enya-agent 0.1.0

package/crates/enact-security/src/policy.rs

@@ -0,0 +1,406 @@
+//! Security policy for agent actions
+//!
+//! Defines autonomy levels, rate limiting, and action validation.
+
+use serde::{Deserialize, Serialize};
+use std::path::{Path, PathBuf};
+use std::sync::atomic::{AtomicU32, Ordering};
+use std::time::{Duration, Instant};
+
+/// Autonomy level for agent actions
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "snake_case")]
+pub enum AutonomyLevel {
+    /// Read-only access, no modifications allowed
+    ReadOnly,
+    /// Supervised mode (default) - some actions require approval
+    #[default]
+    Supervised,
+    /// Full autonomy - all actions allowed within policy
+    Full,
+}
+
+impl AutonomyLevel {
+    pub fn as_str(&self) -> &'static str {
+        match self {
+            Self::ReadOnly => "read_only",
+            Self::Supervised => "supervised",
+            Self::Full => "full",
+        }
+    }
+
+    pub fn parse(s: &str) -> Self {
+        match s.to_lowercase().as_str() {
+            "read_only" | "readonly" | "read-only" => Self::ReadOnly,
+            "full" | "autonomous" => Self::Full,
+            _ => Self::Supervised,
+        }
+    }
+}
+
+/// Risk level for actions
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "snake_case")]
+pub enum RiskLevel {
+    Low,
+    Medium,
+    High,
+    Critical,
+}
+
+impl RiskLevel {
+    pub fn as_str(&self) -> &'static str {
+        match self {
+            Self::Low => "low",
+            Self::Medium => "medium",
+            Self::High => "high",
+            Self::Critical => "critical",
+        }
+    }
+}
+
+/// Action validation result
+#[derive(Debug, Clone)]
+pub struct ActionValidation {
+    pub allowed: bool,
+    pub risk_level: RiskLevel,
+    pub reason: Option<String>,
+    pub requires_approval: bool,
+}
+
+impl ActionValidation {
+    pub fn allow(risk_level: RiskLevel) -> Self {
+        Self {
+            allowed: true,
+            risk_level,
+            reason: None,
+            requires_approval: false,
+        }
+    }
+
+    pub fn deny(risk_level: RiskLevel, reason: impl Into<String>) -> Self {
+        Self {
+            allowed: false,
+            risk_level,
+            reason: Some(reason.into()),
+            requires_approval: false,
+        }
+    }
+
+    pub fn needs_approval(risk_level: RiskLevel, reason: impl Into<String>) -> Self {
+        Self {
+            allowed: false,
+            risk_level,
+            reason: Some(reason.into()),
+            requires_approval: true,
+        }
+    }
+}
+
+/// Security policy configuration
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct PolicyConfig {
+    pub autonomy: AutonomyLevel,
+    pub max_actions_per_hour: u32,
+    pub allowed_commands: Vec<String>,
+    pub blocked_commands: Vec<String>,
+    pub blocked_patterns: Vec<String>,
+    pub allowed_paths: Vec<String>,
+    pub blocked_paths: Vec<String>,
+    pub require_approval_for: Vec<String>,
+}
+
+impl Default for PolicyConfig {
+    fn default() -> Self {
+        Self {
+            autonomy: AutonomyLevel::Supervised,
+            max_actions_per_hour: 1000,
+            allowed_commands: Vec::new(),
+            blocked_commands: vec![
+                "rm -rf /".into(),
+                "sudo".into(),
+                "chmod 777".into(),
+                "dd if=".into(),
+                "> /dev/".into(),
+            ],
+            blocked_patterns: vec![
+                "curl | sh".into(),
+                "wget | sh".into(),
+                "$(.*rm.*)".into(),
+            ],
+            allowed_paths: Vec::new(),
+            blocked_paths: vec![
+                "/etc".into(),
+                "/var".into(),
+                "/usr".into(),
+                "/sys".into(),
+                "/proc".into(),
+            ],
+            require_approval_for: vec![
+                "rm".into(),
+                "mv".into(),
+                "chmod".into(),
+                "chown".into(),
+            ],
+        }
+    }
+}
+
+/// Security policy with runtime state
+pub struct SecurityPolicy {
+    pub config: PolicyConfig,
+    pub workspace_dir: PathBuf,
+    action_count: AtomicU32,
+    last_reset: std::sync::Mutex<Instant>,
+}
+
+impl SecurityPolicy {
+    /// Create a new security policy
+    pub fn new(config: PolicyConfig, workspace_dir: PathBuf) -> Self {
+        Self {
+            config,
+            workspace_dir,
+            action_count: AtomicU32::new(0),
+            last_reset: std::sync::Mutex::new(Instant::now()),
+        }
+    }
+
+    /// Create with default config
+    pub fn default_for(workspace_dir: PathBuf) -> Self {
+        Self::new(PolicyConfig::default(), workspace_dir)
+    }
+
+    /// Check if the agent can perform write actions
+    pub fn can_act(&self) -> bool {
+        !matches!(self.config.autonomy, AutonomyLevel::ReadOnly)
+    }
+
+    /// Get autonomy level
+    pub fn autonomy(&self) -> AutonomyLevel {
+        self.config.autonomy
+    }
+
+    /// Check and reset rate limit if hour has passed
+    fn check_rate_limit_reset(&self) {
+        let mut last_reset = self.last_reset.lock().unwrap();
+        if last_reset.elapsed() >= Duration::from_secs(3600) {
+            self.action_count.store(0, Ordering::Relaxed);
+            *last_reset = Instant::now();
+        }
+    }
+
+    /// Check if rate limited
+    pub fn is_rate_limited(&self) -> bool {
+        if self.config.max_actions_per_hour == 0 {
+            return false;
+        }
+        self.check_rate_limit_reset();
+        self.action_count.load(Ordering::Relaxed) >= self.config.max_actions_per_hour
+    }
+
+    /// Record an action and return true if allowed
+    pub fn record_action(&self) -> bool {
+        if self.config.max_actions_per_hour == 0 {
+            return true;
+        }
+        self.check_rate_limit_reset();
+        let current = self.action_count.fetch_add(1, Ordering::Relaxed);
+        current < self.config.max_actions_per_hour
+    }
+
+    /// Get remaining actions this hour
+    pub fn remaining_actions(&self) -> u32 {
+        if self.config.max_actions_per_hour == 0 {
+            return u32::MAX;
+        }
+        self.check_rate_limit_reset();
+        let used = self.action_count.load(Ordering::Relaxed);
+        self.config.max_actions_per_hour.saturating_sub(used)
+    }
+
+    /// Validate a command execution
+    pub fn validate_command(&self, command: &str, approved: bool) -> ActionValidation {
+        if !self.can_act() {
+            return ActionValidation::deny(
+                RiskLevel::Low,
+                "Action blocked: autonomy is read-only",
+            );
+        }
+
+        // Check blocked commands
+        for blocked in &self.config.blocked_commands {
+            if command.contains(blocked) {
+                return ActionValidation::deny(
+                    RiskLevel::Critical,
+                    format!("Command blocked by security policy: {blocked}"),
+                );
+            }
+        }
+
+        // Check blocked patterns
+        for pattern in &self.config.blocked_patterns {
+            if command.contains(pattern) {
+                return ActionValidation::deny(
+                    RiskLevel::High,
+                    format!("Command matches blocked pattern: {pattern}"),
+                );
+            }
+        }
+
+        // Determine risk level
+        let risk = self.assess_command_risk(command);
+
+        // Check if approval is required
+        if self.config.autonomy == AutonomyLevel::Supervised && !approved {
+            let cmd_name = command.split_whitespace().next().unwrap_or("");
+            if self.config.require_approval_for.iter().any(|c| c == cmd_name) {
+                return ActionValidation::needs_approval(
+                    risk,
+                    format!("Command '{cmd_name}' requires explicit approval in supervised mode"),
+                );
+            }
+        }
+
+        // Check allowed commands (if configured)
+        if !self.config.allowed_commands.is_empty() {
+            let cmd_name = command.split_whitespace().next().unwrap_or("");
+            if !self.config.allowed_commands.iter().any(|c| c == cmd_name) {
+                return ActionValidation::deny(
+                    risk,
+                    format!("Command '{cmd_name}' not in allowed commands list"),
+                );
+            }
+        }
+
+        ActionValidation::allow(risk)
+    }
+
+    /// Assess risk level of a command
+    fn assess_command_risk(&self, command: &str) -> RiskLevel {
+        let high_risk = ["rm -rf", "mkfs", "dd if=", "sudo", "chmod 777"];
+        for pattern in high_risk {
+            if command.contains(pattern) {
+                return RiskLevel::Critical;
+            }
+        }
+
+        let medium_risk = ["rm", "mv", "cp", "chmod", "chown", "kill"];
+        let cmd_name = command.split_whitespace().next().unwrap_or("");
+        if medium_risk.contains(&cmd_name) {
+            return RiskLevel::Medium;
+        }
+
+        RiskLevel::Low
+    }
+
+    /// Validate a file path access
+    pub fn validate_path(&self, path: &str, write: bool) -> ActionValidation {
+        if write && !self.can_act() {
+            return ActionValidation::deny(
+                RiskLevel::Low,
+                "Write access blocked: autonomy is read-only",
+            );
+        }
+
+        // Block path traversal
+        if path.contains("..") {
+            return ActionValidation::deny(
+                RiskLevel::High,
+                "Path traversal not allowed",
+            );
+        }
+
+        // Block absolute paths outside workspace
+        if path.starts_with('/') {
+            let path_buf = PathBuf::from(path);
+            if !path_buf.starts_with(&self.workspace_dir) {
+                // Check against blocked paths
+                for blocked in &self.config.blocked_paths {
+                    if path.starts_with(blocked) {
+                        return ActionValidation::deny(
+                            RiskLevel::High,
+                            format!("Access to {blocked} is blocked"),
+                        );
+                    }
+                }
+            }
+        }
+
+        let risk = if write { RiskLevel::Medium } else { RiskLevel::Low };
+        ActionValidation::allow(risk)
+    }
+
+    /// Check if a resolved path is within workspace
+    pub fn is_path_in_workspace(&self, resolved: &Path) -> bool {
+        resolved.starts_with(&self.workspace_dir)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn test_policy() -> SecurityPolicy {
+        SecurityPolicy::default_for(PathBuf::from("/tmp/workspace"))
+    }
+
+    #[test]
+    fn autonomy_level_parse() {
+        assert_eq!(AutonomyLevel::parse("read_only"), AutonomyLevel::ReadOnly);
+        assert_eq!(AutonomyLevel::parse("full"), AutonomyLevel::Full);
+        assert_eq!(AutonomyLevel::parse("supervised"), AutonomyLevel::Supervised);
+        assert_eq!(AutonomyLevel::parse("unknown"), AutonomyLevel::Supervised);
+    }
+
+    #[test]
+    fn can_act_respects_autonomy() {
+        let mut policy = test_policy();
+        assert!(policy.can_act());
+
+        policy.config.autonomy = AutonomyLevel::ReadOnly;
+        assert!(!policy.can_act());
+    }
+
+    #[test]
+    fn validate_command_blocks_dangerous() {
+        let policy = test_policy();
+        let result = policy.validate_command("rm -rf /", false);
+        assert!(!result.allowed);
+        assert_eq!(result.risk_level, RiskLevel::Critical);
+    }
+
+    #[test]
+    fn validate_command_needs_approval() {
+        let policy = test_policy();
+        let result = policy.validate_command("rm file.txt", false);
+        assert!(!result.allowed);
+        assert!(result.requires_approval);
+    }
+
+    #[test]
+    fn validate_command_allows_with_approval() {
+        let policy = test_policy();
+        let result = policy.validate_command("rm file.txt", true);
+        assert!(result.allowed);
+    }
+
+    #[test]
+    fn validate_path_blocks_traversal() {
+        let policy = test_policy();
+        let result = policy.validate_path("../etc/passwd", false);
+        assert!(!result.allowed);
+    }
+
+    #[test]
+    fn rate_limiting_works() {
+        let mut config = PolicyConfig::default();
+        config.max_actions_per_hour = 2;
+        let policy = SecurityPolicy::new(config, PathBuf::from("/tmp"));
+
+        assert!(!policy.is_rate_limited());
+        assert!(policy.record_action());
+        assert!(policy.record_action());
+        assert!(!policy.record_action());
+        assert!(policy.is_rate_limited());
+    }
+}

package/crates/enact-skills/Cargo.toml

@@ -0,0 +1,25 @@
+[package]
+name = "enact-skills"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+description = "Skills system with TOML manifests for Enact"
+repository.workspace = true
+homepage.workspace = true
+keywords = ["skills", "tools", "capabilities", "plugin"]
+categories.workspace = true
+
+[dependencies]
+enact-core.workspace = true
+anyhow.workspace = true
+async-trait.workspace = true
+tokio.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+toml.workspace = true
+tracing.workspace = true
+glob = "0.3"
+directories = "5.0"
+
+[dev-dependencies]
+tempfile.workspace = true