Metadata-Version: 2.4
Name: tibet-spiffe
Version: 0.1.1
Summary: SPIFFE/SPIRE bridge with TIBET provenance — your server thinks it's talking to SPIRE, but gets auditable trust
Project-URL: Homepage, https://humotica.com
Project-URL: Repository, https://github.com/jaspertvdm/tibet-spiffe
Project-URL: Documentation, https://humotica.com/docs/tibet-spiffe
Project-URL: Bug Tracker, https://github.com/jaspertvdm/tibet-spiffe/issues
Project-URL: TIBET Protocol, https://pypi.org/project/tibet-core/
Project-URL: SPIFFE Standard, https://spiffe.io/
Project-URL: IETF TIBET Draft, https://datatracker.ietf.org/doc/draft-vandemeent-tibet-provenance/
Project-URL: IETF JIS Draft, https://datatracker.ietf.org/doc/draft-vandemeent-jis-identity/
Author-email: "J. van de Meent" <jasper@humotica.com>, "R. AI" <root_idd@humotica.nl>
Maintainer-email: Humotica AI Lab <ai@humotica.nl>
License: MIT
License-File: LICENSE
Keywords: provenance,spiffe,spire,svid,tibet,workload-identity,zero-trust
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: System :: Systems Administration
Requires-Python: >=3.10
Requires-Dist: jis-core>=0.4.0b1
Requires-Dist: tibet-core>=0.2.0
Provides-Extra: dev
Requires-Dist: pytest>=7.0; extra == 'dev'
Requires-Dist: ruff>=0.1.0; extra == 'dev'
Provides-Extra: full
Requires-Dist: rich>=13.0.0; extra == 'full'
Description-Content-Type: text/markdown

# tibet-spiffe

**SPIFFE/SPIRE Bridge with TIBET Provenance — your server thinks it's talking to SPIRE, but gets auditable trust.**

Part of the [TIBET protocol suite](https://pypi.org/project/tibet-core/) by [Humotica AI Lab](https://humotica.com).

## The Problem

SPIFFE/SPIRE tells you **WHO** a workload is. But not **WHAT** it did, or **WHY**.

When relay station 3 gets compromised, SPIRE says "yes, this is relay-3." But it can't tell you that relay-3 modified a drone command, changed a payment amount, or poisoned an AI pipeline.

## The Solution

tibet-spiffe bridges SPIFFE identities with TIBET provenance:

| SPIFFE/SPIRE | tibet-spiffe adds |
|---|---|
| Workload identity (SVID) | + TIBET provenance chain |
| Node attestation | + Full audit trail |
| SVID rotation | + Rotation history with intent |
| Federation | + Cross-domain trust scoring |
| Trust domain | + FIR/A behavioral trust |

Your existing infrastructure sees standard SPIFFE IDs. TIBET adds the provenance layer underneath.

## Install

```bash
pip install tibet-spiffe
```

## Quick Start

```python
from tibet_spiffe import AttestationEngine

engine = AttestationEngine(trust_domain="humotica.com")

# Node attestation (like SPIRE node-attestor)
node = engine.attest_node("relay-3", trust_score=0.8)
print(node.svid.spiffe_id)  # spiffe://humotica.com/node/relay-3

# Workload attestation (like SPIRE workload-attestor)
api = engine.attest_workload("api-server", node_svid=node.svid)
print(api.svid.spiffe_id)   # spiffe://humotica.com/workload/api-server
print(api.svid.jis_did)     # jis:api-server

# Identity bridge (SPIFFE ↔ JIS)
did = engine.bridge.spiffe_to_did(api.svid.spiffe_id)
spiffe = engine.bridge.did_to_spiffe(did)

# Full audit trail
for token in engine.audit_trail():
    print(f"[{token['action']}] {token['erachter']['intent']}")
```

## CLI

```bash
# Interactive demo
tibet-spiffe demo

# Attest a node
tibet-spiffe attest-node relay-3 -d humotica.com -t 0.8

# Attest a workload
tibet-spiffe attest-workload api-server -d humotica.com -j
```

## Architecture

```
┌─────────────────────────────────────────────────┐
│  Your Infrastructure                            │
│  (sees standard SPIFFE IDs)                     │
│                                                 │
│  spiffe://humotica.com/workload/api-server      │
│  spiffe://humotica.com/node/relay-3             │
│                                                 │
├─────────────────────────────────────────────────┤
│  tibet-spiffe bridge                            │
│                                                 │
│  SPIFFE ID ←→ JIS DID (bidirectional)           │
│  SVID issuance = TIBET token                    │
│  SVID rotation = TIBET provenance chain         │
│  Attestation = TIBET-audited                    │
│  Federation = trust-scored                      │
│                                                 │
├─────────────────────────────────────────────────┤
│  TIBET Layer                                    │
│  • ERIN: what was attested                      │
│  • ERAAN: what it depends on                    │
│  • EROMHEEN: where it happened                  │
│  • ERACHTER: why it was needed                  │
└─────────────────────────────────────────────────┘
```

## Integration with tibet-workload

```python
from tibet_spiffe import AttestationEngine
from tibet_workload import WorkloadEngine

spiffe = AttestationEngine(trust_domain="humotica.com")
workload = WorkloadEngine()
workload.connect_spiffe(spiffe)  # Link workload steps to SPIFFE SVIDs
```

## IETF Drafts

- [TIBET Provenance](https://datatracker.ietf.org/doc/draft-vandemeent-tibet-provenance/)
- [JIS Identity](https://datatracker.ietf.org/doc/draft-vandemeent-jis-identity/)

## License

MIT — Humotica AI Lab 2025-2026


## Credits

Designed by [Jasper van de Meent](https://github.com/jaspertvdm). Built by Jasper and [Root AI](https://humotica.com) as part of [HumoticaOS](https://humotica.com).

---

**Stack-positie:** Groep `substrate` · Bootstrap = OSAPI-handshake naar [`tibet`](https://pypi.org/project/tibet-core/) + [`jis`](https://pypi.org/project/jis-core/) (fail → snaft-rule + tibet-pol-rapport) · ← [`jis-core`](https://pypi.org/project/jis-core/) · [`tibet-workload`](https://pypi.org/project/tibet-workload/) → · See `STACK.md` · See `demo/golden-path/` for the spine end-to-end.
---

## Enterprise

For private hub hosting, SLA support, custom integrations, or compliance guidance:

| | |
|---|---|
| **Enterprise** | enterprise@humotica.com |
| **Support** | support@humotica.com |
| **Security** | security@humotica.com |

See [ENTERPRISE.md](ENTERPRISE.md) for details.
