connectonion 0.6.4__py3-none-any.whl → 0.6.5__py3-none-any.whl

connectonion/network/host/server.py

@@ -26,6 +26,7 @@ don't interfere between concurrent requests.
 """
 
 import os
+from functools import partial
 from pathlib import Path
 from typing import Callable, Union
 
@@ -33,7 +34,8 @@ from rich.console import Console
 from rich.panel import Panel
 
 from ..asgi import create_app as asgi_create_app
-from ..trust import get_default_trust_level
+from ..trust import TrustAgent, get_default_trust_level, parse_policy, TRUST_LEVELS
+from ..trust.factory import PROMPTS_DIR
 from .session import SessionStorage
 from .auth import extract_and_authenticate
 from .routes import (
@@ -44,9 +46,49 @@ from .routes import (
     info_handler,
     admin_logs_handler,
     admin_sessions_handler,
+    # Admin trust routes
+    admin_trust_promote_handler,
+    admin_trust_demote_handler,
+    admin_trust_block_handler,
+    admin_trust_unblock_handler,
+    admin_trust_level_handler,
+    # Super admin routes
+    admin_admins_add_handler,
+    admin_admins_remove_handler,
 )
 
 
+def _parse_trust_config(trust: Union[str, "Agent"]) -> dict | None:
+    """Parse trust config from trust parameter.
+
+    Returns YAML config dict if trust is a level or file path, None otherwise.
+    Used to extract onboard info for /info endpoint.
+    """
+    if not isinstance(trust, str):
+        return None
+
+    # Check if it's a trust level
+    if trust.lower() in TRUST_LEVELS:
+        policy_path = PROMPTS_DIR / f"{trust.lower()}.md"
+        if policy_path.exists():
+            config, _ = parse_policy(policy_path.read_text(encoding='utf-8'))
+            return config
+        return None
+
+    # Check if it's a file path
+    path = Path(trust)
+    if path.exists() and path.is_file():
+        config, _ = parse_policy(path.read_text(encoding='utf-8'))
+        return config
+
+    # Inline policy text
+    if trust.startswith('---'):
+        config, _ = parse_policy(trust)
+        return config
+
+    return None
+
+
 def get_default_trust() -> str:
     """Get default trust based on environment.
 
@@ -70,7 +112,7 @@ def _extract_agent_metadata(create_agent: Callable) -> tuple[dict, object]:
     return metadata, sample
 
 
-def _create_route_handlers(create_agent: Callable, agent_metadata: dict, result_ttl: int):
+def _create_route_handlers(create_agent: Callable, agent_metadata: dict, result_ttl: int, trust_agent):
     """Create route handler dict for ASGI app.
 
     Args:
@@ -79,6 +121,7 @@ def _create_route_handlers(create_agent: Callable, agent_metadata: dict, result_
         agent_metadata: Pre-extracted metadata (name, tools, address) - avoids
                         creating agents for health/info endpoints.
         result_ttl: How long to keep results on server in seconds
+        trust_agent: TrustAgent instance for trust operations
     """
     agent_name = agent_metadata["name"]
 
@@ -91,8 +134,8 @@ def _create_route_handlers(create_agent: Callable, agent_metadata: dict, result_
     def handle_health(start_time):
         return health_handler(agent_name, start_time)
 
-    def handle_info(trust):
-        return info_handler(agent_metadata, trust)
+    def handle_info(trust, trust_config=None):
+        return info_handler(agent_metadata, trust, trust_config)
 
     def handle_admin_logs():
         return admin_logs_handler(agent_name)
@@ -107,6 +150,17 @@ def _create_route_handlers(create_agent: Callable, agent_metadata: dict, result_
         "ws_input": handle_ws_input,
         "admin_logs": handle_admin_logs,
         "admin_sessions": admin_sessions_handler,
+        # TrustAgent instance for direct access in http.py/websocket.py
+        "trust_agent": trust_agent,
+        # Admin trust routes (partial injects trust_agent as first arg)
+        "admin_trust_promote": partial(admin_trust_promote_handler, trust_agent),
+        "admin_trust_demote": partial(admin_trust_demote_handler, trust_agent),
+        "admin_trust_block": partial(admin_trust_block_handler, trust_agent),
+        "admin_trust_unblock": partial(admin_trust_unblock_handler, trust_agent),
+        "admin_trust_level": partial(admin_trust_level_handler, trust_agent),
+        # Super admin routes
+        "admin_admins_add": partial(admin_admins_add_handler, trust_agent),
+        "admin_admins_remove": partial(admin_admins_remove_handler, trust_agent),
     }
 
 
@@ -197,14 +251,14 @@ def host(
         whitelist: Allowed identities
 
     Endpoints:
-        POST /input         - Submit prompt, get result
-        GET  /sessions/{id} - Get session by ID
-        GET  /sessions      - List all sessions
-        GET  /health        - Health check
-        GET  /info          - Agent info
-        WS   /ws            - WebSocket
-        GET  /logs          - Activity log (requires OPENONION_API_KEY)
-        GET  /logs/sessions - Activity sessions (requires OPENONION_API_KEY)
+        POST /input          - Submit prompt, get result
+        GET  /sessions/{id}  - Get session by ID
+        GET  /sessions       - List all sessions
+        GET  /health         - Health check
+        GET  /info           - Agent info
+        WS   /ws             - WebSocket
+        GET  /admin/logs     - Activity log (requires OPENONION_API_KEY)
+        GET  /admin/sessions - Activity sessions (requires OPENONION_API_KEY)
     """
     import uvicorn
     from ... import address
@@ -228,11 +282,24 @@ def host(
     agent_metadata["address"] = addr_data['address']
 
     storage = SessionStorage()
-    route_handlers = _create_route_handlers(create_agent, agent_metadata, result_ttl)
+
+    # Create TrustAgent instance - the single interface for all trust operations
+    # Users can subclass TrustAgent to customize (e.g., database-backed admin storage)
+    if isinstance(trust, TrustAgent):
+        trust_agent = trust
+    else:
+        trust_agent = TrustAgent(trust if isinstance(trust, str) else "careful")
+
+    route_handlers = _create_route_handlers(create_agent, agent_metadata, result_ttl, trust_agent)
+
+    # Parse trust config for /info onboard info
+    trust_config = _parse_trust_config(trust)
+
     app = asgi_create_app(
         route_handlers=route_handlers,
         storage=storage,
-        trust=trust,
+        trust=trust_agent,  # Pass resolved TrustAgent, not raw trust
+        trust_config=trust_config,
         blacklist=blacklist,
         whitelist=whitelist,
     )
@@ -243,13 +310,23 @@ def host(
 
     # Display startup info
     relay_status = f"[green]✓[/] {relay_url}" if relay_url else "[dim]disabled[/]"
+
+    # Build trust info for display
+    trust_info = ""
+    if trust_config and isinstance(trust, str) and trust.lower() in TRUST_LEVELS:
+        onboard = trust_config.get("onboard", {})
+        invite_codes = onboard.get("invite_code", [])
+        if invite_codes:
+            codes_str = ", ".join(invite_codes) if isinstance(invite_codes, list) else invite_codes
+            trust_info = f"\n[bold]Invite:[/]  {codes_str}\n[dim]         Run 'co copy trust/{trust}' to customize[/]"
+
     Console().print(Panel(
         f"[bold]POST[/] http://localhost:{port}/input\n"
         f"[dim]GET  /sessions/{{id}} · /sessions · /health · /info[/]\n"
         f"[dim]WS   ws://localhost:{port}/ws\n"
         f"[dim]UI   http://localhost:{port}/docs[/]\n\n"
         f"[bold]Address:[/] {agent_metadata['address']}\n"
-        f"[bold]Relay:[/]   {relay_status}",
+        f"[bold]Relay:[/]   {relay_status}{trust_info}",
         title=f"[green]Agent '{agent_metadata['name']}'[/]"
     ))
 
@@ -279,11 +356,17 @@ def create_app(create_agent: Callable, storage=None, trust="careful", result_ttl
     agent_metadata, sample = _extract_agent_metadata(create_agent)
     agent_metadata["address"] = get_agent_address(sample)
 
-    route_handlers = _create_route_handlers(create_agent, agent_metadata, result_ttl)
+    # Create TrustAgent instance
+    if isinstance(trust, TrustAgent):
+        trust_agent = trust
+    else:
+        trust_agent = TrustAgent(trust if isinstance(trust, str) else "careful")
+
+    route_handlers = _create_route_handlers(create_agent, agent_metadata, result_ttl, trust_agent)
     return asgi_create_app(
         route_handlers=route_handlers,
         storage=storage,
-        trust=trust,
+        trust=trust_agent,  # Pass resolved TrustAgent, not raw trust
         blacklist=blacklist,
         whitelist=whitelist,
     )

connectonion/network/trust/__init__.py

@@ -1,30 +1,38 @@
 """
-Purpose: Trust verification system module re-exporting factory, prompts, and verification tools
-LLM-Note:
-  Dependencies: imports from [factory.py, prompts.py, tools.py] | imported by [network/__init__.py, network/host/auth.py, network/host/server.py] | tested by [tests/network/test_trust.py]
-  Data flow: re-exports trust agent creation utilities and trust level prompts
-  State/Effects: no state
-  Integration: exposes create_trust_agent(trust_spec) → Agent, get_default_trust_level() → str, validate_trust_level(level), TRUST_LEVELS dict, TRUST_PROMPTS dict, get_trust_prompt(level) → str, get_trust_verification_tools() → list | used by host() for access control policies
-  Performance: trivial
-  Errors: none
 Trust verification system for agent networking.
 
-This module contains:
-- factory: Trust agent creation and configuration
-- prompts: Pre-configured trust prompts for different levels
-- tools: Verification tools for trust agents
+Usage:
+    from connectonion.network.trust import TrustAgent
+
+    trust = TrustAgent("careful")  # or "open", "strict", or path to policy
+
+    # Access control
+    decision = trust.should_allow("client-123", {"prompt": "hello"})
+
+    # Trust level operations
+    trust.promote_to_contact("client-123")
+    trust.block("bad-actor", reason="spam")
+    level = trust.get_level("client-123")  # "stranger", "contact", "whitelist", "blocked"
+
+    # Admin operations
+    trust.is_admin("client-123")
+    trust.add_admin("new-admin")
+
+TrustAgent is the single interface for all trust operations.
+Subclass to customize behavior (e.g., database-backed admin storage).
 """
 
-from .factory import create_trust_agent, get_default_trust_level, validate_trust_level, TRUST_LEVELS
-from .prompts import TRUST_PROMPTS, get_trust_prompt
-from .tools import get_trust_verification_tools
+from .trust_agent import TrustAgent, Decision
+from .factory import get_default_trust_level, validate_trust_level, TRUST_LEVELS
+from .fast_rules import parse_policy
 
 __all__ = [
-    "create_trust_agent",
+    # TrustAgent - the single interface
+    "TrustAgent",
+    "Decision",
+    # Helpers
     "get_default_trust_level",
     "validate_trust_level",
     "TRUST_LEVELS",
-    "TRUST_PROMPTS",
-    "get_trust_prompt",
-    "get_trust_verification_tools",
+    "parse_policy",
 ]

connectonion/network/trust/factory.py

@@ -1,23 +1,36 @@
 """
-Purpose: Factory for creating trust verification agents with policies.
+Factory for creating trust verification agents with policies.
+
+Policy files use YAML frontmatter for fast rules + markdown body for LLM prompts:
+
+    ---
+    allow: [whitelisted, contact]
+    deny: [blocked]
+    onboard:
+      invite_code: [BETA2024]
+      payment: 10
+    default: ask
+    ---
+    # LLM Prompt for trust evaluation...
+
+Fast rules execute without LLM (zero tokens, instant). Only 'default: ask' triggers LLM.
 
 String Resolution Priority:
-  1. Trust level ("open", "careful", "strict")
+  1. Trust level ("open", "careful", "strict") → loads from prompts/trust/{level}.md
   2. File path (if exists)
   3. Inline policy text
-
-LLM-Note:
-  Dependencies: [os, pathlib, typing, .prompts, .tools] | imported by [host/server.py] | tested by [tests/unit/test_trust.py]
-  Data flow: trust param → check env default → resolve by priority → return Agent or None
-  Errors: TypeError (invalid type) | FileNotFoundError (Path doesn't exist)
 """
 
 import os
 from pathlib import Path
 from typing import Union, Optional
 
-from .prompts import get_trust_prompt
 from .tools import get_trust_verification_tools
+from .fast_rules import parse_policy
+
+
+# Path to trust policy files (at repo root: prompts/trust/)
+PROMPTS_DIR = Path(__file__).parent.parent.parent.parent / "prompts" / "trust"
 
 
 # Trust level constants
@@ -45,21 +58,28 @@ def get_default_trust_level() -> Optional[str]:
 
 def create_trust_agent(trust: Union[str, Path, 'Agent', None], api_key: Optional[str] = None, model: str = "gpt-5-mini") -> Optional['Agent']:
     """
-    Create a trust agent based on the trust parameter.
+    DEPRECATED: Use TrustAgent instead.
+
+    >>> from connectonion.network.trust import TrustAgent
+    >>> trust = TrustAgent("careful")
+    >>> trust.should_allow("client-123")
+
+    This function returns a regular Agent, which lacks TrustAgent methods
+    like should_allow(), promote_to_contact(), etc.
 
     Args:
-        trust: Trust configuration:
-            - None: Check CONNECTONION_TRUST env, else return None
-            - Agent: Return as-is (must have tools)
-            - Path: Read file as policy
-            - str: Resolved by priority:
-                1. Trust level ("open", "careful", "strict")
-                2. File path (if file exists)
-                3. Inline policy text
+        trust: Trust configuration (see TrustAgent for new API)
 
     Returns:
         Agent configured for trust verification, or None
     """
+    import warnings
+    warnings.warn(
+        "create_trust_agent() is deprecated. Use TrustAgent instead: "
+        "from connectonion.network.trust import TrustAgent; trust = TrustAgent('careful')",
+        DeprecationWarning,
+        stacklevel=2
+    )
     from ...core.agent import Agent  # Import here to avoid circular dependency
     
     # If None, check for environment default
@@ -95,13 +115,20 @@ def create_trust_agent(trust: Union[str, Path, 'Agent', None], api_key: Optional
     # Handle string: trust level > file path > inline policy
     if isinstance(trust, str):
         if trust.lower() in TRUST_LEVELS:
-            return Agent(
-                name=f"trust_agent_{trust.lower()}",
-                tools=trust_tools,
-                system_prompt=get_trust_prompt(trust.lower()),
-                api_key=api_key,
-                model=model
-            )
+            # Load from prompts/trust/{level}.md
+            policy_path = PROMPTS_DIR / f"{trust.lower()}.md"
+            if policy_path.exists():
+                policy_text = policy_path.read_text(encoding='utf-8')
+                config, markdown_body = parse_policy(policy_text)
+                return Agent(
+                    name=f"trust_agent_{trust.lower()}",
+                    tools=trust_tools,
+                    system_prompt=markdown_body,
+                    api_key=api_key,
+                    model=model
+                )
+            # Fallback if file doesn't exist
+            raise FileNotFoundError(f"Trust policy file not found: {policy_path}")
 
         path = Path(trust)
         if path.exists() and path.is_file():

connectonion/network/trust/fast_rules.py

@@ -0,0 +1,100 @@
+"""
+Parse YAML config from trust policy files and execute fast rules.
+
+Config format:
+    allow: [whitelisted, contact]  # Who has access
+    deny: [blocked]                 # Who is blocked
+    onboard:                        # How strangers become contacts
+      invite_code: [CODE1, CODE2]
+      payment: 10
+    default: deny                   # allow | deny | ask
+"""
+
+import yaml
+from typing import Optional
+from .tools import is_whitelisted, is_blocked, is_contact, promote_to_contact
+
+
+def parse_policy(policy_text: str) -> tuple[dict, str]:
+    """
+    Parse YAML frontmatter from markdown policy file.
+
+    Returns:
+        (config_dict, markdown_body)
+    """
+    if not policy_text.startswith('---'):
+        return {}, policy_text
+
+    end = policy_text.find('---', 3)
+    if end == -1:
+        return {}, policy_text
+
+    yaml_content = policy_text[3:end].strip()
+    markdown_body = policy_text[end + 3:].strip()
+
+    config = yaml.safe_load(yaml_content) or {}
+    return config, markdown_body
+
+
+def evaluate_request(config: dict, client_id: str, request: dict) -> Optional[str]:
+    """
+    Evaluate request using fast rules (no LLM).
+
+    Config format:
+        allow: [whitelisted, contact]  # Who has access
+        deny: [blocked]                 # Who is blocked
+        onboard:                        # How strangers become contacts
+          invite_code: [CODE1]
+          payment: 10
+        default: deny                   # allow | deny | ask
+
+    Args:
+        config: Parsed YAML config
+        client_id: The client making request
+        request: Request data (may contain invite_code, payment, etc.)
+
+    Returns:
+        'allow', 'deny', or None (needs LLM)
+    """
+    # 1. Check deny list first (blocked users)
+    deny_list = config.get('deny', ['blocked'])
+    for condition in deny_list:
+        if condition == 'blocked' and is_blocked(client_id):
+            return 'deny'
+
+    # 2. Check allow list (whitelisted, contacts)
+    allow_list = config.get('allow', [])
+    for condition in allow_list:
+        if condition == 'whitelisted' and is_whitelisted(client_id):
+            return 'allow'
+        if condition == 'contact' and is_contact(client_id):
+            return 'allow'
+
+    # 3. Try onboarding (stranger → contact)
+    onboard = config.get('onboard', {})
+
+    # Check invite code
+    valid_codes = onboard.get('invite_code', [])
+    request_code = request.get('invite_code')
+    if request_code and request_code in valid_codes:
+        promote_to_contact(client_id)
+        return 'allow'
+
+    # Check payment
+    required_payment = onboard.get('payment')
+    request_payment = request.get('payment', 0)
+    if required_payment and request_payment >= required_payment:
+        promote_to_contact(client_id)
+        return 'allow'
+
+    # 4. Default action for strangers without onboarding
+    default = config.get('default', 'deny')
+
+    if default == 'allow':
+        return 'allow'
+    elif default == 'deny':
+        return 'deny'
+    elif default == 'ask':
+        return None  # Needs LLM evaluation
+
+    return 'deny'  # Safe fallback