Shared foundation library for TLS-based protocol implementations
Project description
Tlacacoca - Shared Foundation Library for TLS-Based Protocols
A protocol-agnostic foundation library providing shared components for building secure TLS-based network protocol implementations in Python. Tlacacoca (pronounced "tla-ka-KO-ka", from Nahuatl meaning "secure/safe") provides security, middleware, and logging utilities that can be shared across multiple protocol implementations.
Key Features
- Security First - TLS context creation, TOFU certificate validation, certificate utilities
- Middleware System - Rate limiting, IP access control, certificate authentication
- Structured Logging - Privacy-preserving logging with IP hashing
- Protocol Agnostic - Abstract interfaces that any TLS-based protocol can build upon
- Modern Python - Full type hints, async/await support, and modern tooling with
uv
Quick Start
Installation
# As a library
uv add tlacacoca
# From source (for development)
git clone https://github.com/alanbato/tlacacoca.git
cd tlacacoca && uv sync
Basic Usage
import ssl
from tlacacoca import (
create_client_context,
create_server_context,
TOFUDatabase,
RateLimiter,
RateLimitConfig,
AccessControl,
AccessControlConfig,
MiddlewareChain,
)
# Create TLS contexts
client_ctx = create_client_context(verify_mode=ssl.CERT_REQUIRED)
server_ctx = create_server_context("cert.pem", "key.pem")
# Set up TOFU certificate validation
async with TOFUDatabase(app_name="myapp") as tofu:
# First connection - certificate is stored
await tofu.verify_or_trust("example.com", 1965, cert_fingerprint)
# Subsequent connections - certificate is verified
await tofu.verify_or_trust("example.com", 1965, cert_fingerprint)
# Configure middleware chain
rate_config = RateLimitConfig(capacity=10, refill_rate=1.0)
access_config = AccessControlConfig(
allow_list=["192.168.1.0/24"],
default_allow=False
)
chain = MiddlewareChain([
AccessControl(access_config),
RateLimiter(rate_config),
])
# Process requests through middleware
result = await chain.process_request(
request_url="protocol://example.com/path",
client_ip="192.168.1.100"
)
if result.allowed:
# Handle request
pass
else:
# Map denial_reason to protocol-specific response
if result.denial_reason == "rate_limit":
# e.g., Gemini: "44 SLOW DOWN\r\n"
pass
Components
Security
| Component | Description |
|---|---|
create_client_context() |
Create TLS context for client connections |
create_server_context() |
Create TLS context for server connections |
TOFUDatabase |
Trust-On-First-Use certificate validation |
generate_self_signed_cert() |
Generate self-signed certificates |
get_certificate_fingerprint() |
Get SHA-256 fingerprint of certificate |
load_certificate() |
Load certificate from PEM file |
Middleware
| Component | Description |
|---|---|
MiddlewareChain |
Chain multiple middleware components |
RateLimiter |
Token bucket rate limiting per IP |
AccessControl |
IP-based allow/deny lists with CIDR support |
CertificateAuth |
Client certificate authentication |
Logging
| Component | Description |
|---|---|
configure_logging() |
Configure structured logging |
get_logger() |
Get a logger instance |
hash_ip_processor() |
Privacy-preserving IP hashing |
Protocol Implementations Using Tlacacoca
Tlacacoca is designed to be used by protocol-specific implementations:
- nauyaca - Gemini protocol server & client
- amatl - Scroll protocol implementation (planned)
Documentation
Middleware Return Types
Middleware components return MiddlewareResult with protocol-agnostic denial reasons:
from tlacacoca import MiddlewareResult, DenialReason
# Allowed request
result = MiddlewareResult(allowed=True)
# Denied request
result = MiddlewareResult(
allowed=False,
denial_reason=DenialReason.RATE_LIMIT,
retry_after=30
)
Protocol implementations map these to their specific status codes:
| Denial Reason | Gemini Status | Description |
|---|---|---|
RATE_LIMIT |
44 SLOW DOWN | Rate limit exceeded |
ACCESS_DENIED |
53 PROXY REFUSED | IP not allowed |
CERT_REQUIRED |
60 CLIENT CERT REQUIRED | Need client certificate |
CERT_NOT_AUTHORIZED |
61 CERT NOT AUTHORIZED | Certificate not in allowed list |
Contributing
# Setup
git clone https://github.com/alanbato/tlacacoca.git
cd tlacacoca && uv sync
# Test
uv run pytest
# Lint & Type Check
uv run ruff check src/ tests/
uv run ty check src/
See CONTRIBUTING.md for guidelines.
License
MIT License - see LICENSE for details.
Resources
- SECURITY.md - Security documentation
- GitHub Issues - Bug reports
- GitHub Discussions - Questions and ideas
Status: Active development (pre-1.0). Core security and middleware features are stable.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
tlacacoca-0.2.0.tar.gz
(20.2 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
tlacacoca-0.2.0-py3-none-any.whl
(27.5 kB
view details)
File details
Details for the file tlacacoca-0.2.0.tar.gz.
File metadata
- Download URL: tlacacoca-0.2.0.tar.gz
- Upload date:
- Size: 20.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2c376537d65ba6b92b58502c2b54b4434d023da435c6e77d56d1a8fcdaf8ee40
|
|
| MD5 |
9ffae4a79607eb872f8f3ff7a75fb939
|
|
| BLAKE2b-256 |
91e766f07ff9f678f0b929e631f5d209b40720131366c44d6591637efc0f97a1
|
Provenance
The following attestation bundles were made for tlacacoca-0.2.0.tar.gz:
Publisher:
release-pypi.yml on alanbato/tlacacoca
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
tlacacoca-0.2.0.tar.gz -
Subject digest:
2c376537d65ba6b92b58502c2b54b4434d023da435c6e77d56d1a8fcdaf8ee40 - Sigstore transparency entry: 963267721
- Sigstore integration time:
-
Permalink:
alanbato/tlacacoca@bd78a3779e913a266b22e8a04d2a3ba41d89d1ec -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/alanbato
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release-pypi.yml@bd78a3779e913a266b22e8a04d2a3ba41d89d1ec -
Trigger Event:
push
-
Statement type:
File details
Details for the file tlacacoca-0.2.0-py3-none-any.whl.
File metadata
- Download URL: tlacacoca-0.2.0-py3-none-any.whl
- Upload date:
- Size: 27.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f9179ebddfc724835c7289be550910dc8b1891ef3297a1f9bf79bd4503d777bc
|
|
| MD5 |
528ce7af08194830bd76d8471ea14f61
|
|
| BLAKE2b-256 |
64d8712f6650b4d1e07d61db1b3e2bcb14b73e8ed03b088738356b6b8a5a6f47
|
Provenance
The following attestation bundles were made for tlacacoca-0.2.0-py3-none-any.whl:
Publisher:
release-pypi.yml on alanbato/tlacacoca
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
tlacacoca-0.2.0-py3-none-any.whl -
Subject digest:
f9179ebddfc724835c7289be550910dc8b1891ef3297a1f9bf79bd4503d777bc - Sigstore transparency entry: 963267725
- Sigstore integration time:
-
Permalink:
alanbato/tlacacoca@bd78a3779e913a266b22e8a04d2a3ba41d89d1ec -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/alanbato
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release-pypi.yml@bd78a3779e913a266b22e8a04d2a3ba41d89d1ec -
Trigger Event:
push
-
Statement type:
