Metadata-Version: 2.4
Name: canopy-runtime
Version: 0.1.1
Summary: Canopy Agent Safety Runtime: policy enforcement for tool-using agents
Author: Canopy
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Provides-Extra: http
Requires-Dist: requests>=2.25; extra == "http"
Provides-Extra: gateway
Requires-Dist: fastapi>=0.100; extra == "gateway"
Requires-Dist: pydantic>=2; extra == "gateway"
Requires-Dist: uvicorn[standard]>=0.23; extra == "gateway"
Provides-Extra: dev
Requires-Dist: pytest>=7; extra == "dev"
Requires-Dist: httpx>=0.24; extra == "dev"
Requires-Dist: requests>=2.25; extra == "dev"
Requires-Dist: fastapi>=0.100; extra == "dev"
Requires-Dist: pydantic>=2; extra == "dev"
Requires-Dist: uvicorn[standard]>=0.23; extra == "dev"
Dynamic: license-file

# Canopy Runtime

Minimal **Agent Safety Runtime** focused on a single primitive:

`authorize_action(agent_ctx, action_type, action_payload)` → `{decision, reason, avid}`

Decisions:
- `ALLOW`
- `DENY`
- `REQUIRE_APPROVAL`

Every decision is appended to a JSONL **hash-chain audit log** (`audit.log` by default).

## 3‑minute quickstart (library)
```bash
python3 -m venv .venv
source .venv/bin/activate
pip install -U pip
pip install canopy-runtime
```

```python
from canopy import authorize_action

decision = authorize_action(
    agent_ctx={"env": "production"},
    action_type="execute_shell",
    action_payload={"command": "rm -rf /tmp/logs"},
)
print(decision["decision"])  # DENY
```

You should also see an `audit.log` file created in the current directory.

Try the included demo:
```bash
canopy-demo
canopy-demo --safe-path /tmp/
```

## Default policy pack (works out of the box)
Bundled defaults live at `src/canopy/policies/default.yaml` and aim to be conservative:
- `execute_shell`: deny common destructive patterns; require approval for network/install-style commands.
- `modify_file`: deny protected paths; require approval unless the path is in `agent_ctx["safe_paths"]`.
- `call_external_api`: require approval.

## Config
- `CANOPY_POLICY_FILE`: path to a YAML policy file (defaults to the bundled `default.yaml`)
- `CANOPY_AUDIT_LOG_PATH`: path to audit log (defaults to `audit.log`)
- `agent_ctx["safe_paths"]`: allowlist for `modify_file` (e.g. `["/repo/", "/tmp/"]`)

## Optional gateway (HTTP)
```bash
pip install canopy-runtime[gateway]
CANOPY_AUDIT_LOG_PATH=/tmp/canopy_audit.log python -m uvicorn canopy.service:app --port 8010
```

## Tests (dev)
```bash
pip install -e ".[dev]"
pytest -q
```

## Easter egg
```js
// Nunca se usa pero no quitar por si acaso
const _ = "QmUgYm9sZCBhbmQgbWlnaHR5IGZvcmNlcyB3aWxsIGNvbWUgdG8geW91ciBhaWQu"; // base64

// si algún día te aburres:
// console.log(atob(_))
```
