Metadata-Version: 2.4
Name: tappass
Version: 0.10.1
Summary: TapPass SDK — Zero Trust AI Agent Platform. Cryptographic capability tokens, governance pipeline, agent trust scoring.
Project-URL: Homepage, https://tappass.ai
Project-URL: Documentation, https://docs.tappass.ai
Project-URL: Repository, https://github.com/tappass/tappass-sdk
Project-URL: Changelog, https://github.com/tappass/tappass-sdk/blob/main/CHANGELOG.md
Project-URL: Issues, https://github.com/tappass/tappass-sdk/issues
Author-email: Jens Bontinck <jens@tappass.ai>
License: Apache-2.0
License-File: LICENSE
Keywords: ai-agents,audit,capability-tokens,crewai,eu-ai-act,gdpr,governance,langchain,llm,openai,pii-detection,prompt-injection,security
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Typing :: Typed
Requires-Python: >=3.11
Requires-Dist: cryptography>=41.0
Requires-Dist: httpx>=0.25
Requires-Dist: pybreaker>=1.0
Requires-Dist: typing-extensions>=4.12
Provides-Extra: all
Requires-Dist: crewai>=0.50; extra == 'all'
Requires-Dist: fastapi>=0.100; extra == 'all'
Requires-Dist: langchain-core>=0.2; extra == 'all'
Requires-Dist: nono-py>=0.1.0; extra == 'all'
Requires-Dist: openai>=1.0; extra == 'all'
Requires-Dist: temporalio>=1.5; extra == 'all'
Provides-Extra: crewai
Requires-Dist: crewai>=0.50; extra == 'crewai'
Provides-Extra: dev
Requires-Dist: anthropic>=0.40; extra == 'dev'
Requires-Dist: fastapi>=0.100; extra == 'dev'
Requires-Dist: hypothesis>=6.100; extra == 'dev'
Requires-Dist: mypy>=1.10; extra == 'dev'
Requires-Dist: nox>=2024.4.15; extra == 'dev'
Requires-Dist: openai>=1.0; extra == 'dev'
Requires-Dist: pyjwt>=2.10; extra == 'dev'
Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
Requires-Dist: pytest>=8.0; extra == 'dev'
Requires-Dist: respx>=0.21; extra == 'dev'
Provides-Extra: fastapi
Requires-Dist: fastapi>=0.100; extra == 'fastapi'
Requires-Dist: starlette>=0.27; extra == 'fastapi'
Provides-Extra: google-adk
Requires-Dist: google-adk>=0.1; extra == 'google-adk'
Provides-Extra: langchain
Requires-Dist: langchain-core>=0.2; extra == 'langchain'
Provides-Extra: openai
Requires-Dist: openai>=1.0; extra == 'openai'
Provides-Extra: sandbox
Requires-Dist: nono-py>=0.1.0; extra == 'sandbox'
Provides-Extra: temporal
Requires-Dist: temporalio>=1.5; extra == 'temporal'
Description-Content-Type: text/markdown

# tappass — Zero Trust Control Plane for Agentic AI (Python SDK)

Runtime governance for your LLM, agent, and tool calls. Embed in your code, get a typed audit trail, surface governance decisions as Python exceptions.

**What this SDK is for:**
- Governing LLM calls, agent runs, and tool executions at runtime.
- Emitting structured audit events with correlation IDs.
- Handling governance decisions (block, redact, approve, trust-tier, break-glass) as typed exceptions in your code.

**What this SDK is NOT for:**
- Policy CRUD, compliance report generation, Verified credential issuance, retention config, break-glass invocation, tool-integrity approval. Those live in the [TapPass dashboard](https://app.tappass.ai) — not in your agent code.

## Requirements

- Python ≥ 3.11.
- `tappass` server ≥ 0.6.0. (The SDK rejects older servers at construction time.)

## Install

    pip install tappass

## Quickstart — a governed chat call

    from tappass import Agent

    agent = Agent("https://tappass.example.com", api_key="tp_...")
    r = agent.chat("Summarize Q4 revenue")
    print(r.content)
    print(r.session_id, r.audit_url)   # correlation IDs, deep link to dashboard

## Quickstart — govern a CrewAI run

    from crewai import Agent, Task, Crew
    from tappass.integrations.crewai import guard_crew

    crew = Crew(agents=[...], tasks=[...])

    with guard_crew(crew, tappass_url="https://tappass.example.com", api_key="tp_...") as session:
        result = session.kickoff()
        print(session.id, session.audit_url)

## Telemetry kill-switch

The SDK delivers audit events to your TapPass server asynchronously via a
background reporter. To disable that delivery entirely, set either of:

    export TAPPASS_DISABLE_TELEMETRY=1
    export DO_NOT_TRACK=1     # community convention — consoledonottrack.com

This **only** suppresses audit-event delivery. It does **not** disable
governance — `govern()` calls still run, decisions are still enforced,
blocks still raise `GovernanceBlocked`. The distinction is deliberate:
governance is the product you're paying for; telemetry is observability
of your own usage.

## Decisions are typed exceptions

    from tappass import GovernanceDecision, PolicyBlockError, ApprovalRequired

    try:
        r = agent.chat("Show me all customer SSNs")
    except PolicyBlockError as e:
        print(f"Blocked by {e.blocked_by}: {e.reason}. See {e.audit_url}")
    except ApprovalRequired as e:
        print(f"Awaiting approval: {e.approval_url}")
    except GovernanceDecision as e:
        print(f"Governance decision: {e}")

## What's new in 0.6

See `CHANGELOG.md`. Breaking changes — no back-compat with 0.5.x. See the [migration guide](https://docs.tappass.ai/sdk/migration-0.6/).

## Publishing a release

Releases ship to PyPI via GitHub Actions using OIDC Trusted Publishing — no long-lived API token is stored anywhere. The workflow is `.github/workflows/release.yml`.

### One-time PyPI configuration

Only needed once per project (or whenever the workflow name / environment changes):

1. Log in to <https://pypi.org/manage/account/publishing/>.
2. Under **Add a new pending publisher** (if the project isn't on PyPI yet) or the existing project's **Publishing** tab, add a GitHub publisher with:
   - **PyPI Project Name:** `tappass`
   - **Owner:** `tappass`
   - **Repository name:** `tappass-sdk`
   - **Workflow name:** `release.yml`
   - **Environment name:** `pypi`
3. In the GitHub repo, go to **Settings → Environments** and create an environment named `pypi`. Optionally add a required-reviewers protection rule so a human approves each release.

That's it — no secrets, no tokens.

### Cutting a release

1. Bump `version` in `pyproject.toml` (and `__version__` in `tappass/__init__.py`).
2. Update `CHANGELOG.md`: flip `## [X.Y.Z] — Unreleased` to `## [X.Y.Z] — YYYY-MM-DD`.
3. Commit: `git commit -am "release: X.Y.Z"`.
4. Tag and push:
   ```
   git tag vX.Y.Z
   git push origin main --tags
   ```

The workflow then:
1. Verifies the tag matches `pyproject.toml` version (fails the release if not).
2. Builds wheel + sdist.
3. Runs `twine check`.
4. Publishes to PyPI via OIDC.
5. Creates a GitHub Release with the wheel + sdist attached and auto-generated notes.

### Dry run

To build the artifacts without publishing, use **Actions → Release to PyPI → Run workflow** with `dry_run` checked. The `publish` and `github_release` jobs are skipped; the `build` job's artifacts are retained for inspection.

## License

Apache-2.0. See `LICENSE`.
