Metadata-Version: 2.4
Name: signet-sign
Version: 0.1.0
Summary: Capability-based safety gates for LLM agents. The model proposes; signet authorizes.
Project-URL: Homepage, https://github.com/jeranaias/signet
Project-URL: Documentation, https://jeranaias.github.io/signet
Project-URL: Repository, https://github.com/jeranaias/signet
Project-URL: Issues, https://github.com/jeranaias/signet/issues
Project-URL: Changelog, https://github.com/jeranaias/signet/blob/main/CHANGELOG.md
Author-email: Jesse Morgan <jeranaias@gmail.com>
License-Expression: Apache-2.0
License-File: LICENSE
License-File: NOTICE
Keywords: agent,anthropic,audit,audit-trail,capability,capability-security,compliance,guardrails,hmac,llm,nist,openai,policy-enforcement,proxy,safety
Classifier: Development Status :: 3 - Alpha
Classifier: Framework :: FastAPI
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Security :: Cryptography
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Monitoring
Classifier: Typing :: Typed
Requires-Python: >=3.11
Requires-Dist: click>=8.1
Requires-Dist: fastapi>=0.110
Requires-Dist: httpx>=0.27
Requires-Dist: pydantic>=2.6
Requires-Dist: pyyaml>=6.0
Requires-Dist: structlog>=24.1
Requires-Dist: uvicorn[standard]>=0.27
Provides-Extra: all
Requires-Dist: anthropic>=0.30; extra == 'all'
Requires-Dist: langchain-core>=0.2; extra == 'all'
Requires-Dist: openai>=1.40; extra == 'all'
Provides-Extra: anthropic
Requires-Dist: anthropic>=0.30; extra == 'anthropic'
Provides-Extra: dev
Requires-Dist: mypy>=1.10; extra == 'dev'
Requires-Dist: pre-commit>=3.7; extra == 'dev'
Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
Requires-Dist: pytest-cov>=4.1; extra == 'dev'
Requires-Dist: pytest-httpx>=0.30; extra == 'dev'
Requires-Dist: pytest>=8.0; extra == 'dev'
Requires-Dist: ruff>=0.5; extra == 'dev'
Requires-Dist: types-pyyaml>=6.0; extra == 'dev'
Provides-Extra: docs
Requires-Dist: mkdocs-material>=9.5; extra == 'docs'
Requires-Dist: mkdocs>=1.6; extra == 'docs'
Requires-Dist: mkdocstrings[python]>=0.25; extra == 'docs'
Provides-Extra: langchain
Requires-Dist: langchain-core>=0.2; extra == 'langchain'
Provides-Extra: openai
Requires-Dist: openai>=1.40; extra == 'openai'
Description-Content-Type: text/markdown

# signet

> Capability-based safety gates for LLM agents. The model proposes; signet authorizes.

**signet** sits between an LLM and any system that can execute its outputs. It is a small set of programmatic checks — owner resolution, classification gating, dual-judge dissent, sandbox preview, HMAC-chained audit — that decide whether the model's proposed action is allowed to actually run.

The model never holds commit authority. This is the same shape as a junior employee who can fill out a purchase order but cannot sign the check.

## Why this exists

LLM agents that "wait for human input" rely on the model itself to comply with the instruction. Sufficiently capable models ignore the instruction whenever their objective gradient outweighs it. No prompt fixes that.

signet takes a different path: separate **deciding what to do** from **being allowed to do it**. The model decides; signet decides whether the decision can fire. The model's compliance is no longer load-bearing for the gate.

## Install

```bash
pip install signet-sign
```

(The PyPI namespace `signet` was claimed by an unrelated abandoned project in 2014; the import name in code is still `import signet`.)

## Quickstart — drop-in OpenAI-compatible proxy

Scaffold a starter project and run the proxy in front of any OpenAI-compatible upstream:

```bash
signet init my-gate/
cd my-gate
signet serve \
    --upstream https://api.openai.com/v1 \
    --config pipeline.py \
    --audit-log audit.jsonl \
    --allow-ephemeral-key
```

(Drop `--allow-ephemeral-key` and set `SIGNET_HMAC_SECRET=$(openssl rand -hex 32)` for production.)

Point your client at `http://localhost:8443/v1` and add an owner header:

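```python
from openai import OpenAI

# Send requests to the local signet proxy instead of the upstream API.
client = OpenAI(
    base_url="http://localhost:8443/v1",
    # Commit owner that signet resolves for every request from this client.
    default_headers={"X-Commit-Owner": "human:alice@example.com"},
)
client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "hello"}],
)
```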

Without `X-Commit-Owner` (or `X-Agent-Id: agent:<id>`, or a configured trusted-network fallback), the proxy returns `403` with a refusal payload and writes an audit row.

## Architecture in one paragraph

A `Pipeline` runs an ordered list of `Check` objects against every request. Each check can `pre_request` (block before forward), `inspect_response_chunk` (abort mid-stream), `inspect_tool_call` (block tool execution), or `post_complete` (audit). All decisions are written to an HMAC-chained, tamper-evident audit log designed to align with NIST 800-53 AU-3 / AU-9 audit-content and integrity requirements (verify against your own auditor — signet does not authenticate the owner identity it records).

See [`docs/architecture.md`](docs/architecture.md) for the full design and [`SECURITY.md`](SECURITY.md) for the threat model and what's explicitly out of scope.

**Endpoint coverage in v0.1.** Only `POST /v1/chat/completions` is gated. Other OpenAI surfaces (`/v1/embeddings`, `/v1/completions`, `/v1/audio/*`, `/v1/images/*`) are not yet proxied. Calls to those endpoints will not reach signet's pipeline and will return 404 from the proxy.

## Built-in checks

| Check | What it does |
|---|---|
| `owner_resolution` | Refuse requests without resolvable commit owner |
| `hmac_audit` | Append every decision to the tamper-evident chain |
| `rate_limit` | Token-bucket per owner |
| `regex_content` | Block / redact patterns in input or output |
| `classification_gate` | 5-level architectural enforcement (UNCLASS → TS/SCI) |
| `prompt_injection` | Pattern + heuristic scan |
| `tool_call_inspector` | Inspect tool calls before forwarding |
| `token_budget` | Per-owner token quotas |
| `loopback_trust` | Auto-resolve owner for trusted internal IPs |

Bring your own via the plugin interface — [`docs/plugin_dev.md`](docs/plugin_dev.md).

## License

Apache-2.0. See [LICENSE](LICENSE).

## Provenance

Built by Jesse Morgan in tandem with Thornveil. Thornveil makes no IP claim on this open-source release; it is contributed under Apache-2.0 for community use. The proprietary Pyros engine and Mycelium proof-of-inference layer remain separate; signet is the publishable subset of the architectural pattern.
