Conversation

3c6e384 to 7ffc933 (compare). Commit summary, truncated at the start:

…-threshold classifier
- zeph-tools: FirewallVerifier with path traversal detection, env-var exfiltration blocking, sensitive file glob patterns, configurable exempt tools and blocked paths; NFKC normalization against homoglyph bypasses; wired into CompositeExecutor pipeline (#2305)
- zeph-a2a: AuthIdentity struct propagated via request extensions; require_auth config field rejects requests 401 when no auth_token is configured; blake3 constant-time token comparison (#2304)
- zeph-sanitizer: InjectionVerdict enum with Suspicious (soft-threshold warn-only) and Blocked (hard-threshold block) tiers; injection_threshold_soft config field; classify_injection() updated to return three-way verdict (#2303)

7ffc933 to d4b0023 (compare)
Summary
- `FirewallVerifier`: fourth verifier in the pre-execution pipeline. Blocks path traversal (`../`), sensitive file access (`/etc/passwd`, `~/.ssh/*`, `**/*.pem`, etc.), env-var exfiltration (`$AWS_*`, `$ZEPH_*`), configurable blocked path globs and env var names, per-tool exemptions. NFKC normalization applied to defeat homoglyph bypasses. Wired into `CompositeExecutor` after existing verifiers; controlled by `[tools.verifier.firewall]` config section.
- `AuthIdentity { authenticated: bool }` struct inserted into request extensions by `auth_middleware` for every request. `jsonrpc_handler` and `stream_handler` extract it for audit logging. New `require_auth: bool` field in `A2aServerConfig` (default `false`): when `true`, requests are rejected 401 when no `auth_token` is configured. Wired through `A2aServer::with_require_auth()` and bootstrap `daemon.rs`. Blake3 constant-time token comparison prevents length side-channel.
- `InjectionVerdict` enum with three tiers (`Clean`/`Suspicious`/`Blocked`). New `injection_threshold_soft` config field: scores ≥ soft but < hard emit `WARN` log and return `Suspicious` without blocking. Dual-threshold replaces the previous binary pass/block behavior, enabling operator visibility into borderline cases.

Test count

+17 new tests (6 `FirewallVerifier`, 8 `AuthIdentity`/`require_auth`, 3 `InjectionVerdict` soft-threshold). Total: 6963 passed (previously 6943 on `main` before rebase; delta includes 3 unrelated PRs merged to main during development).

LLM serialization gate

Not applicable: this PR does not touch any LLM request/response serialization paths (`claude.rs`, `openai.rs`, `MessagePart`, context assembly). No live API session test required.

Closes #2305
Closes #2304
Closes #2303
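The first bullet of the summary describes a pre-execution firewall that normalizes tool arguments with NFKC before matching traversal, sensitive-path and env-var patterns. The following is an added Python illustration of that ordering and of what NFKC does and does not defeat; it is not zeph-tools' Rust `FirewallVerifier`, and the policy values, `FirewallPolicy`, `Verdict` and `verify` are assumptions made for the example.

```python
import fnmatch
import re
import unicodedata
from dataclasses import dataclass

# Constructed policy modelled on the PR description, not zeph's real config section.
DEFAULT_SENSITIVE_GLOBS = ("/etc/passwd", "/etc/shadow", "~/.ssh/*", "**/*.pem")
DEFAULT_BLOCKED_ENV_PREFIXES = ("AWS_", "ZEPH_")
ENV_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


@dataclass(frozen=True)
class FirewallPolicy:
    sensitive_globs: tuple = DEFAULT_SENSITIVE_GLOBS
    blocked_env_prefixes: tuple = DEFAULT_BLOCKED_ENV_PREFIXES
    exempt_tools: frozenset = frozenset()


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str = ""


def normalize(text: str) -> str:
    """NFKC folds compatibility forms (fullwidth '．', '／', '＄', ...) to ASCII,
    so a homoglyph-spelled '．．／etc／passwd' is inspected as '../etc/passwd'.
    It does NOT fold cross-script look-alikes: Cyrillic 'е' stays distinct from 'e'."""
    return unicodedata.normalize("NFKC", text)


def matches_sensitive(path: str, globs) -> bool:
    for pattern in globs:
        # fnmatch's '*' already crosses '/', so '**/*.pem' matches '/a/b/c.pem';
        # also try the pattern without its '**/' prefix so a bare 'key.pem' matches.
        candidates = [pattern, pattern[3:]] if pattern.startswith("**/") else [pattern]
        if any(fnmatch.fnmatchcase(path, c) for c in candidates):
            return True
    return False


def verify(tool: str, args: str, policy: FirewallPolicy = FirewallPolicy()) -> Verdict:
    """Pre-execution check on a tool call's argument string."""
    if tool in policy.exempt_tools:
        return Verdict(True, "exempt tool")
    text = normalize(args)  # normalize BEFORE any pattern check, never after
    for m in ENV_REF.finditer(text):
        name = m.group(1)
        if name.startswith(policy.blocked_env_prefixes):
            return Verdict(False, f"reference to blocked env var ${name}")
    # Whitespace tokenization is a simplification for the example; a real
    # verifier walks the tool's structured arguments, not a shell string.
    for tok in (t.strip("\"'") for t in text.split()):
        if ".." in tok.split("/"):
            return Verdict(False, f"path traversal in {tok!r}")
        if matches_sensitive(tok, policy.sensitive_globs):
            return Verdict(False, f"sensitive path {tok!r}")
    return Verdict(True)
```

The caveat a reviewer would want recorded: NFKC neutralizes fullwidth and other compatibility variants, but not confusables from other scripts, so a blocklist that relies on normalization alone still needs a confusables check or an allowlist approach for the paths that matter most.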
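The second bullet combines a `require_auth` gate with a hash-then-compare token check. The following added Python example shows the decision table that gate implies and why hashing before a constant-time comparison removes the length signal; it is not zeph-a2a's `auth_middleware`, `ServerAuthConfig` and `authenticate` are stand-ins invented for the example, and stdlib blake2b is used in place of the blake3 the PR names.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ServerAuthConfig:
    # Hypothetical stand-in for the two relevant A2aServerConfig fields.
    auth_token: Optional[str] = None
    require_auth: bool = False


@dataclass(frozen=True)
class AuthIdentity:
    authenticated: bool


def token_digest(token: str) -> bytes:
    # blake2b (stdlib) stands in for blake3: a fixed 32-byte digest, so the
    # comparison below always runs over equal-length inputs whatever the
    # length of the presented token.
    return hashlib.blake2b(token.encode("utf-8"), digest_size=32).digest()


def tokens_match(expected: str, presented: str) -> bool:
    # compare_digest is constant-time for equal-length byte strings; a plain
    # `==` on str short-circuits on length, which leaks how long the secret is.
    return hmac.compare_digest(token_digest(expected), token_digest(presented))


def authenticate(cfg: ServerAuthConfig, bearer: Optional[str]) -> Tuple[int, Optional[AuthIdentity]]:
    """Middleware decision: (HTTP status, identity to attach to the request)."""
    if cfg.auth_token is None:
        if cfg.require_auth:
            return 401, None  # hardened mode: no token configured, refuse everything
        return 200, AuthIdentity(authenticated=False)  # open mode, still recorded for audit
    if bearer is None or not tokens_match(cfg.auth_token, bearer):
        return 401, None
    return 200, AuthIdentity(authenticated=True)
```

The value of `require_auth` is that a missing `auth_token` fails closed instead of silently serving unauthenticated traffic; the `authenticated=False` identity in open mode is what lets the handlers log that fact rather than infer it.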
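The third bullet introduces a soft/hard threshold pair around an injection score. The following added Python example shows the three-way verdict over a constructed keyword scorer, including the configuration check a dual threshold needs; it is not zeph-sanitizer's `classify_injection`, the signal list and weights are made up for the example, and a real classifier would be a model rather than regexes.

```python
import logging
import re
from enum import Enum
from typing import Tuple

log = logging.getLogger("sanitizer")


class InjectionVerdict(Enum):
    CLEAN = "clean"
    SUSPICIOUS = "suspicious"  # soft threshold crossed: warn, do not block
    BLOCKED = "blocked"        # hard threshold crossed: block


# Constructed toy signals with weights; stand-in for a real scorer.
SIGNALS = [
    (re.compile(r"ignore (all )?(previous|prior|above) instructions", re.I), 0.6),
    (re.compile(r"(system prompt|developer message)", re.I), 0.3),
    (re.compile(r"you are now", re.I), 0.25),
    (re.compile(r"send .* to https?://", re.I), 0.4),
]


def injection_score(text: str) -> float:
    """Sum of matched signal weights, clamped to [0, 1]."""
    return min(sum(w for pat, w in SIGNALS if pat.search(text)), 1.0)


def classify_injection(text: str, threshold_soft: float = 0.3,
                       threshold_hard: float = 0.7) -> Tuple[InjectionVerdict, float]:
    # Reject a misconfiguration where soft > hard: the Suspicious band would
    # be empty and borderline cases would silently disappear.
    if not 0.0 <= threshold_soft <= threshold_hard <= 1.0:
        raise ValueError("need 0 <= injection_threshold_soft <= injection_threshold <= 1")
    score = injection_score(text)
    if score >= threshold_hard:
        log.warning("injection blocked score=%.2f", score)
        return InjectionVerdict.BLOCKED, score
    if score >= threshold_soft:
        # Operator visibility only: logged at WARN, content still passes.
        log.warning("injection suspicious score=%.2f", score)
        return InjectionVerdict.SUSPICIOUS, score
    return InjectionVerdict.CLEAN, score
```

Returning the score alongside the verdict is deliberate: the point of the soft band is tuning, and an operator cannot tune thresholds from a bare `Suspicious` label.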