Metadata-Version: 2.4
Name: certior
Version: 0.1.0a0
Summary: Verified safety layer for AI agent tool calls - capability, content, and budget gates with signed certificates and a Lean-checked policy model
Author-email: Pauline Bourigault <pbourigault@gmail.com>
Maintainer-email: Certior <hello@certior.io>
License-Expression: Apache-2.0
Project-URL: Homepage, https://certior.io
Project-URL: Documentation, https://docs.certior.io
Project-URL: Repository, https://github.com/paulinebourigault/certior
Project-URL: Issues, https://github.com/paulinebourigault/certior/issues
Project-URL: Changelog, https://github.com/paulinebourigault/certior/blob/main/CHANGELOG.md
Project-URL: Source Code, https://github.com/paulinebourigault/certior
Keywords: ai-safety,ai-agents,agent-safety,llm-security,tool-calling,openai-tools,anthropic-tools,langchain,crewai,mcp,formal-verification,z3,lean4,policy-enforcement,compliance
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: System Administrators
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: Scientific/Engineering :: Artificial Intelligence
Classifier: Operating System :: POSIX :: Linux
Classifier: Operating System :: MacOS
Classifier: Operating System :: Microsoft :: Windows
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Typing :: Typed
Requires-Python: >=3.11
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: z3-solver>=4.12.0
Requires-Dist: httpx>=0.26.0
Requires-Dist: pydantic>=2.5.0
Requires-Dist: jsonschema>=4.21.0
Requires-Dist: PyYAML>=6.0.2
Provides-Extra: langchain
Requires-Dist: langchain-core>=0.2.0; extra == "langchain"
Provides-Extra: crewai
Requires-Dist: crewai>=0.28.0; extra == "crewai"
Provides-Extra: openclaw
Requires-Dist: openclaw-sdk>=2.1.0; extra == "openclaw"
Provides-Extra: api
Requires-Dist: fastapi>=0.109.0; extra == "api"
Requires-Dist: uvicorn>=0.27.0; extra == "api"
Requires-Dist: websockets>=12.0; extra == "api"
Requires-Dist: PyJWT>=2.8.0; extra == "api"
Provides-Extra: postgres
Requires-Dist: asyncpg>=0.29.0; extra == "postgres"
Provides-Extra: redis
Requires-Dist: celery>=5.3.0; extra == "redis"
Requires-Dist: redis>=5.0.0; extra == "redis"
Provides-Extra: observability
Requires-Dist: opentelemetry-api>=1.22.0; extra == "observability"
Requires-Dist: opentelemetry-sdk>=1.22.0; extra == "observability"
Requires-Dist: opentelemetry-exporter-otlp>=1.22.0; extra == "observability"
Provides-Extra: ner
Requires-Dist: spacy>=3.7.0; extra == "ner"
Provides-Extra: llm
Requires-Dist: anthropic>=0.39.0; extra == "llm"
Provides-Extra: openai-llm
Requires-Dist: openai>=1.12.0; extra == "openai-llm"
Provides-Extra: pdf
Requires-Dist: reportlab>=4.0.0; extra == "pdf"
Provides-Extra: all
Requires-Dist: certior[api,llm,observability,openai-llm,pdf,postgres,redis]; extra == "all"
Provides-Extra: dev
Requires-Dist: pytest>=8.0.0; extra == "dev"
Requires-Dist: pytest-asyncio>=0.23.0; extra == "dev"
Requires-Dist: pytest-cov>=4.1.0; extra == "dev"
Dynamic: license-file

# Certior

> **Provable boundaries for multi-agent AI.** A capability boundary for OpenClaw, LangChain, CrewAI, and your own delegation chains - every agent-to-agent call is checked against a Lean-proven policy before it runs. Allowed calls return a signed receipt. Blocked calls raise `CertiorBlocked` with a precise reason.

[![PyPI](https://img.shields.io/pypi/v/certior.svg)](https://pypi.org/project/certior/)
[![Python](https://img.shields.io/badge/python-3.11%2B-blue.svg)](https://pypi.org/project/certior/)
[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://github.com/paulinebourigault/certior/blob/main/LICENSE)

> **Homepage**: [certior.io](https://certior.io) · **Docs**: [docs.certior.io](https://docs.certior.io) · **Source**: [github.com/paulinebourigault/certior](https://github.com/paulinebourigault/certior)

## Install

```bash
pip install certior
```

Requires Python 3.11 or later. Pulls in `z3-solver`, `httpx`, `pydantic`, `jsonschema`, and `PyYAML`.

## Quickstart

```python
from certior import Guard, CertiorBlocked

guard = Guard(permissions=["network:http:read"])           # an agent's capability boundary

@guard.wrap(required_capabilities=["network:http:read"])   # tool calls + child agents must fit inside
def web_fetch(url): ...

web_fetch("https://example.com")  # allowed -> signed receipt in guard.audit_log
                                   # capability escalation -> raises CertiorBlocked
```

One decorator. Wraps any function. The rest of your code is unchanged.

Full 5-minute walkthrough: [docs.certior.io/quickstart](https://docs.certior.io/quickstart).

## What it does

Three gates run before every tool call:

| Gate | Checks |
|---|---|
| **Capability** | child agent's capabilities ⊆ parent's; tool requires only what's granted |
| **Content** | HIPAA / SOX / attorney-client / custom detectors on prompts and outputs |
| **Budget** | per-agent hard ceiling; every step debits the parent |

Allowed calls return a signed certificate bound to a Lean-checked policy fingerprint. Blocked calls raise `CertiorBlocked` with a precise reason. An auditor reproduces the audit with a single `lake build`.

See [how it works](https://docs.certior.io/concepts/how-it-works) and [certificates](https://docs.certior.io/concepts/certificates) for the runtime model.

## Adapters

| Framework | Module | Guide |
|---|---|---|
| OpenAI tool use | `certior.adapters.tool_use` | [docs.certior.io/guides/openai](https://docs.certior.io/guides/openai) |
| Anthropic `tool_use` | `certior.adapters.tool_use` | same recipe, native shape |
| LangChain | `certior.adapters.langchain` | [docs.certior.io/guides/langchain](https://docs.certior.io/guides/langchain) |
| CrewAI | `certior.adapters.crewai` | [docs.certior.io/guides/crewai](https://docs.certior.io/guides/crewai) |
| OpenClaw | `certior.adapters.openclaw` | [docs.certior.io/guides/openclaw](https://docs.certior.io/guides/openclaw) |
| MCP / custom | `@guard.wrap(...)` | [docs.certior.io/guides/custom-loop](https://docs.certior.io/guides/custom-loop) |

## What is proven

Three formal tools, three jobs:

- **Z3** runs on every tool call and proves the action satisfies capability, budget, and flow constraints.
- **Lean 4** machine-checks the policy model (155 theorems and lemmas, 0 `sorry`, 0 axioms beyond Lean's standard three: `propext`, `Classical.choice`, `Quot.sound`). CI fails the build if any of the four headline guarantees - `delegationSafety`, `ifcSoundness`, `compositionSoundness`, `SecurityLevel.isValidBoundedLattice` - stops depending only on standard axioms.
- **Dafny** statically verifies kernel properties (path-safety, seccomp).

Certior does not verify the LLM's behaviour. It verifies the boundary the LLM operates inside.

Full assurance model: [docs.certior.io/reference/trust-package](https://docs.certior.io/reference/trust-package).

## Server, Studio, examples

The pip package is the SDK. The GitHub repository ships the FastAPI server, the Certior Studio UI, the Lean kernel, the GitHub Action, the `certior-skill-audit` CLI, and runnable examples:

- [github.com/paulinebourigault/certior](https://github.com/paulinebourigault/certior)
- [Server + Studio](https://docs.certior.io/integrations/studio)
- [GitHub Action](https://docs.certior.io/integrations/github-action)
- [Skill audit CLI](https://docs.certior.io/integrations/skill-audit)

## Status

Alpha release, in active development under Apache-2.0. Public API may change between minor versions during the 0.x line; pin to `certior==0.1.*` for compatible updates.

Looking for design partners in healthcare, finance, legal, and regulated AI teams who need real audit trails on agent workflows.

Contact: [hello@certior.io](mailto:hello@certior.io)
