aperion-shield 0.9.1

Aperion Shield -- a local MCP guardrail for AI coding agents with optional biometric identity gates (ID.me). Standalone, free, open source.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135

//! Mock identity provider.
//!
//! Used by:
//!   * Integration tests (no external service, deterministic output).
//!   * `aperion-shield --check` runs that need to exercise an
//!     identity-gated rule without any browser interaction.
//!   * Local demos before the ID.me sandbox is online.
//!
//! Behaviour:
//!   * [`begin`] returns a `verify_url` of the form
//!     `http://127.0.0.1:<port>/verify/<challenge_id>?mock=1`. When
//!     the user opens that URL, the local callback server immediately
//!     hits [`exchange`] with a synthetic code and the mock returns a
//!     [`VerifiedIdentity`] composed from its config.
//!   * [`exchange`] always succeeds. There is no failure path -- this
//!     is **not** a security boundary; never enable the mock provider
//!     in production.
//!
//! Configuration ([`crate::identity::config::ProviderConfig`]):
//!
//! ```yaml
//! - id: mock
//!   kind: mock
//!   subject: "[email protected]"   # synthetic subject id
//!   email:   "[email protected]"   # synthetic email claim
//!   loa: 2                          # LOA tier the mock claims
//! ```

use async_trait::async_trait;

use crate::identity::{
    Challenge, ChallengeRequest, IdentityProvider, VerifiedIdentity,
};

pub struct MockProvider {
    id: String,
    subject: String,
    email: Option<String>,
    loa: u8,
}

impl MockProvider {
    pub fn new(id: impl Into<String>, subject: impl Into<String>, email: Option<String>, loa: u8) -> Self {
        Self {
            id: id.into(),
            subject: subject.into(),
            email,
            loa,
        }
    }
}

#[async_trait]
impl IdentityProvider for MockProvider {
    fn id(&self) -> &str {
        &self.id
    }

    fn is_ready(&self) -> bool {
        true
    }

    async fn begin(&self, req: ChallengeRequest) -> anyhow::Result<Challenge> {
        let nonce = hex::encode(rand::random::<[u8; 16]>());
        // Mock URL: the local callback server matches /verify/<id>?mock=1
        // and short-circuits to an exchange with a synthetic code.
        let verify_url = format!(
            "{base}/verify/{cid}?mock=1",
            base = strip_callback_suffix(&req.callback_url),
            cid = req.challenge_id,
        );
        Ok(Challenge {
            challenge_id: req.challenge_id,
            verify_url,
            pkce_verifier: None,
            nonce,
            expires_at: super::super::unix_now() + 300,
        })
    }

    async fn exchange(
        &self,
        _challenge_id: &str,
        _code: &str,
        _state: &str,
        _pkce_verifier: Option<&str>,
    ) -> anyhow::Result<VerifiedIdentity> {
        Ok(VerifiedIdentity {
            provider: self.id.clone(),
            subject: self.subject.clone(),
            email: self.email.clone(),
            loa: self.loa,
            raw: serde_json::Value::Null,
        })
    }
}

/// `callback_url` is given to providers as `http://host:port/callback`.
/// For the mock URL we want `http://host:port` (so we can compose
/// `/verify/<id>?mock=1`). Strip the trailing `/callback` if present.
fn strip_callback_suffix(callback_url: &str) -> String {
    callback_url
        .strip_suffix("/callback")
        .unwrap_or(callback_url)
        .to_string()
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::identity::Requirement;

    #[tokio::test]
    async fn mock_begin_and_exchange_succeed() {
        let p = MockProvider::new("mock", "sub-a", Some("[email protected]".into()), 2);
        let req = ChallengeRequest {
            rule_id: "scm.commit_to_main".into(),
            requirement: Requirement {
                provider: "mock".into(),
                scope: "scm.commit_to_main".into(),
                allowed_subjects: vec!["*".into()],
                max_proof_age_seconds: 900,
                loa: 2,
            },
            callback_url: "http://127.0.0.1:9999/callback".into(),
            challenge_id: "ch-1".into(),
        };
        let ch = p.begin(req).await.unwrap();
        assert_eq!(ch.challenge_id, "ch-1");
        assert!(ch.verify_url.starts_with("http://127.0.0.1:9999/verify/ch-1"));
        let vi = p.exchange("ch-1", "synthetic-code", "ch-1", None).await.unwrap();
        assert_eq!(vi.subject, "sub-a");
        assert_eq!(vi.loa, 2);
    }
}