Firma-AI · luca-iachini · Jun 19, 2026 · Jun 19, 2026 · Jun 19, 2026 · Jun 19, 2026
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
@@ -0,0 +1,100 @@
+name: E2E Tests
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: e2e-tests-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  e2e:
+    name: e2e (${{ matrix.os }}, ${{ matrix.agent.name }})
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        agent:
+          - name: claude
+            package: "@anthropic-ai/claude-code"
+          - name: codex
+            package: "@openai/codex"
+
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          persist-credentials: false
+
+      - uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
+        with:
+          rustflags: ""
+          cache: false
+
+      - name: Install cargo-binstall
+        uses: cargo-bins/cargo-binstall@30b5ca8b54e1dcffd9548bc87ede1531310fdc67 # v1.20.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Load tool versions
+        shell: bash
+        run: grep -E '^[A-Z0-9_]+=' tool-versions.env >> "$GITHUB_ENV"
+      - name: Install cargo-nextest
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: command -v cargo-nextest || cargo binstall -y --force --locked cargo-nextest@$CARGO_NEXTEST_VERSION
+        shell: bash
+
+      - name: Install protoc
+        uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install bubblewrap (Linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get install -y bubblewrap
+
+      # Ubuntu 24.04 ships kernel.apparmor_restrict_unprivileged_userns=1, which
+      # transitions bwrap to a profile that strips CAP_NET_ADMIN inside its user
+      # namespace, so it cannot bring up loopback (RTM_NEWADDR). Install the
+      # targeted AppArmor profile that lets bwrap keep its caps in the userns.
+      - name: Allow bwrap user namespaces via AppArmor profile (Linux)
+        if: runner.os == 'Linux'
+        run: |
+          sudo tee /etc/apparmor.d/bwrap >/dev/null <<'EOF'
+          abi <abi/4.0>,
+          include <tunables/global>
+
+          profile bwrap /usr/bin/bwrap flags=(unconfined) {
+              userns,
+              include if exists <local/bwrap>
+          }
+          EOF
+          sudo apparmor_parser -r /etc/apparmor.d/bwrap
+
+      - name: Install ${{ matrix.agent.name }}
+        run: |
+          npm install -g '${{ matrix.agent.package }}'
+          ${{ matrix.agent.name }} --version
+
+      - name: Authenticate codex
+        if: matrix.agent.name == 'codex'
+        run: printenv OPENAI_API_KEY | codex login --with-api-key
+        env:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+
+      # nextest builds the firma binary as part of the e2e test; firma_bin()
+      # reads its path from CARGO_BIN_EXE_firma.
+      - name: Run e2e tests
+        env:
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+        run: cargo nextest run -p firma --test e2e --run-ignored all -E 'test(/${{ matrix.agent.name }}::/)'
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -53,12 +53,14 @@ firma-protobuf = "0.1.1"
 firma-run = { path = "crates/firma-run" }
 firma-sidecar = { path = "crates/firma-sidecar" }
 firma-stack = { path = "crates/firma-stack" }
+fs-err = "3.3"
 governor = "0.10"
 hex = "0.4"
 http-body = "1"
 http-body-util = "0.1"
 hyper = { version = "1", default-features = false }
 hyper-util = { version = "0.1", default-features = false }
+insta = { version = "1", features = ["json", "redactions"] }
 lru = "0.17"
 miette = { version = "7", features = ["fancy-no-backtrace"] }
 nix = { version = "0.31", features = ["fs", "process", "signal", "socket", "user"] }
@@ -81,6 +83,7 @@ rustls = "0.23"
 rustls-pemfile = "2"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
+serde_repr = "0.1"
 serde_yaml = "0.9"
 serial_test = "3"
 sha2 = "0.11"
@@ -105,5 +108,6 @@ uuid = { version = "1", features = ["v4", "v7", "serde"] }
 wait-timeout = "0.2"
 webpki-roots = "1"
 windows-sys = { version = "0.59", features = ["Win32_Foundation", "Win32_Security", "Win32_System_Console", "Win32_System_JobObjects", "Win32_System_Threading"] }
+wiremock = "0.6"
 x509-parser = "0.16"
 xxhash-rust = { version = "0.8", features = ["xxh3"] }
diff --git a/crates/firma-authority/src/config.rs b/crates/firma-authority/src/config.rs
@@ -1,4 +1,4 @@
-use serde::Deserialize;
+use serde::{Deserialize, Serialize};
 use std::path::PathBuf;
 
 /// Sentinel: unset `policy_dir`.
@@ -12,7 +12,7 @@ pub(crate) const DEFAULT_KEY_FILE: &str = "firma-authority.key";
 ///
 /// Environment variables take precedence over TOML values and use the
 /// `FIRMA_AUTHORITY_` prefix (e.g., `FIRMA_AUTHORITY_LISTEN_ADDR`).
-#[derive(Debug, Clone, Deserialize)]
+#[derive(Debug, Clone, Deserialize, Serialize)]
 #[serde(default)]
 pub struct AuthorityConfig {
     /// gRPC listen address (default: `[::1]:50051`).
@@ -51,7 +51,7 @@ pub struct AuthorityConfig {
 /// TLS configuration for the Authority gRPC server.
 ///
 /// Both values are required together to enable TLS.
-#[derive(Debug, Clone, Default, Deserialize)]
+#[derive(Debug, Clone, Default, Deserialize, Serialize)]
 pub struct AuthorityTlsConfig {
     /// Path to the TLS certificate file (PEM). Must be set together with
     /// `tls_key_path`.

diff --git a/crates/firma-run/src/sidecar/config.rs b/crates/firma-run/src/sidecar/config.rs
@@ -215,6 +215,11 @@ pub fn synthesize(req: SynthesizeRequest<'_>) -> Result<TemplateSource, RunError
         rebase_template_resource_paths(&mut value, dir)?;
     }
     override_interceptor(&mut value, req.socket_path, req.listen_addr)?;
+    // Pin ca.dir to the marker dir so the MITM CA cert lands where
+    // sidecar_trust_env_overrides expects it (<marker_dir>/firma-ca/).
+    // The default "./firma-ca/" is CWD-relative and would diverge when
+    // firma run's CWD differs from the marker dir.
+    override_ca_dir(&mut value, req.out_path)?;
     if let Some(url) = req.authority_url {
         override_authority_url(&mut value, url)?;
     }
@@ -528,6 +533,27 @@ fn override_sidecar_mode(value: &mut toml::Value, mode: &str) -> Result<(), RunE
     Ok(())
 }
 
+fn override_ca_dir(value: &mut toml::Value, out_path: &Path) -> Result<(), RunError> {
+    let marker_dir = out_path.parent().ok_or_else(|| {
+        RunError::Internal(format!(
+            "cannot resolve marker dir from synthesized config path {}",
+            out_path.display()
+        ))
+    })?;
+    let ca_dir = marker_dir.join("firma-ca");
+    let sidecar = sidecar_table_mut(value)?;
+    let ca_table = sidecar
+        .entry("ca".to_string())
+        .or_insert_with(|| toml::Value::Table(toml::value::Table::new()))
+        .as_table_mut()
+        .ok_or_else(|| RunError::Internal("[sidecar.ca] is not a table".into()))?;
+    ca_table.insert(
+        "dir".to_string(),
+        toml::Value::String(ca_dir.display().to_string()),
+    );
+    Ok(())
+}
+
 /// Default the audit sink to a file at `audit_path` when the template did not
 /// configure one. The per-run sidecar is spawned with a null stdout, so the
 /// default `stdout` audit sink would silently discard every decision and

diff --git a/crates/firma-sidecar/src/config/enforcement.rs b/crates/firma-sidecar/src/config/enforcement.rs
@@ -5,7 +5,7 @@
     reason = "Authority-wired capability manifest support is defined now but not consumed yet"
 )]
 
-use serde::Deserialize;
+use serde::{Deserialize, Serialize};
 
 const VALID_HTTP_METHODS: &[&str] = &[
     "GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "CONNECT",
@@ -130,14 +130,15 @@ impl Default for ConstraintEnforcementConfig {
 // ---------------------------------------------------------------------------
 
 /// A single mapping rule as deserialized from the rules TOML file.
-#[derive(Debug, Clone, Deserialize)]
+#[derive(Debug, Clone, Deserialize, Serialize)]
 pub struct MappingRuleConfig {
     /// HTTP method to match (`None` = any method).
+    #[serde(default, skip_serializing_if = "Option::is_none")]
     pub method: Option<String>,
     /// Host pattern to match (supports `*` wildcard).
     pub host: String,
     /// Path pattern to match (supports `*` wildcard).
-    #[serde(default)]
+    #[serde(default, skip_serializing_if = "Option::is_none")]
     pub path: Option<String>,
     /// Canonical action class this rule maps to.
     pub action_class: String,
@@ -170,7 +171,7 @@ impl MappingRuleConfig {
 }
 
 /// Top-level structure of the mapping rules TOML file.
-#[derive(Debug, Clone, Deserialize)]
+#[derive(Debug, Clone, Default, Deserialize, Serialize)]
 pub struct MappingRulesFile {
     /// Individual mapping rules.
     #[serde(rename = "rules", default)]

diff --git a/crates/firma/Cargo.toml b/crates/firma/Cargo.toml
@@ -55,10 +55,18 @@ nix = { workspace = true }
 windows-sys = { workspace = true }
 
 [dev-dependencies]
+fs-err = { workspace = true }
+insta = { workspace = true }
 pretty_assertions = { workspace = true }
 rand = { workspace = true }
+serde_repr = { workspace = true }
 strum = { workspace = true, features = ["derive"] }
 tempfile = { workspace = true }
+wiremock = { workspace = true }
 
 [target.'cfg(unix)'.dev-dependencies]
 nix = { workspace = true }
+
+[[test]]
+name = "e2e"
+path = "../../tests/e2e/main.rs"
diff --git a/crates/firma/src/services/config.rs b/crates/firma/src/services/config.rs
@@ -1494,8 +1494,8 @@ mod tests {
         assert!(
             rules
                 .iter()
-                .any(|r| r.host == "api.openai.com" && r.method.as_deref() == Some("CONNECT")),
-            "expected api.openai.com:443 CONNECT rule"
+                .any(|r| r.host == "*.openai.com" && r.method.as_deref() == Some("CONNECT")),
+            "expected *.openai.com:443 CONNECT rule"
         );
     }
 

diff --git a/crates/firma/src/services/run.rs b/crates/firma/src/services/run.rs
@@ -78,7 +78,7 @@ pub fn run(args: RunArgs) -> anyhow::Result<ExitCode> {
         command: args.command,
         authority_cli,
         authority_profile: args.authority_profile,
-        user_config_path: None,
+        user_config_path: args.config.clone(),
         allow_non_structural: args.allow_non_structural,
         monitor_mode: args.monitor,
     };

diff --git a/crates/firma/templates/mappings/openai.toml b/crates/firma/templates/mappings/openai.toml
@@ -1,23 +1,35 @@
 # OpenAI API mapping.
 # Tunnels through without MITM; the LLM SDK does not need to trust firma-ca.
 
+# API-key traffic (api.openai.com, etc.) — single-label wildcard.
 [[rules]]
 method = "CONNECT"
-host = "api.openai.com"
+host = "*.openai.com"
 action_class = "communication.external.send"
 
 [[rules]]
 method = "CONNECT"
 host = "chatgpt.com"
 action_class = "communication.external.send"
 
+# Subdomains (ab.chatgpt.com, etc.) — single-label wildcard.
+[[rules]]
+method = "CONNECT"
+host = "*.chatgpt.com"
+action_class = "communication.external.send"
+
 # REST fallback (plain HTTP proxy or post-MITM).
 [[rules]]
-host = "api.openai.com"
+host = "*.openai.com"
 path = "*"
 action_class = "communication.external.send"
 
 [[rules]]
 host = "chatgpt.com"
 path = "*"
 action_class = "communication.external.send"
+
+[[rules]]
+host = "*.chatgpt.com"
+path = "*"
+action_class = "communication.external.send"
diff --git a/justfile b/justfile
@@ -35,6 +35,9 @@ test:
 build:
   cargo build --all-features --all-targets
 
+e2e:
+  cargo nextest run -p firma --test e2e --run-ignored all
+
 audit:
   cargo audit --deny warnings
-Original file line number
+Diff line change
@@ Expand Up / @@ -35,6 +35,9 @@ test: @@
     build:
       cargo build --all-features --all-targets
+    e2e:
+      cargo nextest run -p firma --test e2e --run-ignored all
     audit:
       cargo audit --deny warnings
@@ Expand Down @@