datacules-agent-identity 0.3.3__tar.gz

datacules_agent_identity-0.3.3/PKG-INFO

@@ -0,0 +1,89 @@
+Metadata-Version: 2.4
+Name: datacules-agent-identity
+Version: 0.3.3
+Summary: Python SDK for the agent-identity credential routing sidecar — by Datacules LLC
+Author-email: Datacules LLC <harshalrasal792@gmail.com>
+License: MIT
+Project-URL: Homepage, https://github.com/hvrcharon1/agent-identity
+Project-URL: Repository, https://github.com/hvrcharon1/agent-identity
+Project-URL: Documentation, https://github.com/hvrcharon1/agent-identity/tree/main/packages/python-sdk
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+Provides-Extra: dev
+Requires-Dist: pytest; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
+
+# agent-identity Python SDK
+
+Pure-Python client for the `agent-identity` sidecar. No Node.js required.
+
+## Install
+
+```bash
+pip install agent-identity
+```
+
+## Usage
+
+```python
+from agent_identity import AgentIdentityClient
+from datetime import datetime, timezone
+
+client = AgentIdentityClient(base_url="http://localhost:3001")
+
+# Resolve a credential for a single agent request
+resolved = client.resolve({
+    "userId": "user-abc",
+    "resourceId": "crm-db",
+    "resourceKind": "shared",
+    "provider": "anthropic",
+    "model": "claude-sonnet-4-20250514",
+    "action": "read",
+    "traceId": "trace-xyz",
+    "requestedAt": datetime.now(timezone.utc).isoformat(),
+})
+print(resolved["resolvedFor"])  # 'service' or userId
+
+# Resolve source + target credentials for a migration phase
+pair = client.resolve_migration({
+    "migrationId": "migration-2026-q2",
+    "phase": "load",
+    "sourceResourceId": "crm-postgres-prod",
+    "targetResourceId": "crm-postgres-v2",
+    "userId": "svc-migration-bot",
+    "provider": "anthropic",
+    "model": "claude-sonnet-4-20250514",
+    "traceId": "trace-abc123",
+    "dryRun": False,
+})
+print(pair["expiresAt"])  # ISO 8601 or None
+```
+
+## LangChain integration
+
+```python
+from langchain_anthropic import ChatAnthropic
+from agent_identity import AgentIdentityClient
+
+client = AgentIdentityClient()
+resolved = client.resolve({...})
+
+# resolved["resolvedFor"] is safe to log; the raw API key stays on the server
+llm = ChatAnthropic(model="claude-sonnet-4-20250514")
+# The sidecar injects the API key server-side when you call /api/resolve
+```
+
+## Error handling
+
+```python
+from agent_identity import AgentIdentityClient, NoCredentialError, ValidationError
+
+try:
+    result = client.resolve(ctx)
+except NoCredentialError:
+    # 403 — no routing rule matched this context
+    ...
+except ValidationError as e:
+    # 400 — bad request body
+    print(e)
+```

datacules_agent_identity-0.3.3/README.md

@@ -0,0 +1,74 @@
+# agent-identity Python SDK
+
+Pure-Python client for the `agent-identity` sidecar. No Node.js required.
+
+## Install
+
+```bash
+pip install agent-identity
+```
+
+## Usage
+
+```python
+from agent_identity import AgentIdentityClient
+from datetime import datetime, timezone
+
+client = AgentIdentityClient(base_url="http://localhost:3001")
+
+# Resolve a credential for a single agent request
+resolved = client.resolve({
+    "userId": "user-abc",
+    "resourceId": "crm-db",
+    "resourceKind": "shared",
+    "provider": "anthropic",
+    "model": "claude-sonnet-4-20250514",
+    "action": "read",
+    "traceId": "trace-xyz",
+    "requestedAt": datetime.now(timezone.utc).isoformat(),
+})
+print(resolved["resolvedFor"])  # 'service' or userId
+
+# Resolve source + target credentials for a migration phase
+pair = client.resolve_migration({
+    "migrationId": "migration-2026-q2",
+    "phase": "load",
+    "sourceResourceId": "crm-postgres-prod",
+    "targetResourceId": "crm-postgres-v2",
+    "userId": "svc-migration-bot",
+    "provider": "anthropic",
+    "model": "claude-sonnet-4-20250514",
+    "traceId": "trace-abc123",
+    "dryRun": False,
+})
+print(pair["expiresAt"])  # ISO 8601 or None
+```
+
+## LangChain integration
+
+```python
+from langchain_anthropic import ChatAnthropic
+from agent_identity import AgentIdentityClient
+
+client = AgentIdentityClient()
+resolved = client.resolve({...})
+
+# resolved["resolvedFor"] is safe to log; the raw API key stays on the server
+llm = ChatAnthropic(model="claude-sonnet-4-20250514")
+# The sidecar injects the API key server-side when you call /api/resolve
+```
+
+## Error handling
+
+```python
+from agent_identity import AgentIdentityClient, NoCredentialError, ValidationError
+
+try:
+    result = client.resolve(ctx)
+except NoCredentialError:
+    # 403 — no routing rule matched this context
+    ...
+except ValidationError as e:
+    # 400 — bad request body
+    print(e)
+```

datacules_agent_identity-0.3.3/agent_identity/__init__.py

@@ -0,0 +1,213 @@
+"""
+agent_identity — Python SDK for the agent-identity credential routing sidecar
+
+Installation:
+    pip install datacules-agent-identity
+    # or directly:
+    pip install git+https://github.com/hvrcharon1/agent-identity.git#subdirectory=packages/python-sdk
+
+Usage:
+    from agent_identity import AgentIdentityClient
+    from datetime import datetime, timezone
+
+    client = AgentIdentityClient(base_url="http://localhost:3001")
+
+    resolved = client.resolve({
+        "userId": "user-abc",
+        "resourceId": "crm-db",
+        "resourceKind": "shared",
+        "provider": "anthropic",
+        "model": "claude-sonnet-4-20250514",
+        "action": "read",
+        "traceId": "trace-xyz",
+        "requestedAt": datetime.now(timezone.utc).isoformat(),
+    })
+
+    pair = client.resolve_migration({
+        "migrationId": "migration-2026-q2",
+        "phase": "load",
+        "sourceResourceId": "crm-postgres-prod",
+        "targetResourceId": "crm-postgres-v2",
+        "userId": "svc-migration-bot",
+        "provider": "anthropic",
+        "model": "claude-sonnet-4-20250514",
+        "traceId": "trace-abc123",
+        "dryRun": False,
+    })
+"""
+
+from __future__ import annotations
+
+import json
+from datetime import datetime, timezone
+from typing import Any, Dict, Literal, Optional, TypedDict
+
+try:
+    import urllib.request as _urllib
+except ImportError:  # pragma: no cover
+    raise RuntimeError("agent-identity requires Python 3.8+")
+
+
+# ─── Type aliases ────────────────────────────────────────────────────────────────────
+
+ResourceKind  = Literal["shared", "personal"]
+SupportedProvider = Literal["openai", "anthropic", "gemini", "mistral", "local"]
+MigrationPhase = Literal["dry-run", "extract", "transform", "load", "verify", "rollback"]
+
+
+class AgentRequestContext(TypedDict, total=False):
+    userId: str           # required
+    resourceId: str       # required
+    resourceKind: ResourceKind  # required
+    provider: SupportedProvider  # required
+    model: str            # required
+    action: str           # required
+    traceId: str          # required
+    requestedAt: str      # required (ISO 8601)
+    sessionId: str        # optional
+    parentTraceId: str    # optional
+
+
+class MigrateResolveRequest(TypedDict, total=False):
+    migrationId: str      # required
+    phase: MigrationPhase  # required
+    sourceResourceId: str  # required
+    targetResourceId: str  # required
+    userId: str           # required
+    provider: SupportedProvider  # required
+    model: str            # required
+    traceId: str          # required
+    dryRun: bool          # optional, default False
+    batchIndex: int       # optional
+    totalBatches: int     # optional
+
+
+class ResolveResponse(TypedDict):
+    ok: bool
+    resolvedFor: str
+    expiresAt: Optional[str]
+
+
+class MigrateResolveResponse(TypedDict):
+    migrationId: str
+    phase: MigrationPhase
+    sourceResolvedFor: str
+    targetResolvedFor: str
+    dryRun: bool
+    expiresAt: Optional[str]
+
+
+# ─── Exceptions ───────────────────────────────────────────────────────────────────
+
+class AgentIdentityError(Exception):
+    """Base exception for all agent-identity SDK errors."""
+    def __init__(self, message: str, status_code: Optional[int] = None) -> None:
+        super().__init__(message)
+        self.status_code = status_code
+
+
+class NoCredentialError(AgentIdentityError):
+    """Raised when the server returns 403 — no routing rule matched."""
+
+
+class ValidationError(AgentIdentityError):
+    """Raised when the server returns 400 — invalid request body."""
+
+
+# ─── Client ────────────────────────────────────────────────────────────────────────
+
+class AgentIdentityClient:
+    """
+    Thin HTTP client for the agent-identity sidecar.
+    No Node.js required — pure Python 3.8+ stdlib.
+
+    Args:
+        base_url: URL of the running sidecar, e.g. 'http://localhost:3001'
+        timeout:  Request timeout in seconds (default 10)
+    """
+
+    def __init__(self, base_url: str = "http://localhost:3001", timeout: int = 10) -> None:
+        self.base_url = base_url.rstrip("/")
+        self.timeout = timeout
+
+    # ─── Public API ────────────────────────────────────────────────────────────────────
+
+    def resolve(self, ctx: AgentRequestContext) -> ResolveResponse:
+        """
+        Resolve the best credential for a single agent request.
+
+        Args:
+            ctx: AgentRequestContext dict — all required fields must be present.
+                 If 'requestedAt' is omitted, the current UTC time is used.
+
+        Returns:
+            ResolveResponse with resolvedFor and optional expiresAt.
+
+        Raises:
+            ValidationError:    Server returned 400 (missing/invalid field).
+            NoCredentialError:  Server returned 403 (no rule matched).
+            AgentIdentityError: Any other HTTP error.
+        """
+        if "requestedAt" not in ctx:
+            ctx = {**ctx, "requestedAt": datetime.now(timezone.utc).isoformat()}  # type: ignore[assignment]
+        return self._post("/api/resolve", ctx)  # type: ignore[return-value]
+
+    def resolve_migration(
+        self, request: MigrateResolveRequest
+    ) -> MigrateResolveResponse:
+        """
+        Resolve source + target credentials for a migration phase.
+
+        Call once at the start of each phase. The returned expiresAt lets
+        the agent decide when to re-call before the batch loop ends.
+
+        Args:
+            request: MigrateResolveRequest dict.
+
+        Returns:
+            MigrateResolveResponse with sourceResolvedFor, targetResolvedFor,
+            and optional expiresAt (earliest of the two credentials).
+        """
+        if "dryRun" not in request:
+            request = {**request, "dryRun": False}  # type: ignore[assignment]
+        return self._post("/api/migrate/resolve", request)  # type: ignore[return-value]
+
+    def health(self) -> bool:
+        """Returns True if the sidecar is reachable and healthy."""
+        try:
+            self._post("/api/health", {}, method="GET")
+            return True
+        except AgentIdentityError:
+            return False
+        except Exception:  # noqa: BLE001
+            return False
+
+    # ─── Internal ──────────────────────────────────────────────────────────────────────
+
+    def _post(self, path: str, body: Dict[str, Any], method: str = "POST") -> Any:
+        url = f"{self.base_url}{path}"
+        data = json.dumps(body).encode("utf-8")
+        req = _urllib.Request(
+            url,
+            data=data if method == "POST" else None,
+            headers={"Content-Type": "application/json", "Accept": "application/json"},
+            method=method,
+        )
+        try:
+            with _urllib.urlopen(req, timeout=self.timeout) as resp:
+                return json.loads(resp.read().decode("utf-8"))
+        except _urllib.HTTPError as e:
+            status = e.code
+            try:
+                error_body = json.loads(e.read().decode("utf-8"))
+                message = error_body.get("error", str(e))
+            except Exception:  # noqa: BLE001
+                message = str(e)
+
+            if status == 400:
+                raise ValidationError(message, status_code=status) from e
+            if status == 403:
+                raise NoCredentialError(message, status_code=status) from e
+            raise AgentIdentityError(message, status_code=status) from e
+        except Exception as e:
+            raise AgentIdentityError(f"Request failed: {e}") from e

datacules_agent_identity-0.3.3/datacules_agent_identity.egg-info/PKG-INFO

@@ -0,0 +1,89 @@
+Metadata-Version: 2.4
+Name: datacules-agent-identity
+Version: 0.3.3
+Summary: Python SDK for the agent-identity credential routing sidecar — by Datacules LLC
+Author-email: Datacules LLC <harshalrasal792@gmail.com>
+License: MIT
+Project-URL: Homepage, https://github.com/hvrcharon1/agent-identity
+Project-URL: Repository, https://github.com/hvrcharon1/agent-identity
+Project-URL: Documentation, https://github.com/hvrcharon1/agent-identity/tree/main/packages/python-sdk
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+Provides-Extra: dev
+Requires-Dist: pytest; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
+
+# agent-identity Python SDK
+
+Pure-Python client for the `agent-identity` sidecar. No Node.js required.
+
+## Install
+
+```bash
+pip install agent-identity
+```
+
+## Usage
+
+```python
+from agent_identity import AgentIdentityClient
+from datetime import datetime, timezone
+
+client = AgentIdentityClient(base_url="http://localhost:3001")
+
+# Resolve a credential for a single agent request
+resolved = client.resolve({
+    "userId": "user-abc",
+    "resourceId": "crm-db",
+    "resourceKind": "shared",
+    "provider": "anthropic",
+    "model": "claude-sonnet-4-20250514",
+    "action": "read",
+    "traceId": "trace-xyz",
+    "requestedAt": datetime.now(timezone.utc).isoformat(),
+})
+print(resolved["resolvedFor"])  # 'service' or userId
+
+# Resolve source + target credentials for a migration phase
+pair = client.resolve_migration({
+    "migrationId": "migration-2026-q2",
+    "phase": "load",
+    "sourceResourceId": "crm-postgres-prod",
+    "targetResourceId": "crm-postgres-v2",
+    "userId": "svc-migration-bot",
+    "provider": "anthropic",
+    "model": "claude-sonnet-4-20250514",
+    "traceId": "trace-abc123",
+    "dryRun": False,
+})
+print(pair["expiresAt"])  # ISO 8601 or None
+```
+
+## LangChain integration
+
+```python
+from langchain_anthropic import ChatAnthropic
+from agent_identity import AgentIdentityClient
+
+client = AgentIdentityClient()
+resolved = client.resolve({...})
+
+# resolved["resolvedFor"] is safe to log; the raw API key stays on the server
+llm = ChatAnthropic(model="claude-sonnet-4-20250514")
+# The sidecar injects the API key server-side when you call /api/resolve
+```
+
+## Error handling
+
+```python
+from agent_identity import AgentIdentityClient, NoCredentialError, ValidationError
+
+try:
+    result = client.resolve(ctx)
+except NoCredentialError:
+    # 403 — no routing rule matched this context
+    ...
+except ValidationError as e:
+    # 400 — bad request body
+    print(e)
+```

datacules_agent_identity-0.3.3/datacules_agent_identity.egg-info/SOURCES.txt

@@ -0,0 +1,9 @@
+README.md
+pyproject.toml
+agent_identity/__init__.py
+datacules_agent_identity.egg-info/PKG-INFO
+datacules_agent_identity.egg-info/SOURCES.txt
+datacules_agent_identity.egg-info/dependency_links.txt
+datacules_agent_identity.egg-info/requires.txt
+datacules_agent_identity.egg-info/top_level.txt
+tests/test_client.py

datacules_agent_identity-0.3.3/datacules_agent_identity.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

datacules_agent_identity-0.3.3/datacules_agent_identity.egg-info/requires.txt

@@ -0,0 +1,4 @@
+
+[dev]
+pytest
+pytest-cov

datacules_agent_identity-0.3.3/datacules_agent_identity.egg-info/top_level.txt

@@ -0,0 +1 @@
+agent_identity

datacules_agent_identity-0.3.3/pyproject.toml

@@ -0,0 +1,26 @@
+[build-system]
+requires = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "datacules-agent-identity"
+version = "0.3.3"
+description = "Python SDK for the agent-identity credential routing sidecar — by Datacules LLC"
+authors = [{name = "Datacules LLC", email = "harshalrasal792@gmail.com"}]
+license = {text = "MIT"}
+readme = "README.md"
+requires-python = ">=3.8"
+# Zero runtime dependencies — pure Python stdlib
+dependencies = []
+
+[project.optional-dependencies]
+dev = ["pytest", "pytest-cov"]
+
+[project.urls]
+Homepage = "https://github.com/hvrcharon1/agent-identity"
+Repository = "https://github.com/hvrcharon1/agent-identity"
+Documentation = "https://github.com/hvrcharon1/agent-identity/tree/main/packages/python-sdk"
+
+[tool.setuptools.packages.find]
+where = ["."]
+include = ["agent_identity*"]

datacules_agent_identity-0.3.3/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

datacules_agent_identity-0.3.3/tests/test_client.py

@@ -0,0 +1,261 @@
+"""
+pytest suite for agent_identity.AgentIdentityClient.
+
+All HTTP calls are intercepted via unittest.mock so no live server is needed.
+The SDK imports urllib.request as _urllib (a module-level alias), so the
+correct patch target is urllib.request.urlopen — patching the real module
+in-place so every call through _urllib is intercepted regardless of alias.
+"""
+
+from __future__ import annotations
+
+import json
+import unittest
+from io import BytesIO
+from unittest.mock import MagicMock, patch
+
+from agent_identity import (
+    AgentIdentityClient,
+    AgentIdentityError,
+    NoCredentialError,
+    ValidationError,
+)
+
+
+# ─── Helpers ─────────────────────────────────────────────────────────────────
+
+def _make_response(body: dict, status: int = 200) -> MagicMock:
+    """Build a fake urllib response context-manager."""
+    raw = json.dumps(body).encode()
+    mock_resp = MagicMock()
+    mock_resp.read.return_value = raw
+    mock_resp.status = status
+    mock_resp.__enter__ = lambda s: s
+    mock_resp.__exit__ = MagicMock(return_value=False)
+    return mock_resp
+
+
+def _make_http_error(body: dict, code: int):
+    """Build a fake urllib.error.HTTPError."""
+    import urllib.error
+    raw = json.dumps(body).encode()
+    err = urllib.error.HTTPError(
+        url="http://localhost:3001/api/resolve",
+        code=code,
+        msg="Error",
+        hdrs=None,  # type: ignore[arg-type]
+        fp=BytesIO(raw),
+    )
+    return err
+
+
+MINIMAL_CTX = {
+    "userId": "user-1",
+    "resourceId": "kb-1",
+    "resourceKind": "personal",
+    "provider": "anthropic",
+    "model": "claude-sonnet-4-20250514",
+    "action": "read",
+    "traceId": "trace-001",
+    "requestedAt": "2026-05-27T00:00:00+00:00",
+}
+
+MINIMAL_MIGRATION = {
+    "migrationId": "mig-001",
+    "phase": "load",
+    "sourceResourceId": "pg-v1",
+    "targetResourceId": "pg-v2",
+    "userId": "svc-bot",
+    "provider": "anthropic",
+    "model": "claude-sonnet-4-20250514",
+    "traceId": "trace-mig-001",
+    "dryRun": False,
+}
+
+
+# ─── Tests ───────────────────────────────────────────────────────────────────
+
+class TestAgentIdentityClientInit(unittest.TestCase):
+    def test_trailing_slash_stripped(self):
+        client = AgentIdentityClient(base_url="http://localhost:3001/")
+        self.assertEqual(client.base_url, "http://localhost:3001")
+
+    def test_default_base_url(self):
+        client = AgentIdentityClient()
+        self.assertEqual(client.base_url, "http://localhost:3001")
+
+    def test_custom_timeout(self):
+        client = AgentIdentityClient(timeout=30)
+        self.assertEqual(client.timeout, 30)
+
+
+class TestResolve(unittest.TestCase):
+    def setUp(self):
+        self.client = AgentIdentityClient()
+
+    @patch("urllib.request.urlopen")
+    def test_resolve_success(self, mock_urlopen):
+        expected = {"ok": True, "resolvedFor": "user-1", "expiresAt": None}
+        mock_urlopen.return_value = _make_response(expected)
+
+        result = self.client.resolve(MINIMAL_CTX)
+
+        self.assertEqual(result["resolvedFor"], "user-1")
+        self.assertTrue(result["ok"])
+        mock_urlopen.assert_called_once()
+
+    @patch("urllib.request.urlopen")
+    def test_resolve_auto_injects_requested_at(self, mock_urlopen):
+        """resolve() must add requestedAt when the caller omits it."""
+        ctx_without_ts = {k: v for k, v in MINIMAL_CTX.items() if k != "requestedAt"}
+        expected = {"ok": True, "resolvedFor": "user-1", "expiresAt": None}
+        mock_urlopen.return_value = _make_response(expected)
+
+        self.client.resolve(ctx_without_ts)  # type: ignore[arg-type]
+
+        call_args = mock_urlopen.call_args
+        request_obj = call_args[0][0]
+        sent_body = json.loads(request_obj.data.decode())
+        self.assertIn("requestedAt", sent_body)
+
+    @patch("urllib.request.urlopen")
+    def test_resolve_no_credential_raises(self, mock_urlopen):
+        mock_urlopen.side_effect = _make_http_error({"error": "No credential resolved"}, 403)
+
+        with self.assertRaises(NoCredentialError) as cm:
+            self.client.resolve(MINIMAL_CTX)
+
+        self.assertEqual(cm.exception.status_code, 403)
+        self.assertIn("No credential resolved", str(cm.exception))
+
+    @patch("urllib.request.urlopen")
+    def test_resolve_validation_error_raises(self, mock_urlopen):
+        mock_urlopen.side_effect = _make_http_error({"error": "Missing required field: userId"}, 400)
+
+        with self.assertRaises(ValidationError) as cm:
+            self.client.resolve(MINIMAL_CTX)
+
+        self.assertEqual(cm.exception.status_code, 400)
+
+    @patch("urllib.request.urlopen")
+    def test_resolve_server_error_raises(self, mock_urlopen):
+        mock_urlopen.side_effect = _make_http_error({"error": "Internal server error"}, 500)
+
+        with self.assertRaises(AgentIdentityError) as cm:
+            self.client.resolve(MINIMAL_CTX)
+
+        self.assertEqual(cm.exception.status_code, 500)
+
+    @patch("urllib.request.urlopen")
+    def test_resolve_network_failure_raises(self, mock_urlopen):
+        import urllib.error
+        mock_urlopen.side_effect = urllib.error.URLError("Connection refused")
+
+        with self.assertRaises(AgentIdentityError) as cm:
+            self.client.resolve(MINIMAL_CTX)
+
+        self.assertIsNone(cm.exception.status_code)
+
+    @patch("urllib.request.urlopen")
+    def test_resolve_returns_expires_at(self, mock_urlopen):
+        expected = {
+            "ok": True,
+            "resolvedFor": "user-1",
+            "expiresAt": "2026-05-27T01:00:00+00:00",
+        }
+        mock_urlopen.return_value = _make_response(expected)
+
+        result = self.client.resolve(MINIMAL_CTX)
+
+        self.assertEqual(result["expiresAt"], "2026-05-27T01:00:00+00:00")
+
+
+class TestResolveMigration(unittest.TestCase):
+    def setUp(self):
+        self.client = AgentIdentityClient()
+
+    @patch("urllib.request.urlopen")
+    def test_resolve_migration_success(self, mock_urlopen):
+        expected = {
+            "migrationId": "mig-001",
+            "phase": "load",
+            "sourceResolvedFor": "service",
+            "targetResolvedFor": "service",
+            "dryRun": False,
+            "expiresAt": None,
+        }
+        mock_urlopen.return_value = _make_response(expected)
+
+        result = self.client.resolve_migration(MINIMAL_MIGRATION)
+
+        self.assertEqual(result["migrationId"], "mig-001")
+        self.assertEqual(result["sourceResolvedFor"], "service")
+        mock_urlopen.assert_called_once()
+
+    @patch("urllib.request.urlopen")
+    def test_resolve_migration_injects_dry_run_false(self, mock_urlopen):
+        req_without_dry_run = {k: v for k, v in MINIMAL_MIGRATION.items() if k != "dryRun"}
+        expected = {
+            "migrationId": "mig-001",
+            "phase": "load",
+            "sourceResolvedFor": "service",
+            "targetResolvedFor": "service",
+            "dryRun": False,
+            "expiresAt": None,
+        }
+        mock_urlopen.return_value = _make_response(expected)
+
+        self.client.resolve_migration(req_without_dry_run)  # type: ignore[arg-type]
+
+        call_args = mock_urlopen.call_args
+        request_obj = call_args[0][0]
+        sent_body = json.loads(request_obj.data.decode())
+        self.assertFalse(sent_body["dryRun"])
+
+    @patch("urllib.request.urlopen")
+    def test_resolve_migration_no_credential_raises(self, mock_urlopen):
+        mock_urlopen.side_effect = _make_http_error({"error": "No credential resolved"}, 403)
+
+        with self.assertRaises(NoCredentialError):
+            self.client.resolve_migration(MINIMAL_MIGRATION)
+
+
+class TestHealth(unittest.TestCase):
+    def setUp(self):
+        self.client = AgentIdentityClient()
+
+    @patch("urllib.request.urlopen")
+    def test_health_returns_true_on_200(self, mock_urlopen):
+        mock_urlopen.return_value = _make_response({"ok": True})
+        self.assertTrue(self.client.health())
+
+    @patch("urllib.request.urlopen")
+    def test_health_returns_false_on_connection_error(self, mock_urlopen):
+        import urllib.error
+        mock_urlopen.side_effect = urllib.error.URLError("Connection refused")
+        self.assertFalse(self.client.health())
+
+    @patch("urllib.request.urlopen")
+    def test_health_returns_false_on_500(self, mock_urlopen):
+        mock_urlopen.side_effect = _make_http_error({"error": "Internal error"}, 500)
+        self.assertFalse(self.client.health())
+
+
+class TestExceptions(unittest.TestCase):
+    def test_no_credential_error_is_agent_identity_error(self):
+        err = NoCredentialError("No match", status_code=403)
+        self.assertIsInstance(err, AgentIdentityError)
+        self.assertEqual(err.status_code, 403)
+
+    def test_validation_error_is_agent_identity_error(self):
+        err = ValidationError("Bad input", status_code=400)
+        self.assertIsInstance(err, AgentIdentityError)
+        self.assertEqual(err.status_code, 400)
+
+    def test_base_error_status_code_none(self):
+        err = AgentIdentityError("Network failure")
+        self.assertIsNone(err.status_code)
+
+
+if __name__ == "__main__":
+    unittest.main()