fred-runtime 3.1.0__tar.gz → 3.1.1__tar.gz

{fred_runtime-3.1.0 → fred_runtime-3.1.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fred-runtime
-Version: 3.1.0
+Version: 3.1.1
 Summary: Runtime adapters and infrastructure wiring for Fred v2 agents.
 Author-email: Thales <noreply@thalesgroup.com>
 License: Apache-2.0

{fred_runtime-3.1.0 → fred_runtime-3.1.1}/fred_runtime/integrations/v2_runtime/adapters.py

@@ -923,18 +923,35 @@ class FredWorkspaceFs(WorkspaceFsPort):
             )
         return str(uid)
 
+    def _session_agent_instance_id(self) -> str:
+        # The agents subtree is keyed by the immutable per-team agent_instance_id
+        # (FILES-04 / AGENT-FILESYSTEM-RFC §3.1), injected from the execution grant
+        # — never the template agent_id, never agent-supplied.
+        aid = getattr(self._binding.runtime_context, "agent_instance_id", None)
+        if not aid:
+            raise RuntimeError(
+                "Workspace filesystem requires an agent instance in the session context."
+            )
+        return str(aid)
+
     def _token(self) -> str:
         return _workspace_access_token(self._binding.runtime_context)
 
     # ---- path relativization (§7.1 security rule) ----
     def _resolve(self, path: str, *, allow_root: bool = False) -> str:
         team = self._session_team()
+        # Bare agent paths resolve to the running agent's own per-user space
+        # (FILES-04 / AGENT-FILESYSTEM-RFC §3, §6), not Mon espace.
+        agent_root = (
+            f"teams/{team}/agents/{self._session_agent_instance_id()}"
+            f"/users/{self._session_user()}"
+        )
         parts = [p for p in (path or "").strip().replace("\\", "/").split("/") if p]
         if ".." in parts:
             raise ValueError("Path cannot contain parent path segments")
         if not parts:
             if allow_root:
-                return f"teams/{team}/users/{self._session_user()}"
+                return agent_root
             raise ValueError("Path cannot be empty")
         head = parts[0]
         if head == "teams":
@@ -946,24 +963,78 @@ class FredWorkspaceFs(WorkspaceFsPort):
                 )
             return "/".join(parts)
         if head == "shared":
+            # Team-shared reads (e.g. resolve_template's team step) stay addressable;
+            # write/delete into shared is rejected separately (agents never share).
             return f"teams/{team}/" + "/".join(parts)
-        return f"teams/{team}/users/{self._session_user()}/" + "/".join(parts)
+        return f"{agent_root}/" + "/".join(parts)
+
+    def _agent_root(self) -> str:
+        return (
+            f"teams/{self._session_team()}/agents/{self._session_agent_instance_id()}"
+            f"/users/{self._session_user()}"
+        )
+
+    def _resolve_owned(self, path: str) -> str:
+        """
+        Resolve a path the agent must own — used for write and delete.
+
+        Agents read team-shared files and their own space, but may only *mutate*
+        inside their own agents subtree. A path resolving outside it — into
+        ``shared/`` (G3: agents never share), Mon espace, or a sibling agent's
+        subtree (G2) — is a hard ``PermissionError`` (AGENT-FILESYSTEM-RFC §6).
+        """
+        resolved = self._resolve(path)
+        root = self._agent_root()
+        if resolved != root and not resolved.startswith(root + "/"):
+            raise PermissionError(
+                f"Agents may only write inside their own space; '{path}' resolves outside it."
+            )
+        return resolved
+
+    def _clean_parts(self, path: str) -> list[str]:
+        parts = [p for p in (path or "").strip().replace("\\", "/").split("/") if p]
+        if ".." in parts:
+            raise ValueError("Path cannot contain parent path segments")
+        return parts
+
+    def _resolve_user(self, path: str) -> str:
+        # Explicit read of the run user's Mon espace (AGENT-FILESYSTEM-RFC §7) — same
+        # user the agent acts for; KF enforces own-uid ownership. v1 reads the whole
+        # Mon espace; selection-scoping (§7.3) is deferred hardening, like G1b.
+        return f"teams/{self._session_team()}/users/{self._session_user()}/" + "/".join(
+            self._clean_parts(path)
+        )
+
+    def _resolve_team(self, path: str) -> str:
+        # Explicit read of the team's Espace d'equipe; governed by the user's team read.
+        return f"teams/{self._session_team()}/shared/" + "/".join(
+            self._clean_parts(path)
+        )
 
     # ---- operations ----
-    async def read_bytes(self, path: str) -> bytes:
+    async def _download(self, resolved: str, original: str) -> bytes:
         try:
             blob = await self._workspace_client.fs_download_blob(
-                self._resolve(path), self._token()
+                resolved, self._token()
             )
         except WorkspaceRetrievalError as e:
             if e.status_code == 404:
-                raise WorkspaceFileNotFound(path) from e
+                raise WorkspaceFileNotFound(original) from e
             raise
         return blob.bytes
 
+    async def read_bytes(self, path: str) -> bytes:
+        return await self._download(self._resolve(path), path)
+
     async def read_text(self, path: str) -> str:
         return (await self.read_bytes(path)).decode("utf-8")
 
+    async def read_user_bytes(self, path: str) -> bytes:
+        return await self._download(self._resolve_user(path), path)
+
+    async def read_team_bytes(self, path: str) -> bytes:
+        return await self._download(self._resolve_team(path), path)
+
     async def write(
         self,
         path: str,
@@ -972,7 +1043,7 @@ class FredWorkspaceFs(WorkspaceFsPort):
         content_type: str | None = None,
         title: str | None = None,
     ) -> PublishedArtifact:
-        resolved = self._resolve(path)
+        resolved = self._resolve_owned(path)
         file_name = resolved.rsplit("/", 1)[-1]
         result = await self._workspace_client.fs_upload(
             resolved, content, file_name, content_type
@@ -997,7 +1068,7 @@ class FredWorkspaceFs(WorkspaceFsPort):
         ]
 
     async def delete(self, path: str) -> None:
-        await self._workspace_client.fs_delete(self._resolve(path), self._token())
+        await self._workspace_client.fs_delete(self._resolve_owned(path), self._token())
 
     async def link_for(self, path: str) -> PublishedArtifact:
         resolved = self._resolve(path)

{fred_runtime-3.1.0 → fred_runtime-3.1.1}/fred_runtime.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fred-runtime
-Version: 3.1.0
+Version: 3.1.1
 Summary: Runtime adapters and infrastructure wiring for Fred v2 agents.
 Author-email: Thales <noreply@thalesgroup.com>
 License: Apache-2.0

{fred_runtime-3.1.0 → fred_runtime-3.1.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "fred-runtime"
-version = "3.1.0"
+version = "3.1.1"
 description = "Runtime adapters and infrastructure wiring for Fred v2 agents."
 readme = "README.md"
 requires-python = ">=3.12,<3.13"

{fred_runtime-3.1.0 → fred_runtime-3.1.1}/tests/test_fred_workspace_fs.py

@@ -67,7 +67,10 @@ def _fs(client: _FakeClient | None = None) -> FredWorkspaceFs:
     fs = object.__new__(FredWorkspaceFs)
     fs._binding = SimpleNamespace(  # type: ignore[assignment]
         runtime_context=SimpleNamespace(
-            team_id="acme", user_id="u-1", access_token="tok"
+            team_id="acme",
+            user_id="u-1",
+            agent_instance_id="inst-7",
+            access_token="tok",
         )
     )
     fs._settings = SimpleNamespace(team_id="acme")  # type: ignore[assignment]
@@ -78,8 +81,20 @@ def _fs(client: _FakeClient | None = None) -> FredWorkspaceFs:
 # ---- relativization (the §7.1 security rule) ----
 
 
-def test_resolve_bare_path_goes_to_user_private_space():
-    assert _fs()._resolve("outputs/q3.pptx") == "teams/acme/users/u-1/outputs/q3.pptx"
+def test_resolve_bare_path_goes_to_agent_space():
+    # FILES-04 §3/§6: a bare agent write lands in the agent's own per-user space,
+    # keyed by agent_instance_id — not Mon espace.
+    assert (
+        _fs()._resolve("outputs/q3.pptx")
+        == "teams/acme/agents/inst-7/users/u-1/outputs/q3.pptx"
+    )
+
+
+def test_resolve_missing_agent_instance_raises():
+    fs = _fs()
+    fs._binding.runtime_context.agent_instance_id = None
+    with pytest.raises(RuntimeError, match="agent instance"):
+        fs._resolve("outputs/q3.pptx")
 
 
 def test_resolve_shared_prefix_goes_to_team_space():
@@ -107,7 +122,7 @@ def test_resolve_empty_requires_allow_root():
     fs = _fs()
     with pytest.raises(ValueError, match="empty"):
         fs._resolve("")
-    assert fs._resolve("", allow_root=True) == "teams/acme/users/u-1"
+    assert fs._resolve("", allow_root=True) == "teams/acme/agents/inst-7/users/u-1"
 
 
 # ---- operations ----
@@ -120,6 +135,32 @@ async def test_read_bytes_maps_404_to_not_found():
         await fs.read_bytes("outputs/missing.bin")
 
 
+@pytest.mark.asyncio
+async def test_read_user_bytes_resolves_to_mon_espace():
+    # G7: explicit read of the run user's Mon espace.
+    client = _FakeClient()
+    fs = _fs(client)
+    await fs.read_user_bytes("templates/brand.pptx")
+    assert client.calls[-1] == (
+        "download",
+        "teams/acme/users/u-1/templates/brand.pptx",
+        "tok",
+    )
+
+
+@pytest.mark.asyncio
+async def test_read_team_bytes_resolves_to_shared():
+    # G7: explicit read of Espace d'equipe.
+    client = _FakeClient()
+    fs = _fs(client)
+    await fs.read_team_bytes("templates/brand.pptx")
+    assert client.calls[-1] == (
+        "download",
+        "teams/acme/shared/templates/brand.pptx",
+        "tok",
+    )
+
+
 @pytest.mark.asyncio
 async def test_read_bytes_resolves_and_returns_content():
     client = _FakeClient()
@@ -134,7 +175,7 @@ async def test_read_bytes_resolves_and_returns_content():
 
 
 @pytest.mark.asyncio
-async def test_write_uploads_to_user_space_and_returns_artifact():
+async def test_write_uploads_to_agent_space_and_returns_artifact():
     client = _FakeClient()
     fs = _fs(client)
     artifact = await fs.write(
@@ -142,25 +183,65 @@ async def test_write_uploads_to_user_space_and_returns_artifact():
     )
     assert isinstance(artifact, PublishedArtifact)
     assert artifact.file_name == "q3.pptx"
-    assert artifact.href == "/dl/teams/acme/users/u-1/outputs/q3.pptx"
-    assert client.calls[-1][0:2] == ("upload", "teams/acme/users/u-1/outputs/q3.pptx")
+    assert artifact.href == "/dl/teams/acme/agents/inst-7/users/u-1/outputs/q3.pptx"
+    assert client.calls[-1][0:2] == (
+        "upload",
+        "teams/acme/agents/inst-7/users/u-1/outputs/q3.pptx",
+    )
 
 
 @pytest.mark.asyncio
-async def test_ls_lists_user_root_by_default():
+async def test_ls_lists_agent_root_by_default():
     client = _FakeClient()
     fs = _fs(client)
     entries = await fs.ls()
     assert [e.path for e in entries] == ["deck.pptx"]
-    assert client.calls[-1] == ("list", "teams/acme/users/u-1", "tok")
+    assert client.calls[-1] == ("list", "teams/acme/agents/inst-7/users/u-1", "tok")
 
 
 @pytest.mark.asyncio
-async def test_delete_resolves_path():
+async def test_delete_resolves_owned_path():
     client = _FakeClient()
     fs = _fs(client)
-    await fs.delete("shared/x.txt")
-    assert client.calls[-1] == ("delete", "teams/acme/shared/x.txt", "tok")
+    await fs.delete("outputs/x.txt")
+    assert client.calls[-1] == (
+        "delete",
+        "teams/acme/agents/inst-7/users/u-1/outputs/x.txt",
+        "tok",
+    )
+
+
+# ---- write/delete isolation: agents mutate only their own subtree (G2/G3) ----
+
+
+@pytest.mark.asyncio
+async def test_write_rejects_shared_path():
+    # G3: an agent cannot write into Espace d'equipe even though it can read it.
+    fs = _fs()
+    with pytest.raises(PermissionError, match="own space"):
+        await fs.write("shared/templates/brand.pptx", b"x")
+
+
+@pytest.mark.asyncio
+async def test_delete_rejects_shared_path():
+    fs = _fs()
+    with pytest.raises(PermissionError, match="own space"):
+        await fs.delete("shared/x.txt")
+
+
+@pytest.mark.asyncio
+async def test_write_rejects_sibling_agent_absolute_path():
+    # G2: an absolute path into another agent instance's subtree is rejected.
+    fs = _fs()
+    with pytest.raises(PermissionError, match="own space"):
+        await fs.write("/teams/acme/agents/inst-OTHER/users/u-1/outputs/x.pptx", b"x")
+
+
+@pytest.mark.asyncio
+async def test_write_rejects_cross_user_absolute_path():
+    fs = _fs()
+    with pytest.raises(PermissionError, match="own space"):
+        await fs.write("/teams/acme/agents/inst-7/users/u-OTHER/outputs/x.pptx", b"x")
 
 
 @pytest.mark.asyncio
@@ -170,10 +251,13 @@ async def test_link_for_resolves_and_returns_signed_artifact():
     artifact = await fs.link_for("uploads/report.xlsx")
     assert isinstance(artifact, PublishedArtifact)
     assert artifact.file_name == "report.xlsx"
-    assert artifact.href == "/dl/teams/acme/users/u-1/uploads/report.xlsx?token=sig"
+    assert (
+        artifact.href
+        == "/dl/teams/acme/agents/inst-7/users/u-1/uploads/report.xlsx?token=sig"
+    )
     assert artifact.mime == "application/octet-stream"
     assert client.calls[-1] == (
         "share",
-        "teams/acme/users/u-1/uploads/report.xlsx",
+        "teams/acme/agents/inst-7/users/u-1/uploads/report.xlsx",
         "tok",
     )

{fred_runtime-3.1.0 → fred_runtime-3.1.1}/tests/test_kf_workspace_client.py

@@ -247,7 +247,9 @@ def test_fs_path_percent_encodes_reserved_chars_preserving_separators():
     # Reserved chars (#, ?, space) must be encoded so the {path:path} route is not
     # truncated, while "/" separators stay literal.
     assert (
-        KfWorkspaceClient._fs_path("download", "teams/acme/users/u-1/outputs/Q3 #1?.txt")
+        KfWorkspaceClient._fs_path(
+            "download", "teams/acme/users/u-1/outputs/Q3 #1?.txt"
+        )
         == "/fs/download/teams/acme/users/u-1/outputs/Q3%20%231%3F.txt"
     )
 

{fred_runtime-3.1.0 → fred_runtime-3.1.1}/fred_runtime/common/kf_workspace_client.py

@@ -17,8 +17,8 @@ from __future__ import annotations
 import logging
 import re
 from dataclasses import dataclass
-from urllib.parse import quote
 from typing import BinaryIO, Callable
+from urllib.parse import quote
 
 import httpx