Skip to main content

TapPass SDK — Zero Trust AI Agent Platform. Cryptographic capability tokens, governance pipeline, agent trust scoring.

Project description

tappass — Zero Trust Control Plane for Agentic AI (Python SDK)

Runtime governance for your LLM, agent, and tool calls. Embed in your code, get a typed audit trail, surface governance decisions as Python exceptions.

What this SDK is for:

  • Governing LLM calls, agent runs, and tool executions at runtime.
  • Emitting structured audit events with correlation IDs.
  • Handling governance decisions (block, redact, approve, trust-tier, break-glass) as typed exceptions in your code.

What this SDK is NOT for:

  • Policy CRUD, compliance report generation, Verified credential issuance, retention config, break-glass invocation, tool-integrity approval. Those live in the TapPass dashboard — not in your agent code.

Requirements

  • Python ≥ 3.11.
  • tappass server ≥ 0.6.0. (The SDK rejects older servers at construction time.)

Install

pip install tappass

Quickstart — a governed chat call

from tappass import Agent

agent = Agent("https://tappass.example.com", api_key="tp_...")
r = agent.chat("Summarize Q4 revenue")
print(r.content)
print(r.session_id, r.audit_url)   # correlation IDs, deep link to dashboard

Quickstart — govern a CrewAI run

from crewai import Agent, Task, Crew
from tappass.integrations.crewai import guard_crew

crew = Crew(agents=[...], tasks=[...])

with guard_crew(crew, tappass_url="https://tappass.example.com", api_key="tp_...") as session:
    result = session.kickoff()
    print(session.id, session.audit_url)

Telemetry kill-switch

The SDK delivers audit events to your TapPass server asynchronously via a background reporter. To disable that delivery entirely, set either of:

export TAPPASS_DISABLE_TELEMETRY=1
export DO_NOT_TRACK=1     # community convention — consoledonottrack.com

This only suppresses audit-event delivery. It does not disable governance — govern() calls still run, decisions are still enforced, blocks still raise GovernanceBlocked. The distinction is deliberate: governance is the product you're paying for; telemetry is observability of your own usage.

Decisions are typed exceptions

from tappass import GovernanceDecision, PolicyBlockError, ApprovalRequired

try:
    r = agent.chat("Show me all customer SSNs")
except PolicyBlockError as e:
    print(f"Blocked by {e.blocked_by}: {e.reason}. See {e.audit_url}")
except ApprovalRequired as e:
    print(f"Awaiting approval: {e.approval_url}")
except GovernanceDecision as e:
    print(f"Governance decision: {e}")

What's new in 0.6

See CHANGELOG.md. Breaking changes — no back-compat with 0.5.x. See the migration guide.

Publishing a release

Releases ship to PyPI via GitHub Actions using OIDC Trusted Publishing — no long-lived API token is stored anywhere. The workflow is .github/workflows/release.yml.

One-time PyPI configuration

Only needed once per project (or whenever the workflow name / environment changes):

  1. Log in to https://pypi.org/manage/account/publishing/.
  2. Under Add a new pending publisher (if the project isn't on PyPI yet) or the existing project's Publishing tab, add a GitHub publisher with:
    • PyPI Project Name: tappass
    • Owner: tappass
    • Repository name: tappass-sdk
    • Workflow name: release.yml
    • Environment name: pypi
  3. In the GitHub repo, go to Settings → Environments and create an environment named pypi. Optionally add a required-reviewers protection rule so a human approves each release.

That's it — no secrets, no tokens.

Cutting a release

  1. Bump version in pyproject.toml (and __version__ in tappass/__init__.py).
  2. Update CHANGELOG.md: flip ## [X.Y.Z] — Unreleased to ## [X.Y.Z] — YYYY-MM-DD.
  3. Commit: git commit -am "release: X.Y.Z".
  4. Tag and push:
    git tag vX.Y.Z
    git push origin main --tags
    

The workflow then:

  1. Verifies the tag matches pyproject.toml version (fails the release if not).
  2. Builds wheel + sdist.
  3. Runs twine check.
  4. Publishes to PyPI via OIDC.
  5. Creates a GitHub Release with the wheel + sdist attached and auto-generated notes.

Dry run

To build the artifacts without publishing, use Actions → Release to PyPI → Run workflow with dry_run checked. The publish and github_release jobs are skipped; the build job's artifacts are retained for inspection.

License

Apache-2.0. See LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tappass-0.10.1.tar.gz (110.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tappass-0.10.1-py3-none-any.whl (134.8 kB view details)

Uploaded Python 3

File details

Details for the file tappass-0.10.1.tar.gz.

File metadata

  • Download URL: tappass-0.10.1.tar.gz
  • Upload date:
  • Size: 110.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for tappass-0.10.1.tar.gz
Algorithm Hash digest
SHA256 bc161eed2abb5aafe8728ab8b1f9b314d57171017d5946dfed2c2c462851e4c3
MD5 3008571a7724111bd73cd4ef612830b3
BLAKE2b-256 f3441c381f2cffbf1aa90bd4e45d9dab819810a3bde822e4939482ca47647475

See more details on using hashes here.

Provenance

The following attestation bundles were made for tappass-0.10.1.tar.gz:

Publisher: release.yml on tappass/tappass-sdk

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file tappass-0.10.1-py3-none-any.whl.

File metadata

  • Download URL: tappass-0.10.1-py3-none-any.whl
  • Upload date:
  • Size: 134.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for tappass-0.10.1-py3-none-any.whl
Algorithm Hash digest
SHA256 94627d8f01d873e0faa14f74b20de7ee679b953f79e4c46f2f813b7d9e446d24
MD5 4ba91bc33cfdcebce2fdf747da8636e6
BLAKE2b-256 36998b2c2af33398a327a9630964268db6e5a40071ddf516718d61eefc0e1f9e

See more details on using hashes here.

Provenance

The following attestation bundles were made for tappass-0.10.1-py3-none-any.whl:

Publisher: release.yml on tappass/tappass-sdk

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page