noesis-auth 0.1.0__tar.gz

noesis_auth-0.1.0/PKG-INFO

@@ -0,0 +1,122 @@
+Metadata-Version: 2.4
+Name: noesis-auth
+Version: 0.1.0
+Summary: Python Auth SDK for AI tool integration with the Noesis AIToolCenter platform
+Author: Noesis AI Technologies
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/Noesis-AI-Technologies/AIToolCenter
+Project-URL: Documentation, https://github.com/Noesis-AI-Technologies/AIToolCenter/blob/main/docs/auth-sdk-guide.md
+Project-URL: Repository, https://github.com/Noesis-AI-Technologies/AIToolCenter
+Project-URL: Issues, https://github.com/Noesis-AI-Technologies/AIToolCenter/issues
+Keywords: auth,oauth2,jwt,sdk,ai-tools
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Classifier: Typing :: Typed
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+Requires-Dist: httpx>=0.24.0
+Requires-Dist: python-jose[cryptography]>=3.3.0
+Provides-Extra: fastapi
+Requires-Dist: fastapi>=0.100.0; extra == "fastapi"
+
+# noesis-auth (Python)
+
+Python Auth SDK for AI tool integration with the [Noesis AIToolCenter](https://github.com/Noesis-AI-Technologies/AIToolCenter) platform.
+
+## Installation
+
+```bash
+pip install noesis-auth
+
+# With FastAPI middleware support:
+pip install noesis-auth[fastapi]
+```
+
+## Quick Start
+
+### JWT Validation (Tool-side)
+
+```python
+from auth_sdk import JWTValidator
+
+validator = JWTValidator(
+    jwks_url="https://your-platform.com/.well-known/jwks.json"
+)
+
+payload = await validator.validate(token)
+print(payload["sub"])  # user ID
+```
+
+### FastAPI Middleware
+
+```python
+from fastapi import Depends, FastAPI
+from auth_sdk import AuthMiddleware, TokenPayload
+
+app = FastAPI()
+auth = AuthMiddleware(jwks_url="https://your-platform.com/.well-known/jwks.json")
+
+@app.get("/api/generate")
+async def generate(payload: TokenPayload = Depends(auth.require_tool("your-tool-id"))):
+    user_id = payload.sub
+    # ... your tool logic
+```
+
+### OAuth2 Client (PKCE)
+
+```python
+from auth_sdk import AuthClient
+
+client = AuthClient(base_url="https://your-platform.com")
+
+# Generate PKCE pair
+pkce = AuthClient.generate_pkce()
+
+# Build authorization URL
+url = client.build_authorize_url(
+    client_id="your-client-id",
+    redirect_uri="http://localhost:3000/callback",
+    code_challenge=pkce.code_challenge,
+)
+
+# Exchange code for tokens
+tokens = await client.exchange_code(
+    code=auth_code,
+    redirect_uri="http://localhost:3000/callback",
+    client_id="your-client-id",
+    code_verifier=pkce.code_verifier,
+)
+```
+
+### Activation Code Redemption
+
+```python
+result = await client.redeem_code(user_token="...", code="AXKF-M3PQ-7RBN-W2YT")
+print(result.tool_id, result.expires_at)
+```
+
+## Features
+
+- **JWT Validation** — RS256 (JWKS) and HS256 (shared secret) with auto-detection
+- **FastAPI Middleware** — Drop-in authentication and tool access verification
+- **OAuth2 Client** — Authorization URL builder, code exchange, token refresh
+- **PKCE Support** — S256 code challenge generation for public clients
+- **Token Introspection** — Remote token validation endpoint
+- **Activation Codes** — Redeem activation codes for tool entitlements
+- **JWKS Caching** — 6-hour cache with stale-while-revalidate and retry on failure
+
+## Requirements
+
+- Python >= 3.11
+- `httpx` >= 0.24
+- `python-jose[cryptography]` >= 3.3
+- `fastapi` >= 0.100 (optional, for middleware)
+
+## License
+
+MIT

noesis_auth-0.1.0/README.md

@@ -0,0 +1,96 @@
+# noesis-auth (Python)
+
+Python Auth SDK for AI tool integration with the [Noesis AIToolCenter](https://github.com/Noesis-AI-Technologies/AIToolCenter) platform.
+
+## Installation
+
+```bash
+pip install noesis-auth
+
+# With FastAPI middleware support:
+pip install noesis-auth[fastapi]
+```
+
+## Quick Start
+
+### JWT Validation (Tool-side)
+
+```python
+from auth_sdk import JWTValidator
+
+validator = JWTValidator(
+    jwks_url="https://your-platform.com/.well-known/jwks.json"
+)
+
+payload = await validator.validate(token)
+print(payload["sub"])  # user ID
+```
+
+### FastAPI Middleware
+
+```python
+from fastapi import Depends, FastAPI
+from auth_sdk import AuthMiddleware, TokenPayload
+
+app = FastAPI()
+auth = AuthMiddleware(jwks_url="https://your-platform.com/.well-known/jwks.json")
+
+@app.get("/api/generate")
+async def generate(payload: TokenPayload = Depends(auth.require_tool("your-tool-id"))):
+    user_id = payload.sub
+    # ... your tool logic
+```
+
+### OAuth2 Client (PKCE)
+
+```python
+from auth_sdk import AuthClient
+
+client = AuthClient(base_url="https://your-platform.com")
+
+# Generate PKCE pair
+pkce = AuthClient.generate_pkce()
+
+# Build authorization URL
+url = client.build_authorize_url(
+    client_id="your-client-id",
+    redirect_uri="http://localhost:3000/callback",
+    code_challenge=pkce.code_challenge,
+)
+
+# Exchange code for tokens
+tokens = await client.exchange_code(
+    code=auth_code,
+    redirect_uri="http://localhost:3000/callback",
+    client_id="your-client-id",
+    code_verifier=pkce.code_verifier,
+)
+```
+
+### Activation Code Redemption
+
+```python
+result = await client.redeem_code(user_token="...", code="AXKF-M3PQ-7RBN-W2YT")
+print(result.tool_id, result.expires_at)
+```
+
+## Features
+
+- **JWT Validation** — RS256 (JWKS) and HS256 (shared secret) with auto-detection
+- **FastAPI Middleware** — Drop-in authentication and tool access verification
+- **OAuth2 Client** — Authorization URL builder, code exchange, token refresh
+- **PKCE Support** — S256 code challenge generation for public clients
+- **Token Introspection** — Remote token validation endpoint
+- **Activation Codes** — Redeem activation codes for tool entitlements
+- **JWKS Caching** — 6-hour cache with stale-while-revalidate and retry on failure
+
+## Requirements
+
+- Python >= 3.11
+- `httpx` >= 0.24
+- `python-jose[cryptography]` >= 3.3
+- `fastapi` >= 0.100 (optional, for middleware)
+
+## License
+
+MIT

noesis_auth-0.1.0/__init__.py

@@ -0,0 +1,27 @@
+from auth_sdk.client import AuthClient, AuthError, TokenResponse, RedeemResult, IntrospectResult, PKCEPair
+from auth_sdk.jwt_validator import JWTValidator
+from auth_sdk.models import Entitlement, TokenPayload
+
+try:
+    from auth_sdk.fastapi_middleware import AuthMiddleware, require_tool_access
+except ImportError:
+    # FastAPI is an optional dependency
+    AuthMiddleware = None  # type: ignore[assignment, misc]
+    require_tool_access = None  # type: ignore[assignment]
+
+__version__ = "0.1.0"
+
+__all__ = [
+    "__version__",
+    "AuthClient",
+    "AuthError",
+    "AuthMiddleware",
+    "IntrospectResult",
+    "JWTValidator",
+    "PKCEPair",
+    "RedeemResult",
+    "TokenPayload",
+    "TokenResponse",
+    "Entitlement",
+    "require_tool_access",
+]

noesis_auth-0.1.0/client.py

@@ -0,0 +1,248 @@
+"""AuthClient — HTTP client for interacting with the ERP platform APIs.
+
+Implements TODO item B1 — Python SDK AuthClient (mirrors TypeScript SDK).
+
+Provides:
+  - build_authorize_url() — OAuth2 authorization URL builder
+  - exchange_code() — exchange auth code for tokens
+  - refresh_token() — refresh access token
+  - redeem_code() — redeem activation code
+  - introspect() — introspect token
+  - generate_pkce() — generate PKCE code verifier + challenge
+"""
+
+import base64
+import hashlib
+import os
+from dataclasses import dataclass
+from urllib.parse import urlencode
+
+import httpx
+
+from auth_sdk.models import TokenPayload
+
+
+class AuthError(Exception):
+    def __init__(self, message: str, code: str = "UNKNOWN", status: int = 0):
+        super().__init__(message)
+        self.code = code
+        self.status = status
+
+
+@dataclass
+class TokenResponse:
+    access_token: str
+    token_type: str
+    expires_in: int
+    refresh_token: str | None = None
+
+
+@dataclass
+class RedeemResult:
+    tool_id: str
+    expires_at: str
+    message: str = ""
+
+
+@dataclass
+class IntrospectResult:
+    active: bool
+    sub: str | None = None
+    exp: int | None = None
+    iat: int | None = None
+    jti: str | None = None
+    entitlements: list[dict] | None = None
+
+
+@dataclass
+class PKCEPair:
+    code_verifier: str
+    code_challenge: str
+
+
+def _base64url_encode(data: bytes) -> str:
+    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
+
+
+class AuthClient:
+    """HTTP client for AIToolCenter platform APIs."""
+
+    def __init__(self, base_url: str, timeout: float = 10.0):
+        self.base_url = base_url.rstrip("/")
+        self.timeout = timeout
+
+    @staticmethod
+    def generate_pkce() -> PKCEPair:
+        """Generate a PKCE code verifier and S256 challenge."""
+        verifier_bytes = os.urandom(32)
+        code_verifier = _base64url_encode(verifier_bytes)
+        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
+        code_challenge = _base64url_encode(digest)
+        return PKCEPair(code_verifier=code_verifier, code_challenge=code_challenge)
+
+    def build_authorize_url(
+        self,
+        client_id: str,
+        redirect_uri: str,
+        state: str | None = None,
+        code_challenge: str | None = None,
+    ) -> str:
+        """Build the OAuth2 authorization URL."""
+        params = {
+            "response_type": "code",
+            "client_id": client_id,
+            "redirect_uri": redirect_uri,
+        }
+        if state:
+            params["state"] = state
+        if code_challenge:
+            params["code_challenge"] = code_challenge
+            params["code_challenge_method"] = "S256"
+        return f"{self.base_url}/oauth/authorize?{urlencode(params)}"
+
+    async def exchange_code(
+        self,
+        code: str,
+        redirect_uri: str,
+        client_id: str,
+        code_verifier: str | None = None,
+        client_secret: str | None = None,
+    ) -> TokenResponse:
+        """Exchange an authorization code for tokens."""
+        data = {
+            "grant_type": "authorization_code",
+            "code": code,
+            "redirect_uri": redirect_uri,
+            "client_id": client_id,
+        }
+        if code_verifier:
+            data["code_verifier"] = code_verifier
+        if client_secret:
+            data["client_secret"] = client_secret
+
+        async with httpx.AsyncClient(timeout=self.timeout) as client:
+            resp = await client.post(
+                f"{self.base_url}/oauth/token",
+                data=data,
+                headers={"Content-Type": "application/x-www-form-urlencoded"},
+            )
+
+        if resp.status_code != 200:
+            body = resp.json() if resp.headers.get("content-type", "").startswith("application/json") else {}
+            raise AuthError(
+                body.get("detail", f"Code exchange failed: {resp.status_code}"),
+                "TOKEN_INVALID",
+                resp.status_code,
+            )
+
+        d = resp.json()
+        return TokenResponse(
+            access_token=d["access_token"],
+            token_type=d.get("token_type", "bearer"),
+            expires_in=d.get("expires_in", 0),
+            refresh_token=d.get("refresh_token"),
+        )
+
+    async def refresh_token(
+        self,
+        refresh_token: str,
+        client_id: str | None = None,
+        client_secret: str | None = None,
+    ) -> TokenResponse:
+        """Refresh an access token using a refresh token."""
+        data = {
+            "grant_type": "refresh_token",
+            "refresh_token": refresh_token,
+        }
+        if client_id:
+            data["client_id"] = client_id
+        if client_secret:
+            data["client_secret"] = client_secret
+
+        async with httpx.AsyncClient(timeout=self.timeout) as client:
+            resp = await client.post(
+                f"{self.base_url}/oauth/token",
+                data=data,
+                headers={"Content-Type": "application/x-www-form-urlencoded"},
+            )
+
+        if resp.status_code != 200:
+            body = resp.json() if resp.headers.get("content-type", "").startswith("application/json") else {}
+            raise AuthError(
+                body.get("detail", f"Token refresh failed: {resp.status_code}"),
+                "TOKEN_INVALID",
+                resp.status_code,
+            )
+
+        d = resp.json()
+        return TokenResponse(
+            access_token=d["access_token"],
+            token_type=d.get("token_type", "bearer"),
+            expires_in=d.get("expires_in", 0),
+            refresh_token=d.get("refresh_token"),
+        )
+
+    async def redeem_code(self, user_token: str, code: str) -> RedeemResult:
+        """Redeem an activation code for the authenticated user."""
+        async with httpx.AsyncClient(timeout=self.timeout) as client:
+            resp = await client.post(
+                f"{self.base_url}/api/v1/activation/redeem",
+                json={"code": code},
+                headers={
+                    "Authorization": f"Bearer {user_token}",
+                    "Content-Type": "application/json",
+                },
+            )
+
+        if resp.status_code != 200:
+            body = resp.json() if resp.headers.get("content-type", "").startswith("application/json") else {}
+            raise AuthError(
+                body.get("detail", f"Redemption failed: {resp.status_code}"),
+                "TOKEN_INVALID",
+                resp.status_code,
+            )
+
+        d = resp.json()
+        return RedeemResult(
+            tool_id=d["tool_id"],
+            expires_at=d["expires_at"],
+            message=d.get("message", ""),
+        )
+
+    async def introspect(
+        self,
+        token: str,
+        client_id: str | None = None,
+        client_secret: str | None = None,
+    ) -> IntrospectResult:
+        """Introspect a token to check if it's active."""
+        data = {"token": token}
+        if client_id:
+            data["client_id"] = client_id
+        if client_secret:
+            data["client_secret"] = client_secret
+
+        async with httpx.AsyncClient(timeout=self.timeout) as client:
+            resp = await client.post(
+                f"{self.base_url}/oauth/introspect",
+                data=data,
+                headers={"Content-Type": "application/x-www-form-urlencoded"},
+            )
+
+        if resp.status_code != 200:
+            body = resp.json() if resp.headers.get("content-type", "").startswith("application/json") else {}
+            raise AuthError(
+                body.get("detail", f"Introspection failed: {resp.status_code}"),
+                "NETWORK_ERROR",
+                resp.status_code,
+            )
+
+        d = resp.json()
+        return IntrospectResult(
+            active=d.get("active", False),
+            sub=d.get("sub"),
+            exp=d.get("exp"),
+            iat=d.get("iat"),
+            jti=d.get("jti"),
+            entitlements=d.get("entitlements"),
+        )

noesis_auth-0.1.0/fastapi_middleware.py

@@ -0,0 +1,80 @@
+import functools
+import time
+from typing import Callable
+
+from fastapi import HTTPException, Request, status
+
+from auth_sdk.jwt_validator import JWTValidator
+from auth_sdk.models import Entitlement, TokenPayload
+
+
+class AuthMiddleware:
+    """FastAPI dependency for tool-side authentication and authorization."""
+
+    def __init__(self, jwks_url: str, algorithm: str = "RS256", hs256_secret: str | None = None):
+        self.validator = JWTValidator(
+            jwks_url=jwks_url,
+            algorithm=algorithm,
+            hs256_secret=hs256_secret,
+        )
+
+    async def authenticate(self, request: Request) -> TokenPayload:
+        """Extract and validate the bearer token, return parsed payload."""
+        auth_header = request.headers.get("Authorization", "")
+        if not auth_header.startswith("Bearer "):
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Missing or invalid Authorization header",
+            )
+        token = auth_header[7:]
+        try:
+            raw = await self.validator.validate(token)
+        except ValueError as e:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=str(e))
+
+        entitlements = [
+            Entitlement(tool_id=e["tool_id"], expires_at=e["expires_at"]) for e in raw.get("entitlements", [])
+        ]
+        return TokenPayload(
+            sub=raw["sub"],
+            exp=raw["exp"],
+            iat=raw["iat"],
+            jti=raw.get("jti", ""),
+            entitlements=entitlements,
+        )
+
+    def require_tool(self, tool_id: str | int) -> Callable:
+        """FastAPI dependency that checks the user has access to a specific tool."""
+        middleware = self
+
+        async def dependency(request: Request) -> TokenPayload:
+            payload = await middleware.authenticate(request)
+            if not payload.has_tool_access(tool_id):
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail=f"No access to tool {tool_id}",
+                )
+            return payload
+
+        return dependency
+
+
+def require_tool_access(tool_id: str | int, *, jwks_url: str = "", _middleware_cache: dict = {}):
+    """Convenience function that returns a FastAPI dependency for tool access verification.
+
+    Usage:
+        from auth_sdk import require_tool_access
+
+        @app.get("/api/generate")
+        async def generate(
+            payload: TokenPayload = Depends(require_tool_access(1, jwks_url="https://auth.example.com/.well-known/jwks.json"))
+        ):
+            user_id = payload.sub
+            ...
+    """
+    if not jwks_url:
+        raise ValueError("jwks_url is required for require_tool_access()")
+    if jwks_url not in _middleware_cache:
+        _middleware_cache[jwks_url] = AuthMiddleware(jwks_url=jwks_url)
+    middleware = _middleware_cache[jwks_url]
+    return middleware.require_tool(tool_id)

noesis_auth-0.1.0/jwt_validator.py

@@ -0,0 +1,123 @@
+import asyncio
+import time
+import logging
+from typing import Any
+
+import httpx
+from jose import jwt, JWTError, ExpiredSignatureError
+from jose.constants import ALGORITHMS
+
+logger = logging.getLogger("auth_sdk")
+
+
+class JWTValidator:
+    """Validates JWTs using JWKS fetched from the Auth Center.
+
+    Supports RS256 (via JWKS) and HS256 (via shared secret).
+    When using HS256, pass the shared secret via ``hs256_secret``.
+    """
+
+    def __init__(
+        self,
+        jwks_url: str,
+        algorithm: str = "RS256",
+        cache_ttl: int = 21600,
+        hs256_secret: str | None = None,
+    ):
+        self.jwks_url = jwks_url
+        self.algorithm = algorithm
+        self.cache_ttl = cache_ttl  # default 6 hours
+        self.hs256_secret = hs256_secret
+        self._jwks: dict[str, Any] | None = None
+        self._jwks_fetched_at: float = 0
+
+    async def _fetch_jwks(self) -> dict:
+        """Fetch JWKS from the auth server with one retry on failure."""
+        last_error: Exception | None = None
+        for attempt in range(2):
+            try:
+                async with httpx.AsyncClient() as client:
+                    resp = await client.get(self.jwks_url, timeout=10)
+                    resp.raise_for_status()
+                    return resp.json()
+            except Exception as e:
+                last_error = e
+                if attempt == 0:
+                    logger.warning("JWKS fetch attempt %d failed: %s, retrying...", attempt + 1, e)
+                    await asyncio.sleep(1)
+        raise RuntimeError(f"Failed to fetch JWKS from {self.jwks_url}: {last_error}") from last_error
+
+    async def get_jwks(self) -> dict:
+        now = time.time()
+        if self._jwks is None or (now - self._jwks_fetched_at) > self.cache_ttl:
+            try:
+                self._jwks = await self._fetch_jwks()
+                self._jwks_fetched_at = now
+                logger.info("JWKS refreshed from %s", self.jwks_url)
+            except Exception as e:
+                if self._jwks is not None:
+                    logger.warning("Failed to refresh JWKS, using cached: %s", e)
+                else:
+                    raise RuntimeError(f"Cannot validate tokens: JWKS unavailable from {self.jwks_url}") from e
+        return self._jwks
+
+    async def validate(self, token: str) -> dict:
+        """Validate JWT signature and expiry. Returns decoded payload.
+
+        Auto-detects the algorithm from the JWT header:
+        - If alg=HS256 and hs256_secret is configured → symmetric validation
+        - If alg=RS256 → asymmetric validation via JWKS
+        - Falls back to configured self.algorithm if header detection fails
+        """
+        # Auto-detect algorithm from token header
+        try:
+            unverified_header = jwt.get_unverified_header(token)
+            token_alg = unverified_header.get("alg", self.algorithm)
+        except JWTError:
+            token_alg = self.algorithm
+
+        if token_alg == "HS256" and self.hs256_secret:
+            # Symmetric validation — no JWKS needed
+            try:
+                payload = jwt.decode(
+                    token,
+                    self.hs256_secret,
+                    algorithms=["HS256"],
+                    options={"verify_aud": False},
+                )
+                return payload
+            except ExpiredSignatureError:
+                raise ValueError("Token has expired")
+            except JWTError as e:
+                raise ValueError(f"Token validation failed: {e}") from e
+
+        # Asymmetric validation via JWKS
+        jwks = await self.get_jwks()
+
+        # If JWKS returns empty keys and we have an hs256_secret, fall back
+        if not jwks.get("keys") and self.hs256_secret:
+            try:
+                payload = jwt.decode(
+                    token,
+                    self.hs256_secret,
+                    algorithms=["HS256"],
+                    options={"verify_aud": False},
+                )
+                return payload
+            except ExpiredSignatureError:
+                raise ValueError("Token has expired")
+            except JWTError as e:
+                raise ValueError(f"Token validation failed: {e}") from e
+
+        try:
+            payload = jwt.decode(
+                token,
+                jwks,
+                algorithms=[self.algorithm],
+                options={"verify_aud": False},
+            )
+            return payload
+        except ExpiredSignatureError:
+            raise ValueError("Token has expired")
+        except JWTError as e:
+            raise ValueError(f"Token validation failed: {e}") from e

noesis_auth-0.1.0/models.py

@@ -0,0 +1,22 @@
+from dataclasses import dataclass, field
+
+
+@dataclass
+class Entitlement:
+    tool_id: str
+    expires_at: int  # unix timestamp
+
+
+@dataclass
+class TokenPayload:
+    sub: str
+    exp: int
+    iat: int
+    jti: str
+    entitlements: list[Entitlement] = field(default_factory=list)
+
+    def has_tool_access(self, tool_id: str) -> bool:
+        import time
+
+        now = int(time.time())
+        return any((e.tool_id == str(tool_id) and e.expires_at > now) for e in self.entitlements)

noesis_auth-0.1.0/noesis_auth.egg-info/PKG-INFO

@@ -0,0 +1,122 @@
+Metadata-Version: 2.4
+Name: noesis-auth
+Version: 0.1.0
+Summary: Python Auth SDK for AI tool integration with the Noesis AIToolCenter platform
+Author: Noesis AI Technologies
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/Noesis-AI-Technologies/AIToolCenter
+Project-URL: Documentation, https://github.com/Noesis-AI-Technologies/AIToolCenter/blob/main/docs/auth-sdk-guide.md
+Project-URL: Repository, https://github.com/Noesis-AI-Technologies/AIToolCenter
+Project-URL: Issues, https://github.com/Noesis-AI-Technologies/AIToolCenter/issues
+Keywords: auth,oauth2,jwt,sdk,ai-tools
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Classifier: Typing :: Typed
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+Requires-Dist: httpx>=0.24.0
+Requires-Dist: python-jose[cryptography]>=3.3.0
+Provides-Extra: fastapi
+Requires-Dist: fastapi>=0.100.0; extra == "fastapi"
+
+# noesis-auth (Python)
+
+Python Auth SDK for AI tool integration with the [Noesis AIToolCenter](https://github.com/Noesis-AI-Technologies/AIToolCenter) platform.
+
+## Installation
+
+```bash
+pip install noesis-auth
+
+# With FastAPI middleware support:
+pip install noesis-auth[fastapi]
+```
+
+## Quick Start
+
+### JWT Validation (Tool-side)
+
+```python
+from auth_sdk import JWTValidator
+
+validator = JWTValidator(
+    jwks_url="https://your-platform.com/.well-known/jwks.json"
+)
+
+payload = await validator.validate(token)
+print(payload["sub"])  # user ID
+```
+
+### FastAPI Middleware
+
+```python
+from fastapi import Depends, FastAPI
+from auth_sdk import AuthMiddleware, TokenPayload
+
+app = FastAPI()
+auth = AuthMiddleware(jwks_url="https://your-platform.com/.well-known/jwks.json")
+
+@app.get("/api/generate")
+async def generate(payload: TokenPayload = Depends(auth.require_tool("your-tool-id"))):
+    user_id = payload.sub
+    # ... your tool logic
+```
+
+### OAuth2 Client (PKCE)
+
+```python
+from auth_sdk import AuthClient
+
+client = AuthClient(base_url="https://your-platform.com")
+
+# Generate PKCE pair
+pkce = AuthClient.generate_pkce()
+
+# Build authorization URL
+url = client.build_authorize_url(
+    client_id="your-client-id",
+    redirect_uri="http://localhost:3000/callback",
+    code_challenge=pkce.code_challenge,
+)
+
+# Exchange code for tokens
+tokens = await client.exchange_code(
+    code=auth_code,
+    redirect_uri="http://localhost:3000/callback",
+    client_id="your-client-id",
+    code_verifier=pkce.code_verifier,
+)
+```
+
+### Activation Code Redemption
+
+```python
+result = await client.redeem_code(user_token="...", code="AXKF-M3PQ-7RBN-W2YT")
+print(result.tool_id, result.expires_at)
+```
+
+## Features
+
+- **JWT Validation** — RS256 (JWKS) and HS256 (shared secret) with auto-detection
+- **FastAPI Middleware** — Drop-in authentication and tool access verification
+- **OAuth2 Client** — Authorization URL builder, code exchange, token refresh
+- **PKCE Support** — S256 code challenge generation for public clients
+- **Token Introspection** — Remote token validation endpoint
+- **Activation Codes** — Redeem activation codes for tool entitlements
+- **JWKS Caching** — 6-hour cache with stale-while-revalidate and retry on failure
+
+## Requirements
+
+- Python >= 3.11
+- `httpx` >= 0.24
+- `python-jose[cryptography]` >= 3.3
+- `fastapi` >= 0.100 (optional, for middleware)
+
+## License
+
+MIT

noesis_auth-0.1.0/noesis_auth.egg-info/SOURCES.txt

@@ -0,0 +1,19 @@
+README.md
+__init__.py
+client.py
+fastapi_middleware.py
+jwt_validator.py
+models.py
+py.typed
+pyproject.toml
+./__init__.py
+./client.py
+./fastapi_middleware.py
+./jwt_validator.py
+./models.py
+./py.typed
+noesis_auth.egg-info/PKG-INFO
+noesis_auth.egg-info/SOURCES.txt
+noesis_auth.egg-info/dependency_links.txt
+noesis_auth.egg-info/requires.txt
+noesis_auth.egg-info/top_level.txt

noesis_auth-0.1.0/noesis_auth.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

noesis_auth-0.1.0/noesis_auth.egg-info/requires.txt

@@ -0,0 +1,5 @@
+httpx>=0.24.0
+python-jose[cryptography]>=3.3.0
+
+[fastapi]
+fastapi>=0.100.0

noesis_auth-0.1.0/noesis_auth.egg-info/top_level.txt

@@ -0,0 +1 @@
+auth_sdk

noesis_auth-0.1.0/pyproject.toml

@@ -0,0 +1,46 @@
+[project]
+name = "noesis-auth"
+version = "0.1.0"
+description = "Python Auth SDK for AI tool integration with the Noesis AIToolCenter platform"
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.11"
+authors = [
+    { name = "Noesis AI Technologies" },
+]
+keywords = ["auth", "oauth2", "jwt", "sdk", "ai-tools"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Security",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+    "Typing :: Typed",
+]
+dependencies = [
+    "httpx>=0.24.0",
+    "python-jose[cryptography]>=3.3.0",
+]
+
+[project.optional-dependencies]
+fastapi = [
+    "fastapi>=0.100.0",
+]
+
+[project.urls]
+Homepage = "https://github.com/Noesis-AI-Technologies/AIToolCenter"
+Documentation = "https://github.com/Noesis-AI-Technologies/AIToolCenter/blob/main/docs/auth-sdk-guide.md"
+Repository = "https://github.com/Noesis-AI-Technologies/AIToolCenter"
+Issues = "https://github.com/Noesis-AI-Technologies/AIToolCenter/issues"
+
+[build-system]
+requires = ["setuptools>=68.0"]
+build-backend = "setuptools.build_meta"
+
+[tool.setuptools]
+packages = ["auth_sdk"]
+
+[tool.setuptools.package-dir]
+auth_sdk = "."

noesis_auth-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+