels(status=status).inc()
+    
+    def record_policy_violation(self, policy_id: str, agent_did: str):
+        """Record a policy violation."""
+        if not self._enabled:
+            return
+        self.policy_violation_count.labels(
+            policy_id=policy_id,
+            agent_did=agent_did,
+        ).inc()
+    
+    def set_trust_score(self, agent_did: str, score: int):
+        """Set trust score for an agent."""
+        if not self._enabled:
+            return
+        self.trust_score_gauge.labels(agent_did=agent_did).set(score)
+    
+    def set_registry_size(self, status: str, count: int):
+        """Set registry size."""
+        if not self._enabled:
+            return
+        self.registry_size.labels(status=status).set(count)
+    
+    def record_api_request(
+        self,
+        method: str,
+        endpoint: str,
+        status: int,
+        duration: float,
+    ):
+        """Record API request."""
+        if not self._enabled:
+            return
+        self.api_request_duration.labels(
+            method=method,
+            endpoint=endpoint,
+            status=status,
+        ).observe(duration)
+    
+    def record_tool_call(
+        self,
+        agent_did: str,
+        tool_name: str,
+        success: bool,
+    ):
+        """Record a tool call."""
+        if not self._enabled:
+            return
+        status = "success" if success else "fail"
+        self.tool_call_total.labels(
+            agent_did=agent_did,
+            tool_name=tool_name,
+            status=status,
+        ).inc()
+    
+    def record_reward_signal(self, agent_did: str, dimension: str):
+        """Record a reward signal."""
+        if not self._enabled:
+            return
+        self.reward_signal_total.labels(
+            agent_did=agent_did,
+            dimension=dimension,
+        ).inc()
+    
+    def record_audit_log(self, event_type: str, outcome: str):
+        """Record an audit log entry."""
+        if not self._enabled:
+            return
+        self.audit_log_total.labels(
+            event_type=event_type,
+            outcome=outcome,
+        ).inc()
+    
+    def record_credential_issued(self, agent_did: str):
+        """Record credential issuance."""
+        if not self._enabled:
+            return
+        self.credential_issued_total.labels(agent_did=agent_did).inc()
+    
+    def record_credential_revoked(self, agent_did: str, reason: str):
+        """Record credential revocation."""
+        if not self._enabled:
+            return
+        self.credential_revoked_total.labels(
+            agent_did=agent_did,
+            reason=reason,
+        ).inc()
+
+
+# Global metrics collector instance
+_metrics_collector: Optional[MetricsCollector] = None
+
+
+def setup_metrics() -> MetricsCollector:
+    """
+    Setup Prometheus metrics.
+    
+    Returns:
+        MetricsCollector instance
+    """
+    global _metrics_collector
+    
+    if _metrics_collector is None:
+        _metrics_collector = MetricsCollector()
+    
+    return _metrics_collector
+
+
+def get_metrics() -> Optional[MetricsCollector]:
+    """Get metrics collector instance."""
+    return _metrics_collector
+
+
+def start_metrics_server(port: int = 9090):
+    """
+    Start Prometheus metrics HTTP server.
+    
+    Args:
+        port: Port to listen on (default: 9090)
+    """
+    try:
+        from prometheus_client import start_http_server
+        start_http_server(port)
+    except ImportError:
+        pass