SPIFFE/SPIRE bridge with TIBET provenance — your server thinks it's talking to SPIRE, but gets auditable trust

tibet-spiffe

Part of the TIBET protocol suite by Humotica AI Lab.

The Problem

SPIFFE/SPIRE tells you WHO a workload is. But not WHAT it did, or WHY.

When relay station 3 gets compromised, SPIRE says "yes, this is relay-3." But it can't tell you that relay-3 modified a drone command, changed a payment amount, or poisoned an AI pipeline.

The Solution

tibet-spiffe bridges SPIFFE identities with TIBET provenance:

SPIFFE/SPIRE               | tibet-spiffe adds
Workload identity (SVID)   | + TIBET provenance chain
Node attestation           | + Full audit trail
SVID rotation              | + Rotation history with intent
Federation                 | + Cross-domain trust scoring
Trust domain               | + FIR/A behavioral trust

Your existing infrastructure sees standard SPIFFE IDs. TIBET adds the provenance layer underneath.

Install

pip install tibet-spiffe

Quick Start

from tibet_spiffe import AttestationEngine

engine = AttestationEngine(trust_domain="humotica.com")

# Node attestation (like SPIRE node-attestor)
node = engine.attest_node("relay-3", trust_score=0.8)
print(node.svid.spiffe_id)  # spiffe://humotica.com/node/relay-3

# Workload attestation (like SPIRE workload-attestor)
api = engine.attest_workload("api-server", node_svid=node.svid)
print(api.svid.spiffe_id)   # spiffe://humotica.com/workload/api-server
print(api.svid.jis_did)     # jis:api-server

# Identity bridge (SPIFFE ↔ JIS)
did = engine.bridge.spiffe_to_did(api.svid.spiffe_id)
spiffe = engine.bridge.did_to_spiffe(did)

# Full audit trail
for token in engine.audit_trail():
    print(f"[{token['action']}] {token['erachter']['intent']}")

CLI

# Interactive demo
tibet-spiffe demo

# Attest a node
tibet-spiffe attest-node relay-3 -d humotica.com -t 0.8

# Attest a workload
tibet-spiffe attest-workload api-server -d humotica.com -j

Architecture

┌─────────────────────────────────────────────────┐
│  Your Infrastructure                            │
│  (sees standard SPIFFE IDs)                     │
│                                                 │
│  spiffe://humotica.com/workload/api-server      │
│  spiffe://humotica.com/node/relay-3             │
│                                                 │
├─────────────────────────────────────────────────┤
│  tibet-spiffe bridge                            │
│                                                 │
│  SPIFFE ID ←→ JIS DID (bidirectional)           │
│  SVID issuance = TIBET token                    │
│  SVID rotation = TIBET provenance chain         │
│  Attestation = TIBET-audited                    │
│  Federation = trust-scored                      │
│                                                 │
├─────────────────────────────────────────────────┤
│  TIBET Layer                                    │
│  • ERIN: what was attested                      │
│  • ERAAN: what it depends on                    │
│  • EROMHEEN: where it happened                  │
│  • ERACHTER: why it was needed                  │
└─────────────────────────────────────────────────┘
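
To make the "provenance chain" layer in the diagram concrete, here is an added example (not tibet-spiffe's own code or token format): a hash-linked list of tokens carrying the four TIBET fields, with a verifier that reports the first altered or missing entry. The `prev` and `hash` fields, the lowercase key names other than `action` and `erachter`, the action strings and the helper names are assumptions made for this illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first token

def _digest(body):
    # Canonical JSON so identical content always produces the same hash.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def append_token(chain, action, erin, eraan, eromheen, intent):
    """Append a token whose hash covers its fields and the previous hash."""
    body = {
        "action": action,
        "erin": erin,                      # what was attested
        "eraan": eraan,                    # what it depends on
        "eromheen": eromheen,              # where it happened
        "erachter": {"intent": intent},    # why it was needed
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    chain.append({**body, "hash": _digest(body)})

def verify_chain(chain):
    """Return the index of the first token that fails, or None if intact."""
    prev = GENESIS
    for i, token in enumerate(chain):
        body = {k: v for k, v in token.items() if k != "hash"}
        if token["prev"] != prev or _digest(body) != token["hash"]:
            return i
        prev = token["hash"]
    return None

def build_sample_chain():
    """Constructed sample data using the SPIFFE IDs shown on this page."""
    node = "spiffe://humotica.com/node/relay-3"
    api = "spiffe://humotica.com/workload/api-server"
    chain = []
    append_token(chain, "attest_node", node, [], "humotica.com", "node joins")
    append_token(chain, "attest_workload", api, [node], "relay-3", "start API")
    append_token(chain, "rotate_svid", api, [api], "relay-3", "scheduled rotation")
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    chain[1]["erachter"]["intent"] = "edited later"  # simulate a rewritten entry
    print("first bad token:", verify_chain(chain))
```

An unkeyed hash chain like this only exposes edits if the latest hash is also recorded somewhere the log's writer cannot change; anyone able to rewrite the whole log can recompute every hash.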

Integration with tibet-workload

from tibet_spiffe import AttestationEngine
from tibet_workload import WorkloadEngine

spiffe = AttestationEngine(trust_domain="humotica.com")
workload = WorkloadEngine()
workload.connect_spiffe(spiffe)  # Link workload steps to SPIFFE SVIDs

IETF Drafts

License

MIT — Humotica AI Lab 2025-2026

File details

Details for the file tibet_spiffe-0.1.0.tar.gz.

File metadata

  • Download URL: tibet_spiffe-0.1.0.tar.gz
  • Upload date:
  • Size: 10.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for tibet_spiffe-0.1.0.tar.gz
Algorithm Hash digest
SHA256 e96533d6a9cb1029c6b5612ddc70758ee81a8ecf8ddd156b8b77259cc47fb955
MD5 cd1294df650163a5cdbb93c198e10425
BLAKE2b-256 13735677818d9b4ca5f937cb72c1ad03ec15105894094c4ba2f041bcb79e3503

File details

Details for the file tibet_spiffe-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: tibet_spiffe-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 12.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for tibet_spiffe-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 7186cc5a101c2f60f0ee610994f7c6bae75305e377090201699807c0e6100ec8
MD5 d7b9fe5eac55612b489e4e90014adb77
BLAKE2b-256 a66e8bfde175cff16c13fd7ad6d6145ed14f930445b6444c1ac6ed8ad60c291d
