Merge pull request #7 from devonartis/feature/agentwrit-rename

feat: rename agentauth → agentwrit across entire SDK

Author: devonartis

.DS_Store

@@ -0,0 +1 @@
+{"sessionId":"1908df39-d905-4d70-b99c-7f30a973d0a9","pid":65999,"acquiredAt":1776175148293}

.claude/scheduled_tasks.lock

@@ -73,8 +73,8 @@ jobs:
       - run: uv sync --all-extras
       - name: Run integration tests
         env:
-          AGENTAUTH_BROKER_URL: http://localhost:8080
-          AGENTAUTH_ADMIN_SECRET: ${{ secrets.AA_ADMIN_SECRET }}
+          AGENTWRIT_BROKER_URL: http://localhost:8080
+          AGENTWRIT_ADMIN_SECRET: ${{ secrets.AA_ADMIN_SECRET }}
         run: uv run pytest -m integration -q
 
   secrets-scan:

.github/workflows/ci.yml

@@ -35,16 +35,6 @@ htmlcov/
 .playwright-mcp/
 .claude/settings.local.json
 
-# Broker — only track docker-compose, scripts, and API contract
-# Go source, data volumes, and build artifacts are never committed
-broker/*
-!broker/docker-compose.yml
-!broker/scripts/
-!broker/docs/
-broker/docs/*
-!broker/docs/api.md
-!broker/docs/api/
-
 # Local archive (historical artifacts, not for repo)
 archive/
 

.gitignore

@@ -0,0 +1,3 @@
+# Example/sample credentials in documentation — not real secrets
+7a7ff3b9b2f2674958ce416ed1000250f0ca8a2d:docs/testing-guide.md:generic-api-key:36
+7a7ff3b9b2f2674958ce416ed1000250f0ca8a2d:docs/testing-guide.md:generic-api-key:58

.gitleaksignore

@@ -2,19 +2,18 @@
 
 ## v0.1.0 (2026-03-07)
 
-Initial release of the AgentAuth Python SDK.
+Initial release of the AgentWrit Python SDK.
 
 ### Features
 
-- **AgentAuthApp** -- main entry point with app authentication on init
+- **AgentWritApp** -- main entry point with app authentication on init
 - **get_token()** -- full 8-step credential flow (app auth, launch token, Ed25519 challenge-response, caching)
-- **HITL support** -- `HITLApprovalRequired` exception with `approval_id` and `expires_at`, retry with `approval_token`
 - **delegate()** -- scope-attenuated delegation to another registered agent (C7 Delegation Chain)
 - **revoke_token()** -- self-revocation for credential cleanup (C4 Expiration & Revocation)
 - **validate_token()** -- online token validation against the broker (C3 Zero-Trust)
 - **Token caching** -- by (agent_name, scope) key, proactive renewal at 80% TTL, thread-safe
 - **Retry with backoff** -- exponential backoff on 5xx/connection errors, Retry-After on 429
-- **Error hierarchy** -- AgentAuthError, AuthenticationError, ScopeCeilingError, HITLApprovalRequired, RateLimitError, BrokerUnavailableError, TokenExpiredError
+- **Error hierarchy** -- AgentWritError, AuthenticationError, ScopeCeilingError, RateLimitError, BrokerUnavailableError, TokenExpiredError
 - **Type safety** -- mypy strict mode, no Any in source, TypedDict for all broker responses
 - **Security** -- ephemeral Ed25519 keys (never on disk), client_secret never in output, TLS verified by default, thread-safe app token state
 
@@ -27,8 +26,8 @@ Initial release of the AgentAuth Python SDK.
 
 ### Demo
 
-- Interactive HITL demo app (FastAPI + HTMX) with pattern/NIST annotations
-- 6 scenarios: Read Data, Write (HITL), Scope Violation, Delegation, Full Lifecycle, Blast Radius
+- Interactive demo app (FastAPI + HTMX) with pattern/NIST annotations
+- 6 scenarios: Read Data, Write, Scope Violation, Delegation, Full Lifecycle, Blast Radius
 
 ### Documentation
 

CHANGELOG.md

@@ -1,4 +1,4 @@
-# AgentAuth Python SDK
+# AgentWrit Python SDK
 
 ## Rules
 
@@ -38,5 +38,5 @@ uv run pytest tests/unit/              # unit tests
 - **Read `~/proj/devflow/agentwrit-python/MEMORY.md` first** every session — it has current state and lessons.
 - **Read `~/proj/devflow/agentwrit-python/FLOW.md`** for decision history and what's next.
 - **Use `devflow-client`** skill for all development work.
-- **API source of truth:** `broker/docs/api.md` — always verify SDK calls against it.
-- **Live broker for verification:** Stand up broker via `./broker/scripts/stack_up.sh` (pulls `devonartis/agentwrit` from Docker Hub).
+- **API source of truth:** [https://github.com/devonartis/agentwrit/blob/main/docs/api.md](https://github.com/devonartis/agentwrit/blob/main/docs/api.md) — always verify SDK calls against it.
+- **Live broker for verification:** Stand up broker via `docker compose up -d` (pulls `devonartis/agentwrit` from Docker Hub).

CLAUDE.md

@@ -1,4 +1,4 @@
-# Contributing to AgentAuth Python
+# Contributing to AgentWrit Python
 
 Thank you for helping improve this SDK. This document describes how we work and what we need to review a pull request with confidence.
 
@@ -8,7 +8,7 @@ This project is released under the [MIT License](LICENSE). By contributing, you
 
 ## What belongs in this repository
 
-This repo is the **open-source Python SDK** for the AgentAuth broker: challenge-response registration, scoped agents, delegation, validation, and related helpers.
+This repo is the **open-source Python SDK** for the AgentWrit broker: challenge-response registration, scoped agents, delegation, validation, and related helpers.
 
 **Do not add** HITL flows, OIDC or cloud identity federation, or enterprise-only sidecar integrations. Those belong in separate products or extensions.
 
@@ -23,15 +23,15 @@ This repo is the **open-source Python SDK** for the AgentAuth broker: challenge-
 
   (`--all-extras` pulls in `dev` optional dependencies used by tests and tooling.)
 
-- For HTTP behavior, treat [`broker/docs/api.md`](broker/docs/api.md) as the integration contract (vendored API description in this repo).
+- For HTTP behavior, treat [https://github.com/devonartis/agentwrit/blob/main/docs/api.md](https://github.com/devonartis/agentwrit/blob/main/docs/api.md) as the integration contract.
 
-## You need a running AgentAuth broker
+## You need a running AgentWrit broker
 
 Maintainers will not merge broker-facing changes on faith. You must exercise the SDK against a **live** broker.
 
 **Do not assume** a copy of the broker exists inside your clone of this repository. If you have a local checkout that includes a `broker/` tree, that is optional tooling; **contributors should obtain the server from the broker project** or use a deployment they already run.
 
-1. **Run the broker from source** — Clone [github.com/devonartis/agentauth](https://github.com/devonartis/agentauth) and follow that repository’s instructions to build and run the stack (Docker or otherwise).
+1. **Run the broker from source** — Clone [github.com/devonartis/agentwrit](https://github.com/devonartis/agentwrit) and follow that repository's instructions to build and run the stack (Docker or otherwise).
 
 2. **Or use an existing broker** you control — Point tests and demos at its base URL and register an application with a scope ceiling appropriate for the tests you run.
 
@@ -40,10 +40,10 @@ Maintainers will not merge broker-facing changes on faith. You must exercise the
 4. **Export credentials** (example — adjust host and secrets):
 
    ```bash
-   export AGENTAUTH_BROKER_URL=http://127.0.0.1:8080
-   export AGENTAUTH_ADMIN_SECRET=<admin-secret>
-   export AGENTAUTH_CLIENT_ID=<client_id>
-   export AGENTAUTH_CLIENT_SECRET=<client_secret>
+   export AGENTWRIT_BROKER_URL=http://127.0.0.1:8080
+   export AGENTWRIT_ADMIN_SECRET=<admin-secret>
+   export AGENTWRIT_CLIENT_ID=<client_id>
+   export AGENTWRIT_CLIENT_SECRET=<client_secret>
    ```
 
 ## Checks to run before opening a PR
@@ -82,4 +82,4 @@ Demo work under [`demo/`](demo/) should follow the same rule: run against a real
 
 ## Security issues
 
-Please report security-sensitive problems through [GitHub Security Advisories](https://github.com/devonartis/agentauth-python/security/advisories) for this repository (or the maintainer’s preferred private channel if one is published elsewhere). Do not file exploitable details in public issues before they are addressed.
+Please report security-sensitive problems through [GitHub Security Advisories](https://github.com/devonartis/agentauth-python/security/advisories) for this repository (or the maintainer's preferred private channel if one is published elsewhere). Do not file exploitable details in public issues before they are addressed.

CONTRIBUTING.md

@@ -1,8 +1,8 @@
 <p align="center">
-  <img src="docs/assets/agentauth-logo.png" alt="AgentAuth" width="300">
+  <img src="docs/assets/agentwrit-logo.png" alt="AgentWrit" width="300">
 </p>
 
-<h1 align="center">AgentAuth Python SDK</h1>
+<h1 align="center">AgentWrit Python SDK</h1>
 
 <p align="center">
   <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="License: MIT"></a>
@@ -17,42 +17,42 @@
 
 ---
 
-## Why AgentAuth?
+## Why AgentWrit?
 
-AI agents need credentials to access databases, APIs, and file systems. Most teams give agents shared API keys or inherit user permissions — both create over-privileged, long-lived, unauditable access. AgentAuth takes a different approach:
+AI agents need credentials to access databases, APIs, and file systems. Most teams give agents shared API keys or inherit user permissions — both create over-privileged, long-lived, unauditable access. AgentWrit takes a different approach:
 
 - **Ephemeral identities** — every agent gets a unique Ed25519 keypair, generated in memory and never persisted to disk
 - **Task-scoped tokens** — credentials are limited to exactly what the agent needs (`read:data:customers`, not `read:*:*`)
 - **Short-lived by default** — tokens expire in minutes, not hours or days
 - **Delegation chains** — agents can delegate narrower permissions to other agents, enforced at every hop
 
-This SDK is the Python client for the [AgentAuth broker](https://github.com/devonartis/agentauth). The broker is the credential authority; this SDK makes it easy to integrate from Python.
+This SDK is the Python client for the [AgentWrit broker](https://github.com/devonartis/agentwrit). The broker is the credential authority; this SDK makes it easy to integrate from Python.
 
 ## Installation
 
 ```bash
-uv add agentauth
+uv add agentwrit
 ```
 
 Or with pip:
 
 ```bash
-pip install agentauth
+pip install agentwrit
 ```
 
-**Requirements:** Python 3.10+ and a running [AgentAuth broker](https://github.com/devonartis/agentauth) instance.
+**Requirements:** Python 3.10+ and a running [AgentWrit broker](https://github.com/devonartis/agentwrit) instance.
 
 ## Quick Start
 
 ```python
 import os
-from agentauth import AgentAuthApp, validate
+from agentwrit import AgentWritApp, validate
 
 # Connect to the broker (lazy — no auth until first create_agent)
-app = AgentAuthApp(
-    broker_url=os.environ["AGENTAUTH_BROKER_URL"],
-    client_id=os.environ["AGENTAUTH_CLIENT_ID"],
-    client_secret=os.environ["AGENTAUTH_CLIENT_SECRET"],
+app = AgentWritApp(
+    broker_url=os.environ["AGENTWRIT_BROKER_URL"],
+    client_id=os.environ["AGENTWRIT_CLIENT_ID"],
+    client_secret=os.environ["AGENTWRIT_CLIENT_SECRET"],
 )
 
 # Create an agent with specific scope
@@ -84,7 +84,7 @@ agent.release()
 agent = app.create_agent(orch_id="svc", task_id="task", requested_scope=["read:data:x"])
 
 # Use — agent.access_token is a standard Bearer JWT
-print(agent.agent_id)      # spiffe://agentauth.local/agent/svc/task/a1b2c3d4
+print(agent.agent_id)      # spiffe://agentwrit.local/agent/svc/task/a1b2c3d4
 print(agent.scope)         # ['read:data:x']
 print(agent.expires_in)    # 300 (seconds)
 
@@ -100,7 +100,7 @@ agent.release()
 
 ## MedAssist AI Demo
 
-The [`demo/`](demo/) directory contains **MedAssist AI** — an interactive healthcare demo that showcases every AgentAuth capability against a live broker.
+The [`demo/`](demo/) directory contains **MedAssist AI** — an interactive healthcare demo that showcases every AgentWrit capability against a live broker.
 
 **What it does:** A FastAPI web app where you enter a patient ID and a plain-language request. A local LLM (OpenAI-compatible) chooses which tools to call. The app dynamically creates broker agents with only the scopes those tools need, for that specific patient. You see scope enforcement, cross-patient denial, delegation, token renewal, and release — all in a real-time execution trace.
 
@@ -118,11 +118,11 @@ The [`demo/`](demo/) directory contains **MedAssist AI** — an interactive heal
 ### Running the demo
 
 ```bash
-# 1. Start the AgentAuth broker
-cd broker && ./scripts/stack_up.sh && cd ..
+# 1. Start the AgentWrit broker
+docker compose up -d
 
 # 2. Register the demo app with the broker (one-time setup)
-export AGENTAUTH_ADMIN_SECRET="your-admin-secret"
+export AGENTWRIT_ADMIN_SECRET="your-admin-secret"
 uv run python demo/setup.py
 # → Prints client_id and client_secret
 
@@ -150,7 +150,7 @@ read:data:*                  — wildcard: read ANY data resource
 Wildcard `*` only works in the identifier (third) position. Action and resource must match exactly.
 
 ```python
-from agentauth import scope_is_subset
+from agentwrit import scope_is_subset
 
 scope_is_subset(["read:data:customers"], ["read:data:*"])     # True
 scope_is_subset(["write:data:customers"], ["read:data:*"])    # False (write != read)
@@ -182,7 +182,7 @@ print(result.claims.scope)  # ['read:data:partition-7']
 ## Error Handling
 
 ```python
-from agentauth.errors import AuthorizationError, TransportError
+from agentwrit.errors import AuthorizationError, TransportError
 
 try:
     agent = app.create_agent(orch_id="svc", task_id="t", requested_scope=scope)
@@ -200,10 +200,10 @@ except TransportError:
 graph TB
     subgraph App["Your Application"]
         direction TB
-        Client["AgentAuthApp"]
+        Client["AgentWritApp"]
     end
 
-    subgraph Broker["AgentAuth Broker"]
+    subgraph Broker["AgentWrit Broker"]
         direction LR
         AuthGroup["App Auth<br/>/v1/app/auth<br/>/v1/app/launch-tokens"]
         CredGroup["Credentials<br/>/v1/challenge<br/>/v1/register"]
@@ -229,7 +229,7 @@ graph TB
 Operator (root of trust)
   │  registers app, sets scope ceiling
   ▼
-Application (your code — AgentAuthApp)
+Application (your code — AgentWritApp)
   │  creates agents within ceiling
   ▼
 Agent (ephemeral SPIFFE identity + scoped JWT)
@@ -248,7 +248,7 @@ Delegated Agent (sub-agent, max 5 hops)
 | [API Reference](docs/api-reference.md) | Every class, method, parameter, and exception |
 | [Testing Guide](docs/testing-guide.md) | Unit tests, integration tests, running the test suite |
 
-For broker setup and administration, see the [AgentAuth broker documentation](https://github.com/devonartis/agentauth/tree/main/docs).
+For broker setup and administration, see the [AgentWrit broker documentation](https://github.com/devonartis/agentwrit/tree/main/docs).
 
 ## Standards Alignment
 
@@ -262,7 +262,7 @@ For broker setup and administration, see the [AgentAuth broker documentation](ht
 
 ## Contributing
 
-See **[CONTRIBUTING.md](CONTRIBUTING.md)** for the full workflow: `uv` setup, **live-broker** verification (clone [agentauth](https://github.com/devonartis/agentauth) or use your own broker), and **evidence to include in PRs** so maintainers can review broker-facing changes confidently.
+See **[CONTRIBUTING.md](CONTRIBUTING.md)** for the full workflow: `uv` setup, **live-broker** verification (clone [agentwrit](https://github.com/devonartis/agentwrit) or use your own broker), and **evidence to include in PRs** so maintainers can review broker-facing changes confidently.
 
 Quick local checks (no broker required for unit tests):
 
@@ -280,4 +280,4 @@ uv run pytest tests/unit/
 
 This SDK is licensed under the [MIT License](LICENSE).
 
-The [AgentAuth broker](https://github.com/devonartis/agentauth) is licensed separately under AGPL-3.0. See the broker repo for details.
+The [AgentWrit broker](https://github.com/devonartis/agentwrit) is licensed separately under AGPL-3.0. See the broker repo for details.