feat(sdk): initial standalone SDK repo

Extracted from ITL.ControlPlane.Attestation monorepo (src/sdk/).

- src/sdk/ layout with hatchling build backend
- Standalone CI workflow (lint, test, build, auto-tag, release)
- PyPI publish workflow with OIDC Trusted Publisher
- Updated project URLs to this repo

Author: nielsweistra

.github/workflows/ci.yml

@@ -0,0 +1,105 @@
+name: CI
+
+# ---------------------------------------------------------------------------
+# CI for itl-attestation-sdk
+#   detect-version → lint + test + build wheel → auto-tag → GitHub Release
+# ---------------------------------------------------------------------------
+on:
+  push:
+    branches: [main, develop, "feature/**", "release/**", "hotfix/**"]
+  pull_request:
+    branches: [main, develop]
+  workflow_dispatch:
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+
+  detect-version:
+    name: Detect version
+    uses: ITlusions/ITL.Github/.github/workflows/_reusable-detect-version.yml@main
+    with:
+      tag-prefix: "v"
+
+  ci:
+    name: Lint / Test / Build
+    needs: detect-version
+    uses: ITlusions/ITL.Github/.github/workflows/_reusable-ci-python.yml@main
+    with:
+      python-version: "3.12"
+      ref: ${{ github.sha }}
+      artifact-name: "sdk-wheel"
+      version: ${{ needs.detect-version.outputs.python-version }}
+      ruff-src: "."
+      test-path: "tests/"
+      extra-install: "pip install -e .[dev]"
+
+  build-meta:
+    name: Compute build ID
+    runs-on: ubuntu-latest
+    outputs:
+      build-id: ${{ steps.id.outputs.build-id }}
+    steps:
+      - name: Generate build ID
+        id: id
+        run: echo "build-id=$(date +%Y%m%d)-${{ github.run_number }}" >> "$GITHUB_OUTPUT"
+
+  auto-tag:
+    name: Auto-tag semver
+    needs: ci
+    if: |
+      github.event_name == 'push' &&
+      (
+        github.ref == 'refs/heads/main' ||
+        startsWith(github.ref, 'refs/heads/release/')
+      )
+    uses: ITlusions/ITL.Github/.github/workflows/_reusable-auto-tag.yml@main
+    with:
+      commit-sha: ${{ github.sha }}
+      tag-prefix: "v"
+    secrets:
+      gh-pat: ${{ secrets.GH_PAT }}
+
+  create-release:
+    name: Create GitHub Release
+    needs: [auto-tag, build-meta]
+    if: |
+      github.event_name == 'push' &&
+      (
+        github.ref == 'refs/heads/main' ||
+        startsWith(github.ref, 'refs/heads/release/')
+      )
+    uses: ITlusions/ITL.Github/.github/workflows/_reusable-release-gh.yml@main
+    with:
+      tag: ${{ needs.auto-tag.outputs.tag }}
+      artifact-name: "sdk-wheel"
+      artifact-run-id: ${{ github.run_id }}
+      generate-release-notes: true
+      body: |
+        ## Installation
+
+        **From PyPI**
+        ```bash
+        pip install itl-attestation-sdk==${{ needs.detect-version.outputs.python-version }}
+        ```
+
+        **From GitHub (this release)**
+        ```bash
+        pip install "itl-attestation-sdk @ https://github.com/${{ github.repository }}/releases/download/${{ needs.auto-tag.outputs.tag }}/$(ls dist/*.whl | xargs basename)"
+        ```
+
+        **From source**
+        ```bash
+        git clone https://github.com/${{ github.repository }}.git
+        cd ITL.ControlPlane.Attestation.Sdk
+        pip install .
+        ```
+
+        ---
+        **Build:** ${{ needs.build-meta.outputs.build-id }}
+        **Commit:** ${{ github.sha }}
+        **Workflow run:** ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+    secrets:
+      gh-pat: ${{ secrets.GH_PAT }}

.github/workflows/publish.yml

@@ -0,0 +1,82 @@
+name: Publish — Release published
+
+# ---------------------------------------------------------------------------
+# Publish orchestrator for itl-attestation-sdk
+#
+# Triggered when a GitHub Release is published (from create-release in ci.yml).
+# Releases are created using GH_PAT so the release:published event fires.
+#
+# Authentication: PyPI Trusted Publisher (OIDC) — no API tokens.
+# ---------------------------------------------------------------------------
+on:
+  release:
+    types: [published]
+
+concurrency:
+  group: publish-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+jobs:
+
+  resolve-version:
+    name: Resolve release version
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.ver.outputs.version }}
+      prerelease: ${{ steps.ver.outputs.prerelease }}
+    steps:
+      - name: Extract version from tag
+        id: ver
+        run: |
+          TAG="${{ github.event.release.tag_name }}"
+          VERSION="${TAG#v}"
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          if [[ "$VERSION" == *"-"* ]]; then
+            echo "prerelease=true"  >> "$GITHUB_OUTPUT"
+          else
+            echo "prerelease=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  publish-pypi:
+    name: Publish to PyPI
+    needs: resolve-version
+    if: needs.resolve-version.outputs.prerelease == 'false'
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write   # OIDC Trusted Publisher
+    steps:
+      - name: Download wheel artifact
+        uses: dawidd6/action-download-artifact@v6
+        with:
+          github_token: ${{ secrets.GH_PAT }}
+          workflow: ci.yml
+          commit: ${{ github.sha }}
+          name: sdk-wheel
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  publish-testpypi:
+    name: Publish to TestPyPI (pre-release)
+    needs: resolve-version
+    if: needs.resolve-version.outputs.prerelease == 'true'
+    runs-on: ubuntu-latest
+    environment: testpypi
+    permissions:
+      id-token: write   # OIDC Trusted Publisher
+    steps:
+      - name: Download wheel artifact
+        uses: dawidd6/action-download-artifact@v6
+        with:
+          github_token: ${{ secrets.GH_PAT }}
+          workflow: ci.yml
+          commit: ${{ github.sha }}
+          name: sdk-wheel
+          path: dist/
+
+      - name: Publish to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/

.gitignore

@@ -0,0 +1,84 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+*.manifest
+*.spec
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Ruff
+.ruff_cache/
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# IDEs
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Database files (for testing)
+*.db
+*.db-journal
+*.db-wal
+*.db-shm

CHANGELOG.md

@@ -0,0 +1,39 @@
+# Changelog
+
+All notable changes to the ITL Attestation SDK will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0] - 2026-05-15
+
+### Added
+- Initial SDK release with core infrastructure
+- `core/config.py` — AttestationConfig with Pydantic BaseSettings
+- `core/database.py` — Async SQLAlchemy engine and session factory
+- `core/exceptions.py` — Complete exception hierarchy
+- `models/machine.py` — MachineRow, NodeRole, MachineStatus ORM models
+- `models/operator.py` — AuditLogRow with cryptographic chain, ApprovalRequestRow
+- `repositories/machine_repo.py` — SqlMachineRepository with full CRUD
+- `repositories/operator_repo.py` — AuditRepository with hash verification, ApprovalRequestRepository
+- Comprehensive README with usage examples
+- Full type hints and mypy strict mode support
+- Environment-based configuration
+- Support for SQLite and async database operations
+
+### Features
+- **Cryptographic audit chain** — Hash-based integrity verification for audit logs
+- **TPM attestation models** — EK fingerprint, AK public key, hardware UUID tracking
+- **Dual-control approval workflow** — Multi-operator approval requests
+- **Machine lifecycle states** — pending_approval → registered → attested → locked/revoked
+- **Node role support** — Control plane, worker infrastructure, worker application tiers
+- **Source IP tracking** — All audit log entries include originating IP address
+
+### Dependencies
+- SQLModel >=0.0.16
+- SQLAlchemy[asyncio] >=2.0.0
+- aiosqlite >=0.19.0
+- Pydantic >=2.0.0
+- Pydantic-settings >=2.0.0
+
+[0.1.0]: https://github.com/ITLusions/ITL.ControlPlane.Attestation/releases/tag/v0.1.0

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 ITLusions
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.