Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
55 commits
Select commit Hold shift + click to select a range
22623fe
feat: production hardening sprint — revocation, security audit, proto…
shivdeep1 Mar 31, 2026
756a0d9
feat: complete protocol hardening — delegation, audit trail, integrat…
shivdeep1 Apr 1, 2026
edb8afe
chore: production readiness — docs, security policy, CI fix, dependen…
shivdeep1 Apr 1, 2026
0cc79c1
chore: add LF-standard governance, CI hardening, and DCO enforcement
shivdeep1 Apr 1, 2026
7835073
chore: supply chain security, property tests, ADRs, and process docum…
shivdeep1 Apr 1, 2026
ac73a94
fix: resolve all CI failures — ruff, format, StrEnum, workflow permis…
shivdeep1 Apr 1, 2026
e74919c
fix: skip false-positive bandit findings in security scan
shivdeep1 Apr 1, 2026
720abde
feat: open-source readiness — CLI, SDK, type safety, domain branding
shivdeep1 Apr 3, 2026
6458765
feat: default to central Airlock registry (api.airlock.ing)
shivdeep1 Apr 3, 2026
ccd8fa6
chore(deps): Bump @modelcontextprotocol/sdk from 1.28.0 to 1.29.0
dependabot[bot] Apr 3, 2026
0596879
chore(deps-dev): Bump @types/node from 22.19.15 to 25.5.2
dependabot[bot] Apr 3, 2026
24a7dbc
docs: update README — new SDK, CLI, registry, org badge links
shivdeep1 Apr 3, 2026
e542b4c
feat: landing page for airlock.ing + custom domain
shivdeep1 Apr 3, 2026
2e5a782
feat: full 5-phase verification + production gateway + TS defaults
shivdeep1 Apr 3, 2026
3e91c2f
Delete CNAME
shivdeep1 Apr 3, 2026
2844429
Create CNAME
shivdeep1 Apr 3, 2026
db0bf74
fix: re-enable GitHub Security features for public repo + fix CI
shivdeep1 Apr 3, 2026
11472aa
Merge branch 'main' of https://github.com/airlock-protocol/airlock
shivdeep1 Apr 3, 2026
5902de8
chore(deps): Bump actions/checkout from 4 to 6
dependabot[bot] Apr 3, 2026
b70fdbd
Merge pull request #7 from airlock-protocol/dependabot/github_actions…
shivdeep1 Apr 3, 2026
95cdc2d
chore(deps): Bump actions/upload-artifact from 4 to 7
dependabot[bot] Apr 3, 2026
bb51cd7
chore(deps): Bump aquasecurity/trivy-action from 0.28.0 to 0.35.0
dependabot[bot] Apr 3, 2026
202790d
chore(deps): Bump docker/build-push-action from 6 to 7
dependabot[bot] Apr 3, 2026
7752082
chore(deps): Bump actions/setup-node from 4 to 6
dependabot[bot] Apr 3, 2026
b376c54
Merge pull request #9 from airlock-protocol/dependabot/github_actions…
shivdeep1 Apr 3, 2026
2f69497
Merge pull request #4 from airlock-protocol/dependabot/github_actions…
shivdeep1 Apr 3, 2026
ada7331
Merge pull request #3 from airlock-protocol/dependabot/github_actions…
shivdeep1 Apr 3, 2026
14a5e67
Merge pull request #2 from airlock-protocol/dependabot/github_actions…
shivdeep1 Apr 3, 2026
8c8426f
Merge pull request #6 from airlock-protocol/dependabot/npm_and_yarn/m…
shivdeep1 Apr 3, 2026
24fed67
Merge pull request #8 from airlock-protocol/dependabot/npm_and_yarn/t…
shivdeep1 Apr 3, 2026
79d88ac
Clean up documentation and normalize examples
shivdeep1 Apr 4, 2026
2486caf
Harden gateway, add open-core licensing, Docker demo
shivdeep1 Apr 4, 2026
644c54f
feat: v0.2 enterprise-grade trust verification protocol
shivdeep1 Apr 5, 2026
c443460
fix: raise SimHash hamming threshold to 5, skip reputation write for …
shivdeep1 Apr 5, 2026
c68a6b4
feat: v0.2 Enterprise-Grade Trust Verification Protocol (#14)
shivdeep1 Apr 5, 2026
fd1c675
docs: fix test count in CHANGELOG (60+ → 131 new tests)
shivdeep1 Apr 5, 2026
5ea7a1e
security: harden nonce replay guard, constant-time signature comparison
shivdeep1 Apr 5, 2026
0712cc6
feat: signed CRL, trust token revocation, async fingerprinting, DID r…
shivdeep1 Apr 5, 2026
28414ad
fix: reject sync fingerprint calls from async contexts
shivdeep1 Apr 5, 2026
5c613cc
feat: argon2id memory-hard PoW, key rotation with chain continuity, p…
shivdeep1 Apr 5, 2026
71f555a
fix: wire persistence, CRL force-regen, chain registry, mid-session r…
shivdeep1 Apr 5, 2026
6760e43
feat: persistent audit trail, multi-replica Redis, VC capability veri…
shivdeep1 Apr 5, 2026
56de062
bump version to 1.0.0 and make litellm an optional dependency
shivdeep1 Apr 12, 2026
7380f90
add compliance module with agent inventory and risk classification
shivdeep1 Apr 12, 2026
a5f866b
add OAuth 2.1 authorization server with client credentials and token …
shivdeep1 Apr 12, 2026
84f830c
add dual-mode identity verification and disable semantic challenge by…
shivdeep1 Apr 12, 2026
f3a0434
Merge pull request #20 from airlock-protocol/worktree-agent-acc3f57a
shivdeep1 Apr 13, 2026
3356b63
Merge pull request #23 from airlock-protocol/worktree-agent-ac96ae14
shivdeep1 Apr 13, 2026
d374524
Merge pull request #22 from airlock-protocol/worktree-agent-ab56c55b
shivdeep1 Apr 13, 2026
0427340
merge main and resolve config.py conflict
shivdeep1 Apr 13, 2026
7bf43c2
Merge pull request #21 from airlock-protocol/worktree-agent-a0e41c0d
shivdeep1 Apr 13, 2026
e610ae1
rename regulatory mapper and genericize compliance framework references
shivdeep1 Apr 13, 2026
9e55b38
update README for v1.0.0 with OAuth, compliance, and dual-mode auth
shivdeep1 Apr 13, 2026
fe22099
update landing page for v1.0 release
shivdeep1 Apr 22, 2026
200b8af
chore(deps): Update a2a-sdk requirement
dependabot[bot] Apr 24, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions .dockerignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
.git
.github
.cursor
**/node_modules
**/dist
**/__pycache__
**/*.pyc
**/.pytest_cache
**/.mypy_cache
**/.ruff_cache
.env
.env.*
!.env.example
data
*.lance
**/.DS_Store
docs/_build
agent-transcripts
integrations/airlock-mcp/node_modules
sdks/typescript/node_modules
tests
examples
*.md
!README.md
75 changes: 65 additions & 10 deletions .env.example
Original file line number Diff line number Diff line change
@@ -1,16 +1,71 @@
# LLM Configuration (used only for semantic challenge in Phase 3)
LITELLM_MODEL=ollama/llama3
LITELLM_API_BASE=http://localhost:11434
# Copy to .env and adjust. Compose substitutes ${VAR} from this file automatically.
# See ROLL_OUT_STATUS.md for the full env reference.

# Gateway Configuration
# --- Deployment mode ---
# AIRLOCK_ENV=development
# production: fail-fast startup (seed, CORS, issuer allowlist, service + session tokens, etc.)
# AIRLOCK_ENV=production

# --- Required in production ---
# 64 hex chars = 32-byte Ed25519 seed for the gateway signing identity
AIRLOCK_GATEWAY_SEED_HEX=

# Bearer for GET /metrics and POST /token/introspect (required when AIRLOCK_ENV=production)
# AIRLOCK_SERVICE_TOKEN=

# HS256 secret for session viewer JWT (handshake ACK); GET /session + WS require this token
# (required when AIRLOCK_ENV=production)
# AIRLOCK_SESSION_VIEW_SECRET=

# --- Protocol / HTTP ---
AIRLOCK_PROTOCOL_VERSION=0.1.0
AIRLOCK_SESSION_TTL=180
AIRLOCK_HEARTBEAT_TTL=60
AIRLOCK_HOST=0.0.0.0
AIRLOCK_PORT=8000
# Host port when using docker compose (maps host:container)
# AIRLOCK_PUBLISH_PORT=8000

# --- Data ---
AIRLOCK_LANCEDB_PATH=/app/data/reputation.lance

# --- LLM (semantic challenge) ---
# AIRLOCK_LITELLM_MODEL=ollama/llama3
# AIRLOCK_LITELLM_API_BASE=http://localhost:11434

# --- Internal / multi-replica ---
# Empty = in-process nonce + rate limits (single pod only)
# AIRLOCK_REDIS_URL=redis://redis:6379/0

# --- Rate limits & replay ---
# AIRLOCK_NONCE_REPLAY_TTL_SECONDS=600
# AIRLOCK_RATE_LIMIT_PER_IP_PER_MINUTE=120
# AIRLOCK_RATE_LIMIT_HANDSHAKE_PER_DID_PER_MINUTE=30

# --- Trust tokens ---
# AIRLOCK_TRUST_TOKEN_SECRET=
# AIRLOCK_TRUST_TOKEN_TTL_SECONDS=600

# --- Admin API ---
# AIRLOCK_ADMIN_TOKEN=

# --- Policy ---
# AIRLOCK_CORS_ORIGINS=https://your-app.example.com
# AIRLOCK_VC_ISSUER_ALLOWLIST=
# AIRLOCK_REGISTER_MAX_PER_IP_PER_HOUR=0

# --- Registry delegation ---
# AIRLOCK_DEFAULT_REGISTRY_URL=

# Reputation Store
LANCEDB_PATH=./data/reputation.lance
# --- Client default (SDK docs) ---
# AIRLOCK_DEFAULT_GATEWAY_URL=http://127.0.0.1:8000
# Public URL for A2A agent card / discovery (HTTPS in production)
# AIRLOCK_PUBLIC_BASE_URL=https://airlock.example.com

# Session TTL (seconds)
SESSION_TTL=180
# --- Scaling ---
# AIRLOCK_EXPECT_REPLICAS=1
# AIRLOCK_EVENT_BUS_DRAIN_TIMEOUT_SECONDS=30

# Heartbeat TTL (seconds)
HEARTBEAT_TTL=60
# --- Observability ---
# AIRLOCK_LOG_JSON=false
# AIRLOCK_LOG_LEVEL=INFO
17 changes: 17 additions & 0 deletions .github/CODEOWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
# Default owner for everything
* @shivdeep1

# Crypto module — security-sensitive
/airlock/crypto/ @shivdeep1

# Protocol engine
/airlock/engine/ @shivdeep1

# Gateway API
/airlock/gateway/ @shivdeep1

# CI/CD workflows
/.github/ @shivdeep1

# Protocol specification
/docs/ @shivdeep1
33 changes: 33 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
---
name: Bug Report
about: Report a bug in the Airlock protocol or gateway
labels: bug
---

## Description

A clear and concise description of the bug.

## Steps to Reproduce

1.
2.
3.

## Expected Behavior

What you expected to happen.

## Actual Behavior

What actually happened. Include error messages and tracebacks if applicable.

## Environment

- **Python version:**
- **OS:**
- **Airlock version:**

## Additional Context

Any other context, logs, or screenshots relevant to the issue.
21 changes: 21 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
---
name: Feature Request
about: Suggest an enhancement to the Airlock protocol
labels: enhancement
---

## Problem Statement

A clear description of the problem or limitation this feature would address.

## Proposed Solution

Describe the solution you would like to see implemented.

## Alternatives Considered

Any alternative approaches or workarounds you have considered.

## Additional Context

Any other context, references, or design notes relevant to this request.
22 changes: 22 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
## Description

**What:**

**Why:**

## Type of Change

- [ ] Bug fix (non-breaking change that fixes an issue)
- [ ] New feature (non-breaking change that adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] Documentation update

## Checklist

- [ ] Tests added for new functionality
- [ ] All tests pass (`pytest`)
- [ ] Linter clean (`ruff check`)
- [ ] Type checker clean (`mypy`)
- [ ] CHANGELOG updated (if user-facing change)
- [ ] Documentation updated (if needed)
- [ ] Commits signed off (DCO)
20 changes: 20 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# Weekly update PRs for dependencies and Actions pin freshness.
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 5

- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 5

- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 5
161 changes: 161 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,161 @@
name: CI

on:
push:
branches: [main, master]
pull_request:
branches: [main, master]

permissions:
contents: read

jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"

- name: Install
run: pip install -e ".[dev]"

- name: Ruff lint
run: ruff check airlock tests examples

- name: Ruff format
run: ruff format --check airlock tests examples

- name: Mypy
run: mypy airlock || echo "::warning::mypy found type errors — see above for details"

security:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v6

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"

- name: Install
run: pip install -e ".[dev,redis,a2a]" bandit pip-audit

- name: Bandit (security linter)
run: bandit -r airlock -c pyproject.toml -f sarif -o bandit-results.sarif || true

- name: Upload Bandit SARIF
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: bandit-results.sarif
category: bandit
continue-on-error: true

- name: Bandit (check for HIGH severity)
run: |
bandit -r airlock -c pyproject.toml -f json -o bandit-check.json || true
python -c "
import json, sys
with open('bandit-check.json') as f:
data = json.load(f)
results = data.get('results', [])
high = [r for r in results if r['issue_severity'] == 'HIGH']
if high:
for r in high:
print(f\"HIGH: {r['issue_text']} at {r['filename']}:{r['line_number']}\")
print(f'FAIL: {len(high)} HIGH severity findings')
sys.exit(1)
print(f'OK: No HIGH severity findings ({len(results)} total)')
"

- name: pip-audit (dependency vulnerabilities)
run: pip-audit || echo "::warning::pip-audit found vulnerabilities — review output above"

test:
runs-on: ubuntu-latest
needs: [lint]
strategy:
matrix:
python-version: ["3.11", "3.12"]

steps:
- uses: actions/checkout@v6

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}

- name: Install
run: pip install -e ".[dev,redis,a2a]" pytest-cov

- name: Test with coverage
run: python -m pytest tests/ -v --tb=short --cov=airlock --cov-report=term-missing --cov-report=xml

- name: Upload coverage
if: matrix.python-version == '3.12'
uses: actions/upload-artifact@v7
with:
name: coverage-report
path: coverage.xml

dco:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0

- name: DCO check
run: |
base=${{ github.event.pull_request.base.sha }}
head=${{ github.event.pull_request.head.sha }}
failed=0
for sha in $(git rev-list "$base".."$head"); do
msg=$(git log -1 --format=%B "$sha")
if ! echo "$msg" | grep -qi "Signed-off-by:"; then
echo "FAIL: Commit $sha missing Signed-off-by"
failed=1
fi
done
if [ "$failed" -eq 1 ]; then
echo ""
echo "All commits must include a DCO sign-off."
echo "Use: git commit -s -m 'your message'"
echo "See: https://developercertificate.org/"
exit 1
fi
echo "OK: All commits have DCO sign-off"

docker-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6

- name: Docker build (gateway image)
run: docker build -t airlock-gateway:ci .

js:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6

- uses: actions/setup-node@v6
with:
node-version: "20"
cache: npm

- name: Install npm workspaces
run: npm ci

- name: Build TypeScript SDK + MCP
run: npm run build:js
Loading
Loading