Metadata-Version: 2.4
Name: tigrbl_auth
Version: 0.3.4
Summary: A Tigrbl multi-tenant OpenID Connect / OAuth 2.0 identity-provider package by Swarmauri.
License-Expression: Apache-2.0
License-File: LICENSE
Keywords: oidc,oauth2,identity-provider,jwks,jwt,tigrbl,sdk,standards,auth,authentication
Author: Jacob Stewart
Author-email: jacob@swarmauri.com
Requires-Python: >=3.10,<3.13
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Development Status :: 3 - Alpha
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3 :: Only
Provides-Extra: hypercorn
Provides-Extra: postgres
Provides-Extra: servers
Provides-Extra: sqlite
Provides-Extra: test
Provides-Extra: tigrcorn
Provides-Extra: uvicorn
Requires-Dist: PyYAML (==6.0.3)
Requires-Dist: aiosqlite (==0.22.1)
Requires-Dist: aiosqlite (==0.22.1) ; extra == "sqlite"
Requires-Dist: asyncpg (==0.31.0) ; extra == "postgres"
Requires-Dist: bcrypt (==5.0.0)
Requires-Dist: httpx (==0.28.1)
Requires-Dist: hypercorn (==0.18.0) ; extra == "hypercorn"
Requires-Dist: hypercorn (==0.18.0) ; extra == "servers"
Requires-Dist: psycopg2-binary (==2.9.10) ; extra == "postgres"
Requires-Dist: pydantic-settings (==2.12.0)
Requires-Dist: pydantic[email] (==2.12.5)
Requires-Dist: pytest (==8.4.1) ; extra == "test"
Requires-Dist: pytest-asyncio (==1.2.0) ; extra == "test"
Requires-Dist: pytest-benchmark (==4.0.0) ; extra == "test"
Requires-Dist: pytest-json-report (==1.5.0) ; extra == "test"
Requires-Dist: pytest-timeout (==2.3.1) ; extra == "test"
Requires-Dist: pytest-xdist (==3.6.1) ; extra == "test"
Requires-Dist: python-dotenv (==1.2.2)
Requires-Dist: python-multipart (==0.0.22)
Requires-Dist: requests (==2.32.3) ; extra == "test"
Requires-Dist: sqlalchemy[asyncio] (==2.0.48)
Requires-Dist: swarmauri_base (==0.9.2)
Requires-Dist: swarmauri_core (==0.9.2)
Requires-Dist: swarmauri_crypto_jwe (==0.2.0.dev40)
Requires-Dist: swarmauri_crypto_paramiko (==0.3.0.dev41)
Requires-Dist: swarmauri_keyprovider_file (==0.2.0)
Requires-Dist: swarmauri_keyprovider_local (==0.2.0)
Requires-Dist: swarmauri_signing_dpop (==0.1.1)
Requires-Dist: swarmauri_signing_ed25519 (==0.2.0.dev32)
Requires-Dist: swarmauri_signing_jws (==0.3.0.dev31)
Requires-Dist: swarmauri_standard (==0.9.2)
Requires-Dist: swarmauri_tokens_jwt (==0.3.0.dev31)
Requires-Dist: tigrbl (==0.3.15)
Requires-Dist: tigrcorn (==0.3.8) ; (python_version >= "3.11") and (extra == "servers")
Requires-Dist: tigrcorn (==0.3.8) ; (python_version >= "3.11") and (extra == "tigrcorn")
Requires-Dist: tomli (==2.4.0) ; python_version < "3.11"
Requires-Dist: uvicorn[standard] (==0.41.0) ; extra == "servers"
Requires-Dist: uvicorn[standard] (==0.41.0) ; extra == "uvicorn"
Project-URL: Homepage, https://github.com/swarmauri/swarmauri-sdk
Project-URL: Repository, https://github.com/swarmauri/swarmauri-sdk
Description-Content-Type: text/markdown

![Tigrbl Logo](https://raw.githubusercontent.com/swarmauri/swarmauri-sdk/master/assets/tigrbl_full_logo.png)

# tigrbl_auth

Tigrbl-native authentication and authorization package for the Tigrbl ecosystem.

## Repository state

This checkpoint is a **Step 12 final certification aggregation checkpoint with follow-up target/profile truth reconciliation and clean-room executor / validated-evidence contract hardening** layered on top of the earlier certification-target, clean-room-matrix, published-dependency, runtime-validation, test-graph, production-grade operator-control-plane, migration-portability, fail-closed-gates, and Tier 4 peer-program work.

The current repository truth is:

- `fully_certifiable_now = false`
- `fully_rfc_compliant_now = false`
- `strict_independent_claims_ready = false`
- `profile_scope_mismatch_set_empty = true`
- `alignment_only_checkpoint_no_new_certification_evidence = false`
- `clean_room_executor_matrix_declared_complete = true`
- `validated_manifest_identity_contract_installed = true`
- the package is **not yet certifiably fully featured**
- the package is **not yet certifiably fully RFC/spec compliant**

Final package-level certification is still blocked because the fail-closed validated execution gates remain incomplete for the clean-room runtime matrix, in-scope certification lanes, migration portability preservation, Tier 3 evidence rebuilt from validated runs, and preserved Tier 4 external peer bundles.

This update keeps the retained target/profile mismatch set empty for **RFC 7516**, **RFC 7592**, and **RFC 9207**, and it also hardens the preserved evidence model so runtime, test-lane, and migration manifests only count as passing when they carry identity, install-substrate linkage, environment identity, and the expected runtime / pytest / revision-aware backend artifacts.
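The fail-closed rule described above, sketched as an added example (not code from this repository): a manifest counts as passing only when every required piece of evidence is present and it was produced on a supported interpreter. The manifest layout, the field names, and the sample manifests are hypothetical.

```python
# Added illustration: the manifest layout and all field names are hypothetical,
# not tigrbl_auth's real evidence schema.
SUPPORTED_PYTHONS = {"3.10", "3.11", "3.12"}  # range stated in this README

# Evidence each manifest kind must carry before "passed" is believed.
COMMON = ("identity", "install_substrate", "environment")
REQUIRED = {
    "runtime": COMMON + ("runtime_artifacts",),
    "test-lane": COMMON + ("pytest_artifacts",),
    "migration": COMMON + ("backend_artifacts",),
}

# Constructed sample manifests, not real project evidence.
GOOD = {
    "kind": "runtime",
    "status": "passed",
    "identity": {"run_id": "example-run-1"},
    "install_substrate": {"constraints": "constraints/base.txt"},
    "environment": {"python": "3.11"},
    "runtime_artifacts": ["uvicorn-startup.log"],
}
BARE = {"kind": "runtime", "status": "passed"}
PY313 = dict(GOOD, environment={"python": "3.13"})


def gate(manifest):
    """Return (passing, reasons); anything missing or unexpected fails closed."""
    if not isinstance(manifest, dict):
        return False, ["manifest is not an object"]
    kind = manifest.get("kind")
    required = REQUIRED.get(kind) if isinstance(kind, str) else None
    if required is None:
        return False, ["unknown manifest kind"]
    reasons = []
    if manifest.get("status") != "passed":
        reasons.append("status is not 'passed'")
    for field in required:
        if not manifest.get(field):  # absent, None, "", [] and {} all fail
            reasons.append(f"missing evidence: {field}")
    env = manifest.get("environment")
    python = env.get("python") if isinstance(env, dict) else None
    if not isinstance(python, str) or python not in SUPPORTED_PYTHONS:
        reasons.append(f"unsupported interpreter: {python!r}")
    return not reasons, reasons


if __name__ == "__main__":
    for name, m in (("GOOD", GOOD), ("BARE", BARE), ("PY313", PY313)):
        print(name, gate(m))
```
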

Start with:

- `docs/compliance/AUTHORITATIVE_CURRENT_DOCS.md`
- `CURRENT_STATE.md`
- `CERTIFICATION_STATUS.md`
- `docs/compliance/current_state_report.md`
- `docs/compliance/certification_state_report.md`
- `docs/compliance/release_gate_report.md`
- `docs/compliance/runtime_profile_report.md`
- `docs/compliance/validated_execution_report.md`
- `docs/compliance/PEER_MATRIX_REPORT.md`
- `docs/compliance/TIER4_PROMOTION_MATRIX.md`
- `docs/compliance/RELEASE_DECISION_RECORD.md`
- `docs/compliance/CLEAN_ROOM_EXECUTOR_AND_EVIDENCE_CHECKPOINT_2026-03-27.md`

Historical planning and scaffold-layout documents are retained under `docs/archive/` and are **non-authoritative** for the current repository state.

## Runtime entrypoints

- standalone gateway/application export: `tigrbl_auth.gateway:app`
- application factory export: `tigrbl_auth.app:app`
- plugin installation: `tigrbl_auth.plugin:TigrblAuthPlugin`

## Current runtime model

The package is treated as an **ASGI 3 application package**, not as a single bundled server. Runtime-serving claims are separated into runner profiles. `Uvicorn`, `Hypercorn`, and `Tigrcorn` are declared as runner-qualified certification targets, and the `serve` operator can launch the runtime **when** the selected runner profile is installed and the Tigrbl runtime stack is importable in the active environment.

## Tigrbl-only policy

This checkpoint remains intentionally aligned to Tigrbl guidance:

- prefer Tigrbl exports and Tigrbl type exports,
- use Tigrbl ops and surfaces rather than ad-hoc framework routes,
- avoid direct FastAPI or Starlette imports and dependencies in verified release scopes.

## Installation profiles

### Base install

```bash
pip install -c constraints/base.txt .
```

### Storage extras

```bash
pip install -c constraints/base.txt '.[postgres]'
pip install -c constraints/base.txt '.[sqlite]'
```

### Runner extras

```bash
pip install -c constraints/base.txt -c constraints/runner-uvicorn.txt '.[uvicorn]'
pip install -c constraints/base.txt -c constraints/runner-hypercorn.txt '.[hypercorn]'
pip install -c constraints/base.txt -c constraints/runner-tigrcorn.txt '.[tigrcorn]'
pip install -c constraints/base.txt -c constraints/runner-uvicorn.txt -c constraints/runner-hypercorn.txt -c constraints/runner-tigrcorn.txt '.[servers]'
```

The `tigrcorn` extra is pinned to a published Tigrcorn runner package for Python `3.11` and `3.12`. Final certification is still blocked until preserved clean-room execution evidence exists for the full supported runtime/test/migration matrix and the Tier 4 external peer bundles are complete.

## Run

```bash
tigrbl-auth claims lint
```

or embed as a plugin:

```python
from tigrbl import TigrblApp
from tigrbl_auth.plugin import TigrblAuthPlugin

app = TigrblApp()
plugin = TigrblAuthPlugin()
plugin.install(app)
```

## Notes

- OAuth 2.1 alignment is tracked as a profile, not as a formal RFC claim.
- `keys` is the canonical certified command family; `key` is no longer part of the certified operator surface.
- Public "independent" wording remains disallowed until preserved Tier 4 external peer bundles exist and promote the retained boundary.
- The authoritative executable CLI surface is `tigrbl_auth/cli/metadata.py` plus the generated `docs/reference/CLI_SURFACE.md`.
- A current checkpoint gap review remains published at `docs/compliance/PACKAGE_REVIEW_GAP_ANALYSIS.md`.
- Supplemental supporting review/plan docs remain available at `docs/compliance/INDEPENDENT_PACKAGE_REVIEW_2026-03-27.md` and `docs/compliance/CERTIFIABLE_DELIVERY_PLAN_2026-03-27.md`; the current authoritative truth is in the generated reports and top-level current-state docs.
- Dependency provenance for this checkpoint is preserved in `pyproject.toml`, `constraints/*.txt`, and `constraints/dependency-lock.json`.
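
An added example (not part of this project's tooling) of a provenance check a reviewer can run over `Requires-Dist` headers like the ones in this package's metadata: it reports whether each dependency is exactly pinned and flags pins to pre-release builds, such as the `.dev` versions of several `swarmauri_*` packages. The sample headers are copied from the metadata above; the regexes are a simplified reading of the requirement and PEP 440 grammars.

```python
import re
from email.parser import HeaderParser

# Headers copied from this package's metadata, used here as sample input.
SAMPLE = """\
Metadata-Version: 2.4
Name: tigrbl_auth
Requires-Dist: bcrypt (==5.0.0)
Requires-Dist: asyncpg (==0.31.0) ; extra == "postgres"
Requires-Dist: swarmauri_crypto_jwe (==0.2.0.dev40)
Requires-Dist: swarmauri_signing_ed25519 (==0.2.0.dev32)
Requires-Dist: tomli (==2.4.0) ; python_version < "3.11"
"""

# Simplified patterns (assumption: enough for "name (==version) ; marker"
# lines, not a full requirement or PEP 440 parser).
REQ = re.compile(r"^\s*([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*\(?([^();]*)\)?\s*(?:;.*)?$")
EXACT = re.compile(r"==\s*([0-9][^\s,*]*)")
PRERELEASE = re.compile(r"\d(?:a|b|rc)\d|\.dev\d", re.I)


def audit(metadata_text):
    """Return (name, pinned_version, verdict) for every Requires-Dist header."""
    findings = []
    headers = HeaderParser().parsestr(metadata_text)
    for raw in headers.get_all("Requires-Dist") or []:
        m = REQ.match(raw)
        if not m:
            findings.append((raw, None, "unparseable"))
            continue
        pin = EXACT.fullmatch(m.group(2).strip())
        if not pin:
            verdict = "not exactly pinned"
        elif PRERELEASE.search(pin.group(1)):
            verdict = "pre-release pin"
        else:
            verdict = "exact release pin"
        findings.append((m.group(1), pin.group(1) if pin else None, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
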

## Known current blockers

- preserved Tier 4 external peer bundles are still absent and `strict_independent_claims_ready` remains `false`
- the package is still **not** truthfully certifiably fully featured or fully RFC/spec compliant because the fail-closed validated execution gates remain red
- validated clean-room runtime matrix evidence is not yet fully preserved as passing
- validated in-scope certification lane evidence is not yet fully preserved as passing
- SQLite and PostgreSQL migration portability has not yet been preserved as passing in the final validated execution report
- Tier 3 evidence has not yet been explicitly rebuilt from validated-run manifests in a fully green final gate set
- the supported interpreter range remains Python `3.10`–`3.12`; this local checkpoint container only provides Python `3.13`, so it cannot truthfully generate the required preserved supported-matrix evidence by itself
- release bundles and attestation verification can be rebuilt from this checkpoint, but the result remains a final-release **candidate**, not a truthful final certification release

## License

Apache-2.0

## Clean-room certification matrix

Use `tox.ini` for the same profile commands locally and in CI.

Examples:

- `tox -e py310-base`
- `tox -e py311-sqlite-uvicorn`
- `tox -e py312-postgres-hypercorn`
- `tox -e py311-tigrcorn`
- `tox -e py312-devtest`
- `tox -e py311-gates`

The Tier 4 peer-execution handoff package for the full supported peer-profile set is emitted under `dist/tier4-external-handoff/`, but preserved independent external bundles are still absent in this checkpoint, so strict independent public claims remain blocked.

