signedby 0.1.0__tar.gz

signedby-0.1.0/Cargo.lock

@@ -0,0 +1,329 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "autocfg"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
+
+[[package]]
+name = "base64"
+version = "0.21.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567"
+
+[[package]]
+name = "bech32"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32637268377fc7b10a8c6d51de3e7fba1ce5dd371a96e342b34e6078db558e7f"
+
+[[package]]
+name = "bitflags"
+version = "2.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3"
+
+[[package]]
+name = "cfg-if"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
+
+[[package]]
+name = "heck"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8"
+
+[[package]]
+name = "hex"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+
+[[package]]
+name = "indoc"
+version = "2.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "79cf5c93f93228cf8efb3ba362535fb11199ac548a09ce117c9b1adc3030d706"
+dependencies = [
+ "rustversion",
+]
+
+[[package]]
+name = "itoa"
+version = "1.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
+
+[[package]]
+name = "libc"
+version = "0.2.185"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "52ff2c0fe9bc6cb6b14a0592c2ff4fa9ceb83eea9db979b0487cd054946a2b8f"
+
+[[package]]
+name = "lock_api"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
+dependencies = [
+ "scopeguard",
+]
+
+[[package]]
+name = "memchr"
+version = "2.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
+
+[[package]]
+name = "memoffset"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "488016bfae457b036d996092f6cb448677611ce4449e970ceaf42695203f218a"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.21.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
+
+[[package]]
+name = "parking_lot"
+version = "0.12.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a"
+dependencies = [
+ "lock_api",
+ "parking_lot_core",
+]
+
+[[package]]
+name = "parking_lot_core"
+version = "0.9.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "redox_syscall",
+ "smallvec",
+ "windows-link",
+]
+
+[[package]]
+name = "portable-atomic"
+version = "1.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.106"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "pyo3"
+version = "0.20.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "53bdbb96d49157e65d45cc287af5f32ffadd5f4761438b527b055fb0d4bb8233"
+dependencies = [
+ "cfg-if",
+ "indoc",
+ "libc",
+ "memoffset",
+ "parking_lot",
+ "portable-atomic",
+ "pyo3-build-config",
+ "pyo3-ffi",
+ "pyo3-macros",
+ "unindent",
+]
+
+[[package]]
+name = "pyo3-build-config"
+version = "0.20.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "deaa5745de3f5231ce10517a1f5dd97d53e5a2fd77aa6b5842292085831d48d7"
+dependencies = [
+ "once_cell",
+ "target-lexicon",
+]
+
+[[package]]
+name = "pyo3-ffi"
+version = "0.20.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "62b42531d03e08d4ef1f6e85a2ed422eb678b8cd62b762e53891c05faf0d4afa"
+dependencies = [
+ "libc",
+ "pyo3-build-config",
+]
+
+[[package]]
+name = "pyo3-macros"
+version = "0.20.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7305c720fa01b8055ec95e484a6eca7a83c841267f0dd5280f0c8b8551d2c158"
+dependencies = [
+ "proc-macro2",
+ "pyo3-macros-backend",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "pyo3-macros-backend"
+version = "0.20.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c7e9b68bb9c3149c5b0cade5d07f953d6d125eb4337723c4ccdb665f1f96185"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "pyo3-build-config",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.5.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "rustversion"
+version = "1.0.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"
+
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+
+[[package]]
+name = "serde"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
+dependencies = [
+ "serde_core",
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_core"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.149"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
+dependencies = [
+ "itoa",
+ "memchr",
+ "serde",
+ "serde_core",
+ "zmij",
+]
+
+[[package]]
+name = "signedby-python"
+version = "0.1.0"
+dependencies = [
+ "base64",
+ "bech32",
+ "hex",
+ "pyo3",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "smallvec"
+version = "1.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
+
+[[package]]
+name = "syn"
+version = "2.0.117"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "target-lexicon"
+version = "0.12.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "61c41af27dd6d1e27b1b16b489db798443478cef1f06a660c96db617ba5de3b1"
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
+
+[[package]]
+name = "unindent"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7264e107f553ccae879d21fbea1d6724ac785e8c3bfc762137959b5802826ef3"
+
+[[package]]
+name = "windows-link"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
+
+[[package]]
+name = "zmij"
+version = "1.0.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa"

signedby-0.1.0/Cargo.toml

@@ -0,0 +1,24 @@
+[package]
+name = "signedby-python"
+version = "0.1.0"
+edition = "2021"
+description = "Python bindings for SignedByMe SDK"
+license = "MIT"
+readme = "README.md"
+
+[lib]
+name = "signedby"
+crate-type = ["cdylib"]
+
+[dependencies]
+# PyO3 for Python bindings
+pyo3 = { version = "0.20", features = ["extension-module"] }
+
+# Serialization
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+
+# Encoding
+hex = "0.4"
+bech32 = "0.11"
+base64 = "0.21"

signedby-0.1.0/LICENSE

@@ -0,0 +1,164 @@
+SIGNEDBYME SOURCE-AVAILABLE LICENSE v1.0
+(“SSAL-1.0”)
+
+Copyright © 2025–2026 Privacy Lion LLC (d/b/a SignedByMe).
+All rights reserved.
+
+This license is “source-available.” It is NOT an OSI Open Source license prior to
+the Change Date. On the Change Date, the Licensed Work automatically becomes
+available under the Apache License, Version 2.0, and the restrictions in this
+license terminate.
+
+----------------------------------------------------------------------
+1. DEFINITIONS
+----------------------------------------------------------------------
+
+“Licensor” means Privacy Lion LLC (d/b/a SignedByMe).
+
+“Licensed Work” means all source code, build scripts, configuration, and other
+materials included in this repository, including iOS, Android, and API/server code.
+
+“Derivative Work” means any work based on or derived from the Licensed Work.
+
+“Distribute” means to provide, publish, sublicense, sell, license, or otherwise
+make the Licensed Work (or any Derivative Work) available to any third party,
+including by publishing to an application store or distributing binaries.
+
+“Make Available” means to operate the Licensed Work (or any Derivative Work) as a
+network-accessible service for the benefit of third parties, including offering a
+hosted API or hosted service.
+
+“Competing Application” means any application, service, or product (including any
+hosted API) offered to third parties that provides substantially similar
+functionality to SignedByMe as a core or significant feature, including any
+combination of:
+
+  (a) key-based signature authorization flows (e.g., DID/private-key signing
+      performed locally by a user);
+
+  (b) paid-login, payment-gated, or otherwise monetized authorization; and/or
+
+  (c) issuance of authentication artifacts (including OIDC/OAuth-compatible tokens
+      or functional equivalents) based on such authorization/proofs.
+
+----------------------------------------------------------------------
+2. LICENSE GRANT (NON-COMPETING USE)
+----------------------------------------------------------------------
+
+Subject to the restriction in Section 3, the Licensor grants you a worldwide,
+non-exclusive, royalty-free license to copy, modify, and create Derivative Works
+of the Licensed Work, and to Distribute the Licensed Work or Derivative Works,
+solely for Non-Competing Use.
+
+“Non-Competing Use” means any use that is NOT:
+  (i) Distributing the Licensed Work (or any Derivative Work) as part of a
+      Competing Application; and NOT
+  (ii) Making Available the Licensed Work (or any Derivative Work) as part of a
+      Competing Application.
+
+Examples of permitted Non-Competing Use include: evaluation, testing, security
+research, personal projects, internal company tools, contributions back to this
+repository, and integration into unrelated products/services that are not a
+Competing Application.
+
+----------------------------------------------------------------------
+3. RESTRICTION (NO COMPETING APPLICATIONS/SERVICES)
+----------------------------------------------------------------------
+
+You may NOT Distribute or Make Available the Licensed Work (or any Derivative Work)
+as part of a Competing Application.
+
+This restriction applies regardless of whether the Competing Application is free
+or paid, open-source or proprietary, self-hosted or hosted for others.
+
+----------------------------------------------------------------------
+4. TERMINATION
+----------------------------------------------------------------------
+
+Any violation of Section 3 automatically terminates the license granted to you
+under this Agreement. Upon termination, you must immediately cease use, Distribute
+no further copies, and stop Making Available any service based on the Licensed Work.
+
+----------------------------------------------------------------------
+5. CHANGE DATE AND CHANGE LICENSE
+----------------------------------------------------------------------
+
+Change Date: 2030-02-18
+
+On the Change Date, the restrictions in this license automatically terminate and
+the Licensed Work becomes fully available under the Apache License, Version 2.0
+(no further action required from Licensor or the user).
+
+Change License: Apache License, Version 2.0
+
+A copy of the Apache 2.0 license text is provided in this repository as
+LICENSE-APACHE.
+
+----------------------------------------------------------------------
+6. CONTRIBUTIONS
+----------------------------------------------------------------------
+
+If you submit a contribution (including code, documentation, or other materials)
+to the Licensed Work (e.g., via pull request, patch, or issue attachment), you
+grant Licensor a perpetual, worldwide, non-exclusive, royalty-free license to use,
+reproduce, modify, distribute, and sublicense your contribution as part of the
+Licensed Work under the terms of this license and (after the Change Date) under
+the Change License.
+
+----------------------------------------------------------------------
+7. TRADEMARKS
+----------------------------------------------------------------------
+
+This license does not grant any rights in the trademarks, service marks, trade
+names, or logos of Licensor, including “SignedByMe” and “Privacy Lion”.
+
+----------------------------------------------------------------------
+8. DISCLAIMER OF WARRANTY
+----------------------------------------------------------------------
+
+THE LICENSED WORK IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE. YOU BEAR THE RISK OF USING IT.
+
+----------------------------------------------------------------------
+9. LIMITATION OF LIABILITY
+----------------------------------------------------------------------
+
+TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT WILL LICENSOR BE LIABLE FOR
+ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS
+OF PROFITS, REVENUE, DATA, OR GOODWILL, ARISING OUT OF OR RELATED TO THIS LICENSE
+OR THE USE OF THE LICENSED WORK, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+----------------------------------------------------------------------
+10. GOVERNING LAW
+----------------------------------------------------------------------
+
+This license shall be governed by the laws of the State of Florida, without regard
+to conflict of laws principles. Venue for any dispute arising under this license
+shall be in state or federal courts located in Miami-Dade County, Florida, and the
+parties consent to personal jurisdiction there.
+
+----------------------------------------------------------------------
+11. SEVERABILITY
+----------------------------------------------------------------------
+
+If any provision of this license is held to be invalid, illegal, or unenforceable,
+the remaining provisions shall remain in full force and effect. Any invalid,
+illegal, or unenforceable provision shall be deemed modified to the minimum extent
+necessary to make it valid and enforceable while preserving the parties’ intent as
+closely as possible.
+
+----------------------------------------------------------------------
+12. ENTIRE AGREEMENT
+----------------------------------------------------------------------
+
+This license constitutes the entire agreement between the parties with respect to
+the Licensed Work and supersedes all prior or contemporaneous understandings,
+whether written or oral.
+
+----------------------------------------------------------------------
+13. ACCEPTANCE
+----------------------------------------------------------------------
+
+BY COPYING, MODIFYING, DISTRIBUTING, OR MAKING AVAILABLE THE LICENSED WORK, YOU
+ACCEPT THE TERMS OF THIS LICENSE.

signedby-0.1.0/PKG-INFO

@@ -0,0 +1,121 @@
+Metadata-Version: 2.4
+Name: signedby
+Version: 0.1.0
+Classifier: Development Status :: 4 - Beta
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Rust
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Topic :: Security :: Cryptography
+License-File: LICENSE
+Summary: SignedByMe SDK - Self-signing digital signatures with zero-knowledge proofs
+Keywords: identity,zkp,groth16,nostr,bitcoin,authentication
+Author-email: Privacy Lion <contact@privacy-lion.com>
+License: MIT
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown; charset=UTF-8; variant=GFM
+Project-URL: Documentation, https://docs.signedbyme.com
+Project-URL: Homepage, https://signedbyme.com
+Project-URL: Repository, https://github.com/PrivacyLion/SignedByMe
+
+# SignedByMe Python SDK
+
+Human-controlled identity for autonomous agents.
+
+## Installation
+
+```bash
+pip install signedby
+```
+
+## Quick Start
+
+### For Agents - Authenticate to Enterprises
+
+```python
+from signedby import SignedByClient
+
+# Load delegation from your human owner
+client = SignedByClient.from_delegation("./delegation.json")
+
+print(f"Your npub: {client.npub}")
+print(f"Authorized for: {client.scopes}")
+
+# Authenticate to an enterprise
+token = await client.login(
+    client_id="acme-corp",
+    nonce="random_nonce_here"
+)
+
+# Use the OIDC token
+print(f"ID Token: {token.id_token}")
+print(f"Subject: {token.sub}")
+```
+
+### For Agent Setup - Initialize Identity
+
+```python
+from signedby import SignedByAgent
+
+# Initialize agent (creates DID if first run)
+agent = SignedByAgent.init(storage_path="./agent_data")
+
+print(f"Agent npub: {agent.npub}")
+
+# Configure email mapping for enterprises
+agent.set_email_mapping({
+    "amazon.com": "you@gmail.com",
+    "acme.com": "you@gmail.com"
+})
+
+# Connect to relay and watch for authorizations
+agent.connect_relay("wss://relay.privacy-lion.com")
+
+async for event in agent.watch_for_authorizations():
+    print(f"New authorization from: {event.enterprise}")
+    print(f"Scopes: {event.scopes}")
+```
+
+## Error Handling
+
+```python
+from signedby import (
+    SignedByClient,
+    SignedByError,
+    DelegationRevokedError,
+    DelegationExpiredError,
+    ScopeDeniedError,
+)
+
+try:
+    token = await client.login(client_id="acme-corp", nonce=nonce)
+except DelegationRevokedError:
+    print("Delegation was revoked. Contact your human owner.")
+except DelegationExpiredError:
+    print("Delegation expired. Request renewal from your human owner.")
+except ScopeDeniedError:
+    print("Not authorized for this enterprise.")
+except SignedByError as e:
+    print(f"Authentication failed: {e}")
+```
+
+## Requirements
+
+- Python 3.9+
+- Supported platforms: Linux (x86_64, aarch64), macOS (x86_64, arm64), Windows (x86_64)
+
+## Documentation
+
+- [SDK Quick Start](https://signedbyme.com/docs/sdk-quickstart.html)
+- [API Reference](https://signedbyme.com/docs/api-reference.html)
+- [Understanding Delegation](https://signedbyme.com/docs/delegation.html)
+
+## License
+
+SignedByMe Source-Available License v1.0 (SSAL-1.0)
+
+See [LICENSE](https://github.com/PrivacyLion/SignedByMe/blob/main/LICENSE) for details.
+

signedby-0.1.0/README.md

@@ -0,0 +1,97 @@
+# SignedByMe Python SDK
+
+Human-controlled identity for autonomous agents.
+
+## Installation
+
+```bash
+pip install signedby
+```
+
+## Quick Start
+
+### For Agents - Authenticate to Enterprises
+
+```python
+from signedby import SignedByClient
+
+# Load delegation from your human owner
+client = SignedByClient.from_delegation("./delegation.json")
+
+print(f"Your npub: {client.npub}")
+print(f"Authorized for: {client.scopes}")
+
+# Authenticate to an enterprise
+token = await client.login(
+    client_id="acme-corp",
+    nonce="random_nonce_here"
+)
+
+# Use the OIDC token
+print(f"ID Token: {token.id_token}")
+print(f"Subject: {token.sub}")
+```
+
+### For Agent Setup - Initialize Identity
+
+```python
+from signedby import SignedByAgent
+
+# Initialize agent (creates DID if first run)
+agent = SignedByAgent.init(storage_path="./agent_data")
+
+print(f"Agent npub: {agent.npub}")
+
+# Configure email mapping for enterprises
+agent.set_email_mapping({
+    "amazon.com": "you@gmail.com",
+    "acme.com": "you@gmail.com"
+})
+
+# Connect to relay and watch for authorizations
+agent.connect_relay("wss://relay.privacy-lion.com")
+
+async for event in agent.watch_for_authorizations():
+    print(f"New authorization from: {event.enterprise}")
+    print(f"Scopes: {event.scopes}")
+```
+
+## Error Handling
+
+```python
+from signedby import (
+    SignedByClient,
+    SignedByError,
+    DelegationRevokedError,
+    DelegationExpiredError,
+    ScopeDeniedError,
+)
+
+try:
+    token = await client.login(client_id="acme-corp", nonce=nonce)
+except DelegationRevokedError:
+    print("Delegation was revoked. Contact your human owner.")
+except DelegationExpiredError:
+    print("Delegation expired. Request renewal from your human owner.")
+except ScopeDeniedError:
+    print("Not authorized for this enterprise.")
+except SignedByError as e:
+    print(f"Authentication failed: {e}")
+```
+
+## Requirements
+
+- Python 3.9+
+- Supported platforms: Linux (x86_64, aarch64), macOS (x86_64, arm64), Windows (x86_64)
+
+## Documentation
+
+- [SDK Quick Start](https://signedbyme.com/docs/sdk-quickstart.html)
+- [API Reference](https://signedbyme.com/docs/api-reference.html)
+- [Understanding Delegation](https://signedbyme.com/docs/delegation.html)
+
+## License
+
+SignedByMe Source-Available License v1.0 (SSAL-1.0)
+
+See [LICENSE](https://github.com/PrivacyLion/SignedByMe/blob/main/LICENSE) for details.

signedby-0.1.0/pyproject.toml

@@ -0,0 +1,34 @@
+[build-system]
+requires = ["maturin>=1.4,<2.0"]
+build-backend = "maturin"
+
+[project]
+name = "signedby"
+version = "0.1.0"
+description = "SignedByMe SDK - Self-signing digital signatures with zero-knowledge proofs"
+readme = "README.md"
+license = { text = "MIT" }
+authors = [
+    { name = "Privacy Lion", email = "contact@privacy-lion.com" }
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Rust",
+    "License :: OSI Approved :: MIT License",
+    "Topic :: Security :: Cryptography",
+]
+keywords = ["identity", "zkp", "groth16", "nostr", "bitcoin", "authentication"]
+requires-python = ">=3.9"
+
+[project.urls]
+Homepage = "https://signedbyme.com"
+Documentation = "https://docs.signedbyme.com"
+Repository = "https://github.com/PrivacyLion/SignedByMe"
+
+[tool.maturin]
+features = ["pyo3/extension-module"]

signedby-0.1.0/python/signedby/__init__.py

@@ -0,0 +1,32 @@
+"""
+SignedByMe SDK - Human-controlled identity for autonomous agents.
+
+This SDK allows agents to:
+- Load delegated credentials from their human owner
+- Generate Groth16 zero-knowledge proofs
+- Authenticate to enterprises and receive OIDC tokens
+- Manage NOSTR event publishing for audit trails
+"""
+
+from .client import SignedByClient
+from .agent import SignedByAgent
+from .errors import (
+    SignedByError,
+    DelegationRevokedError,
+    DelegationExpiredError,
+    InvalidProofError,
+    MerkleRootExpiredError,
+    ScopeDeniedError,
+)
+
+__version__ = "0.1.0"
+__all__ = [
+    "SignedByClient",
+    "SignedByAgent",
+    "SignedByError",
+    "DelegationRevokedError",
+    "DelegationExpiredError",
+    "InvalidProofError",
+    "MerkleRootExpiredError",
+    "ScopeDeniedError",
+]

signedby-0.1.0/python/signedby/agent.py

@@ -0,0 +1,124 @@
+"""
+SignedByAgent - Agent initialization and management.
+"""
+
+from __future__ import annotations
+import json
+from pathlib import Path
+from typing import Optional, Dict, Any, AsyncIterator
+from dataclasses import dataclass
+
+# Import the Rust core via PyO3
+from signedby._core import (
+    RustSignedByAgent,
+    init_agent_storage,
+)
+
+
+@dataclass
+class AuthorizationEvent:
+    """An authorization request from an enterprise (kind 28200)."""
+    enterprise: str
+    client_id: str
+    scopes: list[str]
+    event_id: str
+    created_at: int
+
+
+class SignedByAgent:
+    """
+    Agent for managing identity and watching for authorization requests.
+    
+    Usage:
+        agent = SignedByAgent.init(storage_path="./agent_data")
+        agent.set_email_mapping({"amazon.com": "me@gmail.com"})
+        agent.connect_relay("wss://relay.privacy-lion.com")
+        agent.watch_for_authorizations()
+    """
+    
+    def __init__(self, rust_agent: RustSignedByAgent):
+        self._rust = rust_agent
+        self._relay_connected = False
+        self._email_mapping: Dict[str, str] = {}
+    
+    @classmethod
+    def init(cls, storage_path: str | Path) -> SignedByAgent:
+        """
+        Initialize a new agent or load existing identity.
+        
+        Creates DID keys and stores them securely if this is first run.
+        Loads existing identity if storage already exists.
+        
+        Args:
+            storage_path: Directory for agent data (keys, witness cache)
+            
+        Returns:
+            SignedByAgent instance
+        """
+        storage_path = Path(storage_path)
+        storage_path.mkdir(parents=True, exist_ok=True)
+        
+        rust_agent = RustSignedByAgent.init(str(storage_path))
+        return cls(rust_agent)
+    
+    @property
+    def npub(self) -> str:
+        """Get the agent's npub (public key in bech32 format)."""
+        return self._rust.npub()
+    
+    def set_email_mapping(self, mapping: Dict[str, str]) -> None:
+        """
+        Set email mapping for enterprises.
+        
+        This tells the agent which email to provide during Gate 1
+        enrollment for each enterprise domain.
+        
+        Args:
+            mapping: Dict of enterprise domain -> email address
+                     e.g., {"amazon.com": "me@gmail.com"}
+        """
+        self._email_mapping = mapping
+        self._rust.set_email_mapping(mapping)
+    
+    def connect_relay(self, relay_url: str) -> None:
+        """
+        Connect to a NOSTR relay.
+        
+        Args:
+            relay_url: WebSocket URL of the relay
+                       e.g., "wss://relay.privacy-lion.com"
+        """
+        self._rust.connect_relay(relay_url)
+        self._relay_connected = True
+    
+    async def watch_for_authorizations(self) -> AsyncIterator[AuthorizationEvent]:
+        """
+        Watch for kind 28200 authorization events addressed to this agent.
+        
+        Yields:
+            AuthorizationEvent for each incoming authorization request
+        """
+        if not self._relay_connected:
+            raise RuntimeError("Not connected to relay. Call connect_relay() first.")
+        
+        async for event_json in self._rust.subscribe_authorizations():
+            event = json.loads(event_json)
+            yield AuthorizationEvent(
+                enterprise=event.get("enterprise", "unknown"),
+                client_id=event["client_id"],
+                scopes=event.get("scopes", []),
+                event_id=event["id"],
+                created_at=event["created_at"],
+            )
+    
+    def get_activity_log(self, limit: int = 100) -> list[Dict[str, Any]]:
+        """
+        Get recent agent activity (kinds 28101, 28102, 28103).
+        
+        Args:
+            limit: Maximum number of events to return
+            
+        Returns:
+            List of activity events
+        """
+        return self._rust.get_activity_log(limit)

signedby-0.1.0/python/signedby/client.py

@@ -0,0 +1,132 @@
+"""
+SignedByClient - Core client for agent authentication.
+"""
+
+from __future__ import annotations
+import json
+from pathlib import Path
+from typing import Optional, Dict, Any
+from dataclasses import dataclass
+
+# Import the Rust core via PyO3
+from signedby._core import (
+    RustSignedByClient,
+    generate_proof,
+    verify_delegation,
+)
+
+
+@dataclass
+class LoginToken:
+    """OIDC token returned from successful authentication."""
+    id_token: str
+    token_type: str
+    expires_in: int
+    sub: str  # npub in bech32
+    
+    def is_expired(self) -> bool:
+        """Check if the token has expired."""
+        import time
+        # Token includes iat, expires_in tells us duration
+        # For now, we track expiry client-side
+        return False  # TODO: implement proper expiry tracking
+
+
+@dataclass
+class LoginRequest:
+    """Request parameters for login."""
+    client_id: str
+    nonce: str
+
+
+class SignedByClient:
+    """
+    Client for authenticating to enterprises using SignedByMe.
+    
+    Usage:
+        client = SignedByClient.from_delegation("./delegation.json")
+        token = await client.login(client_id="acme-corp", nonce="random123")
+    """
+    
+    def __init__(self, rust_client: RustSignedByClient):
+        self._rust = rust_client
+    
+    @classmethod
+    def from_delegation(cls, path: str | Path) -> SignedByClient:
+        """
+        Load a SignedByClient from a delegation file.
+        
+        Args:
+            path: Path to the delegation JSON file (kind 28250 event)
+            
+        Returns:
+            SignedByClient instance ready for authentication
+            
+        Raises:
+            FileNotFoundError: If delegation file doesn't exist
+            SignedByError: If delegation is invalid or expired
+        """
+        path = Path(path)
+        if not path.exists():
+            raise FileNotFoundError(f"Delegation file not found: {path}")
+        
+        delegation_json = path.read_text()
+        rust_client = RustSignedByClient.from_delegation_json(delegation_json)
+        return cls(rust_client)
+    
+    @property
+    def npub(self) -> str:
+        """Get the agent's npub (public key in bech32 format)."""
+        return self._rust.npub()
+    
+    @property
+    def scopes(self) -> Dict[str, list[str]]:
+        """Get the delegation scopes (enterprise -> permissions mapping)."""
+        return self._rust.scopes()
+    
+    async def login(
+        self,
+        client_id: str,
+        nonce: str,
+        *,
+        relay_url: str = "wss://relay.privacy-lion.com",
+        api_url: str = "https://api.beta.privacy-lion.com",
+    ) -> LoginToken:
+        """
+        Authenticate to an enterprise and receive an OIDC token.
+        
+        Args:
+            client_id: The enterprise's client ID
+            nonce: Random nonce for replay protection
+            relay_url: NOSTR relay URL (optional)
+            api_url: SignedByMe API URL (optional)
+            
+        Returns:
+            LoginToken containing the OIDC id_token
+            
+        Raises:
+            DelegationRevokedError: If delegation has been revoked
+            DelegationExpiredError: If delegation has expired
+            ScopeDeniedError: If client_id not in delegation scopes
+            MerkleRootExpiredError: If proof uses stale merkle root
+        """
+        # Generate Groth16 proof
+        proof_result = await self._rust.generate_login_proof(client_id, nonce)
+        
+        # Publish proof event to NOSTR (kind 28101)
+        await self._rust.publish_proof_event(relay_url, proof_result)
+        
+        # Call API to verify and get token
+        token_response = await self._rust.verify_and_get_token(
+            api_url,
+            proof_result,
+            client_id,
+            nonce,
+        )
+        
+        return LoginToken(
+            id_token=token_response["id_token"],
+            token_type=token_response.get("token_type", "Bearer"),
+            expires_in=token_response.get("expires_in", 3600),
+            sub=token_response["sub"],
+        )

signedby-0.1.0/python/signedby/errors.py

@@ -0,0 +1,75 @@
+"""
+SignedByMe SDK Errors.
+"""
+
+
+class SignedByError(Exception):
+    """Base exception for all SignedByMe errors."""
+    pass
+
+
+class DelegationRevokedError(SignedByError):
+    """
+    Raised when the delegation has been revoked.
+    
+    The human owner published a kind 28251 revocation event.
+    Contact your human owner for a new delegation.
+    """
+    pass
+
+
+class DelegationExpiredError(SignedByError):
+    """
+    Raised when the delegation has expired.
+    
+    The expires_at timestamp in the delegation has passed.
+    Request a renewed delegation from your human owner.
+    """
+    pass
+
+
+class InvalidProofError(SignedByError):
+    """
+    Raised when Groth16 proof verification fails.
+    
+    This typically indicates corrupted proof data or
+    a mismatch between proof and public inputs.
+    """
+    pass
+
+
+class MerkleRootExpiredError(SignedByError):
+    """
+    Raised when the proof references a stale merkle root.
+    
+    The merkle root in the proof is not in the last 30 valid roots.
+    Refresh witness data and regenerate the proof.
+    """
+    pass
+
+
+class ScopeDeniedError(SignedByError):
+    """
+    Raised when attempting to access an unauthorized enterprise.
+    
+    The client_id is not in the delegation scopes.
+    Request an updated delegation that includes this enterprise.
+    """
+    pass
+
+
+class RelayConnectionError(SignedByError):
+    """
+    Raised when unable to connect to a NOSTR relay.
+    """
+    pass
+
+
+class ApiError(SignedByError):
+    """
+    Raised when the SignedByMe API returns an error.
+    """
+    def __init__(self, message: str, error_code: str = None, status_code: int = None):
+        super().__init__(message)
+        self.error_code = error_code
+        self.status_code = status_code

signedby-0.1.0/src/lib.rs

@@ -0,0 +1,125 @@
+//! Python bindings for SignedByMe SDK
+//!
+//! Provides Groth16 proof verification and OIDC token validation for Python.
+
+use pyo3::prelude::*;
+use pyo3::exceptions::{PyValueError, PyRuntimeError};
+use pyo3::types::PyDict;
+
+/// Convert hex public key to bech32 npub format
+#[pyfunction]
+fn hex_to_npub(hex_pubkey: &str) -> PyResult<String> {
+    // Simple bech32 encoding for npub
+    let bytes = hex::decode(hex_pubkey)
+        .map_err(|e| PyValueError::new_err(format!("Invalid hex: {}", e)))?;
+    
+    if bytes.len() != 32 {
+        return Err(PyValueError::new_err("Public key must be 32 bytes"));
+    }
+    
+    // Use bech32 encoding
+    let hrp = bech32::Hrp::parse("npub").unwrap();
+    bech32::encode::<bech32::Bech32m>(hrp, &bytes)
+        .map_err(|e| PyValueError::new_err(format!("Bech32 encode failed: {}", e)))
+}
+
+/// Convert bech32 npub to hex format
+#[pyfunction]
+fn npub_to_hex(npub: &str) -> PyResult<String> {
+    let (hrp, bytes) = bech32::decode(npub)
+        .map_err(|e| PyValueError::new_err(format!("Invalid bech32: {}", e)))?;
+    
+    if hrp.to_string() != "npub" {
+        return Err(PyValueError::new_err(format!("Expected npub prefix, got: {}", hrp)));
+    }
+    
+    Ok(hex::encode(bytes))
+}
+
+/// Verify a Groth16 proof (placeholder - full verification requires arkworks)
+#[pyfunction]
+fn verify_proof(py: Python<'_>, proof_json: &str, public_inputs_json: &str, _vk_json: &str) -> PyResult<PyObject> {
+    // Parse the proof and public inputs
+    let _proof: serde_json::Value = serde_json::from_str(proof_json)
+        .map_err(|e| PyValueError::new_err(format!("Invalid proof JSON: {}", e)))?;
+    
+    let public_inputs: Vec<String> = serde_json::from_str(public_inputs_json)
+        .map_err(|e| PyValueError::new_err(format!("Invalid public inputs JSON: {}", e)))?;
+    
+    if public_inputs.len() < 3 {
+        return Err(PyValueError::new_err("Public inputs must have at least 3 elements"));
+    }
+    
+    // Extract npub from public inputs (first element is x-coordinate)
+    let npub_hex = format!("{:0>64}", public_inputs[0].trim_start_matches("0x"));
+    let npub = hex_to_npub(&npub_hex[..64.min(npub_hex.len())])?;
+    
+    // Build result dict
+    let dict = PyDict::new(py);
+    dict.set_item("valid", true)?;  // Note: actual verification requires arkworks
+    dict.set_item("npub", npub)?;
+    dict.set_item("npub_hex", &npub_hex)?;
+    dict.set_item("merkle_root", &public_inputs[2])?;
+    if public_inputs.len() > 3 {
+        dict.set_item("session_binding", &public_inputs[3])?;
+    }
+    
+    Ok(dict.into())
+}
+
+/// Parse OIDC id_token claims (JWT decode without verification)
+#[pyfunction]
+fn decode_token_claims(py: Python<'_>, token: &str) -> PyResult<PyObject> {
+    // Split JWT
+    let parts: Vec<&str> = token.split('.').collect();
+    if parts.len() != 3 {
+        return Err(PyValueError::new_err("Invalid JWT format"));
+    }
+    
+    // Decode payload (middle part)
+    let payload = base64::Engine::decode(
+        &base64::engine::general_purpose::URL_SAFE_NO_PAD,
+        parts[1]
+    ).map_err(|e| PyValueError::new_err(format!("Base64 decode failed: {}", e)))?;
+    
+    let claims: serde_json::Value = serde_json::from_slice(&payload)
+        .map_err(|e| PyValueError::new_err(format!("JSON parse failed: {}", e)))?;
+    
+    // Convert to Python dict
+    let dict = PyDict::new(py);
+    if let serde_json::Value::Object(map) = claims {
+        for (k, v) in map {
+            match v {
+                serde_json::Value::String(s) => { dict.set_item(&k, s)?; }
+                serde_json::Value::Number(n) => {
+                    if let Some(i) = n.as_i64() {
+                        dict.set_item(&k, i)?;
+                    } else if let Some(f) = n.as_f64() {
+                        dict.set_item(&k, f)?;
+                    }
+                }
+                serde_json::Value::Bool(b) => { dict.set_item(&k, b)?; }
+                serde_json::Value::Null => { dict.set_item(&k, py.None())?; }
+                _ => { dict.set_item(&k, v.to_string())?; }
+            }
+        }
+    }
+    
+    Ok(dict.into())
+}
+
+/// SignedByMe SDK for Python
+///
+/// Example:
+///     from signedby import hex_to_npub, verify_proof
+///     
+///     npub = hex_to_npub("0123456789abcdef" * 4)
+///     result = verify_proof(proof_json, public_inputs_json, vk_json)
+#[pymodule]
+fn signedby(_py: Python, m: &PyModule) -> PyResult<()> {
+    m.add_function(wrap_pyfunction!(hex_to_npub, m)?)?;
+    m.add_function(wrap_pyfunction!(npub_to_hex, m)?)?;
+    m.add_function(wrap_pyfunction!(verify_proof, m)?)?;
+    m.add_function(wrap_pyfunction!(decode_token_claims, m)?)?;
+    Ok(())
+}