tollgate 1.0.2__tar.gz → 1.0.3__tar.gz

{tollgate-1.0.2 → tollgate-1.0.3}/.claude/settings.local.json

@@ -10,7 +10,10 @@
       "Bash(.venv/bin/ruff format:*)",
       "Bash(git init:*)",
       "Bash(gh auth status:*)",
-      "Bash(.venv/bin/python:*)"
+      "Bash(.venv/bin/python:*)",
+      "Bash(python -m pytest tests/ -v)",
+      "Bash(python -m ruff:*)",
+      "Bash(python3 -m ruff check src/)"
     ]
   }
 }

{tollgate-1.0.2 → tollgate-1.0.3}/COMPARISON.md

@@ -2,6 +2,9 @@
 
 This guide demonstrates the minimal changes required to integrate `tollgate` into your existing AI agent workflows.
 
+> [!CAUTION]
+> **Disclaimer**: This project is an exploratory implementation intended for learning and discussion. It is not production-hardened and comes with no guarantees.
+
 ---
 
 ## 🔹 Scenario 1: Plain Python Tools

{tollgate-1.0.2 → tollgate-1.0.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: tollgate
-Version: 1.0.2
+Version: 1.0.3
 Summary: Runtime enforcement layer for AI agent tool calls using Identity + Intent + Policy
 Author: Tollgate Maintainers
 License-Expression: Apache-2.0
@@ -29,6 +29,9 @@ Runtime enforcement layer for AI agent tool calls using **Identity + Intent + Po
 
 `tollgate` provides a deterministic safety boundary for AI agents. It ensures every tool call is validated against a policy before execution, with support for async human-in-the-loop approvals, framework interception (MCP, Strands, LangChain, OpenAI), and structured audit logging.
 
+> [!CAUTION]
+> **Disclaimer**: This project is an exploratory implementation intended for learning and discussion. It is not production-hardened and comes with no guarantees.
+
 **[🚀 Quickstart Guide](https://github.com/ravi-labs/tollgate/blob/main/QUICKSTART.md) | [📊 Integration Comparison](https://github.com/ravi-labs/tollgate/blob/main/COMPARISON.md)**
 
 ```

{tollgate-1.0.2 → tollgate-1.0.3}/QUICKSTART.md

@@ -2,6 +2,9 @@
 
 Get started with `tollgate` in minutes. This guide covers the basic setup and integration options for various AI frameworks.
 
+> [!CAUTION]
+> **Disclaimer**: This project is an exploratory implementation intended for learning and discussion. It is not production-hardened and comes with no guarantees.
+
 ---
 
 ## 0. Key Concepts

{tollgate-1.0.2 → tollgate-1.0.3}/README.md

@@ -4,6 +4,9 @@ Runtime enforcement layer for AI agent tool calls using **Identity + Intent + Po
 
 `tollgate` provides a deterministic safety boundary for AI agents. It ensures every tool call is validated against a policy before execution, with support for async human-in-the-loop approvals, framework interception (MCP, Strands, LangChain, OpenAI), and structured audit logging.
 
+> [!CAUTION]
+> **Disclaimer**: This project is an exploratory implementation intended for learning and discussion. It is not production-hardened and comes with no guarantees.
+
 **[🚀 Quickstart Guide](https://github.com/ravi-labs/tollgate/blob/main/QUICKSTART.md) | [📊 Integration Comparison](https://github.com/ravi-labs/tollgate/blob/main/COMPARISON.md)**
 
 ```

{tollgate-1.0.2 → tollgate-1.0.3}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "tollgate"
-version = "1.0.2"
+version = "1.0.3"
 description = "Runtime enforcement layer for AI agent tool calls using Identity + Intent + Policy"
 readme = "README.md"
 requires-python = ">=3.10"

{tollgate-1.0.2 → tollgate-1.0.3}/src/tollgate/__init__.py

@@ -31,7 +31,7 @@ from .types import (
     ToolRequest,
 )
 
-__version__ = "1.0.2"
+__version__ = "1.0.3"
 
 __all__ = [
     "ControlTower",

{tollgate-1.0.2 → tollgate-1.0.3}/src/tollgate/approvals.py

@@ -56,6 +56,7 @@ class InMemoryApprovalStore(ApprovalStore):
     def __init__(self):
         self._requests: dict[str, dict[str, Any]] = {}
         self._events: dict[str, asyncio.Event] = {}
+        self._lock = asyncio.Lock()
 
     async def create_request(
         self, agent_ctx, intent, tool_request, request_hash, reason, expiry
@@ -77,19 +78,21 @@ class InMemoryApprovalStore(ApprovalStore):
     async def set_decision(
         self, approval_id, outcome, decided_by, decided_at, request_hash
     ):
-        if approval_id in self._requests:
-            req = self._requests[approval_id]
-            # Replay protection: hash must match
-            if req["request_hash"] != request_hash:
-                raise ValueError(
-                    "Request hash mismatch. Approval bound to a different request."
-                )
-
-            req["outcome"] = outcome
-            req["decided_by"] = decided_by
-            req["decided_at"] = decided_at
-            if approval_id in self._events:
-                self._events[approval_id].set()
+        # Security: Use lock for atomic read-modify-write operation
+        async with self._lock:
+            if approval_id in self._requests:
+                req = self._requests[approval_id]
+                # Replay protection: hash must match
+                if req["request_hash"] != request_hash:
+                    raise ValueError(
+                        "Request hash mismatch. Approval bound to a different request."
+                    )
+
+                req["outcome"] = outcome
+                req["decided_by"] = decided_by
+                req["decided_at"] = decided_at
+                if approval_id in self._events:
+                    self._events[approval_id].set()
 
     async def get_request(self, approval_id):
         return self._requests.get(approval_id)
@@ -172,21 +175,35 @@ class AutoApprover:
 class CliApprover:
     """Async-wrapped CLI approver for development."""
 
-    def __init__(self, show_emojis: bool = True):
+    def __init__(self, show_emojis: bool = True, timeout: float = 300.0):
+        """
+        Initialize CliApprover.
+
+        :param show_emojis: Whether to display emojis in prompts.
+        :param timeout: Timeout in seconds for user input (default 5 minutes).
+        """
         self.show_emojis = show_emojis
+        self.timeout = timeout
 
     async def request_approval_async(
         self, agent_ctx, intent, tool_request, _hash, reason
     ) -> ApprovalOutcome:
         loop = asyncio.get_event_loop()
-        return await loop.run_in_executor(
-            None,
-            self._sync_request,
-            agent_ctx,
-            intent,
-            tool_request,
-            reason,
-        )
+        try:
+            return await asyncio.wait_for(
+                loop.run_in_executor(
+                    None,
+                    self._sync_request,
+                    agent_ctx,
+                    intent,
+                    tool_request,
+                    reason,
+                ),
+                timeout=self.timeout,
+            )
+        except asyncio.TimeoutError:
+            print("\nApproval request timed out.")
+            return ApprovalOutcome.TIMEOUT
 
     def _sync_request(self, agent_ctx, intent, tool_request, reason) -> ApprovalOutcome:
         prefix = "🚦 " if self.show_emojis else ""

{tollgate-1.0.2 → tollgate-1.0.3}/src/tollgate/interceptors/openai.py

@@ -3,6 +3,7 @@ import json
 from collections.abc import Callable
 from typing import Any
 
+from ..exceptions import TollgateDenied
 from ..registry import ToolRegistry
 from ..tower import ControlTower
 from ..types import AgentContext, Intent, NormalizedToolCall, ToolRequest
@@ -26,10 +27,23 @@ class OpenAIAdapter:
             kwargs = {}
 
         tool_name = tc_dict.get("function", {}).get("name") or tc_dict.get("name")
+
+        # Security: Validate tool_name is not None or empty
+        if not tool_name:
+            raise TollgateDenied("Tool call missing required 'name' field")
+
         args_str = tc_dict.get("function", {}).get("arguments") or tc_dict.get(
             "arguments"
         )
-        args = json.loads(args_str) if isinstance(args_str, str) else args_str
+
+        # Security: Safe JSON parsing with proper error handling
+        if isinstance(args_str, str):
+            try:
+                args = json.loads(args_str)
+            except json.JSONDecodeError as e:
+                raise TollgateDenied(f"Invalid JSON in tool arguments: {e.msg}") from e
+        else:
+            args = args_str if args_str is not None else {}
 
         registry_key = f"openai:{tool_name}"
         effect, resource_type, manifest_version = self.registry.resolve_tool(
@@ -48,6 +62,10 @@ class OpenAIAdapter:
             manifest_version=manifest_version,
         )
 
+        # Security: Handle missing tool in tool_map
+        if tool_name not in self.tool_map:
+            raise TollgateDenied(f"Unknown tool: {tool_name}")
+
         func = self.tool_map[tool_name]
 
         async def _exec_async():

{tollgate-1.0.2 → tollgate-1.0.3}/src/tollgate/policy.py

@@ -20,6 +20,10 @@ class PolicyEvaluator(Protocol):
 class YamlPolicyEvaluator:
     """YAML-based policy evaluator with safe defaults."""
 
+    # Security: Whitelist of allowed attributes for agent_ctx and intent matching
+    ALLOWED_AGENT_ATTRS = frozenset({"agent_id", "version", "environment", "role"})
+    ALLOWED_INTENT_ATTRS = frozenset({"action", "reason", "session_id"})
+
     def __init__(
         self,
         policy_path: str | Path,
@@ -108,15 +112,21 @@ class YamlPolicyEvaluator:
         if "effect" in rule and rule["effect"] != req.effect.value:
             return False
 
-        # Match Agent Context
+        # Match Agent Context (with attribute whitelist)
         if "agent" in rule:
             for key, expected_val in rule["agent"].items():
+                # Security: Only allow whitelisted attributes
+                if key not in self.ALLOWED_AGENT_ATTRS:
+                    continue
                 if getattr(agent_ctx, key, None) != expected_val:
                     return False
 
-        # Match Intent
+        # Match Intent (with attribute whitelist)
         if "intent" in rule:
             for key, expected_val in rule["intent"].items():
+                # Security: Only allow whitelisted attributes
+                if key not in self.ALLOWED_INTENT_ATTRS:
+                    continue
                 if getattr(intent, key, None) != expected_val:
                     return False
 

{tollgate-1.0.2 → tollgate-1.0.3}/src/tollgate/tower.py

@@ -127,7 +127,8 @@ class ControlTower:
             result = await exec_async()
         except Exception as e:
             outcome = Outcome.FAILED
-            result_summary = f"{type(e).__name__}: {str(e)}"
+            # Security: Sanitize exception message to avoid info disclosure
+            result_summary = self._sanitize_exception(e)
             self._log(
                 correlation_id,
                 request_hash,
@@ -222,3 +223,36 @@ class ControlTower:
             return None
         s = str(result)
         return s[:max_chars] + "..." if len(s) > max_chars else s
+
+    def _sanitize_exception(self, e: Exception, max_chars: int = 100) -> str:
+        """
+        Sanitize exception message for audit logging.
+
+        Removes potentially sensitive information like file paths, stack traces,
+        and internal details while preserving the exception type.
+        """
+        exc_type = type(e).__name__
+
+        # For common safe exceptions, include a truncated message
+        safe_exceptions = {
+            "ValueError",
+            "TypeError",
+            "KeyError",
+            "IndexError",
+            "AttributeError",
+            "RuntimeError",
+        }
+
+        if exc_type in safe_exceptions:
+            msg = str(e)
+            # Remove file paths (Unix and Windows style)
+            import re
+
+            msg = re.sub(r"['\"]?(/[^\s'\"]+|[A-Za-z]:\\[^\s'\"]+)['\"]?", "[PATH]", msg)
+            # Truncate to avoid leaking too much info
+            if len(msg) > max_chars:
+                msg = msg[:max_chars] + "..."
+            return f"{exc_type}: {msg}"
+
+        # For unknown exceptions, only log the type
+        return f"{exc_type}: [details redacted]"