lockstock-integrations 1.1.0__tar.gz

lockstock_integrations-1.1.0/.gitignore

@@ -0,0 +1,60 @@
+# Environment files
+.env
+.env.*
+.envrc
+*.seal
+
+# Secrets and tokens
+*.key
+*.pem
+*_PRIVATE*
+*_SECRET*
+*token*
+*TOKEN*
+
+# Temporary files
+*.tmp
+*.log
+*.swp
+*.swo
+*~
+.DS_Store
+
+# IDE
+.vscode/
+.idea/
+*.iml
+
+# Node
+node_modules/
+npm-debug.log
+package-lock.json
+
+# Python
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+.Python
+*.egg-info/
+dist/
+build/
+
+# Coordination tmp
+/tmp/
+/acp-environment/tmp/
+
+# Test artifacts
+*.test
+test-*.json
+
+
+# Added by cargo
+
+/target
+
+# Dev infrastructure (belongs in coordination repo, not product repos)
+acp-relay/
+queue/
+guard_ingest/target/
+# Note: guard_ingest/Cargo.lock SHOULD be committed for reproducible builds

lockstock_integrations-1.1.0/CHANGELOG.md

@@ -0,0 +1,75 @@
+# Changelog
+
+All notable changes to lockstock-integrations will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.1.0] - 2026-02-05
+
+### Changed
+- **BREAKING**: Converted to chain-based authentication (NO SECRETS)
+  - `LockStockGuardrail.from_liberty()` now uses Chain Authority Mode
+  - Guard daemon tracks chain state (hash, matrix, sequence), not secrets
+  - Guard uses `current_hash` as HMAC key for signing
+  - Genesis token is BURNED to create initial chain state
+  - NO persistent secrets exist after genesis
+- Removed secret retrieval from `from_liberty()` method
+- Added chain state tracking (`current_hash`, `current_sequence`, `current_matrix`)
+- Added `_ensure_chain_initialized()` method to sync chain state from Guard
+- Added `_verify_with_server()` method for server communication
+- Updated `validate()` to use Guard's `sign_and_advance()` instead of legacy `verify()`
+
+### Security
+- Implements correct security model: secrets NEVER leave Guard daemon
+- Guard performs all HMAC signing internally using chain state
+- Application only receives signatures, never secrets
+- Aligns with TECHNICAL_SPECIFICATION.md line 1: "YOU DO NOT NEED AGENT SECRETS FOR ANYTHING"
+
+### Migration Guide
+If upgrading from v1.0.1:
+1. No code changes required - `from_liberty()` API is unchanged
+2. Ensure Guard daemon supports `sign_and_advance()` method
+3. Ensure Guard daemon has chain state synced from server
+
+## [1.0.1] - 2026-02-05 [YANKED]
+
+**YANKED**: This version implements WRONG security model (secret-based instead of chain-based)
+
+### Why Yanked
+- Uses legacy `guard.get(agent_id)` to retrieve secrets
+- Violates "secrets NEVER leave daemon" security model
+- Genesis token should be BURNED, not converted to persistent secret
+- Chain state (hash) should be HMAC key, not a separate secret
+
+### What Was Added (WRONG)
+- Implemented `LockStockGuardrail.from_liberty()` using secret retrieval (INCORRECT)
+- Retrieved hardware-bound secrets from Guard daemon (WRONG APPROACH)
+
+### Fix
+Upgrade to v1.1.0 which implements correct chain-based authentication
+
+## [1.0.0] - 2026-02-05
+
+### Fixed
+- **CRITICAL**: Fixed SHELL generator mismatch with server (was Matrix(1,1,0,1), now Matrix(1,4,0,1))
+  - This resolves "Topology violation: matrix multiplication check failed" errors when using Shell capability
+  - Server was updated to v1.0.8+ with distinct SHELL generator but Python SDK was not synchronized
+  - Discovered during production verification testing on RunPod before PyPI publish
+  - All 7/7 production tests now pass including Shell capability
+
+### Breaking Changes
+- SHELL generator matrix changed from Matrix(1, 1, 0, 1) to Matrix(1, 4, 0, 1) to match server v1.0.8+
+- Agents using SDK versions prior to 1.0.0 will fail Shell capability verification with topology violations
+- Upgrade required for all deployed agents using Shell capability
+
+## [0.1.0] - 2026-01-XX
+
+### Added
+- Initial release
+- Core LockStockClient with matrix state management
+- Integration modules for OpenAI, LangGraph, and Claude
+- Support for all capability types: Deploy, Restart, Backup, Rollback, Heartbeat, Checkpoint, Teleport, FileRead, FileWrite, Network, Shell, Database, Handoff, Delegate
+- GL(2, F_65537) matrix group for topological state transitions
+- HMAC-SHA256 signature generation
+- Audit trail support

lockstock_integrations-1.1.0/PKG-INFO

@@ -0,0 +1,141 @@
+Metadata-Version: 2.4
+Name: lockstock-integrations
+Version: 1.1.0
+Summary: LockStock compliance runtime integrations for AI Agent SDKs
+Project-URL: Homepage, https://d3cipher.ai
+Project-URL: Documentation, https://d3cipher.ai/docs
+Project-URL: Repository, https://gitlab.com/d3cipher/lockstock
+Author-email: d3cipher <dev@d3cipher.ai>
+License-Expression: MIT
+Keywords: ai-agents,audit,authentication,compliance,lockstock
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.10
+Requires-Dist: httpx>=0.25.0
+Requires-Dist: pydantic>=2.0.0
+Provides-Extra: adk
+Requires-Dist: google-adk>=0.1.0; extra == 'adk'
+Provides-Extra: all
+Requires-Dist: anthropic>=0.25.0; extra == 'all'
+Requires-Dist: crewai>=0.50.0; extra == 'all'
+Requires-Dist: google-adk>=0.1.0; extra == 'all'
+Requires-Dist: langgraph>=0.2.0; extra == 'all'
+Requires-Dist: openai-agents>=0.6.0; extra == 'all'
+Provides-Extra: claude
+Requires-Dist: anthropic>=0.25.0; extra == 'claude'
+Provides-Extra: crewai
+Requires-Dist: crewai>=0.50.0; extra == 'crewai'
+Provides-Extra: langgraph
+Requires-Dist: langgraph>=0.2.0; extra == 'langgraph'
+Provides-Extra: openai
+Requires-Dist: openai-agents>=0.6.0; extra == 'openai'
+Description-Content-Type: text/markdown
+
+# LockStock Integrations
+
+Universal compliance runtime for AI Agent SDKs. LockStock provides cryptographic identity, capability authorization, and audit trails for agents running on any framework.
+
+## Supported Frameworks
+
+| Integration | Framework | Status |
+|-------------|-----------|--------|
+| `lockstock_claude` | Claude Agent SDK | Alpha |
+| `lockstock_openai` | OpenAI Agents SDK | Alpha |
+| `lockstock_langgraph` | LangGraph | Alpha |
+| `lockstock_a2a` | A2A Protocol | Alpha |
+| `lockstock_adk` | Google ADK | Planned |
+| `lockstock_crewai` | CrewAI | Planned |
+
+## Installation
+
+```bash
+# Install with specific framework support
+pip install lockstock-integrations[claude]
+pip install lockstock-integrations[openai]
+pip install lockstock-integrations[langgraph]
+
+# Install with all frameworks
+pip install lockstock-integrations[all]
+```
+
+## Quick Start
+
+### Claude Agent SDK
+
+```python
+from lockstock_claude import LockStockHook
+
+# Create hook with your agent credentials
+hook = LockStockHook(
+    agent_id="agent_abc123",
+    api_key="lsk_admin_...",
+    endpoint="https://lockstock-api-i9kp.onrender.com"
+)
+
+# Use as pre-tool-execution hook
+# The hook will verify capabilities before each tool call
+```
+
+### OpenAI Agents SDK
+
+```python
+from lockstock_openai import LockStockGuardrail
+
+guardrail = LockStockGuardrail(agent_id="agent_abc123")
+
+# Add to your agent's guardrails
+agent = Agent(
+    name="my-agent",
+    guardrails=[guardrail]
+)
+```
+
+### LangGraph
+
+```python
+from lockstock_langgraph import lockstock_middleware
+
+# Wrap your graph with LockStock middleware
+app = lockstock_middleware(
+    graph=your_graph,
+    agent_id="agent_abc123"
+)
+```
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                     YOUR AGENT RUNTIME                          │
+│  (Claude Agent SDK / OpenAI / LangGraph / CrewAI / ADK)        │
+└─────────────────────────────────────────────────────────────────┘
+                              │
+                              ▼
+┌─────────────────────────────────────────────────────────────────┐
+│                   LOCKSTOCK INTEGRATION                         │
+│                                                                  │
+│  • Pre-tool-execution hooks                                     │
+│  • Capability verification                                       │
+│  • Audit trail logging                                          │
+└─────────────────────────────────────────────────────────────────┘
+                              │
+                              ▼
+┌─────────────────────────────────────────────────────────────────┐
+│                     LOCKSTOCK CORE API                          │
+│                                                                  │
+│  • /verify - Capability authorization                           │
+│  • /bootstrap - Agent identity initialization                   │
+│  • Hash chain - Cryptographic audit trail                       │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+## License
+
+MIT License - See LICENSE file for details.

lockstock_integrations-1.1.0/PYPI_PUBLICATION_PLAN.md

@@ -0,0 +1,285 @@
+# PyPI Publication Plan - lockstock-integrations v1.1.0
+
+**Date**: 2026-02-05
+**Status**: Ready for Publication
+**Version**: 1.1.0 (Chain-Based Authentication)
+
+---
+
+## Current Status
+
+### ✅ Completed
+
+1. **Code Implementation**
+   - v1.1.0 chain-based authentication implemented
+   - `LockStockGuardrail.from_liberty()` uses NO secrets
+   - Guard daemon integration complete
+   - All integrations updated (OpenAI, LangGraph, Claude)
+
+2. **Documentation**
+   - CHANGELOG.md updated with v1.1.0 notes
+   - v1.0.1 marked as [YANKED]
+   - NO_SECRETS_ARCHITECTURE.md created
+   - TEST_VERIFICATION.md documents 7/7 tests passing
+   - CLAUDE.md updated with warnings
+
+3. **Testing Infrastructure**
+   - test_trinity_lockstock.py updated to v1.1.0 pattern
+   - test_e2e_provisioning.py created (comprehensive E2E test)
+   - test_chain_sync.py created (chain state verification)
+   - test_generator_sync.py exists (generator matrix validation)
+
+4. **Version Configuration**
+   - pyproject.toml shows version = "1.1.0"
+   - All dependencies specified correctly
+
+### 🚧 Remaining Tasks
+
+1. **Yank v1.0.1 from PyPI**
+   - Package was published with WRONG security model
+   - Must be yanked to prevent usage
+   - Command: `twine yank lockstock-integrations==1.0.1 -r pypi -c "Wrong security model - use v1.1.0"`
+
+2. **Build v1.1.0 Package**
+   - Clean old builds
+   - Build new wheel and sdist
+   - Verify package contents
+
+3. **Publish to PyPI**
+   - Upload v1.1.0 to PyPI
+   - Verify package appears correctly
+   - Test installation
+
+---
+
+## Step-by-Step Publication Process
+
+### Prerequisites
+
+Ensure you have:
+- `twine` installed: `pip install twine`
+- `build` installed: `pip install build`
+- PyPI credentials configured
+
+### Step 1: Yank v1.0.1
+
+```bash
+# Yank the incorrect v1.0.1
+twine yank lockstock-integrations==1.0.1 -r pypi \
+  -c "Wrong security model - use v1.1.0 instead"
+
+# Verify yanked status
+# Visit: https://pypi.org/project/lockstock-integrations/1.0.1/
+```
+
+### Step 2: Clean Build Directory
+
+```bash
+cd lockstock-integrations
+rm -rf dist/lockstock_integrations-1.1.0*
+rm -rf build/
+rm -rf *.egg-info/
+```
+
+### Step 3: Build Package
+
+```bash
+cd lockstock-integrations
+python -m build
+
+# Expected output:
+# dist/lockstock_integrations-1.1.0-py3-none-any.whl
+# dist/lockstock_integrations-1.1.0.tar.gz
+```
+
+### Step 4: Verify Package Contents
+
+```bash
+# List wheel contents
+unzip -l dist/lockstock_integrations-1.1.0-py3-none-any.whl
+
+# Check for:
+# - lockstock_openai/guardrails.py (v1.1.0 chain-based)
+# - lockstock_core/client.py
+# - lockstock_claude/
+# - lockstock_langgraph/
+# - All __init__.py files
+```
+
+### Step 5: Upload to PyPI
+
+```bash
+cd lockstock-integrations
+twine upload dist/lockstock_integrations-1.1.0*
+
+# Enter PyPI credentials when prompted
+```
+
+### Step 6: Verify Publication
+
+```bash
+# Check PyPI page
+# https://pypi.org/project/lockstock-integrations/
+
+# Test installation in clean environment
+python -m venv test_env
+source test_env/bin/activate
+pip install lockstock-integrations==1.1.0
+
+# Verify imports work
+python -c "from lockstock_openai import LockStockGuardrail; print('OK')"
+python -c "from lockstock_core import LockStockClient; print('OK')"
+```
+
+---
+
+## Testing Before Publication
+
+### Unit Tests
+
+```bash
+cd lockstock-integrations
+
+# Run generator sync test
+python tests/test_generator_sync.py
+```
+
+### Integration Tests
+
+```bash
+# Test with live agent (requires Guard daemon and agent provisioned)
+export AGENT_ID="agent_test#1"
+export GENESIS_TOKEN="your_token_here"
+
+# E2E provisioning test
+python tests/test_e2e_provisioning.py $AGENT_ID $GENESIS_TOKEN
+
+# Chain sync test
+python tests/test_chain_sync.py $AGENT_ID
+```
+
+### Trinity Test (Full Stack)
+
+```bash
+# Full OpenAI agent test with POE API
+cd lockstock-integrations
+python test_trinity_lockstock.py
+```
+
+---
+
+## Post-Publication Verification
+
+### 1. Customer Quickstart Flow
+
+Verify a new customer can:
+
+```bash
+# 1. Install from PyPI
+pip install lockstock-integrations[openai]
+
+# 2. Provision agent identity
+# (Requires genesis token from dashboard)
+
+# 3. Bind with Guard daemon
+lockstock-guard bind --agent agent_test#1 --token GENESIS_TOKEN
+
+# 4. Use in code
+python -c "
+from lockstock_openai import LockStockGuardrail
+
+guardrail = LockStockGuardrail.from_liberty(
+    agent_id='agent_test#1',
+    socket_path='/var/run/lockstock-guard/guard.sock'
+)
+print('✓ NO SECRETS USED!')
+"
+```
+
+### 2. Verify Documentation
+
+Check that PyPI page shows:
+- Correct v1.1.0 version
+- CHANGELOG with v1.0.1 marked as YANKED
+- Installation instructions
+- Framework support matrix
+- Link to documentation
+
+### 3. Verify GitHub/GitLab
+
+Ensure repository has:
+- v1.1.0 git tag
+- CHANGELOG.md updated
+- README.md accurate
+- docs/NO_SECRETS_ARCHITECTURE.md visible
+
+---
+
+## What This Release Fixes
+
+### v1.0.1 Problems (YANKED)
+
+❌ Retrieved secrets from Guard daemon using `guard.get()`
+❌ Stored secrets in SDK classes
+❌ Violated "secrets never leave daemon" security model
+❌ Used persistent secret as HMAC key
+
+### v1.1.0 Solutions
+
+✅ NO secret retrieval or storage
+✅ Guard daemon tracks chain state internally
+✅ `current_hash` IS the HMAC key
+✅ Genesis token is BURNED, not converted to secret
+✅ Chain-based authentication throughout
+
+---
+
+## Customer-Facing Message
+
+When customers ask about the v1.0.1 → v1.1.0 change:
+
+> **v1.1.0 implements the correct chain-based authentication model.**
+>
+> v1.0.1 was yanked because it implemented a secret-storage pattern that violated LockStock's security architecture. In LockStock:
+>
+> - **Genesis tokens are BURNED** after one use (not stored)
+> - **Chain state evolves** with each action (hash, matrix, sequence)
+> - **current_hash IS the HMAC key** (no separate persistent secret)
+> - **NO secrets exist** anywhere in the system after genesis
+>
+> **Migration from v1.0.1 to v1.1.0:**
+> - API is unchanged - `from_liberty()` works the same
+> - Ensure Guard daemon supports `sign_and_advance()` method
+> - Ensure Guard daemon has synced chain state from server
+> - No code changes required in your agent
+
+---
+
+## Success Criteria
+
+v1.1.0 publication is successful when:
+
+- ✅ v1.0.1 is yanked on PyPI
+- ✅ v1.1.0 is published and installable
+- ✅ Package contents are correct
+- ✅ All tests pass in clean environment
+- ✅ Customer quickstart flow works end-to-end
+- ✅ Documentation is accurate
+- ✅ Audit trail shows topological causal ordering
+
+---
+
+## Contact
+
+If issues arise during publication:
+- Check Guard daemon is running: `lockstock-guard status`
+- Verify server is accessible: `curl https://lockstock-api-i9kp.onrender.com/health`
+- Review audit logs: `https://lockstock-api-i9kp.onrender.com/api/guard/audit`
+
+---
+
+**Ready for Publication**: YES
+**Blocking Issues**: NONE
+**Next Step**: Execute Step 1 (Yank v1.0.1)
+
+**WE HAVE NO SECRETS TO KEEP!**

lockstock_integrations-1.1.0/README.md

@@ -0,0 +1,101 @@
+# LockStock Integrations
+
+Universal compliance runtime for AI Agent SDKs. LockStock provides cryptographic identity, capability authorization, and audit trails for agents running on any framework.
+
+## Supported Frameworks
+
+| Integration | Framework | Status |
+|-------------|-----------|--------|
+| `lockstock_claude` | Claude Agent SDK | Alpha |
+| `lockstock_openai` | OpenAI Agents SDK | Alpha |
+| `lockstock_langgraph` | LangGraph | Alpha |
+| `lockstock_a2a` | A2A Protocol | Alpha |
+| `lockstock_adk` | Google ADK | Planned |
+| `lockstock_crewai` | CrewAI | Planned |
+
+## Installation
+
+```bash
+# Install with specific framework support
+pip install lockstock-integrations[claude]
+pip install lockstock-integrations[openai]
+pip install lockstock-integrations[langgraph]
+
+# Install with all frameworks
+pip install lockstock-integrations[all]
+```
+
+## Quick Start
+
+### Claude Agent SDK
+
+```python
+from lockstock_claude import LockStockHook
+
+# Create hook with your agent credentials
+hook = LockStockHook(
+    agent_id="agent_abc123",
+    api_key="lsk_admin_...",
+    endpoint="https://lockstock-api-i9kp.onrender.com"
+)
+
+# Use as pre-tool-execution hook
+# The hook will verify capabilities before each tool call
+```
+
+### OpenAI Agents SDK
+
+```python
+from lockstock_openai import LockStockGuardrail
+
+guardrail = LockStockGuardrail(agent_id="agent_abc123")
+
+# Add to your agent's guardrails
+agent = Agent(
+    name="my-agent",
+    guardrails=[guardrail]
+)
+```
+
+### LangGraph
+
+```python
+from lockstock_langgraph import lockstock_middleware
+
+# Wrap your graph with LockStock middleware
+app = lockstock_middleware(
+    graph=your_graph,
+    agent_id="agent_abc123"
+)
+```
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                     YOUR AGENT RUNTIME                          │
+│  (Claude Agent SDK / OpenAI / LangGraph / CrewAI / ADK)        │
+└─────────────────────────────────────────────────────────────────┘
+                              │
+                              ▼
+┌─────────────────────────────────────────────────────────────────┐
+│                   LOCKSTOCK INTEGRATION                         │
+│                                                                  │
+│  • Pre-tool-execution hooks                                     │
+│  • Capability verification                                       │
+│  • Audit trail logging                                          │
+└─────────────────────────────────────────────────────────────────┘
+                              │
+                              ▼
+┌─────────────────────────────────────────────────────────────────┐
+│                     LOCKSTOCK CORE API                          │
+│                                                                  │
+│  • /verify - Capability authorization                           │
+│  • /bootstrap - Agent identity initialization                   │
+│  • Hash chain - Cryptographic audit trail                       │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+## License
+
+MIT License - See LICENSE file for details.