sigil-protocol 0.1.5

SIGIL — Sovereign Identity-Gated Interaction Layer. An open protocol for securing AI agent-to-tool interactions.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205

//! Audit — tamper-evident logging of all security events.
//!
//! SIGIL defines the event schema (concrete struct) and the logger trait.
//! The schema is part of the protocol; the logging backend is implementation-specific.

use serde::{Deserialize, Serialize};

/// Types of security events defined by the SIGIL protocol.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
#[serde(rename_all = "snake_case")]
pub enum AuditEventType {
    /// An agent tool/command was executed.
    CommandExecution,
    /// A file was accessed.
    FileAccess,
    /// Configuration was changed.
    ConfigChange,
    /// Authentication succeeded.
    AuthSuccess,
    /// Authentication failed.
    AuthFailure,
    /// A security policy was violated.
    PolicyViolation,
    /// A general security event.
    SecurityEvent,
    /// Sensitive content was intercepted by the scanner.
    SigilInterception,
    /// An MCP tool call was gated.
    McpToolGated,
    /// An agent-to-agent delegation boundary was crossed.
    DelegationCrossing,
}

/// Actor — who performed the action.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct Actor {
    /// Channel the action originated from (e.g., "cli", "web", "mcp").
    pub channel: Option<String>,
    /// User identifier.
    pub user_id: Option<String>,
    /// Human-readable username.
    pub username: Option<String>,
}

/// Action — what was done.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct Action {
    /// Description of the action (e.g., command string, tool name).
    pub description: String,
    /// Risk level assessment.
    pub risk_level: String,
    /// Whether the action was approved (by user or policy).
    pub approved: bool,
    /// Whether the action was allowed (by security policy).
    pub allowed: bool,
}

/// Result of an action execution.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ExecutionResult {
    /// Whether the action succeeded.
    pub success: bool,
    /// Exit code (for command executions).
    pub exit_code: Option<i32>,
    /// Duration in milliseconds.
    pub duration_ms: u64,
    /// Error message if failed.
    pub error: Option<String>,
}

/// A complete SIGIL audit event.
///
/// This is the protocol's standard event format. All SIGIL-compliant
/// systems must produce events conforming to this schema.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditEvent {
    /// Unique event identifier.
    pub id: String,
    /// ISO 8601 timestamp.
    pub timestamp: String,
    /// Event type.
    pub event_type: AuditEventType,
    /// Who performed the action.
    pub actor: Actor,
    /// What was done.
    pub action: Action,
    /// Execution result.
    pub result: ExecutionResult,
    /// Optional HMAC signature for tamper evidence.
    pub signature: Option<String>,
}

impl AuditEvent {
    /// Create a new audit event with a unique ID and current timestamp.
    pub fn new(event_type: AuditEventType) -> Self {
        Self {
            id: uuid::Uuid::new_v4().to_string(),
            timestamp: chrono::Utc::now().to_rfc3339(),
            event_type,
            actor: Actor::default(),
            action: Action::default(),
            result: ExecutionResult::default(),
            signature: None,
        }
    }

    /// Set the actor.
    pub fn with_actor(
        mut self,
        channel: String,
        user_id: Option<String>,
        username: Option<String>,
    ) -> Self {
        self.actor = Actor {
            channel: Some(channel),
            user_id,
            username,
        };
        self
    }

    /// Set the action.
    pub fn with_action(
        mut self,
        description: String,
        risk_level: String,
        approved: bool,
        allowed: bool,
    ) -> Self {
        self.action = Action {
            description,
            risk_level,
            approved,
            allowed,
        };
        self
    }

    /// Set the execution result.
    pub fn with_result(
        mut self,
        success: bool,
        exit_code: Option<i32>,
        duration_ms: u64,
        error: Option<String>,
    ) -> Self {
        self.result = ExecutionResult {
            success,
            exit_code,
            duration_ms,
            error,
        };
        self
    }
}

/// Trait for audit logging backends.
///
/// Implementations choose their storage (file, database, remote, etc.)
/// and may add features like HMAC signing, rotation, or streaming.
pub trait AuditLogger: Send + Sync {
    /// Log a SIGIL audit event.
    fn log(&self, event: &AuditEvent) -> anyhow::Result<()>;
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn audit_event_creates_unique_ids() {
        let e1 = AuditEvent::new(AuditEventType::CommandExecution);
        let e2 = AuditEvent::new(AuditEventType::CommandExecution);
        assert_ne!(e1.id, e2.id);
    }

    #[test]
    fn audit_event_serializes_to_json() {
        let event = AuditEvent::new(AuditEventType::SigilInterception)
            .with_actor("cli".into(), Some("u1".into()), Some("alice".into()))
            .with_action("Redacted IBAN".into(), "high".into(), true, true);

        let json = serde_json::to_string(&event).unwrap();
        assert!(json.contains("sigil_interception"));
        assert!(json.contains("alice"));
    }

    #[test]
    fn audit_event_type_variants_exhaustive() {
        // Ensure the protocol defines all expected event types
        let types = vec![
            AuditEventType::CommandExecution,
            AuditEventType::FileAccess,
            AuditEventType::ConfigChange,
            AuditEventType::AuthSuccess,
            AuditEventType::AuthFailure,
            AuditEventType::PolicyViolation,
            AuditEventType::SecurityEvent,
            AuditEventType::SigilInterception,
            AuditEventType::McpToolGated,
            AuditEventType::DelegationCrossing,
        ];
        assert_eq!(types.len(), 10);
    }
}