creduent 0.1.0__tar.gz

creduent-0.1.0/PKG-INFO

@@ -0,0 +1,96 @@
+Metadata-Version: 2.4
+Name: creduent
+Version: 0.1.0
+Summary: Creduent Protocol SDK — cryptographic identity for AI agents
+License: MIT
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: cryptography
+Requires-Dist: requests
+Requires-Dist: jcs
+Requires-Dist: fastapi
+
+# Creduent Python SDK
+
+The official Python SDK for the **Creduent Protocol** — a federated, open trust-verification layer and cryptographic identity infrastructure for autonomous AI agents.
+
+## Installation
+
+Install the self-contained package from PyPI with a single command:
+
+```bash
+pip install creduent
+```
+
+## Quickstart
+
+Below is a complete quickstart demonstrating keypair generation, self-signing, verification, registration, and attestation resolution using the SDK.
+
+```python
+from creduent import (
+    generate_keys,
+    sign,
+    verify,
+    register,
+    attest,
+    CreduEntError
+)
+
+try:
+    # 1. Generate a new Ed25519 keypair
+    private_key_pem, public_key_str = generate_keys()
+    print(f"Generated Public Key: {public_key_str}\n")
+
+    # 2. Sign a draft agent.json document
+    draft_document = {
+        "agent_id": "agent://creduent/reconbot",
+        "owner": "Creduent",
+        "public_key": public_key_str,
+        "endpoint": "https://api.idevsec.com/recon",
+        "capabilities": ["osint", "dns_lookup", "vulnerability_scan"]
+    }
+    
+    signed_doc = sign(draft_document, private_key_pem)
+    print("Signed agent.json:")
+    print(signed_doc)
+    print()
+
+    # 3. Verify a self-signed agent.json (from dict, URL, domain, or agent:// URI)
+    # Verification with a document dictionary
+    result = verify(signed_doc)
+    print(f"Self-Signed Verification Result (dict): {result.valid}")
+    
+    # Verification with a live agent URL
+    live_result = verify("https://api.idevsec.com/.well-known/agent.json")
+    print(f"Live Verification Result (URL): {live_result.valid}")
+    print(f"Live Agent ID: {live_result.agent_id}")
+    print(f"Live Capabilities: {live_result.capabilities}\n")
+
+    # 4. Register an agent with the Creduent registry
+    # Returns RegisterResult with success (bool), attestation (dict|None), error (str|None)
+    reg_result = register(
+        agent_id="agent://creduent/reconbot",
+        domain="api.idevsec.com",
+        agent_json_url="https://api.idevsec.com/.well-known/agent.json"
+    )
+    print(f"Registration Successful: {reg_result.success}")
+    print(f"Attestation: {reg_result.attestation}\n")
+
+    # 5. Fetch and validate an active attestation for an agent
+    # Returns AttestResult with attested (bool), level (str), issued_at, expires_at, error (str|None)
+    attest_result = attest("agent://creduent/reconbot")
+    print(f"Is Attested: {attest_result.attested}")
+    print(f"Attestation Level: {attest_result.level}")
+    print(f"Issued At: {attest_result.issued_at}")
+    print(f"Expires At: {attest_result.expires_at}\n")
+
+except CreduEntError as e:
+    print(f"Creduent Protocol Error occurred: {e}")
+```
+
+## Protocol Specification
+
+For full information on the cryptographic standards, JCS canonicalization, and the federated verification workflows, read the complete [Creduent Protocol Specification](https://github.com/cyberfascinate/creduent).

creduent-0.1.0/README.md

@@ -0,0 +1,81 @@
+# Creduent Python SDK
+
+The official Python SDK for the **Creduent Protocol** — a federated, open trust-verification layer and cryptographic identity infrastructure for autonomous AI agents.
+
+## Installation
+
+Install the self-contained package from PyPI with a single command:
+
+```bash
+pip install creduent
+```
+
+## Quickstart
+
+Below is a complete quickstart demonstrating keypair generation, self-signing, verification, registration, and attestation resolution using the SDK.
+
+```python
+from creduent import (
+    generate_keys,
+    sign,
+    verify,
+    register,
+    attest,
+    CreduEntError
+)
+
+try:
+    # 1. Generate a new Ed25519 keypair
+    private_key_pem, public_key_str = generate_keys()
+    print(f"Generated Public Key: {public_key_str}\n")
+
+    # 2. Sign a draft agent.json document
+    draft_document = {
+        "agent_id": "agent://creduent/reconbot",
+        "owner": "Creduent",
+        "public_key": public_key_str,
+        "endpoint": "https://api.idevsec.com/recon",
+        "capabilities": ["osint", "dns_lookup", "vulnerability_scan"]
+    }
+    
+    signed_doc = sign(draft_document, private_key_pem)
+    print("Signed agent.json:")
+    print(signed_doc)
+    print()
+
+    # 3. Verify a self-signed agent.json (from dict, URL, domain, or agent:// URI)
+    # Verification with a document dictionary
+    result = verify(signed_doc)
+    print(f"Self-Signed Verification Result (dict): {result.valid}")
+    
+    # Verification with a live agent URL
+    live_result = verify("https://api.idevsec.com/.well-known/agent.json")
+    print(f"Live Verification Result (URL): {live_result.valid}")
+    print(f"Live Agent ID: {live_result.agent_id}")
+    print(f"Live Capabilities: {live_result.capabilities}\n")
+
+    # 4. Register an agent with the Creduent registry
+    # Returns RegisterResult with success (bool), attestation (dict|None), error (str|None)
+    reg_result = register(
+        agent_id="agent://creduent/reconbot",
+        domain="api.idevsec.com",
+        agent_json_url="https://api.idevsec.com/.well-known/agent.json"
+    )
+    print(f"Registration Successful: {reg_result.success}")
+    print(f"Attestation: {reg_result.attestation}\n")
+
+    # 5. Fetch and validate an active attestation for an agent
+    # Returns AttestResult with attested (bool), level (str), issued_at, expires_at, error (str|None)
+    attest_result = attest("agent://creduent/reconbot")
+    print(f"Is Attested: {attest_result.attested}")
+    print(f"Attestation Level: {attest_result.level}")
+    print(f"Issued At: {attest_result.issued_at}")
+    print(f"Expires At: {attest_result.expires_at}\n")
+
+except CreduEntError as e:
+    print(f"Creduent Protocol Error occurred: {e}")
+```
+
+## Protocol Specification
+
+For full information on the cryptographic standards, JCS canonicalization, and the federated verification workflows, read the complete [Creduent Protocol Specification](https://github.com/cyberfascinate/creduent).

creduent-0.1.0/creduent/__init__.py

@@ -0,0 +1,29 @@
+"""
+Creduent Protocol SDK — Cryptographic identity verification for AI agents.
+"""
+
+from creduent.sign import generate_keys, sign
+from creduent.verify import verify, VerifyResult
+from creduent.register import register, RegisterResult
+from creduent.attest import attest, AttestResult
+from creduent.exceptions import (
+    CreduEntError,
+    VerificationError,
+    RegistrationError,
+    AttestationError
+)
+
+__all__ = [
+    "generate_keys",
+    "sign",
+    "verify",
+    "VerifyResult",
+    "register",
+    "RegisterResult",
+    "attest",
+    "AttestResult",
+    "CreduEntError",
+    "VerificationError",
+    "RegistrationError",
+    "AttestationError"
+]

creduent-0.1.0/creduent/attest.py

@@ -0,0 +1,80 @@
+import requests
+from dataclasses import dataclass
+from typing import Optional
+
+from creduent.exceptions import AttestationError
+
+@dataclass
+class AttestResult:
+    attested: bool
+    level: Optional[str]
+    issued_at: Optional[str]
+    expires_at: Optional[str]
+    error: Optional[str] = None
+
+def attest(
+    agent_id: str,
+    registry_url: str = "https://api.idevsec.com"
+) -> AttestResult:
+    """
+    Fetch attestation for an agent from the Creduent registry.
+    Returns AttestResult.
+    Raises AttestationError on network, timeout, or registry 5xx failures.
+    """
+    base_url = registry_url.rstrip('/')
+    
+    # URL escape agent_id if needed, but since it's a path parameter:
+    # FastAPI path parameter matches `/attest/{agent_id:path}`
+    # E.g. /registry/attest/agent://creduent/reconbot
+    # Note: double slashes in agent:// might get collapsed by some proxies or routers.
+    # The registry endpoint router handles path normalization.
+    if base_url.endswith('/registry'):
+        endpoint = f"{base_url}/attest/{agent_id}"
+    else:
+        endpoint = f"{base_url}/registry/attest/{agent_id}"
+        
+    try:
+        response = requests.get(endpoint, timeout=10)
+    except requests.RequestException as e:
+        # Fallback without /registry if default failed
+        if not base_url.endswith('/registry'):
+            fallback_endpoint = f"{base_url}/attest/{agent_id}"
+            try:
+                response = requests.get(fallback_endpoint, timeout=10)
+            except requests.RequestException as inner_e:
+                raise AttestationError(f"Connection to Creduent registry failed: {inner_e}")
+        else:
+            raise AttestationError(f"Connection to Creduent registry failed: {e}")
+            
+    if response.status_code == 200:
+        try:
+            data = response.json()
+            return AttestResult(
+                attested=True,
+                level=data.get("level", "verified"),
+                issued_at=data.get("issued_at"),
+                expires_at=data.get("expires_at"),
+                error=None
+            )
+        except Exception as e:
+            raise AttestationError(f"Registry returned invalid JSON: {e}")
+    elif response.status_code == 404:
+        # Agent is not registered/attested
+        return AttestResult(
+            attested=False,
+            level=None,
+            issued_at=None,
+            expires_at=None,
+            error="Attestation not found or expired"
+        )
+    else:
+        # Server or validation error
+        err_detail = response.text
+        try:
+            err_json = response.json()
+            if isinstance(err_json, dict) and "detail" in err_json:
+                err_detail = err_json["detail"]
+        except Exception:
+            pass
+            
+        raise AttestationError(f"Attestation query failed with HTTP {response.status_code}: {err_detail}")

creduent-0.1.0/creduent/crypto.py

@@ -0,0 +1,9 @@
+# NOTE: Sync with creduent/crypto.py
+import jcs
+
+def canonicalize(obj) -> str:
+    """
+    Canonicalize JSON object according to RFC 8785 (JCS) using the jcs library.
+    Returns a UTF-8 string.
+    """
+    return jcs.canonicalize(obj).decode('utf-8')

creduent-0.1.0/creduent/exceptions.py

@@ -0,0 +1,19 @@
+"""
+Creduent Python SDK custom exceptions.
+"""
+
+class CreduEntError(Exception):
+    """Base exception for all Creduent errors."""
+    pass
+
+class VerificationError(CreduEntError):
+    """Exception raised when identity or cryptographic verification fails."""
+    pass
+
+class RegistrationError(CreduEntError):
+    """Exception raised when agent registration with the registry fails."""
+    pass
+
+class AttestationError(CreduEntError):
+    """Exception raised when querying or validating registry attestations fails."""
+    pass

creduent-0.1.0/creduent/register.py

@@ -0,0 +1,78 @@
+import json
+import requests
+from dataclasses import dataclass
+from typing import Optional
+
+from creduent.exceptions import RegistrationError
+
+@dataclass
+class RegisterResult:
+    success: bool
+    attestation: Optional[dict]
+    error: Optional[str] = None
+
+def register(
+    agent_id: str,
+    domain: str,
+    agent_json_url: str,
+    registry_url: str = "https://api.idevsec.com"
+) -> RegisterResult:
+    """
+    Register agent with Creduent registry.
+    Returns RegisterResult.
+    Raises RegistrationError on network, timeout, or validation failure.
+    """
+    base_url = registry_url.rstrip('/')
+    # If URL already ends with /registry, the endpoint is /register.
+    # Otherwise, it's /registry/register.
+    if base_url.endswith('/registry'):
+        endpoint = f"{base_url}/register"
+    else:
+        endpoint = f"{base_url}/registry/register"
+        
+    payload = {
+        "agent_id": agent_id,
+        "domain": domain,
+        "agent_json_url": agent_json_url
+    }
+    
+    try:
+        response = requests.post(
+            endpoint,
+            json=payload,
+            headers={"Content-Type": "application/json"},
+            timeout=10
+        )
+    except requests.RequestException as e:
+        # If the preferred endpoint failed, try fallback /register directly
+        if not base_url.endswith('/registry'):
+            fallback_endpoint = f"{base_url}/register"
+            try:
+                response = requests.post(
+                    fallback_endpoint,
+                    json=payload,
+                    headers={"Content-Type": "application/json"},
+                    timeout=10
+                )
+            except requests.RequestException as inner_e:
+                raise RegistrationError(f"Connection to Creduent registry failed: {inner_e}")
+        else:
+            raise RegistrationError(f"Connection to Creduent registry failed: {e}")
+            
+    if response.status_code == 200:
+        try:
+            attestation = response.json()
+            return RegisterResult(success=True, attestation=attestation, error=None)
+        except Exception as e:
+            raise RegistrationError(f"Registry returned invalid JSON: {e}")
+    else:
+        # Non-200 error
+        err_detail = response.text
+        try:
+            err_json = response.json()
+            if isinstance(err_json, dict) and "detail" in err_json:
+                err_detail = err_json["detail"]
+        except Exception:
+            pass
+            
+        raise RegistrationError(f"Registration failed with HTTP {response.status_code}: {err_detail}")

creduent-0.1.0/creduent/sign.py

@@ -0,0 +1,146 @@
+import os
+import sys
+import json
+import base64
+import argparse
+from datetime import datetime, timezone
+from cryptography.hazmat.primitives.asymmetric import ed25519
+from cryptography.hazmat.primitives import serialization
+from creduent.crypto import canonicalize
+from creduent.exceptions import CreduEntError
+
+def generate_keys() -> tuple[str, str]:
+    """
+    Generate a new Ed25519 keypair.
+    Returns: (private_key_pem_string, "ed25519:<base64>" public_key_string)
+    """
+    try:
+        private_key = ed25519.Ed25519PrivateKey.generate()
+        
+        # Format Private Key as PEM string
+        private_pem_bytes = private_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.PKCS8,
+            encryption_algorithm=serialization.NoEncryption()
+        )
+        private_key_pem = private_pem_bytes.decode('utf-8')
+        
+        # Extract and format Public Key
+        public_key = private_key.public_key()
+        public_bytes = public_key.public_bytes(
+            encoding=serialization.Encoding.Raw,
+            format=serialization.PublicFormat.Raw
+        )
+        public_b64 = base64.b64encode(public_bytes).decode('utf-8')
+        public_key_str = f"ed25519:{public_b64}"
+        
+        return private_key_pem, public_key_str
+    except Exception as e:
+        raise CreduEntError(f"Failed to generate keys: {e}")
+
+def sign(draft: dict, private_key_pem: str) -> dict:
+    """
+    Sign a draft agent.json dict and return the signed document.
+    Adds JCS canonicalization (RFC 8785) + Ed25519 signature field.
+    """
+    if not isinstance(draft, dict):
+        raise CreduEntError("Draft must be a dictionary")
+        
+    doc = draft.copy()
+    
+    # Normalize fields
+    doc["version"] = "1.0"
+    if "issued_at" not in doc:
+        doc["issued_at"] = datetime.now(timezone.utc).isoformat(timespec='seconds').replace("+00:00", "Z")
+        
+    # Remove signature before signing
+    doc.pop("signature", None)
+    
+    try:
+        # Load the Ed25519 private key
+        private_key = serialization.load_pem_private_key(
+            private_key_pem.encode('utf-8'),
+            password=None
+        )
+        if not isinstance(private_key, ed25519.Ed25519PrivateKey):
+            raise ValueError("Key is not an Ed25519 private key")
+    except Exception as e:
+        raise CreduEntError(f"Failed parsing private key PEM: {e}")
+        
+    try:
+        # JCS canonicalization
+        canonical_str = canonicalize(doc)
+        canonical_bytes = canonical_str.encode('utf-8')
+        
+        # Sign payload
+        signature_bytes = private_key.sign(canonical_bytes)
+        signature_b64 = base64.b64encode(signature_bytes).decode('utf-8')
+        
+        # Append signature
+        doc["signature"] = signature_b64
+        return doc
+    except Exception as e:
+        raise CreduEntError(f"Failed during JCS canonicalization or signing: {e}")
+
+def main():
+    parser = argparse.ArgumentParser(description="Creduent Protocol - agent.json Signing CLI")
+    subparsers = parser.add_subparsers(dest="command", help="Subcommand to execute")
+    
+    # generate-keys parser
+    subparsers.add_parser("generate-keys", help="Generate Ed25519 private key and public key string")
+    
+    # sign parser
+    sign_parser = subparsers.add_parser("sign", help="Sign a draft agent.json payload")
+    sign_parser.add_argument("--key", required=True, help="Path to Ed25519 private_key.pem")
+    sign_parser.add_argument("--input", required=True, help="Path to unsigned draft JSON file")
+    sign_parser.add_argument("--output", required=True, help="Path to write the signed JSON output file")
+    
+    args = parser.parse_args()
+    
+    if args.command == "generate-keys":
+        try:
+            private_pem, public_key_str = generate_keys()
+            
+            # Save private key PEM locally
+            with open("private_key.pem", "w", encoding="utf-8") as f:
+                f.write(private_pem)
+            print("[SUCCESS] Private key saved to private_key.pem (KEEP THIS SECRET!)")
+            
+            print("\n" + "="*50)
+            print("YOUR PUBLIC KEY (Add this to your agent.json):")
+            print(public_key_str)
+            print("="*50)
+        except Exception as e:
+            print(f"[-] Error: {e}", file=sys.stderr)
+            sys.exit(1)
+            
+    elif args.command == "sign":
+        if not os.path.exists(args.key):
+            print(f"[-] Error: Key file not found at {args.key}", file=sys.stderr)
+            sys.exit(1)
+            
+        if not os.path.exists(args.input):
+            print(f"[-] Error: Input document not found at {args.input}", file=sys.stderr)
+            sys.exit(1)
+            
+        try:
+            with open(args.key, "r", encoding="utf-8") as f:
+                private_pem = f.read()
+                
+            with open(args.input, "r", encoding="utf-8") as f:
+                draft = json.load(f)
+                
+            signed_doc = sign(draft, private_pem)
+            
+            with open(args.output, "w", encoding="utf-8") as f:
+                json.dump(signed_doc, f, indent=2, ensure_ascii=False)
+                
+            print(f"[SUCCESS] Successfully signed and generated {args.output}!")
+        except Exception as e:
+            print(f"[-] Error: {e}", file=sys.stderr)
+            sys.exit(1)
+    else:
+        parser.print_help()
+
+if __name__ == "__main__":
+    main()

creduent-0.1.0/creduent/utils.py

@@ -0,0 +1,75 @@
+# NOTE: Sync with creduent/utils.py
+import ipaddress
+import socket
+import requests
+from fastapi import HTTPException
+from urllib.parse import urlparse, urljoin
+
+def is_private_ip(ip_str: str) -> bool:
+    try:
+        ip = ipaddress.ip_address(ip_str)
+        return ip.is_private or ip.is_loopback or ip.is_link_local
+    except ValueError:
+        return False
+
+def safe_requests_get(url: str, timeout: int = 5, allow_private: bool = False) -> requests.Response:
+    """
+    Safe version of requests.get that prevents SSRF by blocking access
+    to private IP ranges, including redirect targets.
+    """
+    history = []
+    current_url = url
+    for _ in range(5):  # Follow max 5 redirects
+        parsed = urlparse(current_url)
+        host = parsed.netloc.split(':')[0]
+        try:
+            ip = socket.gethostbyname(host)
+            if not allow_private and is_private_ip(ip):
+                raise HTTPException(status_code=400, detail="Access to private IP ranges is blocked.")
+        except socket.gaierror:
+            # If DNS resolution fails here, let requests handle the connection error
+            pass
+            
+        response = requests.get(current_url, timeout=timeout, allow_redirects=False)
+        if response.is_redirect:
+            history.append(response)
+            next_url = response.headers.get('location')
+            if not next_url:
+                break
+            current_url = urljoin(current_url, next_url)
+        else:
+            response.history = history
+            return response
+            
+    response = requests.get(current_url, timeout=timeout, allow_redirects=False)
+    response.history = history
+    return response
+
+def load_dotenv():
+    """
+    Manually loads .env.local or .env file from the project base directory
+    into os.environ for local testing/development.
+    """
+    import os
+    # Try to find base dir (where .env.local resides)
+    base_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), '..'))
+    for filename in ['.env.local', '.env']:
+        filepath = os.path.join(base_dir, filename)
+        if os.path.exists(filepath):
+            try:
+                with open(filepath, 'r', encoding='utf-8') as f:
+                    for line in f:
+                        line = line.strip()
+                        if not line or line.startswith('#'):
+                            continue
+                        if '=' in line:
+                            key, val = line.split('=', 1)
+                            key = key.strip()
+                            val = val.strip()
+                            # Strip quotes
+                            if (val.startswith('"') and val.endswith('"')) or (val.startswith("'") and val.endswith("'")):
+                                val = val[1:-1]
+                            # Set and overwrite in environment
+                            os.environ[key] = val
+            except Exception as e:
+                print(f"[-] Warning: Failed to load environment file {filename}: {e}")

creduent-0.1.0/creduent/verify.py

@@ -0,0 +1,238 @@
+import os
+import sys
+import json
+import base64
+import argparse
+from dataclasses import dataclass
+from typing import List, Optional
+from cryptography.hazmat.primitives.asymmetric import ed25519
+from cryptography.exceptions import InvalidSignature
+
+from creduent.crypto import canonicalize
+from creduent.utils import safe_requests_get
+from creduent.exceptions import VerificationError
+
+@dataclass
+class VerifyResult:
+    valid: bool
+    agent_id: str
+    public_key: str
+    endpoint: str
+    capabilities: List[str]
+    error: Optional[str] = None
+
+def resolve_target(target: str) -> str:
+    """
+    Resolves agent_id, domain, or URL to a fetchable well-known agent.json URL.
+    """
+    target = target.strip()
+    
+    # 1. Handle HTTP/HTTPS URLs
+    if target.startswith("http://") or target.startswith("https://"):
+        from urllib.parse import urlparse, urlunparse
+        parsed = urlparse(target)
+        if not parsed.path.endswith("/.well-known/agent.json"):
+            # Append well-known path if not present
+            path = parsed.path.rstrip('/') + "/.well-known/agent.json"
+            return urlunparse((parsed.scheme, parsed.netloc, path, parsed.params, parsed.query, parsed.fragment))
+        return target
+        
+    # 2. Handle agent:// URIs
+    if target.startswith("agent://"):
+        from urllib.parse import urlparse
+        parsed = urlparse(target)
+        namespace = parsed.netloc
+        
+        # Default mapping fallback for testing/reconbot
+        if target == "agent://creduent/reconbot":
+            return "https://api.idevsec.com/.well-known/agent.json"
+            
+        # Try to resolve domain from Creduent registry
+        try:
+            registry_url = "https://api.idevsec.com/registry/attest/" + target
+            response = safe_requests_get(registry_url, timeout=5)
+            if response.status_code == 200:
+                attestation = response.json()
+                domain = attestation.get("domain")
+                if domain:
+                    return f"https://{domain}/.well-known/agent.json"
+        except Exception:
+            pass
+            
+        # Fallback to default namespace resolution
+        return f"https://api.{namespace}.ai/.well-known/agent.json"
+        
+    # 3. Handle domain or host name (e.g. "api.idevsec.com")
+    scheme = "http" if "localhost" in target or "127.0.0.1" in target else "https"
+    return f"{scheme}://{target}/.well-known/agent.json"
+
+def verify(target: str | dict) -> VerifyResult:
+    """
+    Verify a self-signed agent.json — from URL, agent:// URI, domain string, or dict.
+    Returns VerifyResult.
+    Raises VerificationError on connection or critical resolution failures.
+    """
+    doc = None
+    if isinstance(target, dict):
+        doc = target
+    elif isinstance(target, str):
+        resolved_url = resolve_target(target)
+        try:
+            allow_private = "localhost" in resolved_url or "127.0.0.1" in resolved_url
+            response = safe_requests_get(resolved_url, timeout=5, allow_private=allow_private)
+            if response.status_code != 200:
+                raise VerificationError(f"Failed to fetch agent.json: HTTP status {response.status_code}")
+            doc = response.json()
+        except Exception as e:
+            # Re-raise VerificationError or wrap other errors
+            if isinstance(e, VerificationError):
+                raise
+            err_msg = str(e)
+            if hasattr(e, 'detail'):
+                err_msg = e.detail
+            raise VerificationError(f"Failed to retrieve agent.json: {err_msg}")
+    else:
+        raise VerificationError("Target must be a dictionary or a string")
+        
+    if not isinstance(doc, dict):
+        return VerifyResult(
+            valid=False,
+            agent_id="",
+            public_key="",
+            endpoint="",
+            capabilities=[],
+            error="Parsed document is not a JSON object"
+        )
+        
+    agent_id = doc.get("agent_id", "")
+    public_key_str = doc.get("public_key", "")
+    endpoint = doc.get("endpoint", "")
+    capabilities = doc.get("capabilities", [])
+    
+    # 1. Structural schema manual validation
+    required = ["version", "agent_id", "owner", "public_key", "endpoint", "capabilities", "signature"]
+    for field in required:
+        if field not in doc:
+            return VerifyResult(
+                valid=False,
+                agent_id=agent_id,
+                public_key=public_key_str,
+                endpoint=endpoint,
+                capabilities=capabilities,
+                error=f"Missing required field '{field}' in agent.json"
+            )
+            
+    if doc.get("version") != "1.0":
+        return VerifyResult(
+            valid=False,
+            agent_id=agent_id,
+            public_key=public_key_str,
+            endpoint=endpoint,
+            capabilities=capabilities,
+            error=f"Unsupported protocol version: {doc.get('version')}"
+        )
+        
+    if not isinstance(capabilities, list):
+        return VerifyResult(
+            valid=False,
+            agent_id=agent_id,
+            public_key=public_key_str,
+            endpoint=endpoint,
+            capabilities=[],
+            error="Capabilities field must be a list of strings"
+        )
+        
+    # 2. Cryptographic signature check
+    if not public_key_str.startswith("ed25519:"):
+        return VerifyResult(
+            valid=False,
+            agent_id=agent_id,
+            public_key=public_key_str,
+            endpoint=endpoint,
+            capabilities=capabilities,
+            error="Unsupported public key format. Only 'ed25519:' prefix is supported."
+        )
+        
+    try:
+        pk_b64 = public_key_str.split(":", 1)[1]
+        public_key_bytes = base64.b64decode(pk_b64)
+        public_key = ed25519.Ed25519PublicKey.from_public_bytes(public_key_bytes)
+        
+        signature_b64 = doc.get("signature")
+        signature_bytes = base64.b64decode(signature_b64)
+        
+        # Clone doc and remove signature before canonicalizing
+        doc_copy = doc.copy()
+        doc_copy.pop("signature", None)
+        
+        canonical_str = canonicalize(doc_copy)
+        canonical_bytes = canonical_str.encode('utf-8')
+        
+        public_key.verify(signature_bytes, canonical_bytes)
+    except InvalidSignature:
+        return VerifyResult(
+            valid=False,
+            agent_id=agent_id,
+            public_key=public_key_str,
+            endpoint=endpoint,
+            capabilities=capabilities,
+            error="Cryptographic signature in agent.json is INVALID."
+        )
+    except Exception as e:
+        return VerifyResult(
+            valid=False,
+            agent_id=agent_id,
+            public_key=public_key_str,
+            endpoint=endpoint,
+            capabilities=capabilities,
+            error=f"Signature verification failed: {e}"
+        )
+        
+    return VerifyResult(
+        valid=True,
+        agent_id=agent_id,
+        public_key=public_key_str,
+        endpoint=endpoint,
+        capabilities=capabilities,
+        error=None
+    )
+
+def main():
+    parser = argparse.ArgumentParser(description="Creduent Protocol - agent.json Verification CLI")
+    parser.add_argument("target", help="The verification target (domain, URL, agent:// URI, or local JSON path)")
+    
+    args = parser.parse_args()
+    
+    target = args.target
+    # Check if target is a local file path
+    if os.path.exists(target):
+        try:
+            with open(target, "r", encoding="utf-8") as f:
+                target = json.load(f)
+        except Exception as e:
+            print(f"[-] Error reading local target file: {e}", file=sys.stderr)
+            sys.exit(1)
+            
+    try:
+        result = verify(target)
+        if result.valid:
+            print("\n" + "="*50)
+            print("[SUCCESS] IDENTITY VERIFIED & CRYPTOGRAPHICALLY VALID")
+            print(f"Agent ID:     {result.agent_id}")
+            print(f"Public Key:   {result.public_key}")
+            print(f"Endpoint:     {result.endpoint}")
+            print(f"Capabilities: {', '.join(result.capabilities)}")
+            print("="*50)
+            sys.exit(0)
+        else:
+            print("\n" + "="*50)
+            print("[FAILED] VERIFICATION FAILED")
+            print(f"Error: {result.error}")
+            print("="*50)
+            sys.exit(1)
+    except Exception as e:
+        print(f"[-] Error during verification pipeline: {e}", file=sys.stderr)
+        sys.exit(1)
+
+if __name__ == "__main__":
+    main()

creduent-0.1.0/creduent.egg-info/PKG-INFO

@@ -0,0 +1,96 @@
+Metadata-Version: 2.4
+Name: creduent
+Version: 0.1.0
+Summary: Creduent Protocol SDK — cryptographic identity for AI agents
+License: MIT
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: cryptography
+Requires-Dist: requests
+Requires-Dist: jcs
+Requires-Dist: fastapi
+
+# Creduent Python SDK
+
+The official Python SDK for the **Creduent Protocol** — a federated, open trust-verification layer and cryptographic identity infrastructure for autonomous AI agents.
+
+## Installation
+
+Install the self-contained package from PyPI with a single command:
+
+```bash
+pip install creduent
+```
+
+## Quickstart
+
+Below is a complete quickstart demonstrating keypair generation, self-signing, verification, registration, and attestation resolution using the SDK.
+
+```python
+from creduent import (
+    generate_keys,
+    sign,
+    verify,
+    register,
+    attest,
+    CreduEntError
+)
+
+try:
+    # 1. Generate a new Ed25519 keypair
+    private_key_pem, public_key_str = generate_keys()
+    print(f"Generated Public Key: {public_key_str}\n")
+
+    # 2. Sign a draft agent.json document
+    draft_document = {
+        "agent_id": "agent://creduent/reconbot",
+        "owner": "Creduent",
+        "public_key": public_key_str,
+        "endpoint": "https://api.idevsec.com/recon",
+        "capabilities": ["osint", "dns_lookup", "vulnerability_scan"]
+    }
+    
+    signed_doc = sign(draft_document, private_key_pem)
+    print("Signed agent.json:")
+    print(signed_doc)
+    print()
+
+    # 3. Verify a self-signed agent.json (from dict, URL, domain, or agent:// URI)
+    # Verification with a document dictionary
+    result = verify(signed_doc)
+    print(f"Self-Signed Verification Result (dict): {result.valid}")
+    
+    # Verification with a live agent URL
+    live_result = verify("https://api.idevsec.com/.well-known/agent.json")
+    print(f"Live Verification Result (URL): {live_result.valid}")
+    print(f"Live Agent ID: {live_result.agent_id}")
+    print(f"Live Capabilities: {live_result.capabilities}\n")
+
+    # 4. Register an agent with the Creduent registry
+    # Returns RegisterResult with success (bool), attestation (dict|None), error (str|None)
+    reg_result = register(
+        agent_id="agent://creduent/reconbot",
+        domain="api.idevsec.com",
+        agent_json_url="https://api.idevsec.com/.well-known/agent.json"
+    )
+    print(f"Registration Successful: {reg_result.success}")
+    print(f"Attestation: {reg_result.attestation}\n")
+
+    # 5. Fetch and validate an active attestation for an agent
+    # Returns AttestResult with attested (bool), level (str), issued_at, expires_at, error (str|None)
+    attest_result = attest("agent://creduent/reconbot")
+    print(f"Is Attested: {attest_result.attested}")
+    print(f"Attestation Level: {attest_result.level}")
+    print(f"Issued At: {attest_result.issued_at}")
+    print(f"Expires At: {attest_result.expires_at}\n")
+
+except CreduEntError as e:
+    print(f"Creduent Protocol Error occurred: {e}")
+```
+
+## Protocol Specification
+
+For full information on the cryptographic standards, JCS canonicalization, and the federated verification workflows, read the complete [Creduent Protocol Specification](https://github.com/cyberfascinate/creduent).

creduent-0.1.0/creduent.egg-info/SOURCES.txt

@@ -0,0 +1,18 @@
+README.md
+pyproject.toml
+setup.py
+creduent/__init__.py
+creduent/attest.py
+creduent/crypto.py
+creduent/exceptions.py
+creduent/register.py
+creduent/sign.py
+creduent/utils.py
+creduent/verify.py
+creduent.egg-info/PKG-INFO
+creduent.egg-info/SOURCES.txt
+creduent.egg-info/dependency_links.txt
+creduent.egg-info/entry_points.txt
+creduent.egg-info/requires.txt
+creduent.egg-info/top_level.txt
+tests/test_sdk.py

creduent-0.1.0/creduent.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

creduent-0.1.0/creduent.egg-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+creduent-sign = creduent.sign:main
+creduent-verify = creduent.verify:main

creduent-0.1.0/creduent.egg-info/requires.txt

@@ -0,0 +1,4 @@
+cryptography
+requests
+jcs
+fastapi

creduent-0.1.0/creduent.egg-info/top_level.txt

@@ -0,0 +1 @@
+creduent

creduent-0.1.0/pyproject.toml

@@ -0,0 +1,30 @@
+[build-system]
+requires = ["setuptools>=61.0.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "creduent"
+version = "0.1.0"
+description = "Creduent Protocol SDK — cryptographic identity for AI agents"
+readme = "README.md"
+requires-python = ">=3.10"
+license = {text = "MIT"}
+classifiers = [
+    "Programming Language :: Python :: 3",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: OS Independent",
+]
+dependencies = [
+    "cryptography",
+    "requests",
+    "jcs",
+    "fastapi",
+]
+
+[project.scripts]
+creduent-sign = "creduent.sign:main"
+creduent-verify = "creduent.verify:main"
+
+[tool.setuptools.packages.find]
+where = ["."]
+include = ["creduent*"]

creduent-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

creduent-0.1.0/setup.py

@@ -0,0 +1,19 @@
+from setuptools import setup, find_packages
+
+setup(
+    name="creduent",
+    version="0.1.0",
+    packages=find_packages(),
+    install_requires=[
+        "cryptography",
+        "requests",
+        "jcs",
+        "fastapi",
+    ],
+    entry_points={
+        "console_scripts": [
+            "creduent-sign=creduent.sign:main",
+            "creduent-verify=creduent.verify:main",
+        ]
+    }
+)

creduent-0.1.0/tests/test_sdk.py

@@ -0,0 +1,116 @@
+import os
+import sys
+import unittest
+import base64
+from cryptography.hazmat.primitives.asymmetric import ed25519
+
+# Add the sdk/ folder to path so we can import creduent directly
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
+
+from creduent import (
+    generate_keys,
+    sign,
+    verify,
+    attest,
+    VerificationError,
+    AttestationError
+)
+
+class TestCreduentSDK(unittest.TestCase):
+    
+    def test_generate_keys(self):
+        """1. generate_keys() returns valid PEM + ed25519 prefixed public key"""
+        private_key_pem, public_key_str = generate_keys()
+        
+        # Verify private key is PEM format
+        self.assertTrue(private_key_pem.startswith("-----BEGIN PRIVATE KEY-----"))
+        self.assertTrue(private_key_pem.strip().endswith("-----END PRIVATE KEY-----"))
+        
+        # Verify public key format
+        self.assertTrue(public_key_str.startswith("ed25519:"))
+        pk_b64 = public_key_str.split(":", 1)[1]
+        
+        # Verify it can be base64 decoded
+        pk_bytes = base64.b64decode(pk_b64)
+        self.assertEqual(len(pk_bytes), 32)
+        
+    def test_sign_document(self):
+        """2. sign() produces a dict with a valid signature field"""
+        private_key_pem, public_key_str = generate_keys()
+        
+        draft = {
+            "agent_id": "agent://creduent/reconbot",
+            "owner": "Creduent",
+            "public_key": public_key_str,
+            "endpoint": "https://api.idevsec.com/recon",
+            "capabilities": ["osint", "dns_lookup", "vulnerability_scan"]
+        }
+        
+        signed_doc = sign(draft, private_key_pem)
+        
+        self.assertIn("signature", signed_doc)
+        self.assertIn("issued_at", signed_doc)
+        self.assertEqual(signed_doc["version"], "1.0")
+        
+        # Verify the signature field is non-empty base64
+        sig_b64 = signed_doc["signature"]
+        sig_bytes = base64.b64decode(sig_b64)
+        self.assertEqual(len(sig_bytes), 64)
+        
+    def test_verify_live_endpoint(self):
+        """3. verify() on the live endpoint returns valid=True"""
+        target = "https://api.idevsec.com/.well-known/agent.json"
+        try:
+            result = verify(target)
+            self.assertTrue(result.valid)
+            self.assertIsNone(result.error)
+            self.assertEqual(result.agent_id, "agent://creduent/reconbot")
+        except VerificationError as e:
+            # If the network or live endpoint is completely unreachable, skip or print warning
+            print(f"\n[WARNING] Live verification test skipped/failed due to network: {e}")
+            
+    def test_verify_tampered_dict(self):
+        """4. verify() on a tampered dict returns valid=False"""
+        private_key_pem, public_key_str = generate_keys()
+        
+        draft = {
+            "agent_id": "agent://creduent/reconbot",
+            "owner": "Creduent",
+            "public_key": public_key_str,
+            "endpoint": "https://api.idevsec.com/recon",
+            "capabilities": ["osint", "dns_lookup", "vulnerability_scan"]
+        }
+        
+        signed_doc = sign(draft, private_key_pem)
+        
+        # 4a. Verify untampered dict is valid
+        res_ok = verify(signed_doc)
+        self.assertTrue(res_ok.valid)
+        
+        # 4b. Tamper with a field
+        tampered_doc = signed_doc.copy()
+        tampered_doc["owner"] = "Not Creduent"
+        
+        res_tampered = verify(tampered_doc)
+        self.assertFalse(res_tampered.valid)
+        self.assertIsNotNone(res_tampered.error)
+        
+    def test_attest_live(self):
+        """5. attest() against https://api.idevsec.com returns a valid AttestResult"""
+        try:
+            result = attest("agent://creduent/reconbot", "https://api.idevsec.com")
+            # The agent might or might not be currently registered in the database, 
+            # but the result should be a valid AttestResult dataclass
+            self.assertIn(result.attested, [True, False])
+            if result.attested:
+                self.assertEqual(result.level, "verified")
+                self.assertIsNotNone(result.issued_at)
+                self.assertIsNotNone(result.expires_at)
+                self.assertIsNone(result.error)
+            else:
+                self.assertIsNotNone(result.error)
+        except AttestationError as e:
+            print(f"\n[WARNING] Live attestation test skipped/failed due to network: {e}")
+
+if __name__ == '__main__':
+    unittest.main()