feat: Add SHADI implementation (#2)

* feat: Add SHADI implementation

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* chore: remove issue pr description file

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* ci: install nettle and llvm dependencies

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* ci: fix macos pyo3 linking

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* ci: skip shadi_py tests on macos

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* ci: install openssl for windows

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* ci: use preinstalled vcpkg on windows

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* ci: add pkg-config and nettle on windows

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* chore: add codeowners

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* build: add Windows build and test support

- Add windows-shell to Justfile and windows-build/windows-test recipes
- Fix Win32_Security_Isolation missing feature in shadi_sandbox
- Fix WindowsAclRollback visibility and unused-mut warnings
- Switch sequoia-openpgp to crypto-rust backend on Windows (pure Rust,
  no native deps) with allow-experimental-crypto and
  allow-variable-time-crypto opt-in flags
- Fix test failures on Windows: backslash escaping in path assertions,
  Windows-specific run_cli_executes_allowed_command using where.exe
- Update ci.yml: add windows-latest matrix, taiki-e/install-action for
  just, Swatinem/rust-cache@v2 with cache-on-failure on all platforms
- Add Swatinem/rust-cache@v2 to coverage.yml

Signed-off-by: Luca Muscariello <muscariello@ieee.org>
Signed-off-by: Luca Muscariello (lumuscar) <lumuscar@cisco.com>

* ci: restore OpenSSL env vars for libsqlite3-sys on Windows

libsqlite3-sys (sqlcipher) requires OPENSSL_DIR to compile on Windows
regardless of the sequoia-openpgp crypto backend. Detect pre-installed
OpenSSL on the runner and only fall back to choco if not found.
Auto-detect lib dir (VC\x64\MD vs lib) to handle different installers.

Signed-off-by: Luca Muscariello <muscariello@ieee.org>
Signed-off-by: Luca Muscariello (lumuscar) <lumuscar@cisco.com>

* Add portable launcher profiles and verifiable human-agent identity derivation

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* fix(shadi-py): resolve macOS PyO3 linking and expand root README

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* docs(scripts): update launcher script guide

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* test(shadictl): make profile path assertions cross-platform

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* fix(windows): preserve existing DACL when granting sandbox access

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

---------

Signed-off-by: Luca Muscariello <muscariello@ieee.org>
Signed-off-by: Luca Muscariello (lumuscar) <lumuscar@cisco.com>

Author: muscariello

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @rustaceans

.github/workflows/ci.yml

@@ -0,0 +1,64 @@
+name: CI
+
+on:
+  pull_request:
+
+jobs:
+  build-test:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os:
+          - ubuntu-latest
+          - macos-latest
+          - windows-latest
+    env:
+      PYO3_PYTHON: python
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Rust
+        uses: dtolnay/rust-toolchain@stable
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Restore Rust cache
+        uses: Swatinem/rust-cache@v2
+        with:
+          cache-on-failure: true
+      - name: Install just
+        if: runner.os == 'Windows'
+        uses: taiki-e/install-action@v2
+        with:
+          tool: just
+      - name: Set OpenSSL env vars (Windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          $candidates = @("C:\Program Files\OpenSSL-Win64", "C:\Program Files\OpenSSL", "C:\OpenSSL-Win64")
+          $opensslDir = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
+          if (-not $opensslDir) {
+            choco install openssl -y --no-progress
+            $opensslDir = "C:\Program Files\OpenSSL-Win64"
+          }
+          $libDir = if (Test-Path "$opensslDir\lib\VC\x64\MD") { "$opensslDir\lib\VC\x64\MD" } else { "$opensslDir\lib" }
+          "OPENSSL_DIR=$opensslDir" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          "OPENSSL_LIB_DIR=$libDir" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          "OPENSSL_INCLUDE_DIR=$opensslDir\include" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+      - name: Install Linux dependencies
+        if: runner.os == 'Linux'
+        run: sudo apt-get update && sudo apt-get install -y pkg-config nettle-dev
+      - name: Install macOS dependencies
+        if: runner.os == 'macOS'
+        run: brew install python@3.12 nettle pkg-config
+      - name: Set Python for PyO3 (macOS)
+        if: runner.os == 'macOS'
+        run: echo "PYO3_PYTHON=/opt/homebrew/opt/python@3.12/bin/python3.12" >> "$GITHUB_ENV"
+      - name: Build and test
+        if: runner.os != 'Windows'
+        run: cargo test --workspace
+      - name: Build and test (Windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: just windows-test

.github/workflows/coverage.yml

@@ -0,0 +1,32 @@
+name: Coverage
+
+on:
+  pull_request:
+
+jobs:
+  coverage:
+    runs-on: macos-latest
+    env:
+      PYO3_PYTHON: "/opt/homebrew/opt/python@3.12/bin/python3.12"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Rust
+        uses: dtolnay/rust-toolchain@stable
+      - name: Install Homebrew dependencies
+        run: brew install python@3.12 just llvm nettle pkg-config
+      - name: Restore Rust cache
+        uses: Swatinem/rust-cache@v2
+        with:
+          cache-on-failure: true
+      - name: Install cargo-llvm-cov
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-llvm-cov
+      - name: Generate coverage
+        run: just coverage
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          files: coverage/lcov.info
+          token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/publish.yml

@@ -0,0 +1,29 @@
+name: Publish
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    env:
+      CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Rust
+        uses: dtolnay/rust-toolchain@stable
+      - name: Rust cache
+        uses: Swatinem/rust-cache@v2
+      - name: Publish crates
+        run: |
+          cargo publish -p agent_secrets
+          cargo publish -p shadi_sandbox
+          cargo publish -p shadi_memory
+          cargo publish -p agent_transport_slim
+          cargo publish -p shadi_py
+          cargo publish -p slim_mas
+          cargo publish -p shadictl

.gitignore

@@ -0,0 +1,27 @@
+# Rust
+/target/
+**/*.rs.bk
+
+# Python
+.venv/
+.venv-py312/
+__pycache__/
+**/*.py[cod]
+.adk/
+
+# MkDocs
+/site/
+
+# Coverage
+/coverage/
+
+# Local data
+.tmp/
+tmp/
+*.db
+
+# Editors
+.vscode/
+
+# OS
+.DS_Store