fix: harden remote extends and resolve CI breakage

Author: bb-connor

crates/clawdstrike/src/engine.rs

@@ -482,10 +482,8 @@ impl HushEngineBuilder {
                 Ok(v) => (v, None),
                 Err(e) => (Vec::new(), Some(e.to_string())),
             };
-        let custom_guards = build_custom_guards_from_policy(
-            &self.policy,
-            self.custom_guard_registry.as_ref(),
-        )?;
+        let custom_guards =
+            build_custom_guards_from_policy(&self.policy, self.custom_guard_registry.as_ref())?;
 
         Ok(HushEngine {
             policy: self.policy,

crates/clawdstrike/src/guards/custom.rs

@@ -50,4 +50,3 @@ impl CustomGuardRegistry {
         factory.build(config)
     }
 }
-

crates/clawdstrike/src/lib.rs

@@ -59,8 +59,8 @@ pub use engine::{GuardReport, HushEngine};
 pub use error::{Error, Result};
 pub use guards::{
     CustomGuardFactory, CustomGuardRegistry, EgressAllowlistGuard, ForbiddenPathGuard, Guard,
-    GuardContext, GuardResult, JailbreakConfig, JailbreakGuard, McpToolGuard,
-    PatchIntegrityGuard, PromptInjectionGuard, SecretLeakGuard, Severity,
+    GuardContext, GuardResult, JailbreakConfig, JailbreakGuard, McpToolGuard, PatchIntegrityGuard,
+    PromptInjectionGuard, SecretLeakGuard, Severity,
 };
 pub use hygiene::{
     detect_prompt_injection, detect_prompt_injection_with_limit, wrap_user_content, DedupeStatus,

crates/clawdstrike/src/policy.rs

@@ -28,10 +28,10 @@ fn default_json_object() -> serde_json::Value {
     serde_json::Value::Object(serde_json::Map::new())
 }
 
-/// Policy-driven custom guard configuration.
+/// Policy-driven custom guard configuration (`policy.custom_guards[]`).
 #[derive(Clone, Debug, PartialEq, Serialize, Deserialize)]
 #[serde(deny_unknown_fields)]
-pub struct CustomGuardSpec {
+pub struct PolicyCustomGuardSpec {
     /// Installed guard id (resolved via `CustomGuardRegistry`).
     pub id: String,
     /// Enable/disable this custom guard.
@@ -167,7 +167,7 @@ pub struct Policy {
     pub guards: GuardConfigs,
     /// Policy-driven custom guards (resolved by runtimes via a registry).
     #[serde(default)]
-    pub custom_guards: Vec<CustomGuardSpec>,
+    pub custom_guards: Vec<PolicyCustomGuardSpec>,
     /// Global settings
     #[serde(default)]
     pub settings: PolicySettings,
@@ -860,15 +860,18 @@ impl Policy {
     }
 }
 
-fn merge_custom_guards(base: &[CustomGuardSpec], child: &[CustomGuardSpec]) -> Vec<CustomGuardSpec> {
+fn merge_custom_guards(
+    base: &[PolicyCustomGuardSpec],
+    child: &[PolicyCustomGuardSpec],
+) -> Vec<PolicyCustomGuardSpec> {
     if child.is_empty() {
         return base.to_vec();
     }
     if base.is_empty() {
         return child.to_vec();
     }
 
-    let mut out: Vec<CustomGuardSpec> = base.to_vec();
+    let mut out: Vec<PolicyCustomGuardSpec> = base.to_vec();
     let mut index: std::collections::HashMap<String, usize> = std::collections::HashMap::new();
     for (i, cg) in out.iter().enumerate() {
         index.insert(cg.id.clone(), i);

crates/clawdstrike/tests/policy_extends.rs

@@ -2,8 +2,8 @@
 
 #![allow(clippy::expect_used, clippy::unwrap_used)]
 
-use clawdstrike::Policy;
 use clawdstrike::policy::{PolicyLocation, PolicyResolver, ResolvedPolicySource};
+use clawdstrike::Policy;
 use std::fs;
 use tempfile::TempDir;
 
@@ -250,7 +250,11 @@ fn test_policy_extends_resolver_detects_cycles_across_non_file_keys() {
     }
 
     impl PolicyResolver for MapResolver {
-        fn resolve(&self, reference: &str, _from: &PolicyLocation) -> clawdstrike::Result<ResolvedPolicySource> {
+        fn resolve(
+            &self,
+            reference: &str,
+            _from: &PolicyLocation,
+        ) -> clawdstrike::Result<ResolvedPolicySource> {
             let yaml = self.policies.get(reference).cloned().ok_or_else(|| {
                 clawdstrike::Error::ConfigError(format!("Unknown policy ref: {}", reference))
             })?;

crates/clawdstrike/tests/threat_intel_guards.rs

@@ -63,7 +63,7 @@ async fn virustotal_file_hash_denies_and_caches() {
     std::env::set_var("VT_BASE_URL_TEST", format!("{}/api/v3", base));
 
     let yaml = r#"
-version: "1.0.0"
+version: "1.1.0"
 name: "ti"
 guards:
   custom:
@@ -118,7 +118,7 @@ async fn safe_browsing_denies_on_match() {
     std::env::set_var("GSB_BASE_URL_TEST", format!("{}/v4", base));
 
     let yaml = r#"
-version: "1.0.0"
+version: "1.1.0"
 name: "ti"
 guards:
   egress_allowlist:
@@ -175,7 +175,7 @@ async fn snyk_denies_on_upgradable_vulns() {
     std::env::set_var("SNYK_BASE_URL_TEST", format!("{}/api/v1", base));
 
     let yaml = r#"
-version: "1.0.0"
+version: "1.1.0"
 name: "ti"
 guards:
   custom:

crates/hush-cli/src/hush_run.rs

@@ -452,13 +452,8 @@ fn load_policy(
     policy: &str,
     remote_extends: &remote_extends::RemoteExtendsConfig,
 ) -> anyhow::Result<LoadedPolicy> {
-    let loaded = policy_diff::load_policy_from_arg(policy, true, remote_extends).map_err(|e| {
-        anyhow::anyhow!(
-            "Failed to load policy {}: {}",
-            e.source,
-            e.message
-        )
-    })?;
+    let loaded = policy_diff::load_policy_from_arg(policy, true, remote_extends)
+        .map_err(|e| anyhow::anyhow!("Failed to load policy {}: {}", e.source, e.message))?;
 
     Ok(loaded)
 }
@@ -475,8 +470,7 @@ fn load_or_create_signer(path: &Path, stderr: &mut dyn Write) -> anyhow::Result<
             let pub_path = PathBuf::from(format!("{}.pub", path.display()));
             let pub_hex = std::fs::read_to_string(&pub_path)
                 .with_context(|| format!("read public key {}", pub_path.display()))?;
-            let public_key =
-                PublicKey::from_hex(pub_hex.trim()).context("parse public key hex")?;
+            let public_key = PublicKey::from_hex(pub_hex.trim()).context("parse public key hex")?;
             return Ok(Box::new(hush_core::TpmSealedSeedSigner::new(
                 public_key, blob,
             )));
@@ -515,9 +509,13 @@ fn load_or_create_signer(path: &Path, stderr: &mut dyn Write) -> anyhow::Result<
 #[derive(Clone, Debug)]
 enum SandboxWrapper {
     None,
-    SandboxExec { profile_path: PathBuf },
+    SandboxExec {
+        profile_path: PathBuf,
+    },
     #[cfg(target_os = "linux")]
-    Bwrap { args: Vec<String> },
+    Bwrap {
+        args: Vec<String>,
+    },
 }
 
 fn maybe_prepare_sandbox(
@@ -693,8 +691,8 @@ async fn start_connect_proxy(
             let outcome = outcome.clone();
 
             tokio::spawn(async move {
-                let _ = handle_connect_proxy_client(socket, engine, context, event_tx, outcome)
-                    .await;
+                let _ =
+                    handle_connect_proxy_client(socket, engine, context, event_tx, outcome).await;
             });
         }
     });
@@ -713,8 +711,7 @@ async fn handle_connect_proxy_client(
         .await
         .context("read proxy request header")?;
 
-    let header_str =
-        std::str::from_utf8(&header).context("proxy request header must be UTF-8")?;
+    let header_str = std::str::from_utf8(&header).context("proxy request header must be UTF-8")?;
     let mut lines = header_str.split("\r\n");
     let request_line = lines
         .next()
@@ -772,9 +769,7 @@ async fn handle_connect_proxy_client(
     if !result.allowed {
         // If we already sent 200 (IP + SNI path), we can only close the tunnel.
         if sni_buf.is_empty() {
-            client
-                .write_all(b"HTTP/1.1 403 Forbidden\r\n\r\n")
-                .await?;
+            client.write_all(b"HTTP/1.1 403 Forbidden\r\n\r\n").await?;
         }
         return Ok(());
     }