vinctor-core 0.2.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (226) hide show
  1. vinctor_core-0.2.0/.dockerignore +12 -0
  2. vinctor_core-0.2.0/.github/ISSUE_TEMPLATE/bug_report.md +21 -0
  3. vinctor_core-0.2.0/.github/ISSUE_TEMPLATE/feature_request.md +11 -0
  4. vinctor_core-0.2.0/.github/pull_request_template.md +19 -0
  5. vinctor_core-0.2.0/.github/workflows/ci.yml +65 -0
  6. vinctor_core-0.2.0/.github/workflows/release.yml +107 -0
  7. vinctor_core-0.2.0/.gitignore +13 -0
  8. vinctor_core-0.2.0/AGENTS.md +97 -0
  9. vinctor_core-0.2.0/CODE_OF_CONDUCT.md +23 -0
  10. vinctor_core-0.2.0/CONTRIBUTING.md +52 -0
  11. vinctor_core-0.2.0/Dockerfile +31 -0
  12. vinctor_core-0.2.0/LICENSE +21 -0
  13. vinctor_core-0.2.0/Makefile +26 -0
  14. vinctor_core-0.2.0/OPEN-issues.md +10 -0
  15. vinctor_core-0.2.0/PKG-INFO +771 -0
  16. vinctor_core-0.2.0/README.md +745 -0
  17. vinctor_core-0.2.0/SECURITY.md +32 -0
  18. vinctor_core-0.2.0/compose.yaml +21 -0
  19. vinctor_core-0.2.0/demo/auto_approval_dry_run_demo.py +67 -0
  20. vinctor_core-0.2.0/demo/auto_approval_http_admin_demo.py +77 -0
  21. vinctor_core-0.2.0/demo/auto_approval_service_path_demo.py +88 -0
  22. vinctor_core-0.2.0/demo/boundary_admin_http_demo.py +210 -0
  23. vinctor_core-0.2.0/demo/boundary_registry_core_e2e.py +100 -0
  24. vinctor_core-0.2.0/demo/claude_code_design_partner_e2e_setup.py +525 -0
  25. vinctor_core-0.2.0/demo/git_repo_boundary_demo.py +53 -0
  26. vinctor_core-0.2.0/demo/grant_lifecycle_demo.py +84 -0
  27. vinctor_core-0.2.0/demo/grant_request_lifecycle_demo.py +80 -0
  28. vinctor_core-0.2.0/demo/in_memory_v1_service_demo.py +87 -0
  29. vinctor_core-0.2.0/demo/local_operator_flow_demo.py +126 -0
  30. vinctor_core-0.2.0/demo/local_service_bootstrap_demo.py +144 -0
  31. vinctor_core-0.2.0/demo/local_service_launch_helper_demo.py +107 -0
  32. vinctor_core-0.2.0/demo/local_v1_http_service_demo.py +155 -0
  33. vinctor_core-0.2.0/demo/manual_review_required_demo.py +72 -0
  34. vinctor_core-0.2.0/demo/mock_vinctor_service_demo.py +80 -0
  35. vinctor_core-0.2.0/demo/operator_storage_ops_demo.py +113 -0
  36. vinctor_core-0.2.0/demo/read_only_mcp_server_demo.py +125 -0
  37. vinctor_core-0.2.0/demo/self_hostable_service_demo.py +132 -0
  38. vinctor_core-0.2.0/demo/sqlite_boundary_registry_demo.py +125 -0
  39. vinctor_core-0.2.0/demo/sqlite_grant_audit_demo.py +99 -0
  40. vinctor_core-0.2.0/demo/sqlite_v1_service_demo.py +97 -0
  41. vinctor_core-0.2.0/demo/v1_http_contract_demo.py +79 -0
  42. vinctor_core-0.2.0/deploy/preview/.env.example +6 -0
  43. vinctor_core-0.2.0/deploy/preview/Caddyfile +12 -0
  44. vinctor_core-0.2.0/deploy/preview/compose.yaml +55 -0
  45. vinctor_core-0.2.0/deploy/preview/smoke.py +200 -0
  46. vinctor_core-0.2.0/docs/api-contract.md +462 -0
  47. vinctor_core-0.2.0/docs/assets/golden-path-demo.gif +0 -0
  48. vinctor_core-0.2.0/docs/assets/golden-path-demo.tape +43 -0
  49. vinctor_core-0.2.0/docs/assets/vinctor-hero.svg +57 -0
  50. vinctor_core-0.2.0/docs/cli-design.md +225 -0
  51. vinctor_core-0.2.0/docs/cli-reference.md +465 -0
  52. vinctor_core-0.2.0/docs/decisions/0001-service-package-in-repository.md +30 -0
  53. vinctor_core-0.2.0/docs/decisions/0002-durable-local-key-storage.md +127 -0
  54. vinctor_core-0.2.0/docs/decisions/0003-grant-lifecycle-jit-semantics.md +126 -0
  55. vinctor_core-0.2.0/docs/decisions/0004-approval-authority-and-auto-approval-rules.md +112 -0
  56. vinctor_core-0.2.0/docs/decisions/0005-grant-request-routing-and-approval-modes.md +126 -0
  57. vinctor_core-0.2.0/docs/decisions/0006-local-bootstrap-ux-and-key-reuse.md +59 -0
  58. vinctor_core-0.2.0/docs/decisions/0007-delegated-enforce-and-pep-identity.md +160 -0
  59. vinctor_core-0.2.0/docs/decisions/0008-auditing-pre-grant-evaluation-rejections.md +157 -0
  60. vinctor_core-0.2.0/docs/decisions/0009-mandatory-boundary-enforcement.md +111 -0
  61. vinctor_core-0.2.0/docs/decisions/0010-infer-scope-proposals-from-audit.md +62 -0
  62. vinctor_core-0.2.0/docs/decisions/0011-mcp-resource-side-pep.md +55 -0
  63. vinctor_core-0.2.0/docs/decisions/README.md +38 -0
  64. vinctor_core-0.2.0/docs/demo-service-runbook.md +182 -0
  65. vinctor_core-0.2.0/docs/deployment/operational-runbooks.md +419 -0
  66. vinctor_core-0.2.0/docs/deployment/preview-runbook.md +349 -0
  67. vinctor_core-0.2.0/docs/deployment/preview-validation.md +166 -0
  68. vinctor_core-0.2.0/docs/deployment/self-hosting.md +616 -0
  69. vinctor_core-0.2.0/docs/design-partner/end-to-end-claude-code-2.1.169-2026-06-12.md +355 -0
  70. vinctor_core-0.2.0/docs/dogfood/local-bootstrap-2026-06-11.md +191 -0
  71. vinctor_core-0.2.0/docs/dogfooding/2026-06-21-dogfooding-summary.md +169 -0
  72. vinctor_core-0.2.0/docs/examples/local-demo-policy.yaml +15 -0
  73. vinctor_core-0.2.0/docs/examples/policies/README.md +22 -0
  74. vinctor_core-0.2.0/docs/examples/policies/ci.yaml +16 -0
  75. vinctor_core-0.2.0/docs/examples/policies/deploy-manual-review.yaml +15 -0
  76. vinctor_core-0.2.0/docs/examples/policies/repo-write-boundary.yaml +7 -0
  77. vinctor_core-0.2.0/docs/examples/policies/secret-read.yaml +14 -0
  78. vinctor_core-0.2.0/docs/examples/policies/sibling-repo-deny.yaml +14 -0
  79. vinctor_core-0.2.0/docs/git-boundary-demo-scenario.md +50 -0
  80. vinctor_core-0.2.0/docs/local-hook-runbook.md +93 -0
  81. vinctor_core-0.2.0/docs/mcp-server.md +316 -0
  82. vinctor_core-0.2.0/docs/next-actions.md +562 -0
  83. vinctor_core-0.2.0/docs/openapi/v1.yaml +742 -0
  84. vinctor_core-0.2.0/docs/operator-policy-authoring/README.md +184 -0
  85. vinctor_core-0.2.0/docs/operator-policy-authoring/approval-mode-examples.md +144 -0
  86. vinctor_core-0.2.0/docs/operator-policy-authoring/examples.md +330 -0
  87. vinctor_core-0.2.0/docs/operator-policy-authoring/policy-file.md +97 -0
  88. vinctor_core-0.2.0/docs/operator-policy-authoring/troubleshooting.md +57 -0
  89. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-21-adr0007-subject-tokens.md +1250 -0
  90. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-22-adr0009-require-boundary.md +575 -0
  91. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-22-require-boundary-ws-policy.md +215 -0
  92. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-23-0007-hmac-pop.md +242 -0
  93. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-23-0007-per-action-token.md +124 -0
  94. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-23-0007-require-token-revoke.md +184 -0
  95. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-23-productionization-logging-metrics.md +209 -0
  96. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-24-cli-cosmetics.md +78 -0
  97. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-24-durable-pop-cache.md +100 -0
  98. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-24-e2e-code-fixes.md +114 -0
  99. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-24-mcp-grants-revoke.md +92 -0
  100. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-24-mcp-issue-grant.md +110 -0
  101. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-24-mcp-phase2-approvals.md +137 -0
  102. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-24-mcp-phase3-reports.md +135 -0
  103. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-24-require-pop-mandate.md +157 -0
  104. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-25-cli-quickwins.md +99 -0
  105. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-25-operator-grants-revoke.md +103 -0
  106. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-25-security-hardening.md +137 -0
  107. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-25-v011-security-hardening.md +114 -0
  108. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-26-per-source-rate-limiter.md +102 -0
  109. vinctor_core-0.2.0/docs/superpowers/plans/2026-06-26-scope-reject-path-traversal.md +88 -0
  110. vinctor_core-0.2.0/docs/superpowers/plans/2026-07-02-mcp-non-bypassable-pep.md +72 -0
  111. vinctor_core-0.2.0/docs/superpowers/plans/2026-07-02-record-infer.md +340 -0
  112. vinctor_core-0.2.0/docs/superpowers/specs/2026-06-21-adr0007-subject-token-identity-proof-design.md +283 -0
  113. vinctor_core-0.2.0/docs/superpowers/specs/2026-06-22-adr0009-require-boundary-design.md +175 -0
  114. vinctor_core-0.2.0/docs/superpowers/specs/2026-06-23-0007-hmac-pop-design.md +210 -0
  115. vinctor_core-0.2.0/docs/superpowers/specs/2026-06-25-golden-path-demo-design.md +143 -0
  116. vinctor_core-0.2.0/docs/superpowers/specs/2026-07-01-mcp-non-bypassable-enforcement.md +156 -0
  117. vinctor_core-0.2.0/docs/superpowers/specs/2026-07-01-record-infer-policy-from-audit.md +141 -0
  118. vinctor_core-0.2.0/docs/testing/mock-vinctor-service.md +223 -0
  119. vinctor_core-0.2.0/docs/threat-model.md +310 -0
  120. vinctor_core-0.2.0/pyproject.toml +57 -0
  121. vinctor_core-0.2.0/src/vinctor_core/__init__.py +44 -0
  122. vinctor_core-0.2.0/src/vinctor_core/audit.py +126 -0
  123. vinctor_core-0.2.0/src/vinctor_core/enforce.py +119 -0
  124. vinctor_core-0.2.0/src/vinctor_core/infer.py +124 -0
  125. vinctor_core-0.2.0/src/vinctor_core/models.py +179 -0
  126. vinctor_core-0.2.0/src/vinctor_core/policy.py +89 -0
  127. vinctor_core-0.2.0/src/vinctor_core/py.typed +1 -0
  128. vinctor_core-0.2.0/src/vinctor_core/registry.py +113 -0
  129. vinctor_core-0.2.0/src/vinctor_core/scope.py +94 -0
  130. vinctor_core-0.2.0/src/vinctor_mcp_server/__init__.py +2 -0
  131. vinctor_core-0.2.0/src/vinctor_mcp_server/__main__.py +6 -0
  132. vinctor_core-0.2.0/src/vinctor_mcp_server/config.py +53 -0
  133. vinctor_core-0.2.0/src/vinctor_mcp_server/output_policy.py +104 -0
  134. vinctor_core-0.2.0/src/vinctor_mcp_server/server.py +84 -0
  135. vinctor_core-0.2.0/src/vinctor_mcp_server/service_client.py +200 -0
  136. vinctor_core-0.2.0/src/vinctor_mcp_server/tools.py +576 -0
  137. vinctor_core-0.2.0/src/vinctor_service/__init__.py +196 -0
  138. vinctor_core-0.2.0/src/vinctor_service/__main__.py +6 -0
  139. vinctor_core-0.2.0/src/vinctor_service/audit.py +148 -0
  140. vinctor_core-0.2.0/src/vinctor_service/audit_http.py +179 -0
  141. vinctor_core-0.2.0/src/vinctor_service/authorize.py +48 -0
  142. vinctor_core-0.2.0/src/vinctor_service/auto_approval.py +208 -0
  143. vinctor_core-0.2.0/src/vinctor_service/auto_approval_http.py +239 -0
  144. vinctor_core-0.2.0/src/vinctor_service/boundary_http.py +230 -0
  145. vinctor_core-0.2.0/src/vinctor_service/cli.py +2474 -0
  146. vinctor_core-0.2.0/src/vinctor_service/grant_http.py +280 -0
  147. vinctor_core-0.2.0/src/vinctor_service/grant_request_http.py +660 -0
  148. vinctor_core-0.2.0/src/vinctor_service/grant_requests.py +299 -0
  149. vinctor_core-0.2.0/src/vinctor_service/grants.py +327 -0
  150. vinctor_core-0.2.0/src/vinctor_service/in_memory.py +449 -0
  151. vinctor_core-0.2.0/src/vinctor_service/key_ops.py +121 -0
  152. vinctor_core-0.2.0/src/vinctor_service/keys.py +426 -0
  153. vinctor_core-0.2.0/src/vinctor_service/local_admin.py +478 -0
  154. vinctor_core-0.2.0/src/vinctor_service/local_http.py +711 -0
  155. vinctor_core-0.2.0/src/vinctor_service/local_launcher.py +445 -0
  156. vinctor_core-0.2.0/src/vinctor_service/metrics.py +32 -0
  157. vinctor_core-0.2.0/src/vinctor_service/models.py +208 -0
  158. vinctor_core-0.2.0/src/vinctor_service/policy_files.py +342 -0
  159. vinctor_core-0.2.0/src/vinctor_service/policy_infer.py +90 -0
  160. vinctor_core-0.2.0/src/vinctor_service/pop.py +113 -0
  161. vinctor_core-0.2.0/src/vinctor_service/ratelimit.py +73 -0
  162. vinctor_core-0.2.0/src/vinctor_service/repositories.py +294 -0
  163. vinctor_core-0.2.0/src/vinctor_service/service_config.py +92 -0
  164. vinctor_core-0.2.0/src/vinctor_service/service_runtime.py +112 -0
  165. vinctor_core-0.2.0/src/vinctor_service/sqlite.py +1768 -0
  166. vinctor_core-0.2.0/src/vinctor_service/storage_ops.py +150 -0
  167. vinctor_core-0.2.0/src/vinctor_service/subject_tokens.py +115 -0
  168. vinctor_core-0.2.0/src/vinctor_service/v1_enforce.py +534 -0
  169. vinctor_core-0.2.0/src/vinctor_service/v1_http.py +367 -0
  170. vinctor_core-0.2.0/tests/test_access_log.py +145 -0
  171. vinctor_core-0.2.0/tests/test_agent_enforcement_settings_repository.py +70 -0
  172. vinctor_core-0.2.0/tests/test_audit.py +344 -0
  173. vinctor_core-0.2.0/tests/test_audit_list_filtered.py +341 -0
  174. vinctor_core-0.2.0/tests/test_auto_approval.py +364 -0
  175. vinctor_core-0.2.0/tests/test_auto_approval_http.py +117 -0
  176. vinctor_core-0.2.0/tests/test_boundary_http_contract.py +269 -0
  177. vinctor_core-0.2.0/tests/test_boundary_registry.py +319 -0
  178. vinctor_core-0.2.0/tests/test_claude_code_design_partner_e2e.py +126 -0
  179. vinctor_core-0.2.0/tests/test_cli.py +1636 -0
  180. vinctor_core-0.2.0/tests/test_delegated_enforce_contract.py +561 -0
  181. vinctor_core-0.2.0/tests/test_delegated_enforce_http_contract.py +191 -0
  182. vinctor_core-0.2.0/tests/test_durable_pop_cache.py +202 -0
  183. vinctor_core-0.2.0/tests/test_enforce.py +402 -0
  184. vinctor_core-0.2.0/tests/test_grant_lifecycle.py +391 -0
  185. vinctor_core-0.2.0/tests/test_grant_repositories.py +80 -0
  186. vinctor_core-0.2.0/tests/test_grant_request_http_status.py +181 -0
  187. vinctor_core-0.2.0/tests/test_grant_request_lifecycle.py +206 -0
  188. vinctor_core-0.2.0/tests/test_in_memory_v1_service.py +146 -0
  189. vinctor_core-0.2.0/tests/test_infer.py +109 -0
  190. vinctor_core-0.2.0/tests/test_key_ops.py +93 -0
  191. vinctor_core-0.2.0/tests/test_keys.py +255 -0
  192. vinctor_core-0.2.0/tests/test_local_admin.py +189 -0
  193. vinctor_core-0.2.0/tests/test_local_http.py +1384 -0
  194. vinctor_core-0.2.0/tests/test_local_launcher.py +276 -0
  195. vinctor_core-0.2.0/tests/test_mcp_server.py +240 -0
  196. vinctor_core-0.2.0/tests/test_mcp_server_cli.py +62 -0
  197. vinctor_core-0.2.0/tests/test_mcp_service_client.py +464 -0
  198. vinctor_core-0.2.0/tests/test_mcp_stdio_integration.py +363 -0
  199. vinctor_core-0.2.0/tests/test_mcp_tools.py +1158 -0
  200. vinctor_core-0.2.0/tests/test_metrics.py +28 -0
  201. vinctor_core-0.2.0/tests/test_mock_vinctor_service.py +231 -0
  202. vinctor_core-0.2.0/tests/test_per_action_token.py +183 -0
  203. vinctor_core-0.2.0/tests/test_policy.py +149 -0
  204. vinctor_core-0.2.0/tests/test_policy_infer.py +139 -0
  205. vinctor_core-0.2.0/tests/test_pop.py +370 -0
  206. vinctor_core-0.2.0/tests/test_preview_deployment.py +152 -0
  207. vinctor_core-0.2.0/tests/test_ratelimit.py +96 -0
  208. vinctor_core-0.2.0/tests/test_require_boundary.py +189 -0
  209. vinctor_core-0.2.0/tests/test_require_subject_token.py +251 -0
  210. vinctor_core-0.2.0/tests/test_scope.py +138 -0
  211. vinctor_core-0.2.0/tests/test_serialization.py +95 -0
  212. vinctor_core-0.2.0/tests/test_service_authorize.py +132 -0
  213. vinctor_core-0.2.0/tests/test_service_config.py +87 -0
  214. vinctor_core-0.2.0/tests/test_service_runtime.py +285 -0
  215. vinctor_core-0.2.0/tests/test_sqlite_boundary_registry.py +255 -0
  216. vinctor_core-0.2.0/tests/test_sqlite_grant_audit.py +251 -0
  217. vinctor_core-0.2.0/tests/test_sqlite_v1_service.py +396 -0
  218. vinctor_core-0.2.0/tests/test_storage_ops.py +206 -0
  219. vinctor_core-0.2.0/tests/test_subject_token_mint.py +111 -0
  220. vinctor_core-0.2.0/tests/test_subject_token_repository.py +156 -0
  221. vinctor_core-0.2.0/tests/test_subject_token_revoke.py +68 -0
  222. vinctor_core-0.2.0/tests/test_v1_compatibility.py +46 -0
  223. vinctor_core-0.2.0/tests/test_v1_enforce_contract.py +344 -0
  224. vinctor_core-0.2.0/tests/test_v1_http_contract.py +190 -0
  225. vinctor_core-0.2.0/tests/test_v1_tokens_http_contract.py +134 -0
  226. vinctor_core-0.2.0/tools/mock_vinctor_service.py +384 -0
@@ -0,0 +1,12 @@
1
+ .git
2
+ .venv
3
+ .pytest_cache
4
+ .ruff_cache
5
+ __pycache__
6
+ *.py[cod]
7
+ *.egg-info
8
+ dist
9
+ build
10
+ .vinctor
11
+ .vinctor.env
12
+ .vinctor-*.env
@@ -0,0 +1,21 @@
1
+ ---
2
+ name: Bug report
3
+ about: Something doesn't behave as documented
4
+ labels: bug
5
+ ---
6
+
7
+ **What happened**
8
+
9
+ **What you expected**
10
+
11
+ **Repro steps**
12
+
13
+ 1.
14
+
15
+ **Environment**
16
+
17
+ - vinctor-core version / commit:
18
+ - Python version:
19
+ - OS:
20
+
21
+ **Logs / output** (redact any secrets)
@@ -0,0 +1,11 @@
1
+ ---
2
+ name: Feature request
3
+ about: Suggest an improvement to the authorization core or service layer
4
+ labels: enhancement
5
+ ---
6
+
7
+ **Problem / use case**
8
+
9
+ **Proposed behavior**
10
+
11
+ **Alternatives considered**
@@ -0,0 +1,19 @@
1
+ ## Summary
2
+
3
+ <!-- What does this change, and why? -->
4
+
5
+ ## Testing
6
+
7
+ ```
8
+ make test
9
+ make lint
10
+ make demo
11
+ ```
12
+
13
+ ## Checklist
14
+
15
+ - [ ] Tests added/updated and green (`make test` + `make lint` + the demo scripts)
16
+ - [ ] Fail-closed preserved (no deny/error became a permit)
17
+ - [ ] No secrets, raw keys, or grant existence leaked in deny reasons or audit
18
+ - [ ] Schema changes additive + every schema-version assertion bumped (if applicable)
19
+ - [ ] Docs / ADR updated if behavior or the contract changed
@@ -0,0 +1,65 @@
1
+ name: CI
2
+
3
+ on:
4
+ push:
5
+ branches: ["main"]
6
+ pull_request:
7
+
8
+ jobs:
9
+ test:
10
+ name: Python 3.11
11
+ runs-on: ubuntu-latest
12
+
13
+ steps:
14
+ - name: Check out repository
15
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
16
+
17
+ - name: Set up Python
18
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
19
+ with:
20
+ python-version: "3.11"
21
+
22
+ - name: Install package
23
+ run: python -m pip install -e ".[dev]"
24
+
25
+ - name: Run tests
26
+ run: python -m pytest -q
27
+
28
+ - name: Run E2E demo
29
+ run: python demo/boundary_registry_core_e2e.py
30
+
31
+ - name: Run in-memory service demo
32
+ run: python demo/in_memory_v1_service_demo.py
33
+
34
+ - name: Run SQLite grant/audit demo
35
+ run: python demo/sqlite_grant_audit_demo.py
36
+
37
+ - name: Run SQLite boundary registry demo
38
+ run: python demo/sqlite_boundary_registry_demo.py
39
+
40
+ - name: Run SQLite V1 service demo
41
+ run: python demo/sqlite_v1_service_demo.py
42
+
43
+ - name: Run V1 HTTP contract demo
44
+ run: python demo/v1_http_contract_demo.py
45
+
46
+ - name: Run local V1 HTTP service demo
47
+ run: python demo/local_v1_http_service_demo.py
48
+
49
+ - name: Run boundary admin HTTP demo
50
+ run: python demo/boundary_admin_http_demo.py
51
+
52
+ - name: Run local service launch helper demo
53
+ run: python demo/local_service_launch_helper_demo.py
54
+
55
+ - name: Run local service bootstrap demo
56
+ run: python demo/local_service_bootstrap_demo.py
57
+
58
+ - name: Run Ruff
59
+ run: ruff check .
60
+
61
+ - name: Build package
62
+ run: python -m build
63
+
64
+ - name: Check whitespace
65
+ run: git diff --check
@@ -0,0 +1,107 @@
1
+ name: Release
2
+
3
+ # Cut a release by pushing a version tag, e.g. `git tag v0.1.0 && git push --tags`.
4
+ # Out of the box (using the automatic GITHUB_TOKEN) this:
5
+ # - builds the sdist + wheel and attaches them to the GitHub Release,
6
+ # - builds and pushes the Docker image to GHCR (ghcr.io/<owner>/vinctor-core).
7
+ # Publishing to PyPI is OPT-IN: set the repository variable PUBLISH_PYPI=true and
8
+ # configure PyPI Trusted Publishing for this repo (or add a PYPI_API_TOKEN secret
9
+ # and pass it to the publish step). See docs/deployment/self-hosting.md.
10
+
11
+ on:
12
+ push:
13
+ tags: ["v*"]
14
+ workflow_dispatch:
15
+
16
+ permissions:
17
+ contents: write
18
+ packages: write
19
+
20
+ jobs:
21
+ build:
22
+ name: Build distributions
23
+ runs-on: ubuntu-latest
24
+ steps:
25
+ - name: Check out repository
26
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
27
+
28
+ - name: Set up Python
29
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
30
+ with:
31
+ python-version: "3.11"
32
+
33
+ - name: Build sdist + wheel
34
+ run: |
35
+ python -m pip install --upgrade build
36
+ python -m build
37
+
38
+ - name: Upload dist artifacts
39
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
40
+ with:
41
+ name: dist
42
+ path: dist/
43
+
44
+ - name: Attach to GitHub Release
45
+ if: startsWith(github.ref, 'refs/tags/')
46
+ uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
47
+ with:
48
+ files: dist/*
49
+
50
+ docker:
51
+ name: Build + push image (GHCR)
52
+ runs-on: ubuntu-latest
53
+ steps:
54
+ - name: Check out repository
55
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
56
+
57
+ - name: Log in to GHCR
58
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
59
+ with:
60
+ registry: ghcr.io
61
+ username: ${{ github.actor }}
62
+ password: ${{ secrets.GITHUB_TOKEN }}
63
+
64
+ - name: Image metadata
65
+ id: meta
66
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
67
+ with:
68
+ images: ghcr.io/${{ github.repository }}
69
+ tags: |
70
+ type=semver,pattern={{version}}
71
+ type=ref,event=tag
72
+ type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') }}
73
+
74
+ - name: Build and push
75
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
76
+ with:
77
+ context: .
78
+ # Push only for tag releases; workflow_dispatch is a build-only smoke check.
79
+ push: ${{ startsWith(github.ref, 'refs/tags/') }}
80
+ tags: ${{ steps.meta.outputs.tags }}
81
+ labels: ${{ steps.meta.outputs.labels }}
82
+ # Supply-chain attestations attached to the pushed image.
83
+ provenance: true
84
+ sbom: true
85
+
86
+ pypi:
87
+ name: Publish to PyPI (opt-in)
88
+ needs: build
89
+ runs-on: ubuntu-latest
90
+ # Opt-in: set repository variable PUBLISH_PYPI=true to enable.
91
+ if: ${{ vars.PUBLISH_PYPI == 'true' && startsWith(github.ref, 'refs/tags/') }}
92
+ environment: pypi
93
+ permissions:
94
+ id-token: write # PyPI Trusted Publishing (OIDC) — no stored token needed once configured
95
+ steps:
96
+ - name: Download dist artifacts
97
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
98
+ with:
99
+ name: dist
100
+ path: dist/
101
+
102
+ - name: Publish to PyPI
103
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
104
+ # Uses Trusted Publishing when configured on PyPI. To use a token instead,
105
+ # add a PYPI_API_TOKEN secret and uncomment:
106
+ # with:
107
+ # password: ${{ secrets.PYPI_API_TOKEN }}
@@ -0,0 +1,13 @@
1
+ .venv/
2
+ .pytest_cache/
3
+ .ruff_cache/
4
+ __pycache__/
5
+ *.py[cod]
6
+ *.egg-info/
7
+ dist/
8
+ build/
9
+ .DS_Store
10
+ .vinctor/
11
+ .vinctor-local.sqlite
12
+ .vinctor.env
13
+ .vinctor-*.env
@@ -0,0 +1,97 @@
1
+ # AGENTS.md
2
+
3
+ Guidance for AI coding agents working in this repository.
4
+
5
+ ## Project Shape
6
+
7
+ `vinctor-core` starts with the deterministic authorization core for mediated
8
+ AI-agent actions. It evaluates explicit authorization inputs and returns
9
+ deterministic decision/audit data.
10
+
11
+ Service-layer packages may live here as the implementation matures, but must
12
+ remain layered above the core. Keep core behavior small, deterministic, and
13
+ runtime-agnostic.
14
+
15
+ ## Hard Boundaries
16
+
17
+ Do not add runtime-specific code to `vinctor_core`.
18
+
19
+ Layering rule:
20
+
21
+ - `vinctor_core` must not import `vinctor_service`.
22
+ - `vinctor_service` may import `vinctor_core`.
23
+ - `vinctor_core` remains DB/HTTP/runtime-agnostic.
24
+ - `vinctor_service` owns HTTP APIs, auth headers, persistence, and
25
+ workspace/agent/grant/boundary/audit storage.
26
+
27
+ Do not implement:
28
+
29
+ - Claude Code, Codex, Hermes, LangGraph, or MCP hooks
30
+ - HTTP service endpoints unless a task explicitly asks for a service package
31
+ - durable database persistence unless a task explicitly asks for it
32
+ - prompt/content safety logic
33
+ - raw tool interception
34
+ - sandboxing or OS/process isolation
35
+ - provider integrations
36
+ - approval workflows
37
+ - hosted service behavior
38
+ - UI/dashboard behavior
39
+
40
+ Runtime adapters translate tool calls into action/resource pairs. Service
41
+ layers handle authentication and persistence. This core evaluates explicit
42
+ authorization inputs.
43
+
44
+ ## Sibling Runtime Repositories
45
+
46
+ Do not directly edit or push sibling hook/plugin repositories from this
47
+ repository's workstream. If Vinctor core work reveals a needed hook change,
48
+ document the request here or open an issue/PR for the sibling repo owner to
49
+ review.
50
+
51
+ ## Development Workflow
52
+
53
+ Use a small, test-first loop:
54
+
55
+ 1. Define the behavior with tests.
56
+ 2. Implement the minimum code needed to pass.
57
+ 3. Run the relevant tests.
58
+ 4. Simplify the diff.
59
+ 5. Update docs only when public behavior or agent workflow changes.
60
+
61
+ Prefer pure functions and small typed dataclasses. Avoid heavy class hierarchies
62
+ or speculative extension points.
63
+
64
+ ## Validation
65
+
66
+ Use:
67
+
68
+ ```bash
69
+ /opt/homebrew/bin/python3.11 -m venv .venv
70
+ .venv/bin/python -m pip install -e ".[dev]"
71
+ .venv/bin/python -m pytest -q
72
+ .venv/bin/python demo/boundary_registry_core_e2e.py
73
+ .venv/bin/ruff check .
74
+ .venv/bin/python -m build
75
+ git diff --check
76
+ ```
77
+
78
+ When using the local venv created for this repo:
79
+
80
+ ```bash
81
+ .venv/bin/python -m pytest -q
82
+ .venv/bin/python demo/boundary_registry_core_e2e.py
83
+ .venv/bin/ruff check .
84
+ .venv/bin/python -m build
85
+ git diff --check
86
+ ```
87
+
88
+ ## Documentation
89
+
90
+ Keep docs small and current.
91
+
92
+ - `README.md` explains the public package boundary.
93
+ - `docs/next-actions.md` tracks current work and the next useful tasks.
94
+ - `docs/decisions/` records durable decisions only when needed.
95
+
96
+ Do not create architecture-only documents as a substitute for implemented,
97
+ tested behavior.
@@ -0,0 +1,23 @@
1
+ # Code of Conduct
2
+
3
+ We are committed to a friendly, safe, and welcoming environment for everyone.
4
+
5
+ We pledge to make participation a harassment-free experience regardless of age,
6
+ body size, disability, ethnicity, gender identity and expression, level of
7
+ experience, nationality, personal appearance, race, religion, or sexual identity
8
+ and orientation.
9
+
10
+ Examples of unacceptable behavior include harassment, insulting or derogatory
11
+ comments, public or private harassment, and publishing others' private information
12
+ without permission.
13
+
14
+ This Code of Conduct adapts the
15
+ [Contributor Covenant](https://www.contributor-covenant.org/version/2/1/code_of_conduct/),
16
+ version 2.1.
17
+
18
+ ## Enforcement
19
+
20
+ Report unacceptable behavior privately to the maintainers via the repository's
21
+ *Security* tab -> *Advisories* -> [Report a vulnerability](../../security/advisories/new),
22
+ which routes privately to the maintainers. All complaints will be reviewed and
23
+ investigated promptly and fairly.
@@ -0,0 +1,52 @@
1
+ # Contributing
2
+
3
+ `vinctor-core` is the deterministic authorization core for mediated AI-agent
4
+ actions, plus a thin `vinctor_service` application layer above it. Contributions
5
+ are welcome — the goal is to keep the core small, explicit, and reviewable.
6
+
7
+ ## Dev setup
8
+
9
+ Python >= 3.11. Editable install with dev tools:
10
+
11
+ ```bash
12
+ python3.11 -m venv .venv
13
+ .venv/bin/python -m pip install -e ".[dev]"
14
+ ```
15
+
16
+ ## Quality gates
17
+
18
+ Before committing (CI runs the same on every PR):
19
+
20
+ ```bash
21
+ make test # python -m pytest -q
22
+ make lint # python -m ruff check .
23
+ make demo # the demo scripts, which CI also executes
24
+ ```
25
+
26
+ PRs must be green on the full suite, `ruff check`, and the demo scripts.
27
+
28
+ ## Conventions
29
+
30
+ - **stdlib + PyYAML only.** No new runtime dependencies without discussion — the
31
+ dependency surface is deliberately tiny. Lint is `ruff check` only (not `ruff format`).
32
+ - **Test-first.** New behavior or a bug fix lands with a test that fails before the
33
+ change and passes after.
34
+ - **Fail closed.** No change may turn a deny — or an error — into a permit. This is
35
+ the core invariant, and tests pin it.
36
+ - **No disclosure in deny reasons or audit.** Deny reasons and audit events must not
37
+ leak secrets, raw keys, or even grant existence (an unknown grant and a foreign
38
+ grant return the same generic 403). Resources are hierarchical path-prefixes, so
39
+ `.` / `..` traversal segments are rejected. Don't interpolate caller input into
40
+ reasons — the no-disclosure tests enforce this.
41
+ - **Schema changes are additive and versioned** (`schema_migrations`); bump every
42
+ schema-version assertion across the tests when you add a version.
43
+ - **Surgical diffs.** Match the surrounding style; don't refactor unrelated code.
44
+
45
+ ## Branch / PR model
46
+
47
+ `main` is human-merged only — work on a feature branch and open a PR. Architecture
48
+ and design decisions live in `docs/decisions/` (ADRs) and elsewhere under `docs/`.
49
+
50
+ ## Security
51
+
52
+ Found a vulnerability? See [SECURITY.md](SECURITY.md) — please don't use public issues.
@@ -0,0 +1,31 @@
1
+ # TODO: pin by digest (FROM python:3.11-slim@sha256:<digest> # 3.11-slim) once
2
+ # a digest can be resolved in CI (e.g. `docker buildx imagetools inspect`).
3
+ FROM python:3.11-slim
4
+
5
+ WORKDIR /app
6
+
7
+ COPY pyproject.toml README.md ./
8
+ COPY src ./src
9
+
10
+ RUN python -m pip install --no-cache-dir .
11
+
12
+ # Run as an unprivileged system user; own the data directory it writes to.
13
+ RUN useradd --system --uid 10001 vinctor \
14
+ && mkdir -p /data \
15
+ && chown vinctor:vinctor /data
16
+
17
+ ENV VINCTOR_HOST=0.0.0.0
18
+ ENV VINCTOR_PORT=8765
19
+ ENV VINCTOR_DB=/data/vinctor.sqlite
20
+ ENV VINCTOR_SERVICE_MODE=self_hosted
21
+ ENV VINCTOR_LOG_LEVEL=info
22
+
23
+ EXPOSE 8765
24
+
25
+ # Probe the service health endpoint with the stdlib (no curl in python-slim).
26
+ HEALTHCHECK --interval=30s --timeout=3s --start-period=5s CMD \
27
+ python -c "import urllib.request,os;urllib.request.urlopen('http://127.0.0.1:'+os.environ.get('VINCTOR_PORT','8765')+'/healthz').read()"
28
+
29
+ USER vinctor
30
+
31
+ CMD ["vinctor", "service", "serve"]
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 Vinctor contributors
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
@@ -0,0 +1,26 @@
1
+ PYTHON ?= .venv/bin/python
2
+ VINCTOR ?= .venv/bin/vinctor
3
+
4
+ .PHONY: install-dev test lint demo demo-self-host demo-mock build
5
+
6
+ install-dev:
7
+ $(PYTHON) -m pip install -e ".[dev]"
8
+
9
+ test:
10
+ $(PYTHON) -m pytest -q
11
+
12
+ lint:
13
+ $(VINCTOR) --help >/dev/null
14
+ $(PYTHON) -m ruff check .
15
+
16
+ demo:
17
+ $(VINCTOR) demo service
18
+
19
+ demo-self-host:
20
+ $(PYTHON) demo/self_hostable_service_demo.py
21
+
22
+ demo-mock:
23
+ $(PYTHON) demo/mock_vinctor_service_demo.py
24
+
25
+ build:
26
+ $(PYTHON) -m build
@@ -0,0 +1,10 @@
1
+ # Open Issues — vinctor-core
2
+ Living tracker so already-fixed items are not re-worked. Code is the source of truth for "resolved" — re-verify before re-routing.
3
+
4
+ ## Open
5
+ - (none currently tracked — add as discovered)
6
+
7
+ ## Recently resolved — do NOT re-route
8
+ - F1 (2026-06-18): design-partner E2E setup helper now writes the hook config and exports VINCTOR_CLAUDE_CODE_HOOK_CONFIG (demo/claude_code_design_partner_e2e_setup.py).
9
+ - F6 (2026-06-18): vinctor_mcp_server/server.py has a __main__ guard — `python -m vinctor_mcp_server.server` serves over stdio.
10
+ - local-start UX (this PR): EADDRINUSE on a busy port exits with a friendly CliError instead of a raw traceback; restart hint emits `vinctor local start …`; corrected the "fixed test clock" note (frozen clock is pytest-only).