PyPI - connectonion - Versions diffs - 0.6.4__py3-none-any.whl → 0.6.5__py3-none-any.whl - Mend

connectonion 0.6.4py3-none-any.whl → 0.6.5py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

connectonion/__init__.py +1 -1
connectonion/cli/co_ai/main.py +2 -2
connectonion/cli/co_ai/prompts/connectonion/concepts/trust.md +166 -208
connectonion/cli/commands/copy_commands.py +21 -0
connectonion/cli/commands/trust_commands.py +152 -0
connectonion/cli/main.py +82 -0
connectonion/core/llm.py +2 -2
connectonion/docs/concepts/fast_rules.md +237 -0
connectonion/docs/concepts/onboarding.md +465 -0
connectonion/docs/concepts/trust.md +933 -192
connectonion/docs/design-decisions/023-trust-policy-system-design.md +323 -0
connectonion/docs/network/README.md +23 -1
connectonion/docs/network/connect.md +135 -0
connectonion/docs/network/host.md +73 -4
connectonion/network/__init__.py +7 -6
connectonion/network/asgi/__init__.py +3 -0
connectonion/network/asgi/http.py +125 -19
connectonion/network/asgi/websocket.py +276 -15
connectonion/network/connect.py +145 -29
connectonion/network/host/auth.py +70 -67
connectonion/network/host/routes.py +88 -3
connectonion/network/host/server.py +100 -17
connectonion/network/trust/__init__.py +27 -19
connectonion/network/trust/factory.py +51 -24
connectonion/network/trust/fast_rules.py +100 -0
connectonion/network/trust/tools.py +316 -32
connectonion/network/trust/trust_agent.py +403 -0
connectonion/transcribe.py +1 -1
{connectonion-0.6.4.dist-info → connectonion-0.6.5.dist-info}/METADATA +1 -1
{connectonion-0.6.4.dist-info → connectonion-0.6.5.dist-info}/RECORD +32 -27
connectonion/network/trust/prompts.py +0 -71
{connectonion-0.6.4.dist-info → connectonion-0.6.5.dist-info}/WHEEL +0 -0
{connectonion-0.6.4.dist-info → connectonion-0.6.5.dist-info}/entry_points.txt +0 -0

connectonion/docs/concepts/trust.md CHANGED Viewed

@@ -1,291 +1,1032 @@
 # Trust in ConnectOnion
-The `trust` parameter provides flexible, bidirectional trust configuration for agent interactions.
+Trust is a **host layer** concern that controls who can access your agent. It manages onboarding, access control, and client state (stranger → contact → trusted).
 ## Quick Start
 ```python
-from connectonion import Agent, need
-# Simple trust levels
-translator = need("translate", trust="strict")   # Production: verified only
-analyzer = need("analyze", trust="tested")       # Default: test first
-scraper = need("scrape", trust="open")          # Development: trust all
-# For your own agent
-agent = Agent(
-    name="my_service",
-    tools=[process_data],
-    trust="strict"  # Who can use my services
-)
+from connectonion import Agent
+from connectonion.network import host
+# Create your agent (no trust here - agent only cares about its job)
+agent = Agent("my_service", tools=[process_data])
+# Host it with trust (trust is a host concern)
+host(agent, trust="careful")  # Default: verify before allowing access
 ```
-## Three Forms of Trust
+## Core Concepts
-### 1. Trust Levels (String)
+### Separation of Concerns
-Simple predefined levels for common scenarios:
+| Layer | Responsibility |
+|-------|----------------|
+| **Agent** | What it does (skills, tools, reasoning) |
+| **Host** | How it's accessed (network, trust, security) |
 ```python
-# Development - trust everyone
-agent = need("service", trust="open")
+# Agent is pure - only cares about its job
+agent = Agent("translator", tools=[translate])
+# Trust is configured at host level
+host(agent, trust="open")     # Dev: trust everyone
+host(agent, trust="careful")  # Staging: verify first
+host(agent, trust="strict")   # Prod: whitelist only
+```
-# Default - test before trusting
-agent = need("service", trust="tested")
+### Protocol vs Policy
+Every request requires **two checks**:
+| Layer | Required | Purpose |
+|-------|----------|---------|
+| **Signature (Protocol)** | ALWAYS | Prove identity (Ed25519) |
+| **Trust Policy** | Configurable | Access control (open/careful/strict) |
-# Production - only verified/whitelisted
-agent = need("service", trust="strict")
 ```
+Request Flow:
+┌─────────────┐     ┌─────────────────────┐     ┌─────────────────┐
+│   Request   │ ──► │ Signature Required  │ ──► │  Trust Policy   │
+│  (signed)   │     │ (prove identity)    │     │ (access check)  │
+└─────────────┘     └─────────────────────┘     └─────────────────┘
+                              │                          │
+                         ALWAYS                    CONFIGURABLE
+                         REQUIRED                  (open/careful/strict)
+```
+**Important:** Even `trust="open"` requires valid signatures. "Open" means all verified identities are allowed - not that requests can be unsigned.
-### 2. Trust Policy (Natural Language)
+### Two Types of Access Control
-Express complex requirements in plain English:
+| Type | Tokens | When to Use |
+|------|--------|-------------|
+| **Fast Rules** | Zero | Simple checks (invite code, payment, whitelist) |
+| **Trust Agent** | Burns tokens | Complex decisions (behavior analysis, edge cases) |
+**90% of requests**: Fast rules (instant, free)
+**10% of requests**: Trust agent (LLM reasoning, rare)
+## Trust Levels
+All trust levels require **signed requests**. The difference is in access control policy.
+### Open (Development)
+Allow all **signed** requests. No additional access control.
 ```python
-# Inline policy
-translator = need("translate", trust="""
-    I trust agents that:
-    - Pass capability tests
-    - Respond within 500ms
-    - Are on my whitelist OR from local network
-""")
+host(agent, trust="open")
+```
+- Signature verification: **Required** (protocol level)
+- Access control: **None** (all verified identities allowed)
+Use for: Local development, Jupyter notebooks, testing.
-# From file
-translator = need("translate", trust="./trust_policy.md")
+**Note:** Requests still need valid Ed25519 signatures. "Open" means no access restrictions after identity is verified.
+### Careful (Default)
+Verify strangers before granting access. Fast rules first, then trust agent for complex cases.
+```python
+host(agent, trust="careful")
 ```
-Example trust policy file:
-```markdown
-# My Trust Requirements
+- Signature verification: **Required** (protocol level)
+- Access control: **Whitelist + contacts allowed, strangers evaluated**
+Use for: Staging, testing, pre-production.
+### Strict (Production)
+Whitelist only. No exceptions.
-I trust agents that meet ALL of these criteria:
-- Successfully translate "Hello" to "Hola"
-- Respond in less than 1 second
-- Have processed at least 10 requests successfully
+```python
+host(agent, trust="strict")
+```
+- Signature verification: **Required** (protocol level)
+- Access control: **Whitelist only**
+Use for: Production, sensitive data, payments.
-I immediately reject agents that:
-- Fail basic capability tests
-- Take longer than 5 seconds
-- Are on my blacklist
+## Request Format
+All requests must be signed with Ed25519:
+```json
+{
+    "payload": {
+        "prompt": "Your message here",
+        "to": "0xAgentAddress",
+        "timestamp": 1699999999
+    },
+    "from": "0xYourPublicKey",
+    "signature": "0xEd25519Signature..."
+}
 ```
-### 3. Trust Agent
+| Field | Required | Description |
+|-------|----------|-------------|
+| `payload.prompt` | Yes | The message to send |
+| `payload.to` | Optional | Target agent address |
+| `payload.timestamp` | Yes | Unix timestamp (5 min window) |
+| `from` | Yes | Your Ed25519 public key |
+| `signature` | Yes | Signature of canonicalized payload |
+**Signature protects against:**
+- Identity spoofing (only you have your private key)
+- Replay attacks (timestamp expires in 5 minutes)
+- Message tampering (signature covers payload)
+## Trust Policy Files
+Trust policies are markdown files with YAML frontmatter. The YAML defines fast rules (no tokens), the markdown body defines trust agent behavior (for complex decisions).
+### File Format
+```yaml
+# prompts/trust/careful.md
+---
+# Fast rules (no LLM, no tokens)
+fast_rules:
+  # Verification
+  - if: has_invite_code
+    action: verify_invite
+    on_success: promote_to_contact
+  - if: has_payment
+    action: verify_payment
+    on_success: promote_to_contact
+  # Access control (checked in order)
+  - if: is_blocked
+    action: deny
+  - if: is_admin
+    action: allow
+  - if: is_whitelist
+    action: allow
+  - if: is_contact
+    action: allow
+  - if: is_stranger
+    action: deny
+# When to use trust agent (burns tokens, rare)
+use_agent:
+  - when: requests > 10
+    reason: "Evaluate stranger for promotion"
+# Cache decisions
+cache: 24h
+---
+# Trust Agent Policy
+You handle complex trust decisions that fast rules can't cover.
+## Your Role
+Evaluate strangers and decide if they should become contacts.
+## Available Tools
+- `promote_to_contact(client_id)` - Stranger → Contact
+- `promote_to_whitelist(client_id)` - Contact → Whitelist
+- `demote_to_stranger(client_id)` - Contact → Stranger
+- `block(client_id, reason)` - Add to blocklist
+## Decision Process
+1. Review request history
+2. Look for red flags (suspicious patterns, abuse)
+3. Consider value provided
+## Response
+Use tools to take action, or return:
+- **allow** - Allow this request
+- **deny** - Deny this request
+```
+### How Host Uses This
+```
+host(agent, trust=...)
+        │
+        ├── "open"           ──┐
+        ├── "careful"          ├──► TrustAgent(trust)
+        ├── "strict"           │
+        ├── "./policy.md"    ──┘
+        │
+        └── TrustAgent(...)  ──► use directly
+                │
+                ▼
+        TrustAgent.should_allow(client_id, request)
+                │
+                ├── Fast Rules (no tokens)
+                │   - Check deny list (blocked)
+                │   - Check allow list (whitelist, contacts)
+                │   - Try onboarding (invite, payment)
+                │   - Apply default
+                │
+                └── LLM Fallback (only if default: ask)
+                    - Evaluate stranger with LLM
+```
+All trust inputs convert to TrustAgent internally. Developers can use string levels for simplicity or pass TrustAgent directly for more control.
+## Client States
+Trust manager handles all client state transitions:
+```
+Promotion Chain (earned trust):
+┌─────────────┐   verify    ┌─────────────┐  earn trust  ┌─────────────┐
+│  Stranger   │ ──────────► │   Contact   │ ───────────► │  Whitelist  │
+└─────────────┘             └─────────────┘              └─────────────┘
+      │                           │                            │
+      │ block                     │ demote                     │ demote
+      ▼                           ▼                            ▼
+┌─────────────┐             ┌─────────────┐              ┌─────────────┐
+│  Blocklist  │             │  Stranger   │              │   Contact   │
+└─────────────┘             └─────────────┘              └─────────────┘
+Admin (separate, manual only):
+┌─────────────┐  set_admin()   ┌─────────────┐
+│  Any Level  │ ─────────────► │    Admin    │
+└─────────────┘                └─────────────┘
+                                     │
+                               remove_admin()
+                                     │
+                                     ▼
+                               ┌─────────────┐
+                               │  Previous   │
+                               └─────────────┘
+```
-For maximum control, use a custom trust agent:
+### Client Levels
+| Level | Description | Access |
+|-------|-------------|--------|
+| **Stranger** | Unknown client, not verified | Limited or none |
+| **Contact** | Verified via invite/payment | Standard access |
+| **Whitelist** | Trusted, pre-approved | Full access |
+| **Admin** | Can manage other clients | Full access + management |
+| **Blocklist** | Blocked, denied access | No access |
+### State Transitions
+**Promotion Chain (earned):**
+| From | To | How |
+|------|-----|-----|
+| Stranger | Contact | `promote_to_contact()` - invite code, payment, or earned |
+| Contact | Whitelist | `promote_to_whitelist()` - consistent good behavior |
+**Demotion (lost trust):**
+| From | To | How |
+|------|-----|-----|
+| Whitelist | Contact | `demote_to_contact()` - trust issues |
+| Contact | Stranger | `demote_to_stranger()` - suspicious activity |
+| Any | Blocklist | `block()` - abuse detected |
+**Admin (manual only):**
+| From | To | How |
+|------|-----|-----|
+| Any | Admin | `set_admin()` - requires existing admin |
+| Admin | Previous | `remove_admin()` - requires existing admin |
+### Trust Manager Responsibilities
+The trust manager (TrustAgent) handles:
+1. **Onboarding** - Verify invite codes, payments
+2. **Promotion** - Move clients up the trust hierarchy
+3. **Demotion** - Move clients down when trust is broken
+4. **Blocking** - Add abusers to blocklist
+5. **List Management** - Maintain all client lists
 ```python
-# Create a trust agent with verification tools
-trust_agent = Agent(
-    name="my_guardian",
-    tools=[
-        check_whitelist,
-        verify_capability,
-        measure_response_time,
-        check_reputation
-    ],
-    system_prompt="""
-        You verify other agents before allowing interaction.
-        Be strict with payment processors, relaxed with read-only services.
-    """
-)
+# Trust manager actions
+trust_manager.promote(client_id)    # Move up one level
+trust_manager.demote(client_id)     # Move down one level
+trust_manager.block(client_id)      # Add to blocklist
+trust_manager.unblock(client_id)    # Remove from blocklist
+trust_manager.set_admin(client_id)  # Promote to admin (requires admin)
+```
-# Use it for your agent
-my_agent = Agent(
-    name="my_service",
-    tools=[process_payment],
-    trust=trust_agent  # My guardian protects me
-)
+## Fast Rules Reference
+Fast rules are simple if/then checks. No LLM, no tokens.
+### Conditions (if)
+| Condition | Description |
+|-----------|-------------|
+| `invite_code` | Client has invite code |
+| `payment` | Client has confirmed payment |
+| `is_stranger` | Client is a stranger |
+| `is_contact` | Client is a contact |
+| `is_whitelist` | Client is whitelisted |
+| `is_admin` | Client is an admin |
+| `is_blocked` | Client is blocked |
+### Actions
+| Action | Description |
+|--------|-------------|
+| `allow` | Allow this request |
+| `deny` | Deny this request |
+| `promote` | Promote to next level (stranger→contact→whitelist) |
+| `demote` | Demote to previous level |
+| `block` | Add to blocklist |
+| `require_admin` | Only allow if client is admin |
+### Examples
+```yaml
+fast_rules:
+  # Verification → promote to contact
+  - if: has_invite_code
+    action: verify_invite
+    on_success: promote_to_contact
+  - if: has_payment
+    action: verify_payment
+    on_success: promote_to_contact
+  # Access control (checked in order)
+  - if: is_blocked
+    action: deny
+  - if: is_admin
+    action: allow
+  - if: is_whitelist
+    action: allow
+  - if: is_contact
+    action: allow
+  - if: is_stranger
+    action: deny
+```
+## Trust Agent (Complex Decisions)
+For decisions that need reasoning, the trust agent uses LLM. This burns tokens, so use sparingly.
+### When to Use
+```yaml
+use_agent:
+  # After enough requests to evaluate
+  - when: requests > 10
+    reason: "Evaluate for promotion"
-# And for discovering services
-payment = need("payment processor", trust=trust_agent)
+  # Suspicious patterns
+  - when: suspicious_pattern
+    reason: "Investigate"
+  # Manual review requested
+  - when: manual_review
+    reason: "Human flagged for review"
+```
+### Trust Agent Response
+```python
+# Trust agent returns:
+{
+    "decision": "promote",  # or allow, deny, block
+    "reason": "Consistent good behavior over 50 requests",
+    "cache": True  # Cache this decision
+}
 ```
-## Bidirectional Trust
+## Custom Trust Policies
-The same `trust` parameter works in both directions:
+### Option 1: Use Preset
 ```python
-# As a SERVICE provider (who can use me?)
-alice_agent = Agent(
-    name="alice_translator",
-    tools=[translate],
-    trust="tested"  # Users must pass my tests
-)
+host(agent, trust="careful")  # Uses prompts/trust/careful.md
+```
-# As a SERVICE consumer (who do I trust?)
-translator = need("translate", trust="strict")  # I only use verified services
+### Option 2: Custom Markdown File
-# Both trust requirements must be satisfied for interaction!
+```python
+host(agent, trust="./my_policy.md")
 ```
-## Trust Flow Example
+### Option 3: Custom TrustAgent
 ```python
-# Alice creates a translation service
-alice = Agent(
-    name="alice_translator",
-    tools=[translate],
-    trust="tested"  # Test users before serving them
-)
-share(alice)
+from connectonion.network.trust import TrustAgent
-# Bob looks for a translator
-translator = need(
-    "translate to Spanish",
-    trust="strict"  # Bob only uses verified services
+trust = TrustAgent(
+    system_prompt="./my_policy.md",
+    tools=[my_custom_verifier]
 )
+host(agent, trust=trust)
+```
+## Preset Policies
+### open.md
-# What happens:
-# 1. Bob's trust agent evaluates Alice (strict check)
-# 2. Alice's trust agent evaluates Bob (test required)
-# 3. Both must approve for connection to succeed
+```yaml
+---
+fast_rules:
+  - if: always
+    action: allow
+---
+# Open Trust (Development Only)
+Trust everyone. No verification.
+Never use in production.
 ```
-## Environment-Based Defaults
+### careful.md
-ConnectOnion automatically adjusts trust based on environment:
+```yaml
+---
+fast_rules:
+  # Verification
+  - if: has_invite_code
+    action: verify_invite
+    on_success: promote_to_contact
-```python
-# No trust parameter needed - auto-detected!
-translator = need("translate")
+  - if: has_payment
+    action: verify_payment
+    on_success: promote_to_contact
-# In development (localhost, Jupyter)
-# → Defaults to trust="open"
+  # Access control
+  - if: is_blocked
+    action: deny
-# In test files (test_*.py)
-# → Defaults to trust="tested"
+  - if: is_admin
+    action: allow
-# In production
-# → Defaults to trust="strict"
+  - if: is_whitelist
+    action: allow
-# Override when needed
-translator = need("translate", trust="open")  # Force open even in production
+  - if: is_contact
+    action: allow
+  - if: is_stranger
+    action: deny
+use_agent:
+  - when: requests > 10
+    reason: "Evaluate stranger for promotion"
+cache: 24h
+---
+# Careful Trust Policy
+Evaluate strangers for promotion to contacts.
 ```
-## Trust Functions
+### strict.md
-Trust agents use composable functions:
+```yaml
+---
+fast_rules:
+  - if: is_blocked
+    action: deny
+  - if: is_admin
+    action: allow
+  - if: is_whitelist
+    action: allow
+  - if: always
+    action: deny
+use_agent: []  # Never use LLM
+---
+# Strict Trust Policy
+Whitelist only. No exceptions.
+```
+## List Management
+Trust manager maintains four lists:
-```python
-# Basic trust functions (provided by ConnectOnion)
-def check_whitelist(agent_id: str) -> bool:
-    """Check if agent is whitelisted"""
-def test_capability(agent, test_input, expected) -> bool:
-    """Test if agent produces expected output"""
-def measure_response_time(agent, timeout_ms) -> float:
-    """Measure agent response time"""
-def check_local_network(agent_ip: str) -> bool:
-    """Check if agent is on local network"""
-# Combine in your trust agent
-my_trust = Agent(
-    name="guardian",
-    tools=[
-        check_whitelist,
-        test_capability,
-        measure_response_time,
-        check_local_network
-    ]
-)
+```
+~/.co/
+├── strangers.txt    # Known strangers (optional tracking)
+├── contacts.txt     # Verified contacts
+├── whitelist.txt    # Trusted, pre-approved
+├── admins.txt       # Can manage other clients
+└── blocklist.txt    # Blocked clients
+```
+### Contacts
+```
+~/.co/contacts.txt
 ```
-## Whitelist Management
+Automatically managed. Clients who verified via invite code or payment.
-Simple text file at `~/.connectonion/trusted.txt`:
+### Whitelist
 ```
+~/.co/whitelist.txt
+```
+```
+# Trusted services (full access)
 translator.api.com
 analyzer.local
-my-company.internal.net
 192.168.1.*
 ```
-Edit with any text editor or programmatically:
+### Admins
+**Default admin:** The agent's own address (from `.co/address.json`) is automatically an admin. No config needed.
+**Additional admins:** Add public keys to `~/.co/admins.txt`:
-```python
-# Add to whitelist
-with open("~/.connectonion/trusted.txt", "a") as f:
-    f.write("new-service.com\n")
+```
+~/.co/admins.txt
 ```
-## Progressive Trust Building
+```
+# Additional admins (public keys)
+0xadmin1234567890...
+0xadmin0987654321...
+```
-Trust grows through successful interactions:
+Admins can:
+- Promote/demote other clients
+- Block/unblock clients
+- Query client trust levels
-```python
-# First encounter - requires testing
-translator = need("translate", trust="tested")
-# → Agent is tested before use
+### Blocklist
-# After successful interactions
-# → Agent automatically added to "verified" list
+```
+~/.co/blocklist.txt
+```
-# Future encounters
-translator = need("translate", trust="tested")
-# → Skip testing, already verified
+```
+# Blocked clients (no access)
+abuser-123
+spam-bot-*
 ```
-## Common Patterns
+## Environment-Based Defaults
-### Development Mode
 ```python
-# Trust everyone for rapid development
-connectonion.set_default_trust("open")
+# No trust specified - auto-detected from environment
+host(agent)
+# CONNECTONION_ENV=development → trust="open"
+# CONNECTONION_ENV=staging     → trust="careful"
+# CONNECTONION_ENV=production  → trust="strict"
+```
+## Architecture
 ```
+┌─────────────────────────────────────────────────────────┐
+│                      Request                            │
+│              (signed with Ed25519)                      │
+└─────────────────────────────────────────────────────────┘
+                          │
+                          ▼
+┌─────────────────────────────────────────────────────────┐
+│                    HOST LAYER                           │
+│                                                         │
+│  Routes:                                                │
+│  ├── /input              (agent endpoint)              │
+│  ├── /admin/trust/*      (any admin)                   │
+│  │    ├── POST /admin/trust/promote                    │
+│  │    ├── POST /admin/trust/demote                     │
+│  │    ├── POST /admin/trust/block                      │
+│  │    ├── POST /admin/trust/unblock                    │
+│  │    └── GET  /admin/trust/level/{client_id}          │
+│  └── /superadmin/*       (super admin only)            │
+│       ├── POST /superadmin/add                         │
+│       └── POST /superadmin/remove                      │
+│                                                         │
+│  ┌─────────────────────────────────────────────────┐   │
+│  │           TrustAgent.should_allow()              │   │
+│  │                                                  │   │
+│  │  1. Fast Rules (no tokens)                      │   │
+│  │     - Check deny list (blocked)                 │   │
+│  │     - Check allow list (whitelist, contacts)    │   │
+│  │     - Try onboarding (invite, payment)          │   │
+│  │     - Apply default                             │   │
+│  │                                                  │   │
+│  │  2. LLM Fallback (only if default: ask)         │   │
+│  │     - Evaluate stranger with LLM                │   │
+│  │                                                  │   │
+│  └─────────────────────────────────────────────────┘   │
+│                                                         │
+└─────────────────────────────────────────────────────────┘
+                          │
+                          ▼ (verified requests only)
+┌─────────────────────────────────────────────────────────┐
+│                      AGENT                              │
+│                                                         │
+│  Pure logic - tools, skills, reasoning                  │
+│  Doesn't know about trust                               │
+│                                                         │
+└─────────────────────────────────────────────────────────┘
+```
+## Routes
+Host provides these routes:
+### Agent Route
+| Route | Method | Description |
+|-------|--------|-------------|
+| `/input` | POST | Main agent endpoint |
+### Admin Routes (Requires Admin)
+Admin routes use **signed requests** (same as `/input`). The signer's address must be in the admins list.
+**Admins list = self address (default) + ~/.co/admins.txt**
+The agent's own public key is automatically an admin. No config needed - whoever deployed the agent can manage trust.
+| Route | Method | Who | Description |
+|-------|--------|-----|-------------|
+| `/admin/trust/promote` | POST | Any admin | Promote client to next level |
+| `/admin/trust/demote` | POST | Any admin | Demote client to previous level |
+| `/admin/trust/block` | POST | Any admin | Block client |
+| `/admin/trust/unblock` | POST | Any admin | Unblock client |
+| `/admin/trust/level/{client_id}` | GET | Any admin | Get client's current level |
+### Super Admin Routes (Self Address Only)
+Only the agent's own address (super admin) can manage the admins list.
+| Route | Method | Description |
+|-------|--------|-------------|
+| `/superadmin/add` | POST | Add an admin |
+| `/superadmin/remove` | POST | Remove an admin |
+**Example admin request:**
+```json
+{
+    "payload": {
+        "client_id": "0xclient123...",
+        "timestamp": 1699999999
+    },
+    "from": "0xAdminPublicKey",
+    "signature": "0xEd25519Signature..."
+}
+```
+**Example super admin request (add admin):**
+```json
+{
+    "payload": {
+        "admin_id": "0xnewadmin...",
+        "timestamp": 1699999999
+    },
+    "from": "0xSelfAddress",
+    "signature": "0xEd25519Signature..."
+}
+```
+## Policy File Format
+Trust policies are markdown files with YAML frontmatter:
+```yaml
+---
+# Who has access
+allow:
+  - whitelisted    # ~/.co/whitelist.txt
+  - contact        # ~/.co/contacts.txt
+# Who is blocked
+deny:
+  - blocked        # ~/.co/blocklist.txt
+# How strangers become contacts
+onboard:
+  invite_code: [CODE1, CODE2]
+  payment: 10
+# Strangers without credentials
+default: deny  # allow | deny | ask
+---
+# LLM Policy (only used when default: ask)
+Evaluate strangers for access...
+```
+### Evaluation Order
+1. Check `deny` list (blocked → reject)
+2. Check `allow` list (whitelist/contacts → allow)
+3. Try onboarding (invite code or payment → promote to contact)
+4. Apply `default` action
+## TrustAgent Class
+TrustAgent inherits from Agent and provides trust-specific methods.
-### Production Mode
 ```python
-# Strict verification for production
-payment = need("payment processor", trust="strict")
-sensitive = need("data processor", trust="strict")
+class TrustAgent(Agent):
+    """Agent specialized for trust decisions."""
+    def __init__(self, trust: str = "careful", *, api_key: str = None, model: str = "co/gpt-4o-mini"):
+        """Create from level ("open", "careful", "strict") or policy path."""
+    # === Main Decision ===
+    def should_allow(self, client_id: str, request: dict = None) -> Decision:
+        """Check if request is allowed. Returns Decision(allow, reason, used_llm)."""
+    # === Verification ===
+    def verify_invite(self, client_id: str, invite_code: str) -> bool:
+        """Verify invite code. Promotes to contact if valid."""
+    def verify_payment(self, client_id: str, payment_info: dict) -> bool:
+        """Verify payment. Promotes to contact if valid."""
+    # === Promotion (earned) ===
+    def promote_to_contact(self, client_id: str) -> bool:
+        """Stranger → Contact"""
+    def promote_to_whitelist(self, client_id: str) -> bool:
+        """Contact → Whitelist"""
+    # === Demotion ===
+    def demote_to_contact(self, client_id: str) -> bool:
+        """Whitelist → Contact"""
+    def demote_to_stranger(self, client_id: str) -> bool:
+        """Contact → Stranger"""
+    # === Blocking ===
+    def block(self, client_id: str, reason: str) -> bool:
+        """Add to blocklist."""
+    def unblock(self, client_id: str) -> bool:
+        """Remove from blocklist."""
+    # === Admin (manual only) ===
+    def set_admin(self, client_id: str, by_admin: str) -> bool:
+        """Grant admin. Requires existing admin."""
+    def remove_admin(self, client_id: str, by_admin: str) -> bool:
+        """Revoke admin. Requires existing admin."""
+    # === Queries ===
+    def get_level(self, client_id: str) -> str:
+        """Returns: stranger, contact, whitelist, admin, or blocked."""
+    def get_history(self, client_id: str) -> dict:
+        """Returns client's request history."""
+    def list_clients(self, level: str = None) -> list:
+        """List clients, optionally filtered by level."""
 ```
-### Mixed Trust
+## Host Uses TrustAgent Directly
 ```python
-# Different trust for different services
-scraper = need("web scraper", trust="open")      # Low risk
-analyzer = need("analyze data", trust="tested")   # Medium risk
-payment = need("process payment", trust="strict") # High risk
+# In host.py
+from connectonion.network.trust import TrustAgent
+# Load trust agent
+trust_agent = TrustAgent("careful")
+# Admin routes
+@app.post("/admin/trust/promote")
+def promote(client_id: str):
+    level = trust_agent.get_level(client_id)
+    if level == "stranger":
+        return trust_agent.promote_to_contact(client_id)
+    elif level == "contact":
+        return trust_agent.promote_to_whitelist(client_id)
+# Agent route
+@app.post("/input")
+def agent_input(client_id: str, request: dict):
+    # Check trust first
+    decision = trust_agent.should_allow(client_id, request)
+    if not decision.allow:
+        return {"error": decision.reason}
+    # Process with agent
+    return agent.input(request["prompt"])
 ```
-### Custom Trust Logic
+## Atomic Functions (Tools)
+Trust manager provides simple atomic functions as tools:
 ```python
-# Trust based on context
-def get_trust_level(service_type):
-    if "payment" in service_type:
-        return "strict"
-    elif "read" in service_type:
-        return "open"
-    else:
-        return "tested"
+# Promotion (earn trust)
+def promote_to_contact(client_id: str) -> str:
+    """Stranger → Contact"""
+def promote_to_whitelist(client_id: str) -> str:
+    """Contact → Whitelist"""
+# Demotion (lose trust)
+def demote_to_contact(client_id: str) -> str:
+    """Whitelist → Contact"""
+def demote_to_stranger(client_id: str) -> str:
+    """Contact → Stranger"""
+# Blocking
+def block(client_id: str, reason: str) -> str:
+    """Add to blocklist."""
+def unblock(client_id: str) -> str:
+    """Remove from blocklist."""
+# Admin (special, manual only)
+def set_admin(client_id: str) -> str:
+    """Grant admin privileges. Requires existing admin."""
+def remove_admin(client_id: str) -> str:
+    """Revoke admin privileges. Requires existing admin."""
+# Queries
+def get_client_level(client_id: str) -> str:
+    """Returns: stranger, contact, whitelist, admin, or blocked."""
+def get_client_history(client_id: str) -> str:
+    """Returns client's request history summary."""
+```
+### Promotion Chain vs Admin
+```
+Promotion chain (earned):
+Stranger → Contact → Whitelist
+Admin (manual only):
+set_admin() / remove_admin()
+```
+Admin is **not** part of the promotion chain. It's a special role granted manually by an existing admin.
+## Logic in Markdown
+The markdown body defines policy for complex decisions (when `use_agent` triggers):
-service = need("read data", trust=get_trust_level("read data"))
+```markdown
+# Trust Agent Policy
+You manage client trust levels using these tools:
+- `promote_to_contact(client_id)` - Stranger → Contact
+- `promote_to_whitelist(client_id)` - Contact → Whitelist
+- `block(client_id, reason)` - Block abuser
+## When to Promote
+Promote stranger to contact when:
+- 10+ requests with good behavior
+- No suspicious patterns
+Promote contact to whitelist when:
+- 100+ successful requests
+- Consistently valuable interactions
+## When to Block
+Block immediately if:
+- Abuse detected
+- Spam patterns
+- Attempting to bypass verification
 ```
-## Security Best Practices
+The trust agent reads this from `system_prompt` and uses the atomic functions as tools.
+## Best Practices
-1. **Production = Strict**: Always use `trust="strict"` in production
-2. **Test Sensitive Operations**: Payment, data modification, etc.
-3. **Whitelist Critical Services**: Manually verify and whitelist
-4. **Monitor Trust Decisions**: Log all trust evaluations
-5. **Regular Audits**: Review whitelist and trust policies
+1. **Use fast rules for common cases** - No tokens burned
+2. **Reserve trust agent for edge cases** - Saves money
+3. **Cache decisions** - Don't re-evaluate every request
+4. **Start with "careful"** - Good default for most cases
+5. **Use "strict" in production** - Whitelist critical services
+6. **Monitor trust decisions** - Log for audit trail
 ## FAQ
 **Q: What's the default trust level?**
-A: `"tested"` - agents are tested before first use
+A: `"careful"` - verify strangers, allow contacts.
+**Q: Do fast rules burn tokens?**
+A: No. Fast rules are simple if/then executed by host. Zero tokens.
+**Q: When does trust agent run?**
+A: Only when `use_agent` triggers fire (e.g., after 10 requests). Rare.
+**Q: Where are lists stored?**
+A: `~/.co/` - whitelist.txt, contacts.txt, blocklist.txt
+**Q: Can I use the same agent with different trust levels?**
+A: Yes. Trust is host config, not agent config.
+```python
+# Same agent, different trust
+host(agent, trust="open")    # Dev
+host(agent, trust="strict")  # Prod
+```
+**Q: How do I add custom verification?**
+A: Add tools to TrustAgent:
-**Q: Can I change trust after agent creation?**
-A: Yes: `agent.trust = new_trust_agent`
+```python
+trust = TrustAgent(
+    system_prompt="./my_policy.md",
+    tools=[my_custom_verifier]
+)
+```
+## TODO
+### Prevent Promote Injection During Skill Test
+**Problem:** If trust agent has tools like `promote_to_contact()`, during skill testing a malicious agent could trick the trust agent into calling these tools - essentially promoting itself or manipulating access management.
+**Security Risk:**
+- Skill test evaluates if agent can do what it claims
+- Malicious agent could inject prompts to trigger `promote_to_contact()`
+- Could bypass normal verification flow
+**Possible Solutions:**
+1. Separate skill-test mode (no list management tools available)
+2. Require confirmation before list changes
+3. Sandbox trust agent during skill evaluation
+4. Use different trust agent instance for skill tests (read-only)
-**Q: How do trust agents communicate?**
-A: They're regular ConnectOnion agents - they talk naturally
+**Status:** Needs design decision
-**Q: What if both agents have strict trust?**
-A: Both requirements must be met - most restrictive wins
+### WebSocket Protocol for Admin/Onboard
-**Q: Can I disable trust completely?**
-A: Yes: `trust="open"` accepts everyone without checks
+Both HTTP and WebSocket are supported for admin and onboard operations. WebSocket is future-proof for decentralized/P2P scenarios (WebRTC).
+**Client → Server Messages:**
+| Type | Payload | Who |
+|------|---------|-----|
+| `INPUT` | `{ prompt, ... }` | Anyone |
+| `ONBOARD_SUBMIT` | `{ invite_code }` or `{ payment }` | Stranger |
+| `ADMIN_PROMOTE` | `{ client_id }` | Admin |
+| `ADMIN_DEMOTE` | `{ client_id }` | Admin |
+| `ADMIN_BLOCK` | `{ client_id, reason }` | Admin |
+| `ADMIN_UNBLOCK` | `{ client_id }` | Admin |
+| `ADMIN_GET_LEVEL` | `{ client_id }` | Admin |
+| `ADMIN_ADD` | `{ admin_id }` | Super Admin |
+| `ADMIN_REMOVE` | `{ admin_id }` | Super Admin |
+**Server → Client Messages:**
+| Type | Payload | When |
+|------|---------|------|
+| `OUTPUT` | `{ result, session_id }` | Agent response |
+| `ONBOARD_REQUIRED` | `{ methods, payment_amount? }` | Stranger needs to onboard |
+| `ONBOARD_SUCCESS` | `{ identity, level }` | Onboard complete |
+| `ADMIN_RESULT` | `{ action, success, message }` | Admin action result |
+| `ERROR` | `{ message }` | Any error |
+**Example: Stranger connects, onboards, then chats:**
+```
+Client: { type: 'INPUT', prompt: 'Hello', payload, signature }
+Server: { type: 'ONBOARD_REQUIRED', methods: ['invite_code'], identity: '0x...' }
+Client: { type: 'ONBOARD_SUBMIT', payload: { invite_code: 'BETA2024' }, signature }
+Server: { type: 'ONBOARD_SUCCESS', identity: '0x...', level: 'contact' }
+Client: { type: 'INPUT', prompt: 'Hello', payload, signature }
+Server: { type: 'OUTPUT', result: 'Hi there!' }
+```

connectonion 0.6.4__py3-none-any.whl → 0.6.5__py3-none-any.whl

connectonion 0.6.4py3-none-any.whl → 0.6.5py3-none-any.whl