Shared foundation library for TLS-based protocol implementations
Project description
Tlacacoca - Shared Foundation Library for TLS-Based Protocols
A protocol-agnostic foundation library providing shared components for building secure TLS-based network protocol implementations in Python. Tlacacoca (pronounced "tla-ka-KO-ka", from Nahuatl meaning "secure/safe") provides security, middleware, and logging utilities that can be shared across multiple protocol implementations.
Key Features
- Security First - TLS context creation, TOFU certificate validation, certificate utilities
- Middleware System - Rate limiting, IP access control, certificate authentication
- Structured Logging - Privacy-preserving logging with IP hashing
- Protocol Agnostic - Abstract interfaces that any TLS-based protocol can build upon
- Modern Python - Full type hints, async/await support, and modern tooling with
uv
Quick Start
Installation
# As a library
uv add tlacacoca
# From source (for development)
git clone https://github.com/alanbato/tlacacoca.git
cd tlacacoca && uv sync
Basic Usage
import ssl
from tlacacoca import (
create_client_context,
create_server_context,
TOFUDatabase,
RateLimiter,
RateLimitConfig,
AccessControl,
AccessControlConfig,
MiddlewareChain,
)
# Create TLS contexts
client_ctx = create_client_context(verify_mode=ssl.CERT_REQUIRED)
server_ctx = create_server_context("cert.pem", "key.pem")
# Set up TOFU certificate validation
async with TOFUDatabase(app_name="myapp") as tofu:
# First connection - certificate is stored
await tofu.verify_or_trust("example.com", 1965, cert_fingerprint)
# Subsequent connections - certificate is verified
await tofu.verify_or_trust("example.com", 1965, cert_fingerprint)
# Configure middleware chain
rate_config = RateLimitConfig(capacity=10, refill_rate=1.0)
access_config = AccessControlConfig(
allow_list=["192.168.1.0/24"],
default_allow=False
)
chain = MiddlewareChain([
AccessControl(access_config),
RateLimiter(rate_config),
])
# Process requests through middleware
result = await chain.process_request(
request_url="protocol://example.com/path",
client_ip="192.168.1.100"
)
if result.allowed:
# Handle request
pass
else:
# Map denial_reason to protocol-specific response
if result.denial_reason == "rate_limit":
# e.g., Gemini: "44 SLOW DOWN\r\n"
pass
Components
Security
| Component | Description |
|---|---|
create_client_context() |
Create TLS context for client connections |
create_server_context() |
Create TLS context for server connections |
TOFUDatabase |
Trust-On-First-Use certificate validation |
generate_self_signed_cert() |
Generate self-signed certificates |
get_certificate_fingerprint() |
Get SHA-256 fingerprint of certificate |
load_certificate() |
Load certificate from PEM file |
Middleware
| Component | Description |
|---|---|
MiddlewareChain |
Chain multiple middleware components |
RateLimiter |
Token bucket rate limiting per IP |
AccessControl |
IP-based allow/deny lists with CIDR support |
CertificateAuth |
Client certificate authentication |
Logging
| Component | Description |
|---|---|
configure_logging() |
Configure structured logging |
get_logger() |
Get a logger instance |
hash_ip_processor() |
Privacy-preserving IP hashing |
Protocol Implementations Using Tlacacoca
Tlacacoca is designed to be used by protocol-specific implementations:
- nauyaca - Gemini protocol server & client
- amatl - Scroll protocol implementation (planned)
Documentation
Middleware Return Types
Middleware components return MiddlewareResult with protocol-agnostic denial reasons:
from tlacacoca import MiddlewareResult, DenialReason
# Allowed request
result = MiddlewareResult(allowed=True)
# Denied request
result = MiddlewareResult(
allowed=False,
denial_reason=DenialReason.RATE_LIMIT,
retry_after=30
)
Protocol implementations map these to their specific status codes:
| Denial Reason | Gemini Status | Description |
|---|---|---|
RATE_LIMIT |
44 SLOW DOWN | Rate limit exceeded |
ACCESS_DENIED |
53 PROXY REFUSED | IP not allowed |
CERT_REQUIRED |
60 CLIENT CERT REQUIRED | Need client certificate |
CERT_NOT_AUTHORIZED |
61 CERT NOT AUTHORIZED | Certificate not in allowed list |
Contributing
# Setup
git clone https://github.com/alanbato/tlacacoca.git
cd tlacacoca && uv sync
# Test
uv run pytest
# Lint & Type Check
uv run ruff check src/ tests/
uv run ty check src/
See CONTRIBUTING.md for guidelines.
License
MIT License - see LICENSE for details.
Resources
- SECURITY.md - Security documentation
- GitHub Issues - Bug reports
- GitHub Discussions - Questions and ideas
Status: Active development (pre-1.0). Core security and middleware features are stable.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
tlacacoca-0.1.3.tar.gz
(17.0 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
tlacacoca-0.1.3-py3-none-any.whl
(23.1 kB
view details)
File details
Details for the file tlacacoca-0.1.3.tar.gz.
File metadata
- Download URL: tlacacoca-0.1.3.tar.gz
- Upload date:
- Size: 17.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
eccff3311090349970f28465224f8f632ecab8757d1dd3e3be7ec4436d5c6fae
|
|
| MD5 |
fee17515b052ebeac88a2db4215d3350
|
|
| BLAKE2b-256 |
385660545de7ff181070bcf0ddc822a88a96b8a975417173be99edc121ea4a4a
|
Provenance
The following attestation bundles were made for tlacacoca-0.1.3.tar.gz:
Publisher:
release-pypi.yml on alanbato/tlacacoca
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
tlacacoca-0.1.3.tar.gz -
Subject digest:
eccff3311090349970f28465224f8f632ecab8757d1dd3e3be7ec4436d5c6fae - Sigstore transparency entry: 811870599
- Sigstore integration time:
-
Permalink:
alanbato/tlacacoca@70dd78d674d3f9a9402047ea13220d38a51b93de -
Branch / Tag:
refs/tags/v0.1.3 - Owner: https://github.com/alanbato
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release-pypi.yml@70dd78d674d3f9a9402047ea13220d38a51b93de -
Trigger Event:
push
-
Statement type:
File details
Details for the file tlacacoca-0.1.3-py3-none-any.whl.
File metadata
- Download URL: tlacacoca-0.1.3-py3-none-any.whl
- Upload date:
- Size: 23.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
620f16a681f00f94685fcc5bedbe066cff0db5f40467c7103732a967f2f45c18
|
|
| MD5 |
f96ceefab8ff92592530c692fda29ad1
|
|
| BLAKE2b-256 |
0c802f8bf7261aa5d395f8204e8caf92c00fcbc49591e3d615c20f2429e13219
|
Provenance
The following attestation bundles were made for tlacacoca-0.1.3-py3-none-any.whl:
Publisher:
release-pypi.yml on alanbato/tlacacoca
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
tlacacoca-0.1.3-py3-none-any.whl -
Subject digest:
620f16a681f00f94685fcc5bedbe066cff0db5f40467c7103732a967f2f45c18 - Sigstore transparency entry: 811870602
- Sigstore integration time:
-
Permalink:
alanbato/tlacacoca@70dd78d674d3f9a9402047ea13220d38a51b93de -
Branch / Tag:
refs/tags/v0.1.3 - Owner: https://github.com/alanbato
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release-pypi.yml@70dd78d674d3f9a9402047ea13220d38a51b93de -
Trigger Event:
push
-
Statement type:
