Metadata-Version: 2.4
Name: tibet-airlock
Version: 0.3.1
Summary: Zero-trust sandbox Python operator-surface with TIBET provenance. v0.3.0: airlock-runtime posture enforcer (verdict.v1) — execute() raises AirlockPostureDenied before network I/O when external AI is denied. Pairs with the tibet-airlock-kernel Rust crate for hardened execution.
Author-email: Jasper van de Meent <jasper@humotica.com>, Root AI <root_idd@humotica.nl>
License-Expression: MIT
Project-URL: Homepage, https://ainternet.org
Project-URL: Repository, https://github.com/humotica/tibet-airlock
Project-URL: Rust Crate, https://crates.io/crates/tibet-airlock
Project-URL: TIBET Ecosystem, https://pypi.org/project/tibet/
Keywords: tibet,sandbox,security,microvm,provenance,airlock,snaft
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Rust
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Testing
Requires-Python: >=3.9
Description-Content-Type: text/markdown
Provides-Extra: tibet
Requires-Dist: tibet>=2.0.0; extra == "tibet"

# tibet-airlock

Zero-trust sandbox with TIBET provenance. Python operator/client surface for the
hardened Rust execution kernel.

> **Naming discipline (since v0.3.0):** `tibet-airlock` is the **Python operator
> surface** (this package — bindings, monitoring, posture enforcement). The
> hardened Rust execution kernel lives as the separate crate
> [`tibet-airlock-kernel`](https://crates.io/crates/tibet-airlock-kernel)
> (previously published as `tibet-airlock` on crates.io, v0.1.0 yanked).

## Install

```bash
pip install tibet-airlock
cargo install tibet-airlock-kernel   # the Rust execution kernel
```

Or as part of the TIBET security bundle:

```bash
pip install tibet[security]
```

## Airlock-runtime posture enforcement (since 0.3.0)

`tibet-airlock` is the **operator-side enforcer** of the
`tibet-pol → snaft → cap-bus → tibet-airlock` immune-switch pipeline. When a
verdict has been installed, `execute()` refuses to even open a connection if the
flow is forbidden by the active posture:

```python
import asyncio
from tibet_airlock import Airlock, AirlockPostureDenied
from snaft.posture import consume_verdict   # snaft >= 1.4.0

# Receive a verdict.v1 record from tibet-pol via cap-bus:
verdict = {...}  # airlock_runtime_verdict.v1 record
decision = consume_verdict(verdict)

airlock = Airlock()
airlock.set_posture(decision)

try:
    asyncio.run(
        airlock.execute("code:execute", "untrusted_payload", origin="external_ai")
    )
except AirlockPostureDenied as e:
    print(f"refused: {e}")
    # In python_fallback mode: "deny_external_ai_inbound ON (intent=code:execute)"
    # No socket was opened. Operator/local diagnostics still pass through.
```

The invariant, *"If the bolle airlock-runtime drops out, external AI traffic may
no longer come in"* (Jasper 2026-05-29), is honored at this layer: when the
posture has `deny_external_ai_inbound=True`, `drop_external_traffic=True`, or
`isolate_session=True`, no network I/O is attempted for matching origins. Local
diagnostics and operator-approved repair flows still pass through.

Reference: Codex policy 2026-05-29 (immune-switch ladder).
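
The check-before-connect pattern described above, as an added sketch that is not the `tibet-airlock` implementation: `GatedClient`, `Posture`, `CountingConnector` and the origin labels other than `external_ai` are hypothetical names, and the mapping of each flag to the origins it covers is an assumption. The counting connector stands in for the transport so a test can confirm that a denied call never reaches it.

```python
import asyncio
from dataclasses import dataclass

# Assumption: these origin labels are illustrative; the page only names
# the three posture flags and the "external_ai" origin.
LOCAL_ORIGINS = {"local_diagnostics", "operator_repair"}


class PostureDenied(Exception):
    """Raised before any connection is attempted."""


@dataclass(frozen=True)
class Posture:
    deny_external_ai_inbound: bool = False
    drop_external_traffic: bool = False
    isolate_session: bool = False

    def denial_reason(self, origin):
        """Return the name of the flag that forbids this origin, or None."""
        if origin in LOCAL_ORIGINS:
            return None  # local diagnostics and operator repair pass through
        if self.isolate_session:
            return "isolate_session"
        if self.drop_external_traffic:
            return "drop_external_traffic"
        if self.deny_external_ai_inbound and origin == "external_ai":
            return "deny_external_ai_inbound"
        return None


class GatedClient:
    def __init__(self, connect):
        self._connect = connect      # async callable that performs the I/O
        self._posture = Posture()

    def set_posture(self, posture):
        self._posture = posture

    async def execute(self, intent, payload, origin):
        reason = self._posture.denial_reason(origin)
        if reason is not None:
            # The gate runs first: on denial the connector is never awaited.
            raise PostureDenied(f"{reason} ON (intent={intent})")
        return await self._connect(intent, payload)


class CountingConnector:
    """Constructed stand-in for the transport; counts connection attempts."""
    def __init__(self):
        self.calls = 0

    async def __call__(self, intent, payload):
        self.calls += 1
        return {"status": 200, "intent": intent}
```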

## Use with airlock kernel (full isolation)

```bash
# Terminal 1: start the airlock kernel
cargo install tibet-airlock-kernel
tibet-airlock-kernel
```

```python
# Terminal 2: Python
from tibet_airlock import Airlock

result = Airlock.run("code:execute", "print('hello world')")
print(result.status)        # 200
print(result.safe)          # True
print(result.roundtrip_ms)  # 0.6
print(result.token)         # TIBET provenance token
```

## Use SNAFT directly (no binary needed)

```python
from tibet_airlock import SnaftMonitor

# Monitor syscalls for an intent
monitor = SnaftMonitor("code:execute")
monitor.log_syscall("sys_write")    # OK
monitor.log_syscall("sys_socket")   # VIOLATION - network access!

decision = monitor.triage()
print(decision.is_safe)     # False
print(decision.violations)  # ['sys_socket (blocked: dangerous syscall for any intent)']

# Or scan a payload string
monitor = SnaftMonitor("code:execute")
detected = monitor.scan_payload("import os; os.system('curl evil.com')")
decision = monitor.triage()
print(decision.is_kill)     # True
```

## How it works

```
Intent -> Snapshot Wake (<0.01ms) -> SNAFT Monitor -> Triage -> TIBET Token
```

1. **Intent routing** — each intent maps to a pre-warmed microVM snapshot
2. **SNAFT monitoring** — every syscall checked against intent-specific allowlist
3. **Triage** — violations = instant kill, clean = graceful shutdown
4. **TIBET token** — cryptographic proof of what happened (the 4 dimensions: erin, eraan, eromheen, erachter)

## Blocked syscalls (always dangerous)

`sys_ptrace`, `sys_socket`, `sys_connect`, `sys_dlopen`, `sys_fork`, `sys_clone`, `sys_mount`, `sys_reboot`, `sys_kexec_load`
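
The monitoring and triage steps from "How it works", combined with the blocked list above, as an added model that is not the SNAFT code: `triage_trace`, `Triage` and the per-intent allowlists are hypothetical, and only `ALWAYS_BLOCKED` is taken from this page. It shows the evaluation order (always-blocked first, then the intent allowlist), denial of everything for an unknown intent, and the kill decision at the first violation.

```python
from dataclasses import dataclass, field

# From the page: syscalls refused for every intent.
ALWAYS_BLOCKED = frozenset({
    "sys_ptrace", "sys_socket", "sys_connect", "sys_dlopen", "sys_fork",
    "sys_clone", "sys_mount", "sys_reboot", "sys_kexec_load",
})

# Assumption: illustrative per-intent allowlists; the page does not list them.
INTENT_ALLOWLIST = {
    "code:execute": frozenset({"sys_read", "sys_write", "sys_exit"}),
    "file:read": frozenset({"sys_open", "sys_read", "sys_close", "sys_exit"}),
}


@dataclass
class Triage:
    verdict: str                      # "clean" or "kill"
    processed: int                    # syscalls seen before the decision
    violations: list = field(default_factory=list)


def triage_trace(intent, trace):
    """Walk a syscall trace; stop at the first violation (instant kill)."""
    # An unknown intent gets an empty allowlist, so every syscall is denied.
    allowed = INTENT_ALLOWLIST.get(intent, frozenset())
    for seen, name in enumerate(trace, start=1):
        if name in ALWAYS_BLOCKED:
            why = "blocked: dangerous syscall for any intent"
        elif name not in allowed:
            why = f"not on allowlist for intent {intent!r}"
        else:
            continue
        return Triage("kill", seen, [f"{name} ({why})"])
    return Triage("clean", len(trace))


# Constructed sample traces.
CLEAN = ["sys_read", "sys_write", "sys_exit"]
EXFIL = ["sys_read", "sys_socket", "sys_connect", "sys_write"]
```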

## Part of TIBET

- Rust binary: [crates.io/crates/tibet-airlock](https://crates.io/crates/tibet-airlock)
- Full ecosystem: `pip install tibet[full]` (28 packages)
- Website: [ainternet.org](https://ainternet.org)

Built by [Humotica](https://humotica.com) for the [AInternet](https://ainternet.org).


## License

MIT

## Credits

Designed by [Jasper van de Meent](https://github.com/jaspertvdm). Built by Jasper and [Root AI](https://humotica.com) as part of [HumoticaOS](https://humotica.com).

---

**Stack position:** Group `agentic` · Bootstrap = OSAPI handshake to [`tibet`](https://pypi.org/project/tibet-core/) + [`jis`](https://pypi.org/project/jis-core/) (fail → snaft-rule + tibet-pol report) · ← [`tibet-phantom`](https://pypi.org/project/tibet-phantom/) · See `STACK.md` · See `demo/golden-path/` for the spine end-to-end.

---

## Enterprise

For private hub hosting, SLA support, custom integrations, or compliance guidance:

| | |
|---|---|
| **Enterprise** | enterprise@humotica.com |
| **Support** | support@humotica.com |
| **Security** | security@humotica.com |

See [ENTERPRISE.md](ENTERPRISE.md) for details.
