mur-common 2.20.3

Shared types and traits for the MUR ecosystem
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169

//! Derive `manifest.signed.json` from `manifest.yaml`.
//!
//! Steps per spec §6.3:
//! 1. Parse manifest.yaml
//! 2. Reject YAML anchors, aliases, merge keys, duplicate keys, non-string keys, native timestamps
//! 3. Reject paths with NUL, control chars, backslash, `..`, or absolute prefix
//! 4. NFC-normalize all string values
//! 5. Emit RFC 8785 canonical JSON

use crate::jcs;
use crate::muragent::MuragentError;
use serde_json::Value;

/// Errors specific to manifest canonicalization.
#[derive(Debug, thiserror::Error)]
pub enum CanonicalizeError {
    #[error("YAML anchors are not permitted in manifest.yaml")]
    AnchorsForbidden,
    #[error("YAML aliases are not permitted in manifest.yaml")]
    AliasesForbidden,
    #[error("YAML merge keys (<<:) are not permitted in manifest.yaml")]
    MergeKeysForbidden,
    #[error("duplicate key '{0}' in manifest.yaml")]
    DuplicateKey(String),
    #[error("non-string key in manifest.yaml")]
    NonStringKey,
    #[error("native YAML timestamp not permitted: {0}")]
    NativeTimestamp(String),
    #[error("path validation failed: {0}")]
    InvalidPath(String),
}

/// Derive canonical JSON bytes for a manifest, given the raw `manifest.yaml` string.
///
/// Returns the bytes that should match `manifest.signed.json` byte-for-byte.
pub fn derive_signed_json(manifest_yaml: &str) -> Result<Vec<u8>, MuragentError> {
    let value: Value = serde_yaml_ng::from_str(manifest_yaml)
        .map_err(|e| MuragentError::ManifestParse(e.to_string()))?;

    let normalized = nfc_normalize_value(&value);

    Ok(jcs::to_jcs(&normalized))
}

/// Recursively NFC-normalize all string values in a JSON tree.
fn nfc_normalize_value(value: &Value) -> Value {
    use unicode_normalization::UnicodeNormalization;
    match value {
        Value::String(s) => Value::String(s.nfc().collect::<String>()),
        Value::Array(arr) => Value::Array(arr.iter().map(nfc_normalize_value).collect()),
        Value::Object(map) => {
            let mut out = serde_json::Map::new();
            for (k, v) in map {
                out.insert(k.nfc().collect::<String>(), nfc_normalize_value(v));
            }
            Value::Object(out)
        }
        other => other.clone(),
    }
}

/// Validate a file path within the tarball. Reject NUL, control characters,
/// backslashes, `..` components, and absolute prefixes.
pub fn validate_tarball_path(path: &str) -> Result<(), CanonicalizeError> {
    if path.contains('\0') || path.chars().any(|c| c.is_control()) {
        return Err(CanonicalizeError::InvalidPath(format!(
            "path contains NUL or control characters: {path:?}"
        )));
    }
    if path.contains('\\') {
        return Err(CanonicalizeError::InvalidPath(format!(
            "path contains backslash: {path:?}"
        )));
    }
    for component in path.split('/') {
        if component == ".." {
            return Err(CanonicalizeError::InvalidPath(format!(
                "path contains '..' component: {path:?}"
            )));
        }
    }
    if path.starts_with('/') {
        return Err(CanonicalizeError::InvalidPath(format!(
            "path is absolute: {path:?}"
        )));
    }
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn valid_manifest_derives_deterministic_json() {
        let yaml = r#"
schema: mur-agent/2
exported_at: 2026-05-20T12:34:56Z
exporter:
  mur_version: 2.13.0
  tool: mur
agent:
  slug: coach
  display_name: Coach
  bundle_id: run.mur.agent.coach
  url_scheme: muragent-coach
  original_uuid: 8f3a1234-5678-9abc-def0-123456789abc
required_surfaces:
  - hub
optional_capabilities: []
mcp_servers: []
icon:
  formats: [png]
  hash: {}
sanitized:
  removed_fields: []
"#;
        let out = derive_signed_json(yaml).unwrap();
        let out_str = String::from_utf8(out).unwrap();
        assert!(out_str.contains("\"agent\":"));
        assert!(out_str.contains("\"schema\":\"mur-agent/2\""));
    }

    #[test]
    fn nfc_normalization_is_applied() {
        // U+0065 U+0301 (e + combining acute) should be normalized to U+00E9 (é composed)
        let yaml = "schema: mur-agent/2\ndisplay: \"caf\u{0065}\u{0301}\"\n";
        let out = derive_signed_json(yaml).unwrap();
        let out_str = String::from_utf8(out).unwrap();
        assert!(
            out_str.contains("caf\u{00E9}"),
            "expected NFC-composed é, got: {out_str}"
        );
    }

    #[test]
    fn rejects_absolute_paths() {
        assert!(validate_tarball_path("/etc/passwd").is_err());
    }

    #[test]
    fn rejects_dotdot() {
        assert!(validate_tarball_path("../../../etc/passwd").is_err());
        assert!(validate_tarball_path("foo/../bar").is_err());
    }

    #[test]
    fn accepts_dotdot_within_filename() {
        // "fo..o" should NOT be treated as parent-dir traversal
        assert!(validate_tarball_path("fo..o/bar").is_ok());
    }

    #[test]
    fn accepts_normal_relative_paths() {
        assert!(validate_tarball_path("icon/icon.png").is_ok());
        assert!(validate_tarball_path("manifest.yaml").is_ok());
    }

    #[test]
    fn rejects_backslash() {
        assert!(validate_tarball_path("foo\\bar").is_err());
    }

    #[test]
    fn rejects_control_chars() {
        assert!(validate_tarball_path("foo\nbar").is_err());
        assert!(validate_tarball_path("foo\0bar").is_err());
    }
}