Client SDK for the Airlock Gateway — submit artifacts, poll for decisions, manage pairing and presence.
Project description
airlock-gateway (Python)
An async Python client SDK for the Airlock Integrations Gateway API.
Installation
pip install airlock-gateway
Quick Start
With Bearer Token
import asyncio
from airlock_gateway import (
AirlockGatewayClient,
ArtifactSubmitRequest,
CiphertextRef,
)
async def main():
async with AirlockGatewayClient(
"https://igw.airlocks.io", token="your-token"
) as client:
# Submit an artifact for approval
request_id = await client.submit_artifact(
ArtifactSubmitRequest(
enforcer_id="my-enforcer",
artifact_hash="sha256-hash",
ciphertext=CiphertextRef(
alg="aes-256-gcm",
data="base64-encrypted-content",
nonce="nonce",
tag="tag",
),
metadata={"routingToken": "rt-abc"},
)
)
# Wait for a decision (long-poll)
decision = await client.wait_for_decision(request_id, timeout_seconds=30)
if decision and decision.body and decision.body.is_approved:
print(f"Approved: {decision.body.reason}")
asyncio.run(main())
With Enforcer App Credentials
async with AirlockGatewayClient(
"https://igw.airlocks.io",
client_id="your-client-id",
client_secret="your-client-secret",
) as client:
echo = await client.echo()
Dual Auth (set_bearer_token)
After creating a client with credentials, set a user's Bearer token to enable user-scoped operations:
# After user login (Device Auth Grant or Auth Code + PKCE)
client.set_bearer_token(access_token)
Authentication by Enforcer App Kind
| EnforcerAppKind | OAuth2 Flow | SDK Methods | Reason |
|---|---|---|---|
| Agent | Device Authorization Grant (RFC 8628) | login(on_user_code) |
Headless/CLI — no embedded browser, user opens URL + enters code separately |
| Desktop | Device Authorization Grant (RFC 8628) | login(on_user_code) |
Desktop app — delegates to external browser for user code entry |
| VsCodeExtension | Device Authorization Grant (RFC 8628) | login(on_user_code) |
VS Code extension — no embedded browser, uses device code flow |
| Web | Auth Code + PKCE (RFC 7636) | login_with_auth_code(on_browser_url, port) or get_authorization_url(redirect_uri) + exchange_code(code, redirect_uri, verifier) |
Browser-capable — can handle redirects and local callback |
| Mobile | Auth Code + PKCE (RFC 7636) | get_authorization_url(redirect_uri) + exchange_code(code, redirect_uri, verifier) |
Uses system browser + deep-link callback (manages redirect externally) |
API Reference
| Method | Description |
|---|---|
echo() |
Gateway discovery/health |
submit_artifact(request) |
Submit artifact for approval |
get_exchange_status(request_id) |
Get exchange status |
wait_for_decision(request_id, timeout) |
Long-poll for decision |
withdraw_exchange(request_id) |
Withdraw pending exchange |
initiate_pairing(request) |
Start pairing session |
get_pairing_status(nonce) |
Poll pairing status |
revoke_pairing(routing_token) |
Revoke a pairing |
send_heartbeat(request) |
Presence heartbeat |
get_effective_dnd_policies(enforcer_id, workspace_id, session_id=None) |
Fetch effective DND policies |
check_consent() |
Check app consent status |
Error Handling
All errors raise AirlockGatewayError with helper properties:
from airlock_gateway import AirlockGatewayError
try:
await client.submit_artifact(request)
except AirlockGatewayError as e:
if e.is_quota_exceeded:
print("Quota exceeded")
elif e.is_pairing_revoked:
print("Pairing revoked")
elif e.is_conflict:
print("Idempotency conflict")
else:
print(f"Error {e.status_code}: {e}")
Requirements
- Python 3.9+
- httpx >= 0.25.0
- pydantic >= 2.0.0
Development
pip install -e ".[dev]"
pytest
Test Enforcer CLI
A fully interactive TUI application that demonstrates the complete enforcer lifecycle — setup wizard, Device Auth Grant sign-in, consent check, workspace pairing, background presence heartbeat, artifact submission with decision polling, withdrawal, unpairing, and sign-out.
Prerequisites
- Python 3.9+
- A running Airlock platform (Gateway + Keycloak)
Run
# From the repo root
cd src/python
# Create and activate virtual environment (required once)
python -m venv .venv
.venv\Scripts\Activate.ps1 # Windows PowerShell
# source .venv/bin/activate # macOS / Linux
# Install dependencies (required once)
pip install -r requirements.txt
# Run the test enforcer
python test_enforcer.py
On first run, the setup wizard will prompt for Gateway URL, Client ID, Client Secret, Enforcer ID, and Workspace Name. Configuration is saved to ~/.airlock/test-enforcer-python.json and restored on subsequent runs.
License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file airlock_gateway-2.0.1.tar.gz.
File metadata
- Download URL: airlock_gateway-2.0.1.tar.gz
- Upload date:
- Size: 15.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3498da6239b434dce059602b9769ad522d8de4f8e804a21a949724fed901120b
|
|
| MD5 |
1d4b44f0a4526bff48a7c3cf11160255
|
|
| BLAKE2b-256 |
94ec2157c592526aba2fbb9c13e4bea731d37551da410bf68eb92d2f89072c54
|
File details
Details for the file airlock_gateway-2.0.1-py3-none-any.whl.
File metadata
- Download URL: airlock_gateway-2.0.1-py3-none-any.whl
- Upload date:
- Size: 13.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4b5c774a4fce827ae7e6b9e96872ef8d578dae796e62a4efa8060c259673831f
|
|
| MD5 |
7ffe4d0f2d63e46ccc47eab4f347d011
|
|
| BLAKE2b-256 |
c49473e83b3117ecdf4871810cd784fb272094a3e7e1008de39501f7e9339406
|
