tking/fastapi-gsap
SHA256
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
fastapi-gsap/gsap_broker/routers/complete.py
Tyler J King cbc9ad73f7 feat: fastapi-gsap — lightweight GSAP broker PoC 
Reference implementation of GCAP-SPEC-SHELLBOUND-BROKER-0001
in FastAPI. Designed for ISVs and enterprises implementing
the governed shell authorization protocol.

Architecture:
  FastAPI + SQLModel + Pydantic + async SQLite
  Single container deployment: Dockerfile included
  OpenAPI schema at /docs is the machine-readable GSAP contract

Broker Interface (§5):
  POST   /governance/authorize/     — Issue AC
  GET    /governance/authorize/{p}/ — Poll elevation
  POST   /governance/complete/      — Receive CR
  GET    /governance/session/{id}/  — View chain of custody
  POST   /governance/elevate/       — JIT elevation
  GET    /governance/drivers/       — List drivers

Identity Driver Interface (§2.2):
  IdentityDriver — abstract base (ISV extension point)
  KeycloakDriver — Keycloak implementation
  DriverRegistry — driver lookup and registration

Chronicle integration (§1.4):
  Optional CloudEvents emission via CHRONICLE_WEBHOOK_URL
  Forgejo push event format for receiver compatibility

Models:
  Pydantic schemas for AC, CR, Principal, Accord, Operation
  SQLModel DB models for persistence

Tests: 6 async tests including full AC→CR cycle

695 lines across 27 files.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 14:10:21 -04:00

39 lines
2 KiB
Python
Raw Blame History

"""POST /governance/complete/ — GSAP §5.4"""
import uuid
from datetime import datetime, UTC
from fastapi import APIRouter, Depends, HTTPException
from sqlmodel.ext.asyncio.session import AsyncSession
from sqlmodel import select
from gsap_broker.db import get_session
from gsap_broker.db_models import AuthorizationContextDB, CompletionReceiptDB
from gsap_broker.models import CompleteRequest, CompleteResponse
from gsap_broker import chronicle
router = APIRouter()
@router.post("/complete/", response_model=CompleteResponse, summary="Receive CR (GSAP §5.4)")
async def complete(request: CompleteRequest, db: AsyncSession = Depends(get_session)):
result = await db.exec(select(AuthorizationContextDB).where(
AuthorizationContextDB.context_id == request.context_id,
AuthorizationContextDB.status == "authorized"))
ac_db = result.first()
if not ac_db: raise HTTPException(status_code=404, detail="AC not found or already consumed.")
sig_verified = bool((request.signature or {}).get("value"))
cr_db = CompletionReceiptDB(
id=uuid.uuid4(), context_id=request.context_id, outcome=request.outcome.value,
completed_at=request.completed_at, failure_reason=request.failure_reason or "",
chronicle_session_id=request.chronicle_session_id or "",
chronicle_events=request.chronicle_evidence.events,
merkle_root=request.chronicle_evidence.merkle_root or "",
behavioral_attestation_status=request.behavioral_attestation.status.value,
ffc_did=request.ffc.get("did", ""), ffc_signature=(request.signature or {}).get("value", ""),
signature_verified=sig_verified)
db.add(cr_db)
ac_db.status = "consumed"; ac_db.consumed_at = datetime.now(UTC)
cid = await chronicle.emit("GSAP_CR_RECEIVED", {"event_code": "0x2706", "context_id": str(request.context_id), "outcome": request.outcome.value})
cr_db.chronicle_event_cid = cid
await db.commit()
return CompleteResponse(receipt_id=cr_db.id, signature_verified=sig_verified, chronicle_event_cid=cid or None)
Reference in a new issue View git blame Copy permalink