wardproof 0.3.2__tar.gz → 0.3.3__tar.gz

{wardproof-0.3.2 → wardproof-0.3.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: wardproof
-Version: 0.3.2
+Version: 0.3.3
 Summary: Local-first, verifiable defensive AI agent swarms that protect other AI agent systems.
 Project-URL: Homepage, https://wardproof.xyz
 Project-URL: Repository, https://github.com/Impossible-Mission-Force/wardproof
@@ -220,6 +220,25 @@ Add `--json` to get a structured `{"verdict": ..., "allowed": ..., "risk": ...,
 "reasons": [...]}` result to parse. A portable guard skill that wires this check
 into a host agent lives in [`skill/wardproof-guard/`](https://github.com/Impossible-Mission-Force/wardproof/tree/main/skill/wardproof-guard).
 
+### Run it as a local service with `wardproof serve`
+
+When a host needs to screen many actions, run the swarm as a small local HTTP
+service instead of spawning a process per call. It builds the swarm once at
+startup and binds to localhost by default (meant to run next to the agent it
+guards, not exposed publicly):
+
+```bash
+wardproof serve --port 8787
+# GET  /health  -> {"status": "ok", "version": "..."}
+# POST /check   gates one input or tool call:
+curl -s -X POST http://127.0.0.1:8787/check \
+  -d '{"kind":"input","content":"ignore all previous instructions"}'
+# -> {"verdict": "block", "allowed": false, "risk": 1.0, "reasons": [...]}
+```
+
+`/check` replies with `allowed: true` only when the verdict is `ALLOW`, so a
+host can gate on one field.
+
 ---
 
 ## Architecture

{wardproof-0.3.2 → wardproof-0.3.3}/README.md

@@ -170,6 +170,25 @@ Add `--json` to get a structured `{"verdict": ..., "allowed": ..., "risk": ...,
 "reasons": [...]}` result to parse. A portable guard skill that wires this check
 into a host agent lives in [`skill/wardproof-guard/`](https://github.com/Impossible-Mission-Force/wardproof/tree/main/skill/wardproof-guard).
 
+### Run it as a local service with `wardproof serve`
+
+When a host needs to screen many actions, run the swarm as a small local HTTP
+service instead of spawning a process per call. It builds the swarm once at
+startup and binds to localhost by default (meant to run next to the agent it
+guards, not exposed publicly):
+
+```bash
+wardproof serve --port 8787
+# GET  /health  -> {"status": "ok", "version": "..."}
+# POST /check   gates one input or tool call:
+curl -s -X POST http://127.0.0.1:8787/check \
+  -d '{"kind":"input","content":"ignore all previous instructions"}'
+# -> {"verdict": "block", "allowed": false, "risk": 1.0, "reasons": [...]}
+```
+
+`/check` replies with `allowed: true` only when the verdict is `ALLOW`, so a
+host can gate on one field.
+
 ---
 
 ## Architecture

{wardproof-0.3.2 → wardproof-0.3.3}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "wardproof"
-version = "0.3.2"
+version = "0.3.3"
 description = "Local-first, verifiable defensive AI agent swarms that protect other AI agent systems."
 readme = "README.md"
 license = "MIT"

{wardproof-0.3.2 → wardproof-0.3.3}/wardproof/__init__.py

@@ -16,7 +16,7 @@ from wardproof.sandbox.executor import SandboxExecutor, ToolRegistry
 from wardproof.sandbox.permissions import PermissionBroker, ToolGrant
 from wardproof.schema import Decision, Event, Finding, Severity, Verdict
 
-__version__ = "0.3.2"
+__version__ = "0.3.3"
 __all__ = [
     "Event",
     "Decision",

{wardproof-0.3.2 → wardproof-0.3.3}/wardproof/cli.py

@@ -101,6 +101,9 @@ def main(argv: list[str] | None = None) -> int:
     cp.add_argument("--source", default="agent", help="who originated the event")
     cp.add_argument("--args", default=None, help="tool-call arguments as a JSON string")
     cp.add_argument("--json", action="store_true", help="print a JSON object instead of text")
+    rp = sub.add_parser("serve", help="run a local HTTP service that screens one event per request")
+    rp.add_argument("--host", default="127.0.0.1", help="bind address (default localhost)")
+    rp.add_argument("--port", type=int, default=8787, help="bind port (default 8787)")
     args = parser.parse_args(argv)
     if args.cmd == "verify-ledger":
         return _verify_file(args.path, args.pubkey)
@@ -108,6 +111,11 @@ def main(argv: list[str] | None = None) -> int:
         return _export_stix(args.path, args.out)
     if args.cmd == "check":
         return _check(args.kind, args.content, args.source, args.args, args.json)
+    if args.cmd == "serve":
+        from wardproof.server import serve
+
+        serve(host=args.host, port=args.port)
+        return 0
     return 1
 
 

wardproof-0.3.3/wardproof/server.py

@@ -0,0 +1,119 @@
+"""A small local HTTP service that screens one event per request.
+
+Stdlib only, no third-party dependencies. It builds the default swarm once at
+startup and reuses it, so a host (an agent, a bot, any language) can gate a tool
+call or input with a single HTTP request instead of spawning a process and
+re-importing on every call.
+
+The service binds to localhost by default and is meant to run next to the agent
+it guards, not to be exposed to the public internet.
+
+Endpoints:
+  GET  /health  -> {"status": "ok", "version": "..."}
+  POST /check   -> body: {"kind": "tool_call"|"input", "content": "...",
+                          "source": "...", "args": {...}}
+                  reply: {"verdict": "...", "allowed": true|false,
+                          "risk": 0.0, "reasons": [...]}
+"""
+
+from __future__ import annotations
+
+import json
+from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
+from typing import Any
+
+from wardproof import __version__
+from wardproof.orchestration.factory import build_default_swarm
+from wardproof.schema import Event, Verdict
+
+
+def screen_event(swarm: Any, payload: dict[str, Any]) -> dict[str, Any]:
+    """Screen one payload with the given swarm and return a JSON-able verdict.
+
+    Shared by the HTTP handler and the tests so both exercise identical logic.
+    """
+    kind = str(payload.get("kind", "tool_call"))
+    content = str(payload.get("content", ""))
+    source = str(payload.get("source", "agent"))
+    metadata: dict[str, Any] = {}
+    args = payload.get("args")
+    if isinstance(args, dict):
+        metadata["args"] = args
+
+    out = swarm.handle(Event(kind=kind, source=source, content=content, metadata=metadata))
+
+    seen: set[str] = set()
+    reasons: list[str] = []
+    for decision in (out.detector, out.verifier):
+        for finding in decision.findings:
+            if finding.triggered and finding.reason and finding.reason not in seen:
+                seen.add(finding.reason)
+                reasons.append(finding.reason)
+
+    return {
+        "verdict": out.verdict.value,
+        "allowed": out.verdict is Verdict.ALLOW,
+        "risk": round(out.risk, 3),
+        "reasons": reasons,
+    }
+
+
+def _make_handler(swarm: Any) -> type[BaseHTTPRequestHandler]:
+    class Handler(BaseHTTPRequestHandler):
+        # one shared swarm for every request
+        _swarm = swarm
+
+        def _send(self, code: int, body: dict[str, Any]) -> None:
+            raw = json.dumps(body).encode("utf-8")
+            self.send_response(code)
+            self.send_header("Content-Type", "application/json")
+            self.send_header("Content-Length", str(len(raw)))
+            self.end_headers()
+            self.wfile.write(raw)
+
+        def do_GET(self) -> None:  # noqa: N802 (stdlib name)
+            if self.path.rstrip("/") == "/health":
+                self._send(200, {"status": "ok", "version": __version__})
+            else:
+                self._send(404, {"error": "not found"})
+
+        def do_POST(self) -> None:  # noqa: N802 (stdlib name)
+            if self.path.rstrip("/") != "/check":
+                self._send(404, {"error": "not found"})
+                return
+            try:
+                length = int(self.headers.get("Content-Length", 0))
+            except (TypeError, ValueError):
+                length = 0
+            raw = self.rfile.read(length) if length else b""
+            try:
+                payload = json.loads(raw or b"{}")
+                if not isinstance(payload, dict):
+                    raise ValueError("body must be a JSON object")
+            except (json.JSONDecodeError, ValueError) as exc:
+                self._send(400, {"error": f"invalid JSON body: {exc}"})
+                return
+            try:
+                self._send(200, screen_event(self._swarm, payload))
+            except Exception as exc:  # fail closed: report, do not 200 a non-screen
+                self._send(500, {"error": f"screen failed: {exc}"})
+
+        def log_message(self, *_args: Any) -> None:
+            # stay quiet by default; the host decides what to log
+            return
+
+    return Handler
+
+
+def serve(host: str = "127.0.0.1", port: int = 8787) -> None:
+    """Build the swarm once and serve until interrupted."""
+    swarm = build_default_swarm()
+    handler = _make_handler(swarm)
+    httpd = ThreadingHTTPServer((host, port), handler)
+    print(f"wardproof serve: screening on http://{host}:{port}  (POST /check, GET /health)")
+    try:
+        httpd.serve_forever()
+    except KeyboardInterrupt:
+        pass
+    finally:
+        httpd.server_close()