
fix(interceptor): remove trusted-agent verification bypass to prevent false cryptographic endorsement (closes #5) #20

Merged: Rahul Dass (rahuldass19) merged 4 commits into main from fix/issue-5-remove-trusted-bypass on May 24, 2026
Conversation

@rahuldass19 Rahul Dass (rahuldass19) commented May 23, 2026


Summary

This PR fixes critical trust-boundary issue #5 by removing the trusted-agent short-circuit in the interceptor.

Previously, if sender_agent_id was listed in trusted_agents, the interceptor returned early with:

  • status=FORWARDED
  • engine_used="bypass"
  • signed attestation JWT

That behavior skipped all verification engines and could produce false cryptographic confidence.

This PR removes that bypass so trusted agents still pass through the normal verification pipeline.

Closes #5.

Changes

  • Removed trusted-agent early return from A2AVerificationInterceptor.intercept()
    • File: src/qwed_a2a/interceptor.py
  • Updated trust integration tests
    • File: tests/test_interceptor.py
    • Replaced old bypass test with test_trusted_agent_no_longer_bypasses_verification
    • Added regression test test_trusted_agent_financial_fraud_is_blocked

Behavioral Impact

Before

Trusted sender could skip verification entirely and still get FORWARDED + JWT.

After

Trusted sender must still pass relevant verification engine checks.

  • Fraudulent financial payload from trusted sender is now blocked by finance_guard.
  • engine="bypass" path removed from interceptor behavior.

Verification

Executed:

pytest -q tests/test_interceptor.py tests/test_crypto_signing.py tests/test_schemas.py

Result:

  • 30 passed

Notes

This PR intentionally focuses only on #5 (trusted-agent bypass removal) to keep blast radius controlled and review straightforward. Other semantic/fail-closed issues remain tracked in separate issues.

Summary by CodeRabbit

  • Bug Fixes
    • Removed trusted agents allowlist bypass. All messages now consistently route through the verification engine.
    • Ensured financial hallucination detection applies uniformly across all message sources.


Rahul Dass (rahuldass19) added the labels bug, fail-closed and p0 on May 23, 2026
coderabbitai Bot commented May 23, 2026




📥 Commits

Reviewing files that changed from the base of the PR and between 29934a9 and 20d18bc.

📒 Files selected for processing (2)
  • pyproject.toml
  • tests/test_endpoints.py
Walkthrough

The PR removes a critical security bypass in the A2A verification interceptor that allowed trusted agents to skip the entire verification pipeline. Trusted agents now route through verification engines like all other senders, and fraud detection remains active regardless of sender trust status.

Changes

Trusted Agent Bypass Removal

Layer: Interceptor bypass removal and verification pipeline restoration
File(s): src/qwed_a2a/interceptor.py
Summary: Step 2 "trusted agents allowlist bypass" block removed entirely. Messages now proceed to verification-engine routing after trust-boundary enforcement, eliminating the short-circuit that returned FORWARDED verdicts without running verification. Step order comments adjusted to reflect the flow.

Layer: Test coverage for trusted-agent verification routing and fraud detection
File(s): tests/test_interceptor.py
Summary: Test suite updated: trusted agents with general messages now route through the passthrough engine and receive FORWARDED verdicts. New integration test validates that trusted agents sending financial hallucination-laden messages are blocked by finance_guard, confirming fraud detection applies to all senders.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • QWED-AI/qwed-a2a#3: Both PRs touch the interceptor's trust and trusted-agent handling, including trusted-agent bypass/routing logic and corresponding tests, forming a direct code-path relationship.


Pre-merge checks: 5 passed

Description Check: Passed. Check skipped, since CodeRabbit's high-level summary is enabled.
Title check: Passed. The title accurately describes the main change: removing the trusted-agent verification bypass from the interceptor to prevent false cryptographic endorsement.
Linked Issues check: Passed. The PR successfully implements all key objectives from issue #5: removes the trusted-agent bypass, eliminates engine='bypass' verdicts, ensures verification engines run for trusted agents, and adds regression tests confirming fraudulent payloads are blocked.
Out of Scope Changes check: Passed. All changes are scoped to removing the trusted-agent bypass as required by issue #5; no unrelated modifications or new features introduced.
Docstring Coverage: Passed. Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.


Covers:
- _load_trusted_agents(): env var parsing, empty entries, whitespace
- get_interceptor(): singleton pattern, thread-safe creation
- configure_interceptor(): atomic swap
- GET /a2a/health: 200, correct fields
- GET /a2a/metrics: 200, dict response
- POST /a2a/intercept: 200, verdict fields, financial forward,
  422 on bad payload, 503 on RuntimeError, 500 on unexpected error

Overall coverage: 75% -> 89%
httpx is required by FastAPI's TestClient (via starlette).
pytest-cov is required for coverage reporting in CI.
Both were installed manually in CI steps but missing from
[project.optional-dependencies.dev] — causing failures on
clean pip install -e '.[dev]'.
@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package           Diff   Supply Chain Security  Vulnerability  Quality  Maintenance  License
pytest-cov@7.1.0  Added  100                    100            100      100          100
httpx@0.28.1      Added  100                    100            100      100          100


@rahuldass19 Rahul Dass (rahuldass19) merged commit 4a6b26a into main May 24, 2026
16 checks passed

Successfully merging this pull request may close these issues.

fix(interceptor): trusted-agent bypass skips all verification — produces false cryptographic endorsement
