validate: separation-of-duties agent + Symbiont 1.14.1 #3

Merged
jaschadub merged 4 commits into main from validate-agent
May 21, 2026

@jaschadub
Contributor

Summary

  • deps: switch symbi-runtime / symbi-channel-adapter to crates.io v1.14.1 / 0.1.3 (the ../../../symbiont path dep was broken — it resolved to a directory that doesn't exist on disk).
  • separation of duties: add agents/validate.symbi as the only principal allowed to flip findings.verified / false_positive. Without this, the unverified_critical_high_count > 0 gate in evidence.cedar was a permanent deadlock — nothing could satisfy it.
  • structural Cedar denial in policies/validation.cedar: validate is forbidden from store_finding; every non-validate principal is forbidden from verify_finding / mark_false_positive. Deny-overrides keeps these absolute even if a future tool-auth rule slips up.
  • MCP tools: verify_finding and mark_false_positive (Cedar action verify_evidence) write a finding_verifications audit row + flip flags atomically.
  • schema: new finding_verifications table with verifier / verdict / rationale; idx_verifications_finding.
  • engagement controller invokes validate after vuln-assess (clears vuln_findings_reviewed) and after post-exploit (clears unverified_critical_high_count so reporter can run).
  • migration: db/migrations/2026-05-21-validate-cutover.sql backfills legacy findings stuck at verified = FALSE with a pre_validate_cutover verifier identity — smoke-tested.
  • rename agents/*.dsl → agents/*.symbi (canonical extension in symbi-dsl 1.14.1; .dsl still supported as legacy).

Test plan

  • cargo build -j10 green
  • cargo test -j10 — 96 tests pass (28 + 1 + 15 + 15 + 37, plus 3 new verification tests in db_tests.rs)
  • cargo clippy -j10 --all-targets -- -D warnings clean
  • Migration SQL smoke-tested against a fresh sqlite DB: 2 unverified high/crit → 0; 3 backfill rows recorded; pre-existing false_positive=TRUE preserved while verified flips
  • Reviewer: spot-check policies/validation.cedar deny-overrides interaction with existing tool-authorization.cedar rules
  • Reviewer: confirm the engagement-controller phase ordering matches your mental model (validate appears twice — after vuln-assess and after post-exploit)
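
The deny-overrides claim in the summary can be checked with a small model. This is an added example, not code from this PR or from Symbiont: it is a simplified stand-in for Cedar's decision rule, and the principal identifiers, the permit rules and the over-broad permit are assumptions; only the tool names and the two forbid rules come from the description above.

```rust
// Simplified model of Cedar's deny-overrides decision rule. Not the Cedar engine
// and not this project's policy files; items marked (assumed) are illustrative.
#[derive(Debug, PartialEq)]
pub enum Decision { Allow, Deny }
pub enum Effect { Permit, Forbid }
pub struct Rule {
    pub effect: Effect,
    pub applies: fn(&str, &str) -> bool, // (principal, tool) -> rule matches?
}
const VERDICT_TOOLS: [&str; 2] = ["verify_finding", "mark_false_positive"];
// The two structural forbids described in the PR summary.
fn validate_stores(p: &str, t: &str) -> bool { p == "validate" && t == "store_finding" }
fn non_validate_verdict(p: &str, t: &str) -> bool { p != "validate" && VERDICT_TOOLS.contains(&t) }
// (assumed) ordinary tool-authorization permits.
fn validate_verdict(p: &str, t: &str) -> bool { p == "validate" && VERDICT_TOOLS.contains(&t) }
fn assess_stores(p: &str, t: &str) -> bool { p == "vuln-assess" && t == "store_finding" }
// (assumed) an over-broad permit of the kind a later rule could add by mistake.
fn anyone_anything(_p: &str, _t: &str) -> bool { true }

pub fn policy_set(with_overbroad_permit: bool) -> Vec<Rule> {
    let mut rules = vec![
        Rule { effect: Effect::Forbid, applies: validate_stores },
        Rule { effect: Effect::Forbid, applies: non_validate_verdict },
        Rule { effect: Effect::Permit, applies: validate_verdict },
        Rule { effect: Effect::Permit, applies: assess_stores },
    ];
    if with_overbroad_permit {
        rules.push(Rule { effect: Effect::Permit, applies: anyone_anything });
    }
    rules
}

// Any matching forbid denies; otherwise at least one permit must match (default deny).
pub fn authorize(rules: &[Rule], principal: &str, tool: &str) -> Decision {
    let mut permitted = false;
    for r in rules.iter().filter(|r| (r.applies)(principal, tool)) {
        match r.effect {
            Effect::Forbid => return Decision::Deny,
            Effect::Permit => permitted = true,
        }
    }
    if permitted { Decision::Allow } else { Decision::Deny }
}

fn main() {
    let rules = policy_set(true);
    for (p, t) in [("validate", "store_finding"), ("reporter", "verify_finding")] {
        println!("{} -> {}: {:?}", p, t, authorize(&rules, p, t));
    }
}
```

The forbids cover only the pairs they name: with the over-broad permit present, a principal with no forbid on `store_finding` is allowed to call it, so the permit side still needs review.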

jaschadub added 2 commits May 21, 2026 13:05
The path dep ../../../symbiont was broken since the project moved under
repos/ -- it resolved to /home/jascha/Documents/symbiont which does not
exist. Pin symbi-runtime = 1.14.1 and symbi-channel-adapter = 0.1.3 from
crates.io so builds work without a sibling checkout.

Add a validate agent that adjudicates findings and is the only principal
allowed to flip findings.verified / false_positive. Without this the
unverified_critical_high_count gate in evidence.cedar was a permanent
deadlock -- nothing could ever satisfy it.

- agents/validate.symbi: capabilities exclude store_finding by construction
- policies/validation.cedar: forbid validate from store_finding; forbid
  every non-validate principal from verify_finding / mark_false_positive
- src/evidence_tools.rs: verify_finding + mark_false_positive MCP tools
  (Cedar action verify_evidence); both fail fast on empty inputs
- src/db.rs: Verdict enum, NewVerification, transactional
  record_verification() that updates flags + inserts audit row atomically
- db/schema.sql: finding_verifications audit table with verifier/verdict/
  rationale; idx_verifications_finding for lookup
- db/migrations/2026-05-21-validate-cutover.sql: one-time backfill for
  legacy findings stuck at verified = FALSE; smoke-tested
- agents/engagement-controller.symbi: invoke validate after vuln-assess
  (gates exploit phase) and after post-exploit (unblocks reporter)
- tests/db_tests.rs: 3 new tests for verified / false-positive / unknown
- tests/tool_registration_tests.rs: evidence 5 -> 7, total 33 -> 35

Also rename agents/*.dsl -> agents/*.symbi (canonical extension in
symbi-dsl 1.14.1; .dsl is supported as legacy) and refresh AGENTS.md /
README.md.
jaschadub added 2 commits May 21, 2026 13:13
cargo install symbi@1.10.0 now fails because the crate was yanked from
crates.io. v1.14.1 is the current published release and matches the
runtime dep we just pinned in Cargo.toml. v1.14.1 also brings the
security-audit response (fail-closed default policy gate, JWT algorithm
allowlist, hardened invis-strip).

v1.14.0's security audit response made `native-sandbox` a compile-time
error in release builds (zero isolation; "use Docker, gVisor, Firecracker,
or E2B"). cargo install always builds release, so the previous feature
set fails outright.

This container is itself the sandbox (Kali image with dropped caps), so
the native sandbox runner was never the right primitive. Drop it.

Add `cedar` because v1.14.0 also flipped the default policy gate to
fail-closed: without the Cedar feature every tool call is denied at
runtime, which would brick the whole pen-test pipeline.

`interactive` is already in the symbi default feature set, so the
explicit listing was redundant.
jaschadub merged commit 2229f01 into main May 21, 2026
2 checks passed