Retry && Agents

RAZKOM · RAZKOM · commit 418ff6176cbf · 2026-04-12T19:58:37.000-05:00
diff --git a/AGENTS.md b/AGENTS.md
@@ -0,0 +1,114 @@
+# AuthForge SDK — AI Agent Reference
+
+> This file is optimized for AI coding agents (Cursor, Copilot, Claude Code, etc.).
+> It contains everything needed to correctly integrate AuthForge licensing into a project.
+
+## What AuthForge does
+
+AuthForge is a license key validation service. Your app sends a license key + hardware ID to the AuthForge API, gets back a cryptographically signed response, and runs background heartbeats to maintain the session. If the license is revoked or expired, the heartbeat fails and you handle it (typically exit the app).
+
+## Installation
+
+Copy `authforge.py` into your project (single file, stdlib only). Requires Python 3.9+.
+
+## Minimal working integration
+
+```python
+import sys
+from typing import Optional
+
+from authforge import AuthForgeClient
+
+
+def on_failure(reason: str, exc: Optional[Exception]) -> None:
+    print(f"AuthForge: {reason}", file=sys.stderr)
+    if exc is not None:
+        print(exc, file=sys.stderr)
+    sys.exit(1)
+
+
+def main() -> None:
+    client = AuthForgeClient(
+        app_id="YOUR_APP_ID",
+        app_secret="YOUR_APP_SECRET",
+        heartbeat_mode="SERVER",
+        on_failure=on_failure,
+    )
+    license_key = input("Enter license key: ").strip()
+    if not client.login(license_key):
+        print("Login failed.", file=sys.stderr)
+        sys.exit(1)
+    # --- Your application code starts here ---
+    print("Running with a valid license.")
+    # --- Your application code ends here ---
+    client.logout()
+
+
+if __name__ == "__main__":
+    main()
+```
+
+## Constructor parameters
+
+| Parameter | Type | Required | Default | Description |
+|-----------|------|----------|---------|-------------|
+| `app_id` | `str` | yes | — | Application ID |
+| `app_secret` | `str` | yes | — | Application secret |
+| `heartbeat_mode` | `str` | yes | — | `"SERVER"` or `"LOCAL"` (case-insensitive) |
+| `heartbeat_interval` | `int` | no | `900` | Seconds between heartbeats |
+| `api_base_url` | `str` | no | `https://auth.authforge.cc` | API base URL |
+| `on_failure` | `Callable[[str, Optional[Exception]], None] \| None` | no | `None` | Called on login/heartbeat/network failure; if omitted, process exits via `os._exit(1)` |
+| `request_timeout` | `int` | no | `15` | HTTP timeout (seconds) |
+
+## Methods
+
+| Method | Returns | Description |
+|--------|---------|-------------|
+| `login(license_key: str)` | `bool` | Validates license, verifies signatures, starts heartbeat thread |
+| `logout()` | `None` | Stops heartbeat and clears session state |
+| `is_authenticated()` | `bool` | Whether a session token is present and marked authenticated |
+| `get_session_data()` | `dict \| None` | Decoded signed payload map |
+| `get_app_variables()` | `dict \| None` | App-scoped variables |
+| `get_license_variables()` | `dict \| None` | License-scoped variables |
+
+## Error codes the server can return
+
+invalid_app, invalid_key, expired, revoked, hwid_mismatch, no_credits, blocked, rate_limited, replay_detected, checksum_required, checksum_mismatch, session_expired, app_disabled
+
+## Common patterns
+
+### Reading license variables (feature gating)
+
+```python
+vars_map = client.get_license_variables() or {}
+tier = vars_map.get("tier")
+```
+
+### Graceful shutdown
+
+```python
+client.logout()
+```
+
+### Custom error handling
+
+Server error codes appear as `ValueError` in the `exc` passed to `on_failure` from failed validation (e.g. `invalid_key`). Reasons are `login_failed`, `heartbeat_failed`, or `network_error`.
+
+```python
+import sys
+from typing import Optional
+
+def on_failure(reason: str, exc: Optional[Exception]) -> None:
+    if isinstance(exc, ValueError) and exc.args:
+        code = str(exc.args[0])
+        if code in {"invalid_key", "expired", "revoked"}:
+            print(f"License issue: {code}", file=sys.stderr)
+    sys.exit(1)
+```
+
+## Do NOT
+
+- Do not hardcode the app secret as a plain string literal in source — use environment variables or encrypted config
+- Do not skip the `on_failure` callback — without it, heartbeat failures terminate the process via `os._exit(1)` without your cleanup
+- Do not call `login()` on every app action — call it once at startup; heartbeats handle the rest
+- Do not use `heartbeat_mode="LOCAL"` unless the app has no internet after initial auth
diff --git a/README.md b/README.md
@@ -39,16 +39,35 @@ else:
 | `on_failure` | callable | `None` | Callback `(reason: str, exc: Exception | None)` on auth failure |
 | `request_timeout` | int | `15` | HTTP request timeout in seconds |
 
+## Methods
+
+| Method | Returns | Description |
+|---|---|---|
+| `login(license_key)` | `bool` | Validates key and stores signed session (`sessionToken`, `expiresIn`, `appVariables`, `licenseVariables`) |
+| `logout()` | `None` | Stops heartbeat and clears all session/auth state |
+| `is_authenticated()` | `bool` | True when an active authenticated session exists |
+| `get_session_data()` | `dict \| None` | Full decoded payload map |
+| `get_app_variables()` | `dict \| None` | App-scoped variables map |
+| `get_license_variables()` | `dict \| None` | License-scoped variables map |
+
 ## Heartbeat Modes
 
-**SERVER** — The SDK pings the AuthForge API every `heartbeat_interval` seconds with a fresh nonce. Each response is cryptographically verified. If the license is revoked or the session expires, the failure handler triggers.
+**SERVER** — The SDK calls `/auth/heartbeat` every `heartbeat_interval` seconds with a fresh nonce, verifies signature + nonce, and triggers failure on invalid session state.
 
-**LOCAL** — No network requests during heartbeats. The SDK verifies the stored HMAC signature and checks that the session hasn't expired. When the prepaid block runs out, it makes a single network call to refresh. Use this for apps where you want minimal network overhead.
+**LOCAL** — No network calls. The SDK re-verifies stored signature state and checks expiry timestamp locally. If expired, it triggers failure with `session_expired`.
 
 ## Failure Handling
 
 If authentication fails (login rejected, heartbeat fails, signature mismatch, etc.), the SDK calls your `on_failure` callback if one is provided. If no callback is set, **the SDK calls `os._exit(1)` to terminate the process.** This is intentional — it prevents your app from running without a valid license.
 
+Recognized server errors:
+`invalid_app`, `invalid_key`, `expired`, `revoked`, `hwid_mismatch`, `no_credits`, `blocked`, `rate_limited`, `replay_detected`, `app_disabled`, `session_expired`, `bad_request`, `checksum_required`, `checksum_mismatch`
+
+Request retries are automatic inside the internal HTTP layer:
+- `rate_limited`: retry after 2s, then 5s (max 3 attempts total)
+- network failure: retry once after 2s
+- every retry regenerates a fresh nonce
+
 ```python
 def handle_auth_failure(reason, exception):
     print(f"Auth failed: {reason}")
diff --git a/authforge.py b/authforge.py
