Metadata-Version: 2.4
Name: tibet-db
Version: 0.1.1
Summary: Immutable Database Proxy — turns any database into a cryptographically verifiable ledger with TIBET provenance
Project-URL: Homepage, https://humotica.com
Project-URL: Repository, https://github.com/jaspertvdm/tibet-db
Project-URL: Documentation, https://humotica.com/docs/tibet-db
Project-URL: Bug Tracker, https://github.com/jaspertvdm/tibet-db/issues
Project-URL: TIBET Protocol, https://pypi.org/project/tibet-core/
Project-URL: IETF TIBET Draft, https://datatracker.ietf.org/doc/draft-vandemeent-tibet-provenance/
Author-email: "J. van de Meent" <jasper@humotica.com>, "R. AI" <root_idd@humotica.nl>
Maintainer-email: Humotica AI Lab <ai@humotica.nl>
License: MIT
License-File: LICENSE
Keywords: audit,compliance,database,forensics,immutable,proxy,tibet
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Database
Classifier: Topic :: Security
Requires-Python: >=3.10
Requires-Dist: jis-core>=0.4.0b1
Requires-Dist: tibet-core>=0.2.0
Provides-Extra: dev
Requires-Dist: pytest>=7.0; extra == 'dev'
Requires-Dist: ruff>=0.1.0; extra == 'dev'
Provides-Extra: full
Requires-Dist: psycopg2-binary>=2.9.0; extra == 'full'
Requires-Dist: pymysql>=1.1.0; extra == 'full'
Requires-Dist: rich>=13.0.0; extra == 'full'
Provides-Extra: mysql
Requires-Dist: pymysql>=1.1.0; extra == 'mysql'
Provides-Extra: postgres
Requires-Dist: psycopg2-binary>=2.9.0; extra == 'postgres'
Description-Content-Type: text/markdown

# tibet-db — Immutable Database Proxy

> Every query gets a TIBET token. No exceptions.
>
> No blockchain nonsense, just crypto + provenance.

**tibet-db** is a proxy that sits between your application and your database. Every SQL/NoSQL query is intercepted and receives a cryptographically verifiable [TIBET](https://pypi.org/project/tibet-core/) provenance token. This turns any legacy database into an immutable, auditable ledger — without changing a single line of application code.

## Architecture

```
[App] --SQL--> [tibet-db proxy] --SQL--> [PostgreSQL/MongoDB]
                    |
               TIBET token
               ├── ERIN:      the query itself, query type, affected tables
               ├── ERAAN:     caller JIS identity, connection info
               ├── EROMHEEN:  timestamp, proxy node, database target
               └── ERACHTER:  intent/context provided by caller
```

Every query — SELECT, INSERT, UPDATE, DELETE, DDL — gets a token. Dangerous queries (DROP TABLE, DELETE without WHERE) are blocked or flagged by policy.

## Use Cases

- **Forensics after a hack** — "Show me every query from this IP in the last 72 hours"
- **Compliance audit** — Prove who changed what, when, and why
- **Mutation tracking** — Full history of every write operation with provenance
- **Policy enforcement** — Block DROP TABLE in production, alert on DELETE without WHERE

## Install

```bash
pip install tibet-db
```

## Quick Start

```python
from tibet_db import QueryProxy, QueryPolicy

proxy = QueryProxy(database_target="postgresql://localhost/mydb")

# Intercept a query
record = proxy.intercept(
    query="SELECT * FROM users WHERE id = 42",
    caller_id="jis:backend-api:v2.1",
    context={"endpoint": "/api/users/42", "method": "GET"},
)
print(record.allowed)         # True
print(record.query_type)      # "SELECT"
print(record.tibet_token_id)  # "a3f8c1e2..."

# Block dangerous queries by default
record = proxy.intercept(
    query="DROP TABLE users",
    caller_id="jis:dev-intern:session-7",
)
print(record.allowed)  # False — blocked by default policy

# Search query history
records = proxy.query_log(caller_id="jis:dev-intern:session-7")

# Forensics mode
suspicious = proxy.forensics(query_pattern="DROP|TRUNCATE|DELETE.*users")
```

## Default Policies

tibet-db ships with three default policies:

| Policy | Targets | Action | Description |
|--------|---------|--------|-------------|
| `block-drop-table` | DDL | BLOCK | Blocks DROP TABLE / DROP DATABASE |
| `alert-delete-no-where` | DELETE | ALERT | Flags DELETE without WHERE clause |
| `alert-privilege-change` | DDL | ALERT | Flags GRANT / REVOKE statements |

Add custom policies:

```python
from tibet_db import QueryPolicy

# `proxy` is the QueryProxy instance created in Quick Start
proxy.add_policy(QueryPolicy(
    name="block-production-truncate",
    query_types=["DDL"],
    pattern=r"TRUNCATE\s+",
    action="BLOCK",
    description="No truncation in production",
))
```
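How a policy of this shape can be evaluated, as an added example that is not tibet-db's own code: the query is normalized before matching so that case, line breaks and SQL comments do not change the outcome. The `Rule` class, the regex patterns and the helper functions are assumptions written for illustration; only the policy names and actions come from the table above.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:  # hypothetical stand-in mirroring the QueryPolicy fields shown above
    name: str
    query_types: tuple
    pattern: str
    action: str  # "BLOCK" or "ALERT"

# Patterns are assumptions for this example, keyed by the page's policy names.
RULES = [
    Rule("block-drop-table", ("DDL",), r"^DROP (TABLE|DATABASE)\b", "BLOCK"),
    Rule("alert-delete-no-where", ("DELETE",), r"^DELETE\b(?!.*\bWHERE\b)", "ALERT"),
    Rule("alert-privilege-change", ("DDL",), r"^(GRANT|REVOKE)\b", "ALERT"),
    Rule("block-production-truncate", ("DDL",), r"^TRUNCATE\s+", "BLOCK"),
]
# GRANT/REVOKE are grouped under DDL because the policy table targets them as DDL.
DDL_VERBS = {"CREATE", "ALTER", "DROP", "TRUNCATE", "GRANT", "REVOKE"}

def normalize(sql: str) -> str:
    """Matching form only (the original query is what gets forwarded).
    Regex stripping does not understand string literals; a production
    proxy would use a real SQL tokenizer here."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)  # block comments
    sql = re.sub(r"--[^\n]*", " ", sql)               # line comments
    return re.sub(r"\s+", " ", sql).strip().upper()

def classify(norm: str) -> str:
    verb = norm.split(" ", 1)[0] if norm else ""
    return "DDL" if verb in DDL_VERBS else verb

def evaluate(sql: str):
    """Return (action, rule_name). BLOCK outranks ALERT; default is ALLOW."""
    norm = normalize(sql)
    qtype = classify(norm)
    hits = [r for r in RULES
            if qtype in r.query_types and re.search(r.pattern, norm)]
    for action in ("BLOCK", "ALERT"):
        for rule in hits:
            if rule.action == action:
                return action, rule.name
    return "ALLOW", None

if __name__ == "__main__":
    for q in ("DROP TABLE users", "delete from users",
              "DELETE FROM users WHERE id = 42",
              "truncate\n  /* nightly */ table audit_log"):
        print(evaluate(q), "<-", repr(q))
```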

## CLI

```bash
tibet-db info          # Concept overview and architecture
tibet-db demo          # Interactive demo: queries, tokens, blocked DROP TABLE
tibet-db policies      # Show default security policies
tibet-db forensics     # Demo forensics mode (simulate post-hack investigation)
```

## Why Not Just Database Logs?

Database logs tell you **what happened**. tibet-db tells you:

1. **Who** — JIS-verified caller identity, not just a connection string
2. **What** — The exact query, classified by type, with affected tables
3. **When** — Cryptographically timestamped, not filesystem time
4. **Why** — Application context: which endpoint, which user action, which intent

All four, chained together in a tamper-evident TIBET token.
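What "chained together" and "tamper-evident" mean in practice, as an added example that is not the TIBET token format or tibet-db's code: a plain SHA-256 hash chain over the four fields named in the architecture diagram. The record layout, function names and sample values are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record

def seal(prev_hash, erin, eraan, eromheen, erachter):
    """Bind the four fields to the previous record's hash."""
    body = {"erin": erin, "eraan": eraan, "eromheen": eromheen,
            "erachter": erachter, "prev": prev_hash}
    # Canonical JSON so the same content always hashes to the same value.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {**body, "hash": hashlib.sha256(canonical).hexdigest()}

def append(chain, **fields):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append(seal(prev, **fields))
    return chain[-1]

def verify(chain):
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = seal(prev, rec["erin"], rec["eraan"],
                        rec["eromheen"], rec["erachter"])
        if rec["prev"] != prev or rec["hash"] != expected["hash"]:
            return i
        prev = rec["hash"]
    return -1

def build_sample():
    """Two constructed records reusing the Quick Start queries."""
    chain = []
    append(chain,
           erin={"query": "SELECT * FROM users WHERE id = 42", "type": "SELECT"},
           eraan={"caller": "jis:backend-api:v2.1"},
           eromheen={"ts": "2026-01-01T00:00:00Z", "target": "postgresql://localhost/mydb"},
           erachter={"endpoint": "/api/users/42", "method": "GET"})
    append(chain,
           erin={"query": "DROP TABLE users", "type": "DDL"},
           eraan={"caller": "jis:dev-intern:session-7"},
           eromheen={"ts": "2026-01-01T00:00:05Z", "target": "postgresql://localhost/mydb"},
           erachter={})
    return chain

if __name__ == "__main__":
    log = build_sample()
    print("intact:", verify(log))                      # -1
    log[0]["eraan"]["caller"] = "jis:someone-else"     # edit "who" after the fact
    print("first bad record:", verify(log))            # 0
```

A bare hash chain only detects edits if the latest hash is stored or signed somewhere the database administrator cannot rewrite; otherwise the whole chain can be recomputed after a change.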

## License

MIT — Humotica AI Lab 2025-2026


## Credits

Designed by [Jasper van de Meent](https://github.com/jaspertvdm). Built by Jasper and [Root AI](https://humotica.com) as part of [HumoticaOS](https://humotica.com).

---

**Stack position:** Group `evidence` · Bootstrap = OSAPI handshake to [`tibet`](https://pypi.org/project/tibet-core/) + [`jis`](https://pypi.org/project/jis-core/) (fail → snaft-rule + tibet-pol-rapport) · ← [`tibet-core`](https://pypi.org/project/tibet-core/) · [`tibet-cbom`](https://pypi.org/project/tibet-cbom/) → · See `STACK.md` · See `demo/golden-path/` for the spine end-to-end.

---

## Enterprise

For private hub hosting, SLA support, custom integrations, or compliance guidance:

| | |
|---|---|
| **Enterprise** | enterprise@humotica.com |
| **Support** | support@humotica.com |
| **Security** | security@humotica.com |

See [ENTERPRISE.md](ENTERPRISE.md) for details.
