[codex] Harden policy trust and sync security #2
CodeRabbit: Review skipped. Draft detected. Configuration used: defaults. Review profile: CHILL. Plan: Pro.
Reviewer's Guide
Strengthens PolicyForge's tool trust, policy loading, and sync safety by denying unknown tools by default, anchoring trust ledgers to policy locations, emitting audit events from TrustManager, and adding a CLI plus tests for safe approvals seeding and atomic ledger writes.
Sequence diagram for trust check with audit events and ledger append
sequenceDiagram
actor ToolCaller
participant PolicyEngine
participant TrustManager
participant LedgerWriter
participant AuditLogger
ToolCaller->>PolicyEngine: evaluate(tool_name, args, context)
PolicyEngine->>TrustManager: check(tool_name, server_id, schema_hash, description_hash, tool_meta)
alt missing_tool_meta
TrustManager->>AuditLogger: log_event(tool_meta_missing,...)
TrustManager-->>PolicyEngine: TrustResult(verdict=DENY, reason=tool_meta_missing)
PolicyEngine-->>ToolCaller: Decision DENY
else unknown_tool_auto_approve
TrustManager->>AuditLogger: log_event(tool_unknown,...)
TrustManager->>LedgerWriter: append(ToolFingerprint)
LedgerWriter-->>TrustManager: ok
TrustManager->>AuditLogger: log_event(tool_approved,...)
TrustManager-->>PolicyEngine: TrustResult OK
PolicyEngine-->>ToolCaller: Decision ALLOW
else unknown_tool_deny
TrustManager->>AuditLogger: log_event(tool_unknown,...)
TrustManager-->>PolicyEngine: TrustResult(verdict=on_unknown, reason=tool_unknown)
PolicyEngine-->>ToolCaller: Decision (on_unknown)
else fingerprint_drift
TrustManager->>AuditLogger: log_event(fingerprint_drift,...)
TrustManager-->>PolicyEngine: TrustResult(verdict=DENY, reason=fingerprint_drift)
PolicyEngine-->>ToolCaller: Decision DENY
end
Class diagram for updated trust, engine, decorators, and CLI
classDiagram
class PolicyEngine {
- policies : list
- _loader
- _audit : AuditLogger
- _agent_id : str
- _trust : TrustManager
+ PolicyEngine(policy_paths, audit_logger, agent_id, trust_manager)
+ load(path : Path) : void
+ reload(policy_paths : list[Path]) : void
+ render_share_receipt(decision : Decision) : str
- _ensure_trust_config_wired() : void
- _preflight_trust(tool_name : str, context : dict) : Decision | None
}
class Loader {
+ trust_config : TrustConfig | None
+ load_file(path : Path) : list[Policy]
+ load_directory(path : Path) : list[Policy]
}
class TrustManager {
- _config : TrustConfig
- _approved_by : str
- _now : Callable
- _audit_logger : AuditLogger
- _writer : LedgerWriter
- _reader
- _approved : dict
+ TrustManager(config : TrustConfig, hmac_key : bytes, approved_by : str, now : Callable, audit_logger : AuditLogger)
+ set_audit_logger(audit_logger : AuditLogger) : void
+ check(tool_name : str, server_id : str, schema_hash : str, description_hash : str, tool_meta : dict) : TrustResult
- _mismatch(reason : str, message : str) : TrustResult
- _emit_event(event_type : str, tool_name : str, server_id : str, extra : dict) : void
}
class TrustConfig {
+ mode : TrustMode
+ ledger_path : Path
}
class LedgerWriter {
- _path : Path
- _key : bytes
- _last_hash : str
+ LedgerWriter(path : Path, hmac_key : bytes)
+ append(fp : ToolFingerprint) : void
}
class ToolFingerprint {
+ server_id : str
+ name : str
+ schema_hash : str
+ description_hash : str
+ first_seen : float
+ approved_by : str
}
class AuditLogger {
+ log_event(request_id : str, event_type : str, tool_name : str, metadata : dict) : void
}
class PolicyGateWrapper {
- _engine : PolicyEngine
- _extra_context : dict
+ wrap(func : Callable, tool_name : str, extra_context : dict, tool_meta : ToolMeta) : Callable
+ wrap_dict(tools : dict[str, Callable], extra_context : dict, tool_meta : ToolMetaSource) : dict[str, Callable]
+ _resolve_tool_meta(source : ToolMetaSource, tool_name : str) : ToolMeta | None
}
class DecoratorFunctions {
+ policy_gate(engine : PolicyEngine, tool_name : str, extra_context : dict, tool_meta : ToolMeta) : Callable
- _bind_positional_args(sig, args, kwargs) : dict
- _merge_context(extra_context : dict, tool_meta : ToolMeta) : dict | None
}
class TrustCLI {
+ main(argv : Sequence[str]) : int
- _build_parser() : ArgumentParser
- _fingerprint_from_fields(fields : dict, approved_by : str) : ToolFingerprint
- _load_fingerprints(args : Namespace) : list[ToolFingerprint]
}
class TrustApproveModule {
+ main(argv : Sequence[str]) : int
}
PolicyEngine --> Loader : uses
PolicyEngine --> TrustManager : uses
PolicyEngine --> AuditLogger : uses
Loader --> TrustConfig : produces
TrustManager --> TrustConfig : uses
TrustManager --> LedgerWriter : uses
TrustManager --> AuditLogger : emits events
LedgerWriter --> ToolFingerprint : appends
PolicyGateWrapper --> PolicyEngine : delegates
PolicyGateWrapper --> DecoratorFunctions : uses policy_gate
TrustCLI --> LedgerWriter : writes approvals
TrustCLI --> ToolFingerprint : creates
TrustApproveModule --> TrustCLI : reexports main
File-Level Changes
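As an added example, not code from this PR or from the PolicyForge project: a compact Python re-creation of the trust-check path drawn in the reviewer's sequence diagram above (missing tool_meta, unknown tool with and without auto-approval, fingerprint drift), layered on an HMAC-chained JSON-lines ledger that is written atomically with a temp file and rename. The class and method names (TrustManager.check, LedgerWriter.append, ToolFingerprint, TrustResult) follow the reviewer's guide; the ledger file format, the auto_approve/on_unknown keyword arguments, the audit callback signature, the verify() method and the "operator" default are my assumptions, not the project's API.

```python
# Added illustration, not PolicyForge's own code; ledger format, knob names and defaults are assumptions.
import hashlib, hmac, json, os, tempfile, time
from dataclasses import asdict, dataclass
from pathlib import Path
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class ToolFingerprint:
    server_id: str
    name: str
    schema_hash: str
    description_hash: str
    first_seen: float
    approved_by: str

@dataclass(frozen=True)
class TrustResult:
    verdict: str  # "ALLOW", "DENY", or the configured on_unknown verdict
    reason: str

def _mac(key: bytes, record: dict) -> str:
    # Canonical JSON so the MAC does not depend on key order or whitespace.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class LedgerWriter:  # JSON-lines ledger; each entry MACs its fields plus the previous entry's MAC
    def __init__(self, path: Path, hmac_key: bytes) -> None:
        self._path, self._key, self._last_hash = Path(path), hmac_key, ""
        for entry in self._entries():
            self._last_hash = entry["mac"]

    def _entries(self) -> List[dict]:
        if not self._path.exists():
            return []
        return [json.loads(line) for line in self._path.read_text().splitlines() if line.strip()]

    def fingerprints(self) -> List[ToolFingerprint]:
        return [ToolFingerprint(**{k: v for k, v in e.items() if k not in ("prev", "mac")})
                for e in self._entries()]

    def verify(self) -> bool:
        prev = ""  # each entry must name the previous MAC and carry a valid MAC of its own
        for entry in self._entries():
            record = {k: v for k, v in entry.items() if k != "mac"}
            if record.get("prev") != prev or not hmac.compare_digest(_mac(self._key, record), entry["mac"]):
                return False
            prev = entry["mac"]
        return True

    def append(self, fp: ToolFingerprint) -> None:
        record = asdict(fp)
        record["prev"] = self._last_hash
        mac = record["mac"] = _mac(self._key, record)  # MAC computed before "mac" is added
        # Atomic write: rebuild in a temp sibling, fsync, rename over the original, so a crash
        # mid-write leaves the old ledger intact instead of a truncated last line.
        existing = self._path.read_text() if self._path.exists() else ""
        fd, tmp = tempfile.mkstemp(dir=self._path.parent, prefix=".ledger-")
        try:
            with os.fdopen(fd, "w") as f:
                f.write(existing + json.dumps(record, sort_keys=True) + "\n")
                f.flush()
                os.fsync(f.fileno())
            os.replace(tmp, self._path)
        except BaseException:
            if os.path.exists(tmp):
                os.unlink(tmp)
            raise
        self._last_hash = mac

class TrustManager:
    def __init__(self, writer: LedgerWriter, *, auto_approve: bool = False, on_unknown: str = "DENY",
                 approved_by: str = "operator", now: Callable[[], float] = time.time,
                 audit: Optional[Callable[[str, str, str, dict], None]] = None) -> None:
        self._writer, self._auto_approve, self._on_unknown = writer, auto_approve, on_unknown
        self._approved_by, self._now, self._audit = approved_by, now, audit
        self._approved: Dict[tuple, ToolFingerprint] = {(f.server_id, f.name): f for f in writer.fingerprints()}

    def _emit(self, event_type: str, tool_name: str, server_id: str, extra: Optional[dict] = None) -> None:
        if self._audit is not None:
            self._audit(event_type, tool_name, server_id, extra or {})

    def check(self, tool_name: str, server_id: str, schema_hash: str,
              description_hash: str, tool_meta: Optional[dict]) -> TrustResult:
        if not tool_meta:  # a caller that cannot describe the tool is denied outright
            self._emit("tool_meta_missing", tool_name, server_id)
            return TrustResult("DENY", "tool_meta_missing")
        known = self._approved.get((server_id, tool_name))
        if known is None:
            self._emit("tool_unknown", tool_name, server_id)
            if not self._auto_approve:  # default path: unknown tools are never silently trusted
                return TrustResult(self._on_unknown, "tool_unknown")
            fp = ToolFingerprint(server_id, tool_name, schema_hash, description_hash, self._now(), self._approved_by)
            self._writer.append(fp)
            self._approved[(server_id, tool_name)] = fp
            self._emit("tool_approved", tool_name, server_id, {"schema_hash": schema_hash})
            return TrustResult("ALLOW", "tool_approved")
        if known.schema_hash != schema_hash or known.description_hash != description_hash:
            self._emit("fingerprint_drift", tool_name, server_id, {"expected": known.schema_hash, "seen": schema_hash})
            return TrustResult("DENY", "fingerprint_drift")
        return TrustResult("ALLOW", "fingerprint_match")
```

The two properties the PR description is aiming at fall out of the structure: with the default auto_approve=False a never-seen tool gets the configured on_unknown verdict and emits tool_unknown rather than being added to the ledger, and because every ledger line MACs the previous line's MAC, editing or deleting an approval in place makes verify() fail on the next load. The rename-based append is what makes a concurrent reader never observe a half-written line; it is not a lock, so two writers racing on the same ledger still need an external mutex.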
Why
How
tool_trust configs and malformed directory-loaded policies; anchor ledger paths to policy YAML parents.
tool_meta, and CLI approval seeding with regression coverage.
Tests
- `pytest -q` -> 251 passed
- `ruff check policyforge tests` -> passed
- `black --check policyforge tests` -> passed
- `mypy policyforge` -> passed
- `uvx bandit -r policyforge -ll -q` -> no medium/high findings
- `pip-audit` (pinned direct core/optional specs) -> no known vulnerabilities
- `python -m examples.basic_usage` -> audit verification 8 valid, 0 tampered
Summary by Sourcery
Harden policy trust enforcement, sync path handling, and default policies, and add operator-facing tooling and auditability for the trust subsystem.
New Features:
python -m usage.
Bug Fixes:
Enhancements:
Documentation:
Tests: