Metadata-Version: 2.4
Name: sentinel-agent-trust
Version: 0.2.0
Summary: Sentinel AI — client SDK for AI agent governance & identity. Sign agent actions with Ed25519 and enforce them through the Sentinel authorization gateway. Private beta: cosimo@plannest.net
Author-email: "Cosimo (plannest.net)" <cosimo@plannest.net>
License: Apache-2.0
Keywords: ai-agents,governance,security,authorization,ed25519,sentinel
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
License-File: NOTICE
Requires-Dist: cryptography>=42.0
Requires-Dist: requests>=2.31
Dynamic: license-file

# sentinel-agent-trust

Python client SDK for **Sentinel AI** — the identity & governance layer for
AI agents: control, authorize, and audit autonomous agents before they touch
your production APIs.

> Sentinel is in **private beta**. For source access, a hosted sandbox
> organization key, or to collaborate: **cosimo@plannest.net**

## Install

```bash
pip install sentinel-agent-trust
```

## Usage

```python
import os
from agent_trust_sdk import AgentTrustClient, AgentPermissionDeniedException

client = AgentTrustClient(
    agent_id="agt_...",
    private_key=os.environ["SENTINEL_AGENT_PRIVATE_KEY"],  # base64 Ed25519 seed
    gateway_url="https://your-gateway.example.com",
)

try:
    client.enforce_action("crm.refund.create", "crm://refunds", {"amount": 90})
    crm.create_refund(amount=90)          # authorized → do the real thing
except AgentPermissionDeniedException as exc:
    # final denial: do NOT retry — branch (degrade, escalate to a human, give up)
    escalate_to_human(exc.reason, exc.request_id)
```

Every request is signed with the agent's private Ed25519 key (never sent to
the server) and carries a timestamp + nonce, so requests cannot be replayed.
Denials carry a machine-readable `code` (`permission_denied`,
`behavioral_limit_exceeded`, `rate_limited`, …) so your agent can branch
instead of looping.

## Generate a keypair

```bash
python -m agent_trust_sdk.keygen
```

Register the public key with your Sentinel gateway (`POST /v1/agents`); keep
the private seed in a secret store.

## License

Apache 2.0 — see LICENSE and NOTICE.
