-
Notifications
You must be signed in to change notification settings - Fork 0
Architectural Alignment: Zero Trust & Mandate Enforcement #22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,6 +7,7 @@ | |
|
|
||
| const MandateService = require("./mandate"); | ||
| const logger = require("../utils/logger"); | ||
| const MandateService = require("./mandate"); | ||
|
|
||
| class A2AService { | ||
| constructor(walletService, db, config = {}) { | ||
|
|
@@ -67,10 +68,22 @@ class A2AService { | |
| ); | ||
| } | ||
|
|
||
| // 2. Policy Checks (Sender) | ||
| // 2. Zero Trust Mandate Validation | ||
| if (mandate) { | ||
| await this.mandateService.verifyMandate(mandate, { | ||
| amount, | ||
| recipient: toAgentId, | ||
| }); | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Mandate verified twice per transferMedium Severity When a mandate is present, Additional Locations (1)Reviewed by Cursor Bugbot for commit 26491c4. Configure here. |
||
| } else if (this.strictMandateMode) { | ||
| throw new Error( | ||
| "Zero Trust Validation Failed: Mandate required for A2A transfer in strict mode", | ||
| ); | ||
| } | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Unreachable strict mode branchLow Severity The Reviewed by Cursor Bugbot for commit 26491c4. Configure here. |
||
|
|
||
| // 3. Policy Checks (Sender) | ||
| await this._validateAgentPolicy(fromAgent, toAgentId, amount); | ||
|
|
||
| // 3. Execute Wallet Transfer | ||
| // 4. Execute Wallet Transfer | ||
| const transferResult = await this.walletService.transfer({ | ||
| fromWalletId: fromAgent.walletId, | ||
| toWalletId: toAgent.walletId, | ||
|
|
@@ -136,6 +149,15 @@ class A2AService { | |
| */ | ||
| _handleError(method, error) { | ||
| logger.error(`A2AService.${method} error:`, error); | ||
|
|
||
| // Normalize Zero Trust errors | ||
| if ( | ||
| error.message && | ||
| error.message.includes("Zero Trust Validation Failed:") | ||
| ) { | ||
| return error; | ||
| } | ||
|
|
||
| return error instanceof Error ? error : new Error(error); | ||
| } | ||
| } | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| const MandateService = require("../../src/services/mandate"); | ||
| const jwt = require("jsonwebtoken"); | ||
|
|
||
| describe("MandateService - Context Validation", () => { | ||
| let mandateService; | ||
| const signingKey = "test-secret"; | ||
|
|
||
| beforeEach(() => { | ||
| mandateService = new MandateService({ signingKey }); | ||
| }); | ||
|
|
||
| it("should validate amount against intent mandate budget", async () => { | ||
| const mandate = await mandateService.issueIntentMandate({ | ||
| userDid: "did:key:user", | ||
| agentDid: "did:key:agent", | ||
| maxBudget: 100, | ||
| }); | ||
|
|
||
| // Valid amount | ||
| await expect( | ||
| mandateService.verifyMandate(mandate, { amount: 50 }), | ||
| ).resolves.toBeDefined(); | ||
|
|
||
| // Invalid amount | ||
| await expect( | ||
| mandateService.verifyMandate(mandate, { amount: 150 }), | ||
| ).rejects.toThrow( | ||
| "Zero Trust Validation Failed: Amount 150 exceeds mandate budget of 100", | ||
| ); | ||
| }); | ||
|
|
||
| it("should validate recipient against allowed_merchants whitelist", async () => { | ||
| const mandate = await mandateService.issueIntentMandate({ | ||
| userDid: "did:key:user", | ||
| agentDid: "did:key:agent", | ||
| maxBudget: 100, | ||
| allowedMerchants: ["did:key:merchant-1"], | ||
| }); | ||
|
|
||
| // Authorized merchant | ||
| await expect( | ||
| mandateService.verifyMandate(mandate, { recipient: "did:key:merchant-1" }), | ||
| ).resolves.toBeDefined(); | ||
|
|
||
| // Unauthorized merchant | ||
| await expect( | ||
| mandateService.verifyMandate(mandate, { recipient: "did:key:merchant-2" }), | ||
| ).rejects.toThrow( | ||
| "Zero Trust Validation Failed: Merchant did:key:merchant-2 not authorized by mandate", | ||
| ); | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Whitelist test expects wrong errorMedium Severity The new whitelist test expects Reviewed by Cursor Bugbot for commit 26491c4. Configure here. |
||
| }); | ||
|
|
||
| it("should handle expired tokens with correct prefix", async () => { | ||
| const mandate = jwt.sign( | ||
| { | ||
| exp: Math.floor(Date.now() / 1000) - 60, | ||
| }, | ||
| signingKey, | ||
| ); | ||
|
|
||
| await expect(mandateService.verifyMandate(mandate)).rejects.toThrow( | ||
| "Zero Trust Validation Failed: Mandate has expired", | ||
| ); | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Expiry test expects wrong messageMedium Severity The expired-mandate test expects Reviewed by Cursor Bugbot for commit 26491c4. Configure here. |
||
| }); | ||
| }); | ||


There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Duplicate MandateService module import
High Severity
A duplicate
const MandateServicedeclaration ina2aService.jscreates a JavaScript syntax error. This prevents the file from parsing, so the A2A service cannot load or start.Reviewed by Cursor Bugbot for commit 26491c4. Configure here.