kovra-native-macos 0.8.0

macOS LocalAuthentication (Touch ID) Confirmer for kovra (free core, [host]-validated).
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264

//! `kovra-native-macos` — the macOS Touch ID [`Confirmer`] (spec §8, §14.1; L8
//! `[host]`).
//!
//! This crate is the **native half** of the confirmation broker: it renders the
//! core-authored [`ConfirmRequest`] in a macOS LocalAuthentication dialog and
//! returns [`ConfirmOutcome::Approved`] / [`ConfirmOutcome::Denied`] /
//! [`ConfirmOutcome::TimedOut`]. It is a *third* [`Confirmer`] implementation
//! beside [`kovra_core::CliApproveConfirmer`] and [`kovra_core::FileConfirmer`].
//!
//! Design constraints (immutable — see `CLAUDE.md`, spec §2):
//!
//! - **I16 — the prompt is authoritative from the core.** The native dialog
//!   *only* renders what the core put in [`ConfirmRequest`] (resolved `argv`,
//!   coordinate, sensitivity, environment, origin). It never fabricates its own
//!   prompt, and any requester-supplied free text is shown clearly segregated as
//!   untrusted. See [`render::prompt_text`].
//! - **No self-approve (§8.2).** Approval is performed by a human at the Touch ID
//!   sensor — a channel outside the model's process. The agent only *triggers*
//!   the prompt; it cannot satisfy it.
//! - **Timeout ⇒ deny (§8).** Anything that is not an explicit biometric success
//!   is a denial. A timeout is reported distinctly for audit but never delivers.
//! - **No secret value is ever rendered, logged, or returned (I7/I12).** Only the
//!   coordinate *address* and the resolved command appear in the dialog.
//!
//! ## `core` does not depend on this crate
//!
//! Trait injection points *into* core: `native-macos` depends on `kovra-core`,
//! never the reverse (spec §17). The CLI selects a [`Confirmer`] at the edge.
//!
//! ## Cross-platform
//!
//! The real LocalAuthentication binding lives under `cfg(target_os = "macos")`.
//! On every other target the crate compiles to a no-op stub whose
//! [`Biometric::prompt`] reports "unavailable" (denies) and whose
//! [`biometrics_available`] returns `false`, so the CLI auto-falls-back to the
//! file broker and the whole workspace builds on Linux CI.
//!
//! ## `[host]` validation
//!
//! The real Touch ID path (`LAContext`) is **not** exercised by automated tests —
//! it requires real hardware and a real human finger. It is validated by a human
//! on an M4 (see the crate's README / KOV-15 checklist). Automated tests here use
//! a deterministic mock [`Biometric`] and assert the OS-independent contract
//! (rendering, timeout⇒deny, no-self-approve, no leak).

use std::time::Duration;

use kovra_core::{Biometric, ConfirmOutcome, ConfirmRequest, Confirmer};

pub mod formatter;
pub mod render;

pub use formatter::DiskutilFormatter;

#[cfg(target_os = "macos")]
mod macos;

/// Whether an attended biometric prompt can actually be shown on this host
/// right now: macOS with biometrics present and enrolled. On non-macOS, or when
/// no hardware is present / the user is not enrolled, this is `false` and the
/// caller should fall back to [`kovra_core::FileConfirmer`].
///
/// This is a cheap, side-effect-free capability probe (`LAContext
/// canEvaluatePolicy:`); it does **not** show a dialog.
#[must_use]
pub fn biometrics_available() -> bool {
    #[cfg(target_os = "macos")]
    {
        macos::can_evaluate()
    }
    #[cfg(not(target_os = "macos"))]
    {
        false
    }
}

/// The native [`Biometric`] for this host.
///
/// On macOS this is the real `LAContext`-backed prompt (`[host]`). On other
/// targets it is a stub that always denies (biometrics is unavailable), which
/// keeps the type usable in cross-platform builds even though the CLI will never
/// select it off-macOS.
pub struct NativeBiometric {
    #[cfg(target_os = "macos")]
    inner: macos::MacBiometric,
}

impl NativeBiometric {
    /// Construct the host biometric handle.
    #[must_use]
    pub fn new() -> Self {
        Self {
            #[cfg(target_os = "macos")]
            inner: macos::MacBiometric::new(),
        }
    }
}

impl Default for NativeBiometric {
    fn default() -> Self {
        Self::new()
    }
}

impl Biometric for NativeBiometric {
    fn prompt(&self, req: &ConfirmRequest, timeout: Duration) -> ConfirmOutcome {
        #[cfg(target_os = "macos")]
        {
            self.inner.prompt(req, timeout)
        }
        #[cfg(not(target_os = "macos"))]
        {
            // No biometrics off-macOS: fail safe to denial. The CLI never selects
            // this path (it falls back to the file broker), but the trait must be
            // total.
            let _ = (req, timeout);
            ConfirmOutcome::Denied
        }
    }
}

/// A [`Confirmer`] that resolves a request through an attended biometric prompt.
///
/// This is the adapter from the OS-independent [`Confirmer`] surface (what the
/// wrapper/CLI consume) onto a [`Biometric`] implementation (the native dialog).
/// The biometric does the work; this type just maps the trait. The `B` generic
/// lets tests inject a deterministic mock [`Biometric`] without touching hardware.
pub struct BiometricConfirmer<B: Biometric = NativeBiometric> {
    biometric: B,
}

impl BiometricConfirmer<NativeBiometric> {
    /// A confirmer backed by the host's native biometric prompt.
    #[must_use]
    pub fn new() -> Self {
        Self {
            biometric: NativeBiometric::new(),
        }
    }
}

impl Default for BiometricConfirmer<NativeBiometric> {
    fn default() -> Self {
        Self::new()
    }
}

impl<B: Biometric> BiometricConfirmer<B> {
    /// A confirmer backed by an explicit [`Biometric`] (tests inject a mock).
    pub fn with_biometric(biometric: B) -> Self {
        Self { biometric }
    }
}

impl<B: Biometric> Confirmer for BiometricConfirmer<B> {
    fn confirm(&self, req: &ConfirmRequest, timeout: Duration) -> ConfirmOutcome {
        // The biometric prompt is the *only* way this resolves. There is no
        // in-process approve path (§8.2): the human authorizes at the sensor.
        self.biometric.prompt(req, timeout)
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use kovra_core::{Origin, Sensitivity};
    use std::cell::Cell;

    fn req() -> ConfirmRequest {
        ConfirmRequest::new("prod/db/password", Sensitivity::High, "prod", Origin::Agent)
            .with_command("/usr/bin/deploy --env prod")
    }

    /// A deterministic stand-in for the native dialog. Records that it was asked
    /// and returns a preset outcome — no hardware, no Touch ID.
    struct MockBiometric {
        outcome: ConfirmOutcome,
        prompted: Cell<u32>,
        last_text: std::cell::RefCell<Option<String>>,
    }

    impl MockBiometric {
        fn new(outcome: ConfirmOutcome) -> Self {
            Self {
                outcome,
                prompted: Cell::new(0),
                last_text: std::cell::RefCell::new(None),
            }
        }
    }

    impl Biometric for MockBiometric {
        fn prompt(&self, req: &ConfirmRequest, _timeout: Duration) -> ConfirmOutcome {
            self.prompted.set(self.prompted.get() + 1);
            // Mirror the real impl: render the authoritative text from the core
            // request (so a leak in rendering would be caught here too).
            *self.last_text.borrow_mut() = Some(render::prompt_text(req));
            self.outcome
        }
    }

    // I3: a high/prod confirmation drives the confirmer and the outcome decides
    // delivery — Approved delivers, Denied/TimedOut never do.
    #[test]
    fn i3_high_prod_drives_confirm_and_outcome_gates_delivery() {
        for outcome in [
            ConfirmOutcome::Approved,
            ConfirmOutcome::Denied,
            ConfirmOutcome::TimedOut,
        ] {
            let bio = MockBiometric::new(outcome);
            let confirmer = BiometricConfirmer::with_biometric(bio);
            let got = confirmer.confirm(&req(), Duration::from_secs(1));
            assert_eq!(got, outcome);
            assert_eq!(got.is_approved(), outcome == ConfirmOutcome::Approved);
        }
    }

    // §8: timeout fails safe to denial (is_approved() is false).
    #[test]
    fn timeout_fails_safe_to_denial() {
        let confirmer =
            BiometricConfirmer::with_biometric(MockBiometric::new(ConfirmOutcome::TimedOut));
        let got = confirmer.confirm(&req(), Duration::ZERO);
        assert_eq!(got, ConfirmOutcome::TimedOut);
        assert!(!got.is_approved());
    }

    // §8.2: the confirmer has no in-process approve method — resolution comes only
    // from the biometric (the human at the sensor). Confirming a request always
    // routes through the biometric prompt; there is no path that approves without
    // it. We assert structurally: every confirm() invokes the biometric exactly
    // once and returns precisely what it decided (no override, no self-approve).
    #[test]
    fn no_self_approve_resolution_only_via_biometric() {
        let bio = MockBiometric::new(ConfirmOutcome::Denied);
        let confirmer = BiometricConfirmer::with_biometric(bio);
        let got = confirmer.confirm(&req(), Duration::from_secs(1));
        // The only resolution is the biometric's denial — the confirmer cannot
        // turn it into an approval.
        assert_eq!(got, ConfirmOutcome::Denied);
        assert_eq!(confirmer.biometric.prompted.get(), 1);
    }

    // I7/I12: the value never reaches the confirm path. We attach a realistic
    // (fake) secret-looking string only as the *coordinate address* would never
    // contain it; assert the rendered dialog the biometric sees carries no value,
    // only the address + command.
    #[test]
    fn i7_i12_no_secret_value_in_confirm_path() {
        let bio = MockBiometric::new(ConfirmOutcome::Approved);
        let confirmer = BiometricConfirmer::with_biometric(bio);
        let _ = confirmer.confirm(&req(), Duration::from_secs(1));
        let text = confirmer.biometric.last_text.borrow().clone().unwrap();
        // The dialog contains the address (environment + secret, env prefix
        // stripped) and the command, never a value (there is no value field on
        // ConfirmRequest to begin with — this guards rendering).
        assert!(text.contains("Environment: prod"));
        assert!(text.contains("Secret: db/password"));
        assert!(text.contains("/usr/bin/deploy --env prod"));
        // No accidental value-shaped leakage.
        assert!(!text.to_lowercase().contains("secret-value"));
    }
}