symbi-runtime 1.6.0

Agent Runtime System for the Symbi platform
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355

//! Secrets auditing infrastructure
//!
//! This module provides structured auditing for all secret operations,
//! allowing tracking of who accessed what secrets and when.

use async_trait::async_trait;
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use std::path::PathBuf;
use std::sync::Arc;
use thiserror::Error;
use tokio::fs::OpenOptions;
use tokio::io::AsyncWriteExt;

/// Controls whether audit failures block secret operations
#[derive(Debug, Default, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum AuditFailureMode {
    /// Block the secret operation if audit logging fails (production default)
    #[default]
    Strict,
    /// Log a warning and allow the operation to proceed
    Permissive,
}

/// Errors that can occur during audit operations
#[derive(Debug, Error, Clone, Serialize, Deserialize)]
pub enum AuditError {
    /// IO error during audit logging
    #[error("Audit IO error: {message}")]
    IoError { message: String },

    /// Serialization error when converting audit events to JSON
    #[error("Audit serialization error: {message}")]
    SerializationError { message: String },

    /// Configuration error for audit sink
    #[error("Audit configuration error: {message}")]
    ConfigurationError { message: String },

    /// Permission error when writing audit logs
    #[error("Audit permission error: {message}")]
    PermissionError { message: String },
}

/// A structured audit event for secret operations
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SecretAuditEvent {
    /// Timestamp when the event occurred
    pub timestamp: DateTime<Utc>,
    /// ID of the agent performing the action
    pub agent_id: String,
    /// The type of operation performed
    pub operation: String,
    /// The key of the secret being accessed (if applicable)
    pub secret_key: Option<String>,
    /// The result of the operation
    pub outcome: AuditOutcome,
    /// Error details if the operation failed
    pub error_message: Option<String>,
    /// Additional context or metadata
    pub metadata: Option<serde_json::Value>,
}

/// Outcome of a secret operation for auditing
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum AuditOutcome {
    /// Intent to perform an operation (logged *before* the call)
    Attempt,
    /// Operation completed successfully
    Success,
    /// Operation failed
    Failure,
}

impl SecretAuditEvent {
    /// Create an intent-to-access audit event, logged **before** the backend call.
    ///
    /// This ensures that even if the process crashes during the Vault/file read,
    /// there is a paper trail showing the access was attempted.
    pub fn attempt(agent_id: String, operation: String, secret_key: Option<String>) -> Self {
        Self {
            timestamp: Utc::now(),
            agent_id,
            operation,
            secret_key,
            outcome: AuditOutcome::Attempt,
            error_message: None,
            metadata: None,
        }
    }

    /// Create a new audit event for a successful operation
    pub fn success(agent_id: String, operation: String, secret_key: Option<String>) -> Self {
        Self {
            timestamp: Utc::now(),
            agent_id,
            operation,
            secret_key,
            outcome: AuditOutcome::Success,
            error_message: None,
            metadata: None,
        }
    }

    /// Create a new audit event for a failed operation
    pub fn failure(
        agent_id: String,
        operation: String,
        secret_key: Option<String>,
        error_message: String,
    ) -> Self {
        Self {
            timestamp: Utc::now(),
            agent_id,
            operation,
            secret_key,
            outcome: AuditOutcome::Failure,
            error_message: Some(error_message),
            metadata: None,
        }
    }

    /// Add metadata to the audit event
    pub fn with_metadata(mut self, metadata: serde_json::Value) -> Self {
        self.metadata = Some(metadata);
        self
    }
}

/// Trait for audit sink implementations that can log secret operations
#[async_trait]
pub trait SecretAuditSink: Send + Sync {
    /// Log an audit event
    ///
    /// # Arguments
    /// * `event` - The audit event to log
    ///
    /// # Returns
    /// * `Ok(())` - If the event was successfully logged
    /// * `Err(AuditError)` - If there was an error logging the event
    async fn log_event(&self, event: SecretAuditEvent) -> Result<(), AuditError>;

    /// Return the failure mode for this audit sink
    fn failure_mode(&self) -> AuditFailureMode;
}

/// JSON file-based audit sink that appends audit events as JSON lines
pub struct JsonFileAuditSink {
    /// Path to the audit log file
    file_path: PathBuf,
    /// Failure mode for this sink
    failure_mode: AuditFailureMode,
}

impl JsonFileAuditSink {
    /// Create a new JSON file audit sink
    ///
    /// # Arguments
    /// * `file_path` - Path to the audit log file
    ///
    /// # Returns
    /// * New JsonFileAuditSink instance (defaults to Strict failure mode)
    pub fn new(file_path: PathBuf) -> Self {
        Self {
            file_path,
            failure_mode: AuditFailureMode::default(),
        }
    }

    /// Create a new JSON file audit sink with a specific failure mode
    pub fn with_failure_mode(file_path: PathBuf, failure_mode: AuditFailureMode) -> Self {
        Self {
            file_path,
            failure_mode,
        }
    }

    /// Ensure the audit log directory exists
    async fn ensure_directory_exists(&self) -> Result<(), AuditError> {
        if let Some(parent) = self.file_path.parent() {
            tokio::fs::create_dir_all(parent)
                .await
                .map_err(|e| AuditError::IoError {
                    message: format!("Failed to create audit log directory: {}", e),
                })?;
        }
        Ok(())
    }
}

#[async_trait]
impl SecretAuditSink for JsonFileAuditSink {
    async fn log_event(&self, event: SecretAuditEvent) -> Result<(), AuditError> {
        // Ensure the directory exists
        self.ensure_directory_exists().await?;

        // Serialize the event to JSON
        let json_line =
            serde_json::to_string(&event).map_err(|e| AuditError::SerializationError {
                message: format!("Failed to serialize audit event: {}", e),
            })?;

        // Open the file in append mode (create if it doesn't exist)
        let mut file = OpenOptions::new()
            .create(true)
            .append(true)
            .open(&self.file_path)
            .await
            .map_err(|e| AuditError::IoError {
                message: format!("Failed to open audit log file: {}", e),
            })?;

        // Write the JSON line followed by a newline
        file.write_all(json_line.as_bytes())
            .await
            .map_err(|e| AuditError::IoError {
                message: format!("Failed to write to audit log: {}", e),
            })?;

        file.write_all(b"\n")
            .await
            .map_err(|e| AuditError::IoError {
                message: format!("Failed to write newline to audit log: {}", e),
            })?;

        // Ensure data is written to disk
        file.flush().await.map_err(|e| AuditError::IoError {
            message: format!("Failed to flush audit log: {}", e),
        })?;

        Ok(())
    }

    fn failure_mode(&self) -> AuditFailureMode {
        self.failure_mode
    }
}

/// Convenience type for boxed audit sink
pub type BoxedAuditSink = Arc<dyn SecretAuditSink + Send + Sync>;

/// Helper function to create an optional audit sink from configuration
pub fn create_audit_sink(audit_config: &Option<AuditConfig>) -> Option<BoxedAuditSink> {
    audit_config.as_ref().map(|config| match config {
        AuditConfig::JsonFile {
            file_path,
            failure_mode,
        } => Arc::new(JsonFileAuditSink::with_failure_mode(
            file_path.clone(),
            failure_mode.unwrap_or_default(),
        )) as BoxedAuditSink,
    })
}

/// Configuration for audit logging
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "type", rename_all = "lowercase")]
pub enum AuditConfig {
    /// JSON file-based audit logging
    JsonFile {
        /// Path to the audit log file
        file_path: PathBuf,
        /// Failure mode: strict (block operation) or permissive (log warning)
        #[serde(default)]
        failure_mode: Option<AuditFailureMode>,
    },
}

#[cfg(test)]
mod tests {
    use super::*;
    use tempfile::NamedTempFile;
    use tokio::fs;

    #[tokio::test]
    async fn test_secret_audit_event_creation() {
        let event = SecretAuditEvent::success(
            "agent-123".to_string(),
            "get_secret".to_string(),
            Some("api-key".to_string()),
        );

        assert_eq!(event.agent_id, "agent-123");
        assert_eq!(event.operation, "get_secret");
        assert_eq!(event.secret_key, Some("api-key".to_string()));
        assert!(matches!(event.outcome, AuditOutcome::Success));
        assert!(event.error_message.is_none());
    }

    #[tokio::test]
    async fn test_failure_audit_event() {
        let event = SecretAuditEvent::failure(
            "agent-456".to_string(),
            "get_secret".to_string(),
            Some("missing-key".to_string()),
            "Secret not found".to_string(),
        );

        assert_eq!(event.agent_id, "agent-456");
        assert!(matches!(event.outcome, AuditOutcome::Failure));
        assert_eq!(event.error_message, Some("Secret not found".to_string()));
    }

    #[tokio::test]
    async fn test_json_file_audit_sink() {
        let temp_file = NamedTempFile::new().unwrap();
        let sink = JsonFileAuditSink::new(temp_file.path().to_path_buf());

        let event = SecretAuditEvent::success(
            "test-agent".to_string(),
            "get_secret".to_string(),
            Some("test-key".to_string()),
        );

        let result = sink.log_event(event.clone()).await;
        assert!(result.is_ok());

        // Verify the file was written correctly
        let content = fs::read_to_string(temp_file.path()).await.unwrap();
        let lines: Vec<&str> = content.trim().split('\n').collect();
        assert_eq!(lines.len(), 1);

        // Parse and verify the JSON
        let parsed_event: SecretAuditEvent = serde_json::from_str(lines[0]).unwrap();
        assert_eq!(parsed_event.agent_id, "test-agent");
        assert_eq!(parsed_event.operation, "get_secret");
    }

    #[tokio::test]
    async fn test_multiple_audit_events() {
        let temp_file = NamedTempFile::new().unwrap();
        let sink = JsonFileAuditSink::new(temp_file.path().to_path_buf());

        // Log multiple events
        for i in 0..3 {
            let event =
                SecretAuditEvent::success(format!("agent-{}", i), "list_secrets".to_string(), None);
            sink.log_event(event).await.unwrap();
        }

        // Verify all events were written
        let content = fs::read_to_string(temp_file.path()).await.unwrap();
        let lines: Vec<&str> = content.trim().split('\n').collect();
        assert_eq!(lines.len(), 3);

        // Verify each line is valid JSON
        for (i, line) in lines.iter().enumerate() {
            let parsed_event: SecretAuditEvent = serde_json::from_str(line).unwrap();
            assert_eq!(parsed_event.agent_id, format!("agent-{}", i));
            assert_eq!(parsed_event.operation, "list_secrets");
        }
    }
}