Merge branch 'main' into feat/python-sdk-parity

Author: imran-siddique

packages/agent-mesh/sdks/go/audit.go

@@ -1,8 +1,13 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
 package agentmesh
 
 import (
 	"crypto/sha256"
 	"encoding/hex"
+	"encoding/json"
+	"fmt"
 	"sync"
 	"time"
 )
@@ -19,8 +24,9 @@ type AuditEntry struct {
 
 // AuditLogger maintains an append-only hash-chained audit log.
 type AuditLogger struct {
-	mu      sync.Mutex
-	entries []*AuditEntry
+	mu         sync.Mutex
+	entries    []*AuditEntry
+	MaxEntries int
 }
 
 // NewAuditLogger creates an empty AuditLogger.
@@ -29,10 +35,15 @@ func NewAuditLogger() *AuditLogger {
 }
 
 // Log appends a new entry to the audit chain.
+// When MaxEntries is set and exceeded, the oldest entries are evicted.
 func (al *AuditLogger) Log(agentID, action string, decision PolicyDecision) *AuditEntry {
 	al.mu.Lock()
 	defer al.mu.Unlock()
 
+	if al.MaxEntries > 0 && len(al.entries) >= al.MaxEntries {
+		al.entries = al.entries[len(al.entries)-al.MaxEntries+1:]
+	}
+
 	prevHash := ""
 	if len(al.entries) > 0 {
 		prevHash = al.entries[len(al.entries)-1].Hash
@@ -61,7 +72,8 @@ func (al *AuditLogger) Verify() bool {
 			return false
 		}
 		if i == 0 {
-			if entry.PreviousHash != "" {
+			// Allow non-empty PreviousHash when retention eviction is active
+			if al.MaxEntries == 0 && entry.PreviousHash != "" {
 				return false
 			}
 		} else {
@@ -109,3 +121,15 @@ func computeHash(e *AuditEntry) string {
 	h := sha256.Sum256([]byte(data))
 	return hex.EncodeToString(h[:])
 }
+
+// ExportJSON serialises all audit entries to a JSON string.
+func (al *AuditLogger) ExportJSON() (string, error) {
+	al.mu.Lock()
+	defer al.mu.Unlock()
+
+	data, err := json.Marshal(al.entries)
+	if err != nil {
+		return "", fmt.Errorf("marshalling audit entries: %w", err)
+	}
+	return string(data), nil
+}

packages/agent-mesh/sdks/go/audit_test.go

@@ -65,3 +65,51 @@ func TestAuditHashesAreUnique(t *testing.T) {
 		t.Error("different entries should have different hashes")
 	}
 }
+
+func TestExportJSON(t *testing.T) {
+	al := NewAuditLogger()
+	al.Log("agent-1", "read", Allow)
+	al.Log("agent-2", "write", Deny)
+
+	jsonStr, err := al.ExportJSON()
+	if err != nil {
+		t.Fatalf("ExportJSON: %v", err)
+	}
+	if jsonStr == "" {
+		t.Error("ExportJSON returned empty string")
+	}
+	if len(jsonStr) < 10 {
+		t.Error("ExportJSON result too short")
+	}
+}
+
+func TestMaxEntriesRetention(t *testing.T) {
+	al := NewAuditLogger()
+	al.MaxEntries = 3
+
+	al.Log("a1", "action1", Allow)
+	al.Log("a2", "action2", Deny)
+	al.Log("a3", "action3", Allow)
+	al.Log("a4", "action4", Deny)
+
+	entries := al.GetEntries(AuditFilter{})
+	if len(entries) != 3 {
+		t.Errorf("entries after retention = %d, want 3", len(entries))
+	}
+	if entries[0].AgentID != "a2" {
+		t.Errorf("oldest entry agent = %q, want a2", entries[0].AgentID)
+	}
+}
+
+func TestMaxEntriesVerify(t *testing.T) {
+	al := NewAuditLogger()
+	al.MaxEntries = 2
+
+	al.Log("a1", "x", Allow)
+	al.Log("a2", "y", Deny)
+	al.Log("a3", "z", Allow)
+
+	if !al.Verify() {
+		t.Error("chain with retention eviction should still verify")
+	}
+}

packages/agent-mesh/sdks/go/conflict.go

@@ -0,0 +1,92 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package agentmesh
+
+import "strings"
+
+// ConflictResolutionStrategy defines how conflicting policy decisions are resolved.
+type ConflictResolutionStrategy string
+
+const (
+	DenyOverrides      ConflictResolutionStrategy = "deny_overrides"
+	AllowOverrides     ConflictResolutionStrategy = "allow_overrides"
+	PriorityFirstMatch ConflictResolutionStrategy = "priority_first_match"
+	MostSpecificWins   ConflictResolutionStrategy = "most_specific_wins"
+)
+
+// CandidateDecision pairs a matched rule with its resulting decision.
+type CandidateDecision struct {
+	Rule     PolicyRule
+	Decision PolicyDecision
+}
+
+// PolicyConflictResolver resolves conflicts between multiple matching rules.
+type PolicyConflictResolver struct {
+	Strategy ConflictResolutionStrategy
+}
+
+// Resolve returns a single PolicyDecision from a set of candidates using the configured strategy.
+func (r *PolicyConflictResolver) Resolve(candidates []CandidateDecision) PolicyDecision {
+	if len(candidates) == 0 {
+		return Deny
+	}
+
+	switch r.Strategy {
+	case DenyOverrides:
+		for _, c := range candidates {
+			if c.Decision == Deny {
+				return Deny
+			}
+		}
+		return candidates[0].Decision
+
+	case AllowOverrides:
+		for _, c := range candidates {
+			if c.Decision == Allow {
+				return Allow
+			}
+		}
+		return candidates[0].Decision
+
+	case PriorityFirstMatch:
+		best := candidates[0]
+		for _, c := range candidates[1:] {
+			if c.Rule.Priority < best.Rule.Priority {
+				best = c
+			}
+		}
+		return best.Decision
+
+	case MostSpecificWins:
+		best := candidates[0]
+		bestSpec := ruleSpecificity(best)
+		for _, c := range candidates[1:] {
+			s := ruleSpecificity(c)
+			if s > bestSpec {
+				best = c
+				bestSpec = s
+			}
+		}
+		return best.Decision
+
+	default:
+		return candidates[0].Decision
+	}
+}
+
+func ruleSpecificity(c CandidateDecision) int {
+	score := len(c.Rule.Conditions)
+	switch c.Rule.Scope {
+	case Agent:
+		score += 3
+	case Tenant:
+		score += 2
+	case Global:
+		score += 1
+	}
+	if c.Rule.Action != "*" && !strings.HasSuffix(c.Rule.Action, ".*") {
+		score += 2
+	}
+	return score
+}

packages/agent-mesh/sdks/go/conflict_test.go

@@ -0,0 +1,90 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package agentmesh
+
+import "testing"
+
+func TestDenyOverrides(t *testing.T) {
+	r := &PolicyConflictResolver{Strategy: DenyOverrides}
+	candidates := []CandidateDecision{
+		{Rule: PolicyRule{Action: "data.read", Effect: Allow}, Decision: Allow},
+		{Rule: PolicyRule{Action: "data.read", Effect: Deny}, Decision: Deny},
+	}
+	if d := r.Resolve(candidates); d != Deny {
+		t.Errorf("DenyOverrides = %q, want deny", d)
+	}
+}
+
+func TestDenyOverridesAllAllow(t *testing.T) {
+	r := &PolicyConflictResolver{Strategy: DenyOverrides}
+	candidates := []CandidateDecision{
+		{Rule: PolicyRule{Action: "data.read", Effect: Allow}, Decision: Allow},
+		{Rule: PolicyRule{Action: "data.read", Effect: Review}, Decision: Review},
+	}
+	if d := r.Resolve(candidates); d != Allow {
+		t.Errorf("DenyOverrides with no deny = %q, want allow", d)
+	}
+}
+
+func TestAllowOverrides(t *testing.T) {
+	r := &PolicyConflictResolver{Strategy: AllowOverrides}
+	candidates := []CandidateDecision{
+		{Rule: PolicyRule{Action: "data.read", Effect: Deny}, Decision: Deny},
+		{Rule: PolicyRule{Action: "data.read", Effect: Allow}, Decision: Allow},
+	}
+	if d := r.Resolve(candidates); d != Allow {
+		t.Errorf("AllowOverrides = %q, want allow", d)
+	}
+}
+
+func TestAllowOverridesNoneAllow(t *testing.T) {
+	r := &PolicyConflictResolver{Strategy: AllowOverrides}
+	candidates := []CandidateDecision{
+		{Rule: PolicyRule{Action: "data.read", Effect: Deny}, Decision: Deny},
+		{Rule: PolicyRule{Action: "data.read", Effect: Review}, Decision: Review},
+	}
+	if d := r.Resolve(candidates); d != Deny {
+		t.Errorf("AllowOverrides with no allow = %q, want deny", d)
+	}
+}
+
+func TestPriorityFirstMatch(t *testing.T) {
+	r := &PolicyConflictResolver{Strategy: PriorityFirstMatch}
+	candidates := []CandidateDecision{
+		{Rule: PolicyRule{Action: "data.read", Effect: Deny, Priority: 10}, Decision: Deny},
+		{Rule: PolicyRule{Action: "data.read", Effect: Allow, Priority: 1}, Decision: Allow},
+	}
+	if d := r.Resolve(candidates); d != Allow {
+		t.Errorf("PriorityFirstMatch = %q, want allow (priority 1)", d)
+	}
+}
+
+func TestMostSpecificWins(t *testing.T) {
+	r := &PolicyConflictResolver{Strategy: MostSpecificWins}
+	candidates := []CandidateDecision{
+		{
+			Rule:     PolicyRule{Action: "*", Effect: Deny, Scope: Global},
+			Decision: Deny,
+		},
+		{
+			Rule: PolicyRule{
+				Action:     "data.read",
+				Effect:     Allow,
+				Scope:      Agent,
+				Conditions: map[string]interface{}{"role": "admin"},
+			},
+			Decision: Allow,
+		},
+	}
+	if d := r.Resolve(candidates); d != Allow {
+		t.Errorf("MostSpecificWins = %q, want allow (more specific)", d)
+	}
+}
+
+func TestResolveEmptyCandidates(t *testing.T) {
+	r := &PolicyConflictResolver{Strategy: DenyOverrides}
+	if d := r.Resolve(nil); d != Deny {
+		t.Errorf("empty candidates = %q, want deny", d)
+	}
+}