Skip to main content

SPIFFE/SPIRE bridge with TIBET provenance — your server thinks it's talking to SPIRE, but gets auditable trust

Project description

tibet-spiffe

SPIFFE/SPIRE Bridge with TIBET Provenance — your server thinks it's talking to SPIRE, but gets auditable trust.

Part of the TIBET protocol suite by Humotica AI Lab.

The Problem

SPIFFE/SPIRE tells you WHO a workload is. But not WHAT it did, or WHY.

When relay station 3 gets compromised, SPIRE says "yes, this is relay-3." But it can't tell you that relay-3 modified a drone command, changed a payment amount, or poisoned an AI pipeline.

The Solution

tibet-spiffe bridges SPIFFE identities with TIBET provenance:

SPIFFE/SPIRE tibet-spiffe adds
Workload identity (SVID) + TIBET provenance chain
Node attestation + Full audit trail
SVID rotation + Rotation history with intent
Federation + Cross-domain trust scoring
Trust domain + FIR/A behavioral trust

Your existing infrastructure sees standard SPIFFE IDs. TIBET adds the provenance layer underneath.

Install

pip install tibet-spiffe

Quick Start

from tibet_spiffe import AttestationEngine

engine = AttestationEngine(trust_domain="humotica.com")

# Node attestation (like SPIRE node-attestor)
node = engine.attest_node("relay-3", trust_score=0.8)
print(node.svid.spiffe_id)  # spiffe://humotica.com/node/relay-3

# Workload attestation (like SPIRE workload-attestor)
api = engine.attest_workload("api-server", node_svid=node.svid)
print(api.svid.spiffe_id)   # spiffe://humotica.com/workload/api-server
print(api.svid.jis_did)     # jis:api-server

# Identity bridge (SPIFFE ↔ JIS)
did = engine.bridge.spiffe_to_did(api.svid.spiffe_id)
spiffe = engine.bridge.did_to_spiffe(did)

# Full audit trail
for token in engine.audit_trail():
    print(f"[{token['action']}] {token['erachter']['intent']}")

CLI

# Interactive demo
tibet-spiffe demo

# Attest a node
tibet-spiffe attest-node relay-3 -d humotica.com -t 0.8

# Attest a workload
tibet-spiffe attest-workload api-server -d humotica.com -j

Architecture

┌─────────────────────────────────────────────────┐
│  Your Infrastructure                            │
│  (sees standard SPIFFE IDs)                     │
│                                                 │
│  spiffe://humotica.com/workload/api-server      │
│  spiffe://humotica.com/node/relay-3             │
│                                                 │
├─────────────────────────────────────────────────┤
│  tibet-spiffe bridge                            │
│                                                 │
│  SPIFFE ID ←→ JIS DID (bidirectional)           │
│  SVID issuance = TIBET token                    │
│  SVID rotation = TIBET provenance chain         │
│  Attestation = TIBET-audited                    │
│  Federation = trust-scored                      │
│                                                 │
├─────────────────────────────────────────────────┤
│  TIBET Layer                                    │
│  • ERIN: what was attested                      │
│  • ERAAN: what it depends on                    │
│  • EROMHEEN: where it happened                  │
│  • ERACHTER: why it was needed                  │
└─────────────────────────────────────────────────┘

Integration with tibet-workload

from tibet_spiffe import AttestationEngine
from tibet_workload import WorkloadEngine

spiffe = AttestationEngine(trust_domain="humotica.com")
workload = WorkloadEngine()
workload.connect_spiffe(spiffe)  # Link workload steps to SPIFFE SVIDs

IETF Drafts

License

MIT — Humotica AI Lab 2025-2026

Credits

Designed by Jasper van de Meent. Built by Jasper and Root AI as part of HumoticaOS.


Stack-positie: Groep substrate · Bootstrap = OSAPI-handshake naar tibet + jis (fail → snaft-rule + tibet-pol-rapport) · ← jis-core · tibet-workload → · See STACK.md · See demo/golden-path/ for the spine end-to-end.

Enterprise

For private hub hosting, SLA support, custom integrations, or compliance guidance:

Enterprise enterprise@humotica.com
Support support@humotica.com
Security security@humotica.com

See ENTERPRISE.md for details.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tibet_spiffe-0.1.1.tar.gz (12.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tibet_spiffe-0.1.1-py3-none-any.whl (13.2 kB view details)

Uploaded Python 3

File details

Details for the file tibet_spiffe-0.1.1.tar.gz.

File metadata

  • Download URL: tibet_spiffe-0.1.1.tar.gz
  • Upload date:
  • Size: 12.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for tibet_spiffe-0.1.1.tar.gz
Algorithm Hash digest
SHA256 8be95c7ba77208c0634a7cbfa71bffa99021113d399df5f8c716859e2b4b852b
MD5 1144f660ab361c7e4531f9cd0507e953
BLAKE2b-256 4aa42db0696bc6a03b1e1add5fcd072a356db79842857084bef281d8a0f3f11e

See more details on using hashes here.

File details

Details for the file tibet_spiffe-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: tibet_spiffe-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 13.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for tibet_spiffe-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 3fe65afeb9f351f1560721615782fc3bc9e73bbf69a29d47aa0d16981a988e53
MD5 324ec47f304d775a1a986d7416a72412
BLAKE2b-256 0deaea45c427da5cc024b4ea20b8037859c52b146c22da7ff7f0b3c098e23271

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page