swiftapi-python 1.0.0__py3-none-any.whl

swiftapi/__init__.py

@@ -0,0 +1,91 @@
+"""
+SwiftAPI Python SDK
+
+No AI action executes without verification.
+
+Usage:
+    from swiftapi import SwiftAPI, Enforcement
+
+    # Initialize client
+    api = SwiftAPI(key="swiftapi_live_...")
+
+    # Create enforcement point
+    guard = Enforcement(api)
+
+    # Protect dangerous operations
+    guard.run(
+        lambda: os.system("rm -rf /tmp/data"),
+        action="file_delete",
+        intent="Cleanup temporary data"
+    )
+
+    # Or use decorator
+    @guard.protect(action="api_call", intent="Send email")
+    def send_email(to, subject, body):
+        ...
+
+    # Or use context manager
+    with guard.guard(action="database_write", intent="Update user"):
+        db.update(user_id, data)
+"""
+
+__version__ = "1.0.0"
+__author__ = "Rayan Pal"
+
+# Core exports
+from .client import SwiftAPI
+from .enforcement import Enforcement, enforce
+from .verifier import verify_signature, is_valid, get_public_key
+
+# Exceptions
+from .exceptions import (
+    SwiftAPIError,
+    AuthenticationError,
+    PolicyViolation,
+    SignatureVerificationError,
+    AttestationExpiredError,
+    AttestationRevokedError,
+    RateLimitError,
+    NetworkError,
+)
+
+# UX utilities
+from .utils import (
+    Colors,
+    Symbols,
+    print_approved,
+    print_denied,
+    print_verified,
+    print_error,
+    print_info,
+)
+
+__all__ = [
+    # Version
+    "__version__",
+    # Core
+    "SwiftAPI",
+    "Enforcement",
+    "enforce",
+    # Verification
+    "verify_signature",
+    "is_valid",
+    "get_public_key",
+    # Exceptions
+    "SwiftAPIError",
+    "AuthenticationError",
+    "PolicyViolation",
+    "SignatureVerificationError",
+    "AttestationExpiredError",
+    "AttestationRevokedError",
+    "RateLimitError",
+    "NetworkError",
+    # UX
+    "Colors",
+    "Symbols",
+    "print_approved",
+    "print_denied",
+    "print_verified",
+    "print_error",
+    "print_info",
+]

swiftapi/client.py

@@ -0,0 +1,282 @@
+"""
+SwiftAPI SDK - HTTP Client
+
+This module provides the HTTP client for communicating with SwiftAPI.
+"""
+
+import requests
+from typing import Dict, Any, Optional, List
+
+from .exceptions import (
+    SwiftAPIError,
+    AuthenticationError,
+    PolicyViolation,
+    RateLimitError,
+    NetworkError,
+)
+
+DEFAULT_BASE_URL = "https://swiftapi.ai"
+DEFAULT_TIMEOUT = 30
+
+
+class SwiftAPI:
+    """
+    SwiftAPI HTTP Client.
+
+    Usage:
+        api = SwiftAPI(key="swiftapi_live_...")
+        result = api.verify("file_write", "Save config", {"path": "/etc/config"})
+    """
+
+    def __init__(
+        self,
+        key: str,
+        base_url: str = DEFAULT_BASE_URL,
+        timeout: int = DEFAULT_TIMEOUT,
+    ):
+        """
+        Initialize SwiftAPI client.
+
+        Args:
+            key: SwiftAPI authority key (swiftapi_live_...)
+            base_url: API base URL (default: https://swiftapi.ai)
+            timeout: Request timeout in seconds
+        """
+        if not key:
+            raise AuthenticationError("API key is required")
+        if not key.startswith("swiftapi_live_"):
+            raise AuthenticationError("Invalid key format: must start with 'swiftapi_live_'")
+
+        self.key = key
+        self.base_url = base_url.rstrip("/")
+        self.timeout = timeout
+        self._session = requests.Session()
+        self._session.headers.update({
+            "X-SwiftAPI-Authority": key,
+            "Content-Type": "application/json",
+            "User-Agent": "swiftapi-python/1.0.0",
+        })
+
+    def _request(
+        self,
+        method: str,
+        endpoint: str,
+        json: Dict = None,
+        params: Dict = None,
+    ) -> Dict[str, Any]:
+        """Make HTTP request to SwiftAPI."""
+        url = f"{self.base_url}{endpoint}"
+
+        try:
+            response = self._session.request(
+                method=method,
+                url=url,
+                json=json,
+                params=params,
+                timeout=self.timeout,
+            )
+        except requests.exceptions.ConnectionError as e:
+            raise NetworkError(f"Failed to connect to SwiftAPI: {e}")
+        except requests.exceptions.Timeout:
+            raise NetworkError(f"Request timed out after {self.timeout}s")
+        except requests.exceptions.RequestException as e:
+            raise NetworkError(f"Request failed: {e}")
+
+        # Handle response
+        return self._handle_response(response)
+
+    def _handle_response(self, response: requests.Response) -> Dict[str, Any]:
+        """Handle API response and raise appropriate exceptions."""
+        # Rate limit
+        if response.status_code == 429:
+            retry_after = response.headers.get("Retry-After")
+            raise RateLimitError(int(retry_after) if retry_after else None)
+
+        # Auth errors
+        if response.status_code == 401:
+            raise AuthenticationError("Invalid API key")
+        if response.status_code == 403:
+            try:
+                data = response.json()
+                raise AuthenticationError(data.get("detail", {}).get("message", "Forbidden"))
+            except ValueError:
+                raise AuthenticationError("Forbidden")
+
+        # Parse JSON
+        try:
+            data = response.json()
+        except ValueError:
+            raise SwiftAPIError(f"Invalid JSON response: {response.text[:200]}")
+
+        # Policy violations (denied actions)
+        if response.status_code == 200 and data.get("approved") is False:
+            raise PolicyViolation(
+                message=data.get("reason", "Action denied by policy"),
+                action_type=data.get("action", {}).get("type"),
+                denial_reason=data.get("reason"),
+            )
+
+        # Other errors
+        if response.status_code >= 400:
+            detail = data.get("detail", {})
+            if isinstance(detail, dict):
+                message = detail.get("message", str(detail))
+            else:
+                message = str(detail)
+            raise SwiftAPIError(message, response.status_code, data)
+
+        return data
+
+    # =========================================================================
+    # Core Endpoints
+    # =========================================================================
+
+    def verify(
+        self,
+        action_type: str,
+        intent: str,
+        params: Optional[Dict[str, Any]] = None,
+        actor: str = "sdk",
+        app_id: str = "swiftapi-python",
+    ) -> Dict[str, Any]:
+        """
+        Submit an action for verification and get an execution attestation.
+
+        Args:
+            action_type: Type of action (e.g., "file_write", "api_call")
+            intent: Human-readable description of intent
+            params: Optional action parameters
+            actor: Identifier for the requesting agent
+            app_id: Application identifier
+
+        Returns:
+            Full verification response including execution_attestation
+
+        Raises:
+            PolicyViolation: If action is denied
+            AuthenticationError: If key is invalid
+            SwiftAPIError: For other errors
+        """
+        payload = {
+            "action": {
+                "type": action_type,
+                "intent": intent,
+                "params": params or {},
+            },
+            "actor": actor,
+            "app_id": app_id,
+        }
+        return self._request("POST", "/verify", json=payload)
+
+    def verify_attestation(self, attestation: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Verify an existing attestation with the server.
+
+        Args:
+            attestation: The execution_attestation to verify
+
+        Returns:
+            Verification result
+        """
+        return self._request("POST", "/attestation/verify", json=attestation)
+
+    def revoke(self, jti: str, reason: str = "SDK revocation") -> Dict[str, Any]:
+        """
+        Revoke an attestation by JTI.
+
+        Args:
+            jti: The attestation's unique identifier
+            reason: Reason for revocation
+
+        Returns:
+            Revocation confirmation
+        """
+        payload = {"jti": jti, "reason": reason}
+        return self._request("POST", "/attestation/revoke", json=payload)
+
+    def check_revocation(self, jti: str) -> bool:
+        """
+        Check if an attestation has been revoked.
+
+        This is a fast check - use for real-time revocation verification.
+
+        Args:
+            jti: The attestation's unique identifier
+
+        Returns:
+            True if revoked, False if valid
+        """
+        try:
+            result = self._request("GET", f"/attestation/revoked/{jti}")
+            return result.get("revoked", False)
+        except SwiftAPIError:
+            # If endpoint fails, assume not revoked (fail-open for availability)
+            return False
+
+    # =========================================================================
+    # Info Endpoints
+    # =========================================================================
+
+    def get_info(self) -> Dict[str, Any]:
+        """Get API info and public key."""
+        return self._request("GET", "/")
+
+    def health(self) -> bool:
+        """Check API health."""
+        try:
+            result = self._request("GET", "/health")
+            return result.get("status") == "healthy"
+        except Exception:
+            return False
+
+    def get_policies(self) -> List[Dict[str, Any]]:
+        """Get active policies."""
+        result = self._request("GET", "/policies")
+        return result.get("policies", [])
+
+    def get_scopes(self) -> List[str]:
+        """Get available authority scopes."""
+        result = self._request("GET", "/authority/scopes")
+        return result.get("scopes", [])
+
+    # =========================================================================
+    # Key Management (Admin Only)
+    # =========================================================================
+
+    def list_keys(self) -> List[Dict[str, Any]]:
+        """List authority keys (requires admin scope)."""
+        result = self._request("GET", "/authority/keys")
+        return result.get("keys", [])
+
+    def create_key(
+        self,
+        name: str,
+        scopes: List[str],
+    ) -> Dict[str, Any]:
+        """
+        Create a new authority key (requires admin scope).
+
+        Args:
+            name: Key name
+            scopes: List of scopes to grant
+
+        Returns:
+            New key details (including the key itself - shown only once!)
+        """
+        payload = {"name": name, "scopes": scopes}
+        return self._request("POST", "/authority/keys", json=payload)
+
+    def revoke_key(self, key_hash: str) -> Dict[str, Any]:
+        """Revoke an authority key by hash."""
+        return self._request("DELETE", f"/authority/keys/{key_hash}")
+
+    # =========================================================================
+    # Context Manager
+    # =========================================================================
+
+    def __enter__(self):
+        return self
+
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        self._session.close()
+        return False

swiftapi/enforcement.py

@@ -0,0 +1,280 @@
+"""
+SwiftAPI SDK - Enforcement Point (The Golden Loop)
+
+This module provides the high-level enforcement mechanism that ensures
+no action executes without proper verification and attestation.
+
+The Golden Loop:
+1. API Call: client.verify() -> Get Attestation
+2. Crypto Check: verifier.verify_signature() -> OFFLINE TRUTH
+3. Online Check: client.check_revocation() -> ONLINE TRUTH (optional)
+4. Execute: Run the protected function
+
+If any step fails, the action is BLOCKED.
+"""
+
+from typing import Callable, Any, Dict, Optional
+from functools import wraps
+
+from .client import SwiftAPI
+from .verifier import verify_signature, is_valid
+from .exceptions import (
+    PolicyViolation,
+    SignatureVerificationError,
+    AttestationRevokedError,
+    AttestationExpiredError,
+    SwiftAPIError,
+)
+from .utils import print_approved, print_denied, print_verified, print_error
+
+
+class Enforcement:
+    """
+    SwiftAPI Enforcement Point.
+
+    This is the "ignition key" - no action executes without verification.
+
+    Usage:
+        api = SwiftAPI(key="swiftapi_live_...")
+        guard = Enforcement(api)
+
+        # Option 1: Run with enforcement
+        guard.run(
+            lambda: dangerous_operation(),
+            action="file_delete",
+            intent="Remove temp files"
+        )
+
+        # Option 2: Decorator
+        @guard.protect(action="api_call", intent="Send notification")
+        def send_notification(user_id, message):
+            ...
+    """
+
+    def __init__(
+        self,
+        client: SwiftAPI,
+        paranoid: bool = False,
+        verbose: bool = True,
+    ):
+        """
+        Initialize enforcement point.
+
+        Args:
+            client: SwiftAPI client instance
+            paranoid: If True, always check revocation online (slower but safer)
+            verbose: If True, print status messages
+        """
+        self.client = client
+        self.paranoid = paranoid
+        self.verbose = verbose
+
+    def run(
+        self,
+        func: Callable[[], Any],
+        action: str,
+        intent: str,
+        params: Optional[Dict[str, Any]] = None,
+        actor: str = "sdk",
+    ) -> Any:
+        """
+        Execute a function with SwiftAPI enforcement.
+
+        The function will ONLY execute if:
+        1. SwiftAPI approves the action
+        2. The attestation signature is valid (cryptographic proof)
+        3. The attestation is not revoked (if paranoid mode)
+
+        Args:
+            func: The function to execute (takes no arguments)
+            action: Action type for verification
+            intent: Human-readable intent description
+            params: Optional action parameters
+            actor: Actor identifier
+
+        Returns:
+            The return value of func()
+
+        Raises:
+            PolicyViolation: If action is denied by policy
+            SignatureVerificationError: If attestation signature is invalid
+            AttestationRevokedError: If attestation was revoked
+            SwiftAPIError: For other API errors
+        """
+        # Step 1: API Call - Get attestation
+        try:
+            result = self.client.verify(
+                action_type=action,
+                intent=intent,
+                params=params,
+                actor=actor,
+            )
+        except PolicyViolation as e:
+            if self.verbose:
+                print_denied(action, intent, e.denial_reason)
+            raise
+
+        # Check if approved
+        if not result.get("approved"):
+            reason = result.get("reason", "Unknown denial reason")
+            if self.verbose:
+                print_denied(action, intent, reason)
+            raise PolicyViolation(
+                message=f"Action denied: {reason}",
+                action_type=action,
+                denial_reason=reason,
+            )
+
+        attestation = result.get("execution_attestation")
+        if not attestation:
+            raise SwiftAPIError("No attestation in response")
+
+        jti = attestation.get("jti")
+
+        # Step 2: Crypto Check - OFFLINE TRUTH
+        try:
+            verify_signature(attestation)
+            if self.verbose:
+                print_verified(jti)
+        except (SignatureVerificationError, AttestationExpiredError) as e:
+            if self.verbose:
+                print_error(str(e))
+            raise
+
+        # Step 3: Online Check - ONLINE TRUTH (optional but recommended)
+        if self.paranoid:
+            if self.client.check_revocation(jti):
+                if self.verbose:
+                    print_error(f"Attestation {jti} has been revoked")
+                raise AttestationRevokedError(jti)
+
+        # Step 4: Execute - THE ACTION RUNS
+        if self.verbose:
+            print_approved(action, intent)
+
+        return func()
+
+    def protect(
+        self,
+        action: str,
+        intent: str,
+        params: Optional[Dict[str, Any]] = None,
+    ):
+        """
+        Decorator to protect a function with SwiftAPI enforcement.
+
+        Usage:
+            @guard.protect(action="file_write", intent="Save config")
+            def save_config(data):
+                with open("/etc/config", "w") as f:
+                    f.write(data)
+
+        Args:
+            action: Action type for verification
+            intent: Human-readable intent description
+            params: Optional action parameters
+        """
+        def decorator(func: Callable) -> Callable:
+            @wraps(func)
+            def wrapper(*args, **kwargs):
+                return self.run(
+                    func=lambda: func(*args, **kwargs),
+                    action=action,
+                    intent=intent,
+                    params=params,
+                    actor=func.__name__,
+                )
+            return wrapper
+        return decorator
+
+    def guard(
+        self,
+        action: str,
+        intent: str,
+        params: Optional[Dict[str, Any]] = None,
+    ) -> "AttestationGuard":
+        """
+        Context manager for guarded execution blocks.
+
+        Usage:
+            with guard.guard(action="file_delete", intent="Cleanup temp"):
+                os.remove("/tmp/file.txt")
+
+        Args:
+            action: Action type for verification
+            intent: Human-readable intent description
+            params: Optional action parameters
+        """
+        return AttestationGuard(self, action, intent, params)
+
+
+class AttestationGuard:
+    """Context manager for guarded execution."""
+
+    def __init__(
+        self,
+        enforcement: Enforcement,
+        action: str,
+        intent: str,
+        params: Optional[Dict[str, Any]] = None,
+    ):
+        self.enforcement = enforcement
+        self.action = action
+        self.intent = intent
+        self.params = params
+        self.attestation = None
+
+    def __enter__(self):
+        # Get and verify attestation before entering the block
+        result = self.enforcement.client.verify(
+            action_type=self.action,
+            intent=self.intent,
+            params=self.params,
+        )
+
+        if not result.get("approved"):
+            reason = result.get("reason", "Unknown")
+            if self.enforcement.verbose:
+                print_denied(self.action, self.intent, reason)
+            raise PolicyViolation(
+                message=f"Action denied: {reason}",
+                action_type=self.action,
+                denial_reason=reason,
+            )
+
+        self.attestation = result.get("execution_attestation")
+        verify_signature(self.attestation)
+
+        if self.enforcement.paranoid:
+            jti = self.attestation.get("jti")
+            if self.enforcement.client.check_revocation(jti):
+                raise AttestationRevokedError(jti)
+
+        if self.enforcement.verbose:
+            print_approved(self.action, self.intent)
+
+        return self.attestation
+
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        return False  # Don't suppress exceptions
+
+
+# Convenience function for one-off protected execution
+def enforce(
+    client: SwiftAPI,
+    func: Callable[[], Any],
+    action: str,
+    intent: str,
+    params: Optional[Dict[str, Any]] = None,
+) -> Any:
+    """
+    One-off enforcement without creating an Enforcement instance.
+
+    Usage:
+        from swiftapi import SwiftAPI, enforce
+
+        api = SwiftAPI(key="...")
+        enforce(api, lambda: rm_rf("/"), action="file_delete", intent="Nuke it")
+    """
+    guard = Enforcement(client)
+    return guard.run(func, action, intent, params)

swiftapi/exceptions.py

@@ -0,0 +1,61 @@
+"""
+SwiftAPI SDK Exceptions
+"""
+
+
+class SwiftAPIError(Exception):
+    """Base exception for SwiftAPI SDK errors."""
+
+    def __init__(self, message: str, status_code: int = None, response: dict = None):
+        self.message = message
+        self.status_code = status_code
+        self.response = response
+        super().__init__(self.message)
+
+
+class AuthenticationError(SwiftAPIError):
+    """Raised when API key is invalid or missing."""
+    pass
+
+
+class PolicyViolation(SwiftAPIError):
+    """Raised when an action violates policy and is denied."""
+
+    def __init__(self, message: str, action_type: str = None, denial_reason: str = None):
+        self.action_type = action_type
+        self.denial_reason = denial_reason
+        super().__init__(message)
+
+
+class SignatureVerificationError(SwiftAPIError):
+    """Raised when attestation signature verification fails."""
+    pass
+
+
+class AttestationExpiredError(SwiftAPIError):
+    """Raised when an attestation has expired."""
+    pass
+
+
+class AttestationRevokedError(SwiftAPIError):
+    """Raised when an attestation has been revoked."""
+
+    def __init__(self, jti: str):
+        self.jti = jti
+        super().__init__(f"Attestation {jti} has been revoked")
+
+
+class RateLimitError(SwiftAPIError):
+    """Raised when rate limit is exceeded."""
+
+    def __init__(self, retry_after: int = None):
+        self.retry_after = retry_after
+        message = "Rate limit exceeded"
+        if retry_after:
+            message += f", retry after {retry_after}s"
+        super().__init__(message)
+
+
+class NetworkError(SwiftAPIError):
+    """Raised when network connectivity fails."""
+    pass

swiftapi/utils.py

@@ -0,0 +1,89 @@
+"""
+SwiftAPI SDK Utilities - UX and Display
+"""
+
+import sys
+
+try:
+    from colorama import Fore, Style, init
+    init(autoreset=True)
+    COLORS_AVAILABLE = True
+except ImportError:
+    COLORS_AVAILABLE = False
+
+
+# Color constants
+class Colors:
+    """Terminal color codes for SwiftAPI output."""
+
+    if COLORS_AVAILABLE:
+        RED = Fore.RED
+        GREEN = Fore.GREEN
+        YELLOW = Fore.YELLOW
+        BLUE = Fore.BLUE
+        MAGENTA = Fore.MAGENTA
+        CYAN = Fore.CYAN
+        WHITE = Fore.WHITE
+        RESET = Style.RESET_ALL
+        BOLD = Style.BRIGHT
+    else:
+        RED = GREEN = YELLOW = BLUE = MAGENTA = CYAN = WHITE = RESET = BOLD = ""
+
+
+# Unicode symbols
+class Symbols:
+    """Unicode symbols for SwiftAPI output."""
+
+    LOCK = "\U0001F512"        # Locked
+    UNLOCK = "\U0001F513"      # Unlocked
+    CHECK = "\u2713"           # Checkmark
+    CROSS = "\u2717"           # X mark
+    SHIELD = "\U0001F6E1"      # Shield
+    KEY = "\U0001F511"         # Key
+    WARNING = "\u26A0"         # Warning
+    LIGHTNING = "\u26A1"       # Lightning bolt
+
+
+def print_approved(action_type: str, intent: str):
+    """Print approval message with green styling."""
+    print(f"{Colors.GREEN}{Symbols.CHECK} APPROVED{Colors.RESET} [{action_type}] {intent}")
+
+
+def print_denied(action_type: str, intent: str, reason: str = None):
+    """Print denial message with red styling."""
+    msg = f"{Colors.RED}{Symbols.LOCK} DENIED{Colors.RESET} [{action_type}] {intent}"
+    if reason:
+        msg += f"\n  {Colors.YELLOW}Reason: {reason}{Colors.RESET}"
+    print(msg, file=sys.stderr)
+
+
+def print_verified(jti: str):
+    """Print verification success message."""
+    print(f"{Colors.CYAN}{Symbols.SHIELD} VERIFIED{Colors.RESET} Attestation {jti[:16]}...")
+
+
+def print_revoked(jti: str):
+    """Print revocation message."""
+    print(f"{Colors.RED}{Symbols.CROSS} REVOKED{Colors.RESET} Attestation {jti[:16]}...")
+
+
+def print_error(message: str):
+    """Print error message."""
+    print(f"{Colors.RED}{Symbols.WARNING} ERROR{Colors.RESET} {message}", file=sys.stderr)
+
+
+def print_info(message: str):
+    """Print info message."""
+    print(f"{Colors.BLUE}{Symbols.LIGHTNING} INFO{Colors.RESET} {message}")
+
+
+def format_attestation(attestation: dict) -> str:
+    """Format attestation for display."""
+    lines = [
+        f"{Colors.CYAN}Execution Attestation{Colors.RESET}",
+        f"  JTI: {attestation.get('jti', 'N/A')}",
+        f"  Expires: {attestation.get('expires_at', 'N/A')}",
+        f"  Fingerprint: {attestation.get('action_fingerprint', 'N/A')[:32]}...",
+        f"  Signed: {attestation.get('signing_mode', 'N/A')}",
+    ]
+    return "\n".join(lines)

swiftapi/verifier.py

@@ -0,0 +1,122 @@
+"""
+SwiftAPI SDK - Ed25519 Signature Verifier (The Shield)
+
+This module provides OFFLINE cryptographic verification of execution attestations.
+It does not require network connectivity - it uses the hardcoded SwiftAPI public key.
+"""
+
+import base64
+import json
+from datetime import datetime, timezone
+from typing import Dict, Any
+
+from nacl.signing import VerifyKey
+from nacl.exceptions import BadSignatureError
+
+from .exceptions import (
+    SignatureVerificationError,
+    AttestationExpiredError,
+)
+
+# SwiftAPI's Ed25519 Public Key (Base64)
+# This is the ONLY source of truth for attestation verification
+SWIFTAPI_PUBLIC_KEY_B64 = "jajZXZ0R3CUWkE5/5Mxx5Y76CdsSzaPDuT7aWnooZSk="
+
+# Decode public key once at module load
+SWIFTAPI_PUBLIC_KEY = base64.b64decode(SWIFTAPI_PUBLIC_KEY_B64)
+VERIFY_KEY = VerifyKey(SWIFTAPI_PUBLIC_KEY)
+
+
+def verify_signature(attestation: Dict[str, Any]) -> bool:
+    """
+    Verify the Ed25519 signature of an execution attestation.
+
+    This is OFFLINE verification - no network required.
+    The signature proves the attestation was issued by SwiftAPI.
+
+    Args:
+        attestation: The execution_attestation dict from /verify response
+
+    Returns:
+        True if signature is valid
+
+    Raises:
+        SignatureVerificationError: If signature is invalid or missing
+        AttestationExpiredError: If attestation has expired
+    """
+    # Extract required fields
+    signature_b64 = attestation.get("signature")
+    if not signature_b64:
+        raise SignatureVerificationError("Missing signature in attestation")
+
+    jti = attestation.get("jti")
+    action_fingerprint = attestation.get("action_fingerprint")
+    expires_at = attestation.get("expires_at")
+
+    if not all([jti, action_fingerprint, expires_at]):
+        raise SignatureVerificationError("Incomplete attestation: missing required fields")
+
+    # Check expiration FIRST
+    try:
+        expiry = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
+        now = datetime.now(timezone.utc)
+        if now > expiry:
+            raise AttestationExpiredError(f"Attestation expired at {expires_at}")
+    except ValueError as e:
+        raise SignatureVerificationError(f"Invalid expiration format: {e}")
+
+    # Reconstruct the signed payload (deterministic serialization)
+    # This MUST match the server's signing logic exactly
+    signed_payload = _reconstruct_signed_payload(attestation)
+
+    # Decode signature
+    try:
+        signature = base64.b64decode(signature_b64)
+    except Exception as e:
+        raise SignatureVerificationError(f"Invalid signature encoding: {e}")
+
+    # Verify signature
+    try:
+        VERIFY_KEY.verify(signed_payload, signature)
+        return True
+    except BadSignatureError:
+        raise SignatureVerificationError(
+            "INVALID SIGNATURE: Attestation was not signed by SwiftAPI. "
+            "This could indicate a forged or tampered attestation."
+        )
+
+
+def _reconstruct_signed_payload(attestation: Dict[str, Any]) -> bytes:
+    """
+    Reconstruct the exact payload that was signed by SwiftAPI.
+
+    The server signs the attestation BEFORE adding signature/signing_mode fields.
+    We must reconstruct that exact payload.
+    """
+    # Copy attestation and remove signature fields (they weren't in the signed payload)
+    signed_fields = {k: v for k, v in attestation.items() if k not in ("signature", "signing_mode")}
+
+    # Deterministic JSON serialization (must match server exactly)
+    payload_str = json.dumps(signed_fields, sort_keys=True, separators=(",", ":"))
+    return payload_str.encode("utf-8")
+
+
+def get_public_key() -> str:
+    """Return SwiftAPI's public key in Base64 format."""
+    return SWIFTAPI_PUBLIC_KEY_B64
+
+
+def is_valid(attestation: Dict[str, Any]) -> bool:
+    """
+    Check if attestation is valid without raising exceptions.
+
+    Args:
+        attestation: The execution_attestation dict
+
+    Returns:
+        True if valid, False otherwise
+    """
+    try:
+        return verify_signature(attestation)
+    except Exception:
+        return False

swiftapi_python-1.0.0.dist-info/METADATA

@@ -0,0 +1,256 @@
+Metadata-Version: 2.4
+Name: swiftapi-python
+Version: 1.0.0
+Summary: SwiftAPI Python SDK - AI Action Verification Gateway
+Author-email: Rayan Pal <rayan@swiftapi.ai>
+License-Expression: MIT
+Project-URL: Homepage, https://swiftapi.ai
+Project-URL: Documentation, https://docs.swiftapi.ai
+Project-URL: Repository, https://github.com/swiftapi/swiftapi-python
+Project-URL: Issues, https://github.com/swiftapi/swiftapi-python/issues
+Keywords: swiftapi,ai,verification,attestation,security,governance,enforcement
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Requires-Dist: requests>=2.31.0
+Requires-Dist: pynacl>=1.5.0
+Requires-Dist: colorama>=0.4.6
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0.0; extra == "dev"
+Requires-Dist: pytest-cov>=4.0.0; extra == "dev"
+Requires-Dist: black>=23.0.0; extra == "dev"
+Requires-Dist: mypy>=1.0.0; extra == "dev"
+Requires-Dist: types-requests>=2.31.0; extra == "dev"
+
+# SwiftAPI Python SDK
+
+**No AI action executes without verification.**
+
+SwiftAPI is the ignition key for AI agents. This SDK provides Python bindings for the SwiftAPI execution governance protocol.
+
+## Installation
+
+```bash
+pip install swiftapi
+```
+
+## Quick Start
+
+```python
+from swiftapi import SwiftAPI, Enforcement
+
+# Initialize client with your API key
+api = SwiftAPI(key="swiftapi_live_...")
+
+# Create an enforcement point
+guard = Enforcement(api)
+
+# THE LINE THAT SAVES THE COMPANY
+guard.run(
+    lambda: os.system("rm -rf /tmp/data"),
+    action="file_delete",
+    intent="Cleanup temporary files"
+)
+```
+
+If the action is denied by policy, a `PolicyViolation` exception is raised and **nothing executes**.
+
+## Features
+
+- **Cryptographic Enforcement**: Ed25519 signed attestations prove authorization
+- **Offline Verification**: Verify attestation signatures without network calls
+- **Policy Enforcement**: Actions blocked if they violate configured policies
+- **Rate Limiting**: Built-in handling for API rate limits
+- **Beautiful Output**: Color-coded terminal output for approvals/denials
+
+## Usage Patterns
+
+### 1. Direct Execution
+
+```python
+from swiftapi import SwiftAPI, Enforcement
+
+api = SwiftAPI(key="swiftapi_live_...")
+guard = Enforcement(api)
+
+# Execute with verification
+result = guard.run(
+    lambda: dangerous_operation(),
+    action="database_write",
+    intent="Update user preferences"
+)
+```
+
+### 2. Decorator
+
+```python
+@guard.protect(action="api_call", intent="Send notification")
+def send_notification(user_id: str, message: str):
+    # This only runs if SwiftAPI approves
+    notification_service.send(user_id, message)
+
+# Usage - automatically enforced
+send_notification("user123", "Hello!")
+```
+
+### 3. Context Manager
+
+```python
+with guard.guard(action="file_write", intent="Save configuration"):
+    # This block only executes if approved
+    with open("/etc/myapp/config.json", "w") as f:
+        json.dump(config, f)
+```
+
+### 4. One-off Enforcement
+
+```python
+from swiftapi import SwiftAPI, enforce
+
+api = SwiftAPI(key="swiftapi_live_...")
+enforce(api, lambda: risky_operation(), action="admin", intent="Reset system")
+```
+
+## Paranoid Mode
+
+For maximum security, enable paranoid mode to check revocation status online:
+
+```python
+guard = Enforcement(api, paranoid=True)
+```
+
+This adds an extra network call but ensures revoked attestations are caught in real-time.
+
+## Offline Verification
+
+You can verify attestation signatures without any network calls:
+
+```python
+from swiftapi import verify_signature, is_valid
+
+# Verify signature (raises exception if invalid)
+verify_signature(attestation)
+
+# Check validity without exceptions
+if is_valid(attestation):
+    print("Attestation is valid")
+```
+
+## Error Handling
+
+```python
+from swiftapi import (
+    SwiftAPI,
+    Enforcement,
+    PolicyViolation,
+    SignatureVerificationError,
+    AttestationRevokedError,
+)
+
+api = SwiftAPI(key="swiftapi_live_...")
+guard = Enforcement(api)
+
+try:
+    guard.run(lambda: delete_everything(), action="nuke", intent="YOLO")
+except PolicyViolation as e:
+    print(f"Action denied: {e.denial_reason}")
+except SignatureVerificationError:
+    print("CRITICAL: Attestation signature is invalid!")
+except AttestationRevokedError as e:
+    print(f"Attestation {e.jti} was revoked")
+```
+
+## API Client
+
+The SDK also provides direct API access:
+
+```python
+from swiftapi import SwiftAPI
+
+api = SwiftAPI(key="swiftapi_live_...")
+
+# Get API info
+info = api.get_info()
+
+# Verify an action
+result = api.verify(
+    action_type="file_write",
+    intent="Save user data",
+    params={"path": "/data/users.json"}
+)
+
+# Check attestation revocation
+is_revoked = api.check_revocation(jti="attestation-id")
+
+# List authority keys (admin only)
+keys = api.list_keys()
+
+# Create new key (admin only)
+new_key = api.create_key(name="agent-1", scopes=["verify"])
+```
+
+## Configuration
+
+```python
+api = SwiftAPI(
+    key="swiftapi_live_...",
+    base_url="https://swiftapi.ai",  # Default
+    timeout=30,  # Request timeout in seconds
+)
+
+guard = Enforcement(
+    client=api,
+    paranoid=False,  # Enable online revocation checks
+    verbose=True,    # Print status messages
+)
+```
+
+## The Golden Loop
+
+Every protected action goes through this verification chain:
+
+```
+┌─────────────────────────────────────────────────────────┐
+│                    THE GOLDEN LOOP                       │
+├─────────────────────────────────────────────────────────┤
+│                                                          │
+│  1. API CALL                                            │
+│     client.verify() ──────────────────────────────┐     │
+│                                                    │     │
+│  2. CRYPTO CHECK (Offline Truth)                  │     │
+│     verifier.verify_signature() ◄─────────────────┤     │
+│                                                    │     │
+│  3. ONLINE CHECK (Optional/Paranoid)              │     │
+│     client.check_revocation() ◄───────────────────┤     │
+│                                                    │     │
+│  4. EXECUTE                                        │     │
+│     func() ◄──────────────────────────────────────┘     │
+│                                                          │
+│  If ANY step fails → PolicyViolation raised             │
+│  The action NEVER executes without full verification    │
+│                                                          │
+└─────────────────────────────────────────────────────────┘
+```
+
+## License
+
+MIT License - See LICENSE file for details.
+
+## Links
+
+- **API**: https://swiftapi.ai
+- **Documentation**: https://docs.swiftapi.ai
+- **GitHub**: https://github.com/swiftapi/swiftapi-python
+
+---
+
+*Built by Rayan Pal. No AI action executes without verification.*

swiftapi_python-1.0.0.dist-info/RECORD

@@ -0,0 +1,10 @@
+swiftapi/__init__.py,sha256=u4aQrcZqV7Hjdy1eOV_-G1OvYH7_iZ1Yr4qelDXPg2c,1938
+swiftapi/client.py,sha256=i7O4GmlS_7HVxKwFvdh550pP1jcNUZXAyXkhTqviCi8,9373
+swiftapi/enforcement.py,sha256=L-2JKvvL5U3Q4ZU_o889RxZteuN-ELuxKGIMUXtx2sw,8725
+swiftapi/exceptions.py,sha256=hBleOCc1WwDEM70WNYTy1TDOSOaBJSx3PtzFzfmVOGY,1701
+swiftapi/utils.py,sha256=HVDhQq7-5dDiuifzo58BH57S1VAvXYB4hIh41PiS20U,2765
+swiftapi/verifier.py,sha256=KoZWx6SIgeCs2ke3ufQYN8or5-8Uo3DeKsn9AaXBuB0,4161
+swiftapi_python-1.0.0.dist-info/METADATA,sha256=pWrSZBuOKXPpkyG1cbx6_WhNNmh59prvB0TYGE72TdE,7814
+swiftapi_python-1.0.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+swiftapi_python-1.0.0.dist-info/top_level.txt,sha256=oio-d2BTrT91P7dmufUhlSYjOtWBh4bOYz6rsTDDvu4,9
+swiftapi_python-1.0.0.dist-info/RECORD,,

swiftapi_python-1.0.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.9.0)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

swiftapi_python-1.0.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+swiftapi