deepstrike-core 0.2.33

Cross-language agent runtime kernel — pure computation, zero I/O
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357

use serde::{Deserialize, Serialize};

use super::audit::AuditLog;
use super::constraint::ConstraintValidator;
use super::permission::{PermissionAction, PermissionManager};
use super::rate_limit::RateLimiter;
use super::sandbox::{SandboxPolicy, SandboxProfile};
use super::tool_decision::{ToolDecision, ToolDecisionPipeline, ToolDecisionStage};
use super::veto::VetoAuthority;
use crate::types::capability::CapabilityDescriptor;
use crate::types::message::ToolCall;
use crate::types::policy::{CallerContext, GovernanceVerdict};
use crate::AgentRunSpec;

/// Security policy snapshot for auditing/inspection.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SecurityPolicySnapshot {
    pub default_permission: String,
    pub rule_count: usize,
    pub veto_count: usize,
    pub rate_limit_count: usize,
    pub constraint_count: usize,
    pub has_sandbox_profile: bool,
}

/// Full governance pipeline: CapabilityCheck -> ConstraintCheck -> PermissionCheck -> VetoCheck -> RateLimit -> SandboxPolicy
/// Any stage can deny; all must pass for Allow.
pub struct GovernancePipeline {
    pub permission: PermissionManager,
    pub veto: VetoAuthority,
    pub rate_limiter: RateLimiter,
    pub constraints: ConstraintValidator,
    pub audit: AuditLog,
    pub sandbox: SandboxPolicy,
    pub capabilities: Option<Vec<CapabilityDescriptor>>,
    pub run_spec: Option<AgentRunSpec>,
}

impl GovernancePipeline {
    pub fn new(default_action: PermissionAction) -> Self {
        Self {
            permission: PermissionManager::new(default_action),
            veto: VetoAuthority::new(),
            rate_limiter: RateLimiter::default(),
            constraints: ConstraintValidator::new(),
            audit: AuditLog::new(),
            sandbox: SandboxPolicy::new(),
            capabilities: None,
            run_spec: None,
        }
    }

    /// Set sandbox profile
    pub fn set_sandbox_profile(&mut self, profile: SandboxProfile) {
        self.sandbox.profile = Some(profile);
    }

    /// Set capabilities list
    pub fn set_capabilities(&mut self, capabilities: Vec<CapabilityDescriptor>) {
        self.capabilities = Some(capabilities);
    }

    /// Set agent run spec
    pub fn set_run_spec(&mut self, run_spec: AgentRunSpec) {
        self.run_spec = Some(run_spec);
    }

    /// Expose current policy snapshot
    pub fn take_policy_snapshot(&self) -> SecurityPolicySnapshot {
        let default_perm = match self.permission.default_action() {
            PermissionAction::Allow => "allow",
            PermissionAction::Deny => "deny",
            PermissionAction::AskUser => "ask_user",
        };
        SecurityPolicySnapshot {
            default_permission: default_perm.to_string(),
            rule_count: self.permission.rule_count(),
            veto_count: self.veto.blocked_count() + self.veto.custom_count(),
            rate_limit_count: self.rate_limiter.limit_count(),
            constraint_count: self.constraints.constraint_count(),
            has_sandbox_profile: self.sandbox.profile.is_some(),
        }
    }

    /// Set the current timestamp for rate limiting and audit.
    pub fn set_time(&mut self, now_ms: u64) {
        self.rate_limiter.set_time(now_ms);
        self.audit.set_time(now_ms);
    }

    /// Evaluate a tool call through the full pipeline.
    pub fn evaluate(&mut self, call: &ToolCall, caller: &CallerContext) -> GovernanceVerdict {
        let mut decisions = Vec::new();

        // 1. Classifier
        decisions.push(ToolDecision::allow(ToolDecisionStage::Classifier));

        // 2. CapabilityCheck
        let capability_verdict = self.check_capability(call);
        decisions.push(match capability_verdict {
            Some(v) => ToolDecision {
                stage: ToolDecisionStage::CapabilityCheck,
                verdict: v,
            },
            None => ToolDecision::allow(ToolDecisionStage::CapabilityCheck),
        });

        // 3. ConstraintCheck
        let constraint_verdict = self.constraints.validate(call);
        decisions.push(match constraint_verdict {
            Some(v) => ToolDecision {
                stage: ToolDecisionStage::ConstraintCheck,
                verdict: v,
            },
            None => ToolDecision::allow(ToolDecisionStage::ConstraintCheck),
        });

        // 4. PermissionCheck
        let permission_verdict = self.permission.check(call, caller);
        decisions.push(match permission_verdict {
            Some(v) => ToolDecision {
                stage: ToolDecisionStage::PermissionCheck,
                verdict: v,
            },
            None => ToolDecision::allow(ToolDecisionStage::PermissionCheck),
        });

        // 5. VetoCheck
        let veto_verdict = self.veto.check(call, caller);
        decisions.push(match veto_verdict {
            Some(v) => ToolDecision {
                stage: ToolDecisionStage::VetoCheck,
                verdict: v,
            },
            None => ToolDecision::allow(ToolDecisionStage::VetoCheck),
        });

        // 6. RateLimit
        let rate_verdict = self.rate_limiter.check(call);
        decisions.push(match rate_verdict {
            Some(v) => ToolDecision {
                stage: ToolDecisionStage::RateLimit,
                verdict: v,
            },
            None => ToolDecision::allow(ToolDecisionStage::RateLimit),
        });

        // 7. SandboxPolicy
        let sandbox_verdict = self.sandbox.check(call);
        decisions.push(match sandbox_verdict {
            Some(v) => ToolDecision {
                stage: ToolDecisionStage::SandboxPolicy,
                verdict: v,
            },
            None => ToolDecision::allow(ToolDecisionStage::SandboxPolicy),
        });

        // 8. Audit (we reduce first and then audit the final verdict)
        let final_verdict = ToolDecisionPipeline::reduce(&decisions);

        match final_verdict {
            GovernanceVerdict::Allow => {
                self.audit.record_allow(call);
            }
            ref other => {
                self.audit.record_deny(call, other);
            }
        }

        final_verdict
    }

    fn check_capability(&self, call: &ToolCall) -> Option<GovernanceVerdict> {
        // If capabilities manifest is mounted, check it
        if let Some(ref caps) = self.capabilities {
            let found = caps.iter().any(|c| {
                c.kind == crate::types::capability::CapabilityKind::Tool && c.id == call.name.as_str()
            });
            if !found {
                return Some(GovernanceVerdict::Deny {
                    stage: "capability_check",
                    reason: format!(
                        "tool '{}' is not mounted in the current capabilities manifest",
                        call.name
                    ),
                });
            }
        }

        // If run_spec is set, check run_spec filter
        if let Some(ref spec) = self.run_spec {
            let desc = crate::types::capability::CapabilityDescriptor::marker(
                crate::types::capability::CapabilityKind::Tool,
                call.name.clone(),
                "",
            );
            if !spec.capability_filter.allows(&desc) {
                return Some(GovernanceVerdict::Deny {
                    stage: "capability_check",
                    reason: format!(
                        "tool '{}' is blocked by agent run specification capability filter",
                        call.name
                    ),
                });
            }
        }

        None
    }
}

impl Default for GovernancePipeline {
    fn default() -> Self {
        Self::new(PermissionAction::Allow)
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::governance::permission::PermissionRule;
    use compact_str::CompactString;

    fn call(name: &str) -> ToolCall {
        ToolCall {
            id: CompactString::new("c1"),
            name: CompactString::new(name),
            arguments: serde_json::Value::Null,
        }
    }

    fn caller() -> CallerContext {
        CallerContext {
            agent_id: "a".into(),
            session_id: "s".into(),
            is_sub_agent: false,
            parent_session_id: None,
        }
    }

    #[test]
    fn full_pipeline_allow() {
        let mut pipeline = GovernancePipeline::new(PermissionAction::Allow);
        pipeline.set_time(1000);
        let v = pipeline.evaluate(&call("read_file"), &caller());
        assert!(matches!(v, GovernanceVerdict::Allow));
        assert_eq!(pipeline.audit.len(), 1);
    }

    #[test]
    fn permission_deny_stops_pipeline() {
        let mut pipeline = GovernancePipeline::new(PermissionAction::Allow);
        pipeline.permission.add_rule(PermissionRule {
            tool_pattern: "danger.*".into(),
            action: PermissionAction::Deny,
        });

        let v = pipeline.evaluate(&call("danger.delete"), &caller());
        assert!(matches!(
            v,
            GovernanceVerdict::Deny {
                stage: "permission",
                ..
            }
        ));
    }

    #[test]
    fn veto_overrides_permission() {
        let mut pipeline = GovernancePipeline::new(PermissionAction::Allow);
        pipeline.veto.block_tool("nuke");

        let v = pipeline.evaluate(&call("nuke"), &caller());
        assert!(matches!(v, GovernanceVerdict::Deny { stage: "veto", .. }));
    }

    #[test]
    fn ask_user_verdict() {
        let mut pipeline = GovernancePipeline::new(PermissionAction::Allow);
        pipeline.set_time(1000);
        pipeline.permission.add_rule(PermissionRule {
            tool_pattern: "sensitive.*".into(),
            action: PermissionAction::AskUser,
        });

        let v = pipeline.evaluate(&call("sensitive.delete"), &caller());
        assert!(matches!(v, GovernanceVerdict::AskUser { .. }));
    }

    #[test]
    fn deny_default_blocks_all() {
        let mut pipeline = GovernancePipeline::new(PermissionAction::Deny);
        pipeline.set_time(1000);
        let v = pipeline.evaluate(&call("anything"), &caller());
        assert!(matches!(
            v,
            GovernanceVerdict::Deny {
                stage: "permission",
                ..
            }
        ));
    }

    // ─── Monotonic Veto invariant ──────────────────────────────────────────
    // Once VetoAuthority issues Deny, no other stage can flip it to Allow.

    #[test]
    fn veto_deny_overrides_explicit_permission_allow() {
        // Permission has an explicit Allow rule for the tool (returns None = pass-through).
        // Veto hard-blocks the same tool.
        // The veto must win — permission Allow cannot suppress a veto Deny.
        let mut pipeline = GovernancePipeline::new(PermissionAction::Deny);
        pipeline.permission.add_rule(PermissionRule {
            tool_pattern: "rm_rf".into(),
            action: PermissionAction::Allow,
        });
        pipeline.veto.block_tool("rm_rf");

        let v = pipeline.evaluate(&call("rm_rf"), &caller());
        assert!(
            matches!(v, GovernanceVerdict::Deny { stage: "veto", .. }),
            "Veto must override explicit permission Allow: got {v:?}",
        );
    }

    #[test]
    fn veto_deny_is_monotonic_across_repeated_evaluations() {
        // After a Veto Deny is issued, subsequent evaluations on the same pipeline
        // continue to return Deny — the veto is not a one-shot effect.
        let mut pipeline = GovernancePipeline::new(PermissionAction::Allow);
        pipeline.veto.block_tool("nuke");

        for _ in 0..3 {
            let v = pipeline.evaluate(&call("nuke"), &caller());
            assert!(
                matches!(v, GovernanceVerdict::Deny { stage: "veto", .. }),
                "Veto deny must persist monotonically: got {v:?}",
            );
        }
    }

    #[test]
    fn veto_deny_blocks_even_when_default_is_allow() {
        // Sanity: the overall pipeline default of Allow does not prevent Veto.
        // This ensures no Allow shortcut fires before the Veto stage.
        let mut pipeline = GovernancePipeline::new(PermissionAction::Allow);
        pipeline.veto.block_tool("exec_shell");

        // Allowed tool passes through
        let pass = pipeline.evaluate(&call("read_file"), &caller());
        assert!(matches!(pass, GovernanceVerdict::Allow));

        // Vetoed tool is denied regardless of the Allow default
        let deny = pipeline.evaluate(&call("exec_shell"), &caller());
        assert!(matches!(deny, GovernanceVerdict::Deny { stage: "veto", .. }));
    }
}