network-ai 5.2.2 → 5.3.1

package/scripts/check_permission.py

@@ -41,6 +41,17 @@ GRANT_TOKEN_TTL_MINUTES = 5
 GRANTS_FILE = Path(__file__).parent.parent / "data" / "active_grants.json"
 AUDIT_LOG = Path(__file__).parent.parent / "data" / "audit_log.jsonl"
 
+# ADVISORY TOKENS — IMPORTANT
+# Grant tokens produced by this script are ADVISORY scoring outputs only.
+# They are NOT authenticated credentials. The agent_id supplied via --agent
+# is accepted as-is from the caller and is NOT verified against an identity
+# provider. Downstream systems MUST treat these tokens as hints, not proof
+# of identity, and SHOULD require a separate authenticated session or human
+# approval before honouring access to sensitive resources.
+#
+# For PAYMENTS, DATABASE (write), and FILE_EXPORT the caller must also pass
+# --confirm-high-risk to acknowledge the advisory-only nature of the grant.
+
 # Default trust levels for known agents
 DEFAULT_TRUST_LEVELS = {
     "orchestrator": 0.9,
@@ -49,6 +60,13 @@ DEFAULT_TRUST_LEVELS = {
     "risk_assessor": 0.85,
 }
 
+# Agents whose identity is pre-registered. Any agent_id NOT in this set
+# receives a reduced trust score (0.3) and triggers an advisory warning.
+KNOWN_AGENTS: set[str] = set(DEFAULT_TRUST_LEVELS.keys())
+
+# Resource types that require --confirm-high-risk before a grant is issued
+HIGH_RISK_RESOURCES: set[str] = {"PAYMENTS", "DATABASE"}
+
 # Base risk scores for resource types
 BASE_RISKS = {
     "DATABASE": 0.5,      # Internal database access
@@ -258,48 +276,88 @@ def save_grant(grant: dict[str, Any]) -> None:
     GRANTS_FILE.write_text(json.dumps(grants, indent=2))
 
 
-def evaluate_permission(agent_id: str, resource_type: str, 
-                       justification: str, scope: Optional[str] = None) -> dict[str, Any]:
+def evaluate_permission(
+    agent_id: str,
+    resource_type: str,
+    justification: str,
+    scope: Optional[str] = None,
+    confirm_high_risk: bool = False,
+) -> dict[str, Any]:
     """
     Evaluate a permission request using weighted scoring.
-    
+
+    NOTE: These tokens are ADVISORY ONLY — the caller supplies their own
+    agent_id and it is not authenticated. Downstream systems must not treat
+    the resulting token as proof of identity without additional verification.
+
     Weights:
     - Justification Quality: 40%
     - Agent Trust Level: 30%
     - Risk Assessment: 30%
     """
+    # Warn if agent_id is not in the pre-registered known-agents list
+    unknown_agent = agent_id not in KNOWN_AGENTS
+
     # Log the request
     log_audit("permission_request", {
         "agent_id": agent_id,
         "resource_type": resource_type,
         "justification": justification,
-        "scope": scope
+        "scope": scope,
+        "unknown_agent": unknown_agent,
     })
-    
+
+    # Require explicit acknowledgement for high-risk resources
+    needs_confirmation = (
+        resource_type in HIGH_RISK_RESOURCES
+        or (resource_type == "DATABASE" and scope and re.search(
+            r'\b(write|delete|update|modify|create)\b', scope, re.IGNORECASE
+        ))
+    )
+    if needs_confirmation and not confirm_high_risk:
+        return {
+            "granted": False,
+            "advisory": True,
+            "reason": (
+                f"{resource_type} is a high-risk resource. Re-run with --confirm-high-risk "
+                "to acknowledge that this token is advisory only and does not authenticate "
+                "the supplied agent identity."
+            ),
+            "scores": {"justification": None, "trust": None, "risk": None},
+        }
+
     # 1. Justification Quality (40% weight)
     justification_score = score_justification(justification)
     if justification_score < 0.3:
         return {
             "granted": False,
+            "advisory": True,
             "reason": "Justification is insufficient. Please provide specific task context.",
             "scores": {
                 "justification": justification_score,
                 "trust": None,
-                "risk": None
-            }
+                "risk": None,
+            },
         }
-    
+
     # 2. Agent Trust Level (30% weight)
-    trust_level = DEFAULT_TRUST_LEVELS.get(agent_id, 0.5)
+    # Unknown agents receive a reduced base trust score (0.3) — their identity
+    # has not been pre-registered and cannot be verified by this script.
+    trust_level = DEFAULT_TRUST_LEVELS.get(agent_id, 0.3) if not unknown_agent \
+        else 0.3
     if trust_level < 0.4:
         return {
             "granted": False,
-            "reason": "Agent trust level is below threshold. Escalate to human operator.",
+            "advisory": True,
+            "reason": (
+                "Agent trust level is below threshold. Escalate to human operator."
+                + (" (unrecognized agent_id — identity not pre-registered)" if unknown_agent else "")
+            ),
             "scores": {
                 "justification": justification_score,
                 "trust": trust_level,
-                "risk": None
-            }
+                "risk": None,
+            },
         }
     
     # 3. Risk Assessment (30% weight)
@@ -307,12 +365,13 @@ def evaluate_permission(agent_id: str, resource_type: str,
     if risk_score > 0.8:
         return {
             "granted": False,
+            "advisory": True,
             "reason": "Risk assessment exceeds acceptable threshold. Narrow the requested scope.",
             "scores": {
                 "justification": justification_score,
                 "trust": trust_level,
-                "risk": risk_score
-            }
+                "risk": risk_score,
+            },
         }
     
     # Calculate weighted approval score
@@ -325,13 +384,14 @@ def evaluate_permission(agent_id: str, resource_type: str,
     if weighted_score < 0.5:
         return {
             "granted": False,
+            "advisory": True,
             "reason": f"Combined evaluation score ({weighted_score:.2f}) below threshold (0.5).",
             "scores": {
                 "justification": justification_score,
                 "trust": trust_level,
                 "risk": risk_score,
-                "weighted": weighted_score
-            }
+                "weighted": weighted_score,
+            },
         }
     
     # Generate grant
@@ -346,15 +406,19 @@ def evaluate_permission(agent_id: str, resource_type: str,
         "scope": scope,
         "expires_at": expires_at,
         "restrictions": restrictions,
-        "granted_at": datetime.now(timezone.utc).isoformat()
+        "granted_at": datetime.now(timezone.utc).isoformat(),
+        "advisory": True,           # Always advisory — not an authenticated credential
+        "unknown_agent": unknown_agent,
     }
-    
+
     # Save grant and log
     save_grant(grant)
     log_audit("permission_granted", grant)
-    
+
     return {
         "granted": True,
+        "advisory": True,           # Token is advisory — agent identity was not verified
+        "unknown_agent": unknown_agent,
         "token": token,
         "expires_at": expires_at,
         "restrictions": restrictions,
@@ -362,8 +426,14 @@ def evaluate_permission(agent_id: str, resource_type: str,
             "justification": justification_score,
             "trust": trust_level,
             "risk": risk_score,
-            "weighted": weighted_score
-        }
+            "weighted": weighted_score,
+        },
+        "notice": (
+            "This token was issued based on local scoring only. "
+            "The agent identity supplied via --agent was NOT cryptographically verified. "
+            "Treat this token as advisory and require human approval before granting "
+            "access to sensitive systems."
+        ),
     }
 
 
@@ -649,6 +719,16 @@ Examples:
         action="store_true",
         help="Output result as JSON"
     )
+    parser.add_argument(
+        "--confirm-high-risk",
+        action="store_true",
+        dest="confirm_high_risk",
+        help=(
+            "Required for PAYMENTS and DATABASE resources. Acknowledges that the issued "
+            "token is advisory only and that the caller-supplied agent identity was not "
+            "cryptographically verified."
+        ),
+    )
 
     args = parser.parse_args()
 
@@ -672,17 +752,21 @@ Examples:
         agent_id=args.agent,
         resource_type=args.resource,
         justification=args.justification,
-        scope=args.scope
+        scope=args.scope,
+        confirm_high_risk=getattr(args, "confirm_high_risk", False),
     )
 
     if args.json:
         print(json.dumps(result, indent=2))
     else:
         if result["granted"]:
-            print("GRANTED")
-            print(f"Token: {result['token']}")
-            print(f"Expires: {result['expires_at']}")
+            print("GRANTED  [ADVISORY — agent identity was NOT verified]")
+            print(f"Token:        {result['token']}")
+            print(f"Expires:      {result['expires_at']}")
             print(f"Restrictions: {', '.join(result['restrictions'])}")
+            if result.get("unknown_agent"):
+                print("WARNING: agent_id is not in the pre-registered known-agents list.")
+            print(f"\nNOTICE: {result.get('notice', '')}")
         else:
             print("DENIED")
             print(f"Reason: {result['reason']}")

package/scripts/context_manager.py

@@ -74,6 +74,72 @@ def _now_iso() -> str:
     return datetime.now(timezone.utc).isoformat()
 
 
+def _validate_context(ctx: dict[str, Any]) -> list[str]:
+    """
+    Validate the project context file against the expected schema.
+
+    Returns a list of warning strings (empty = clean).
+    Checks:
+    - Required top-level keys are present
+    - String fields are not excessively long (injection/poisoning guard)
+    - List entries are strings or dicts, not executable-looking content
+    - No obvious prompt-injection patterns in goals, decisions, or banned entries
+    """
+    import re as _re
+    warnings: list[str] = []
+
+    REQUIRED_KEYS = {"project", "goals", "stack", "milestones", "decisions",
+                     "banned_approaches", "updated_at"}
+    missing = REQUIRED_KEYS - set(ctx.keys())
+    if missing:
+        warnings.append(f"Missing keys in context file: {', '.join(sorted(missing))}")
+
+    # Field length caps
+    project = ctx.get("project", {})
+    for field in ("name", "description", "version"):
+        val = project.get(field, "")
+        if isinstance(val, str) and len(val) > 500:
+            warnings.append(f"project.{field} exceeds 500 characters \u2014 consider shortening.")
+
+    # Injection pattern check on free-text list fields
+    INJECTION_RE = _re.compile(
+        r'ignore\s+(previous|above|prior|all)|override\s+(policy|restriction|rule)|'
+        r'system\s*prompt|you\s+are\s+(now|a)|act\s+as\s+(if|a|an)|'
+        r'pretend\s+(to|that|you)|bypass\s+(security|check|restriction)|'
+        r'disregard\s+(policy|rule)|admin\s+(mode|access|override)|'
+        r'\bsudo\b|\bjailbreak\b',
+        _re.IGNORECASE,
+    )
+
+    def _check_text(label: str, text: str) -> None:
+        if INJECTION_RE.search(text):
+            warnings.append(
+                f"Possible injection pattern detected in {label}: {text[:80]!r}"
+            )
+        if len(text) > 2000:
+            warnings.append(f"{label} entry exceeds 2000 characters \u2014 review before injecting.")
+
+    for i, goal in enumerate(ctx.get("goals", [])):
+        if isinstance(goal, str):
+            _check_text(f"goals[{i}]", goal)
+
+    for i, dec in enumerate(ctx.get("decisions", [])):
+        if isinstance(dec, dict):
+            dec_dict = cast(dict[str, object], dec)
+            for fld in ("decision", "rationale"):
+                fld_val = dec_dict.get(fld)
+                if isinstance(fld_val, str):
+                    _check_text(f"decisions[{i}].{fld}", fld_val)
+        elif isinstance(dec, str):
+            _check_text(f"decisions[{i}]", dec)
+
+    for i, banned in enumerate(ctx.get("banned_approaches", [])):
+        if isinstance(banned, str):
+            _check_text(f"banned_approaches[{i}]", banned)
+
+    return warnings
+
+
 def _load() -> dict[str, Any]:
     if not CONTEXT_PATH.exists():
         print(
@@ -127,6 +193,11 @@ def cmd_init(args: argparse.Namespace) -> int:
 
 def cmd_show(args: argparse.Namespace) -> int:  # noqa: ARG001
     ctx = _load()
+    warnings = _validate_context(ctx)
+    if warnings:
+        print("[context_manager] VALIDATION WARNINGS — review before injecting:", file=sys.stderr)
+        for w in warnings:
+            print(f"  ! {w}", file=sys.stderr)
     print(json.dumps(ctx, indent=2))
     return 0
 
@@ -134,6 +205,12 @@ def cmd_show(args: argparse.Namespace) -> int:  # noqa: ARG001
 def cmd_inject(args: argparse.Namespace) -> int:  # noqa: ARG001
     """Print a formatted block suitable for injection into an agent system prompt."""
     ctx = _load()
+    warnings = _validate_context(ctx)
+    if warnings:
+        print("[context_manager] VALIDATION WARNINGS \u2014 context has potential issues:", file=sys.stderr)
+        for w in warnings:
+            print(f"  ! {w}", file=sys.stderr)
+        print("[context_manager] Proceeding with inject, but review warnings above.", file=sys.stderr)
     p = ctx.get("project", {})
 
     lines: list[str] = []

package/socket.json

@@ -1,4 +1,4 @@
-{
+            {
   "version": 2,
   "ignore": {
     "evalDynamicCodeExecution": [