infill-bedrock 0.3.0__tar.gz

Files changed (61) hide show
  1. infill_bedrock-0.3.0/CONTRIBUTING.md +45 -0
  2. infill_bedrock-0.3.0/LICENSE +57 -0
  3. infill_bedrock-0.3.0/MANIFEST.in +7 -0
  4. infill_bedrock-0.3.0/PKG-INFO +268 -0
  5. infill_bedrock-0.3.0/README.md +224 -0
  6. infill_bedrock-0.3.0/SECURITY.md +39 -0
  7. infill_bedrock-0.3.0/bedrock/__init__.py +10 -0
  8. infill_bedrock-0.3.0/bedrock/__main__.py +7 -0
  9. infill_bedrock-0.3.0/bedrock/access_control/__init__.py +35 -0
  10. infill_bedrock-0.3.0/bedrock/access_control/controller.py +523 -0
  11. infill_bedrock-0.3.0/bedrock/audit/__init__.py +12 -0
  12. infill_bedrock-0.3.0/bedrock/audit/chain.py +424 -0
  13. infill_bedrock-0.3.0/bedrock/cli.py +624 -0
  14. infill_bedrock-0.3.0/bedrock/config.py +200 -0
  15. infill_bedrock-0.3.0/bedrock/data_separation/__init__.py +22 -0
  16. infill_bedrock-0.3.0/bedrock/data_separation/anonymous_id.py +1663 -0
  17. infill_bedrock-0.3.0/bedrock/data_separation/consent.py +271 -0
  18. infill_bedrock-0.3.0/bedrock/data_separation/silo.py +168 -0
  19. infill_bedrock-0.3.0/bedrock/encryption/__init__.py +28 -0
  20. infill_bedrock-0.3.0/bedrock/encryption/aad.py +83 -0
  21. infill_bedrock-0.3.0/bedrock/encryption/engine.py +575 -0
  22. infill_bedrock-0.3.0/bedrock/encryption/legacy.py +189 -0
  23. infill_bedrock-0.3.0/bedrock/encryption/version.py +28 -0
  24. infill_bedrock-0.3.0/bedrock/health.py +179 -0
  25. infill_bedrock-0.3.0/bedrock/identity/__init__.py +53 -0
  26. infill_bedrock-0.3.0/bedrock/identity/attestation.py +383 -0
  27. infill_bedrock-0.3.0/bedrock/identity/capabilities.py +49 -0
  28. infill_bedrock-0.3.0/bedrock/identity/certificates.py +357 -0
  29. infill_bedrock-0.3.0/bedrock/identity/node.py +164 -0
  30. infill_bedrock-0.3.0/bedrock/identity/registration.py +264 -0
  31. infill_bedrock-0.3.0/bedrock/key_management/__init__.py +28 -0
  32. infill_bedrock-0.3.0/bedrock/key_management/keys.py +230 -0
  33. infill_bedrock-0.3.0/bedrock/key_management/rotation.py +468 -0
  34. infill_bedrock-0.3.0/bedrock/licensing/__init__.py +63 -0
  35. infill_bedrock-0.3.0/bedrock/licensing/checkout.py +250 -0
  36. infill_bedrock-0.3.0/bedrock/licensing/enforcement.py +530 -0
  37. infill_bedrock-0.3.0/bedrock/licensing/keygen.py +541 -0
  38. infill_bedrock-0.3.0/bedrock/licensing/webhook.py +214 -0
  39. infill_bedrock-0.3.0/bedrock/mesh/__init__.py +34 -0
  40. infill_bedrock-0.3.0/bedrock/mesh/detector.py +150 -0
  41. infill_bedrock-0.3.0/bedrock/mesh/healing.py +318 -0
  42. infill_bedrock-0.3.0/bedrock/mesh/integration.py +353 -0
  43. infill_bedrock-0.3.0/bedrock/mesh/router.py +240 -0
  44. infill_bedrock-0.3.0/bedrock/mesh/state_machine.py +156 -0
  45. infill_bedrock-0.3.0/bedrock/metering/__init__.py +332 -0
  46. infill_bedrock-0.3.0/bedrock/server/__init__.py +17 -0
  47. infill_bedrock-0.3.0/bedrock/server/app.py +682 -0
  48. infill_bedrock-0.3.0/bedrock/server/tls.py +375 -0
  49. infill_bedrock-0.3.0/bedrock/storage/__init__.py +11 -0
  50. infill_bedrock-0.3.0/bedrock/storage/persistence.py +376 -0
  51. infill_bedrock-0.3.0/bedrock/storage/sqlite_backend.py +289 -0
  52. infill_bedrock-0.3.0/bedrock/transport/__init__.py +29 -0
  53. infill_bedrock-0.3.0/bedrock/transport/security.py +432 -0
  54. infill_bedrock-0.3.0/infill_bedrock.egg-info/PKG-INFO +268 -0
  55. infill_bedrock-0.3.0/infill_bedrock.egg-info/SOURCES.txt +59 -0
  56. infill_bedrock-0.3.0/infill_bedrock.egg-info/dependency_links.txt +1 -0
  57. infill_bedrock-0.3.0/infill_bedrock.egg-info/entry_points.txt +2 -0
  58. infill_bedrock-0.3.0/infill_bedrock.egg-info/requires.txt +23 -0
  59. infill_bedrock-0.3.0/infill_bedrock.egg-info/top_level.txt +1 -0
  60. infill_bedrock-0.3.0/pyproject.toml +94 -0
  61. infill_bedrock-0.3.0/setup.cfg +4 -0
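--- a/infill_bedrock-0.3.0/CONTRIBUTING.md
+++ b/infill_bedrock-0.3.0/CONTRIBUTING.md
@@ -0,0 +1,45 @@
+# Contributing to Bedrock
+
+Thank you for your interest in contributing to Bedrock. This project is developed by InFill Systems, LLC under a proprietary license.
+
+## Development Setup
+
+```bash
+cd core
+pip install -e ".[dev]"
+pytest
+
+cd ../sdk-python
+pip install -e ".[dev]"
+pytest
+
+cd ../sdk-ts
+npm install
+npm test
+```
+
+## Code Standards
+
+- **Python 3.11+** with type hints (`mypy --strict`)
+- **Line length**: 100 chars (black + isort)
+- **Tests**: every feature gets tests before merge
+- **Commit messages**: `B-XXX: Short description` format
+
+## Pull Request Process
+
+1. Create a feature branch from `develop`
+2. Write tests first (TDD preferred)
+3. Implement the feature
+4. Ensure all tests pass: `pytest`, `npm test`
+5. Submit PR with description referencing the build number (B-XXX)
+6. Code review required before merge
+
+## Security Vulnerabilities
+
+**Do not report security issues through public GitHub issues.**
+
+Email security@infill.systems instead. See [SECURITY.md](SECURITY.md) for details.
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the same proprietary license as Bedrock (InFill Systems, LLC).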
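--- a/infill_bedrock-0.3.0/LICENSE
+++ b/infill_bedrock-0.3.0/LICENSE
@@ -0,0 +1,57 @@
+Business Source License 1.1
+
+Copyright (c) 2025-2026 InFill Systems, LLC
+
+License Scope: The contents of this repository are licensed under the
+Business Source License 1.1 (the "License"). You may not use this file
+except in compliance with the License. You may obtain a copy of the
+License at https://github.com/drc10101/bedrock/blob/main/LICENSE
+
+Change Date: On or after the Change Date specified in the License
+Reference below, you may use this software under the terms of the
+Change License specified below.
+
+Change License: Apache License, Version 2.0
+
+License Reference: Bedrock Core — BSL 1.1
+
+Additional Use Grant: You may use the Software for development,
+testing, and evaluation purposes, including in non-production
+environments, provided that:
+
+1. You have obtained a valid license key from InFill Systems, LLC;
+OR
+2. You are within a 30-day trial period, which begins on the date
+you first install or use the Software.
+
+Production deployment of the Software requires a Production License
+from InFill Systems, LLC. "Production" means any deployment that
+serves end users, processes live data, or operates in a non-
+development environment.
+
+You may create modifications, extensions, or derivative works of the
+Software, provided that:
+
+(a) Any derivative works are also subject to this License; and
+(b) You retain all original copyright notices; and
+(c) You do not represent that your derivative works are the
+original Software.
+
+You may not:
+- Use the Software in production without a valid Production License;
+- Use the Software after the 30-day trial period without a valid
+Developer or Production License;
+- Remove, alter, or obscure any license enforcement mechanisms;
+- Distribute the Software or derivative works under a different
+license without written permission from InFill Systems, LLC;
+- Use the Software to compete with InFill Systems, LLC.
+
+The Software is provided "as is", without warranty of any kind,
+express or implied, including but not limited to the warranties of
+merchantability, fitness for a particular purpose and noninfringement.
+In no event shall the authors or copyright holders be liable for any
+claim, damages or other liability, whether in an action of contract,
+tort or otherwise, arising from, out of or in connection with the
+Software or the use or other dealings in the Software.
+
+For license inquiries: licensing@infill.systems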
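--- a/infill_bedrock-0.3.0/MANIFEST.in
+++ b/infill_bedrock-0.3.0/MANIFEST.in
@@ -0,0 +1,7 @@
+include LICENSE
+include README.md
+include CHANGELOG.md
+include SECURITY.md
+include CONTRIBUTING.md
+recursive-include bedrock *.py
+recursive-include docs *.md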
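Review bot: `include CHANGELOG.md` and `recursive-include docs *.md` match nothing in this release, because the 61-entry file list has no `CHANGELOG.md` and no `docs/` directory. SECURITY.md says researchers are credited in the changelog and the README links `../docs/PRODUCTION_DEPLOYMENT.md`, so consumers of the sdist receive neither the fix history nor the hardening roadmap they are pointed to. Either ship those files in the sdist or drop the two lines together with the dangling references.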
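--- a/infill_bedrock-0.3.0/PKG-INFO
+++ b/infill_bedrock-0.3.0/PKG-INFO
@@ -0,0 +1,268 @@
+Metadata-Version: 2.4
+Name: infill-bedrock
+Version: 0.3.0
+Summary: Identity-based security framework. Every node is a user. Everything between is encrypted at rest.
+Author: InFill Systems, LLC
+License: BSL-1.1
+Project-URL: Homepage, https://bedrock.dev
+Project-URL: Repository, https://github.com/drc10101/bedrock
+Project-URL: Documentation, https://bedrock.dev/docs
+Project-URL: Issues, https://github.com/drc10101/bedrock/issues
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Topic :: Security
+Classifier: Topic :: Security :: Cryptography
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cryptography>=42.0
+Requires-Dist: fastapi>=0.110
+Requires-Dist: uvicorn[standard]>=0.29
+Requires-Dist: uuid7>=0.1
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+Requires-Dist: pytest-asyncio>=1.0; extra == "dev"
+Requires-Dist: pytest-cov>=5.0; extra == "dev"
+Requires-Dist: ruff>=0.4; extra == "dev"
+Requires-Dist: mypy>=1.10; extra == "dev"
+Requires-Dist: black>=24.0; extra == "dev"
+Requires-Dist: isort>=5.13; extra == "dev"
+Requires-Dist: httpx2>=0.28; extra == "dev"
+Provides-Extra: sqlcipher
+Requires-Dist: sqlcipher3>=0.5; extra == "sqlcipher"
+Provides-Extra: hsm
+Requires-Dist: pkcs11>=1.1; extra == "hsm"
+Provides-Extra: stripe
+Requires-Dist: stripe>=10.0; extra == "stripe"
+Dynamic: license-file
+
+<p align="center">
+<img src="assets/Bedrock_Logo.png" alt="Bedrock" width="600">
+</p>
+
+<h3 align="center">Build your app. Inherit the security.</h3>
+
+<p align="center">
+Bedrock is the security layer your app sits on top of.<br>
+Identity, encryption, consent, and audit — handled from the start.
+</p>
+
+<p align="center">
+<a href="https://github.com/drc10101/bedrock/releases/tag/v0.3.0"><img src="https://img.shields.io/badge/version-0.3.0-blue" alt="Version"></a>
+<img src="https://img.shields.io/badge/tests-841-passing-brightgreen" alt="Tests">
+<img src="https://img.shields.io/badge/python-3.11+-blue" alt="Python">
+<img src="https://img.shields.io/badge/license-BSL--1.1-orange" alt="License">
+<img src="https://img.shields.io/badge/trial-free_30_days-success" alt="Free Trial">
+</p>
+
+---
+
+**You don't bolt security on after the fact. You build on Bedrock, and your app inherits it.**
+
+Bedrock is a security framework that your application calls into — not a service you route traffic through. When your app uses Bedrock's SDK, every node gets a cryptographic identity, every field write gets encrypted at rest, every cross-silo read requires cryptographic consent, and every action gets written to a tamper-evident audit chain. Your app focuses on business logic. Bedrock handles the security guarantees.
+
+## What Your App Gets
+
+- **Cryptographic identity for every node.** Each service, device, or user in your system gets a signed identity. No anonymous access.
+- **Field-level encryption at rest.** Data is encrypted before it hits storage. Siloed by category — medical records, financial data, PII — each in its own encrypted container.
+- **Consent-gated data access.** No cross-silo read without a cryptographic consent token. If the patient didn't authorize it, the data doesn't move.
+- **Tamper-evident audit chain.** Every write, read, consent grant, and revocation is SHA-256 chained. Detect tampering, prove compliance.
+- **Self-healing mesh transport.** Encrypted node-to-node communication with automatic failover and reconnection.
+- **License-gated operation.** Runtime enforcement of tier limits — nodes, certificates, features.
+
+Your app calls the SDK. The SDK calls Bedrock Core. The security is there because you built on Bedrock, not because you remembered to add it later.
+
+## How It Works
+
+```
+┌─────────────────────────────────────────────────────┐
+│ Your Application │
+│ │
+│ Business logic, routes, UI — whatever you build │
+│ │
+├──────────┬──────────┬──────────────────────────────┤
+│ Python │TypeScript│ REST API │
+│ SDK │ SDK │ │
+├──────────┴──────────┴──────────────────────────────┤
+│ │
+│ Bedrock Core │
+│ │
+│ You inherit: identity, encryption, consent, │
+│ audit, key management, mesh transport │
+│ │
+└─────────────────────────────────────────────────────┘
+```
+
+Your app makes normal SDK calls — register a node, create a silo, encrypt a field, request consent. Bedrock handles the cryptography, the key derivation, the consent verification, the audit logging. You never touch raw crypto. You never write your own access control. You build on top, and the security is already there.
+
+## Status
+
+Bedrock v0.3 is an active development release. Core modules (crypto, identity, data separation, licensing) are well-tested (841 tests, zero type errors). The HTTP API server has SQLite persistence and works for development and testing, but is not yet hardened for production traffic. See [PRODUCTION_DEPLOYMENT.md](../docs/PRODUCTION_DEPLOYMENT.md) for the roadmap.
+
+## Quick Start
+
+```bash
+# Install
+pip install bedrock-core
+
+# Initialize a project
+bedrock init ./my-project
+cd my-project
+
+# Generate a free 30-day trial license
+bedrock trial --licensee "your-email@example.com"
+
+# Start the API server
+bedrock serve
+```
+
+### From Source
+
+```bash
+git clone https://github.com/drc10101/bedrock.git
+cd bedrock/core
+pip install -e ".[dev]"
+pytest
+
+# Or with Docker
+docker compose -f deploy/docker-compose.yml up
+```
+
+## Use It In Your App
+
+### Python
+
+```python
+from bedrock_sdk import BedrockClient
+
+client = BedrockClient(
+base_url="https://bedrock.infill.systems",
+license_key="1:...",
+)
+
+# Register your service as a node — it now has a cryptographic identity
+node = client.nodes.register(name="my-service", node_type="application")
+
+# Create a data silo — medical records live here, encrypted at rest
+silo = client.silos.create(
+name="patient-records",
+display_name="Patient Records",
+categories=["medical", "phi"],
+)
+
+# Encrypt a field before storing it — Bedrock handles key derivation
+ciphertext = client.encryption.encrypt(
+plaintext="SSN-123-45-6789",
+silo=silo.silo_id,
+record_id="patient-001",
+scope="ssn",
+operation="store",
+)
+
+# Request consent before reading cross-silo data — cryptographic proof required
+consent = client.consent.request(
+requester_id=node.node_id,
+target_id="patient-001",
+silo_id=silo.silo_id,
+purpose="treatment",
+scope=["ssn", "diagnosis"],
+)
+```
+
+### TypeScript
+
+```typescript
+import { BedrockClient } from "@infill/bedrock-sdk";
+
+const client = new BedrockClient({
+baseUrl: "https://bedrock.infill.systems",
+licenseKey: "1:...",
+});
+
+// Same API surface as Python SDK
+const node = await client.nodes.register({ name: "my-service" });
+const silo = await client.silos.create({ name: "patient-records" });
+```
+
+That's it. Your app now has identity, encryption, consent, and audit — because it's built on Bedrock.
+
+## CLI Commands
+
+| Command | Description |
+|---------|-------------|
+| `bedrock init [dir]` | Initialize a new project (config, keys, env template) |
+| `bedrock trial [--licensee]` | Generate a free 30-day trial license |
+| `bedrock serve [--host] [--port]` | Start the API server |
+| `bedrock keygen [--key-id]` | Generate a signing key |
+| `bedrock license issue --tier --licensee` | Issue a license key |
+| `bedrock license validate --key` | Validate a license key |
+| `bedrock license revoke --key-id` | Revoke a signing key |
+| `bedrock health [--json]` | Run health checks |
+| `bedrock status` | Show system status and config |
+
+## Licensing
+
+Bedrock is source-available under the [Business Source License 1.1](LICENSE).
+
+### Free Trial
+
+Start with a free 30-day trial — full developer features, 3 local nodes, self-signed certificates. No credit card required.
+
+```bash
+bedrock trial --licensee "your-email@example.com"
+```
+
+### Pricing
+
+| Tier | Price | Nodes | Certificates | Use Case |
+|------|-------|-------|---------------|----------|
+| **Trial** | Free (30 days) | 3 | Self-signed | Evaluation and development |
+| **Developer** | $99/yr | 3 | Self-signed | Individual development |
+| **Professional** | $499/yr | 10 | Self-signed | Team development |
+| **Starter** | $5K/yr | 5 | CA-enforced | Production deployment |
+| **Business** | $20K/yr | 25 | CA-enforced | Production at scale |
+| **Enterprise** | Custom | Unlimited | CA-enforced | Mission-critical deployments |
+
+**Non-production use** (development, testing, evaluation) is free forever under BSL-1.1. **Production deployment** requires a paid license.
+
+### How It Works
+
+1. `bedrock trial` — get a free 30-day license with full developer features
+2. Build your app on Bedrock — identity, encryption, consent, audit are inherited
+3. When ready for production, purchase a runtime license at [bedrock.dev/pricing](https://bedrock.dev/pricing)
+4. Upgrade your license key — no code changes, no reinstallation
+
+## Testing
+
+```bash
+# Core tests
+cd core && pytest
+
+# Python SDK tests
+cd sdk-python && pytest
+
+# TypeScript SDK tests
+cd sdk-ts && npm test
+```
+
+841 tests pass across core modules (841) and Python SDK (20). Zero type errors.
+
+## Security
+
+See [SECURITY.md](SECURITY.md) for reporting vulnerabilities.
+
+**Do not report security issues through public GitHub issues.**
+
+## License
+
+This software is licensed under the [Business Source License 1.1](LICENSE).
+
+You may use, modify, and redistribute this software for non-production purposes (development, testing, evaluation) free of charge. Production use requires a paid license — see [bedrock.dev/pricing](https://bedrock.dev/pricing).
+
+The BSL converts to an open-source license (typically Apache 2.0) on a predetermined change date — see the LICENSE file for details.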
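Review bot: The dev extra line `Requires-Dist: httpx2>=0.28; extra == "dev"` names `httpx2`, whereas the HTTP client normally paired with FastAPI test clients is published as `httpx`. Nothing on this page shows which was intended, so the name should be confirmed against the registry before anyone runs `pip install -e ".[dev]"`, since a near-miss name resolves to whatever distribution holds it. The same risk applies to the embedded Quick Start, which says `pip install bedrock-core` although this metadata declares `Name: infill-bedrock`; unless `bedrock-core` is a separate distribution the project controls, the line should read `pip install infill-bedrock`. Runtime requirements are lower-bounded only (`cryptography>=42.0`, `fastapi>=0.110`), so deployments should pin with hashes in their own lock file. This file is generated, so the corrections belong in `pyproject.toml` and `README.md`.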
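--- a/infill_bedrock-0.3.0/README.md
+++ b/infill_bedrock-0.3.0/README.md
@@ -0,0 +1,224 @@
+<p align="center">
+<img src="assets/Bedrock_Logo.png" alt="Bedrock" width="600">
+</p>
+
+<h3 align="center">Build your app. Inherit the security.</h3>
+
+<p align="center">
+Bedrock is the security layer your app sits on top of.<br>
+Identity, encryption, consent, and audit — handled from the start.
+</p>
+
+<p align="center">
+<a href="https://github.com/drc10101/bedrock/releases/tag/v0.3.0"><img src="https://img.shields.io/badge/version-0.3.0-blue" alt="Version"></a>
+<img src="https://img.shields.io/badge/tests-841-passing-brightgreen" alt="Tests">
+<img src="https://img.shields.io/badge/python-3.11+-blue" alt="Python">
+<img src="https://img.shields.io/badge/license-BSL--1.1-orange" alt="License">
+<img src="https://img.shields.io/badge/trial-free_30_days-success" alt="Free Trial">
+</p>
+
+---
+
+**You don't bolt security on after the fact. You build on Bedrock, and your app inherits it.**
+
+Bedrock is a security framework that your application calls into — not a service you route traffic through. When your app uses Bedrock's SDK, every node gets a cryptographic identity, every field write gets encrypted at rest, every cross-silo read requires cryptographic consent, and every action gets written to a tamper-evident audit chain. Your app focuses on business logic. Bedrock handles the security guarantees.
+
+## What Your App Gets
+
+- **Cryptographic identity for every node.** Each service, device, or user in your system gets a signed identity. No anonymous access.
+- **Field-level encryption at rest.** Data is encrypted before it hits storage. Siloed by category — medical records, financial data, PII — each in its own encrypted container.
+- **Consent-gated data access.** No cross-silo read without a cryptographic consent token. If the patient didn't authorize it, the data doesn't move.
+- **Tamper-evident audit chain.** Every write, read, consent grant, and revocation is SHA-256 chained. Detect tampering, prove compliance.
+- **Self-healing mesh transport.** Encrypted node-to-node communication with automatic failover and reconnection.
+- **License-gated operation.** Runtime enforcement of tier limits — nodes, certificates, features.
+
+Your app calls the SDK. The SDK calls Bedrock Core. The security is there because you built on Bedrock, not because you remembered to add it later.
+
+## How It Works
+
+```
+┌─────────────────────────────────────────────────────┐
+│ Your Application │
+│ │
+│ Business logic, routes, UI — whatever you build │
+│ │
+├──────────┬──────────┬──────────────────────────────┤
+│ Python │TypeScript│ REST API │
+│ SDK │ SDK │ │
+├──────────┴──────────┴──────────────────────────────┤
+│ │
+│ Bedrock Core │
+│ │
+│ You inherit: identity, encryption, consent, │
+│ audit, key management, mesh transport │
+│ │
+└─────────────────────────────────────────────────────┘
+```
+
+Your app makes normal SDK calls — register a node, create a silo, encrypt a field, request consent. Bedrock handles the cryptography, the key derivation, the consent verification, the audit logging. You never touch raw crypto. You never write your own access control. You build on top, and the security is already there.
+
+## Status
+
+Bedrock v0.3 is an active development release. Core modules (crypto, identity, data separation, licensing) are well-tested (841 tests, zero type errors). The HTTP API server has SQLite persistence and works for development and testing, but is not yet hardened for production traffic. See [PRODUCTION_DEPLOYMENT.md](../docs/PRODUCTION_DEPLOYMENT.md) for the roadmap.
+
+## Quick Start
+
+```bash
+# Install
+pip install bedrock-core
+
+# Initialize a project
+bedrock init ./my-project
+cd my-project
+
+# Generate a free 30-day trial license
+bedrock trial --licensee "your-email@example.com"
+
+# Start the API server
+bedrock serve
+```
+
+### From Source
+
+```bash
+git clone https://github.com/drc10101/bedrock.git
+cd bedrock/core
+pip install -e ".[dev]"
+pytest
+
+# Or with Docker
+docker compose -f deploy/docker-compose.yml up
+```
+
+## Use It In Your App
+
+### Python
+
+```python
+from bedrock_sdk import BedrockClient
+
+client = BedrockClient(
+base_url="https://bedrock.infill.systems",
+license_key="1:...",
+)
+
+# Register your service as a node — it now has a cryptographic identity
+node = client.nodes.register(name="my-service", node_type="application")
+
+# Create a data silo — medical records live here, encrypted at rest
+silo = client.silos.create(
+name="patient-records",
+display_name="Patient Records",
+categories=["medical", "phi"],
+)
+
+# Encrypt a field before storing it — Bedrock handles key derivation
+ciphertext = client.encryption.encrypt(
+plaintext="SSN-123-45-6789",
+silo=silo.silo_id,
+record_id="patient-001",
+scope="ssn",
+operation="store",
+)
+
+# Request consent before reading cross-silo data — cryptographic proof required
+consent = client.consent.request(
+requester_id=node.node_id,
+target_id="patient-001",
+silo_id=silo.silo_id,
+purpose="treatment",
+scope=["ssn", "diagnosis"],
+)
+```
+
+### TypeScript
+
+```typescript
+import { BedrockClient } from "@infill/bedrock-sdk";
+
+const client = new BedrockClient({
+baseUrl: "https://bedrock.infill.systems",
+licenseKey: "1:...",
+});
+
+// Same API surface as Python SDK
+const node = await client.nodes.register({ name: "my-service" });
+const silo = await client.silos.create({ name: "patient-records" });
+```
+
+That's it. Your app now has identity, encryption, consent, and audit — because it's built on Bedrock.
+
+## CLI Commands
+
+| Command | Description |
+|---------|-------------|
+| `bedrock init [dir]` | Initialize a new project (config, keys, env template) |
+| `bedrock trial [--licensee]` | Generate a free 30-day trial license |
+| `bedrock serve [--host] [--port]` | Start the API server |
+| `bedrock keygen [--key-id]` | Generate a signing key |
+| `bedrock license issue --tier --licensee` | Issue a license key |
+| `bedrock license validate --key` | Validate a license key |
+| `bedrock license revoke --key-id` | Revoke a signing key |
+| `bedrock health [--json]` | Run health checks |
+| `bedrock status` | Show system status and config |
+
+## Licensing
+
+Bedrock is source-available under the [Business Source License 1.1](LICENSE).
+
+### Free Trial
+
+Start with a free 30-day trial — full developer features, 3 local nodes, self-signed certificates. No credit card required.
+
+```bash
+bedrock trial --licensee "your-email@example.com"
+```
+
+### Pricing
+
+| Tier | Price | Nodes | Certificates | Use Case |
+|------|-------|-------|---------------|----------|
+| **Trial** | Free (30 days) | 3 | Self-signed | Evaluation and development |
+| **Developer** | $99/yr | 3 | Self-signed | Individual development |
+| **Professional** | $499/yr | 10 | Self-signed | Team development |
+| **Starter** | $5K/yr | 5 | CA-enforced | Production deployment |
+| **Business** | $20K/yr | 25 | CA-enforced | Production at scale |
+| **Enterprise** | Custom | Unlimited | CA-enforced | Mission-critical deployments |
+
+**Non-production use** (development, testing, evaluation) is free forever under BSL-1.1. **Production deployment** requires a paid license.
+
+### How It Works
+
+1. `bedrock trial` — get a free 30-day license with full developer features
+2. Build your app on Bedrock — identity, encryption, consent, audit are inherited
+3. When ready for production, purchase a runtime license at [bedrock.dev/pricing](https://bedrock.dev/pricing)
+4. Upgrade your license key — no code changes, no reinstallation
+
+## Testing
+
+```bash
+# Core tests
+cd core && pytest
+
+# Python SDK tests
+cd sdk-python && pytest
+
+# TypeScript SDK tests
+cd sdk-ts && npm test
+```
+
+841 tests pass across core modules (841) and Python SDK (20). Zero type errors.
+
+## Security
+
+See [SECURITY.md](SECURITY.md) for reporting vulnerabilities.
+
+**Do not report security issues through public GitHub issues.**
+
+## License
+
+This software is licensed under the [Business Source License 1.1](LICENSE).
+
+You may use, modify, and redistribute this software for non-production purposes (development, testing, evaluation) free of charge. Production use requires a paid license — see [bedrock.dev/pricing](https://bedrock.dev/pricing).
+
+The BSL converts to an open-source license (typically Apache 2.0) on a predetermined change date — see the LICENSE file for details.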
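--- a/infill_bedrock-0.3.0/SECURITY.md
+++ b/infill_bedrock-0.3.0/SECURITY.md
@@ -0,0 +1,39 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+**Do not report security vulnerabilities through public GitHub issues.**
+
+Instead, email **security@infill.systems** with:
+
+- A description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Any suggested mitigations
+
+You should receive a response within 48 hours. If you do not, please follow up to ensure we received your message.
+
+## Disclosure Policy
+
+- We acknowledge all vulnerability reports within 48 hours
+- We provide a timeline for fix within 5 business days
+- We credit researchers in our changelog (unless anonymity is requested)
+- We ask for 90 days before public disclosure to allow users to patch
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 0.3.x | Active development |
+| < 0.3 | Not supported |
+
+## Security Architecture
+
+Bedrock is designed with defense in depth:
+
+- **Encryption at rest**: All data encrypted with AES-256-GCM, keys derived via HKDF
+- **Identity-first**: Every node has a cryptographic identity, verified at every interaction
+- **Consent-gated access**: Cross-silo data access requires cryptographic proof of consent
+- **Audit chain**: SHA-256 hash chain provides tamper-evident audit trail
+- **TLS enforcement**: All transport encrypted, downgrade detection active
+- **Key isolation**: Silo-scoped keys, master key never stored in cleartext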
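--- a/infill_bedrock-0.3.0/bedrock/__init__.py
+++ b/infill_bedrock-0.3.0/bedrock/__init__.py
@@ -0,0 +1,10 @@
+"""
+Bedrock Core — Identity-based security framework.
+
+Every node is a user. Everything between is encrypted at rest.
+
+SPDX-License-Identifier: BSL-1.1 — See LICENSE for details.
+"""
+
+__version__ = "0.3.0"
+__author__ = "InFill Systems, LLC"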
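--- a/infill_bedrock-0.3.0/bedrock/__main__.py
+++ b/infill_bedrock-0.3.0/bedrock/__main__.py
@@ -0,0 +1,7 @@
+"""Bedrock CLI entry point for `python -m bedrock`."""
+
+import sys
+
+from bedrock.cli import main
+
+sys.exit(main())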