auths-python 0.1.0__cp38-abi3-win_amd64.whl

auths/trust.py

@@ -0,0 +1,169 @@
+from __future__ import annotations
+
+import enum
+import json
+from dataclasses import dataclass
+from typing import Optional
+
+from auths._native import (
+    get_pinned_identity as _get_pinned_identity,
+    list_pinned_identities as _list_pinned_identities,
+    pin_identity as _pin_identity,
+    remove_pinned_identity as _remove_pinned_identity,
+)
+from auths._client import _map_error
+from auths._errors import AuthsError
+
+
+class TrustLevel(enum.Enum):
+    """Trust level for a pinned identity.
+
+    Values match the Rust ``TrustLevel`` enum in ``auths-core/src/trust/pinned.rs``.
+    """
+
+    TOFU = "tofu"
+    """Accepted on first use (interactive prompt)."""
+    MANUAL = "manual"
+    """Manually pinned via CLI or ``--issuer-pk``."""
+    ORG_POLICY = "org_policy"
+    """Loaded from roots.json org policy file."""
+
+
+@dataclass
+class TrustEntry:
+    """A pinned trusted identity."""
+
+    did: str
+    label: Optional[str]
+    trust_level: str
+    first_seen: str
+    kel_sequence: Optional[int]
+    pinned_at: str
+
+    @property
+    def trust_level_enum(self) -> TrustLevel:
+        """Parse the trust_level string into a typed :class:`TrustLevel` enum."""
+        return TrustLevel(self.trust_level)
+
+
+class TrustService:
+    """Resource service for trust anchor management."""
+
+    def __init__(self, client):
+        self._client = client
+
+    def pin(
+        self,
+        did: str,
+        label: str | None = None,
+        trust_level: str = "manual",
+        repo_path: str | None = None,
+    ) -> TrustEntry:
+        """Pin an identity as trusted.
+
+        Args:
+            did: The DID to trust (`did:keri:...` or `did:key:...`).
+            label: Optional human-readable label.
+            trust_level: One of "tofu", "manual", "org_policy".
+
+        Usage:
+            entry = client.trust.pin(identity.did, label="peer")
+        """
+        rp = repo_path or self._client.repo_path
+        try:
+            did_out, lbl, tl, first_seen, kel_seq, pinned_at = _pin_identity(
+                did, rp, label, trust_level,
+            )
+            return TrustEntry(
+                did=did_out,
+                label=lbl,
+                trust_level=tl,
+                first_seen=first_seen,
+                kel_sequence=kel_seq,
+                pinned_at=pinned_at,
+            )
+        except (ValueError, RuntimeError) as exc:
+            raise _map_error(exc, default_cls=AuthsError) from exc
+
+    def remove(
+        self,
+        did: str,
+        repo_path: str | None = None,
+    ) -> None:
+        """Remove a pinned identity from the trust store.
+
+        Usage:
+            client.trust.remove(identity.did)
+        """
+        rp = repo_path or self._client.repo_path
+        try:
+            _remove_pinned_identity(did, rp)
+        except (ValueError, RuntimeError) as exc:
+            raise _map_error(exc, default_cls=AuthsError) from exc
+
+    def list(
+        self,
+        repo_path: str | None = None,
+    ) -> list[TrustEntry]:
+        """List all pinned trusted identities.
+
+        Usage:
+            entries = client.trust.list()
+        """
+        rp = repo_path or self._client.repo_path
+        try:
+            raw = _list_pinned_identities(rp)
+            data = json.loads(raw)
+            return [
+                TrustEntry(
+                    did=e["did"],
+                    label=e.get("label"),
+                    trust_level=e["trust_level"],
+                    first_seen=e["first_seen"],
+                    kel_sequence=e.get("kel_sequence"),
+                    pinned_at=e["pinned_at"],
+                )
+                for e in data
+            ]
+        except (ValueError, RuntimeError) as exc:
+            raise _map_error(exc, default_cls=AuthsError) from exc
+
+    def get(
+        self,
+        did: str,
+        repo_path: str | None = None,
+    ) -> TrustEntry | None:
+        """Look up a specific pinned identity. Returns None if not pinned.
+
+        Usage:
+            entry = client.trust.get(identity.did)
+        """
+        rp = repo_path or self._client.repo_path
+        try:
+            result = _get_pinned_identity(did, rp)
+            if result is None:
+                return None
+            did_out, lbl, tl, first_seen, kel_seq, pinned_at = result
+            return TrustEntry(
+                did=did_out,
+                label=lbl,
+                trust_level=tl,
+                first_seen=first_seen,
+                kel_sequence=kel_seq,
+                pinned_at=pinned_at,
+            )
+        except (ValueError, RuntimeError) as exc:
+            raise _map_error(exc, default_cls=AuthsError) from exc
+
+    def is_trusted(
+        self,
+        did: str,
+        repo_path: str | None = None,
+    ) -> bool:
+        """Check whether a DID is in the trust store.
+
+        Usage:
+            if client.trust.is_trusted(identity.did):
+                print("Trusted!")
+        """
+        return self.get(did, repo_path=repo_path) is not None

auths/verify.py

@@ -0,0 +1,111 @@
+"""Witness-based attestation chain verification."""
+
+from __future__ import annotations
+
+import json
+from dataclasses import dataclass
+
+from auths._native import (
+    verify_at_time,
+    verify_at_time_with_capability,
+    verify_attestation,
+    verify_attestation_with_capability,
+    verify_chain,
+    verify_chain_with_capability,
+    verify_chain_with_witnesses as _verify_chain_with_witnesses,
+    verify_device_authorization,
+)
+
+
+@dataclass
+class WitnessKey:
+    """A witness node's identity and public key."""
+
+    did: str
+    """The witness node's DID."""
+    public_key_hex: str
+    """Hex-encoded Ed25519 public key of the witness."""
+
+    def __repr__(self) -> str:
+        return f"WitnessKey(did='{self.did[:20]}...')"
+
+
+@dataclass
+class WitnessConfig:
+    """Configuration for witness quorum verification.
+
+    Examples:
+        ```python
+        config = WitnessConfig(
+            receipts=[receipt1_json, receipt2_json],
+            keys=[WitnessKey("did:key:z...", "ab12...")],
+            threshold=2,
+        )
+        ```
+    """
+
+    receipts: list[str]
+    """JSON-serialized witness receipt strings."""
+    keys: list[WitnessKey]
+    """Witness public keys to verify receipts against."""
+    threshold: int
+    """Minimum number of valid witness receipts required."""
+
+    def __post_init__(self):
+        if self.threshold < 1:
+            raise ValueError(f"threshold must be >= 1, got {self.threshold}")
+        if self.threshold > len(self.keys):
+            raise ValueError(
+                f"threshold ({self.threshold}) cannot exceed number of "
+                f"witness keys ({len(self.keys)})"
+            )
+
+
+def verify_chain_with_witnesses(
+    attestations_json: list[str],
+    root_pk_hex: str,
+    witnesses: WitnessConfig,
+):
+    """Verify an attestation chain with witness receipt quorum enforcement.
+
+    Args:
+        attestations_json: List of attestation JSON strings, ordered root-to-leaf.
+        root_pk_hex: Root identity's Ed25519 public key (hex-encoded).
+        witnesses: Witness configuration with receipts, keys, and threshold.
+
+    Returns:
+        VerificationReport with per-link results and witness quorum status.
+
+    Raises:
+        VerificationError: If the chain or witness quorum fails verification.
+
+    Examples:
+        ```python
+        report = verify_chain_with_witnesses(chain, root_key, config)
+        ```
+    """
+    keys_json = [
+        json.dumps({"did": k.did, "public_key_hex": k.public_key_hex})
+        for k in witnesses.keys
+    ]
+    return _verify_chain_with_witnesses(
+        attestations_json,
+        root_pk_hex,
+        witnesses.receipts,
+        keys_json,
+        witnesses.threshold,
+    )
+
+
+__all__ = [
+    "WitnessConfig",
+    "WitnessKey",
+    "verify_at_time",
+    "verify_at_time_with_capability",
+    "verify_attestation",
+    "verify_attestation_with_capability",
+    "verify_chain",
+    "verify_chain_with_capability",
+    "verify_chain_with_witnesses",
+    "verify_device_authorization",
+]

auths/witness.py

@@ -0,0 +1,91 @@
+from __future__ import annotations
+
+import json
+from dataclasses import dataclass
+from typing import Optional
+
+from auths._native import (
+    add_witness as _add_witness,
+    list_witnesses as _list_witnesses,
+    remove_witness as _remove_witness,
+)
+from auths._client import _map_error
+from auths._errors import AuthsError
+
+
+@dataclass
+class Witness:
+    """A configured witness endpoint."""
+
+    url: str
+    did: Optional[str]
+    label: Optional[str]
+
+
+class WitnessService:
+    """Resource service for witness configuration."""
+
+    def __init__(self, client):
+        self._client = client
+
+    def add(
+        self,
+        url: str,
+        label: str | None = None,
+        repo_path: str | None = None,
+    ) -> Witness:
+        """Add a witness URL to the identity configuration.
+
+        Args:
+            url: Witness server URL (e.g. "http://127.0.0.1:3333").
+            label: Optional human-readable label.
+
+        Usage:
+            w = client.witnesses.add("https://witness.example.com")
+        """
+        rp = repo_path or self._client.repo_path
+        try:
+            url_out, did, lbl = _add_witness(url, rp, label)
+            return Witness(url=url_out, did=did, label=lbl)
+        except (ValueError, RuntimeError) as exc:
+            raise _map_error(exc, default_cls=AuthsError) from exc
+
+    def remove(
+        self,
+        url: str,
+        repo_path: str | None = None,
+    ) -> None:
+        """Remove a witness URL from configuration.
+
+        Usage:
+            client.witnesses.remove("https://witness.example.com")
+        """
+        rp = repo_path or self._client.repo_path
+        try:
+            _remove_witness(url, rp)
+        except (ValueError, RuntimeError) as exc:
+            raise _map_error(exc, default_cls=AuthsError) from exc
+
+    def list(
+        self,
+        repo_path: str | None = None,
+    ) -> list[Witness]:
+        """List all configured witnesses.
+
+        Usage:
+            witnesses = client.witnesses.list()
+        """
+        rp = repo_path or self._client.repo_path
+        try:
+            raw = _list_witnesses(rp)
+            data = json.loads(raw)
+            return [
+                Witness(
+                    url=w["url"],
+                    did=w.get("did"),
+                    label=w.get("label"),
+                )
+                for w in data
+            ]
+        except (ValueError, RuntimeError) as exc:
+            raise _map_error(exc, default_cls=AuthsError) from exc

auths_python-0.1.0.dist-info/METADATA

@@ -0,0 +1,152 @@
+Metadata-Version: 2.4
+Name: auths-python
+Version: 0.1.0
+Classifier: Development Status :: 4 - Beta
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: Implementation :: CPython
+Classifier: Programming Language :: Rust
+Classifier: Operating System :: MacOS
+Classifier: Operating System :: Microsoft :: Windows
+Classifier: Operating System :: POSIX :: Linux
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Typing :: Typed
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Software Development :: Version Control :: Git
+Requires-Dist: pyjwt>=2.0 ; extra == 'jwt'
+Requires-Dist: cryptography>=3.0 ; extra == 'jwt'
+Provides-Extra: jwt
+Summary: Auths Python SDK - decentralized identity for developers and AI agents
+Keywords: identity,cryptography,did,signing,verification,git,keri
+License: Apache-2.0
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown; charset=UTF-8; variant=GFM
+Project-URL: Bug Tracker, https://github.com/auths-dev/auths/issues
+Project-URL: Documentation, https://docs.auths.dev
+Project-URL: Homepage, https://auths.dev
+Project-URL: Repository, https://github.com/auths-dev/auths
+
+# Auths Python SDK
+
+Decentralized identity for developers and AI agents. Sign, verify, and manage cryptographic identities with Git-native storage.
+
+## Install
+
+```bash
+pip install auths-python
+```
+
+## Quick start
+
+```python
+from auths import Auths
+
+auths = Auths()
+
+# Verify an attestation
+result = auths.verify(attestation_json=data, issuer_key=public_key_hex)
+print(result.valid)  # True
+
+# Sign bytes
+signature = auths.sign(b"hello world", private_key=secret_key_hex)
+```
+
+## Identity management
+
+```python
+from auths import Auths
+
+auths = Auths(repo_path="~/.auths")
+
+# Create a cryptographic identity
+identity = auths.identities.create(label="laptop")
+print(identity.did)  # did:keri:EBfd...
+
+# Provision an agent (for CI, MCP servers, etc.)
+agent = auths.identities.provision_agent(
+    identity.did,
+    name="deploy-bot",
+    capabilities=["sign"],
+)
+
+# Sign using the keychain-stored identity key
+sig = auths.sign_as(b"hello world", identity=identity.did)
+
+# Link and manage devices
+device = auths.devices.link(identity_did=identity.did, capabilities=["sign"])
+auths.devices.revoke(device.did, identity_did=identity.did, note="replaced")
+```
+
+## Git commit verification
+
+```python
+from auths.git import verify_commit_range
+
+result = verify_commit_range("HEAD~5..HEAD")
+for commit in result.commits:
+    print(f"{commit.commit_sha}: {'valid' if commit.is_valid else commit.error}")
+```
+
+## Capability-aware verification
+
+```python
+# Verify an attestation grants a specific capability
+result = auths.verify(attestation_json=data, issuer_key=key, required_capability="sign_commit")
+
+# Verify an entire chain grants a capability
+report = auths.verify_chain(chain, root_key, required_capability="deploy")
+```
+
+## Agent auth for MCP / AI frameworks
+
+```python
+from auths.agent import AgentAuth
+
+auth = AgentAuth(
+    bridge_url="https://bridge.example.com",
+    attestation_chain_path=".auths/agent-chain.json",
+)
+token = auth.get_token(capabilities=["read", "write"])
+```
+
+## Error handling
+
+```python
+from auths import Auths, VerificationError, NetworkError
+
+auths = Auths()
+try:
+    result = auths.verify(attestation_json=data, issuer_key=key)
+except VerificationError as e:
+    print(e.code)     # "expired_attestation"
+    print(e.message)  # "Attestation expired at 2024-01-15T..."
+except NetworkError as e:
+    if e.should_retry:
+        pass  # safe to retry
+```
+
+All errors inherit from `AuthsError` and carry `.code`, `.message`, and `.context`.
+
+## Configuration
+
+```python
+# Auto-discover (uses ~/.auths)
+auths = Auths()
+
+# Explicit repo path
+auths = Auths(repo_path="/path/to/identity-repo")
+
+# With passphrase (or set AUTHS_PASSPHRASE env var)
+auths = Auths(passphrase="my-secret")
+
+# Headless / CI mode
+# Set AUTHS_KEYCHAIN_BACKEND=file for environments without a system keychain
+```
+
+## API reference
+
+Type stubs are bundled (`py.typed` + `__init__.pyi`). Your editor will show full signatures, docstrings, and return types for all methods.
+
+## License
+
+Apache-2.0
+

auths_python-0.1.0.dist-info/RECORD

@@ -0,0 +1,28 @@
+auths/__init__.py,sha256=xvo9RtGBE676iNFg5I11KdlnXJWhapVEEsVRW3xVgz8,3956
+auths/__init__.pyi,sha256=qXSbL9GNgJcb-f1yqU-CkhiKKdIcRiIQUROQefDpdRs,18303
+auths/_client.py,sha256=vL2f2E-UF6gvIKfhsmzdrk0y6clXSg5bV7SAh0eQh4c,26469
+auths/_errors.py,sha256=deTIgyCcUB_McrhVHk-vHHzXMPMe0ft748tpqgQwgpQ,2223
+auths/_native.pyd,sha256=OcyhwpsLTdKNt9AVJK85sEqWO6AIl8v_4bZ36qAhyqw,13433856
+auths/agent.py,sha256=OWIzWdbSs7CA2hdY21BM8qZFXL-8s7ygMUdVUw8PpLw,1713
+auths/artifact.py,sha256=IbtHM6pJhxTdPkYx6k3veTVS49wQ4VI1yGtWt1cl4FE,2070
+auths/attestation_query.py,sha256=KFuGXUxcpEuXawhFVzxAiqosGRaio-GtVhcuJtx10KQ,4573
+auths/audit.py,sha256=5vQvrJU2vomIPRJeSzuHwN2lGoV696bsMWq5G-e-6Pk,7297
+auths/commit.py,sha256=a2ue91XW2mnE5xkYVB-RSNDSHgSJf8Kzo2x8-IZvvms,870
+auths/devices.py,sha256=QYjOP_fYZd2gYfe1EjPq-r-wWBT_G_zZU9xQ912RNEk,5085
+auths/doctor.py,sha256=NCbY88pJLmdSqDNISL_NBIVSGFPvG7SVj4cS9k0eWZY,3061
+auths/git.py,sha256=NXQL6DLaT0NxkvIbHXMDX2maZW1r2bFXEtCEqmUcmfc,15925
+auths/identity.py,sha256=QGf-GAODUItdUJo0dI4Lp8PXzdL3vTIvuxu-WG50gWY,7767
+auths/jwt.py,sha256=Q0_U578ncvOakYkiuZEnxW3FzPZ99IZHQB7010ubA5Y,8878
+auths/org.py,sha256=Ok_uWFZQp8EDwnffh8GS2Tg98YHWw0qCM_jbgufKp-o,10330
+auths/pairing.py,sha256=QXsFWvq-ZE1V65TbFZTbSbaP67yZ8f2Zc6eDfyW_Sko,6858
+auths/policy.py,sha256=23kXn3tmq6x2jweK5XMhAAVSZrIuICq5KVKoglhL3dw,12616
+auths/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+auths/rotation.py,sha256=fX64VxZKW7YMge8LU3OJ1LmDs5iH4acCAU1FYBH_XQk,900
+auths/sign.py,sha256=sGIiKw8MYfnP3oWbepVAUQmhExWkC0D4ZvVg7XAFQrs,200
+auths/trust.py,sha256=YbvxBkPxbu7kycJyQI_d5foyINPnP8H-AklkqqLbVuw,5108
+auths/verify.py,sha256=ymSJNcsgyknAVCA5mP05aT-jaZD1d7oAEoNHbqac31s,3110
+auths/witness.py,sha256=WvVnpZZFZCb8RygGs2ZBE6Y0pUfktwq6NN56rvT0DhI,2562
+auths_python-0.1.0.dist-info/METADATA,sha256=ZUhJJoUboVMu3nhHyOOV5iq1yXvZ9ItbyX9cbzwHfSg,4304
+auths_python-0.1.0.dist-info/WHEEL,sha256=pR3QVM8fbZ6NHAmOlF_iyjo3X1LezoW7fOuSwC4jKRw,95
+auths_python-0.1.0.dist-info/sboms/auths-python.cyclonedx.json,sha256=4o2K2EYZQEFxp5PXZZN0NOJXYclZ1uhxI5z2lvs2-0E,479513
+auths_python-0.1.0.dist-info/RECORD,,

auths_python-0.1.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: maturin (1.12.6)
+Root-Is-Purelib: false
+Tag: cp38-abi3-win_amd64