auths-python 0.1.0__tar.gz

auths_python-0.1.0/Cargo.toml

@@ -0,0 +1,94 @@
+[workspace]
+resolver = "3"
+members = [
+  "crates/auths",
+  "crates/auths-core",
+  "crates/auths-cli",
+  "crates/auths-id",
+  "crates/auths-index",
+  "crates/auths-policy",
+  "crates/auths-verifier",
+  "crates/auths-telemetry",
+  "crates/auths-crypto",
+  "crates/auths-sdk",
+  "crates/auths-infra-git",
+  "crates/auths-infra-http",
+  "crates/auths-storage",
+  "crates/auths-transparency",
+  "crates/auths-keri",
+  "crates/auths-jwt",
+  "crates/auths-mcp-server",
+  "crates/auths-pairing-daemon",
+  "crates/auths-pairing-protocol",
+  "crates/auths-radicle",
+  "crates/auths-scim",
+  "crates/auths-utils",
+  "crates/auths-oidc-port",
+  "crates/xtask", "crates/auths-api",
+]
+
+[workspace.package]
+version = "0.0.1-rc.10"
+license = "Apache-2.0"
+rust-version = "1.93"
+repository = "https://github.com/auths-dev/auths"
+homepage = "https://github.com/auths-dev/auths"
+
+[workspace.dependencies]
+tokio = { version = "1", features = ["full"] }
+bs58 = "0.5.1"
+ring = "0.17.14"
+base64 = "0.22.1"
+thiserror = "2"
+uuid = { version = "1", features = ["v4"] }
+git2 = { version = "0.20.4", default-features = false, features = ["vendored-libgit2"] }
+glob = "0.3"
+parking_lot = "0.12"
+schemars = "0.8"
+subtle = "2.6"
+zeroize = { version = "1.8.1", features = ["serde", "derive"] }
+# Exact pin: canonicalization changes silently break all existing attestation signatures.
+json-canon = "=0.1.3"
+
+auths-core = { path = "crates/auths-core", version = "0.0.1-rc.9" }
+auths-id = { path = "crates/auths-id", version = "0.0.1-rc.9" }
+auths-verifier = { path = "crates/auths-verifier", version = "0.0.1-rc.9", default-features = false }
+auths-policy = { path = "crates/auths-policy", version = "0.0.1-rc.9" }
+auths-index = { path = "crates/auths-index", version = "0.0.1-rc.9" }
+auths-telemetry = { path = "crates/auths-telemetry", version = "0.0.1-rc.9" }
+auths-crypto = { path = "crates/auths-crypto", version = "0.0.1-rc.9", default-features = false }
+auths-sdk = { path = "crates/auths-sdk", version = "0.0.1-rc.9" }
+auths-infra-git = { path = "crates/auths-infra-git", version = "0.0.1-rc.9" }
+auths-infra-http = { path = "crates/auths-infra-http", version = "0.0.1-rc.9" }
+auths-jwt = { path = "crates/auths-jwt", version = "0.0.1-rc.9" }
+auths-pairing-daemon = { path = "crates/auths-pairing-daemon", version = "0.0.1-rc.9" }
+auths-pairing-protocol = { path = "crates/auths-pairing-protocol", version = "0.0.1-rc.9" }
+auths-storage = { path = "crates/auths-storage", version = "0.0.1-rc.9" }
+auths-transparency = { path = "crates/auths-transparency", version = "0.0.1-rc.9", default-features = false }
+auths-utils = { path = "crates/auths-utils", version = "0.0.1-rc.9" }
+insta = { version = "1", features = ["json"] }
+
+# Compile crypto-heavy crates with optimizations even in dev/test builds.
+# Without this, Argon2id key derivation (m=64 MiB, t=3) takes ~5-10s per
+# call in unoptimized builds, causing E2E test timeouts on CI runners.
+
+[profile.dev.package.argon2]
+opt-level = 3
+[profile.dev.package.chacha20poly1305]
+opt-level = 3
+[profile.dev.package.aes-gcm]
+opt-level = 3
+[profile.dev.package.ring]
+opt-level = 3
+
+[workspace.lints.clippy]
+unwrap_used = "deny"
+expect_used = "deny"
+print_stdout = "deny"
+print_stderr = "deny"
+exit = "deny"
+dbg_macro = "deny"
+disallowed_methods = "deny"
+
+[workspace.lints.rustdoc]
+broken_intra_doc_links = "deny"

auths_python-0.1.0/PKG-INFO

@@ -0,0 +1,152 @@
+Metadata-Version: 2.4
+Name: auths-python
+Version: 0.1.0
+Classifier: Development Status :: 4 - Beta
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: Implementation :: CPython
+Classifier: Programming Language :: Rust
+Classifier: Operating System :: MacOS
+Classifier: Operating System :: Microsoft :: Windows
+Classifier: Operating System :: POSIX :: Linux
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Typing :: Typed
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Software Development :: Version Control :: Git
+Requires-Dist: pyjwt>=2.0 ; extra == 'jwt'
+Requires-Dist: cryptography>=3.0 ; extra == 'jwt'
+Provides-Extra: jwt
+Summary: Auths Python SDK - decentralized identity for developers and AI agents
+Keywords: identity,cryptography,did,signing,verification,git,keri
+License: Apache-2.0
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown; charset=UTF-8; variant=GFM
+Project-URL: Bug Tracker, https://github.com/auths-dev/auths/issues
+Project-URL: Documentation, https://docs.auths.dev
+Project-URL: Homepage, https://auths.dev
+Project-URL: Repository, https://github.com/auths-dev/auths
+
+# Auths Python SDK
+
+Decentralized identity for developers and AI agents. Sign, verify, and manage cryptographic identities with Git-native storage.
+
+## Install
+
+```bash
+pip install auths-python
+```
+
+## Quick start
+
+```python
+from auths import Auths
+
+auths = Auths()
+
+# Verify an attestation
+result = auths.verify(attestation_json=data, issuer_key=public_key_hex)
+print(result.valid)  # True
+
+# Sign bytes
+signature = auths.sign(b"hello world", private_key=secret_key_hex)
+```
+
+## Identity management
+
+```python
+from auths import Auths
+
+auths = Auths(repo_path="~/.auths")
+
+# Create a cryptographic identity
+identity = auths.identities.create(label="laptop")
+print(identity.did)  # did:keri:EBfd...
+
+# Provision an agent (for CI, MCP servers, etc.)
+agent = auths.identities.provision_agent(
+    identity.did,
+    name="deploy-bot",
+    capabilities=["sign"],
+)
+
+# Sign using the keychain-stored identity key
+sig = auths.sign_as(b"hello world", identity=identity.did)
+
+# Link and manage devices
+device = auths.devices.link(identity_did=identity.did, capabilities=["sign"])
+auths.devices.revoke(device.did, identity_did=identity.did, note="replaced")
+```
+
+## Git commit verification
+
+```python
+from auths.git import verify_commit_range
+
+result = verify_commit_range("HEAD~5..HEAD")
+for commit in result.commits:
+    print(f"{commit.commit_sha}: {'valid' if commit.is_valid else commit.error}")
+```
+
+## Capability-aware verification
+
+```python
+# Verify an attestation grants a specific capability
+result = auths.verify(attestation_json=data, issuer_key=key, required_capability="sign_commit")
+
+# Verify an entire chain grants a capability
+report = auths.verify_chain(chain, root_key, required_capability="deploy")
+```
+
+## Agent auth for MCP / AI frameworks
+
+```python
+from auths.agent import AgentAuth
+
+auth = AgentAuth(
+    bridge_url="https://bridge.example.com",
+    attestation_chain_path=".auths/agent-chain.json",
+)
+token = auth.get_token(capabilities=["read", "write"])
+```
+
+## Error handling
+
+```python
+from auths import Auths, VerificationError, NetworkError
+
+auths = Auths()
+try:
+    result = auths.verify(attestation_json=data, issuer_key=key)
+except VerificationError as e:
+    print(e.code)     # "expired_attestation"
+    print(e.message)  # "Attestation expired at 2024-01-15T..."
+except NetworkError as e:
+    if e.should_retry:
+        pass  # safe to retry
+```
+
+All errors inherit from `AuthsError` and carry `.code`, `.message`, and `.context`.
+
+## Configuration
+
+```python
+# Auto-discover (uses ~/.auths)
+auths = Auths()
+
+# Explicit repo path
+auths = Auths(repo_path="/path/to/identity-repo")
+
+# With passphrase (or set AUTHS_PASSPHRASE env var)
+auths = Auths(passphrase="my-secret")
+
+# Headless / CI mode
+# Set AUTHS_KEYCHAIN_BACKEND=file for environments without a system keychain
+```
+
+## API reference
+
+Type stubs are bundled (`py.typed` + `__init__.pyi`). Your editor will show full signatures, docstrings, and return types for all methods.
+
+## License
+
+Apache-2.0
+

auths_python-0.1.0/README.md

@@ -0,0 +1,124 @@
+# Auths Python SDK
+
+Decentralized identity for developers and AI agents. Sign, verify, and manage cryptographic identities with Git-native storage.
+
+## Install
+
+```bash
+pip install auths-python
+```
+
+## Quick start
+
+```python
+from auths import Auths
+
+auths = Auths()
+
+# Verify an attestation
+result = auths.verify(attestation_json=data, issuer_key=public_key_hex)
+print(result.valid)  # True
+
+# Sign bytes
+signature = auths.sign(b"hello world", private_key=secret_key_hex)
+```
+
+## Identity management
+
+```python
+from auths import Auths
+
+auths = Auths(repo_path="~/.auths")
+
+# Create a cryptographic identity
+identity = auths.identities.create(label="laptop")
+print(identity.did)  # did:keri:EBfd...
+
+# Provision an agent (for CI, MCP servers, etc.)
+agent = auths.identities.provision_agent(
+    identity.did,
+    name="deploy-bot",
+    capabilities=["sign"],
+)
+
+# Sign using the keychain-stored identity key
+sig = auths.sign_as(b"hello world", identity=identity.did)
+
+# Link and manage devices
+device = auths.devices.link(identity_did=identity.did, capabilities=["sign"])
+auths.devices.revoke(device.did, identity_did=identity.did, note="replaced")
+```
+
+## Git commit verification
+
+```python
+from auths.git import verify_commit_range
+
+result = verify_commit_range("HEAD~5..HEAD")
+for commit in result.commits:
+    print(f"{commit.commit_sha}: {'valid' if commit.is_valid else commit.error}")
+```
+
+## Capability-aware verification
+
+```python
+# Verify an attestation grants a specific capability
+result = auths.verify(attestation_json=data, issuer_key=key, required_capability="sign_commit")
+
+# Verify an entire chain grants a capability
+report = auths.verify_chain(chain, root_key, required_capability="deploy")
+```
+
+## Agent auth for MCP / AI frameworks
+
+```python
+from auths.agent import AgentAuth
+
+auth = AgentAuth(
+    bridge_url="https://bridge.example.com",
+    attestation_chain_path=".auths/agent-chain.json",
+)
+token = auth.get_token(capabilities=["read", "write"])
+```
+
+## Error handling
+
+```python
+from auths import Auths, VerificationError, NetworkError
+
+auths = Auths()
+try:
+    result = auths.verify(attestation_json=data, issuer_key=key)
+except VerificationError as e:
+    print(e.code)     # "expired_attestation"
+    print(e.message)  # "Attestation expired at 2024-01-15T..."
+except NetworkError as e:
+    if e.should_retry:
+        pass  # safe to retry
+```
+
+All errors inherit from `AuthsError` and carry `.code`, `.message`, and `.context`.
+
+## Configuration
+
+```python
+# Auto-discover (uses ~/.auths)
+auths = Auths()
+
+# Explicit repo path
+auths = Auths(repo_path="/path/to/identity-repo")
+
+# With passphrase (or set AUTHS_PASSPHRASE env var)
+auths = Auths(passphrase="my-secret")
+
+# Headless / CI mode
+# Set AUTHS_KEYCHAIN_BACKEND=file for environments without a system keychain
+```
+
+## API reference
+
+Type stubs are bundled (`py.typed` + `__init__.pyi`). Your editor will show full signatures, docstrings, and return types for all methods.
+
+## License
+
+Apache-2.0

auths_python-0.1.0/crates/auths-core/Cargo.toml

@@ -0,0 +1,108 @@
+[package]
+name = "auths-core"
+version.workspace = true
+edition = "2024"
+authors = ["bordumb <bordumbb@gmail.com>"]
+description = "Core cryptography and keychain integration for Auths"
+publish = true
+license.workspace = true
+repository.workspace = true
+homepage.workspace = true
+documentation = "https://docs.rs/auths-core"
+readme = "README.md"
+keywords = ["cryptography", "keychain", "ed25519", "ssh", "identity"]
+categories = ["cryptography", "authentication"]
+
+[lib]
+crate-type = ["rlib", "staticlib"]
+
+[dependencies]
+chacha20poly1305 = { version = "0.10", features = ["std"] }
+log = "0.4"
+once_cell = "1.19"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+toml = "1.0"
+ssh-agent-lib = "0.5.1"
+ssh-key = { version = "0.6.7", features = ["ed25519"] }
+thiserror.workspace = true
+tokio = { version = "1", features = ["full"] }
+async-trait = "0.1"
+zeroize.workspace = true
+aes-gcm = "0.10.3"
+sha2 = "0.10.8"
+argon2 = "0.5"
+libc = "0.2.171"
+rand = "0.8"
+base64.workspace = true
+byteorder = "1.5.0"
+dirs = "6.0.0"
+multibase = "0.9.1"
+auths-crypto = { workspace = true, features = ["native"] }
+auths-pairing-protocol = { workspace = true }
+blake3 = "1.5"
+parking_lot.workspace = true
+subtle.workspace = true
+pkcs8 = "0.10.2"
+hex = "0.4.3"
+tempfile = "3.19.1"
+chrono = { version = "0.4", features = ["serde"] }
+qrcode = "0.14"
+schemars.workspace = true
+x25519-dalek = { version = "2", features = ["static_secrets"] }
+
+auths-verifier = { workspace = true, features = ["native"] }
+url = { version = "2", features = ["serde"] }
+uuid.workspace = true
+
+# Optional secp256k1/BIP340 Schnorr support for Nostr
+k256 = { version = "0.13", features = ["schnorr"], optional = true }
+
+# Optional PKCS#11 HSM support
+cryptoki = { version = "0.12", optional = true }
+
+# Optional witness server dependencies
+axum = { version = "0.8", optional = true }
+tower = { version = "0.5", features = ["util"], optional = true }
+tower-http = { version = "0.6", features = ["trace"], optional = true }
+sqlite = { version = "0.32", features = ["bundled"], optional = true }
+axum-server = { version = "0.7", features = ["tls-rustls"], optional = true }
+
+# macOS/iOS keychain dependencies
+[target.'cfg(any(target_os = "macos", target_os = "ios"))'.dependencies]
+core-foundation = "0.9"
+security-framework = { version = "2.10", features = ["OSX_10_15"] }
+security-framework-sys = "2.9"
+
+[target.'cfg(target_os = "linux")'.dependencies]
+secret-service = { version = "5.0", features = ["rt-tokio-crypto-rust"], optional = true }
+
+[target.'cfg(target_os = "windows")'.dependencies]
+windows = { version = "0.58", features = ["Security_Credentials", "Foundation_Collections"], optional = true }
+
+[dev-dependencies]
+ring.workspace = true
+anyhow = "1.0"
+assert_matches = "1.5.0"
+auths-verifier = { workspace = true, features = ["test-utils"] }
+criterion = { version = "0.5", features = ["html_reports"] }
+mockall = "0.13.1"
+rand = "0.8"
+tokio = { version = "1", features = ["full"] }
+[[bench]]
+name = "crypto"
+harness = false
+
+[features]
+default = []
+test-utils = ["auths-crypto/test-utils"]
+keychain-linux-secretservice = ["dep:secret-service"]
+keychain-windows = ["dep:windows"]
+keychain-file-fallback = []
+crypto-secp256k1 = ["dep:k256"]
+keychain-pkcs11 = ["dep:cryptoki"]
+witness-server = ["dep:axum", "dep:tower", "dep:tower-http", "dep:sqlite"]
+tls = ["dep:axum-server", "witness-server"]
+
+[lints]
+workspace = true

auths_python-0.1.0/crates/auths-core/README.md

@@ -0,0 +1,29 @@
+# auths-core
+
+Core cryptography and keychain integration for Auths.
+
+## Features
+
+- Ed25519 key generation and signing
+- Platform keychain support (macOS, Linux, Windows)
+- Secure key storage with encryption
+
+## Platform Support
+
+- macOS/iOS: Security Framework
+- Linux: Secret Service (optional)
+- Windows: Credential Manager (optional)
+
+## Usage
+
+```rust
+use auths_core::{Keychain, KeyPair};
+
+let keychain = Keychain::new()?;
+let keypair = KeyPair::generate()?;
+keychain.store("my-key", &keypair)?;
+```
+
+## License
+
+MIT OR Apache-2.0

auths_python-0.1.0/crates/auths-core/benches/crypto.rs

@@ -0,0 +1,127 @@
+//! Benchmarks for cryptographic operations in auths-core.
+//!
+//! Run with: cargo bench --package auths_core
+#![allow(clippy::unwrap_used, clippy::expect_used)]
+
+use auths_core::crypto::signer::{SeedSignerKey, SignerKey, decrypt_keypair, encrypt_keypair};
+use criterion::{BenchmarkId, Criterion, Throughput, black_box, criterion_group, criterion_main};
+use ring::rand::SystemRandom;
+use ring::signature::{Ed25519KeyPair, KeyPair};
+
+/// Generate a test Ed25519 keypair for benchmarking (ring, for encrypt/decrypt benches).
+fn generate_test_keypair() -> Ed25519KeyPair {
+    let rng = SystemRandom::new();
+    let pkcs8 = Ed25519KeyPair::generate_pkcs8(&rng).expect("key generation should succeed");
+    Ed25519KeyPair::from_pkcs8(pkcs8.as_ref()).expect("parsing should succeed")
+}
+
+/// Generate a SeedSignerKey for benchmarking the SignerKey trait.
+fn generate_test_signer() -> SeedSignerKey {
+    let (seed, pubkey) = auths_core::crypto::provider_bridge::generate_ed25519_keypair_sync()
+        .expect("keypair generation should succeed");
+    SeedSignerKey::new(seed, pubkey)
+}
+
+/// Benchmark Ed25519 keypair generation.
+fn bench_key_generation(c: &mut Criterion) {
+    let rng = SystemRandom::new();
+
+    c.bench_function("ed25519_key_generation", |b| {
+        b.iter(|| {
+            let pkcs8 =
+                Ed25519KeyPair::generate_pkcs8(&rng).expect("key generation should succeed");
+            Ed25519KeyPair::from_pkcs8(pkcs8.as_ref()).expect("parsing should succeed")
+        })
+    });
+}
+
+/// Benchmark Ed25519 signing with different message sizes.
+fn bench_sign(c: &mut Criterion) {
+    let keypair = generate_test_keypair();
+
+    let mut group = c.benchmark_group("ed25519_sign");
+
+    for size in [64, 256, 1024, 4096, 16384].iter() {
+        let data = vec![0u8; *size];
+
+        group.throughput(Throughput::Bytes(*size as u64));
+        group.bench_with_input(BenchmarkId::from_parameter(size), size, |b, _| {
+            b.iter(|| keypair.sign(black_box(&data)))
+        });
+    }
+
+    group.finish();
+}
+
+/// Benchmark Ed25519 signature verification with different message sizes.
+fn bench_verify(c: &mut Criterion) {
+    use ring::signature::{ED25519, UnparsedPublicKey};
+
+    let keypair = generate_test_keypair();
+    let public_key_bytes = keypair.public_key().as_ref();
+
+    let mut group = c.benchmark_group("ed25519_verify");
+
+    for size in [64, 256, 1024, 4096, 16384].iter() {
+        let data = vec![0u8; *size];
+        let signature = keypair.sign(&data);
+
+        group.throughput(Throughput::Bytes(*size as u64));
+        group.bench_with_input(BenchmarkId::from_parameter(size), size, |b, _| {
+            b.iter(|| {
+                let public_key = UnparsedPublicKey::new(&ED25519, public_key_bytes);
+                public_key
+                    .verify(black_box(&data), black_box(signature.as_ref()))
+                    .expect("verification should succeed")
+            })
+        });
+    }
+
+    group.finish();
+}
+
+/// Benchmark key encryption (encrypt_keypair).
+fn bench_key_encryption(c: &mut Criterion) {
+    // Generate a sample PKCS#8 key
+    let rng = SystemRandom::new();
+    let pkcs8 = Ed25519KeyPair::generate_pkcs8(&rng).expect("key generation should succeed");
+    let passphrase = "Bench-P@ss12345!";
+
+    c.bench_function("key_encryption", |b| {
+        b.iter(|| encrypt_keypair(black_box(pkcs8.as_ref()), black_box(passphrase)))
+    });
+}
+
+/// Benchmark key decryption (decrypt_keypair).
+fn bench_key_decryption(c: &mut Criterion) {
+    // Generate and encrypt a sample key
+    let rng = SystemRandom::new();
+    let pkcs8 = Ed25519KeyPair::generate_pkcs8(&rng).expect("key generation should succeed");
+    let passphrase = "Bench-P@ss12345!";
+    let encrypted = encrypt_keypair(pkcs8.as_ref(), passphrase).expect("encryption should succeed");
+
+    c.bench_function("key_decryption", |b| {
+        b.iter(|| decrypt_keypair(black_box(&encrypted), black_box(passphrase)))
+    });
+}
+
+/// Benchmark signing through the SignerKey trait.
+fn bench_signer_trait(c: &mut Criterion) {
+    let signer = generate_test_signer();
+    let data = vec![0u8; 1024];
+
+    c.bench_function("signer_trait_sign_1kb", |b| {
+        b.iter(|| SignerKey::sign(&signer, black_box(&data)))
+    });
+}
+
+criterion_group!(
+    benches,
+    bench_key_generation,
+    bench_sign,
+    bench_verify,
+    bench_key_encryption,
+    bench_key_decryption,
+    bench_signer_trait,
+);
+criterion_main!(benches);

auths_python-0.1.0/crates/auths-core/cbindgen.toml

@@ -0,0 +1,14 @@
+language = "C"
+
+include_guard = "MOBILE_SSH_AGENT_H"
+
+[defines]
+"__APPLE__" = "APPLE"
+
+[parse]
+parse_deps = false
+clean = true
+
+[export]
+include = ["ffi_*", "TAG_LEN", "NONCE_LEN", "SALT_LEN", "SYMMETRIC_KEY_LEN"]
+prefix = ""