agentkernel 0.18.1

Run AI coding agents in secure, isolated microVMs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

//! HTTP client for fetching policy bundles from the enterprise policy server.
//!
//! Supports authenticated requests via Bearer token or API key header,
//! and background polling for policy updates.

#![cfg(feature = "enterprise")]

use anyhow::{Context as _, Result};
use std::sync::Arc;
use std::time::Duration;
use tokio::sync::watch;

use super::signing::PolicyBundle;

/// HTTP client for the enterprise policy server.
pub struct PolicyClient {
    /// Base URL of the policy server (e.g., "https://policy.acme-corp.com")
    server_url: String,
    /// API key for authentication
    api_key: Option<String>,
    /// HTTP client
    http_client: reqwest::Client,
}

impl PolicyClient {
    /// Create a new PolicyClient.
    ///
    /// # Arguments
    /// * `server_url` - Base URL of the policy server
    /// * `api_key` - Optional API key for authentication
    pub fn new(server_url: &str, api_key: Option<String>) -> Result<Self> {
        let http_client = reqwest::Client::builder()
            .timeout(Duration::from_secs(30))
            .connect_timeout(Duration::from_secs(10))
            .user_agent(format!("agentkernel/{}", env!("CARGO_PKG_VERSION")))
            .build()
            .context("Failed to build HTTP client")?;

        Ok(Self {
            server_url: server_url.trim_end_matches('/').to_string(),
            api_key,
            http_client,
        })
    }

    /// Fetch the current policy bundle from the server.
    ///
    /// Makes a GET request to `/v1/policies` and deserializes the response
    /// as a PolicyBundle.
    pub async fn fetch_bundle(&self) -> Result<PolicyBundle> {
        let url = format!("{}/v1/policies", self.server_url);

        let mut request = self.http_client.get(&url);

        // Add authentication
        if let Some(ref key) = self.api_key {
            request = request.header("Authorization", format!("Bearer {}", key));
        }

        let response = request
            .send()
            .await
            .context("Failed to connect to policy server")?;

        if !response.status().is_success() {
            let status = response.status();
            let body = response
                .text()
                .await
                .unwrap_or_else(|_| "<no body>".to_string());
            anyhow::bail!("Policy server returned {}: {}", status, body);
        }

        let bundle: PolicyBundle = response
            .json()
            .await
            .context("Failed to parse policy bundle response")?;

        Ok(bundle)
    }

    /// Start background polling for policy updates.
    ///
    /// Fetches the policy bundle at the given interval and sends updates
    /// through the returned watch channel. Stops when the shutdown signal
    /// is received.
    ///
    /// # Arguments
    /// * `interval` - How often to poll for updates
    /// * `shutdown` - Receiver that signals when to stop polling
    ///
    /// # Returns
    /// A watch receiver that receives new PolicyBundle values on updates.
    pub fn poll(
        self: Arc<Self>,
        interval: Duration,
        mut shutdown: watch::Receiver<bool>,
    ) -> watch::Receiver<Option<PolicyBundle>> {
        let (tx, rx) = watch::channel(None);

        tokio::spawn(async move {
            let mut ticker = tokio::time::interval(interval);
            // First tick is immediate
            ticker.tick().await;

            loop {
                tokio::select! {
                    _ = ticker.tick() => {
                        match self.fetch_bundle().await {
                            Ok(bundle) => {
                                let _ = tx.send(Some(bundle));
                            }
                            Err(e) => {
                                eprintln!("[enterprise] Failed to fetch policy bundle: {}", e);
                            }
                        }
                    }
                    _ = shutdown.changed() => {
                        if *shutdown.borrow() {
                            break;
                        }
                    }
                }
            }
        });

        rx
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_client_creation() {
        let client = PolicyClient::new("https://policy.example.com", None);
        assert!(client.is_ok());
    }

    #[test]
    fn test_client_creation_with_key() {
        let client = PolicyClient::new(
            "https://policy.example.com",
            Some("test-api-key".to_string()),
        );
        assert!(client.is_ok());
    }

    #[test]
    fn test_server_url_normalization() {
        let client = PolicyClient::new("https://policy.example.com/", None).unwrap();
        assert_eq!(client.server_url, "https://policy.example.com");
    }
}