guardledger 0.1.0__py3-none-any.whl

guardledger-0.1.0.dist-info/METADATA

@@ -0,0 +1,180 @@
+Metadata-Version: 2.4
+Name: guardledger
+Version: 0.1.0
+Summary: Sentinel — compliance-grade flight recorder + kill switch for AI agents
+Author: Itamar Meirovich
+License: Apache-2.0
+License-File: LICENSE
+Keywords: agent-governance,ai-agents,ai-security,audit,compliance,eu-ai-act,guardrails,mcp
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.11
+Requires-Dist: fastapi>=0.110
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: uvicorn>=0.29
+Provides-Extra: dev
+Requires-Dist: build>=1.0; extra == 'dev'
+Requires-Dist: httpx>=0.27; extra == 'dev'
+Requires-Dist: mcp>=1.0; extra == 'dev'
+Requires-Dist: opentelemetry-sdk>=1.20; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: ruff>=0.5; extra == 'dev'
+Provides-Extra: mcp
+Requires-Dist: mcp>=1.0; extra == 'mcp'
+Provides-Extra: otel
+Requires-Dist: opentelemetry-sdk>=1.20; extra == 'otel'
+Description-Content-Type: text/markdown
+
+# Sentinel
+
+[![CI](https://github.com/itamarmeirovichai-source/sentinel/actions/workflows/ci.yml/badge.svg)](https://github.com/itamarmeirovichai-source/sentinel/actions/workflows/ci.yml)
+[![License: Apache-2.0](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](LICENSE)
+[![Python 3.11+](https://img.shields.io/badge/python-3.11%2B-blue.svg)](pyproject.toml)
+
+**The compliance-grade flight recorder + kill switch for AI agents.**
+
+Sentinel sits between **any** AI agent (any framework) and its tools. Every action is
+checked against your policy *before* it runs, recorded into a tamper-evident
+audit trail you can replay and export as compliance evidence, and you can stop
+the agent instantly. The point is provability: knowing — and being able to
+prove — exactly what your agent did.
+
+> Status: **MVP / alpha (v0.1).** This is the narrow wedge of a larger vision (see
+> [RESEARCH.md](RESEARCH.md) and [ROADMAP.md](ROADMAP.md)). It is **not** another
+> prompt-injection filter — it leads with deterministic enforcement + provable audit.
+>
+> ⚠️ **Disclaimer.** Experimental; APIs may change; provided "as is", no warranty
+> (Apache-2.0). Compliance mappings (EU AI Act Art. 12, OWASP) are **indicative
+> engineering aids — not legal advice or a certification**. You remain responsible for
+> your own compliance and for reviewing Sentinel before relying on it in high-stakes systems.
+
+## Why
+
+Teams can't get sign-off to let agents touch high-stakes systems (trading,
+billing, prod DBs) because there's no audit-grade record of what the agent did,
+no enforcement of what it's allowed to do, and no instant stop. Regulation now
+forces the issue: **EU AI Act Article 12** mandates automatic event logging for
+high-risk systems (enforcement from **2026-08-02**). Sentinel is the layer that
+produces that evidence. Full market/competitive analysis: [RESEARCH.md](RESEARCH.md).
+
+## Core guarantees
+
+- **Default-deny** — an action with no matching allow rule is blocked.
+- **Fail-closed** — if the decision core itself errors, the action is blocked, not run.
+- **Tamper-evident** — the audit log is hash-chained; any edit/reorder/delete is detectable via `verify`.
+
+## Architecture (one glance)
+
+```
+agent ─tool_call─► Interceptor ─► KillSwitch? ─► Detector(flags) ─► Policy(default-deny)
+                                                                         │
+                              audit (hash-chained, redacted) ◄── execute / block
+```
+
+Interception is an SDK wrapper today, behind an `Interceptor` interface so an
+MCP-proxy adapter slots in later without touching the policy/audit/kill core.
+Details + threat model: [ARCHITECTURE.md](ARCHITECTURE.md).
+
+## Quickstart
+
+```bash
+python3 -m venv .venv && source .venv/bin/activate
+pip install -e ".[dev]"
+cp .env.example .env
+
+# run the tests (security-critical core is tested first)
+pytest
+
+# run the end-to-end demo (a generic agent; see DEMO.md)
+python examples/generic_agent.py        # or: sentinel demo
+
+# launch the control API + dashboard
+sentinel serve            # then open http://127.0.0.1:8787
+```
+
+> Shortcut: `make install && make test && make demo`.
+> On PyPI the package is **`guardledger`** (the `sentinel` handle is taken); the import
+> name and CLI stay `sentinel` — `pip install guardledger` → `import sentinel`.
+
+## Usage sketch
+
+```python
+from sentinel import Sentinel
+
+sentinel = Sentinel.from_files(policy="policies/starter.yaml", db="data/sentinel.db")
+
+@sentinel.guard                      # every call is checked, logged, killable
+def send_email(to: str, subject: str, body: str): ...
+
+# …or guard a whole toolset at once:
+tools = sentinel.wrap_all({"send_email": send_email, "search_web": search_web})
+
+# over-policy / killed / suspicious calls raise BlockedError and are recorded;
+# allowed calls run normally and are recorded with their outcome.
+```
+
+## Works with any agent, any framework
+
+Plain Python functions, LangChain, OpenAI Agents SDK, CrewAI, LlamaIndex, or MCP — guard
+your tools with `@sentinel.guard` / `sentinel.wrap_all(...)`, or use the MCP proxy/server.
+See [INTEGRATIONS.md](INTEGRATIONS.md). The default demo (`sentinel demo`) is a generic
+agent; [`examples/trading_agent.py`](examples/trading_agent.py) is a vertical example.
+
+## Two interceptors, one core
+
+The SDK wrapper is the default. For agents that reach tools over **MCP**, the same
+enforcement (`Sentinel.enforce`) runs behind a proxy — nothing the agent calls can
+bypass it:
+
+```python
+from sentinel import MCPProxy, SentinelMCPServer
+
+proxy = MCPProxy(sentinel, upstream=my_mcp_session)   # guard calls to upstream MCP servers
+server = SentinelMCPServer(sentinel)                  # OR expose your own tools over MCP
+server.add_tool("get_quote", get_quote)               #    with enforcement built in
+```
+
+Install the optional transports with `pip install "guardledger[mcp,otel]"`.
+
+## Operating it
+
+- **Monitor mode** — `SENTINEL_MODE=monitor` (or `Sentinel(mode="monitor")`) logs the
+  would-be verdict and **never blocks** — the kill switch still works. Deploy in front of
+  a live agent, watch, build trust, then flip to enforce. (Try `SENTINEL_MODE=monitor sentinel demo`.)
+- **Dashboard auth** — set `SENTINEL_API_TOKEN` (or let `sentinel serve` generate one);
+  mutating endpoints (kill / policy / approve) then require `Authorization: Bearer …`.
+- **Human-in-the-loop** — a `require_approval` call is parked; approve it from the
+  dashboard or `sentinel approve <id>`, and the next identical call runs exactly once.
+- **Interop** — `sentinel export --format otel` emits OpenTelemetry GenAI spans
+  (`gen_ai.*`) for Langfuse / Datadog / any OTel backend.
+- **Compliance** — `sentinel compliance --all` maps Sentinel to EU AI Act, GDPR, NIST AI
+  RMF, ISO 42001, Colorado AI Act, and SEC/FINRA with honest full/partial/none coverage
+  ([COMPLIANCE.md](COMPLIANCE.md)); `sentinel export --format art12` produces an EU AI Act
+  Article 12 record-keeping report.
+- **Housekeeping** — `sentinel gc` purges stale approvals / rate-limit state (never the audit log).
+- **Overhead** — ~0.4 ms per guarded call on a dev laptop (policy + detector + two durable
+  audit writes), well under the 20 ms target. Reproduce: `python examples/benchmark.py`.
+
+## Documents
+
+| File | What |
+|---|---|
+| [RESEARCH.md](RESEARCH.md) | Market & competitive research, wedge recommendation |
+| [PRD.md](PRD.md) | Product requirements for this MVP |
+| [ARCHITECTURE.md](ARCHITECTURE.md) | Components, data flow, threat model |
+| [DECISIONS.md](DECISIONS.md) | Decision log |
+| [INTEGRATIONS.md](INTEGRATIONS.md) | Add Sentinel to any framework (LangChain, OpenAI, CrewAI, MCP, …) |
+| [LAUNCH.md](LAUNCH.md) | The honest go-to-market plan + ready-to-post launch assets (`launch/`, `site/`) |
+| [DEMO.md](DEMO.md) | How to run the end-to-end demo |
+| [ROADMAP.md](ROADMAP.md) | What's next, and the known-limitation → feature map |
+| [SECURITY.md](SECURITY.md) | Design posture, self-check, known limitations |
+| [COMPLIANCE.md](COMPLIANCE.md) | Mapping to AI/data law (EU AI Act, GDPR, NIST, ISO 42001, Colorado, SEC/FINRA) |
+| [CHANGELOG.md](CHANGELOG.md) | Release notes |
+
+## License
+
+Apache-2.0.

guardledger-0.1.0.dist-info/RECORD

@@ -0,0 +1,26 @@
+sentinel/__init__.py,sha256=6s0UZzE1Ly3TDZrHvlv43zbyvVU1SlmPtc_GajxR00M,1224
+sentinel/api.py,sha256=zkp9Z5jveKJXYpwbCivBKbmP_9JQXBzWsqCuXb1159k,5038
+sentinel/approvals.py,sha256=fNW3cKTLnsDTIMzMMTbKUmtoS1kuaW3_9Nd6CXQPyCE,4910
+sentinel/audit.py,sha256=zjq81Bh-u6fYmcnjbgAUXDKJQybF4hDKlhMOdJ-smi8,7639
+sentinel/cli.py,sha256=ynGA1WgG1z9feQ7Q36utfxoPhasn_KXdLd4htVlnJ_o,6813
+sentinel/compliance.py,sha256=YlW7uGUuUEaVlthMMclXpVvdynvZ5TgpP_lU_KW2Xmc,3233
+sentinel/config.py,sha256=uM_mD0C-dcJAxM-eN7aVk7DnJcQJSBhIt3oHQFW2E38,1852
+sentinel/db.py,sha256=SuS_QezsUtDOL0boNfmpVCbQnF2JgUvsA_JJGra-9uM,750
+sentinel/detector.py,sha256=Wq01ca6764uI2viK75MC-orBH8RkAXQEFd0WPZEZJSM,4536
+sentinel/frameworks.py,sha256=oa5oNPifqcUH472pJNS05WpQtXT0O5UFMnbKP-IErRU,13258
+sentinel/killswitch.py,sha256=7eRRuScTc2UZTSlTr8HCaUYhInuT_qdYNvh4qpHGgEs,2078
+sentinel/mcp_proxy.py,sha256=UjUYthzbJf4IwNkGKYEDb8T2GMY3Zi3fyedNicAm-q0,2869
+sentinel/mcp_server.py,sha256=YFotaJQE797-I1mNcafFJSS2PeDQ094ZSg2p1HSwLW8,3145
+sentinel/models.py,sha256=Ct-S7QYSgmxGXSWwk3s0yj6tE5qu5LaxYicvrY3CFi8,2316
+sentinel/otel.py,sha256=FBoAWJpkvmWk5Dc0ob-daBXJErP-7rSth5jHFgiVG8Q,3051
+sentinel/policy.py,sha256=uSya438cc40M6UGpbL94UkjHcCvLU3WBjAA4M5f7fas,4861
+sentinel/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sentinel/ratelimit.py,sha256=kMerTgWdjkLsmntLcp4W8ttIG66yGu2i6lYBisAlaeQ,1964
+sentinel/redaction.py,sha256=JyW00eXEQR1FBg3S2_I7-IpteJ2QGRmNXr0sm8UeosU,1769
+sentinel/sentinel.py,sha256=BwcqpEtopbNp6X8ZDIZTuJMmgSDHVE9tWiWflNKD2MI,8507
+sentinel/dashboard/index.html,sha256=-Fhzs6ou0PX4PkHErI5cbJQ3e3LL0-24Zc2s-KvvTPs,9008
+guardledger-0.1.0.dist-info/METADATA,sha256=yx_3EXIIpl9HeEzXmxZw98H6eGZCeHHp587ytv0Jvo0,8399
+guardledger-0.1.0.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+guardledger-0.1.0.dist-info/entry_points.txt,sha256=ocLIRMq9Ouq9WNyGxm5wf_4S_Lg_L_FA3jBcXo9o2kw,47
+guardledger-0.1.0.dist-info/licenses/LICENSE,sha256=bumBeFxE99gYKvJrs76oaJk2nsk4qLh0TLAoKYU46Ls,9446
+guardledger-0.1.0.dist-info/RECORD,,

guardledger-0.1.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.30.1
+Root-Is-Purelib: true
+Tag: py3-none-any

guardledger-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+sentinel = sentinel.cli:main

guardledger-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,173 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or Derivative
+          Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or agreed
+      to in writing, Licensor provides the Work (and each Contributor
+      provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES
+      OR CONDITIONS OF ANY KIND, either express or implied, including,
+      without limitation, any warranties or conditions of TITLE,
+      NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR
+      PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Itamar Meirovich
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

sentinel/__init__.py

@@ -0,0 +1,53 @@
+"""Sentinel — compliance-grade flight recorder + kill switch for AI agents.
+
+Typical use:
+
+    from sentinel import Sentinel
+    s = Sentinel.from_files(policy="policies/example.yaml", db="data/sentinel.db")
+
+    @s.guard
+    def place_order(symbol: str, amount: float): ...
+"""
+
+from sentinel.approvals import Approvals
+from sentinel.audit import AuditLog, VerifyResult
+from sentinel.detector import Detector
+from sentinel.killswitch import KillSwitch
+from sentinel.mcp_proxy import AsyncMCPProxy, MCPProxy
+from sentinel.mcp_server import SentinelMCPServer
+from sentinel.models import (
+    AuditRecord,
+    CheckResult,
+    Decision,
+    Flag,
+    Status,
+    ToolCall,
+)
+from sentinel.policy import Policy, PolicyResult
+from sentinel.ratelimit import SqliteRateLimiter
+from sentinel.sentinel import BlockedError, Sentinel
+
+__version__ = "0.1.0"
+
+__all__ = [
+    "Sentinel",
+    "BlockedError",
+    "MCPProxy",
+    "AsyncMCPProxy",
+    "SentinelMCPServer",
+    "Policy",
+    "PolicyResult",
+    "AuditLog",
+    "VerifyResult",
+    "KillSwitch",
+    "Detector",
+    "Approvals",
+    "SqliteRateLimiter",
+    "ToolCall",
+    "Decision",
+    "Status",
+    "Flag",
+    "CheckResult",
+    "AuditRecord",
+    "__version__",
+]

sentinel/api.py

@@ -0,0 +1,126 @@
+"""Minimal control plane: a FastAPI app exposing the audit trail, integrity check,
+policy, approvals, and the kill switch — plus a single-page dashboard.
+
+The API and any running agent share state through the SQLite DB, so hitting KILL in
+the dashboard genuinely stops a separate agent process on its next guarded call.
+
+Auth: if `config.api_token` is set, every *mutating* endpoint (kill/unkill/policy/
+approve) requires `Authorization: Bearer <token>`. Read endpoints stay open (intended
+for a localhost bind). `sentinel serve` auto-generates a token if none is configured.
+"""
+from __future__ import annotations
+
+import os
+import secrets
+from collections import Counter
+from typing import Optional
+
+from fastapi import Body, Depends, FastAPI, Header, HTTPException
+from fastapi.responses import HTMLResponse
+
+from sentinel.approvals import Approvals
+from sentinel.audit import AuditLog
+from sentinel.config import Config
+from sentinel.killswitch import KillSwitch
+from sentinel.policy import Policy
+
+_DASHBOARD_FILE = os.path.join(os.path.dirname(__file__), "dashboard", "index.html")
+
+
+def create_app(config: Optional[Config] = None) -> FastAPI:
+    cfg = config or Config.from_env()
+    app = FastAPI(title="Sentinel Control Plane", version="0.1.0")
+    audit = AuditLog(cfg.db_path, redact_keys=cfg.redact_keys)
+    killswitch = KillSwitch(cfg.db_path)
+    approvals = Approvals(cfg.db_path)
+
+    def require_token(authorization: str = Header(default="")) -> None:
+        if not cfg.api_token:
+            return  # auth disabled
+        if not secrets.compare_digest(authorization, f"Bearer {cfg.api_token}"):
+            raise HTTPException(status_code=401, detail="missing or invalid control token")
+
+    auth = [Depends(require_token)]
+    read_auth = auth if cfg.protect_reads else []
+
+    @app.get("/", response_class=HTMLResponse)
+    def dashboard() -> HTMLResponse:
+        with open(_DASHBOARD_FILE, "r", encoding="utf-8") as fh:
+            return HTMLResponse(fh.read())
+
+    @app.get("/api/status", dependencies=read_auth)
+    def status() -> dict:
+        v = audit.verify()
+        recs = audit.records()
+        return {
+            "integrity": {"ok": v.ok, "first_bad_seq": v.first_bad_seq, "message": v.message},
+            "killswitch": killswitch.status(),
+            "total_actions": len(recs),
+            "by_status": dict(Counter(r.status for r in recs)),
+            "by_decision": dict(Counter(r.decision for r in recs)),
+            "pending_approvals": len(approvals.pending()),
+            "auth_required": bool(cfg.api_token),
+        }
+
+    @app.get("/api/actions", dependencies=read_auth)
+    def actions(limit: int = 100) -> list:
+        recs = audit.records()[-limit:]
+        return [r.__dict__ for r in reversed(recs)]
+
+    @app.get("/api/verify", dependencies=read_auth)
+    def verify() -> dict:
+        v = audit.verify()
+        return {"ok": v.ok, "first_bad_seq": v.first_bad_seq, "message": v.message}
+
+    @app.get("/api/export", dependencies=read_auth)
+    def export() -> dict:
+        return audit.export()
+
+    @app.get("/api/approvals", dependencies=read_auth)
+    def list_approvals() -> list:
+        return approvals.pending()
+
+    @app.get("/api/policy", dependencies=read_auth)
+    def get_policy() -> dict:
+        try:
+            with open(cfg.policy_path, "r", encoding="utf-8") as fh:
+                text = fh.read()
+        except FileNotFoundError:
+            text = ""
+        return {"path": cfg.policy_path, "yaml": text}
+
+    @app.put("/api/policy", dependencies=auth)
+    def put_policy(payload: dict = Body(...)) -> dict:
+        text = payload.get("yaml", "")
+        try:
+            Policy.from_yaml(text)  # validate before persisting
+        except Exception as exc:  # surface parse error to the caller
+            raise HTTPException(status_code=400, detail=f"invalid policy: {exc}") from exc
+        with open(cfg.policy_path, "w", encoding="utf-8") as fh:
+            fh.write(text)
+        return {"ok": True}
+
+    @app.post("/api/kill", dependencies=auth)
+    def kill(payload: dict = Body(default={})) -> dict:
+        scope = payload.get("scope", "*")
+        reason = payload.get("reason", "killed via dashboard")
+        killswitch.arm(scope, reason=reason)
+        return {"ok": True, "killswitch": killswitch.status()}
+
+    @app.post("/api/unkill", dependencies=auth)
+    def unkill(payload: dict = Body(default={})) -> dict:
+        scope = payload.get("scope", "*")
+        killswitch.disarm(scope)
+        return {"ok": True, "killswitch": killswitch.status()}
+
+    @app.post("/api/approve", dependencies=auth)
+    def approve(payload: dict = Body(...)) -> dict:
+        approval_id = payload.get("id")
+        if not approval_id:
+            raise HTTPException(status_code=400, detail="missing approval id")
+        ok = approvals.approve(approval_id, by=payload.get("by", "dashboard"))
+        if not ok:
+            raise HTTPException(status_code=404, detail="no such pending approval")
+        return {"ok": True}
+
+    return app