infill-bedrock 0.3.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- infill_bedrock-0.3.0/CONTRIBUTING.md +45 -0
- infill_bedrock-0.3.0/LICENSE +57 -0
- infill_bedrock-0.3.0/MANIFEST.in +7 -0
- infill_bedrock-0.3.0/PKG-INFO +268 -0
- infill_bedrock-0.3.0/README.md +224 -0
- infill_bedrock-0.3.0/SECURITY.md +39 -0
- infill_bedrock-0.3.0/bedrock/__init__.py +10 -0
- infill_bedrock-0.3.0/bedrock/__main__.py +7 -0
- infill_bedrock-0.3.0/bedrock/access_control/__init__.py +35 -0
- infill_bedrock-0.3.0/bedrock/access_control/controller.py +523 -0
- infill_bedrock-0.3.0/bedrock/audit/__init__.py +12 -0
- infill_bedrock-0.3.0/bedrock/audit/chain.py +424 -0
- infill_bedrock-0.3.0/bedrock/cli.py +624 -0
- infill_bedrock-0.3.0/bedrock/config.py +200 -0
- infill_bedrock-0.3.0/bedrock/data_separation/__init__.py +22 -0
- infill_bedrock-0.3.0/bedrock/data_separation/anonymous_id.py +1663 -0
- infill_bedrock-0.3.0/bedrock/data_separation/consent.py +271 -0
- infill_bedrock-0.3.0/bedrock/data_separation/silo.py +168 -0
- infill_bedrock-0.3.0/bedrock/encryption/__init__.py +28 -0
- infill_bedrock-0.3.0/bedrock/encryption/aad.py +83 -0
- infill_bedrock-0.3.0/bedrock/encryption/engine.py +575 -0
- infill_bedrock-0.3.0/bedrock/encryption/legacy.py +189 -0
- infill_bedrock-0.3.0/bedrock/encryption/version.py +28 -0
- infill_bedrock-0.3.0/bedrock/health.py +179 -0
- infill_bedrock-0.3.0/bedrock/identity/__init__.py +53 -0
- infill_bedrock-0.3.0/bedrock/identity/attestation.py +383 -0
- infill_bedrock-0.3.0/bedrock/identity/capabilities.py +49 -0
- infill_bedrock-0.3.0/bedrock/identity/certificates.py +357 -0
- infill_bedrock-0.3.0/bedrock/identity/node.py +164 -0
- infill_bedrock-0.3.0/bedrock/identity/registration.py +264 -0
- infill_bedrock-0.3.0/bedrock/key_management/__init__.py +28 -0
- infill_bedrock-0.3.0/bedrock/key_management/keys.py +230 -0
- infill_bedrock-0.3.0/bedrock/key_management/rotation.py +468 -0
- infill_bedrock-0.3.0/bedrock/licensing/__init__.py +63 -0
- infill_bedrock-0.3.0/bedrock/licensing/checkout.py +250 -0
- infill_bedrock-0.3.0/bedrock/licensing/enforcement.py +530 -0
- infill_bedrock-0.3.0/bedrock/licensing/keygen.py +541 -0
- infill_bedrock-0.3.0/bedrock/licensing/webhook.py +214 -0
- infill_bedrock-0.3.0/bedrock/mesh/__init__.py +34 -0
- infill_bedrock-0.3.0/bedrock/mesh/detector.py +150 -0
- infill_bedrock-0.3.0/bedrock/mesh/healing.py +318 -0
- infill_bedrock-0.3.0/bedrock/mesh/integration.py +353 -0
- infill_bedrock-0.3.0/bedrock/mesh/router.py +240 -0
- infill_bedrock-0.3.0/bedrock/mesh/state_machine.py +156 -0
- infill_bedrock-0.3.0/bedrock/metering/__init__.py +332 -0
- infill_bedrock-0.3.0/bedrock/server/__init__.py +17 -0
- infill_bedrock-0.3.0/bedrock/server/app.py +682 -0
- infill_bedrock-0.3.0/bedrock/server/tls.py +375 -0
- infill_bedrock-0.3.0/bedrock/storage/__init__.py +11 -0
- infill_bedrock-0.3.0/bedrock/storage/persistence.py +376 -0
- infill_bedrock-0.3.0/bedrock/storage/sqlite_backend.py +289 -0
- infill_bedrock-0.3.0/bedrock/transport/__init__.py +29 -0
- infill_bedrock-0.3.0/bedrock/transport/security.py +432 -0
- infill_bedrock-0.3.0/infill_bedrock.egg-info/PKG-INFO +268 -0
- infill_bedrock-0.3.0/infill_bedrock.egg-info/SOURCES.txt +59 -0
- infill_bedrock-0.3.0/infill_bedrock.egg-info/dependency_links.txt +1 -0
- infill_bedrock-0.3.0/infill_bedrock.egg-info/entry_points.txt +2 -0
- infill_bedrock-0.3.0/infill_bedrock.egg-info/requires.txt +23 -0
- infill_bedrock-0.3.0/infill_bedrock.egg-info/top_level.txt +1 -0
- infill_bedrock-0.3.0/pyproject.toml +94 -0
- infill_bedrock-0.3.0/setup.cfg +4 -0
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
# Contributing to Bedrock
|
|
2
|
+
|
|
3
|
+
Thank you for your interest in contributing to Bedrock. This project is developed by InFill Systems, LLC under a proprietary license.
|
|
4
|
+
|
|
5
|
+
## Development Setup
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
cd core
|
|
9
|
+
pip install -e ".[dev]"
|
|
10
|
+
pytest
|
|
11
|
+
|
|
12
|
+
cd ../sdk-python
|
|
13
|
+
pip install -e ".[dev]"
|
|
14
|
+
pytest
|
|
15
|
+
|
|
16
|
+
cd ../sdk-ts
|
|
17
|
+
npm install
|
|
18
|
+
npm test
|
|
19
|
+
```
|
|
20
|
+
|
|
21
|
+
## Code Standards
|
|
22
|
+
|
|
23
|
+
- **Python 3.11+** with type hints (`mypy --strict`)
|
|
24
|
+
- **Line length**: 100 chars (black + isort)
|
|
25
|
+
- **Tests**: every feature gets tests before merge
|
|
26
|
+
- **Commit messages**: `B-XXX: Short description` format
|
|
27
|
+
|
|
28
|
+
## Pull Request Process
|
|
29
|
+
|
|
30
|
+
1. Create a feature branch from `develop`
|
|
31
|
+
2. Write tests first (TDD preferred)
|
|
32
|
+
3. Implement the feature
|
|
33
|
+
4. Ensure all tests pass: `pytest`, `npm test`
|
|
34
|
+
5. Submit PR with description referencing the build number (B-XXX)
|
|
35
|
+
6. Code review required before merge
|
|
36
|
+
|
|
37
|
+
## Security Vulnerabilities
|
|
38
|
+
|
|
39
|
+
**Do not report security issues through public GitHub issues.**
|
|
40
|
+
|
|
41
|
+
Email security@infill.systems instead. See [SECURITY.md](SECURITY.md) for details.
|
|
42
|
+
|
|
43
|
+
## License
|
|
44
|
+
|
|
45
|
+
By contributing, you agree that your contributions will be licensed under the same proprietary license as Bedrock (InFill Systems, LLC).
|
|
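Review bot: the Development Setup block (`cd core`, `cd ../sdk-python`, `cd ../sdk-ts`) assumes a monorepo layout that this sdist does not contain: the file list at the top shows only `infill_bedrock-0.3.0/bedrock/...`, with no `core/`, `sdk-python/` or `sdk-ts/` directory, so a contributor starting from the published package cannot follow these steps. Either state that the instructions apply to a checkout of `https://github.com/drc10101/bedrock` or make the paths relative to this package. Smaller point: Code Standards names `black + isort` and `mypy --strict`, but the `dev` extra in PKG-INFO also installs `ruff`; say which linter is authoritative so contributors run the same checks as CI.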
@@ -0,0 +1,57 @@
|
|
|
1
|
+
Business Source License 1.1
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2025-2026 InFill Systems, LLC
|
|
4
|
+
|
|
5
|
+
License Scope: The contents of this repository are licensed under the
|
|
6
|
+
Business Source License 1.1 (the "License"). You may not use this file
|
|
7
|
+
except in compliance with the License. You may obtain a copy of the
|
|
8
|
+
License at https://github.com/drc10101/bedrock/blob/main/LICENSE
|
|
9
|
+
|
|
10
|
+
Change Date: On or after the Change Date specified in the License
|
|
11
|
+
Reference below, you may use this software under the terms of the
|
|
12
|
+
Change License specified below.
|
|
13
|
+
|
|
14
|
+
Change License: Apache License, Version 2.0
|
|
15
|
+
|
|
16
|
+
License Reference: Bedrock Core — BSL 1.1
|
|
17
|
+
|
|
18
|
+
Additional Use Grant: You may use the Software for development,
|
|
19
|
+
testing, and evaluation purposes, including in non-production
|
|
20
|
+
environments, provided that:
|
|
21
|
+
|
|
22
|
+
1. You have obtained a valid license key from InFill Systems, LLC;
|
|
23
|
+
OR
|
|
24
|
+
2. You are within a 30-day trial period, which begins on the date
|
|
25
|
+
you first install or use the Software.
|
|
26
|
+
|
|
27
|
+
Production deployment of the Software requires a Production License
|
|
28
|
+
from InFill Systems, LLC. "Production" means any deployment that
|
|
29
|
+
serves end users, processes live data, or operates in a non-
|
|
30
|
+
development environment.
|
|
31
|
+
|
|
32
|
+
You may create modifications, extensions, or derivative works of the
|
|
33
|
+
Software, provided that:
|
|
34
|
+
|
|
35
|
+
(a) Any derivative works are also subject to this License; and
|
|
36
|
+
(b) You retain all original copyright notices; and
|
|
37
|
+
(c) You do not represent that your derivative works are the
|
|
38
|
+
original Software.
|
|
39
|
+
|
|
40
|
+
You may not:
|
|
41
|
+
- Use the Software in production without a valid Production License;
|
|
42
|
+
- Use the Software after the 30-day trial period without a valid
|
|
43
|
+
Developer or Production License;
|
|
44
|
+
- Remove, alter, or obscure any license enforcement mechanisms;
|
|
45
|
+
- Distribute the Software or derivative works under a different
|
|
46
|
+
license without written permission from InFill Systems, LLC;
|
|
47
|
+
- Use the Software to compete with InFill Systems, LLC.
|
|
48
|
+
|
|
49
|
+
The Software is provided "as is", without warranty of any kind,
|
|
50
|
+
express or implied, including but not limited to the warranties of
|
|
51
|
+
merchantability, fitness for a particular purpose and noninfringement.
|
|
52
|
+
In no event shall the authors or copyright holders be liable for any
|
|
53
|
+
claim, damages or other liability, whether in an action of contract,
|
|
54
|
+
tort or otherwise, arising from, out of or in connection with the
|
|
55
|
+
Software or the use or other dealings in the Software.
|
|
56
|
+
|
|
57
|
+
For license inquiries: licensing@infill.systems
|
|
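Review bot: the Change Date that BSL 1.1 requires is never stated. The text defers to "the Change Date specified in the License Reference below", but the License Reference reads only "Bedrock Core — BSL 1.1", and the README hunk says conversion to Apache 2.0 happens "on a predetermined change date", so a user cannot determine when the Change License applies. Add an explicit `Change Date:` line with a real date. Related: the pointer for obtaining "a copy of the License" at `https://github.com/drc10101/bedrock/blob/main/LICENSE` is this same file, which contains only the Additional Use Grant and parameters, not the BSL 1.1 text itself; include the full license text or link its canonical source.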
@@ -0,0 +1,268 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: infill-bedrock
|
|
3
|
+
Version: 0.3.0
|
|
4
|
+
Summary: Identity-based security framework. Every node is a user. Everything between is encrypted at rest.
|
|
5
|
+
Author: InFill Systems, LLC
|
|
6
|
+
License: BSL-1.1
|
|
7
|
+
Project-URL: Homepage, https://bedrock.dev
|
|
8
|
+
Project-URL: Repository, https://github.com/drc10101/bedrock
|
|
9
|
+
Project-URL: Documentation, https://bedrock.dev/docs
|
|
10
|
+
Project-URL: Issues, https://github.com/drc10101/bedrock/issues
|
|
11
|
+
Classifier: Development Status :: 3 - Alpha
|
|
12
|
+
Classifier: Intended Audience :: Developers
|
|
13
|
+
Classifier: Operating System :: OS Independent
|
|
14
|
+
Classifier: Programming Language :: Python :: 3
|
|
15
|
+
Classifier: Programming Language :: Python :: 3.11
|
|
16
|
+
Classifier: Programming Language :: Python :: 3.12
|
|
17
|
+
Classifier: Programming Language :: Python :: 3.13
|
|
18
|
+
Classifier: Programming Language :: Python :: 3.14
|
|
19
|
+
Classifier: Topic :: Security
|
|
20
|
+
Classifier: Topic :: Security :: Cryptography
|
|
21
|
+
Requires-Python: >=3.11
|
|
22
|
+
Description-Content-Type: text/markdown
|
|
23
|
+
License-File: LICENSE
|
|
24
|
+
Requires-Dist: cryptography>=42.0
|
|
25
|
+
Requires-Dist: fastapi>=0.110
|
|
26
|
+
Requires-Dist: uvicorn[standard]>=0.29
|
|
27
|
+
Requires-Dist: uuid7>=0.1
|
|
28
|
+
Provides-Extra: dev
|
|
29
|
+
Requires-Dist: pytest>=8.0; extra == "dev"
|
|
30
|
+
Requires-Dist: pytest-asyncio>=1.0; extra == "dev"
|
|
31
|
+
Requires-Dist: pytest-cov>=5.0; extra == "dev"
|
|
32
|
+
Requires-Dist: ruff>=0.4; extra == "dev"
|
|
33
|
+
Requires-Dist: mypy>=1.10; extra == "dev"
|
|
34
|
+
Requires-Dist: black>=24.0; extra == "dev"
|
|
35
|
+
Requires-Dist: isort>=5.13; extra == "dev"
|
|
36
|
+
Requires-Dist: httpx2>=0.28; extra == "dev"
|
|
37
|
+
Provides-Extra: sqlcipher
|
|
38
|
+
Requires-Dist: sqlcipher3>=0.5; extra == "sqlcipher"
|
|
39
|
+
Provides-Extra: hsm
|
|
40
|
+
Requires-Dist: pkcs11>=1.1; extra == "hsm"
|
|
41
|
+
Provides-Extra: stripe
|
|
42
|
+
Requires-Dist: stripe>=10.0; extra == "stripe"
|
|
43
|
+
Dynamic: license-file
|
|
44
|
+
|
|
45
|
+
<p align="center">
|
|
46
|
+
<img src="assets/Bedrock_Logo.png" alt="Bedrock" width="600">
|
|
47
|
+
</p>
|
|
48
|
+
|
|
49
|
+
<h3 align="center">Build your app. Inherit the security.</h3>
|
|
50
|
+
|
|
51
|
+
<p align="center">
|
|
52
|
+
Bedrock is the security layer your app sits on top of.<br>
|
|
53
|
+
Identity, encryption, consent, and audit — handled from the start.
|
|
54
|
+
</p>
|
|
55
|
+
|
|
56
|
+
<p align="center">
|
|
57
|
+
<a href="https://github.com/drc10101/bedrock/releases/tag/v0.3.0"><img src="https://img.shields.io/badge/version-0.3.0-blue" alt="Version"></a>
|
|
58
|
+
<img src="https://img.shields.io/badge/tests-841-passing-brightgreen" alt="Tests">
|
|
59
|
+
<img src="https://img.shields.io/badge/python-3.11+-blue" alt="Python">
|
|
60
|
+
<img src="https://img.shields.io/badge/license-BSL--1.1-orange" alt="License">
|
|
61
|
+
<img src="https://img.shields.io/badge/trial-free_30_days-success" alt="Free Trial">
|
|
62
|
+
</p>
|
|
63
|
+
|
|
64
|
+
---
|
|
65
|
+
|
|
66
|
+
**You don't bolt security on after the fact. You build on Bedrock, and your app inherits it.**
|
|
67
|
+
|
|
68
|
+
Bedrock is a security framework that your application calls into — not a service you route traffic through. When your app uses Bedrock's SDK, every node gets a cryptographic identity, every field write gets encrypted at rest, every cross-silo read requires cryptographic consent, and every action gets written to a tamper-evident audit chain. Your app focuses on business logic. Bedrock handles the security guarantees.
|
|
69
|
+
|
|
70
|
+
## What Your App Gets
|
|
71
|
+
|
|
72
|
+
- **Cryptographic identity for every node.** Each service, device, or user in your system gets a signed identity. No anonymous access.
|
|
73
|
+
- **Field-level encryption at rest.** Data is encrypted before it hits storage. Siloed by category — medical records, financial data, PII — each in its own encrypted container.
|
|
74
|
+
- **Consent-gated data access.** No cross-silo read without a cryptographic consent token. If the patient didn't authorize it, the data doesn't move.
|
|
75
|
+
- **Tamper-evident audit chain.** Every write, read, consent grant, and revocation is SHA-256 chained. Detect tampering, prove compliance.
|
|
76
|
+
- **Self-healing mesh transport.** Encrypted node-to-node communication with automatic failover and reconnection.
|
|
77
|
+
- **License-gated operation.** Runtime enforcement of tier limits — nodes, certificates, features.
|
|
78
|
+
|
|
79
|
+
Your app calls the SDK. The SDK calls Bedrock Core. The security is there because you built on Bedrock, not because you remembered to add it later.
|
|
80
|
+
|
|
81
|
+
## How It Works
|
|
82
|
+
|
|
83
|
+
```
|
|
84
|
+
┌─────────────────────────────────────────────────────┐
|
|
85
|
+
│ Your Application │
|
|
86
|
+
│ │
|
|
87
|
+
│ Business logic, routes, UI — whatever you build │
|
|
88
|
+
│ │
|
|
89
|
+
├──────────┬──────────┬──────────────────────────────┤
|
|
90
|
+
│ Python │TypeScript│ REST API │
|
|
91
|
+
│ SDK │ SDK │ │
|
|
92
|
+
├──────────┴──────────┴──────────────────────────────┤
|
|
93
|
+
│ │
|
|
94
|
+
│ Bedrock Core │
|
|
95
|
+
│ │
|
|
96
|
+
│ You inherit: identity, encryption, consent, │
|
|
97
|
+
│ audit, key management, mesh transport │
|
|
98
|
+
│ │
|
|
99
|
+
└─────────────────────────────────────────────────────┘
|
|
100
|
+
```
|
|
101
|
+
|
|
102
|
+
Your app makes normal SDK calls — register a node, create a silo, encrypt a field, request consent. Bedrock handles the cryptography, the key derivation, the consent verification, the audit logging. You never touch raw crypto. You never write your own access control. You build on top, and the security is already there.
|
|
103
|
+
|
|
104
|
+
## Status
|
|
105
|
+
|
|
106
|
+
Bedrock v0.3 is an active development release. Core modules (crypto, identity, data separation, licensing) are well-tested (841 tests, zero type errors). The HTTP API server has SQLite persistence and works for development and testing, but is not yet hardened for production traffic. See [PRODUCTION_DEPLOYMENT.md](../docs/PRODUCTION_DEPLOYMENT.md) for the roadmap.
|
|
107
|
+
|
|
108
|
+
## Quick Start
|
|
109
|
+
|
|
110
|
+
```bash
|
|
111
|
+
# Install
|
|
112
|
+
pip install bedrock-core
|
|
113
|
+
|
|
114
|
+
# Initialize a project
|
|
115
|
+
bedrock init ./my-project
|
|
116
|
+
cd my-project
|
|
117
|
+
|
|
118
|
+
# Generate a free 30-day trial license
|
|
119
|
+
bedrock trial --licensee "your-email@example.com"
|
|
120
|
+
|
|
121
|
+
# Start the API server
|
|
122
|
+
bedrock serve
|
|
123
|
+
```
|
|
124
|
+
|
|
125
|
+
### From Source
|
|
126
|
+
|
|
127
|
+
```bash
|
|
128
|
+
git clone https://github.com/drc10101/bedrock.git
|
|
129
|
+
cd bedrock/core
|
|
130
|
+
pip install -e ".[dev]"
|
|
131
|
+
pytest
|
|
132
|
+
|
|
133
|
+
# Or with Docker
|
|
134
|
+
docker compose -f deploy/docker-compose.yml up
|
|
135
|
+
```
|
|
136
|
+
|
|
137
|
+
## Use It In Your App
|
|
138
|
+
|
|
139
|
+
### Python
|
|
140
|
+
|
|
141
|
+
```python
|
|
142
|
+
from bedrock_sdk import BedrockClient
|
|
143
|
+
|
|
144
|
+
client = BedrockClient(
|
|
145
|
+
base_url="https://bedrock.infill.systems",
|
|
146
|
+
license_key="1:...",
|
|
147
|
+
)
|
|
148
|
+
|
|
149
|
+
# Register your service as a node — it now has a cryptographic identity
|
|
150
|
+
node = client.nodes.register(name="my-service", node_type="application")
|
|
151
|
+
|
|
152
|
+
# Create a data silo — medical records live here, encrypted at rest
|
|
153
|
+
silo = client.silos.create(
|
|
154
|
+
name="patient-records",
|
|
155
|
+
display_name="Patient Records",
|
|
156
|
+
categories=["medical", "phi"],
|
|
157
|
+
)
|
|
158
|
+
|
|
159
|
+
# Encrypt a field before storing it — Bedrock handles key derivation
|
|
160
|
+
ciphertext = client.encryption.encrypt(
|
|
161
|
+
plaintext="SSN-123-45-6789",
|
|
162
|
+
silo=silo.silo_id,
|
|
163
|
+
record_id="patient-001",
|
|
164
|
+
scope="ssn",
|
|
165
|
+
operation="store",
|
|
166
|
+
)
|
|
167
|
+
|
|
168
|
+
# Request consent before reading cross-silo data — cryptographic proof required
|
|
169
|
+
consent = client.consent.request(
|
|
170
|
+
requester_id=node.node_id,
|
|
171
|
+
target_id="patient-001",
|
|
172
|
+
silo_id=silo.silo_id,
|
|
173
|
+
purpose="treatment",
|
|
174
|
+
scope=["ssn", "diagnosis"],
|
|
175
|
+
)
|
|
176
|
+
```
|
|
177
|
+
|
|
178
|
+
### TypeScript
|
|
179
|
+
|
|
180
|
+
```typescript
|
|
181
|
+
import { BedrockClient } from "@infill/bedrock-sdk";
|
|
182
|
+
|
|
183
|
+
const client = new BedrockClient({
|
|
184
|
+
baseUrl: "https://bedrock.infill.systems",
|
|
185
|
+
licenseKey: "1:...",
|
|
186
|
+
});
|
|
187
|
+
|
|
188
|
+
// Same API surface as Python SDK
|
|
189
|
+
const node = await client.nodes.register({ name: "my-service" });
|
|
190
|
+
const silo = await client.silos.create({ name: "patient-records" });
|
|
191
|
+
```
|
|
192
|
+
|
|
193
|
+
That's it. Your app now has identity, encryption, consent, and audit — because it's built on Bedrock.
|
|
194
|
+
|
|
195
|
+
## CLI Commands
|
|
196
|
+
|
|
197
|
+
| Command | Description |
|
|
198
|
+
|---------|-------------|
|
|
199
|
+
| `bedrock init [dir]` | Initialize a new project (config, keys, env template) |
|
|
200
|
+
| `bedrock trial [--licensee]` | Generate a free 30-day trial license |
|
|
201
|
+
| `bedrock serve [--host] [--port]` | Start the API server |
|
|
202
|
+
| `bedrock keygen [--key-id]` | Generate a signing key |
|
|
203
|
+
| `bedrock license issue --tier --licensee` | Issue a license key |
|
|
204
|
+
| `bedrock license validate --key` | Validate a license key |
|
|
205
|
+
| `bedrock license revoke --key-id` | Revoke a signing key |
|
|
206
|
+
| `bedrock health [--json]` | Run health checks |
|
|
207
|
+
| `bedrock status` | Show system status and config |
|
|
208
|
+
|
|
209
|
+
## Licensing
|
|
210
|
+
|
|
211
|
+
Bedrock is source-available under the [Business Source License 1.1](LICENSE).
|
|
212
|
+
|
|
213
|
+
### Free Trial
|
|
214
|
+
|
|
215
|
+
Start with a free 30-day trial — full developer features, 3 local nodes, self-signed certificates. No credit card required.
|
|
216
|
+
|
|
217
|
+
```bash
|
|
218
|
+
bedrock trial --licensee "your-email@example.com"
|
|
219
|
+
```
|
|
220
|
+
|
|
221
|
+
### Pricing
|
|
222
|
+
|
|
223
|
+
| Tier | Price | Nodes | Certificates | Use Case |
|
|
224
|
+
|------|-------|-------|---------------|----------|
|
|
225
|
+
| **Trial** | Free (30 days) | 3 | Self-signed | Evaluation and development |
|
|
226
|
+
| **Developer** | $99/yr | 3 | Self-signed | Individual development |
|
|
227
|
+
| **Professional** | $499/yr | 10 | Self-signed | Team development |
|
|
228
|
+
| **Starter** | $5K/yr | 5 | CA-enforced | Production deployment |
|
|
229
|
+
| **Business** | $20K/yr | 25 | CA-enforced | Production at scale |
|
|
230
|
+
| **Enterprise** | Custom | Unlimited | CA-enforced | Mission-critical deployments |
|
|
231
|
+
|
|
232
|
+
**Non-production use** (development, testing, evaluation) is free forever under BSL-1.1. **Production deployment** requires a paid license.
|
|
233
|
+
|
|
234
|
+
### How It Works
|
|
235
|
+
|
|
236
|
+
1. `bedrock trial` — get a free 30-day license with full developer features
|
|
237
|
+
2. Build your app on Bedrock — identity, encryption, consent, audit are inherited
|
|
238
|
+
3. When ready for production, purchase a runtime license at [bedrock.dev/pricing](https://bedrock.dev/pricing)
|
|
239
|
+
4. Upgrade your license key — no code changes, no reinstallation
|
|
240
|
+
|
|
241
|
+
## Testing
|
|
242
|
+
|
|
243
|
+
```bash
|
|
244
|
+
# Core tests
|
|
245
|
+
cd core && pytest
|
|
246
|
+
|
|
247
|
+
# Python SDK tests
|
|
248
|
+
cd sdk-python && pytest
|
|
249
|
+
|
|
250
|
+
# TypeScript SDK tests
|
|
251
|
+
cd sdk-ts && npm test
|
|
252
|
+
```
|
|
253
|
+
|
|
254
|
+
841 tests pass across core modules (841) and Python SDK (20). Zero type errors.
|
|
255
|
+
|
|
256
|
+
## Security
|
|
257
|
+
|
|
258
|
+
See [SECURITY.md](SECURITY.md) for reporting vulnerabilities.
|
|
259
|
+
|
|
260
|
+
**Do not report security issues through public GitHub issues.**
|
|
261
|
+
|
|
262
|
+
## License
|
|
263
|
+
|
|
264
|
+
This software is licensed under the [Business Source License 1.1](LICENSE).
|
|
265
|
+
|
|
266
|
+
You may use, modify, and redistribute this software for non-production purposes (development, testing, evaluation) free of charge. Production use requires a paid license — see [bedrock.dev/pricing](https://bedrock.dev/pricing).
|
|
267
|
+
|
|
268
|
+
The BSL converts to an open-source license (typically Apache 2.0) on a predetermined change date — see the LICENSE file for details.
|
|
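Review bot: `Requires-Dist: httpx2>=0.28; extra == "dev"` looks like a typo for `httpx` (the version floor matches httpx's numbering, and httpx is the usual test client for FastAPI). Confirm the intended package name before release: a misspelled dependency is a dependency-confusion risk, since `pip install -e ".[dev]"` will fetch whatever is published under that name. The same check applies to the embedded Quick Start: `pip install bedrock-core` names a distribution different from this package's `Name: infill-bedrock`, and the Python sample imports `bedrock_sdk`, which is not in this sdist (the package directory is `bedrock/`, and top_level.txt has a single entry). Use the names that are actually published. Minor: the links `../docs/PRODUCTION_DEPLOYMENT.md` and `assets/Bedrock_Logo.png` are relative to the repository and will not resolve from the PyPI project page.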
@@ -0,0 +1,224 @@
|
|
|
1
|
+
<p align="center">
|
|
2
|
+
<img src="assets/Bedrock_Logo.png" alt="Bedrock" width="600">
|
|
3
|
+
</p>
|
|
4
|
+
|
|
5
|
+
<h3 align="center">Build your app. Inherit the security.</h3>
|
|
6
|
+
|
|
7
|
+
<p align="center">
|
|
8
|
+
Bedrock is the security layer your app sits on top of.<br>
|
|
9
|
+
Identity, encryption, consent, and audit — handled from the start.
|
|
10
|
+
</p>
|
|
11
|
+
|
|
12
|
+
<p align="center">
|
|
13
|
+
<a href="https://github.com/drc10101/bedrock/releases/tag/v0.3.0"><img src="https://img.shields.io/badge/version-0.3.0-blue" alt="Version"></a>
|
|
14
|
+
<img src="https://img.shields.io/badge/tests-841-passing-brightgreen" alt="Tests">
|
|
15
|
+
<img src="https://img.shields.io/badge/python-3.11+-blue" alt="Python">
|
|
16
|
+
<img src="https://img.shields.io/badge/license-BSL--1.1-orange" alt="License">
|
|
17
|
+
<img src="https://img.shields.io/badge/trial-free_30_days-success" alt="Free Trial">
|
|
18
|
+
</p>
|
|
19
|
+
|
|
20
|
+
---
|
|
21
|
+
|
|
22
|
+
**You don't bolt security on after the fact. You build on Bedrock, and your app inherits it.**
|
|
23
|
+
|
|
24
|
+
Bedrock is a security framework that your application calls into — not a service you route traffic through. When your app uses Bedrock's SDK, every node gets a cryptographic identity, every field write gets encrypted at rest, every cross-silo read requires cryptographic consent, and every action gets written to a tamper-evident audit chain. Your app focuses on business logic. Bedrock handles the security guarantees.
|
|
25
|
+
|
|
26
|
+
## What Your App Gets
|
|
27
|
+
|
|
28
|
+
- **Cryptographic identity for every node.** Each service, device, or user in your system gets a signed identity. No anonymous access.
|
|
29
|
+
- **Field-level encryption at rest.** Data is encrypted before it hits storage. Siloed by category — medical records, financial data, PII — each in its own encrypted container.
|
|
30
|
+
- **Consent-gated data access.** No cross-silo read without a cryptographic consent token. If the patient didn't authorize it, the data doesn't move.
|
|
31
|
+
- **Tamper-evident audit chain.** Every write, read, consent grant, and revocation is SHA-256 chained. Detect tampering, prove compliance.
|
|
32
|
+
- **Self-healing mesh transport.** Encrypted node-to-node communication with automatic failover and reconnection.
|
|
33
|
+
- **License-gated operation.** Runtime enforcement of tier limits — nodes, certificates, features.
|
|
34
|
+
|
|
35
|
+
Your app calls the SDK. The SDK calls Bedrock Core. The security is there because you built on Bedrock, not because you remembered to add it later.
|
|
36
|
+
|
|
37
|
+
## How It Works
|
|
38
|
+
|
|
39
|
+
```
|
|
40
|
+
┌─────────────────────────────────────────────────────┐
|
|
41
|
+
│ Your Application │
|
|
42
|
+
│ │
|
|
43
|
+
│ Business logic, routes, UI — whatever you build │
|
|
44
|
+
│ │
|
|
45
|
+
├──────────┬──────────┬──────────────────────────────┤
|
|
46
|
+
│ Python │TypeScript│ REST API │
|
|
47
|
+
│ SDK │ SDK │ │
|
|
48
|
+
├──────────┴──────────┴──────────────────────────────┤
|
|
49
|
+
│ │
|
|
50
|
+
│ Bedrock Core │
|
|
51
|
+
│ │
|
|
52
|
+
│ You inherit: identity, encryption, consent, │
|
|
53
|
+
│ audit, key management, mesh transport │
|
|
54
|
+
│ │
|
|
55
|
+
└─────────────────────────────────────────────────────┘
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
Your app makes normal SDK calls — register a node, create a silo, encrypt a field, request consent. Bedrock handles the cryptography, the key derivation, the consent verification, the audit logging. You never touch raw crypto. You never write your own access control. You build on top, and the security is already there.
|
|
59
|
+
|
|
60
|
+
## Status
|
|
61
|
+
|
|
62
|
+
Bedrock v0.3 is an active development release. Core modules (crypto, identity, data separation, licensing) are well-tested (841 tests, zero type errors). The HTTP API server has SQLite persistence and works for development and testing, but is not yet hardened for production traffic. See [PRODUCTION_DEPLOYMENT.md](../docs/PRODUCTION_DEPLOYMENT.md) for the roadmap.
|
|
63
|
+
|
|
64
|
+
## Quick Start
|
|
65
|
+
|
|
66
|
+
```bash
|
|
67
|
+
# Install
|
|
68
|
+
pip install bedrock-core
|
|
69
|
+
|
|
70
|
+
# Initialize a project
|
|
71
|
+
bedrock init ./my-project
|
|
72
|
+
cd my-project
|
|
73
|
+
|
|
74
|
+
# Generate a free 30-day trial license
|
|
75
|
+
bedrock trial --licensee "your-email@example.com"
|
|
76
|
+
|
|
77
|
+
# Start the API server
|
|
78
|
+
bedrock serve
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
### From Source
|
|
82
|
+
|
|
83
|
+
```bash
|
|
84
|
+
git clone https://github.com/drc10101/bedrock.git
|
|
85
|
+
cd bedrock/core
|
|
86
|
+
pip install -e ".[dev]"
|
|
87
|
+
pytest
|
|
88
|
+
|
|
89
|
+
# Or with Docker
|
|
90
|
+
docker compose -f deploy/docker-compose.yml up
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
## Use It In Your App
|
|
94
|
+
|
|
95
|
+
### Python
|
|
96
|
+
|
|
97
|
+
```python
|
|
98
|
+
from bedrock_sdk import BedrockClient
|
|
99
|
+
|
|
100
|
+
client = BedrockClient(
|
|
101
|
+
base_url="https://bedrock.infill.systems",
|
|
102
|
+
license_key="1:...",
|
|
103
|
+
)
|
|
104
|
+
|
|
105
|
+
# Register your service as a node — it now has a cryptographic identity
|
|
106
|
+
node = client.nodes.register(name="my-service", node_type="application")
|
|
107
|
+
|
|
108
|
+
# Create a data silo — medical records live here, encrypted at rest
|
|
109
|
+
silo = client.silos.create(
|
|
110
|
+
name="patient-records",
|
|
111
|
+
display_name="Patient Records",
|
|
112
|
+
categories=["medical", "phi"],
|
|
113
|
+
)
|
|
114
|
+
|
|
115
|
+
# Encrypt a field before storing it — Bedrock handles key derivation
|
|
116
|
+
ciphertext = client.encryption.encrypt(
|
|
117
|
+
plaintext="SSN-123-45-6789",
|
|
118
|
+
silo=silo.silo_id,
|
|
119
|
+
record_id="patient-001",
|
|
120
|
+
scope="ssn",
|
|
121
|
+
operation="store",
|
|
122
|
+
)
|
|
123
|
+
|
|
124
|
+
# Request consent before reading cross-silo data — cryptographic proof required
|
|
125
|
+
consent = client.consent.request(
|
|
126
|
+
requester_id=node.node_id,
|
|
127
|
+
target_id="patient-001",
|
|
128
|
+
silo_id=silo.silo_id,
|
|
129
|
+
purpose="treatment",
|
|
130
|
+
scope=["ssn", "diagnosis"],
|
|
131
|
+
)
|
|
132
|
+
```
|
|
133
|
+
|
|
134
|
+
### TypeScript
|
|
135
|
+
|
|
136
|
+
```typescript
|
|
137
|
+
import { BedrockClient } from "@infill/bedrock-sdk";
|
|
138
|
+
|
|
139
|
+
const client = new BedrockClient({
|
|
140
|
+
baseUrl: "https://bedrock.infill.systems",
|
|
141
|
+
licenseKey: "1:...",
|
|
142
|
+
});
|
|
143
|
+
|
|
144
|
+
// Same API surface as Python SDK
|
|
145
|
+
const node = await client.nodes.register({ name: "my-service" });
|
|
146
|
+
const silo = await client.silos.create({ name: "patient-records" });
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
That's it. Your app now has identity, encryption, consent, and audit — because it's built on Bedrock.
|
|
150
|
+
|
|
151
|
+
## CLI Commands
|
|
152
|
+
|
|
153
|
+
| Command | Description |
|
|
154
|
+
|---------|-------------|
|
|
155
|
+
| `bedrock init [dir]` | Initialize a new project (config, keys, env template) |
|
|
156
|
+
| `bedrock trial [--licensee]` | Generate a free 30-day trial license |
|
|
157
|
+
| `bedrock serve [--host] [--port]` | Start the API server |
|
|
158
|
+
| `bedrock keygen [--key-id]` | Generate a signing key |
|
|
159
|
+
| `bedrock license issue --tier --licensee` | Issue a license key |
|
|
160
|
+
| `bedrock license validate --key` | Validate a license key |
|
|
161
|
+
| `bedrock license revoke --key-id` | Revoke a signing key |
|
|
162
|
+
| `bedrock health [--json]` | Run health checks |
|
|
163
|
+
| `bedrock status` | Show system status and config |
|
|
164
|
+
|
|
165
|
+
## Licensing
|
|
166
|
+
|
|
167
|
+
Bedrock is source-available under the [Business Source License 1.1](LICENSE).
|
|
168
|
+
|
|
169
|
+
### Free Trial
|
|
170
|
+
|
|
171
|
+
Start with a free 30-day trial — full developer features, 3 local nodes, self-signed certificates. No credit card required.
|
|
172
|
+
|
|
173
|
+
```bash
|
|
174
|
+
bedrock trial --licensee "your-email@example.com"
|
|
175
|
+
```
|
|
176
|
+
|
|
177
|
+
### Pricing
|
|
178
|
+
|
|
179
|
+
| Tier | Price | Nodes | Certificates | Use Case |
|
|
180
|
+
|------|-------|-------|---------------|----------|
|
|
181
|
+
| **Trial** | Free (30 days) | 3 | Self-signed | Evaluation and development |
|
|
182
|
+
| **Developer** | $99/yr | 3 | Self-signed | Individual development |
|
|
183
|
+
| **Professional** | $499/yr | 10 | Self-signed | Team development |
|
|
184
|
+
| **Starter** | $5K/yr | 5 | CA-enforced | Production deployment |
|
|
185
|
+
| **Business** | $20K/yr | 25 | CA-enforced | Production at scale |
|
|
186
|
+
| **Enterprise** | Custom | Unlimited | CA-enforced | Mission-critical deployments |
|
|
187
|
+
|
|
188
|
+
**Non-production use** (development, testing, evaluation) is free forever under BSL-1.1. **Production deployment** requires a paid license.
|
|
189
|
+
|
|
190
|
+
### How It Works
|
|
191
|
+
|
|
192
|
+
1. `bedrock trial` — get a free 30-day license with full developer features
|
|
193
|
+
2. Build your app on Bedrock — identity, encryption, consent, audit are inherited
|
|
194
|
+
3. When ready for production, purchase a runtime license at [bedrock.dev/pricing](https://bedrock.dev/pricing)
|
|
195
|
+
4. Upgrade your license key — no code changes, no reinstallation
|
|
196
|
+
|
|
197
|
+
## Testing
|
|
198
|
+
|
|
199
|
+
```bash
|
|
200
|
+
# Core tests
|
|
201
|
+
cd core && pytest
|
|
202
|
+
|
|
203
|
+
# Python SDK tests
|
|
204
|
+
cd sdk-python && pytest
|
|
205
|
+
|
|
206
|
+
# TypeScript SDK tests
|
|
207
|
+
cd sdk-ts && npm test
|
|
208
|
+
```
|
|
209
|
+
|
|
210
|
+
841 tests pass across core modules (841) and Python SDK (20). Zero type errors.
|
|
211
|
+
|
|
212
|
+
## Security
|
|
213
|
+
|
|
214
|
+
See [SECURITY.md](SECURITY.md) for reporting vulnerabilities.
|
|
215
|
+
|
|
216
|
+
**Do not report security issues through public GitHub issues.**
|
|
217
|
+
|
|
218
|
+
## License
|
|
219
|
+
|
|
220
|
+
This software is licensed under the [Business Source License 1.1](LICENSE).
|
|
221
|
+
|
|
222
|
+
You may use, modify, and redistribute this software for non-production purposes (development, testing, evaluation) free of charge. Production use requires a paid license — see [bedrock.dev/pricing](https://bedrock.dev/pricing).
|
|
223
|
+
|
|
224
|
+
The BSL converts to an open-source license (typically Apache 2.0) on a predetermined change date — see the LICENSE file for details.
|
|
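Review bot: the Python and TypeScript samples embed the license key as a source literal (`license_key="1:..."`, `licenseKey: "1:..."`). Since `bedrock init` already writes an "env template", the samples should read the key from the environment (variable name of your choosing) rather than teach users to commit it; the sample `base_url="https://bedrock.infill.systems"` also points at a hosted endpoint while the Quick Start immediately above runs a local `bedrock serve`. Two consistency points: "Non-production use ... is free forever under BSL-1.1" contradicts the LICENSE hunk, whose Additional Use Grant permits development, testing and evaluation only with a valid license key or within a 30-day trial, so one of the two needs to change; and "841 tests pass across core modules (841) and Python SDK (20)" does not add up, so state the totals per suite once.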
@@ -0,0 +1,39 @@
|
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
## Reporting a Vulnerability
|
|
4
|
+
|
|
5
|
+
**Do not report security vulnerabilities through public GitHub issues.**
|
|
6
|
+
|
|
7
|
+
Instead, email **security@infill.systems** with:
|
|
8
|
+
|
|
9
|
+
- A description of the vulnerability
|
|
10
|
+
- Steps to reproduce
|
|
11
|
+
- Potential impact
|
|
12
|
+
- Any suggested mitigations
|
|
13
|
+
|
|
14
|
+
You should receive a response within 48 hours. If you do not, please follow up to ensure we received your message.
|
|
15
|
+
|
|
16
|
+
## Disclosure Policy
|
|
17
|
+
|
|
18
|
+
- We acknowledge all vulnerability reports within 48 hours
|
|
19
|
+
- We provide a timeline for fix within 5 business days
|
|
20
|
+
- We credit researchers in our changelog (unless anonymity is requested)
|
|
21
|
+
- We ask for 90 days before public disclosure to allow users to patch
|
|
22
|
+
|
|
23
|
+
## Supported Versions
|
|
24
|
+
|
|
25
|
+
| Version | Supported |
|
|
26
|
+
|---------|-----------|
|
|
27
|
+
| 0.3.x | Active development |
|
|
28
|
+
| < 0.3 | Not supported |
|
|
29
|
+
|
|
30
|
+
## Security Architecture
|
|
31
|
+
|
|
32
|
+
Bedrock is designed with defense in depth:
|
|
33
|
+
|
|
34
|
+
- **Encryption at rest**: All data encrypted with AES-256-GCM, keys derived via HKDF
|
|
35
|
+
- **Identity-first**: Every node has a cryptographic identity, verified at every interaction
|
|
36
|
+
- **Consent-gated access**: Cross-silo data access requires cryptographic proof of consent
|
|
37
|
+
- **Audit chain**: SHA-256 hash chain provides tamper-evident audit trail
|
|
38
|
+
- **TLS enforcement**: All transport encrypted, downgrade detection active
|
|
39
|
+
- **Key isolation**: Silo-scoped keys, master key never stored in cleartext
|
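Review bot: the Security Architecture claims ("TLS enforcement: All transport encrypted, downgrade detection active", "master key never stored in cleartext") are stated without scope, while the README's Status section says the HTTP API server "is not yet hardened for production traffic". State which components these guarantees cover in 0.3.x and which are roadmap, so reporters and users do not read them as applying to the development server. Two smaller points: the Supported Versions table answers "Active development" where a Yes/No is expected, and the reporting section gives no encrypted channel (no PGP key or fingerprint) for sending reproduction steps to `security@infill.systems`.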