TapPass SDK — Zero Trust AI Agent Platform. Cryptographic capability tokens, governance pipeline, agent trust scoring.
Project description
tappass — Zero Trust Control Plane for Agentic AI (Python SDK)
Runtime governance for your LLM, agent, and tool calls. Embed in your code, get a typed audit trail, surface governance decisions as Python exceptions.
What this SDK is for:
- Governing LLM calls, agent runs, and tool executions at runtime.
- Emitting structured audit events with correlation IDs.
- Handling governance decisions (block, redact, approve, trust-tier, break-glass) as typed exceptions in your code.
What this SDK is NOT for:
- Policy CRUD, compliance report generation, Verified credential issuance, retention config, break-glass invocation, tool-integrity approval. Those live in the TapPass dashboard — not in your agent code.
Requirements
- Python ≥ 3.11.
tappassserver ≥ 0.6.0. (The SDK rejects older servers at construction time.)
Install
pip install tappass
Quickstart — a governed chat call
from tappass import Agent
agent = Agent("https://tappass.example.com", api_key="tp_...")
r = agent.chat("Summarize Q4 revenue")
print(r.content)
print(r.session_id, r.audit_url) # correlation IDs, deep link to dashboard
Quickstart — govern a CrewAI run
from crewai import Agent, Task, Crew
from tappass.integrations.crewai import guard_crew
crew = Crew(agents=[...], tasks=[...])
with guard_crew(crew, tappass_url="https://tappass.example.com", api_key="tp_...") as session:
result = session.kickoff()
print(session.id, session.audit_url)
Decisions are typed exceptions
from tappass import GovernanceDecision, PolicyBlockError, ApprovalRequired
try:
r = agent.chat("Show me all customer SSNs")
except PolicyBlockError as e:
print(f"Blocked by {e.blocked_by}: {e.reason}. See {e.audit_url}")
except ApprovalRequired as e:
print(f"Awaiting approval: {e.approval_url}")
except GovernanceDecision as e:
print(f"Governance decision: {e}")
What's new in 0.6
See CHANGELOG.md. Breaking changes — no back-compat with 0.5.x. See the migration guide.
Publishing a release
Releases ship to PyPI via GitHub Actions using OIDC Trusted Publishing — no long-lived API token is stored anywhere. The workflow is .github/workflows/release.yml.
One-time PyPI configuration
Only needed once per project (or whenever the workflow name / environment changes):
- Log in to https://pypi.org/manage/account/publishing/.
- Under Add a new pending publisher (if the project isn't on PyPI yet) or the existing project's Publishing tab, add a GitHub publisher with:
- PyPI Project Name:
tappass - Owner:
tappass - Repository name:
tappass-sdk - Workflow name:
release.yml - Environment name:
pypi
- PyPI Project Name:
- In the GitHub repo, go to Settings → Environments and create an environment named
pypi. Optionally add a required-reviewers protection rule so a human approves each release.
That's it — no secrets, no tokens.
Cutting a release
- Bump
versioninpyproject.toml(and__version__intappass/__init__.py). - Update
CHANGELOG.md: flip## [X.Y.Z] — Unreleasedto## [X.Y.Z] — YYYY-MM-DD. - Commit:
git commit -am "release: X.Y.Z". - Tag and push:
git tag vX.Y.Z git push origin main --tags
The workflow then:
- Verifies the tag matches
pyproject.tomlversion (fails the release if not). - Builds wheel + sdist.
- Runs
twine check. - Publishes to PyPI via OIDC.
- Creates a GitHub Release with the wheel + sdist attached and auto-generated notes.
Dry run
To build the artifacts without publishing, use Actions → Release to PyPI → Run workflow with dry_run checked. The publish and github_release jobs are skipped; the build job's artifacts are retained for inspection.
License
Apache-2.0. See LICENSE.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tappass-0.9.0.tar.gz.
File metadata
- Download URL: tappass-0.9.0.tar.gz
- Upload date:
- Size: 108.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2f047588c5440719f6309d09c29ddc67c95cd2bd8b40d5e330917660a822d9bf
|
|
| MD5 |
2b20ab39bbdcbc999d75347e84d8cb3c
|
|
| BLAKE2b-256 |
31a385088b9b8fcd83160211422c360da1897bc72d8737c1253bd774ca202c76
|
Provenance
The following attestation bundles were made for tappass-0.9.0.tar.gz:
Publisher:
release.yml on tappass/tappass-sdk
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
tappass-0.9.0.tar.gz -
Subject digest:
2f047588c5440719f6309d09c29ddc67c95cd2bd8b40d5e330917660a822d9bf - Sigstore transparency entry: 1672177985
- Sigstore integration time:
-
Permalink:
tappass/tappass-sdk@84a478ae9fafadb0de77242b2c32a415e82c4581 -
Branch / Tag:
refs/tags/v0.9.0 - Owner: https://github.com/tappass
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@84a478ae9fafadb0de77242b2c32a415e82c4581 -
Trigger Event:
push
-
Statement type:
File details
Details for the file tappass-0.9.0-py3-none-any.whl.
File metadata
- Download URL: tappass-0.9.0-py3-none-any.whl
- Upload date:
- Size: 132.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f2a5910f666875665f6f89cd24797667eae1780cbd53ebb68a907c7d402299ec
|
|
| MD5 |
9c2cdd16808361ca73954e0781ce8da3
|
|
| BLAKE2b-256 |
1775eb3af56d9e97db58d0695b57b18cd9713983f9ffe71bb5578a4313642ae3
|
Provenance
The following attestation bundles were made for tappass-0.9.0-py3-none-any.whl:
Publisher:
release.yml on tappass/tappass-sdk
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
tappass-0.9.0-py3-none-any.whl -
Subject digest:
f2a5910f666875665f6f89cd24797667eae1780cbd53ebb68a907c7d402299ec - Sigstore transparency entry: 1672178022
- Sigstore integration time:
-
Permalink:
tappass/tappass-sdk@84a478ae9fafadb0de77242b2c32a415e82c4581 -
Branch / Tag:
refs/tags/v0.9.0 - Owner: https://github.com/tappass
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@84a478ae9fafadb0de77242b2c32a415e82c4581 -
Trigger Event:
push
-
Statement type: