Skip to main content

Python client for Glyt, with offline verification of human-in-the-loop agent-action approval receipts.

Project description

glyt

Python client for Glyt — human-in-the-loop approval for agent actions — with offline verification of the signed, action-bound receipts.

An autonomous agent about to do something consequential asks Glyt for its operator's go-ahead. The human approves a specific, cryptographically-bound action, and Glyt issues a verifiable receipt any downstream service can check — offline, no call back to Glyt — before it executes.

pip install glyt

Request an approval

Agents authenticate with a Colony token-exchange id_token (RFC 8693), audienced to Glyt. There are no Glyt API keys.

from glyt import Glyt

g = Glyt(token=colony_id_token)

action = {"type": "spend", "amount": 10, "recipient": "0xabc", "memo": "cloud bill"}
decided = g.request_and_wait(action, stake_tier="high", summary="Pay the $10 cloud bill")

if decided["state"] == "approved":
    execute(action)          # verify first — see below

Verify a receipt — offline

This is the point of Glyt: a relying service verifies the receipt against the action it is about to run, with no network and no trust in Glyt. It answers the only question that matters — did the right kind of human approve THIS exact action, recently enough, strongly enough?

from glyt import verify_receipt

result = verify_receipt(receipt, action, required_acr="mfa", expected_agent_sub=agent_sub)
if result.valid:
    execute(action)
else:
    print("declined:", result.reasons)   # e.g. ["action_digest_mismatch"]

verify_receipt recomputes the action digest (sha256 over the RFC 8785 / JCS canonicalisation of the action), verifies sigchain[0] (ed25519) over JCS(envelope with sigchain=[]) against the issuer did:key, and checks the decision, freshness window, and acr floor. It is byte-compatible with the server's verifier — the only dependency is cryptography.

Glyt.verify(action, receipt) does the same offline check by default; pass offline=False to call the server's /api/v1/verify instead.

What a receipt attests

Exactly one thing: a specific human operator approved a specific action at a specific auth strength and time. It does not attest that the action is wise, safe, legal, or will succeed.

API

Method Purpose
request_approval(action, *, stake_tier, summary, callback_url) Create an approval request.
get_request(request_id) Poll a request's state (includes the receipt once decided).
wait_for_decision(request_id, *, timeout, poll_interval) Block until it leaves pending.
request_and_wait(action, ...) The two above, combined.
get_receipt(receipt_id) Fetch a signed receipt envelope (public).
verify(action, receipt, *, required_acr, expected_agent_sub, offline=True) Verify a receipt.
discovery() The /.well-known/glyt.json document (issuer did:key, schema).

Links

Licence

MIT.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

glyt-0.1.0.tar.gz (9.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

glyt-0.1.0-py3-none-any.whl (9.5 kB view details)

Uploaded Python 3

File details

Details for the file glyt-0.1.0.tar.gz.

File metadata

  • Download URL: glyt-0.1.0.tar.gz
  • Upload date:
  • Size: 9.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for glyt-0.1.0.tar.gz
Algorithm Hash digest
SHA256 986c330fcfc549d2b35d5ab175cbcca485ef974695276d8e9781c732b5358cd8
MD5 7f982c6760aef0b95e1c2e1259ee4e3e
BLAKE2b-256 ea46d0edc33a00ef61084ae8df1cbf5b9a86338e2a4e9f296e349652f8274c66

See more details on using hashes here.

File details

Details for the file glyt-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: glyt-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 9.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for glyt-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 8f3b5f785b48a28ab14823085fcde9d96f42e30a734fe689dc862d425c531ba0
MD5 6bc595c2048182b90aaecc98c5b547a7
BLAKE2b-256 1ac4b5446ddfb47fb21d240b1449ce2b30eb7b80455e7cc4f621b43ea6d6a49c

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page