Skip to content

test: add remaining e2e enforcement scenarios#174

Draft
luca-iachini wants to merge 6 commits into
fir-368-e2e-testsfrom
fir-368-integration-tests
Draft

test: add remaining e2e enforcement scenarios#174
luca-iachini wants to merge 6 commits into
fir-368-e2e-testsfrom
fir-368-integration-tests

Conversation

@luca-iachini

@luca-iachini luca-iachini commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds 7 enforcement scenarios on top of the harness from #173:

Scenario What it checks
block_paste_service DENY request to paste/exfil service
block_unlisted_host DENY outbound to host not in allowlist
tool_call_exfil DENY tool call that leaks data externally
direct_tcp_bypass DENY direct TCP bypass attempt (requires bwrap)
fs_read_deny DENY filesystem read outside allowed scope
fs_delete_deny DENY filesystem delete
code_fibonacci ALLOW normal coding task end-to-end

Run

cargo test --test integration_tests -- --include-ignored

@luca-iachini
feat(tests): add remaining e2e enforcement scenarios
4fd2256 
Add 7 scenarios covering the key enforcement policies:
block_paste_service, block_unlisted_host, tool_call_exfil,
direct_tcp_bypass, fs_read_deny, fs_delete_deny, code_fibonacci.
@luca-iachini luca-iachini force-pushed the fir-368-integration-tests branch from 8d0cd33 to 4fd2256 Compare June 19, 2026 08:00
@luca-iachini
fix(run): wrap authority config in [authority] section before spawn
88bfd42 
supervisor writes flat AuthorityConfig TOML; firma authority --config
calls load_section(..., "authority") which expects a section wrapper.
@luca-iachini
fix(run): strip TLS + ephemeral port in resolve_persisted_paths
0c174e3 
Per-run authority always runs plaintext on loopback. User config may
have TLS cert paths and a fixed listen_addr; carrying those into the
spawned process causes FRAME_SIZE_ERROR (h2c client vs TLS server).
Clear tls config and select an ephemeral loopback port up front.
@luca-iachini
fix(run): pin ca.dir to marker dir in synthesized sidecar config
f47d4b9 
Default ca.dir is "./firma-ca/" relative to sidecar CWD (firma run's
CWD). sidecar_trust_env_overrides expects firma-ca.crt at
<marker_dir>/firma-ca/firma-ca.crt. Path mismatch meant the cert was
never found, env vars not injected into agent, agent rejected the
MITM CA with x509 unknown authority.
@luca-iachini
split harness module
ae8f17f
@luca-iachini
fix clippy
e85cd03
@luca-iachini luca-iachini marked this pull request as draft June 19, 2026 17:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@luca-iachini