tappass 0.6.0__tar.gz

tappass-0.6.0/.gitignore

@@ -0,0 +1,14 @@
+__pycache__/
+*.pyc
+.venv/
+venv/
+dist/
+build/
+*.egg-info/
+.DS_Store
+*.swp
+.env
+tappass-pipeline.yaml
+.hypothesis/
+.pytest_cache/
+.benchmarks/

tappass-0.6.0/LICENSE

@@ -0,0 +1,17 @@
+                              Apache License
+                        Version 2.0, January 2004
+                     http://www.apache.org/licenses/
+
+Copyright 2026 Cogniqor BV
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

tappass-0.6.0/PKG-INFO

@@ -0,0 +1,161 @@
+Metadata-Version: 2.4
+Name: tappass
+Version: 0.6.0
+Summary: TapPass SDK — Zero Trust AI Agent Platform. Cryptographic capability tokens, governance pipeline, agent trust scoring.
+Project-URL: Homepage, https://tappass.ai
+Project-URL: Documentation, https://docs.tappass.ai
+Project-URL: Repository, https://github.com/tappass/tappass-sdk
+Project-URL: Changelog, https://github.com/tappass/tappass-sdk/blob/main/CHANGELOG.md
+Project-URL: Issues, https://github.com/tappass/tappass-sdk/issues
+Author-email: Jens Bontinck <jens@tappass.ai>
+License: Apache-2.0
+License-File: LICENSE
+Keywords: ai-agents,audit,capability-tokens,crewai,eu-ai-act,gdpr,governance,langchain,llm,openai,pii-detection,prompt-injection,security
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Classifier: Typing :: Typed
+Requires-Python: >=3.11
+Requires-Dist: cryptography>=41.0
+Requires-Dist: httpx>=0.25
+Provides-Extra: all
+Requires-Dist: crewai>=0.50; extra == 'all'
+Requires-Dist: fastapi>=0.100; extra == 'all'
+Requires-Dist: langchain-core>=0.2; extra == 'all'
+Requires-Dist: nono-py>=0.1.0; extra == 'all'
+Requires-Dist: openai>=1.0; extra == 'all'
+Requires-Dist: temporalio>=1.5; extra == 'all'
+Provides-Extra: crewai
+Requires-Dist: crewai>=0.50; extra == 'crewai'
+Provides-Extra: dev
+Requires-Dist: anthropic>=0.40; extra == 'dev'
+Requires-Dist: fastapi>=0.100; extra == 'dev'
+Requires-Dist: mypy>=1.10; extra == 'dev'
+Requires-Dist: openai>=1.0; extra == 'dev'
+Requires-Dist: pyjwt>=2.10; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: respx>=0.21; extra == 'dev'
+Provides-Extra: fastapi
+Requires-Dist: fastapi>=0.100; extra == 'fastapi'
+Requires-Dist: starlette>=0.27; extra == 'fastapi'
+Provides-Extra: google-adk
+Requires-Dist: google-adk>=0.1; extra == 'google-adk'
+Provides-Extra: langchain
+Requires-Dist: langchain-core>=0.2; extra == 'langchain'
+Provides-Extra: openai
+Requires-Dist: openai>=1.0; extra == 'openai'
+Provides-Extra: sandbox
+Requires-Dist: nono-py>=0.1.0; extra == 'sandbox'
+Provides-Extra: temporal
+Requires-Dist: temporalio>=1.5; extra == 'temporal'
+Description-Content-Type: text/markdown
+
+# tappass — Zero Trust Control Plane for Agentic AI (Python SDK)
+
+Runtime governance for your LLM, agent, and tool calls. Embed in your code, get a typed audit trail, surface governance decisions as Python exceptions.
+
+**What this SDK is for:**
+- Governing LLM calls, agent runs, and tool executions at runtime.
+- Emitting structured audit events with correlation IDs.
+- Handling governance decisions (block, redact, approve, trust-tier, break-glass) as typed exceptions in your code.
+
+**What this SDK is NOT for:**
+- Policy CRUD, compliance report generation, Verified credential issuance, retention config, break-glass invocation, tool-integrity approval. Those live in the [TapPass dashboard](https://app.tappass.ai) — not in your agent code.
+
+## Requirements
+
+- Python ≥ 3.11.
+- `tappass` server ≥ 0.6.0. (The SDK rejects older servers at construction time.)
+
+## Install
+
+    pip install tappass
+
+## Quickstart — a governed chat call
+
+    from tappass import Agent
+
+    agent = Agent("https://tappass.example.com", api_key="tp_...")
+    r = agent.chat("Summarize Q4 revenue")
+    print(r.content)
+    print(r.session_id, r.audit_url)   # correlation IDs, deep link to dashboard
+
+## Quickstart — govern a CrewAI run
+
+    from crewai import Agent, Task, Crew
+    from tappass.integrations.crewai import guard_crew
+
+    crew = Crew(agents=[...], tasks=[...])
+
+    with guard_crew(crew, tappass_url="https://tappass.example.com", api_key="tp_...") as session:
+        result = session.kickoff()
+        print(session.id, session.audit_url)
+
+## Decisions are typed exceptions
+
+    from tappass import GovernanceDecision, PolicyBlockError, ApprovalRequired
+
+    try:
+        r = agent.chat("Show me all customer SSNs")
+    except PolicyBlockError as e:
+        print(f"Blocked by {e.blocked_by}: {e.reason}. See {e.audit_url}")
+    except ApprovalRequired as e:
+        print(f"Awaiting approval: {e.approval_url}")
+    except GovernanceDecision as e:
+        print(f"Governance decision: {e}")
+
+## What's new in 0.6
+
+See `CHANGELOG.md`. Breaking changes — no back-compat with 0.5.x. See the [migration guide](https://docs.tappass.ai/sdk/migration-0.6/).
+
+## Publishing a release
+
+Releases ship to PyPI via GitHub Actions using OIDC Trusted Publishing — no long-lived API token is stored anywhere. The workflow is `.github/workflows/release.yml`.
+
+### One-time PyPI configuration
+
+Only needed once per project (or whenever the workflow name / environment changes):
+
+1. Log in to <https://pypi.org/manage/account/publishing/>.
+2. Under **Add a new pending publisher** (if the project isn't on PyPI yet) or the existing project's **Publishing** tab, add a GitHub publisher with:
+   - **PyPI Project Name:** `tappass`
+   - **Owner:** `tappass`
+   - **Repository name:** `tappass-sdk`
+   - **Workflow name:** `release.yml`
+   - **Environment name:** `pypi`
+3. In the GitHub repo, go to **Settings → Environments** and create an environment named `pypi`. Optionally add a required-reviewers protection rule so a human approves each release.
+
+That's it — no secrets, no tokens.
+
+### Cutting a release
+
+1. Bump `version` in `pyproject.toml` (and `__version__` in `tappass/__init__.py`).
+2. Update `CHANGELOG.md`: flip `## [X.Y.Z] — Unreleased` to `## [X.Y.Z] — YYYY-MM-DD`.
+3. Commit: `git commit -am "release: X.Y.Z"`.
+4. Tag and push:
+   ```
+   git tag vX.Y.Z
+   git push origin main --tags
+   ```
+
+The workflow then:
+1. Verifies the tag matches `pyproject.toml` version (fails the release if not).
+2. Builds wheel + sdist.
+3. Runs `twine check`.
+4. Publishes to PyPI via OIDC.
+5. Creates a GitHub Release with the wheel + sdist attached and auto-generated notes.
+
+### Dry run
+
+To build the artifacts without publishing, use **Actions → Release to PyPI → Run workflow** with `dry_run` checked. The `publish` and `github_release` jobs are skipped; the `build` job's artifacts are retained for inspection.
+
+## License
+
+Apache-2.0. See `LICENSE`.

tappass-0.6.0/README.md

@@ -0,0 +1,102 @@
+# tappass — Zero Trust Control Plane for Agentic AI (Python SDK)
+
+Runtime governance for your LLM, agent, and tool calls. Embed in your code, get a typed audit trail, surface governance decisions as Python exceptions.
+
+**What this SDK is for:**
+- Governing LLM calls, agent runs, and tool executions at runtime.
+- Emitting structured audit events with correlation IDs.
+- Handling governance decisions (block, redact, approve, trust-tier, break-glass) as typed exceptions in your code.
+
+**What this SDK is NOT for:**
+- Policy CRUD, compliance report generation, Verified credential issuance, retention config, break-glass invocation, tool-integrity approval. Those live in the [TapPass dashboard](https://app.tappass.ai) — not in your agent code.
+
+## Requirements
+
+- Python ≥ 3.11.
+- `tappass` server ≥ 0.6.0. (The SDK rejects older servers at construction time.)
+
+## Install
+
+    pip install tappass
+
+## Quickstart — a governed chat call
+
+    from tappass import Agent
+
+    agent = Agent("https://tappass.example.com", api_key="tp_...")
+    r = agent.chat("Summarize Q4 revenue")
+    print(r.content)
+    print(r.session_id, r.audit_url)   # correlation IDs, deep link to dashboard
+
+## Quickstart — govern a CrewAI run
+
+    from crewai import Agent, Task, Crew
+    from tappass.integrations.crewai import guard_crew
+
+    crew = Crew(agents=[...], tasks=[...])
+
+    with guard_crew(crew, tappass_url="https://tappass.example.com", api_key="tp_...") as session:
+        result = session.kickoff()
+        print(session.id, session.audit_url)
+
+## Decisions are typed exceptions
+
+    from tappass import GovernanceDecision, PolicyBlockError, ApprovalRequired
+
+    try:
+        r = agent.chat("Show me all customer SSNs")
+    except PolicyBlockError as e:
+        print(f"Blocked by {e.blocked_by}: {e.reason}. See {e.audit_url}")
+    except ApprovalRequired as e:
+        print(f"Awaiting approval: {e.approval_url}")
+    except GovernanceDecision as e:
+        print(f"Governance decision: {e}")
+
+## What's new in 0.6
+
+See `CHANGELOG.md`. Breaking changes — no back-compat with 0.5.x. See the [migration guide](https://docs.tappass.ai/sdk/migration-0.6/).
+
+## Publishing a release
+
+Releases ship to PyPI via GitHub Actions using OIDC Trusted Publishing — no long-lived API token is stored anywhere. The workflow is `.github/workflows/release.yml`.
+
+### One-time PyPI configuration
+
+Only needed once per project (or whenever the workflow name / environment changes):
+
+1. Log in to <https://pypi.org/manage/account/publishing/>.
+2. Under **Add a new pending publisher** (if the project isn't on PyPI yet) or the existing project's **Publishing** tab, add a GitHub publisher with:
+   - **PyPI Project Name:** `tappass`
+   - **Owner:** `tappass`
+   - **Repository name:** `tappass-sdk`
+   - **Workflow name:** `release.yml`
+   - **Environment name:** `pypi`
+3. In the GitHub repo, go to **Settings → Environments** and create an environment named `pypi`. Optionally add a required-reviewers protection rule so a human approves each release.
+
+That's it — no secrets, no tokens.
+
+### Cutting a release
+
+1. Bump `version` in `pyproject.toml` (and `__version__` in `tappass/__init__.py`).
+2. Update `CHANGELOG.md`: flip `## [X.Y.Z] — Unreleased` to `## [X.Y.Z] — YYYY-MM-DD`.
+3. Commit: `git commit -am "release: X.Y.Z"`.
+4. Tag and push:
+   ```
+   git tag vX.Y.Z
+   git push origin main --tags
+   ```
+
+The workflow then:
+1. Verifies the tag matches `pyproject.toml` version (fails the release if not).
+2. Builds wheel + sdist.
+3. Runs `twine check`.
+4. Publishes to PyPI via OIDC.
+5. Creates a GitHub Release with the wheel + sdist attached and auto-generated notes.
+
+### Dry run
+
+To build the artifacts without publishing, use **Actions → Release to PyPI → Run workflow** with `dry_run` checked. The `publish` and `github_release` jobs are skipped; the `build` job's artifacts are retained for inspection.
+
+## License
+
+Apache-2.0. See `LICENSE`.

tappass-0.6.0/pyproject.toml

@@ -0,0 +1,91 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "tappass"
+version = "0.6.0"
+description = "TapPass SDK — Zero Trust AI Agent Platform. Cryptographic capability tokens, governance pipeline, agent trust scoring."
+readme = "README.md"
+requires-python = ">=3.11"
+dependencies = ["httpx>=0.25", "cryptography>=41.0"]
+license = {text = "Apache-2.0"}
+authors = [
+    {name = "Jens Bontinck", email = "jens@tappass.ai"},
+]
+keywords = [
+    "ai-agents",
+    "governance",
+    "security",
+    "capability-tokens",
+    "audit",
+    "gdpr",
+    "eu-ai-act",
+    "langchain",
+    "crewai",
+    "openai",
+    "llm",
+    "prompt-injection",
+    "pii-detection",
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "Topic :: Security",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "License :: OSI Approved :: Apache Software License",
+    "Typing :: Typed",
+]
+
+[project.scripts]
+tappass = "tappass._cli:main"
+tappass-sign = "tappass.signing:main"
+tappass-claude-code-hook = "tappass.integrations.claude_code:main"
+
+[project.optional-dependencies]
+sandbox = ["nono-py>=0.1.0"]
+openai = ["openai>=1.0"]
+langchain = ["langchain-core>=0.2"]
+crewai = ["crewai>=0.50"]
+fastapi = ["fastapi>=0.100", "starlette>=0.27"]
+temporal = ["temporalio>=1.5"]
+google-adk = ["google-adk>=0.1"]
+all = ["nono-py>=0.1.0", "openai>=1.0", "langchain-core>=0.2", "crewai>=0.50", "fastapi>=0.100", "temporalio>=1.5"]
+dev = [
+    "pytest>=8.0",
+    "pytest-asyncio>=0.23",
+    "respx>=0.21",
+    "mypy>=1.10",
+    # Test-only — tests/test_fastapi_mandate.py exercises the JWS
+    # verifier and the example FastAPI route.
+    "pyjwt>=2.10",
+    "fastapi>=0.100",
+    # Drop-in client tests (test_openai_drop_in, test_anthropic_drop_in)
+    # import these directly; without them CI fails with ModuleNotFoundError.
+    "openai>=1.0",
+    "anthropic>=0.40",
+]
+
+[project.urls]
+Homepage = "https://tappass.ai"
+Documentation = "https://docs.tappass.ai"
+Repository = "https://github.com/tappass/tappass-sdk"
+Changelog = "https://github.com/tappass/tappass-sdk/blob/main/CHANGELOG.md"
+Issues = "https://github.com/tappass/tappass-sdk/issues"
+
+[tool.hatch.build.targets.wheel]
+packages = ["tappass"]
+
+[tool.hatch.build.targets.sdist]
+include = ["tappass/", "README.md", "LICENSE"]
+
+[tool.ruff]
+target-version = "py310"
+line-length = 120
+
+[tool.pytest.ini_options]
+asyncio_mode = "auto"

tappass-0.6.0/tappass/__init__.py

@@ -0,0 +1,127 @@
+"""TapPass — Zero Trust Control Plane for Agentic AI (SDK 0.6.0).
+
+Runtime governance for LLM, agent, and tool calls. For admin surface
+(policy CRUD, compliance reports, retention, etc.) use the dashboard.
+"""
+from __future__ import annotations
+
+__version__ = "0.6.0"
+
+# ── Core runtime ──────────────────────────────────────────────
+from tappass.client import Agent, AsyncAgent
+from tappass.admin import TapPass, AsyncTapPass
+from tappass.govern import govern
+from tappass.sor import govern_sor_write, govern_sor_write_async
+from tappass._govern_call import GovernanceBlocked, GovernanceUnavailable
+from tappass.session import (
+    current_session,
+    tappass_session,
+    tappass_session_async,
+)
+
+# ── Capability tokens ─────────────────────────────────────────
+from tappass.capability_token import (
+    CapabilityToken,
+    Authorizer,
+    AuthorizationResult,
+    SigningKey,
+    PublicKey,
+    Clearance,
+    TokenType,
+)
+
+# ── Constraints ───────────────────────────────────────────────
+from tappass.constraints import (
+    Constraint, ConstraintSet,
+    Exact, Pattern, Range, OneOf, NotOneOf,
+    Subpath, UrlSafe, Shlex, Cidr, UrlPattern, Regex, CEL, Wildcard,
+)
+
+# ── Guard ─────────────────────────────────────────────────────
+from tappass.guard import (
+    guard, token_scope, key_scope, authorizer_scope, guard_scope,
+    bypass_scope,
+    AuthorizationDenied as GuardDenied,
+    MissingContext, MissingSigningKey,
+)
+
+# ── Approval ──────────────────────────────────────────────────
+from tappass.approval import (
+    ApprovalPolicy, ApprovalRequest, ApprovalResult, ApprovalStatus,
+    ApprovalRegistry, SignedApproval,
+    approve, require_approval, auto_approve, auto_deny, cli_prompt,
+)
+
+# ── Resilience ────────────────────────────────────────────────
+from tappass.resilience import (
+    ResiliencePolicy, FailMode, ResilienceManager,
+    TapPassCircuitBreaker, LocalAuditBuffer,
+)
+
+# ── Exceptions ────────────────────────────────────────────────
+from tappass.errors import (
+    TapPassError,
+    TapPassConnectionError,
+    TapPassConfigError,
+    GovernanceDecision,
+    PolicyBlockError,
+    RedactionApplied,
+    ApprovalRequired,
+    TrustTierDenied,
+    BreakGlassActive,
+    ToolIntegrityViolation,
+)
+
+# ── Types ─────────────────────────────────────────────────────
+from tappass.types import (
+    ChatResponse,
+    ChatChunk,
+    Usage,
+    ToolCall,
+    StepResult,
+    PipelineResult,
+    Redaction,
+    AuditEvent,
+    Session,
+    HealthStatus,
+    AgentInfo,
+)
+
+__all__ = [
+    "__version__",
+    # Runtime
+    "Agent", "AsyncAgent",
+    "TapPass", "AsyncTapPass",
+    "govern",
+    "govern_sor_write", "govern_sor_write_async",
+    "GovernanceBlocked", "GovernanceUnavailable",
+    "tappass_session", "tappass_session_async", "current_session",
+    # Capability tokens
+    "CapabilityToken", "Authorizer", "AuthorizationResult",
+    "SigningKey", "PublicKey", "Clearance", "TokenType",
+    # Constraints
+    "Constraint", "ConstraintSet",
+    "Exact", "Pattern", "Range", "OneOf", "NotOneOf",
+    "Subpath", "UrlSafe", "Shlex", "Cidr", "UrlPattern",
+    "Regex", "CEL", "Wildcard",
+    # Guard
+    "guard", "token_scope", "key_scope", "authorizer_scope",
+    "guard_scope", "bypass_scope",
+    "GuardDenied", "MissingContext", "MissingSigningKey",
+    # Approval
+    "ApprovalPolicy", "ApprovalRequest", "ApprovalResult",
+    "ApprovalStatus", "ApprovalRegistry", "SignedApproval",
+    "approve", "require_approval", "auto_approve", "auto_deny", "cli_prompt",
+    # Resilience
+    "ResiliencePolicy", "FailMode", "ResilienceManager",
+    "TapPassCircuitBreaker", "LocalAuditBuffer",
+    # Exceptions
+    "TapPassError", "TapPassConnectionError", "TapPassConfigError",
+    "GovernanceDecision", "PolicyBlockError", "RedactionApplied",
+    "ApprovalRequired", "TrustTierDenied", "BreakGlassActive",
+    "ToolIntegrityViolation",
+    # Types
+    "ChatResponse", "ChatChunk", "Usage", "ToolCall", "StepResult",
+    "PipelineResult", "Redaction", "AuditEvent", "Session",
+    "HealthStatus", "AgentInfo",
+]