PyPI - lockstock-guard - Versions diffs - 1.0.0__py3-none-any.whl - Mend

lockstock-guard 1.0.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

lockstock_guard/__init__.py +39 -0
lockstock_guard/cli.py +139 -0
lockstock_guard/client.py +445 -0
lockstock_guard/daemon.py +549 -0
lockstock_guard-1.0.0.dist-info/METADATA +168 -0
lockstock_guard-1.0.0.dist-info/RECORD +9 -0
lockstock_guard-1.0.0.dist-info/WHEEL +5 -0
lockstock_guard-1.0.0.dist-info/entry_points.txt +2 -0
lockstock_guard-1.0.0.dist-info/top_level.txt +1 -0

lockstock_guard/__init__.py ADDED Viewed

@@ -0,0 +1,39 @@
+"""
+LockStock Guard - Enterprise Secrets Daemon
+This package provides the "Secure Enclave in Software" pattern for enterprise
+AI agent deployments. The daemon holds decrypted secrets in memory and serves
+them via Unix socket IPC, ensuring agent applications never have direct access
+to the vault file.
+Architecture:
+    liberty-user: Owns the vault, runs the daemon
+    agent-user:   Runs application code, connects via socket
+Components:
+    - daemon: The LockStock Guard daemon (lockstock-guard start)
+    - client: Client library for agent applications
+Usage:
+    # Start daemon (as liberty-user)
+    lockstock-guard start --vault /var/lib/liberty
+    # Agent code (as agent-user)
+    from lockstock_guard import client
+    secret = client.get("DATABASE_URL")
+"""
+__version__ = "1.0.0"
+from .client import LibertyClient, get, list_keys, is_available, connect
+from .daemon import LibertyDaemon, SecretCache
+__all__ = [
+    "LibertyClient",
+    "LibertyDaemon",
+    "SecretCache",
+    "get",
+    "list_keys",
+    "is_available",
+    "connect",
+]

lockstock_guard/cli.py ADDED Viewed

@@ -0,0 +1,139 @@
+#!/usr/bin/env python3
+"""
+LockStock Guard CLI - Enterprise Secrets Daemon
+This is the command-line interface for the LockStock Guard daemon,
+which implements the "Secure Enclave in Software" pattern.
+Usage:
+    lockstock-guard start [--vault PATH] [--socket PATH] [--foreground]
+    lockstock-guard stop [--socket PATH]
+    lockstock-guard status [--socket PATH]
+"""
+import argparse
+import sys
+import os
+from .daemon import LibertyDaemon
+# Default paths for enterprise deployment
+DEFAULT_SOCKET_PATH = "/var/run/liberty/liberty.sock"
+DEFAULT_VAULT_PATH = "/var/lib/liberty"
+DEFAULT_PID_FILE = "/var/run/liberty/liberty.pid"
+def main():
+    """Main CLI entry point."""
+    parser = argparse.ArgumentParser(
+        description='LockStock Guard - Enterprise Secrets Daemon',
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Architecture:
+    This daemon implements the "Secure Enclave in Software" pattern.
+    It holds secrets in memory and serves them via Unix socket IPC.
+    Agent applications connect to the socket to request secrets.
+Security:
+    - Daemon runs as privileged user (liberty-user) with vault access
+    - Agent apps run as unprivileged user with socket access only
+    - Secrets never touch agent process memory until explicitly requested
+    - Compromised agent cannot dump the vault
+Examples:
+    # Start daemon (as liberty-user or root)
+    lockstock-guard start
+    # Start with custom paths
+    lockstock-guard start --vault ~/.liberty --socket /tmp/liberty.sock
+    # Start in foreground for debugging
+    lockstock-guard start --foreground
+    # Stop daemon
+    lockstock-guard stop
+    # Check status
+    lockstock-guard status
+Agent Usage:
+    from lockstock_guard import client
+    # Connect to daemon
+    secret = client.get("DATABASE_URL", socket_path="/var/run/liberty/liberty.sock")
+"""
+    )
+    parser.add_argument(
+        "command",
+        choices=["start", "stop", "status"],
+        help="Command to run"
+    )
+    parser.add_argument(
+        "--socket",
+        default=DEFAULT_SOCKET_PATH,
+        help=f"Socket path (default: {DEFAULT_SOCKET_PATH})"
+    )
+    parser.add_argument(
+        "--vault",
+        default=DEFAULT_VAULT_PATH,
+        help=f"Vault path (default: {DEFAULT_VAULT_PATH})"
+    )
+    parser.add_argument(
+        "--group",
+        default="agents",
+        help="Socket group for agent access (default: agents)"
+    )
+    parser.add_argument(
+        "--foreground", "-f",
+        action="store_true",
+        help="Run in foreground (don't daemonize)"
+    )
+    parser.add_argument(
+        "--pid",
+        default=None,
+        help="PID file path (default: alongside socket)"
+    )
+    args = parser.parse_args()
+    # Expand paths
+    socket_path = os.path.expanduser(args.socket)
+    vault_path = os.path.expanduser(args.vault)
+    # Derive PID path from socket path if not specified
+    pid_file = args.pid
+    if pid_file is None:
+        from pathlib import Path
+        socket_dir = Path(socket_path).parent
+        pid_file = str(socket_dir / "liberty.pid")
+    daemon = LibertyDaemon(
+        socket_path=socket_path,
+        vault_path=vault_path,
+        socket_group=args.group,
+        pid_file=pid_file,
+    )
+    if args.command == "start":
+        print(f"Starting LockStock Guard daemon...")
+        print(f"  Vault: {vault_path}")
+        print(f"  Socket: {socket_path}")
+        daemon.start(foreground=args.foreground)
+    elif args.command == "stop":
+        daemon.stop()
+    elif args.command == "status":
+        if daemon._is_running():
+            pid = daemon.pid_file.read_text().strip()
+            print(f"LockStock Guard is running (PID: {pid})")
+            print(f"  Socket: {daemon.socket_path}")
+            print(f"  Vault: {daemon.vault_path}")
+        else:
+            print("LockStock Guard is not running")
+            sys.exit(1)
+if __name__ == "__main__":
+    main()

lockstock_guard/client.py ADDED Viewed

@@ -0,0 +1,445 @@
+#!/usr/bin/env python3
+"""
+LockStock Guard Client - Secure secret retrieval for agent applications.
+This client connects to the LockStock Guard daemon via Unix socket to retrieve secrets.
+The agent application NEVER has direct access to the vault file.
+Security Model:
+    - Daemon runs as liberty-user, owns the vault
+    - Agent runs as app-user, can only access socket
+    - Secrets are retrieved on-demand, not bulk-loaded
+Usage:
+    from lockstock_guard import client
+    # Get a single secret
+    db_url = client.get("DATABASE_URL")
+    # Get multiple secrets
+    secrets = client.get_many(["API_KEY", "DATABASE_URL"])
+    # List available keys
+    keys = client.list_keys()
+    # Use context manager for connection pooling
+    with client.connect() as conn:
+        api_key = conn.get("API_KEY")
+        db_url = conn.get("DATABASE_URL")
+"""
+import os
+import socket
+import struct
+import json
+from pathlib import Path
+from typing import Optional, Dict, List
+from contextlib import contextmanager
+# Default socket path (matches daemon)
+DEFAULT_SOCKET_PATH = "/var/run/liberty/liberty.sock"
+# Protocol constants (must match daemon)
+PROTOCOL_VERSION = 1
+MAX_MESSAGE_SIZE = 64 * 1024
+# Message types
+MSG_GET_SECRET = 0x01
+MSG_SECRET_RESPONSE = 0x02
+MSG_LIST_KEYS = 0x03
+MSG_KEYS_RESPONSE = 0x04
+MSG_PING = 0x05
+MSG_PONG = 0x06
+MSG_ERROR = 0xFF
+class LibertyError(Exception):
+    """Base exception for Liberty client errors."""
+    pass
+class DaemonNotRunning(LibertyError):
+    """Daemon is not running or socket not accessible."""
+    pass
+class SecretNotFound(LibertyError):
+    """Requested secret does not exist."""
+    pass
+class AccessDenied(LibertyError):
+    """Access to the requested secret was denied."""
+    pass
+class LibertyClient:
+    """
+    Client for communicating with Liberty daemon.
+    Usage:
+        client = LibertyClient()
+        secret = client.get("DATABASE_URL")
+        client.close()
+    Or with context manager:
+        with LibertyClient() as client:
+            secret = client.get("DATABASE_URL")
+    """
+    def __init__(self, socket_path: str = None):
+        """
+        Initialize client.
+        Args:
+            socket_path: Path to daemon socket (default: from LIBERTY_SOCKET env or /var/run/liberty/liberty.sock)
+        """
+        self.socket_path = socket_path or os.getenv("LIBERTY_SOCKET", DEFAULT_SOCKET_PATH)
+        self._socket = None
+    def connect(self):
+        """Connect to daemon."""
+        if self._socket is not None:
+            return  # Already connected
+        socket_path = Path(self.socket_path)
+        if not socket_path.exists():
+            raise DaemonNotRunning(f"Socket not found: {self.socket_path}")
+        try:
+            self._socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+            self._socket.connect(str(socket_path))
+        except (ConnectionRefusedError, PermissionError) as e:
+            self._socket = None
+            raise DaemonNotRunning(f"Cannot connect to daemon: {e}")
+    def close(self):
+        """Close connection to daemon."""
+        if self._socket:
+            try:
+                self._socket.close()
+            except Exception:
+                pass
+            self._socket = None
+    def __enter__(self):
+        """Context manager entry."""
+        self.connect()
+        return self
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        """Context manager exit."""
+        self.close()
+        return False
+    def get(self, key: str) -> str:
+        """
+        Get a secret value.
+        Args:
+            key: Secret key name
+        Returns:
+            Secret value
+        Raises:
+            SecretNotFound: If key doesn't exist
+            AccessDenied: If access is denied
+            DaemonNotRunning: If daemon is not available
+        """
+        self.connect()
+        # Send request
+        payload = key.encode("utf-8")
+        message = self._encode_message(MSG_GET_SECRET, payload)
+        self._socket.sendall(message)
+        # Read response
+        msg_type, response = self._read_response()
+        if msg_type == MSG_SECRET_RESPONSE:
+            data = json.loads(response.decode("utf-8"))
+            return data["value"]
+        elif msg_type == MSG_ERROR:
+            error = json.loads(response.decode("utf-8"))
+            error_type = error.get("error")
+            if error_type == "not_found":
+                raise SecretNotFound(f"Secret not found: {key}")
+            elif error_type == "access_denied":
+                raise AccessDenied(f"Access denied: {key}")
+            else:
+                raise LibertyError(f"Daemon error: {error}")
+        else:
+            raise LibertyError(f"Unexpected response type: {msg_type}")
+    def get_many(self, keys: List[str]) -> Dict[str, str]:
+        """
+        Get multiple secrets.
+        Args:
+            keys: List of secret key names
+        Returns:
+            Dict mapping keys to values (missing keys are omitted)
+        """
+        result = {}
+        for key in keys:
+            try:
+                result[key] = self.get(key)
+            except SecretNotFound:
+                pass  # Omit missing keys
+        return result
+    def list_keys(self) -> List[str]:
+        """
+        List available secret keys.
+        Returns:
+            List of key names
+        """
+        self.connect()
+        message = self._encode_message(MSG_LIST_KEYS, b"")
+        self._socket.sendall(message)
+        msg_type, response = self._read_response()
+        if msg_type == MSG_KEYS_RESPONSE:
+            data = json.loads(response.decode("utf-8"))
+            return data.get("keys", [])
+        elif msg_type == MSG_ERROR:
+            error = json.loads(response.decode("utf-8"))
+            raise LibertyError(f"Daemon error: {error}")
+        else:
+            raise LibertyError(f"Unexpected response type: {msg_type}")
+    def ping(self) -> bool:
+        """
+        Check if daemon is responding.
+        Returns:
+            True if daemon responded, False otherwise
+        """
+        try:
+            self.connect()
+            message = self._encode_message(MSG_PING, b"")
+            self._socket.sendall(message)
+            msg_type, response = self._read_response()
+            return msg_type == MSG_PONG
+        except Exception:
+            self.close()  # Reset connection on error
+            return False
+    def _encode_message(self, msg_type: int, payload: bytes) -> bytes:
+        """Encode message with header."""
+        header = struct.pack("!BBL", PROTOCOL_VERSION, msg_type, len(payload))
+        return header + payload
+    def _read_response(self) -> tuple:
+        """Read response from daemon. Returns (msg_type, payload)."""
+        # Read header
+        header = self._recv_exact(6)
+        if not header:
+            self.close()  # Reset connection state
+            raise DaemonNotRunning("Connection closed by daemon")
+        version, msg_type, length = struct.unpack("!BBL", header)
+        if version != PROTOCOL_VERSION:
+            raise LibertyError(f"Protocol version mismatch: {version}")
+        if length > MAX_MESSAGE_SIZE:
+            raise LibertyError(f"Message too large: {length}")
+        # Read payload
+        payload = self._recv_exact(length) if length > 0 else b""
+        return msg_type, payload
+    def _recv_exact(self, n: int) -> bytes:
+        """Receive exactly n bytes."""
+        data = b""
+        while len(data) < n:
+            chunk = self._socket.recv(n - len(data))
+            if not chunk:
+                return None
+            data += chunk
+        return data
+# Module-level singleton for convenience
+_default_client: Optional[LibertyClient] = None
+def _get_client() -> LibertyClient:
+    """Get or create default client."""
+    global _default_client
+    if _default_client is None:
+        _default_client = LibertyClient()
+    return _default_client
+def get(key: str) -> str:
+    """
+    Get a secret from the Liberty daemon.
+    This is the primary API for agent applications.
+    Args:
+        key: Secret key name (e.g., "DATABASE_URL", "API_KEY")
+    Returns:
+        Secret value
+    Raises:
+        SecretNotFound: If key doesn't exist
+        AccessDenied: If access is denied
+        DaemonNotRunning: If daemon is not available
+    Example:
+        import liberty_client
+        db_url = liberty_client.get("DATABASE_URL")
+    """
+    return _get_client().get(key)
+def get_many(keys: List[str]) -> Dict[str, str]:
+    """
+    Get multiple secrets from the Liberty daemon.
+    Args:
+        keys: List of secret key names
+    Returns:
+        Dict mapping keys to values (missing keys are omitted)
+    Example:
+        secrets = liberty_client.get_many(["API_KEY", "DATABASE_URL"])
+    """
+    return _get_client().get_many(keys)
+def list_keys() -> List[str]:
+    """
+    List available secret keys.
+    Returns:
+        List of key names
+    """
+    return _get_client().list_keys()
+def is_available() -> bool:
+    """
+    Check if Liberty daemon is available.
+    Returns:
+        True if daemon is running and accessible
+    """
+    return _get_client().ping()
+@contextmanager
+def connect(socket_path: str = None):
+    """
+    Context manager for explicit connection management.
+    Useful when making many requests to avoid reconnection overhead.
+    Args:
+        socket_path: Optional custom socket path
+    Example:
+        with liberty_client.connect() as client:
+            api_key = client.get("API_KEY")
+            db_url = client.get("DATABASE_URL")
+    """
+    client = LibertyClient(socket_path)
+    try:
+        client.connect()
+        yield client
+    finally:
+        client.close()
+# Environment variable helper
+def env(key: str, default: str = None) -> Optional[str]:
+    """
+    Get a secret, falling back to environment variable.
+    This provides a migration path from env-based config to Liberty.
+    Args:
+        key: Secret/env var name
+        default: Default value if neither source has the key
+    Returns:
+        Secret value, env value, or default
+    Example:
+        # Works with Liberty daemon or falls back to $DATABASE_URL
+        db_url = liberty_client.env("DATABASE_URL")
+    """
+    try:
+        if is_available():
+            return get(key)
+    except (SecretNotFound, AccessDenied):
+        pass
+    return os.getenv(key, default)
+if __name__ == "__main__":
+    # Simple CLI for testing
+    import sys
+    if len(sys.argv) < 2:
+        print("Usage: liberty_client.py <command> [args]")
+        print("Commands:")
+        print("  get <key>     - Get a secret")
+        print("  list          - List keys")
+        print("  ping          - Check daemon")
+        sys.exit(1)
+    cmd = sys.argv[1]
+    try:
+        if cmd == "get" and len(sys.argv) >= 3:
+            key = sys.argv[2]
+            value = get(key)
+            print(value)
+        elif cmd == "list":
+            keys = list_keys()
+            for k in keys:
+                print(k)
+        elif cmd == "ping":
+            if is_available():
+                print("Daemon is running")
+            else:
+                print("Daemon is not available")
+                sys.exit(1)
+        else:
+            print(f"Unknown command: {cmd}")
+            sys.exit(1)
+    except DaemonNotRunning as e:
+        print(f"Error: {e}", file=sys.stderr)
+        sys.exit(1)
+    except SecretNotFound as e:
+        print(f"Error: {e}", file=sys.stderr)
+        sys.exit(1)
+    except AccessDenied as e:
+        print(f"Error: {e}", file=sys.stderr)
+        sys.exit(1)

lockstock_guard/daemon.py ADDED Viewed

@@ -0,0 +1,549 @@
+#!/usr/bin/env python3
+"""
+LockStock Guard Daemon - Secure Enclave in Software
+This daemon holds decrypted secrets in memory and serves them via Unix socket.
+Agent applications NEVER have direct access to the vault file.
+Security Architecture:
+    liberty-user: Owns the vault, runs the daemon
+    agent-user:   Runs application code, connects via socket
+Filesystem Layout:
+    /var/lib/liberty/secrets.enc   (liberty-user:liberty-user, mode 600)
+    /var/run/liberty/liberty.sock  (liberty-user:agents, mode 660)
+Usage:
+    # Start daemon (as liberty-user)
+    lockstock-guard start
+    # Agent code (as agent-user)
+    from lockstock_guard import client
+    secret = client.get("DATABASE_URL")
+"""
+import os
+import sys
+import json
+import socket
+import signal
+import struct
+import threading
+import logging
+import hashlib
+import grp
+import pwd
+from pathlib import Path
+from datetime import datetime, timezone
+from typing import Dict, Optional, Any
+# Import vault from main liberty module
+try:
+    from liberty import SecretVault, HardwareFingerprint
+except ImportError:
+    # Fallback for standalone testing
+    print("Warning: liberty module not found, using mock vault")
+    SecretVault = None
+    HardwareFingerprint = None
+logging.basicConfig(
+    level=logging.INFO,
+    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+)
+logger = logging.getLogger("lockstock-guard")
+# Default paths
+DEFAULT_SOCKET_PATH = "/var/run/liberty/liberty.sock"
+DEFAULT_VAULT_PATH = "/var/lib/liberty"
+DEFAULT_PID_FILE = "/var/run/liberty/liberty.pid"
+# Protocol constants
+PROTOCOL_VERSION = 1
+MAX_MESSAGE_SIZE = 64 * 1024  # 64KB max message
+class DaemonProtocol:
+    """Wire protocol for daemon communication."""
+    # Message types
+    MSG_GET_SECRET = 0x01
+    MSG_SECRET_RESPONSE = 0x02
+    MSG_LIST_KEYS = 0x03
+    MSG_KEYS_RESPONSE = 0x04
+    MSG_PING = 0x05
+    MSG_PONG = 0x06
+    MSG_ERROR = 0xFF
+    @staticmethod
+    def encode_message(msg_type: int, payload: bytes) -> bytes:
+        """Encode message with length prefix and type."""
+        # Format: [version:1][type:1][length:4][payload:N]
+        header = struct.pack("!BBL", PROTOCOL_VERSION, msg_type, len(payload))
+        return header + payload
+    @staticmethod
+    def decode_header(data: bytes) -> tuple:
+        """Decode message header. Returns (version, msg_type, length)."""
+        if len(data) < 6:
+            raise ValueError("Invalid header: too short")
+        version, msg_type, length = struct.unpack("!BBL", data[:6])
+        if version != PROTOCOL_VERSION:
+            raise ValueError(f"Unsupported protocol version: {version}")
+        if length > MAX_MESSAGE_SIZE:
+            raise ValueError(f"Message too large: {length}")
+        return version, msg_type, length
+class SecretCache:
+    """
+    In-memory secret cache with access control.
+    Secrets are decrypted once at daemon startup and held in memory.
+    Never written to disk in plaintext.
+    """
+    def __init__(self):
+        self._secrets: Dict[str, str] = {}
+        self._access_log: list = []
+        self._lock = threading.RLock()
+    def load_from_vault(self, vault: "SecretVault") -> int:
+        """Load all secrets from vault into memory."""
+        with self._lock:
+            try:
+                raw_secrets = vault._load_secrets()
+                # Extract just the values (vault stores metadata too)
+                self._secrets = {}
+                for key, data in raw_secrets.items():
+                    if isinstance(data, dict):
+                        self._secrets[key] = data.get('value', str(data))
+                    else:
+                        self._secrets[key] = data
+                logger.info(f"Loaded {len(self._secrets)} secrets into cache")
+                return len(self._secrets)
+            except Exception as e:
+                logger.error(f"Failed to load vault: {e}")
+                return 0
+    def get(self, key: str, client_info: dict = None) -> Optional[str]:
+        """Get a secret, logging access."""
+        with self._lock:
+            value = self._secrets.get(key)
+            self._log_access(key, client_info, found=value is not None)
+            return value
+    def list_keys(self) -> list:
+        """List all secret keys (not values)."""
+        with self._lock:
+            return list(self._secrets.keys())
+    def _log_access(self, key: str, client_info: dict, found: bool):
+        """Log secret access for audit."""
+        entry = {
+            "timestamp": datetime.now(timezone.utc).isoformat(),
+            "key": key,
+            "found": found,
+            "client": client_info or {},
+        }
+        self._access_log.append(entry)
+        # Keep last 1000 entries
+        if len(self._access_log) > 1000:
+            self._access_log = self._access_log[-1000:]
+class ClientHandler(threading.Thread):
+    """Handle a single client connection."""
+    def __init__(self, conn: socket.socket, addr, cache: SecretCache, allowed_keys: set = None):
+        super().__init__(daemon=True)
+        self.conn = conn
+        self.addr = addr
+        self.cache = cache
+        self.allowed_keys = allowed_keys  # If set, restrict to these keys
+        self._running = True
+    def run(self):
+        """Handle client requests."""
+        try:
+            # Get peer credentials (Unix socket only)
+            client_info = self._get_peer_credentials()
+            logger.info(f"Client connected: {client_info}")
+            while self._running:
+                # Read header
+                header = self._recv_exact(6)
+                if not header:
+                    break
+                version, msg_type, length = DaemonProtocol.decode_header(header)
+                # Read payload
+                payload = self._recv_exact(length) if length > 0 else b""
+                # Handle message
+                response = self._handle_message(msg_type, payload, client_info)
+                self.conn.sendall(response)
+        except Exception as e:
+            logger.error(f"Client handler error: {e}")
+        finally:
+            self.conn.close()
+            logger.info(f"Client disconnected")
+    def _recv_exact(self, n: int) -> bytes:
+        """Receive exactly n bytes."""
+        data = b""
+        while len(data) < n:
+            chunk = self.conn.recv(n - len(data))
+            if not chunk:
+                return None
+            data += chunk
+        return data
+    def _get_peer_credentials(self) -> dict:
+        """Get peer credentials from Unix socket."""
+        try:
+            creds = self.conn.getsockopt(
+                socket.SOL_SOCKET,
+                socket.SO_PEERCRED,
+                struct.calcsize("3i")
+            )
+            pid, uid, gid = struct.unpack("3i", creds)
+            return {
+                "pid": pid,
+                "uid": uid,
+                "gid": gid,
+                "user": pwd.getpwuid(uid).pw_name if uid >= 0 else "unknown",
+            }
+        except Exception:
+            return {"pid": 0, "uid": -1, "gid": -1, "user": "unknown"}
+    def _handle_message(self, msg_type: int, payload: bytes, client_info: dict) -> bytes:
+        """Handle a single message."""
+        try:
+            if msg_type == DaemonProtocol.MSG_PING:
+                return DaemonProtocol.encode_message(DaemonProtocol.MSG_PONG, b"pong")
+            elif msg_type == DaemonProtocol.MSG_GET_SECRET:
+                key = payload.decode("utf-8")
+                # Check access control
+                if self.allowed_keys and key not in self.allowed_keys:
+                    error = json.dumps({"error": "access_denied", "key": key})
+                    return DaemonProtocol.encode_message(
+                        DaemonProtocol.MSG_ERROR,
+                        error.encode("utf-8")
+                    )
+                value = self.cache.get(key, client_info)
+                if value is None:
+                    error = json.dumps({"error": "not_found", "key": key})
+                    return DaemonProtocol.encode_message(
+                        DaemonProtocol.MSG_ERROR,
+                        error.encode("utf-8")
+                    )
+                response = json.dumps({"key": key, "value": value})
+                return DaemonProtocol.encode_message(
+                    DaemonProtocol.MSG_SECRET_RESPONSE,
+                    response.encode("utf-8")
+                )
+            elif msg_type == DaemonProtocol.MSG_LIST_KEYS:
+                keys = self.cache.list_keys()
+                # Filter by allowed keys if restricted
+                if self.allowed_keys:
+                    keys = [k for k in keys if k in self.allowed_keys]
+                response = json.dumps({"keys": keys})
+                return DaemonProtocol.encode_message(
+                    DaemonProtocol.MSG_KEYS_RESPONSE,
+                    response.encode("utf-8")
+                )
+            else:
+                error = json.dumps({"error": "unknown_message_type", "type": msg_type})
+                return DaemonProtocol.encode_message(
+                    DaemonProtocol.MSG_ERROR,
+                    error.encode("utf-8")
+                )
+        except Exception as e:
+            error = json.dumps({"error": "internal_error", "message": str(e)})
+            return DaemonProtocol.encode_message(
+                DaemonProtocol.MSG_ERROR,
+                error.encode("utf-8")
+            )
+class LibertyDaemon:
+    """
+    Liberty Daemon - holds secrets in memory, serves via Unix socket.
+    This implements the "Secure Enclave in Software" pattern:
+    - Daemon runs as privileged user with vault access
+    - Agent apps run as unprivileged user with socket access only
+    - Secrets never touch agent process memory until explicitly requested
+    """
+    def __init__(
+        self,
+        socket_path: str = DEFAULT_SOCKET_PATH,
+        vault_path: str = DEFAULT_VAULT_PATH,
+        pid_file: str = DEFAULT_PID_FILE,
+        socket_group: str = "agents",
+    ):
+        self.socket_path = Path(socket_path)
+        self.vault_path = Path(vault_path)
+        self.pid_file = Path(pid_file)
+        self.socket_group = socket_group
+        self.cache = SecretCache()
+        self.server_socket = None
+        self._running = False
+        self._threads = []
+    def start(self, foreground: bool = False):
+        """Start the daemon."""
+        # Check if already running
+        if self._is_running():
+            logger.error("Daemon already running")
+            return False
+        # Load secrets into cache
+        if not self._load_vault():
+            logger.error("Failed to load vault")
+            return False
+        # Create socket directory
+        self.socket_path.parent.mkdir(parents=True, exist_ok=True)
+        # Remove stale socket
+        if self.socket_path.exists():
+            self.socket_path.unlink()
+        # Create Unix socket
+        self.server_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+        self.server_socket.bind(str(self.socket_path))
+        # Set socket permissions: owner + group can connect
+        os.chmod(self.socket_path, 0o660)
+        # Set group ownership if specified
+        try:
+            gid = grp.getgrnam(self.socket_group).gr_gid
+            os.chown(self.socket_path, -1, gid)
+        except KeyError:
+            logger.warning(f"Group '{self.socket_group}' not found, using default")
+        self.server_socket.listen(10)
+        logger.info(f"Listening on {self.socket_path}")
+        # Write PID file
+        self.pid_file.parent.mkdir(parents=True, exist_ok=True)
+        self.pid_file.write_text(str(os.getpid()))
+        # Setup signal handlers (only works in main thread)
+        try:
+            signal.signal(signal.SIGTERM, self._handle_signal)
+            signal.signal(signal.SIGINT, self._handle_signal)
+        except ValueError:
+            # Not in main thread, skip signal handling
+            pass
+        # Daemonize if not foreground
+        if not foreground:
+            self._daemonize()
+        # Accept connections
+        self._running = True
+        try:
+            while self._running:
+                try:
+                    self.server_socket.settimeout(1.0)
+                    conn, addr = self.server_socket.accept()
+                    handler = ClientHandler(conn, addr, self.cache)
+                    handler.start()
+                    self._threads.append(handler)
+                except socket.timeout:
+                    continue
+        finally:
+            self._cleanup()
+        return True
+    def stop(self):
+        """Stop the daemon."""
+        if not self._is_running():
+            logger.info("Daemon not running")
+            return
+        # Read PID and send SIGTERM
+        try:
+            pid = int(self.pid_file.read_text().strip())
+            os.kill(pid, signal.SIGTERM)
+            logger.info(f"Sent SIGTERM to PID {pid}")
+        except (FileNotFoundError, ValueError, ProcessLookupError) as e:
+            logger.error(f"Failed to stop daemon: {e}")
+    def _load_vault(self) -> bool:
+        """Load vault into memory cache."""
+        if SecretVault is None:
+            logger.error("SecretVault not available")
+            return False
+        vault = SecretVault(str(self.vault_path))
+        if not vault.secrets_file.exists():
+            logger.error(f"Vault not found at {self.vault_path}")
+            return False
+        count = self.cache.load_from_vault(vault)
+        if count == 0:
+            logger.warning("Vault is empty or failed to decrypt")
+        return True
+    def _is_running(self) -> bool:
+        """Check if daemon is already running."""
+        if not self.pid_file.exists():
+            return False
+        try:
+            pid = int(self.pid_file.read_text().strip())
+            # Check if process exists
+            os.kill(pid, 0)
+            return True
+        except (ValueError, ProcessLookupError):
+            # Stale PID file
+            self.pid_file.unlink(missing_ok=True)
+            return False
+    def _daemonize(self):
+        """Fork into background daemon."""
+        # First fork
+        if os.fork() > 0:
+            sys.exit(0)
+        os.setsid()
+        # Second fork
+        if os.fork() > 0:
+            sys.exit(0)
+        # Redirect stdio
+        sys.stdin = open(os.devnull, 'r')
+        sys.stdout = open(os.devnull, 'w')
+        sys.stderr = open(os.devnull, 'w')
+    def _handle_signal(self, signum, frame):
+        """Handle shutdown signals."""
+        logger.info(f"Received signal {signum}, shutting down")
+        self._running = False
+    def _cleanup(self):
+        """Clean up resources."""
+        if self.server_socket:
+            self.server_socket.close()
+        if self.socket_path.exists():
+            self.socket_path.unlink()
+        if self.pid_file.exists():
+            self.pid_file.unlink()
+        # Wait for handlers to finish
+        for thread in self._threads:
+            thread.join(timeout=1.0)
+        logger.info("Daemon stopped")
+def main():
+    """CLI entry point."""
+    import argparse
+    parser = argparse.ArgumentParser(
+        description="Liberty Daemon - Secure secret server",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Examples:
+    # Start daemon (as liberty-user)
+    liberty-daemon start
+    # Start in foreground for debugging
+    liberty-daemon start --foreground
+    # Stop daemon
+    liberty-daemon stop
+    # Check status
+    liberty-daemon status
+"""
+    )
+    parser.add_argument(
+        "command",
+        choices=["start", "stop", "status"],
+        help="Command to run"
+    )
+    parser.add_argument(
+        "--socket",
+        default=DEFAULT_SOCKET_PATH,
+        help=f"Socket path (default: {DEFAULT_SOCKET_PATH})"
+    )
+    parser.add_argument(
+        "--vault",
+        default=DEFAULT_VAULT_PATH,
+        help=f"Vault path (default: {DEFAULT_VAULT_PATH})"
+    )
+    parser.add_argument(
+        "--group",
+        default="agents",
+        help="Socket group for agent access (default: agents)"
+    )
+    parser.add_argument(
+        "--foreground", "-f",
+        action="store_true",
+        help="Run in foreground (don't daemonize)"
+    )
+    parser.add_argument(
+        "--pid",
+        default=None,
+        help="PID file path (default: alongside socket)"
+    )
+    args = parser.parse_args()
+    # Derive PID path from socket path if not specified
+    pid_file = args.pid
+    if pid_file is None:
+        socket_dir = Path(args.socket).parent
+        pid_file = str(socket_dir / "liberty.pid")
+    daemon = LibertyDaemon(
+        socket_path=args.socket,
+        vault_path=args.vault,
+        socket_group=args.group,
+        pid_file=pid_file,
+    )
+    if args.command == "start":
+        daemon.start(foreground=args.foreground)
+    elif args.command == "stop":
+        daemon.stop()
+    elif args.command == "status":
+        if daemon._is_running():
+            pid = daemon.pid_file.read_text().strip()
+            print(f"Liberty daemon is running (PID: {pid})")
+            print(f"Socket: {daemon.socket_path}")
+        else:
+            print("Liberty daemon is not running")
+            sys.exit(1)
+if __name__ == "__main__":
+    main()

lockstock_guard-1.0.0.dist-info/METADATA ADDED Viewed

@@ -0,0 +1,168 @@
+Metadata-Version: 2.4
+Name: lockstock-guard
+Version: 1.0.0
+Summary: Enterprise secrets daemon for LockStock Protocol - Secure Enclave in Software
+Author-email: D3cipher <contact@d3cipher.ai>
+License: MIT
+Project-URL: Homepage, https://d3cipher.ai
+Project-URL: Documentation, https://d3cipher.ai/docs-architecture.html
+Project-URL: Repository, https://gitlab.com/deciphergit/lockstock
+Project-URL: Issues, https://gitlab.com/deciphergit/lockstock/-/issues
+Keywords: secrets,security,daemon,enterprise,lockstock,ai-agents
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: System :: Systems Administration
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: cryptography>=41.0.0
+Requires-Dist: liberty-secrets>=1.0.0
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0.0; extra == "dev"
+Requires-Dist: pytest-asyncio>=0.21.0; extra == "dev"
+# LockStock Guard
+Enterprise secrets daemon for LockStock Protocol - "Secure Enclave in Software"
+## Overview
+LockStock Guard provides enterprise-grade secrets management for AI agent deployments. Unlike personal secrets managers, Guard implements user separation where the daemon holds secrets and agent applications request them via IPC.
+```
+                    AGENT SERVER
+  +------------------+         +---------------------------+
+  |  lockstock-guard |         |    agent application      |
+  |  (liberty-user)  |         |    (app-user)             |
+  |                  |  Unix   |                           |
+  |  - Owns vault    | Socket  |  - Cannot read vault      |
+  |  - Decrypts      |<------->|  - Requests via IPC       |
+  |  - Serves        |         |  - Gets only what needed  |
+  +------------------+         +---------------------------+
+  /var/lib/liberty/secrets.enc  (liberty:liberty, mode 600)
+  /var/run/liberty/liberty.sock (liberty:agents, mode 660)
+```
+## Installation
+```bash
+pip install lockstock-guard
+```
+**Requires:** [liberty-secrets](https://pypi.org/project/liberty-secrets/) (installed automatically)
+## Quick Start
+### 1. Initialize the Enterprise Vault
+```bash
+# Create enterprise vault directory (as root or liberty-user)
+sudo mkdir -p /var/lib/liberty /var/run/liberty
+sudo chown liberty:liberty /var/lib/liberty
+sudo chown liberty:agents /var/run/liberty
+sudo chmod 750 /var/lib/liberty /var/run/liberty
+# Initialize vault (as liberty-user)
+sudo -u liberty liberty --vault /var/lib/liberty init
+# Add agent secrets
+sudo -u liberty liberty --vault /var/lib/liberty add AGENT_XYZ_SECRET
+```
+### 2. Start the Daemon
+```bash
+# Start daemon (as liberty-user or via systemd)
+lockstock-guard start
+# Or with custom paths
+lockstock-guard start --vault /var/lib/liberty --socket /var/run/liberty/liberty.sock
+# Check status
+lockstock-guard status
+```
+### 3. Use from Agent Application
+```python
+from lockstock_guard import client
+# Get a secret (connects to daemon via socket)
+secret = client.get("AGENT_XYZ_SECRET")
+# List available keys
+keys = client.list_keys()
+# Connection pooling for multiple requests
+with client.connect() as conn:
+    key1 = conn.get("API_KEY")
+    key2 = conn.get("DATABASE_URL")
+```
+## Systemd Service
+Install the systemd service for production:
+```bash
+sudo cp lockstock-guard.service /etc/systemd/system/
+sudo systemctl daemon-reload
+sudo systemctl enable lockstock-guard
+sudo systemctl start lockstock-guard
+```
+## Security Model
+| Component | User | Access |
+|-----------|------|--------|
+| Vault file | liberty-user | Read/write (mode 600) |
+| Socket | liberty:agents | Group access (mode 660) |
+| Daemon | liberty-user | Decrypts, serves secrets |
+| Agent app | app-user (in agents group) | Socket only, no vault access |
+**Key security properties:**
+- Secrets never in environment variables
+- Vault file inaccessible to agent processes
+- Compromised agent cannot dump vault
+- Least privilege - agent gets only requested secrets
+## Integration with LockStock MCP
+The Guard integrates with the LockStock MCP Wallet server:
+```python
+# MCP server configuration
+export LIBERTY_SOCKET=/var/run/liberty/liberty.sock
+export LOCKSTOCK_AGENT_ID=agent_xyz
+# MCP Wallet retrieves secret from Guard daemon
+# Agent never sees the secret directly
+```
+## CLI Reference
+```
+lockstock-guard start [OPTIONS]
+    --vault PATH      Vault directory (default: /var/lib/liberty)
+    --socket PATH     Socket path (default: /var/run/liberty/liberty.sock)
+    --group NAME      Socket group (default: agents)
+    --foreground      Run in foreground (don't daemonize)
+lockstock-guard stop
+    Stop the running daemon
+lockstock-guard status
+    Check if daemon is running
+```
+## License
+MIT License - See LICENSE file

lockstock_guard-1.0.0.dist-info/RECORD ADDED Viewed

@@ -0,0 +1,9 @@
+lockstock_guard/__init__.py,sha256=O59Lit8SuvbmTLbDxsnLg7FjNf2hIfdWjpeE0OjDnzo,1055
+lockstock_guard/cli.py,sha256=Oim2VUE_nsQmKv75bpbYsSp47FSZSmJ0DvelIK-XsEA,3938
+lockstock_guard/client.py,sha256=ZSrefFpdn4e9OUwD_Meo6lhY2DVahCA9MxoJ5voeuto,11599
+lockstock_guard/daemon.py,sha256=k4eYI1BvUP2CqlR8JonAMAYJ2v0y23tdnoCcQgZ0gh4,17267
+lockstock_guard-1.0.0.dist-info/METADATA,sha256=ZCPtJ_uXmzugTMIj_EbYf4-GobQwQDKsA2aF0fEMQlA,5103
+lockstock_guard-1.0.0.dist-info/WHEEL,sha256=qELbo2s1Yzl39ZmrAibXA2jjPLUYfnVhUNTlyF1rq0Y,92
+lockstock_guard-1.0.0.dist-info/entry_points.txt,sha256=hmhPEKUrxoaYQOi3H2h2l4y55gjWn8RobUD0gxuTyOI,61
+lockstock_guard-1.0.0.dist-info/top_level.txt,sha256=LHLVyMiO08cTiQgfC2r5XJLTAd-TAiX_dFD9CZwceOM,16
+lockstock_guard-1.0.0.dist-info/RECORD,,

lockstock_guard-1.0.0.dist-info/WHEEL ADDED Viewed

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.10.1)
+Root-Is-Purelib: true
+Tag: py3-none-any

lockstock_guard-1.0.0.dist-info/entry_points.txt ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ [console_scripts]
2	+ lockstock-guard = lockstock_guard.cli:main

lockstock_guard-1.0.0.dist-info/top_level.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ lockstock_guard