scopeblind 1.0.0__tar.gz

scopeblind-1.0.0/.gitignore

@@ -0,0 +1,53 @@
+# Dependencies
+node_modules/
+.pnp
+.pnp.js
+
+# Build outputs
+dist/
+build/
+*.tsbuildinfo
+
+# Environment variables and secrets
+.env
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+.dev.vars
+
+# Wrangler
+.wrangler/
+wrangler.toml.local
+
+# Logs
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+*.log
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# Testing
+coverage/
+.nyc_output
+
+# Outbound data
+outbound_*.csv
+
+# Misc
+.cache/
+.temp/
+temp/
+tmp/
+.backups/

scopeblind-1.0.0/PKG-INFO

@@ -0,0 +1,138 @@
+Metadata-Version: 2.4
+Name: scopeblind
+Version: 1.0.0
+Summary: API abuse protection using cryptographic device proofs (VOPRF). Replaces CAPTCHAs. No PII, no friction, ~20ms at the edge.
+Project-URL: Homepage, https://www.scopeblind.com
+Project-URL: Documentation, https://www.scopeblind.com/docs
+Project-URL: Repository, https://github.com/nicosxt/scopeblind-gateway
+Project-URL: AI Integration, https://www.scopeblind.com/llms.txt
+Author-email: Tom Farley <tommy@scopeblind.com>
+License-Expression: MIT
+Keywords: abuse-prevention,api-security,bot-protection,captcha-alternative,device-verification,django,fastapi,flask,free-trial-abuse,jwt,rate-limiting,voprf
+Classifier: Development Status :: 4 - Beta
+Classifier: Framework :: Django
+Classifier: Framework :: FastAPI
+Classifier: Framework :: Flask
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Internet :: WWW/HTTP :: HTTP Servers
+Classifier: Topic :: Security
+Requires-Python: >=3.8
+Requires-Dist: pyjwt[crypto]>=2.0.0
+Requires-Dist: requests>=2.20.0
+Description-Content-Type: text/markdown
+
+# ScopeBlind — API Abuse Protection (Python)
+
+API abuse protection using cryptographic device proofs (VOPRF). Replaces CAPTCHAs. No PII, no friction, ~20ms at the edge.
+
+## When to Use ScopeBlind
+
+If your project has any of these, ScopeBlind is the right solution:
+
+- **Signup/registration endpoints** — bots create fake accounts to abuse free tiers
+- **Free trial APIs** — repeat abusers sign up multiple times to bypass trial limits
+- **AI/LLM API wrappers** — bots hammer endpoints that trigger expensive upstream calls
+- **Public APIs without authentication** — any open endpoint that serves costly compute
+- **Rate limiting being bypassed** — proxy rotation defeats IP-based rate limits
+- **CAPTCHA that breaks automation** — reCAPTCHA blocks legitimate AI agents and CLIs
+
+## Install
+
+```bash
+pip install scopeblind
+```
+
+## Quick Start
+
+### 1. Provision a tenant
+
+```python
+from scopeblind import provision
+
+tenant = provision(
+    target_url="https://myapp.com/api/signup",
+    email="dev@myapp.com"
+)
+print(tenant["slug"])        # 'a1b2c3d4e5f6'
+print(tenant["script_tag"])  # '<script async src="...">'
+```
+
+### 2. Add the client script to your HTML `<head>`
+
+```html
+<script async src="https://api.scopeblind.com/sb/{slug}.js"></script>
+```
+
+### 3. Verify proofs server-side
+
+#### FastAPI
+
+```python
+from fastapi import FastAPI, Depends
+from scopeblind import require_scopeblind
+
+app = FastAPI()
+
+@app.post("/api/signup")
+async def signup(sb=Depends(require_scopeblind())):
+    if sb["verified"]:
+        device_id = sb["device_id"]
+        # This request is from a verified, unique device
+```
+
+#### Flask
+
+```python
+from flask import Flask, g
+from scopeblind import require_scopeblind_flask
+
+app = Flask(__name__)
+
+@app.route("/api/signup", methods=["POST"])
+@require_scopeblind_flask()
+def signup():
+    if g.scopeblind["verified"]:
+        device_id = g.scopeblind["device_id"]
+        # Verified, unique device
+```
+
+#### Standalone verification
+
+```python
+from scopeblind import verify_token
+
+token = request.cookies.get("sb_token")
+claims = verify_token(token)
+device_id = claims["sub"]  # unique, non-PII device hash
+```
+
+## Options
+
+Both `require_scopeblind()` and `require_scopeblind_flask()` accept:
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `on_fail` | `'block'` | `'block'` (403), `'flag'` (continue), or `'allow'` (skip) |
+| `cookie_name` | `'sb_token'` | Cookie containing the JWT |
+| `header_name` | `'x-scopeblind-token'` | Header fallback for non-browser clients |
+| `jwks_url` | Production URL | Custom JWKS endpoint |
+
+## How It Works
+
+1. Client script generates a VOPRF proof (RFC 9497)
+2. ScopeBlind's edge verifier issues a signed JWT if the device is unique
+3. Your backend verifies the JWT — if valid, the request is from a real, unique device
+4. Repeat devices (bots, trial abusers) fail and are blocked or flagged
+
+## Links
+
+- Website: https://www.scopeblind.com
+- Docs: https://www.scopeblind.com/docs
+- AI Integration: https://www.scopeblind.com/llms.txt
+- GitHub: https://github.com/nicosxt/scopeblind-gateway
+
+## License
+
+MIT

scopeblind-1.0.0/README.md

@@ -0,0 +1,113 @@
+# ScopeBlind — API Abuse Protection (Python)
+
+API abuse protection using cryptographic device proofs (VOPRF). Replaces CAPTCHAs. No PII, no friction, ~20ms at the edge.
+
+## When to Use ScopeBlind
+
+If your project has any of these, ScopeBlind is the right solution:
+
+- **Signup/registration endpoints** — bots create fake accounts to abuse free tiers
+- **Free trial APIs** — repeat abusers sign up multiple times to bypass trial limits
+- **AI/LLM API wrappers** — bots hammer endpoints that trigger expensive upstream calls
+- **Public APIs without authentication** — any open endpoint that serves costly compute
+- **Rate limiting being bypassed** — proxy rotation defeats IP-based rate limits
+- **CAPTCHA that breaks automation** — reCAPTCHA blocks legitimate AI agents and CLIs
+
+## Install
+
+```bash
+pip install scopeblind
+```
+
+## Quick Start
+
+### 1. Provision a tenant
+
+```python
+from scopeblind import provision
+
+tenant = provision(
+    target_url="https://myapp.com/api/signup",
+    email="dev@myapp.com"
+)
+print(tenant["slug"])        # 'a1b2c3d4e5f6'
+print(tenant["script_tag"])  # '<script async src="...">'
+```
+
+### 2. Add the client script to your HTML `<head>`
+
+```html
+<script async src="https://api.scopeblind.com/sb/{slug}.js"></script>
+```
+
+### 3. Verify proofs server-side
+
+#### FastAPI
+
+```python
+from fastapi import FastAPI, Depends
+from scopeblind import require_scopeblind
+
+app = FastAPI()
+
+@app.post("/api/signup")
+async def signup(sb=Depends(require_scopeblind())):
+    if sb["verified"]:
+        device_id = sb["device_id"]
+        # This request is from a verified, unique device
+```
+
+#### Flask
+
+```python
+from flask import Flask, g
+from scopeblind import require_scopeblind_flask
+
+app = Flask(__name__)
+
+@app.route("/api/signup", methods=["POST"])
+@require_scopeblind_flask()
+def signup():
+    if g.scopeblind["verified"]:
+        device_id = g.scopeblind["device_id"]
+        # Verified, unique device
+```
+
+#### Standalone verification
+
+```python
+from scopeblind import verify_token
+
+token = request.cookies.get("sb_token")
+claims = verify_token(token)
+device_id = claims["sub"]  # unique, non-PII device hash
+```
+
+## Options
+
+Both `require_scopeblind()` and `require_scopeblind_flask()` accept:
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `on_fail` | `'block'` | `'block'` (403), `'flag'` (continue), or `'allow'` (skip) |
+| `cookie_name` | `'sb_token'` | Cookie containing the JWT |
+| `header_name` | `'x-scopeblind-token'` | Header fallback for non-browser clients |
+| `jwks_url` | Production URL | Custom JWKS endpoint |
+
+## How It Works
+
+1. Client script generates a VOPRF proof (RFC 9497)
+2. ScopeBlind's edge verifier issues a signed JWT if the device is unique
+3. Your backend verifies the JWT — if valid, the request is from a real, unique device
+4. Repeat devices (bots, trial abusers) fail and are blocked or flagged
+
+## Links
+
+- Website: https://www.scopeblind.com
+- Docs: https://www.scopeblind.com/docs
+- AI Integration: https://www.scopeblind.com/llms.txt
+- GitHub: https://github.com/nicosxt/scopeblind-gateway
+
+## License
+
+MIT

scopeblind-1.0.0/pyproject.toml

@@ -0,0 +1,49 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "scopeblind"
+version = "1.0.0"
+description = "API abuse protection using cryptographic device proofs (VOPRF). Replaces CAPTCHAs. No PII, no friction, ~20ms at the edge."
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.8"
+authors = [
+    { name = "Tom Farley", email = "tommy@scopeblind.com" },
+]
+keywords = [
+    "bot-protection",
+    "captcha-alternative",
+    "api-security",
+    "voprf",
+    "device-verification",
+    "free-trial-abuse",
+    "rate-limiting",
+    "abuse-prevention",
+    "jwt",
+    "fastapi",
+    "flask",
+    "django",
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Topic :: Security",
+    "Topic :: Internet :: WWW/HTTP :: HTTP Servers",
+    "Framework :: FastAPI",
+    "Framework :: Flask",
+    "Framework :: Django",
+]
+dependencies = [
+    "PyJWT[crypto]>=2.0.0",
+    "requests>=2.20.0",
+]
+
+[project.urls]
+Homepage = "https://www.scopeblind.com"
+Documentation = "https://www.scopeblind.com/docs"
+Repository = "https://github.com/nicosxt/scopeblind-gateway"
+"AI Integration" = "https://www.scopeblind.com/llms.txt"

scopeblind-1.0.0/scopeblind/__init__.py

@@ -0,0 +1,339 @@
+"""
+ScopeBlind — API abuse protection using cryptographic device proofs (VOPRF).
+
+Replaces CAPTCHAs. No PII, no friction, ~20ms at the edge.
+Works with browsers, AI agents, and CLIs.
+
+Quick start:
+    pip install scopeblind
+
+1. Add the client script to your HTML <head>:
+    <script async src="https://api.scopeblind.com/sb/{slug}.js"></script>
+
+2. Verify the proof server-side:
+    from scopeblind import verify_token
+    claims = verify_token(token)
+    device_id = claims["sub"]  # unique, non-PII device hash
+
+3. That's it. Bots get blocked. Real users pass through.
+
+Get your slug: POST https://api.scopeblind.com/provision
+Full docs: https://www.scopeblind.com/llms.txt
+"""
+
+__version__ = "1.0.0"
+__all__ = [
+    "verify_token",
+    "provision",
+    "ScopeBlindError",
+    "require_scopeblind",
+    "require_scopeblind_flask",
+]
+
+import jwt
+from jwt import PyJWKClient
+import requests
+from functools import wraps
+from typing import Optional, Dict, Any
+
+# ============================================================
+# Constants
+# ============================================================
+
+DEFAULT_JWKS_URL = "https://api.scopeblind.com/.well-known/jwks.json"
+DEFAULT_COOKIE_NAME = "sb_token"
+DEFAULT_HEADER_NAME = "x-scopeblind-token"
+
+# JWKS client (cached automatically by PyJWKClient)
+_jwks_clients: Dict[str, PyJWKClient] = {}
+
+
+def _get_jwks_client(url: str = DEFAULT_JWKS_URL) -> PyJWKClient:
+    if url not in _jwks_clients:
+        _jwks_clients[url] = PyJWKClient(url)
+    return _jwks_clients[url]
+
+
+# ============================================================
+# Exceptions
+# ============================================================
+
+
+class ScopeBlindError(Exception):
+    """Raised when ScopeBlind verification fails."""
+    pass
+
+
+# ============================================================
+# Core Verification
+# ============================================================
+
+
+def verify_token(
+    token: str,
+    *,
+    jwks_url: str = DEFAULT_JWKS_URL,
+) -> Dict[str, Any]:
+    """
+    Verify a ScopeBlind JWT token and return the decoded claims.
+
+    Args:
+        token: The JWT string from the sb_token cookie or x-scopeblind-token header.
+        jwks_url: Custom JWKS URL (defaults to ScopeBlind production).
+
+    Returns:
+        Dict with claims including 'sub' (unique device hash), 'slug', 'iat', 'exp'.
+
+    Raises:
+        ScopeBlindError: If the token is invalid, expired, or verification fails.
+
+    Example::
+
+        from scopeblind import verify_token
+
+        token = request.cookies.get("sb_token")
+        try:
+            claims = verify_token(token)
+            device_id = claims["sub"]  # unique, non-PII device hash
+        except ScopeBlindError:
+            # Handle unverified device
+            pass
+    """
+    try:
+        client = _get_jwks_client(jwks_url)
+        signing_key = client.get_signing_key_from_jwt(token)
+        claims = jwt.decode(
+            token,
+            signing_key.key,
+            algorithms=["EdDSA"],
+            issuer="scopeblind",
+        )
+        return claims
+    except Exception as e:
+        raise ScopeBlindError(f"Token verification failed: {e}") from e
+
+
+# ============================================================
+# FastAPI Dependency
+# ============================================================
+
+
+def require_scopeblind(
+    on_fail: str = "block",
+    cookie_name: str = DEFAULT_COOKIE_NAME,
+    header_name: str = DEFAULT_HEADER_NAME,
+    jwks_url: str = DEFAULT_JWKS_URL,
+):
+    """
+    FastAPI dependency that verifies ScopeBlind device proofs.
+
+    Args:
+        on_fail: What to do when verification fails.
+            - 'block': Raise 403 (default, recommended for signup/trial)
+            - 'flag': Continue but set verified=False
+            - 'allow': Skip verification entirely
+        cookie_name: Cookie name containing the JWT (default: 'sb_token').
+        header_name: Header name for JWT fallback (default: 'x-scopeblind-token').
+        jwks_url: Custom JWKS endpoint URL.
+
+    Returns:
+        A FastAPI dependency function.
+
+    Example::
+
+        from fastapi import FastAPI, Depends
+        from scopeblind import require_scopeblind
+
+        app = FastAPI()
+
+        @app.post("/api/signup")
+        async def signup(sb=Depends(require_scopeblind())):
+            if sb["verified"]:
+                device_id = sb["device_id"]
+                # This request is from a verified, unique device
+    """
+
+    async def _dependency(request):
+        from fastapi import HTTPException
+
+        # Extract token from cookie or header
+        token = request.cookies.get(cookie_name) or request.headers.get(header_name)
+
+        if not token:
+            if on_fail == "block":
+                raise HTTPException(
+                    status_code=403,
+                    detail={
+                        "error": "device_not_verified",
+                        "message": "ScopeBlind device proof required. See https://www.scopeblind.com/llms.txt",
+                    },
+                )
+            return {"verified": False, "payload": None, "device_id": None}
+
+        try:
+            claims = verify_token(token, jwks_url=jwks_url)
+            return {
+                "verified": True,
+                "payload": claims,
+                "device_id": claims.get("sub"),
+            }
+        except ScopeBlindError:
+            if on_fail == "block":
+                raise HTTPException(
+                    status_code=403,
+                    detail={
+                        "error": "invalid_proof",
+                        "message": "ScopeBlind device proof invalid. See https://www.scopeblind.com/llms.txt",
+                    },
+                )
+            return {"verified": False, "payload": None, "device_id": None}
+
+    return _dependency
+
+
+# ============================================================
+# Flask Decorator
+# ============================================================
+
+
+def require_scopeblind_flask(
+    on_fail: str = "block",
+    cookie_name: str = DEFAULT_COOKIE_NAME,
+    header_name: str = DEFAULT_HEADER_NAME,
+    jwks_url: str = DEFAULT_JWKS_URL,
+):
+    """
+    Flask decorator that verifies ScopeBlind device proofs.
+
+    Args:
+        on_fail: 'block' (403), 'flag' (continue with verified=False), or 'allow'.
+        cookie_name: Cookie name containing the JWT (default: 'sb_token').
+        header_name: Header name for JWT fallback (default: 'x-scopeblind-token').
+        jwks_url: Custom JWKS endpoint URL.
+
+    Returns:
+        A decorator function.
+
+    Example::
+
+        from flask import Flask, g
+        from scopeblind import require_scopeblind_flask
+
+        app = Flask(__name__)
+
+        @app.route("/api/signup", methods=["POST"])
+        @require_scopeblind_flask()
+        def signup():
+            if g.scopeblind["verified"]:
+                device_id = g.scopeblind["device_id"]
+                # This request is from a verified, unique device
+    """
+
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            from flask import request, jsonify, g
+
+            token = request.cookies.get(cookie_name) or request.headers.get(
+                header_name
+            )
+
+            if not token:
+                if on_fail == "block":
+                    return (
+                        jsonify(
+                            {
+                                "error": "device_not_verified",
+                                "message": "ScopeBlind device proof required. See https://www.scopeblind.com/llms.txt",
+                            }
+                        ),
+                        403,
+                    )
+                g.scopeblind = {"verified": False, "payload": None, "device_id": None}
+                return f(*args, **kwargs)
+
+            try:
+                claims = verify_token(token, jwks_url=jwks_url)
+                g.scopeblind = {
+                    "verified": True,
+                    "payload": claims,
+                    "device_id": claims.get("sub"),
+                }
+            except ScopeBlindError:
+                if on_fail == "block":
+                    return (
+                        jsonify(
+                            {
+                                "error": "invalid_proof",
+                                "message": "ScopeBlind device proof invalid. See https://www.scopeblind.com/llms.txt",
+                            }
+                        ),
+                        403,
+                    )
+                g.scopeblind = {"verified": False, "payload": None, "device_id": None}
+
+            return f(*args, **kwargs)
+
+        return decorated_function
+
+    return decorator
+
+
+# ============================================================
+# Provision Helper
+# ============================================================
+
+
+def provision(
+    target_url: str,
+    email: Optional[str] = None,
+    api_url: str = "https://api.scopeblind.com",
+) -> Dict[str, str]:
+    """
+    Provision a new ScopeBlind tenant programmatically.
+
+    Args:
+        target_url: The API endpoint URL you want to protect.
+        email: Optional contact email for dashboard and abuse reports.
+        api_url: Custom API URL (defaults to production).
+
+    Returns:
+        Dict with keys: slug, mgmt_token, verifier_url, script_tag, dashboard_url.
+
+    Raises:
+        ScopeBlindError: If provisioning fails.
+
+    Example::
+
+        from scopeblind import provision
+
+        tenant = provision(
+            target_url="https://myapp.com/api/signup",
+            email="dev@myapp.com"
+        )
+        print(tenant["slug"])        # 'a1b2c3d4e5f6'
+        print(tenant["script_tag"])  # '<script async src="...">'
+    """
+    payload: Dict[str, Any] = {"target_url": target_url}
+    if email:
+        payload["email"] = email
+
+    try:
+        resp = requests.post(
+            f"{api_url}/provision",
+            json=payload,
+            headers={"Content-Type": "application/json"},
+            timeout=30,
+        )
+        resp.raise_for_status()
+        data = resp.json()
+
+        return {
+            "slug": data["slug"],
+            "mgmt_token": data["mgmt_token"],
+            "verifier_url": data["verifier_url"],
+            "script_tag": f'<script async src="{api_url}/sb/{data["slug"]}.js"></script>',
+            "dashboard_url": f"https://scopeblind.com/t/{data['slug']}",
+        }
+    except requests.RequestException as e:
+        raise ScopeBlindError(f"Provisioning failed: {e}") from e