qnsi 0.3.0__tar.gz

qnsi-0.3.0/.gitignore

@@ -0,0 +1,11 @@
+# Python SDK build/test artifacts (mirrored to qnsp-public minus these)
+.venv/
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+__pycache__/
+*.pyc
+*.pyo
+*.egg-info/
+build/
+dist/

qnsi-0.3.0/LICENSE

@@ -0,0 +1,17 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+   Copyright 2026 HEOSSI (PTE.) LTD.

qnsi-0.3.0/PKG-INFO

@@ -0,0 +1,242 @@
+Metadata-Version: 2.4
+Name: qnsi
+Version: 0.3.0
+Summary: Official Python SDK for the QNSI Quantum-Native Security Infrastructure — post-quantum cryptography (ML-KEM, ML-DSA, SLH-DSA, Falcon via liboqs), PQC-encrypted vault, KMS, and immutable audit trails. Mirrors the @heossi/qnsi-* TypeScript SDKs.
+Project-URL: Homepage, https://cloud.qnsi.heossi.com
+Project-URL: Documentation, https://docs.qnsi.heossi.com/sdk/python
+Project-URL: Repository, https://github.com/heossi-hq/qnsi-public
+Project-URL: Issues, https://github.com/heossi-hq/qnsi-public/issues
+Project-URL: Changelog, https://github.com/heossi-hq/qnsi-public/blob/main/sdks/python/qnsi/CHANGELOG.md
+Author: HEOSSI (PTE.) LTD.
+License: Apache-2.0
+License-File: LICENSE
+Keywords: audit,compliance,falcon,fips-203,fips-204,fips-205,kms,liboqs,ml-dsa,ml-kem,post-quantum,post-quantum-cryptography,pqc,qnsi,quantum-safe,slh-dsa,vault,zero-trust
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Classifier: Typing :: Typed
+Requires-Python: >=3.10
+Requires-Dist: httpx<1.0,>=0.27
+Requires-Dist: pyjwt<3.0,>=2.8
+Provides-Extra: all
+Requires-Dist: liboqs-python==0.12.0; extra == 'all'
+Provides-Extra: crypto
+Requires-Dist: liboqs-python==0.12.0; extra == 'crypto'
+Provides-Extra: dev
+Requires-Dist: mypy>=1.10; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
+Requires-Dist: pytest-httpx>=0.30; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: ruff>=0.6; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# qnsp — Python SDK for the Quantum-Native Security Infrastructure
+
+[![PyPI version](https://img.shields.io/pypi/v/qnsp.svg)](https://pypi.org/project/qnsp/)
+[![Python versions](https://img.shields.io/pypi/pyversions/qnsp.svg)](https://pypi.org/project/qnsp/)
+[![License](https://img.shields.io/pypi/l/qnsp.svg)](./LICENSE)
+
+Typed Python client for QNSI — post-quantum cryptography (ML-KEM, ML-DSA, SLH-DSA, Falcon via liboqs), PQC-encrypted vault, server-side KMS, immutable audit trails. Same wire contracts as the official `@heossi/qnsi-*` TypeScript SDKs — pick whichever language fits your stack and the byte-for-byte outputs round-trip.
+
+> **Free tier available.** Free-forever account at <https://cloud.qnsi.heossi.com/auth> — 60-second signup, no credit card. Includes 10 GB PQC storage, 50 000 API calls/month, 20 KMS keys, 25 vault secrets.
+
+## Installation
+
+Base install (HTTP clients for vault, KMS, audit):
+
+```bash
+pip install qnsp
+```
+
+With local PQC primitives (`qnsp.crypto` — wraps `liboqs-python` 0.12.0):
+
+```bash
+pip install 'qnsi[crypto]'
+```
+
+`liboqs-python` requires the `liboqs` C library available on the host. Easiest paths:
+
+| Platform | Command |
+| --- | --- |
+| macOS | `brew install liboqs` |
+| Debian/Ubuntu | `apt install liboqs-dev` |
+| From source | `cmake -DBUILD_SHARED_LIBS=ON ...` — see <https://github.com/open-quantum-safe/liboqs> |
+
+(A v0.3.x release will ship `cibuildwheel`-built wheels that bundle a self-contained liboqs binary, removing the system prerequisite.)
+
+Requires Python 3.10+ and `httpx`. Tested on CPython 3.10, 3.11, 3.12, 3.13.
+
+## Quick start
+
+```python
+import os
+import base64
+
+from qnsi import QnspClient
+
+with QnspClient(api_key=os.environ["QNSP_API_KEY"]) as qnsp:
+    # ── Vault — PQC-encrypted secret storage ─────────────────────────
+    secret = qnsp.vault.create_secret(
+        name="openai-api-key",
+        payload_b64=base64.b64encode(b"sk-...").decode(),
+        algorithm="ml-kem-768",
+    )
+    fresh = qnsp.vault.get_secret(secret["id"])
+
+    # ── KMS — server-side PQC keys ──────────────────────────────────
+    key = qnsp.kms.create_key(algorithm="ml-dsa-65", purpose="signing")
+    signature = qnsp.kms.sign(key["keyId"], data=b"hello")
+    assert qnsp.kms.verify(key["keyId"], data=b"hello", signature=signature)
+
+    # ── Audit — immutable, hash-chained event log ───────────────────
+    qnsp.audit.log_event(
+        event_type="model.inference",
+        payload={"modelId": "gpt-4o", "latencyMs": 412},
+    )
+
+    # ── New in 0.3.0 — full parity with Go and Rust SDKs ────────────
+    qnsp.tenant.get_tenant(qnsp.tenant_id)
+    qnsp.access.check_permission(subject_id="user-1", permission="vault.read")
+    qnsp.billing.get_entitlements()
+    qnsp.crypto_inventory.get_readiness_score(qnsp.tenant_id)
+    qnsp.storage.put_object("uploads", "report.pdf", data=b"...")
+    qnsp.search.query("docs", vector=[0.1] * 768, top_k=5)
+    qnsp.ai.invoke_inference(model_id="gpt-4o", input={"prompt": "..."})
+    qnsp.auth.login(email="user@example.com", password="...", tenant_id=qnsp.tenant_id)
+```
+
+## Local PQC primitives
+
+`qnsp.crypto` wraps `liboqs-python` so you don't have to write `oqs` calls yourself, and so the algorithm-name surface matches the rest of the QNSI ecosystem (TypeScript, Go, Rust):
+
+```python
+from qnsi.crypto import MlKem, MlDsa, SlhDsa, Falcon
+
+# Module-Lattice KEM (FIPS 203)
+kem = MlKem("ML-KEM-768")
+pk, sk = kem.keygen()
+enc = kem.encapsulate(pk)
+recovered = kem.decapsulate(enc.ciphertext, sk)
+assert recovered == enc.shared_secret
+
+# Module-Lattice signatures (FIPS 204)
+sig = MlDsa("ML-DSA-65")
+sig_pk, sig_sk = sig.keygen()
+signature = sig.sign(b"hello", sig_sk)
+assert sig.verify(b"hello", signature, sig_pk)
+
+# Stateless hash-based signatures (FIPS 205) — conservative, no lattice assumption
+slh = SlhDsa("SLH-DSA-SHA2-128f")
+
+# Compact lattice signatures (NIST PQC selection)
+fal = Falcon("Falcon-512")
+```
+
+Sizes match the FIPS specs exactly (the SDK reads them from the linked liboqs build, so no inline literals drift).
+
+## Verifying inbound webhooks
+
+QNSI signs every webhook with HMAC-SHA-256. Verify the **raw body** before parsing JSON:
+
+```python
+from fastapi import FastAPI, Request, HTTPException
+from qnsi import parse_qnsp_webhook, QnspWebhookError
+
+app = FastAPI()
+
+@app.post("/webhooks/qnsp")
+async def receive(request: Request) -> dict:
+    body = await request.body()
+    try:
+        event = parse_qnsp_webhook(
+            body=body,
+            signature_header=request.headers.get("x-qnsp-signature", ""),
+            timestamp_header=request.headers.get("x-qnsp-timestamp"),
+            secret=os.environ["QNSP_WEBHOOK_SECRET"],
+        )
+    except QnspWebhookError as exc:
+        raise HTTPException(400, str(exc))
+
+    if event.event_type == "key.rotated":
+        ...
+    return {"ok": True}
+```
+
+The verifier runs HMAC comparison in constant time, rejects timestamps older than 5 minutes by default (replay protection), and refuses payloads missing required fields.
+
+## Error handling
+
+All errors descend from `qnsp.QnspError`:
+
+| Class | When |
+| --- | --- |
+| `QnspNetworkError` | DNS, TLS, timeout, or connection failure |
+| `QnspAuthError` | API key rejected at activation |
+| `QnspApiError` | A service returned 4xx/5xx with a structured body |
+| `QnspWebhookError` | HMAC mismatch, expired timestamp, malformed body, etc. |
+
+```python
+from qnsi import QnspApiError, QnspNetworkError
+
+try:
+    qnsp.vault.get_secret("missing")
+except QnspApiError as exc:
+    print("HTTP", exc.status_code, exc.code, exc.body)
+except QnspNetworkError as exc:
+    print("Could not reach QNSI:", exc)
+```
+
+## Activation + tier introspection
+
+`QnspClient` performs a one-shot handshake against `/billing/v1/sdk/activate` on first use. The result is cached in memory; subsequent calls reuse it until ~1 minute before expiry. You can inspect the current activation:
+
+```python
+qnsp.tenant_id        # resolved tenant
+qnsp.tier             # plan tier
+qnsp.limits           # full limits dict
+qnsp.has_feature("sseEnabled")  # convenience boolean
+```
+
+If the activation token is rotated server-side, the SDK invalidates its cache and retries the originating request once on a 401.
+
+## What's covered today (v0.3.0 — full parity with Go and Rust SDKs)
+
+Customer-facing service modules — every QNSI service callable through the edge gateway:
+
+- `qnsp.vault` — secrets management (create / get / get-version / rotate / delete / list-versions)
+- `qnsp.kms` — server-side PQC keys (create / list / get / rotate / delete / sign / verify / wrap / unwrap)
+- `qnsp.audit` — immutable hash-chained event log (log-event / ingest-events / list-events)
+- `qnsp.auth` — login, refresh, revoke, WebAuthn passkeys, MFA, SAML/OIDC federation, risk-based auth
+- `qnsp.tenant` — tenant CRUD, crypto-policy management, current-health, current-quotas
+- `qnsp.access` — RBAC roles, role assignments, `check_permission`
+- `qnsp.billing` — entitlements, usage meters (single + batch), invoice listing, credit balance
+- `qnsp.crypto_inventory` — Cryptographic Bill of Materials: assets, discovery runs, PQC readiness
+- `qnsp.storage` — PQC-encrypted object storage with SSE-X
+- `qnsp.search` — encrypted vector search (index lifecycle, `upsert_vectors`, `query`)
+- `qnsp.ai` — model registry, AI workloads with enclave attestation, `invoke_inference`, artifacts
+
+Local primitives + integration:
+
+- `qnsp.crypto` (requires `qnsi[crypto]`) — ML-KEM (512/768/1024), ML-DSA (44/65/87), SLH-DSA (8 variants), Falcon (512/1024), plus BIKE, FrodoKEM, Classic-McEliece, MAYO, CROSS — every FIPS 203/204/205 finalist exposed by liboqs 0.12.0
+- `qnsp.parse_qnsp_webhook` / `qnsp.verify_qnsp_webhook_signature` — HMAC-SHA-256 verify + replay protection
+- `qnsp.QnspClient` — API-key activation with caching and 401 retry
+
+## What's coming
+
+- `AsyncQnspClient` — native-async variants using `httpx.AsyncClient`
+- A `pytest` plugin that mocks the QNSI API for tests in your codebase
+- Generated typed responses (currently `dict[str, Any]`) for every method
+
+## License
+
+Apache-2.0. See [LICENSE](./LICENSE).

qnsi-0.3.0/README.md

@@ -0,0 +1,200 @@
+# qnsp — Python SDK for the Quantum-Native Security Infrastructure
+
+[![PyPI version](https://img.shields.io/pypi/v/qnsp.svg)](https://pypi.org/project/qnsp/)
+[![Python versions](https://img.shields.io/pypi/pyversions/qnsp.svg)](https://pypi.org/project/qnsp/)
+[![License](https://img.shields.io/pypi/l/qnsp.svg)](./LICENSE)
+
+Typed Python client for QNSI — post-quantum cryptography (ML-KEM, ML-DSA, SLH-DSA, Falcon via liboqs), PQC-encrypted vault, server-side KMS, immutable audit trails. Same wire contracts as the official `@heossi/qnsi-*` TypeScript SDKs — pick whichever language fits your stack and the byte-for-byte outputs round-trip.
+
+> **Free tier available.** Free-forever account at <https://cloud.qnsi.heossi.com/auth> — 60-second signup, no credit card. Includes 10 GB PQC storage, 50 000 API calls/month, 20 KMS keys, 25 vault secrets.
+
+## Installation
+
+Base install (HTTP clients for vault, KMS, audit):
+
+```bash
+pip install qnsp
+```
+
+With local PQC primitives (`qnsp.crypto` — wraps `liboqs-python` 0.12.0):
+
+```bash
+pip install 'qnsi[crypto]'
+```
+
+`liboqs-python` requires the `liboqs` C library available on the host. Easiest paths:
+
+| Platform | Command |
+| --- | --- |
+| macOS | `brew install liboqs` |
+| Debian/Ubuntu | `apt install liboqs-dev` |
+| From source | `cmake -DBUILD_SHARED_LIBS=ON ...` — see <https://github.com/open-quantum-safe/liboqs> |
+
+(A v0.3.x release will ship `cibuildwheel`-built wheels that bundle a self-contained liboqs binary, removing the system prerequisite.)
+
+Requires Python 3.10+ and `httpx`. Tested on CPython 3.10, 3.11, 3.12, 3.13.
+
+## Quick start
+
+```python
+import os
+import base64
+
+from qnsi import QnspClient
+
+with QnspClient(api_key=os.environ["QNSP_API_KEY"]) as qnsp:
+    # ── Vault — PQC-encrypted secret storage ─────────────────────────
+    secret = qnsp.vault.create_secret(
+        name="openai-api-key",
+        payload_b64=base64.b64encode(b"sk-...").decode(),
+        algorithm="ml-kem-768",
+    )
+    fresh = qnsp.vault.get_secret(secret["id"])
+
+    # ── KMS — server-side PQC keys ──────────────────────────────────
+    key = qnsp.kms.create_key(algorithm="ml-dsa-65", purpose="signing")
+    signature = qnsp.kms.sign(key["keyId"], data=b"hello")
+    assert qnsp.kms.verify(key["keyId"], data=b"hello", signature=signature)
+
+    # ── Audit — immutable, hash-chained event log ───────────────────
+    qnsp.audit.log_event(
+        event_type="model.inference",
+        payload={"modelId": "gpt-4o", "latencyMs": 412},
+    )
+
+    # ── New in 0.3.0 — full parity with Go and Rust SDKs ────────────
+    qnsp.tenant.get_tenant(qnsp.tenant_id)
+    qnsp.access.check_permission(subject_id="user-1", permission="vault.read")
+    qnsp.billing.get_entitlements()
+    qnsp.crypto_inventory.get_readiness_score(qnsp.tenant_id)
+    qnsp.storage.put_object("uploads", "report.pdf", data=b"...")
+    qnsp.search.query("docs", vector=[0.1] * 768, top_k=5)
+    qnsp.ai.invoke_inference(model_id="gpt-4o", input={"prompt": "..."})
+    qnsp.auth.login(email="user@example.com", password="...", tenant_id=qnsp.tenant_id)
+```
+
+## Local PQC primitives
+
+`qnsp.crypto` wraps `liboqs-python` so you don't have to write `oqs` calls yourself, and so the algorithm-name surface matches the rest of the QNSI ecosystem (TypeScript, Go, Rust):
+
+```python
+from qnsi.crypto import MlKem, MlDsa, SlhDsa, Falcon
+
+# Module-Lattice KEM (FIPS 203)
+kem = MlKem("ML-KEM-768")
+pk, sk = kem.keygen()
+enc = kem.encapsulate(pk)
+recovered = kem.decapsulate(enc.ciphertext, sk)
+assert recovered == enc.shared_secret
+
+# Module-Lattice signatures (FIPS 204)
+sig = MlDsa("ML-DSA-65")
+sig_pk, sig_sk = sig.keygen()
+signature = sig.sign(b"hello", sig_sk)
+assert sig.verify(b"hello", signature, sig_pk)
+
+# Stateless hash-based signatures (FIPS 205) — conservative, no lattice assumption
+slh = SlhDsa("SLH-DSA-SHA2-128f")
+
+# Compact lattice signatures (NIST PQC selection)
+fal = Falcon("Falcon-512")
+```
+
+Sizes match the FIPS specs exactly (the SDK reads them from the linked liboqs build, so no inline literals drift).
+
+## Verifying inbound webhooks
+
+QNSI signs every webhook with HMAC-SHA-256. Verify the **raw body** before parsing JSON:
+
+```python
+from fastapi import FastAPI, Request, HTTPException
+from qnsi import parse_qnsp_webhook, QnspWebhookError
+
+app = FastAPI()
+
+@app.post("/webhooks/qnsp")
+async def receive(request: Request) -> dict:
+    body = await request.body()
+    try:
+        event = parse_qnsp_webhook(
+            body=body,
+            signature_header=request.headers.get("x-qnsp-signature", ""),
+            timestamp_header=request.headers.get("x-qnsp-timestamp"),
+            secret=os.environ["QNSP_WEBHOOK_SECRET"],
+        )
+    except QnspWebhookError as exc:
+        raise HTTPException(400, str(exc))
+
+    if event.event_type == "key.rotated":
+        ...
+    return {"ok": True}
+```
+
+The verifier runs HMAC comparison in constant time, rejects timestamps older than 5 minutes by default (replay protection), and refuses payloads missing required fields.
+
+## Error handling
+
+All errors descend from `qnsp.QnspError`:
+
+| Class | When |
+| --- | --- |
+| `QnspNetworkError` | DNS, TLS, timeout, or connection failure |
+| `QnspAuthError` | API key rejected at activation |
+| `QnspApiError` | A service returned 4xx/5xx with a structured body |
+| `QnspWebhookError` | HMAC mismatch, expired timestamp, malformed body, etc. |
+
+```python
+from qnsi import QnspApiError, QnspNetworkError
+
+try:
+    qnsp.vault.get_secret("missing")
+except QnspApiError as exc:
+    print("HTTP", exc.status_code, exc.code, exc.body)
+except QnspNetworkError as exc:
+    print("Could not reach QNSI:", exc)
+```
+
+## Activation + tier introspection
+
+`QnspClient` performs a one-shot handshake against `/billing/v1/sdk/activate` on first use. The result is cached in memory; subsequent calls reuse it until ~1 minute before expiry. You can inspect the current activation:
+
+```python
+qnsp.tenant_id        # resolved tenant
+qnsp.tier             # plan tier
+qnsp.limits           # full limits dict
+qnsp.has_feature("sseEnabled")  # convenience boolean
+```
+
+If the activation token is rotated server-side, the SDK invalidates its cache and retries the originating request once on a 401.
+
+## What's covered today (v0.3.0 — full parity with Go and Rust SDKs)
+
+Customer-facing service modules — every QNSI service callable through the edge gateway:
+
+- `qnsp.vault` — secrets management (create / get / get-version / rotate / delete / list-versions)
+- `qnsp.kms` — server-side PQC keys (create / list / get / rotate / delete / sign / verify / wrap / unwrap)
+- `qnsp.audit` — immutable hash-chained event log (log-event / ingest-events / list-events)
+- `qnsp.auth` — login, refresh, revoke, WebAuthn passkeys, MFA, SAML/OIDC federation, risk-based auth
+- `qnsp.tenant` — tenant CRUD, crypto-policy management, current-health, current-quotas
+- `qnsp.access` — RBAC roles, role assignments, `check_permission`
+- `qnsp.billing` — entitlements, usage meters (single + batch), invoice listing, credit balance
+- `qnsp.crypto_inventory` — Cryptographic Bill of Materials: assets, discovery runs, PQC readiness
+- `qnsp.storage` — PQC-encrypted object storage with SSE-X
+- `qnsp.search` — encrypted vector search (index lifecycle, `upsert_vectors`, `query`)
+- `qnsp.ai` — model registry, AI workloads with enclave attestation, `invoke_inference`, artifacts
+
+Local primitives + integration:
+
+- `qnsp.crypto` (requires `qnsi[crypto]`) — ML-KEM (512/768/1024), ML-DSA (44/65/87), SLH-DSA (8 variants), Falcon (512/1024), plus BIKE, FrodoKEM, Classic-McEliece, MAYO, CROSS — every FIPS 203/204/205 finalist exposed by liboqs 0.12.0
+- `qnsp.parse_qnsp_webhook` / `qnsp.verify_qnsp_webhook_signature` — HMAC-SHA-256 verify + replay protection
+- `qnsp.QnspClient` — API-key activation with caching and 401 retry
+
+## What's coming
+
+- `AsyncQnspClient` — native-async variants using `httpx.AsyncClient`
+- A `pytest` plugin that mocks the QNSI API for tests in your codebase
+- Generated typed responses (currently `dict[str, Any]`) for every method
+
+## License
+
+Apache-2.0. See [LICENSE](./LICENSE).

qnsi-0.3.0/pyproject.toml

@@ -0,0 +1,108 @@
+[build-system]
+requires = ["hatchling>=1.27"]
+build-backend = "hatchling.build"
+
+[project]
+name = "qnsi"
+version = "0.3.0"
+description = "Official Python SDK for the QNSI Quantum-Native Security Infrastructure — post-quantum cryptography (ML-KEM, ML-DSA, SLH-DSA, Falcon via liboqs), PQC-encrypted vault, KMS, and immutable audit trails. Mirrors the @heossi/qnsi-* TypeScript SDKs."
+readme = "README.md"
+license = { text = "Apache-2.0" }
+requires-python = ">=3.10"
+authors = [
+  { name = "HEOSSI (PTE.) LTD." },
+]
+keywords = [
+  "qnsi",
+  "post-quantum",
+  "post-quantum-cryptography",
+  "pqc",
+  "vault",
+  "kms",
+  "audit",
+  "compliance",
+  "fips-203",
+  "fips-204",
+  "fips-205",
+  "ml-kem",
+  "ml-dsa",
+  "slh-dsa",
+  "falcon",
+  "liboqs",
+  "quantum-safe",
+  "zero-trust",
+]
+classifiers = [
+  "Development Status :: 4 - Beta",
+  "Intended Audience :: Developers",
+  "Intended Audience :: Information Technology",
+  "License :: OSI Approved :: Apache Software License",
+  "Operating System :: OS Independent",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3 :: Only",
+  "Programming Language :: Python :: 3.10",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Programming Language :: Python :: 3.13",
+  "Topic :: Security :: Cryptography",
+  "Topic :: Software Development :: Libraries :: Python Modules",
+  "Typing :: Typed",
+]
+dependencies = [
+  "httpx>=0.27,<1.0",
+  "PyJWT>=2.8,<3.0",
+]
+
+[project.optional-dependencies]
+# Local PQC primitives — wraps liboqs via the open-quantum-safe Python binding.
+# `liboqs-python` 0.12.0 expects the liboqs C library to be discoverable on the
+# system. Inside the QNSI monorepo this is satisfied automatically by
+# `tooling/liboqs-src/build/`. End users install via:
+#   - macOS:   brew install liboqs   &&  pip install 'qnsi[crypto]'
+#   - Debian:  apt install liboqs-dev && pip install 'qnsi[crypto]'
+#   - Other:   build liboqs from source (see https://github.com/open-quantum-safe/liboqs)
+# A v0.3.x follow-up will ship cibuildwheel-built wheels that bundle a fully
+# self-contained liboqs binary — same model as @heossi/liboqs-native's prebuilds/.
+crypto = [
+  "liboqs-python==0.12.0",
+]
+dev = [
+  "pytest>=8.0",
+  "pytest-asyncio>=0.23",
+  "pytest-httpx>=0.30",
+  "mypy>=1.10",
+  "ruff>=0.6",
+]
+all = [
+  "qnsi[crypto]",
+]
+
+[project.urls]
+Homepage = "https://cloud.qnsi.heossi.com"
+Documentation = "https://docs.qnsi.heossi.com/sdk/python"
+Repository = "https://github.com/heossi-hq/qnsi-public"
+Issues = "https://github.com/heossi-hq/qnsi-public/issues"
+Changelog = "https://github.com/heossi-hq/qnsi-public/blob/main/sdks/python/qnsi/CHANGELOG.md"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/qnsi"]
+
+[tool.hatch.build.targets.sdist]
+include = ["src", "README.md", "LICENSE", "pyproject.toml"]
+
+[tool.ruff]
+line-length = 100
+target-version = "py310"
+
+[tool.ruff.lint]
+select = ["E", "F", "W", "I", "N", "UP", "B", "C4", "SIM", "RUF"]
+
+[tool.mypy]
+python_version = "3.10"
+strict = true
+warn_return_any = true
+warn_unused_configs = true
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+asyncio_mode = "auto"

qnsi-0.3.0/src/qnsi/__init__.py

@@ -0,0 +1,98 @@
+"""QNSI — official Python SDK for the Quantum-Native Security Infrastructure.
+
+Mirrors the surface of the ``@heossi/qnsi-*`` TypeScript SDK family for the Python
+ecosystem. Same wire contracts, same algorithm names, same FIPS 203/204/205
+posture — pick whichever language fits your stack and the byte-for-byte
+outputs round-trip.
+
+Quick start::
+
+    from qnsi import QnspClient
+
+    qnsp = QnspClient(api_key=os.environ["QNSP_API_KEY"])
+
+    # Vault
+    secret = qnsp.vault.create_secret(
+        name="openai-key",
+        payload_b64=base64.b64encode(b"sk-...").decode(),
+    )
+
+    # KMS
+    key = qnsp.kms.create_key(algorithm="ml-dsa-65", purpose="signing")
+    sig = qnsp.kms.sign(key["keyId"], data=b"hello")
+
+    # Audit
+    qnsp.audit.log_event(event_type="model.inference", payload={"modelId": "gpt-4o"})
+
+Local PQC primitives (requires ``qnsi[crypto]``)::
+
+    from qnsi.crypto import MlKem, MlDsa
+
+    kem = MlKem("ML-KEM-768")
+    pk, sk = kem.keygen()
+    enc = kem.encapsulate(pk)
+    assert kem.decapsulate(enc.ciphertext, sk) == enc.shared_secret
+
+Webhook verification::
+
+    from qnsi import parse_qnsp_webhook, QnspWebhookError
+
+    event = parse_qnsp_webhook(
+        body=raw_body,
+        signature_header=request.headers["x-qnsp-signature"],
+        timestamp_header=request.headers["x-qnsp-timestamp"],
+        secret=os.environ["QNSP_WEBHOOK_SECRET"],
+    )
+
+Free signup at https://cloud.qnsi.heossi.com/auth — no credit card.
+"""
+
+from qnsi._client import QnspClient
+from qnsi._errors import (
+    QnspApiError,
+    QnspAuthError,
+    QnspError,
+    QnspNetworkError,
+    QnspWebhookError,
+)
+from qnsi.access import AccessClient
+from qnsi.ai import AIClient
+from qnsi.audit import AuditClient
+from qnsi.auth import AuthClient
+from qnsi.billing import BillingClient
+from qnsi.crypto_inventory import CryptoInventoryClient
+from qnsi.kms import KmsClient
+from qnsi.search import SearchClient
+from qnsi.storage import StorageClient
+from qnsi.tenant import TenantClient
+from qnsi.vault import VaultClient
+from qnsi.webhooks import (
+    QnspWebhookEvent,
+    parse_qnsp_webhook,
+    verify_qnsp_webhook_signature,
+)
+
+__version__ = "0.3.0"
+
+__all__ = [
+    "AccessClient",
+    "AIClient",
+    "AuditClient",
+    "AuthClient",
+    "BillingClient",
+    "CryptoInventoryClient",
+    "KmsClient",
+    "QnspApiError",
+    "QnspAuthError",
+    "QnspClient",
+    "QnspError",
+    "QnspNetworkError",
+    "QnspWebhookError",
+    "QnspWebhookEvent",
+    "SearchClient",
+    "StorageClient",
+    "TenantClient",
+    "VaultClient",
+    "parse_qnsp_webhook",
+    "verify_qnsp_webhook_signature",
+]