mur_common/muragent/
validator.rs

1//! 11-step validation pipeline (§6.4).
2//!
3//! Every step's failure is fatal — no "continue anyway" path.
4
5use crate::muragent::MuragentError;
6use crate::muragent::dsse;
7use crate::muragent::executable_ban;
8use crate::muragent::jcs_canonical;
9use crate::muragent::manifest::MuragentManifest;
10use crate::muragent::reader::MuragentArchive;
11use crate::muragent::statement::{InTotoStatement, verify_subjects};
12
13pub struct ValidationResult {
14    pub manifest: MuragentManifest,
15    pub author_pubkey: [u8; 32],
16    pub keyid: String,
17}
18
19impl std::fmt::Debug for ValidationResult {
20    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
21        f.debug_struct("ValidationResult")
22            .field("manifest_schema", &self.manifest.schema)
23            .field("agent_slug", &self.manifest.agent.slug)
24            .field("keyid", &self.keyid)
25            .finish()
26    }
27}
28
29/// Run the full 11-step validation pipeline. Every failure is fatal (§7.5).
30pub fn validate(archive: &MuragentArchive) -> Result<ValidationResult, MuragentError> {
31    // Step 1: Tarball integrity — already done by MuragentArchive::read
32
33    // Step 2: No executable content
34    for path in archive.files.keys() {
35        executable_ban::check_extension(path).map_err(MuragentError::ExecutableContent)?;
36    }
37    let manifest_yaml = archive.get_str("manifest.yaml")?;
38    let manifest: MuragentManifest = serde_yaml_ng::from_str(manifest_yaml)
39        .map_err(|e| MuragentError::ManifestParse(e.to_string()))?;
40    for mcp in &manifest.mcp_servers {
41        executable_ban::check_mcp_command(&mcp.command_basename, &[])
42            .map_err(MuragentError::ForbiddenMcpCommand)?;
43    }
44
45    // Step 3: Schema version
46    if !manifest.is_v2() {
47        return Err(MuragentError::SchemaMismatch(manifest.schema.clone()));
48    }
49
50    // Step 3.5: Bundle ID
51    manifest
52        .validate_bundle_id()
53        .map_err(MuragentError::ManifestParse)?;
54
55    // Step 4: Version compatibility — deferred to caller (Hub/Commander checks its own version)
56
57    // Step 5: manifest.signed.json matches re-derived canonical JSON
58    let embedded_signed_json = archive
59        .get("manifest.signed.json")
60        .ok_or_else(|| MuragentError::Other("missing manifest.signed.json".into()))?;
61    let rederived = jcs_canonical::derive_signed_json(manifest_yaml)?;
62    if embedded_signed_json != rederived.as_slice() {
63        return Err(MuragentError::SignedJsonMismatch);
64    }
65
66    // Step 6: DSSE envelope structure
67    let signatures_json = archive.get_str("signatures.json")?;
68    let envelope: dsse::DsseEnvelope = serde_json::from_str(signatures_json)
69        .map_err(|e| MuragentError::DsseError(format!("signatures.json parse: {e}")))?;
70
71    // Step 7: Statement structure — payload decodes to in-toto v1 Statement
72    use base64::{Engine, engine::general_purpose::STANDARD as B64};
73    let payload_bytes = B64
74        .decode(&envelope.payload)
75        .map_err(|e| MuragentError::DsseError(format!("payload base64: {e}")))?;
76    let statement: InTotoStatement = serde_json::from_slice(&payload_bytes)
77        .map_err(|e| MuragentError::DsseError(format!("statement parse: {e}")))?;
78
79    if statement.type_ != "https://in-toto.io/Statement/v1" {
80        return Err(MuragentError::DsseError(format!(
81            "unexpected statement _type: {}",
82            statement.type_
83        )));
84    }
85    if statement.predicate_type != "https://mur.run/agent-manifest/v1" {
86        return Err(MuragentError::DsseError(format!(
87            "unexpected predicateType: {}",
88            statement.predicate_type
89        )));
90    }
91
92    let actual_manifest_sha256 = {
93        use sha2::Digest;
94        hex::encode(sha2::Sha256::digest(embedded_signed_json))
95    };
96    if statement.predicate.manifest_sha256 != actual_manifest_sha256 {
97        return Err(MuragentError::DsseError(format!(
98            "manifest_sha256 mismatch: expected {}, got {}",
99            actual_manifest_sha256, statement.predicate.manifest_sha256
100        )));
101    }
102
103    // Step 8: Author signature verification (verify_strict)
104    dsse::verify(&envelope, "application/vnd.in-toto+json")?;
105
106    // Step 9: Subject hashes
107    verify_subjects(&statement, &archive.files_as_vec())?;
108
109    // Step 10: Mur signature (ignored in v1)
110    // Step 11: Revocation check (skipped in v1)
111
112    let pubkey_bytes = B64
113        .decode(&envelope.signatures[0].public_key)
114        .map_err(|e| MuragentError::DsseError(format!("pubkey b64: {e}")))?;
115    let pubkey_arr: [u8; 32] = pubkey_bytes
116        .try_into()
117        .map_err(|_| MuragentError::DsseError("pubkey not 32 bytes".into()))?;
118
119    Ok(ValidationResult {
120        manifest,
121        author_pubkey: pubkey_arr,
122        keyid: envelope.signatures[0].keyid.clone(),
123    })
124}
mur_common/muragent/validator.rs

mur_common/muragent/
validator.rs
