mur-common 2.20.7

Shared types and traits for the MUR ecosystem
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

use super::types::TrustLevel;
use serde::{Deserialize, Serialize};
use std::str::FromStr;

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum Capability {
    FsReadAgentHome,
    FsWriteAgentHome,
    FsReadHost,
    FsWriteHost,
    NetworkOutbound,
    NetworkOutboundAllowlisted,
    SpawnAllowlisted,
    Spawn,
    Mcp,
    SkillReadOthers,
}

impl FromStr for Capability {
    type Err = ();
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        let v: serde_yaml_ng::Value = serde_yaml_ng::Value::String(s.to_string());
        serde_yaml_ng::from_value(v).map_err(|_| ())
    }
}

pub fn allowed_for(level: TrustLevel) -> &'static [Capability] {
    use Capability::*;
    match level {
        TrustLevel::Sandboxed => &[FsReadAgentHome, Mcp],
        TrustLevel::Verified => &[
            FsReadAgentHome,
            FsWriteAgentHome,
            NetworkOutboundAllowlisted,
            SpawnAllowlisted,
            Mcp,
        ],
        TrustLevel::Trusted => &[
            FsReadAgentHome,
            FsWriteAgentHome,
            FsReadHost,
            FsWriteHost,
            NetworkOutbound,
            NetworkOutboundAllowlisted,
            Spawn,
            SpawnAllowlisted,
            Mcp,
            SkillReadOthers,
        ],
    }
}

#[derive(Debug, PartialEq, Eq)]
pub struct CapabilityViolation {
    pub capability: Capability,
    pub trust_level: TrustLevel,
}

pub fn check_capabilities(
    declared: &[String],
    level: TrustLevel,
) -> Result<(), CapabilityViolation> {
    let allowed = allowed_for(level);
    for s in declared {
        let Ok(cap) = Capability::from_str(s) else {
            return Err(CapabilityViolation {
                capability: Capability::Mcp,
                trust_level: level,
            });
        };
        if !allowed.contains(&cap) {
            return Err(CapabilityViolation {
                capability: cap,
                trust_level: level,
            });
        }
    }
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn sandboxed_blocks_network() {
        let r = check_capabilities(&["network_outbound".into()], TrustLevel::Sandboxed);
        assert!(matches!(
            r,
            Err(CapabilityViolation {
                capability: Capability::NetworkOutbound,
                ..
            })
        ));
    }

    #[test]
    fn verified_allows_allowlisted_net() {
        let r = check_capabilities(
            &[
                "network_outbound_allowlisted".into(),
                "fs_write_agent_home".into(),
            ],
            TrustLevel::Verified,
        );
        assert!(r.is_ok());
    }

    #[test]
    fn trusted_allows_everything_declared() {
        let r = check_capabilities(
            &["spawn".into(), "fs_write_host".into()],
            TrustLevel::Trusted,
        );
        assert!(r.is_ok());
    }

    #[test]
    fn unknown_capability_rejected() {
        let r = check_capabilities(&["nuke_from_orbit".into()], TrustLevel::Trusted);
        assert!(r.is_err());
    }

    #[test]
    fn empty_declarations_always_ok() {
        assert!(check_capabilities(&[], TrustLevel::Sandboxed).is_ok());
    }
}