pypredicate-temporal 0.1.0__tar.gz

pypredicate_temporal-0.1.0/.gitignore

@@ -0,0 +1,87 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# pyenv
+.python-version
+
+# IDEs
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Ruff
+.ruff_cache/
+
+# macOS
+.DS_Store
+
+# Jupyter
+.ipynb_checkpoints/

pypredicate_temporal-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Predicate Systems
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

pypredicate_temporal-0.1.0/PKG-INFO

@@ -0,0 +1,208 @@
+Metadata-Version: 2.4
+Name: pypredicate-temporal
+Version: 0.1.0
+Summary: Temporal.io Worker Interceptor for Predicate Authority Zero-Trust authorization
+Project-URL: Homepage, https://github.com/PredicateSystems/predicate-temporal-python
+Project-URL: Documentation, https://docs.predicatesystems.dev/integrations/temporal
+Project-URL: Repository, https://github.com/PredicateSystems/predicate-temporal-python
+Project-URL: Issues, https://github.com/PredicateSystems/predicate-temporal-python/issues
+Author-email: Predicate Systems <hello@predicatesystems.dev>
+License-Expression: MIT
+License-File: LICENSE
+Keywords: ai-agents,authorization,predicate-authority,security,temporal,zero-trust
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Classifier: Typing :: Typed
+Requires-Python: >=3.11
+Requires-Dist: predicate-authority>=0.1.0
+Requires-Dist: temporalio>=1.5.0
+Provides-Extra: dev
+Requires-Dist: mypy>=1.8.0; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.23.0; extra == 'dev'
+Requires-Dist: pytest-cov>=4.1.0; extra == 'dev'
+Requires-Dist: pytest>=8.0.0; extra == 'dev'
+Requires-Dist: ruff>=0.2.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# predicate-temporal
+
+Temporal.io Worker Interceptor for Predicate Authority Zero-Trust authorization.
+
+This package provides a pre-execution security gate for all Temporal Activities, enforcing cryptographic authorization mandates before any activity code runs.
+
+## Prerequisites
+
+This package requires the **Predicate Authority Sidecar** daemon to be running. The sidecar is a lightweight Rust binary that handles policy evaluation and mandate signing.
+
+| Resource | Link |
+|----------|------|
+| Sidecar Repository | [github.com/PredicateSystems/predicate-authority-sidecar](https://github.com/PredicateSystems/predicate-authority-sidecar) |
+| Download Binaries | [Latest Releases](https://github.com/PredicateSystems/predicate-authority-sidecar/releases) |
+| License | MIT / Apache 2.0 |
+
+### Quick Sidecar Setup
+
+```bash
+# Download the latest release for your platform
+# Linux x64, macOS x64/ARM64, Windows x64 available
+
+# Extract and run
+tar -xzf predicate-authorityd-*.tar.gz
+chmod +x predicate-authorityd
+
+# Start with a policy file
+./predicate-authorityd --port 8787 --policy-file policy.json
+```
+
+## Installation
+
+```bash
+pip install predicate-temporal
+```
+
+## Quick Start
+
+```python
+from temporalio.worker import Worker
+from predicate_temporal import PredicateInterceptor
+from predicate_authority import AuthorityClient
+
+# Initialize the Predicate Authority client
+ctx = AuthorityClient.from_env()
+
+# Create the interceptor
+interceptor = PredicateInterceptor(
+    authority_client=ctx.client,
+    principal="temporal-worker",
+)
+
+# Create worker with the interceptor
+worker = Worker(
+    client=temporal_client,
+    task_queue="my-task-queue",
+    workflows=[MyWorkflow],
+    activities=[my_activity],
+    interceptors=[interceptor],
+)
+```
+
+## How It Works
+
+The interceptor sits in the Temporal activity execution pipeline:
+
+1. Temporal dispatches an activity to your worker
+2. **Before** the activity code runs, the interceptor extracts:
+   - Activity name (action)
+   - Activity arguments (context)
+3. The interceptor calls `AuthorityClient.authorize()` to request a mandate
+4. If **denied**: raises `PermissionError` - activity never executes
+5. If **approved**: activity proceeds normally
+
+This ensures that no untrusted code or payload reaches your OS until it has been cryptographically authorized.
+
+## Configuration
+
+### Environment Variables
+
+Set these environment variables for the Authority client:
+
+```bash
+export PREDICATE_AUTHORITY_POLICY_FILE=/path/to/policy.json
+export PREDICATE_AUTHORITY_SIGNING_KEY=your-secret-key
+export PREDICATE_AUTHORITY_MANDATE_TTL_SECONDS=300
+```
+
+### Policy File
+
+Create a policy file that defines allowed activities:
+
+```json
+{
+  "rules": [
+    {
+      "name": "allow-safe-activities",
+      "effect": "allow",
+      "principals": ["temporal-worker"],
+      "actions": ["process_order", "send_notification"],
+      "resources": ["*"]
+    },
+    {
+      "name": "deny-dangerous-activities",
+      "effect": "deny",
+      "principals": ["*"],
+      "actions": ["delete_*", "admin_*"],
+      "resources": ["*"]
+    }
+  ]
+}
+```
+
+## API Reference
+
+### PredicateInterceptor
+
+```python
+PredicateInterceptor(
+    authority_client: AuthorityClient,
+    principal: str = "temporal-worker",
+    tenant_id: str | None = None,
+    session_id: str | None = None,
+)
+```
+
+**Parameters:**
+
+- `authority_client`: The Predicate Authority client instance
+- `principal`: Principal ID used for authorization requests (default: "temporal-worker")
+- `tenant_id`: Optional tenant ID for multi-tenant setups
+- `session_id`: Optional session ID for request correlation
+
+### PredicateActivityInterceptor
+
+The inbound interceptor that performs the actual authorization check. Created automatically by `PredicateInterceptor`.
+
+## Error Handling
+
+When authorization is denied, the interceptor raises a `PermissionError`:
+
+```python
+try:
+    await workflow.execute_activity(
+        dangerous_activity,
+        args,
+        start_to_close_timeout=timedelta(seconds=30),
+    )
+except ActivityError as e:
+    if isinstance(e.cause, ApplicationError):
+        # Handle authorization denial
+        print(f"Activity blocked: {e.cause.message}")
+```
+
+## Development
+
+```bash
+# Install dev dependencies
+pip install -e ".[dev]"
+
+# Run tests
+pytest
+
+# Type checking
+mypy src
+
+# Linting
+ruff check src tests
+ruff format src tests
+```
+
+## License
+
+MIT

pypredicate_temporal-0.1.0/README.md

@@ -0,0 +1,174 @@
+# predicate-temporal
+
+Temporal.io Worker Interceptor for Predicate Authority Zero-Trust authorization.
+
+This package provides a pre-execution security gate for all Temporal Activities, enforcing cryptographic authorization mandates before any activity code runs.
+
+## Prerequisites
+
+This package requires the **Predicate Authority Sidecar** daemon to be running. The sidecar is a lightweight Rust binary that handles policy evaluation and mandate signing.
+
+| Resource | Link |
+|----------|------|
+| Sidecar Repository | [github.com/PredicateSystems/predicate-authority-sidecar](https://github.com/PredicateSystems/predicate-authority-sidecar) |
+| Download Binaries | [Latest Releases](https://github.com/PredicateSystems/predicate-authority-sidecar/releases) |
+| License | MIT / Apache 2.0 |
+
+### Quick Sidecar Setup
+
+```bash
+# Download the latest release for your platform
+# Linux x64, macOS x64/ARM64, Windows x64 available
+
+# Extract and run
+tar -xzf predicate-authorityd-*.tar.gz
+chmod +x predicate-authorityd
+
+# Start with a policy file
+./predicate-authorityd --port 8787 --policy-file policy.json
+```
+
+## Installation
+
+```bash
+pip install predicate-temporal
+```
+
+## Quick Start
+
+```python
+from temporalio.worker import Worker
+from predicate_temporal import PredicateInterceptor
+from predicate_authority import AuthorityClient
+
+# Initialize the Predicate Authority client
+ctx = AuthorityClient.from_env()
+
+# Create the interceptor
+interceptor = PredicateInterceptor(
+    authority_client=ctx.client,
+    principal="temporal-worker",
+)
+
+# Create worker with the interceptor
+worker = Worker(
+    client=temporal_client,
+    task_queue="my-task-queue",
+    workflows=[MyWorkflow],
+    activities=[my_activity],
+    interceptors=[interceptor],
+)
+```
+
+## How It Works
+
+The interceptor sits in the Temporal activity execution pipeline:
+
+1. Temporal dispatches an activity to your worker
+2. **Before** the activity code runs, the interceptor extracts:
+   - Activity name (action)
+   - Activity arguments (context)
+3. The interceptor calls `AuthorityClient.authorize()` to request a mandate
+4. If **denied**: raises `PermissionError` - activity never executes
+5. If **approved**: activity proceeds normally
+
+This ensures that no untrusted code or payload reaches your OS until it has been cryptographically authorized.
+
+## Configuration
+
+### Environment Variables
+
+Set these environment variables for the Authority client:
+
+```bash
+export PREDICATE_AUTHORITY_POLICY_FILE=/path/to/policy.json
+export PREDICATE_AUTHORITY_SIGNING_KEY=your-secret-key
+export PREDICATE_AUTHORITY_MANDATE_TTL_SECONDS=300
+```
+
+### Policy File
+
+Create a policy file that defines allowed activities:
+
+```json
+{
+  "rules": [
+    {
+      "name": "allow-safe-activities",
+      "effect": "allow",
+      "principals": ["temporal-worker"],
+      "actions": ["process_order", "send_notification"],
+      "resources": ["*"]
+    },
+    {
+      "name": "deny-dangerous-activities",
+      "effect": "deny",
+      "principals": ["*"],
+      "actions": ["delete_*", "admin_*"],
+      "resources": ["*"]
+    }
+  ]
+}
+```
+
+## API Reference
+
+### PredicateInterceptor
+
+```python
+PredicateInterceptor(
+    authority_client: AuthorityClient,
+    principal: str = "temporal-worker",
+    tenant_id: str | None = None,
+    session_id: str | None = None,
+)
+```
+
+**Parameters:**
+
+- `authority_client`: The Predicate Authority client instance
+- `principal`: Principal ID used for authorization requests (default: "temporal-worker")
+- `tenant_id`: Optional tenant ID for multi-tenant setups
+- `session_id`: Optional session ID for request correlation
+
+### PredicateActivityInterceptor
+
+The inbound interceptor that performs the actual authorization check. Created automatically by `PredicateInterceptor`.
+
+## Error Handling
+
+When authorization is denied, the interceptor raises a `PermissionError`:
+
+```python
+try:
+    await workflow.execute_activity(
+        dangerous_activity,
+        args,
+        start_to_close_timeout=timedelta(seconds=30),
+    )
+except ActivityError as e:
+    if isinstance(e.cause, ApplicationError):
+        # Handle authorization denial
+        print(f"Activity blocked: {e.cause.message}")
+```
+
+## Development
+
+```bash
+# Install dev dependencies
+pip install -e ".[dev]"
+
+# Run tests
+pytest
+
+# Type checking
+mypy src
+
+# Linting
+ruff check src tests
+ruff format src tests
+```
+
+## License
+
+MIT

pypredicate_temporal-0.1.0/examples/README.md

@@ -0,0 +1,73 @@
+# Predicate Temporal Python Examples
+
+This directory contains examples demonstrating how to use `predicate-temporal` to secure Temporal activities.
+
+## Prerequisites
+
+1. Install dependencies:
+   ```bash
+   pip install temporalio predicate-authority predicate-temporal
+   ```
+
+2. Start the Predicate Authority daemon:
+   ```bash
+   # Download from https://github.com/PredicateSystems/predicate-authority-sidecar/releases
+   ./predicate-authorityd --port 8787 --policy-file policy.json
+   ```
+
+3. Start a local Temporal server:
+   ```bash
+   temporal server start-dev
+   ```
+
+## Examples
+
+### Basic Example (`basic_worker.py`)
+
+A minimal example showing:
+- Setting up activities with Predicate interceptor
+- Running a workflow that executes secured activities
+- Handling authorization denials
+
+Run with:
+```bash
+python basic_worker.py
+```
+
+### E-commerce Example (`ecommerce_worker.py`)
+
+A realistic e-commerce scenario with:
+- Order processing activities
+- Payment handling
+- Inventory management
+- Policy-based access control
+
+Run with:
+```bash
+python ecommerce_worker.py
+```
+
+## Policy File
+
+The `policy.json` file defines which activities are allowed. Example:
+
+```json
+{
+  "rules": [
+    {
+      "name": "allow-order-processing",
+      "effect": "allow",
+      "principals": ["temporal-worker"],
+      "actions": ["process_order", "check_inventory", "send_confirmation"],
+      "resources": ["*"]
+    },
+    {
+      "name": "deny-admin-actions",
+      "effect": "deny",
+      "principals": ["*"],
+      "actions": ["delete_*", "admin_*"],
+      "resources": ["*"]
+    }
+  ]
+}
+```

pypredicate_temporal-0.1.0/pyproject.toml

@@ -0,0 +1,120 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "pypredicate-temporal"
+version = "0.1.0"
+description = "Temporal.io Worker Interceptor for Predicate Authority Zero-Trust authorization"
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.11"
+authors = [
+    { name = "Predicate Systems", email = "hello@predicatesystems.dev" }
+]
+keywords = [
+    "temporal",
+    "authorization",
+    "zero-trust",
+    "security",
+    "ai-agents",
+    "predicate-authority"
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Topic :: Security",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+    "Typing :: Typed",
+]
+dependencies = [
+    "temporalio>=1.5.0",
+    "predicate-authority>=0.1.0",
+]
+
+[project.optional-dependencies]
+dev = [
+    "pytest>=8.0.0",
+    "pytest-asyncio>=0.23.0",
+    "pytest-cov>=4.1.0",
+    "mypy>=1.8.0",
+    "ruff>=0.2.0",
+]
+
+[project.urls]
+Homepage = "https://github.com/PredicateSystems/predicate-temporal-python"
+Documentation = "https://docs.predicatesystems.dev/integrations/temporal"
+Repository = "https://github.com/PredicateSystems/predicate-temporal-python"
+Issues = "https://github.com/PredicateSystems/predicate-temporal-python/issues"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/predicate_temporal"]
+
+[tool.hatch.build.targets.sdist]
+include = [
+    "/src",
+    "/tests",
+    "README.md",
+    "LICENSE",
+]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+asyncio_mode = "auto"
+addopts = "-v --tb=short"
+
+[tool.mypy]
+python_version = "3.11"
+strict = true
+warn_return_any = true
+warn_unused_ignores = true
+show_error_codes = true
+
+[[tool.mypy.overrides]]
+module = ["temporalio.*"]
+ignore_missing_imports = true
+
+[[tool.mypy.overrides]]
+module = ["predicate_authority.*", "predicate_contracts.*"]
+ignore_missing_imports = true
+
+[tool.ruff]
+target-version = "py311"
+line-length = 100
+src = ["src", "tests"]
+
+[tool.ruff.lint]
+select = [
+    "E",    # pycodestyle errors
+    "W",    # pycodestyle warnings
+    "F",    # Pyflakes
+    "I",    # isort
+    "B",    # flake8-bugbear
+    "C4",   # flake8-comprehensions
+    "UP",   # pyupgrade
+    "ARG",  # flake8-unused-arguments
+    "SIM",  # flake8-simplify
+]
+ignore = [
+    "E501",   # line too long (handled by formatter)
+]
+
+[tool.ruff.lint.isort]
+known-first-party = ["predicate_temporal"]
+
+[tool.coverage.run]
+source = ["src/predicate_temporal"]
+branch = true
+
+[tool.coverage.report]
+exclude_lines = [
+    "pragma: no cover",
+    "if TYPE_CHECKING:",
+    "raise NotImplementedError",
+]

pypredicate_temporal-0.1.0/src/predicate_temporal/__init__.py

@@ -0,0 +1,13 @@
+"""Temporal.io Worker Interceptor for Predicate Authority Zero-Trust authorization."""
+
+from predicate_temporal.interceptor import (
+    PredicateActivityInterceptor,
+    PredicateInterceptor,
+)
+
+__version__ = "0.1.0"
+
+__all__ = [
+    "PredicateActivityInterceptor",
+    "PredicateInterceptor",
+]

pypredicate_temporal-0.1.0/src/predicate_temporal/interceptor.py

@@ -0,0 +1,196 @@
+"""Predicate Authority interceptor for Temporal.io activities.
+
+This module provides a pre-execution security gate for all Temporal Activities,
+enforcing cryptographic authorization mandates before any activity code runs.
+"""
+
+from __future__ import annotations
+
+import hashlib
+import json
+from typing import Any
+
+from predicate_authority import AuthorityClient
+from predicate_contracts import (
+    ActionRequest,
+    ActionSpec,
+    PrincipalRef,
+    StateEvidence,
+    VerificationEvidence,
+)
+from temporalio.worker import (
+    ActivityInboundInterceptor,
+    ExecuteActivityInput,
+    Interceptor,
+)
+
+
+class PredicateActivityInterceptor(ActivityInboundInterceptor):
+    """Inbound interceptor that enforces Predicate Authority authorization for activities.
+
+    This interceptor sits in the Temporal activity execution pipeline and ensures
+    that every activity is authorized before execution. If authorization is denied,
+    a PermissionError is raised and the activity never executes.
+    """
+
+    def __init__(
+        self,
+        next_interceptor: ActivityInboundInterceptor,
+        authority_client: AuthorityClient,
+        principal: str,
+        tenant_id: str | None = None,
+        session_id: str | None = None,
+    ) -> None:
+        """Initialize the activity interceptor.
+
+        Args:
+            next_interceptor: The next interceptor in the chain.
+            authority_client: The Predicate Authority client for authorization.
+            principal: Principal ID used for authorization requests.
+            tenant_id: Optional tenant ID for multi-tenant setups.
+            session_id: Optional session ID for request correlation.
+        """
+        super().__init__(next_interceptor)
+        self._authority_client = authority_client
+        self._principal = principal
+        self._tenant_id = tenant_id
+        self._session_id = session_id
+
+    async def execute_activity(self, input: ExecuteActivityInput) -> Any:
+        """Execute activity with Predicate Authority authorization check.
+
+        This method intercepts the activity execution, extracts the activity name
+        and arguments, and requests authorization from Predicate Authority.
+        If denied, raises PermissionError. If approved, proceeds with execution.
+
+        Args:
+            input: The activity execution input containing activity name and args.
+
+        Returns:
+            The result of the activity execution.
+
+        Raises:
+            PermissionError: If authorization is denied.
+        """
+        activity_name = input.fn.__name__
+        activity_args = input.args
+
+        args_json = json.dumps(
+            [self._serialize_arg(arg) for arg in activity_args],
+            sort_keys=True,
+            default=str,
+        )
+        args_hash = hashlib.sha256(args_json.encode()).hexdigest()
+
+        request = ActionRequest(
+            principal=PrincipalRef(
+                principal_id=self._principal,
+                tenant_id=self._tenant_id,
+                session_id=self._session_id,
+            ),
+            action_spec=ActionSpec(
+                action=activity_name,
+                resource="temporal:activity",
+                intent=f"execute:{activity_name}",
+            ),
+            state_evidence=StateEvidence(
+                source="temporal-worker",
+                state_hash=args_hash,
+                schema_version="v1",
+            ),
+            verification_evidence=VerificationEvidence(signals=()),
+        )
+
+        decision = self._authority_client.authorize(request)
+
+        if not decision.allowed:
+            raise PermissionError(
+                f"Predicate Zero-Trust Denial: Activity '{activity_name}' not authorized. "
+                f"Reason: {decision.reason.value}"
+                + (f", violated rule: {decision.violated_rule}" if decision.violated_rule else "")
+            )
+
+        return await super().execute_activity(input)
+
+    @staticmethod
+    def _serialize_arg(arg: Any) -> Any:
+        """Serialize an argument for hashing.
+
+        Args:
+            arg: The argument to serialize.
+
+        Returns:
+            A JSON-serializable representation of the argument.
+        """
+        if hasattr(arg, "__dict__"):
+            return {k: v for k, v in arg.__dict__.items() if not k.startswith("_")}
+        return arg
+
+
+class PredicateInterceptor(Interceptor):
+    """Top-level Temporal interceptor that injects Predicate Authority authorization.
+
+    Use this interceptor when creating a Temporal Worker to enforce Zero-Trust
+    authorization for all activities.
+
+    Example:
+        ```python
+        from temporalio.worker import Worker
+        from predicate_temporal import PredicateInterceptor
+        from predicate_authority import AuthorityClient
+
+        ctx = AuthorityClient.from_env()
+        interceptor = PredicateInterceptor(
+            authority_client=ctx.client,
+            principal="temporal-worker",
+        )
+
+        worker = Worker(
+            client=temporal_client,
+            task_queue="my-task-queue",
+            workflows=[MyWorkflow],
+            activities=[my_activity],
+            interceptors=[interceptor],
+        )
+        ```
+    """
+
+    def __init__(
+        self,
+        authority_client: AuthorityClient,
+        principal: str = "temporal-worker",
+        tenant_id: str | None = None,
+        session_id: str | None = None,
+    ) -> None:
+        """Initialize the Predicate interceptor.
+
+        Args:
+            authority_client: The Predicate Authority client for authorization.
+            principal: Principal ID used for authorization requests (default: "temporal-worker").
+            tenant_id: Optional tenant ID for multi-tenant setups.
+            session_id: Optional session ID for request correlation.
+        """
+        self._authority_client = authority_client
+        self._principal = principal
+        self._tenant_id = tenant_id
+        self._session_id = session_id
+
+    def intercept_activity(
+        self,
+        next_interceptor: ActivityInboundInterceptor,
+    ) -> ActivityInboundInterceptor:
+        """Inject the Predicate activity interceptor into the pipeline.
+
+        Args:
+            next_interceptor: The next interceptor in the chain.
+
+        Returns:
+            The PredicateActivityInterceptor wrapping the next interceptor.
+        """
+        return PredicateActivityInterceptor(
+            next_interceptor=next_interceptor,
+            authority_client=self._authority_client,
+            principal=self._principal,
+            tenant_id=self._tenant_id,
+            session_id=self._session_id,
+        )

pypredicate_temporal-0.1.0/tests/test_interceptor.py

@@ -0,0 +1,251 @@
+"""Tests for the Predicate Temporal interceptor."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Any
+from unittest.mock import AsyncMock, MagicMock
+
+import pytest
+
+from predicate_temporal.interceptor import (
+    PredicateActivityInterceptor,
+    PredicateInterceptor,
+)
+
+
+@dataclass
+class MockActivityInput:
+    """Mock for ExecuteActivityInput."""
+
+    fn: Any
+    args: tuple[Any, ...]
+
+
+def mock_activity_function(x: int, y: str) -> str:
+    """Mock activity function for testing."""
+    return f"{x}-{y}"
+
+
+class MockAuthorizationDecision:
+    """Mock authorization decision."""
+
+    def __init__(self, allowed: bool, reason: str = "allowed", violated_rule: str | None = None):
+        self.allowed = allowed
+        self.reason = MagicMock(value=reason)
+        self.violated_rule = violated_rule
+        self.mandate = MagicMock() if allowed else None
+
+
+class TestPredicateActivityInterceptor:
+    """Tests for PredicateActivityInterceptor."""
+
+    @pytest.fixture
+    def mock_authority_client(self) -> MagicMock:
+        """Create a mock authority client."""
+        return MagicMock()
+
+    @pytest.fixture
+    def mock_next_interceptor(self) -> MagicMock:
+        """Create a mock next interceptor."""
+        interceptor = MagicMock()
+        interceptor.execute_activity = AsyncMock(return_value="activity_result")
+        return interceptor
+
+    @pytest.fixture
+    def interceptor(
+        self, mock_next_interceptor: MagicMock, mock_authority_client: MagicMock
+    ) -> PredicateActivityInterceptor:
+        """Create the interceptor under test."""
+        return PredicateActivityInterceptor(
+            next_interceptor=mock_next_interceptor,
+            authority_client=mock_authority_client,
+            principal="test-worker",
+            tenant_id="test-tenant",
+            session_id="test-session",
+        )
+
+    @pytest.mark.asyncio
+    async def test_execute_activity_allowed(
+        self,
+        interceptor: PredicateActivityInterceptor,
+        mock_authority_client: MagicMock,
+        mock_next_interceptor: MagicMock,
+    ) -> None:
+        """Test that allowed activities proceed to execution."""
+        mock_authority_client.authorize.return_value = MockAuthorizationDecision(allowed=True)
+
+        input_data = MockActivityInput(fn=mock_activity_function, args=(42, "hello"))
+
+        result = await interceptor.execute_activity(input_data)  # type: ignore[arg-type]
+
+        assert result == "activity_result"
+        mock_authority_client.authorize.assert_called_once()
+        mock_next_interceptor.execute_activity.assert_called_once_with(input_data)
+
+    @pytest.mark.asyncio
+    async def test_execute_activity_denied(
+        self,
+        interceptor: PredicateActivityInterceptor,
+        mock_authority_client: MagicMock,
+        mock_next_interceptor: MagicMock,
+    ) -> None:
+        """Test that denied activities raise PermissionError."""
+        mock_authority_client.authorize.return_value = MockAuthorizationDecision(
+            allowed=False,
+            reason="explicit_deny",
+            violated_rule="deny-dangerous",
+        )
+
+        input_data = MockActivityInput(fn=mock_activity_function, args=(42, "hello"))
+
+        with pytest.raises(PermissionError) as exc_info:
+            await interceptor.execute_activity(input_data)  # type: ignore[arg-type]
+
+        assert "Predicate Zero-Trust Denial" in str(exc_info.value)
+        assert "mock_activity_function" in str(exc_info.value)
+        assert "explicit_deny" in str(exc_info.value)
+        assert "deny-dangerous" in str(exc_info.value)
+
+        mock_next_interceptor.execute_activity.assert_not_called()
+
+    @pytest.mark.asyncio
+    async def test_execute_activity_denied_no_violated_rule(
+        self,
+        interceptor: PredicateActivityInterceptor,
+        mock_authority_client: MagicMock,
+    ) -> None:
+        """Test denial message without violated rule."""
+        mock_authority_client.authorize.return_value = MockAuthorizationDecision(
+            allowed=False,
+            reason="no_matching_policy",
+            violated_rule=None,
+        )
+
+        input_data = MockActivityInput(fn=mock_activity_function, args=(42, "hello"))
+
+        with pytest.raises(PermissionError) as exc_info:
+            await interceptor.execute_activity(input_data)  # type: ignore[arg-type]
+
+        assert "no_matching_policy" in str(exc_info.value)
+        assert "violated rule" not in str(exc_info.value)
+
+    @pytest.mark.asyncio
+    async def test_authorization_request_structure(
+        self,
+        interceptor: PredicateActivityInterceptor,
+        mock_authority_client: MagicMock,
+    ) -> None:
+        """Test that the authorization request has correct structure."""
+        mock_authority_client.authorize.return_value = MockAuthorizationDecision(allowed=True)
+
+        input_data = MockActivityInput(fn=mock_activity_function, args=(42, "hello"))
+
+        await interceptor.execute_activity(input_data)  # type: ignore[arg-type]
+
+        call_args = mock_authority_client.authorize.call_args
+        request = call_args[0][0]
+
+        assert request.principal.principal_id == "test-worker"
+        assert request.principal.tenant_id == "test-tenant"
+        assert request.principal.session_id == "test-session"
+        assert request.action_spec.action == "mock_activity_function"
+        assert request.action_spec.resource == "temporal:activity"
+        assert "execute:mock_activity_function" in request.action_spec.intent
+        assert request.state_evidence.source == "temporal-worker"
+        assert request.state_evidence.state_hash  # Non-empty hash
+
+    def test_serialize_arg_primitive(self) -> None:
+        """Test serialization of primitive types."""
+        assert PredicateActivityInterceptor._serialize_arg(42) == 42
+        assert PredicateActivityInterceptor._serialize_arg("hello") == "hello"
+        assert PredicateActivityInterceptor._serialize_arg(True) is True
+        assert PredicateActivityInterceptor._serialize_arg(None) is None
+
+    def test_serialize_arg_object(self) -> None:
+        """Test serialization of objects with __dict__."""
+
+        @dataclass
+        class TestObject:
+            name: str
+            value: int
+            _private: str = "hidden"
+
+        obj = TestObject(name="test", value=123, _private="secret")
+        serialized = PredicateActivityInterceptor._serialize_arg(obj)
+
+        assert serialized == {"name": "test", "value": 123}
+        assert "_private" not in serialized
+
+
+class TestPredicateInterceptor:
+    """Tests for PredicateInterceptor."""
+
+    @pytest.fixture
+    def mock_authority_client(self) -> MagicMock:
+        """Create a mock authority client."""
+        return MagicMock()
+
+    def test_interceptor_creation(self, mock_authority_client: MagicMock) -> None:
+        """Test interceptor creation with all parameters."""
+        interceptor = PredicateInterceptor(
+            authority_client=mock_authority_client,
+            principal="custom-worker",
+            tenant_id="tenant-123",
+            session_id="session-456",
+        )
+
+        assert interceptor._authority_client == mock_authority_client
+        assert interceptor._principal == "custom-worker"
+        assert interceptor._tenant_id == "tenant-123"
+        assert interceptor._session_id == "session-456"
+
+    def test_interceptor_defaults(self, mock_authority_client: MagicMock) -> None:
+        """Test interceptor creation with default parameters."""
+        interceptor = PredicateInterceptor(authority_client=mock_authority_client)
+
+        assert interceptor._principal == "temporal-worker"
+        assert interceptor._tenant_id is None
+        assert interceptor._session_id is None
+
+    def test_intercept_activity(self, mock_authority_client: MagicMock) -> None:
+        """Test that intercept_activity returns PredicateActivityInterceptor."""
+        interceptor = PredicateInterceptor(
+            authority_client=mock_authority_client,
+            principal="test-worker",
+            tenant_id="tenant-123",
+        )
+
+        mock_next = MagicMock()
+        result = interceptor.intercept_activity(mock_next)
+
+        assert isinstance(result, PredicateActivityInterceptor)
+        assert result._authority_client == mock_authority_client
+        assert result._principal == "test-worker"
+        assert result._tenant_id == "tenant-123"
+
+
+class TestIntegration:
+    """Integration-style tests."""
+
+    @pytest.mark.asyncio
+    async def test_full_interceptor_chain(self) -> None:
+        """Test the full interceptor chain from top-level to activity execution."""
+        mock_client = MagicMock()
+        mock_client.authorize.return_value = MockAuthorizationDecision(allowed=True)
+
+        interceptor = PredicateInterceptor(
+            authority_client=mock_client,
+            principal="integration-worker",
+        )
+
+        mock_next = MagicMock()
+        mock_next.execute_activity = AsyncMock(return_value="success")
+
+        activity_interceptor = interceptor.intercept_activity(mock_next)
+
+        input_data = MockActivityInput(fn=mock_activity_function, args=("arg1",))
+        result = await activity_interceptor.execute_activity(input_data)  # type: ignore[arg-type]
+
+        assert result == "success"
+        mock_client.authorize.assert_called_once()