Sovereign external API proxy with TIBET provenance — egress control, intent verification, host allowlist
Project description
tibet-gateway
Alpha -- API may change between versions.
Sovereign external API proxy with TIBET provenance. Routes all AI agent egress traffic through a single gateway with host allowlist, intent verification (SNAFT), and provenance sealing.
Install
pip install tibet-gateway
Quick start
1. Configure allowed hosts (safe default: block all)
export TIBET_GATEWAY_ALLOWED_HOSTS=api.openai.com,api.anthropic.com
export TIBET_GATEWAY_EVENT_LOG=/var/log/tibet/gateway.jsonl
2. Start the gateway
tibet-gateway serve --port 8080
3. Proxy a call
curl -X POST http://localhost:8080/proxy \
-H "Content-Type: application/json" \
-d '{
"agent_id": "my-bot.aint",
"intent": "summarize_text",
"target_url": "https://api.openai.com/v1/chat/completions",
"method": "POST",
"payload": {"model": "gpt-4", "messages": [{"role": "user", "content": "Hello"}]}
}'
The response includes the original API response plus a TIBET seal with full provenance.
4. Check stats
tibet-gateway stats
tibet-gateway events --limit 10
What happens on each call
- Host check -- target domain must be in
TIBET_GATEWAY_ALLOWED_HOSTS - TIBET envelope -- mint provenance token (actor, intent, timestamp)
- SNAFT check -- verify payload matches declared intent
- Identity headers -- attach AINS identity and TBZ signature
- Proxy -- forward to external API
- Seal -- wrap response with TIBET seal and log stats
Configuration
| Environment variable | Description | Default |
|---|---|---|
TIBET_GATEWAY_ALLOWED_HOSTS |
Comma-separated list of allowed domains | empty (block all) |
TIBET_GATEWAY_EVENT_LOG |
JSONL event log path for live gateway telemetry | /var/log/tibet/gateway.jsonl |
Structured Event Log
Besides TIBET token chains, tibet-gateway can emit a JSONL event lane for
operational governance and AI-SBOM ingestion.
Each event records:
- actor / agent identity
- provider
- model
- target URL
- route class
- TIBET envelope / seal references
- status and latency
This is the live Tier B source that tibet-ai-sbom can ingest as
observation_layer = tibet-gateway.
Part of the TIBET ecosystem
- tibet -- core provenance tokens
- tibet-airlock -- sandbox execution
- tibet-mux -- channel multiplexing
Authors: Jasper van de Meent, Gemini & Root AI (Humotica AI fAmIly) License: MIT
Enterprise
For private hub hosting, SLA support, custom integrations, or compliance guidance:
| Enterprise | enterprise@humotica.com |
| Support | support@humotica.com |
| Security | security@humotica.com |
See ENTERPRISE.md for details.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tibet_gateway-0.4.0.tar.gz.
File metadata
- Download URL: tibet_gateway-0.4.0.tar.gz
- Upload date:
- Size: 18.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1c320af24435a5f80f9dfea12ff2c3893d0e66029284691bc63b1c4cd77d11f7
|
|
| MD5 |
e7d60468c23cc1d29dc4f0cdc671f8a3
|
|
| BLAKE2b-256 |
fb919856f7827e9b8bfa396b1284e2a4e4a695733ab4079874f6f9f6e584c50b
|
File details
Details for the file tibet_gateway-0.4.0-py3-none-any.whl.
File metadata
- Download URL: tibet_gateway-0.4.0-py3-none-any.whl
- Upload date:
- Size: 11.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b7604e2a39c4a4dd44829a8b7e271dc8eeb283a211fc393b7df3b1ba50bc5b9c
|
|
| MD5 |
3e6f8ea16ef8171a71eec5ff017238c8
|
|
| BLAKE2b-256 |
5b221b5de6331e492ce5c99f0858bcbd451623e93f6528a5b91e516a517594c3
|
