cloudmorph-tessera 0.1.1__py3-none-any.whl

cloudmorph_tessera-0.1.1.dist-info/METADATA

@@ -0,0 +1,307 @@
+Metadata-Version: 2.4
+Name: cloudmorph-tessera
+Version: 0.1.1
+Summary: The open-source MCP firewall for AI agents
+Author-email: CloudMorph AI <oss@cloudmorph.io>
+License: Apache-2.0
+Project-URL: Homepage, https://github.com/CloudMorphAI/cloudmorph-tessera
+Project-URL: Repository, https://github.com/CloudMorphAI/cloudmorph-tessera
+Project-URL: Documentation, https://cloudmorph.ai/docs
+Project-URL: Changelog, https://github.com/CloudMorphAI/cloudmorph-tessera/blob/main/CHANGELOG.md
+Project-URL: Issues, https://github.com/CloudMorphAI/cloudmorph-tessera/issues
+Keywords: mcp,model-context-protocol,firewall,security,policy-as-code,ai-agents,audit,cursor,claude-code
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: System Administrators
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: System :: Networking :: Firewalls
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.12
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: fastapi==0.136.1
+Requires-Dist: uvicorn[standard]==0.46.0
+Requires-Dist: httpx==0.28.1
+Requires-Dist: pydantic==2.12.5
+Requires-Dist: typer==0.25.1
+Requires-Dist: regex==2026.4.4
+Requires-Dist: watchdog==6.0.0
+Requires-Dist: PyYAML==6.0.3
+Provides-Extra: dev
+Requires-Dist: pytest==9.0.3; extra == "dev"
+Requires-Dist: pytest-asyncio==1.3.0; extra == "dev"
+Requires-Dist: pytest-cov==7.1.0; extra == "dev"
+Requires-Dist: hypothesis==6.152.4; extra == "dev"
+Requires-Dist: ruff==0.15.12; extra == "dev"
+Requires-Dist: mypy==1.20.2; extra == "dev"
+Requires-Dist: pre-commit==4.6.0; extra == "dev"
+Requires-Dist: httpx==0.28.1; extra == "dev"
+Requires-Dist: respx==0.23.1; extra == "dev"
+Requires-Dist: tzdata==2026.2; extra == "dev"
+Requires-Dist: jsonschema==4.23.0; extra == "dev"
+Requires-Dist: bandit==1.9.4; extra == "dev"
+Requires-Dist: pip-audit==2.10.0; extra == "dev"
+Requires-Dist: cyclonedx-bom==7.3.0; extra == "dev"
+Provides-Extra: runtime
+Requires-Dist: fastapi==0.136.1; extra == "runtime"
+Requires-Dist: uvicorn[standard]==0.46.0; extra == "runtime"
+Requires-Dist: httpx==0.28.1; extra == "runtime"
+Requires-Dist: pydantic==2.12.5; extra == "runtime"
+Requires-Dist: typer==0.25.1; extra == "runtime"
+Requires-Dist: regex==2026.4.4; extra == "runtime"
+Requires-Dist: watchdog==6.0.0; extra == "runtime"
+Requires-Dist: PyYAML==6.0.3; extra == "runtime"
+Dynamic: license-file
+
+# Tessera
+
+<!-- mcp-name: io.github.CloudMorphAI/tessera -->
+
+**The open-source MCP firewall for AI agents**
+
+**See Tessera block a destructive Cursor action in 60 seconds → [cursor-hooks recipe](recipes/cursor-hooks.md)**
+
+[![PyPI version](https://img.shields.io/pypi/v/cloudmorph-tessera.svg)](https://pypi.org/project/cloudmorph-tessera/)
+[![Python versions](https://img.shields.io/pypi/pyversions/cloudmorph-tessera.svg)](https://pypi.org/project/cloudmorph-tessera/)
+[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://github.com/CloudMorphAI/cloudmorph-tessera/blob/main/LICENSE)
+[![Docker](https://img.shields.io/badge/docker-ghcr.io%2Fcloudmorphai%2Ftessera-blue.svg)](https://ghcr.io/cloudmorphai/tessera)
+[![Docker pulls](https://img.shields.io/docker/pulls/cloudmorphai/tessera.svg)](https://github.com/CloudMorphAI/cloudmorph-tessera/pkgs/container/tessera)
+
+---
+
+## Why Tessera
+
+AI agents calling MCP tools can delete production data, exfiltrate secrets, and exceed cost caps — all in a single tool call your code never explicitly authorized. Tessera is an HTTP proxy that sits between the agent and every MCP server; every `tools/call` request is evaluated against a YAML policy set before it reaches the upstream. Decisions are written to a hash-chain audit log so tampering is detectable. The engine is pure Python — no OPA, no ML, no cloud credentials — so the policy outcome for a given input is always the same. The 14 policies (7 core reference + 7 integration-specific) ship with the container; core policies are the same ones sold separately by other vendors.
+
+---
+
+## Installation
+
+### Option 1: Docker (recommended for production)
+
+```bash
+docker pull ghcr.io/cloudmorphai/tessera:0.1.1
+```
+
+### Option 2: Python package (for local development and CLI use)
+
+```bash
+pip install cloudmorph-tessera
+```
+
+After install, verify:
+
+```bash
+tessera version
+# tessera 0.1.1
+```
+
+Docker is the primary path for users running Tessera as a service. PyPI is the path for users who want to author policies locally or run `tessera policy lint` / `tessera policy test` in CI.
+
+---
+
+## 5-minute quickstart
+
+```bash
+# Step 1: Pull
+docker pull ghcr.io/cloudmorphai/tessera:0.1.1
+
+# Step 2: Scaffold
+docker run --rm -v "$PWD:/out" ghcr.io/cloudmorphai/tessera:0.1.1 tessera init --dir /out
+# Creates tessera.yaml (mode: log_only), policies/, .env.example
+
+# Step 3: Edit tessera.yaml — change upstreams[].url to your real MCP server URL
+
+# Step 4: Start Tessera (log_only by default — safe to try, nothing is blocked yet)
+docker run -d --name tessera \
+  -p 8080:8080 \
+  -v "$PWD/tessera.yaml:/etc/tessera/tessera.yaml:ro" \
+  -v "$PWD/policies:/etc/tessera/policies:ro" \
+  -v tessera_audit:/var/lib/tessera \
+  -e TESSERA_BEARER_TOKEN="tk_$(openssl rand -hex 16)" \
+  ghcr.io/cloudmorphai/tessera:0.1.1
+
+# Step 5: Wire your agent — add to ~/.cursor/mcp.json:
+# {
+#   "mcpServers": {
+#     "aws-via-tessera": {
+#       "url": "http://localhost:8080/mcp/aws",
+#       "headers": {"Authorization": "Bearer <your-token>"}
+#     }
+#   }
+# }
+# See docs/INTEGRATIONS.md for Claude Code, Claude Desktop, Windsurf.
+
+# Step 6: Verify a tool call was logged
+docker exec tessera tessera audit verify --scope default
+
+# Step 7: When ready, switch to enforcement
+# Edit tessera.yaml: change mode: log_only -> mode: enforcement
+# Restart Tessera. Now block decisions fire.
+
+# IMPORTANT: If exposing Tessera beyond localhost, put it behind nginx/Caddy
+# with a rate-limit rule. Native rate limiting is on the v0.2 roadmap.
+```
+
+---
+
+## What ships
+
+- **Multi-token bearer auth** — inline env var, YAML file, or single legacy token; per-token scope isolates audit streams. See [docs/CONFIGURATION.md](docs/CONFIGURATION.md).
+- **Three enforcement modes** — `enforcement` (blocks fire), `log_only` (advisory, always forwards), `observation` (engine skipped). See [docs/CONFIGURATION.md](docs/CONFIGURATION.md).
+- **16-condition pure-Python policy engine** — `arg_equals`, `arg_greater_than`, `arg_less_than`, `arg_matches_regex`, `arg_in_set`, `arg_contains_pattern`, `arg_size_greater_than`, `tool_name_in`, `action_class_in`, `intent_class_in`, `intent_purpose_matches`, `region_in`, `time_of_day_outside`, `meta_field_equals`, `any_of`, `none_of`. See [docs/POLICIES.md](docs/POLICIES.md).
+- **Hash-chain audit log** — every event is chained to the previous via SHA-256; `tessera audit verify` detects any gap or tamper. Per-token scope isolation. See [docs/AUDIT.md](docs/AUDIT.md).
+- **14 policies** — 7 core reference policies (`read-only-mode`, `prod-protection`, `secret-leak-block`, `pii-block`, `cost-cap`, `write-action-approval`, `data-residency-eu`) and 7 integration-specific protection policies (`github-mcp-protection`, `jira-mcp-protection`, `owasp-mcp-prompt-injection`, `owasp-mcp-tool-poisoning`, `postgres-mcp-protection`, `salesforce-mcp-protection`, `slack-mcp-protection`). See [docs/POLICIES.md](docs/POLICIES.md).
+- **Per-file reload error isolation** — a bad YAML file is skipped and logged; the rest of the policy set remains live. See [docs/CONFIGURATION.md](docs/CONFIGURATION.md).
+- **Regex safety (ReDoS defense)** — all regex conditions are evaluated via the `regex` library with a 100 ms timeout; a timeout returns `false` and tags the audit event. See [docs/POLICIES.md](docs/POLICIES.md).
+- **Intent-blind agent support** — agents that do not declare intent in `_meta.tessera_intent` are handled by tool-name and argument policies. `intent.required: false` is the default. See [docs/INTEGRATIONS.md](docs/INTEGRATIONS.md).
+- **CLI** — `tessera serve`, `tessera audit verify`, `tessera policy test`, `tessera policy lint`, `tessera version`, `tessera init`. See [docs/CONFIGURATION.md](docs/CONFIGURATION.md).
+- **Multi-stage Docker image** — builder + slim runtime; runs as UID 10001 (non-root). See [docs/INSTALL.md](docs/INSTALL.md).
+- **Three pluggable Protocols** — `Authenticator`, `PolicyLoader`, `AuditSink` are resolved via importlib at startup; swap implementations without modifying core code. See [tessera/pluggable.py](tessera/pluggable.py).
+
+---
+
+## How it works
+
+```
+Agent --> [Tessera: auth --> engine --> audit] --> Upstream MCP
+```
+
+Every inbound `POST /mcp/{upstream}` is:
+
+1. Authenticated — bearer token matched against configured tokens; `AuthContext.scope` assigned.
+2. Evaluated — policy engine walks the sorted policy set (first-match-wins) and returns `allow`, `block`, `log_only`, or `require_approval`.
+3. Audited — the decision (and response, if forwarded) is written to the hash-chain.
+
+In `enforcement` mode a `block` decision returns a JSON-RPC error (code `-32603`) over HTTP 200 to the agent and does not touch the upstream. In `log_only` mode the upstream is always called and the decision is returned in response headers (`X-Tessera-Decision`, `X-Tessera-Policy-Id`, `X-Tessera-Reason`).
+
+Source code is under [tessera/](tessera/); contributor notes in [CONTRIBUTING.md](CONTRIBUTING.md).
+
+---
+
+## Configuration at a glance
+
+```yaml
+listen:
+  host: 0.0.0.0
+  port: 8080
+
+auth:
+  type: bearer
+
+policies:
+  dir: /etc/tessera/policies
+  reload: watch          # watch | sighup | none
+  mode: log_only         # enforcement | log_only | observation
+  default_action: block
+
+upstreams:
+  - name: aws
+    url: https://mcp.aws.example.com
+    credentials:
+      header: Authorization
+      value: "Bearer ${AWS_MCP_TOKEN}"   # resolved from environment at startup
+```
+
+Full reference: [docs/CONFIGURATION.md](docs/CONFIGURATION.md). Annotated example: [tessera.example.yaml](tessera.example.yaml).
+
+---
+
+## Authoring policies
+
+```yaml
+id: block-delete-prod
+name: Block Delete in Production
+description: Block delete calls targeting prod-suffixed resources.
+match:
+  upstream: "*"
+when:
+  - condition: action_class_in
+    values: ["write.delete"]
+  - condition: arg_matches_regex
+    arg: resource_name
+    pattern: ".*-prod$"
+action: block
+reason: "Delete blocked on production resource"
+priority: 90
+```
+
+Policies are one YAML file per rule in the directory set by `policies.dir`. Files prefixed with `_` are skipped. The engine evaluates policies in descending `priority` order; the first matching policy wins. `when: []` (empty) matches every call.
+
+Test before deploying:
+
+```bash
+tessera policy lint --policy-dir policies/
+tessera policy test --policy-dir policies/ --fixture-dir tests/fixtures/
+```
+
+Full condition catalog and fixture format: [docs/POLICIES.md](docs/POLICIES.md).
+
+---
+
+## Routing your AI agent through Tessera (CLAUDE.md / system-prompt pattern)
+
+Adding Tessera as one of many available MCP servers isn't enough — your agent will often prefer the direct cloud MCP server because it sees that one too. To make Tessera the default route for cloud tool calls, instruct the agent in its system context.
+
+For **Claude Code**, drop a `CLAUDE.md` at your project root (or `~/.claude/CLAUDE.md` for global default):
+
+```markdown
+# Tool routing — use Tessera as the MCP firewall
+
+When this project calls MCP tools that touch cloud resources (AWS, GCP, Azure,
+Databricks, Snowflake, GitHub, Slack, Postgres, Kubernetes):
+
+- **Always prefer the `tessera` MCP server** if the same tool is reachable
+  through it. Tessera enforces deterministic policy + writes a hash-chained
+  audit log of every call.
+- If a tool is only available via a direct cloud MCP server, **stop and ask
+  the user before proceeding** — don't silently bypass the firewall.
+- Read-only operations (list, describe, get) typically pass through normally.
+- Destructive operations (delete, terminate, drop, force-push) WILL be blocked
+  by the shipped reference policies if they touch prod resources. When the
+  block response carries `error.data._meta.tessera_audit_event_id`, surface
+  the policy reason to the user verbatim.
+```
+
+For **Cursor**, equivalent goes in `.cursorrules` at project root, or in user-level Cursor settings. For **Claude Desktop**, put it in the global system prompt via Settings → "Personalization".
+
+This pattern is the difference between "a firewall the user must remember to use" and "a firewall the agent uses by default." Combined with the 14 reference policies, it gives you defense-in-depth without per-call vigilance.
+
+See [docs/INTEGRATIONS.md](docs/INTEGRATIONS.md) for per-client config recipes (Cursor, Claude Code, Claude Desktop).
+
+---
+
+## Tessera Cloud
+
+Want hosted? Multi-tenant? SSO? Compliance evidence export? Tessera Cloud is the same engine with hosted orchestration. The same `Authenticator`, `PolicyLoader`, and `AuditSink` Protocols are used — the implementations are swapped (e.g., `DynamoDBPolicyLoader` instead of `FilesystemPolicyLoader`). Your existing `tessera.yaml` and policy files work without changes when you migrate. https://cloudmorph.ai
+
+---
+
+## Roadmap
+
+Deferred from v0.1; detail and rationale in [docs/ROADMAP.md](docs/ROADMAP.md).
+
+- **OAuth 2.1 PKCE** — v0.2; needed for SaaS/CI deployments where the identity issuer is a third-party IdP.
+- **Native rate limiting** — v0.2; per-token token bucket; workaround in v0.1 is nginx/Caddy in front.
+- **Postgres audit sink** — v0.2; the `AuditSink` Protocol is already designed for it; SQLite covers v0.1 write volume.
+- **stdio transport** — v0.2; for Claude Desktop and agent runtimes that launch MCP servers as subprocesses.
+- **Rego escape hatch** — v0.2; gated on a concrete use case the YAML condition catalog cannot express.
+- **Multi-tenant isolation** — not planned for OSS; available in Tessera Cloud.
+
+---
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md). Run `pip install -e ".[dev]"` and `pre-commit install` to get started.
+
+## License
+
+Apache-2.0. See [LICENSE](LICENSE).
+
+## Security
+
+Report vulnerabilities privately via [SECURITY.md](SECURITY.md).

cloudmorph_tessera-0.1.1.dist-info/RECORD

@@ -0,0 +1,36 @@
+cloudmorph_tessera-0.1.1.dist-info/licenses/LICENSE,sha256=YdF_UdSt6aaFr4X2SVED9Q5t51WwTJhr9z4ZTKBCLQk,11552
+tessera/__init__.py,sha256=jecNhwTki6tTXQEsmF_Ke9DI-7pm3Ldn_uXhdXSoOf8,153
+tessera/cli.py,sha256=yZL4KIgKl1f9vqV0sdsgkj2FBtEjYrXNIC-lI_dmJAc,17805
+tessera/config.py,sha256=hhw7I5jlqREjyYaymDuWKrunCxaY2CEswPLbhsbe8Tc,7417
+tessera/errors.py,sha256=RvETwtL0YtlxtLKGbuzw1EvdMmE_Y_5USZeuu5D-QjE,869
+tessera/intent.py,sha256=EZrJJyo6TnFyparieu5N2xOEvL33yYHCYViTublV8HQ,1820
+tessera/pluggable.py,sha256=TaghkfgY2I7vn6PoAk4Krozs3GAXIqK3SLeSYFuBGg8,1016
+tessera/proxy.py,sha256=aSFIzrKEILYJkQSuhuhx6IdeE0AKsYecPtqal-0qT9M,31786
+tessera/audit/__init__.py,sha256=Oa_qO7Euu-yVnw36NXSHMhryj5q6UGuXzddCiEuf1Iw,544
+tessera/audit/canonical_json.py,sha256=jao3_WL0FTOAd2RWASPBGOZK1dowTaxcb4woF0TCKKM,2725
+tessera/audit/chain.py,sha256=FrMs0YlauAI52GIorjsl48Ul_gwda96YHHNmxn1Nth0,3996
+tessera/audit/emitter.py,sha256=oDLREXfJ2rc2D_rNm6zir2xP-hzEh1zWu0QEtLWPsk8,5139
+tessera/audit/verifier.py,sha256=XBaso-tI4kUJB22blgKjBanE-04OVWc5FeMpCFzKaaY,2937
+tessera/audit/sinks/__init__.py,sha256=v-t2baoS4knY9KJJ6bL95ijReicyPpe99SSgrTWzwwk,28
+tessera/audit/sinks/base.py,sha256=bTagMhclNmn6bTE0vq6vcCOou0Jy62-DRPiluB8X0Wk,496
+tessera/audit/sinks/buffered.py,sha256=ND5JZxvdEyBBsjw9Pfux3JfDJT507s1c2An6OwDmQGI,4531
+tessera/audit/sinks/sqlite.py,sha256=uXOqQVba_8JmnVUMZQ1sqktxG58ln5Djtu6qzLvNIeI,4370
+tessera/audit/sinks/stdout.py,sha256=dv-PJzy9gdfWBPKRin69AJxUywAlNT4cM47bJdqr-E8,1185
+tessera/auth/__init__.py,sha256=gNaUe5KLmfEXT4C7ID9M_Ap2uYzY6EpCDyTc3GFU4FY,31
+tessera/auth/base.py,sha256=Jr_9ZlHdNFsZbBWOsxv3jbXRgIELQcmvelssGxL3Ubo,652
+tessera/auth/bearer.py,sha256=EklhDKk5wMrdIBMVCQIACU5YmNZkGxF920MAUY6falQ,7720
+tessera/integrations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+tessera/integrations/cursor_hooks.py,sha256=0BampFSrfjU0aiVoBArSGRUrGjePTr1qfnTg4RNiySs,4513
+tessera/policy/__init__.py,sha256=ieoVxfpSQmKYl-q1oa04W50pGLWl4L169royWg40uQk,310
+tessera/policy/action_verbs.py,sha256=IYVmwaB9kP6rf1j4mPAjC4bFNSqF4PNzOWorSZWYTqE,7992
+tessera/policy/conditions.py,sha256=T8GvVih84sy7HTlHzapRXhUsrh0c0WWPZqgXNQzANpA,8685
+tessera/policy/engine.py,sha256=Eq6KgSpznDTMehH7O6X-gGFFjJPyjvojQZxku_aKZJw,2542
+tessera/policy/loader.py,sha256=A9soUAYvC662JJ1aSd2f_TuakDnevYw2AE_4eIlwlMA,9649
+tessera/policy/matchers.py,sha256=foqQMvwo2_Y0Hxo2eEmP1YOT-AaSuSkwgVXQxAlvPhU,1361
+tessera/policy/regex_safety.py,sha256=VtUHqvZA9J05YGVKVKSij7DxJ-_vpMowmB3Dj4VlnyQ,1879
+tessera/policy/schema.py,sha256=_IfMfKDRFIwoklXO_Pul22GcBhLSWYpvRA3_xledeFk,4831
+cloudmorph_tessera-0.1.1.dist-info/METADATA,sha256=_Ne8SwYzoCQSq8ia_eiNrxq2DZCAtGML7vf0p5Uv6ao,14788
+cloudmorph_tessera-0.1.1.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+cloudmorph_tessera-0.1.1.dist-info/entry_points.txt,sha256=oVMcEWOXXJyZVLXxtDPbbIrZEQUO586qc8Yi_b5ott0,44
+cloudmorph_tessera-0.1.1.dist-info/top_level.txt,sha256=joYc6MMtKOuVa-O6Kv_MMWu74pecOm0BEuAsX3G2Y3M,8
+cloudmorph_tessera-0.1.1.dist-info/RECORD,,

cloudmorph_tessera-0.1.1.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

cloudmorph_tessera-0.1.1.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+tessera = tessera.cli:app

cloudmorph_tessera-0.1.1.dist-info/licenses/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 CloudMorph AI, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

cloudmorph_tessera-0.1.1.dist-info/top_level.txt

@@ -0,0 +1 @@
+tessera

tessera/__init__.py

@@ -0,0 +1,6 @@
+"""Tessera — the open-source MCP firewall for AI agents."""
+
+from __future__ import annotations
+
+__version__ = "0.1.1"
+__all__ = ["__version__"]

tessera/audit/__init__.py

@@ -0,0 +1,19 @@
+"""Tessera audit subsystem — public API."""
+
+from tessera.audit import canonical_json
+from tessera.audit.chain import HashChain
+from tessera.audit.emitter import AuditEmitter
+from tessera.audit.sinks.base import AuditSink
+from tessera.audit.sinks.buffered import BufferedSink
+from tessera.audit.sinks.sqlite import SqliteSink
+from tessera.audit.sinks.stdout import StdoutSink
+
+__all__ = [
+    "HashChain",
+    "AuditEmitter",
+    "AuditSink",
+    "SqliteSink",
+    "StdoutSink",
+    "BufferedSink",
+    "canonical_json",
+]

tessera/audit/canonical_json.py

@@ -0,0 +1,71 @@
+"""Canonical JSON serialization (RFC 8785 JCS).
+
+Produces a byte-stable JSON representation across Python and TypeScript
+implementations. Used as the input to the audit hash chain so that
+auditors using either language compute identical event hashes.
+
+Key invariants:
+- UTF-8 encoded
+- No whitespace
+- Object keys sorted lexicographically (UTF-16 code units per spec)
+- Numbers: integers as integers; floats round-trip per JSON.stringify semantics
+- No NaN, no +/-Infinity (spec rejects these — we raise ValueError)
+
+Reference: https://www.rfc-editor.org/rfc/rfc8785
+"""
+
+from __future__ import annotations
+
+import json
+import math
+from typing import Any
+
+__all__ = ["canonical_json", "canonical_json_str"]
+
+
+def _normalize(value: Any) -> Any:
+    """Recursively normalize a value into something json.dumps can handle deterministically."""
+    if value is None:
+        return None
+    if isinstance(value, bool):
+        return value
+    if isinstance(value, int):
+        return value
+    if isinstance(value, float):
+        if math.isnan(value) or math.isinf(value):
+            raise ValueError("canonical_json: NaN/Infinity not permitted by RFC 8785")
+        # Per JCS §3.2.2: integers must serialize as integers even if they came in as floats.
+        if value.is_integer() and abs(value) < 2**53:
+            return int(value)
+        return value
+    if isinstance(value, str):
+        return value
+    if isinstance(value, (list, tuple)):
+        return [_normalize(item) for item in value]
+    if isinstance(value, dict):
+        # Sort keys lexicographically. Reject non-string keys (would be ambiguous).
+        normalized: dict[str, Any] = {}
+        for key in sorted(value.keys()):
+            if not isinstance(key, str):
+                raise ValueError(f"canonical_json: non-string key not permitted: {key!r}")
+            normalized[key] = _normalize(value[key])
+        return normalized
+    if hasattr(value, "model_dump"):  # pydantic v2 model
+        return _normalize(value.model_dump())
+    raise TypeError(f"canonical_json: unsupported type {type(value).__name__}")
+
+
+def canonical_json(value: Any) -> bytes:
+    """Return RFC 8785 canonical JSON encoding of value as UTF-8 bytes.
+
+    Raises:
+        ValueError: on NaN/Infinity or non-string dict keys.
+        TypeError: on unsupported types.
+    """
+    normalized = _normalize(value)
+    return json.dumps(normalized, ensure_ascii=False, separators=(",", ":"), sort_keys=True).encode("utf-8")
+
+
+def canonical_json_str(value: Any) -> str:
+    """Same as canonical_json but returns a str (for use cases that need it)."""
+    return canonical_json(value).decode("utf-8")