Skip to content

feat(rust-sdk): add conflict resolution, trust decay, audit export#582

Merged
imran-siddique merged 2 commits intomicrosoft:mainfrom
imran-siddique:feat/rust-sdk-parity
Mar 29, 2026
Merged

feat(rust-sdk): add conflict resolution, trust decay, audit export#582
imran-siddique merged 2 commits intomicrosoft:mainfrom
imran-siddique:feat/rust-sdk-parity

Conversation

@imran-siddique
Copy link
Copy Markdown
Member

@imran-siddique imran-siddique commented Mar 29, 2026

Addresses #571 #572 #576 - Rust SDK parity. 628 lines, 53 tests passing.

@imran-siddique
feat(rust-sdk): add conflict resolution, trust decay, and audit export
0d88904 
- Policy: ConflictResolutionStrategy enum (DenyOverrides, AllowOverrides,
  PriorityFirstMatch, MostSpecificWins), PolicyScope enum, priority/scope
  fields on PolicyRule, resolve_conflicts() method (microsoft#571)
- Trust: decay_rate config with per-hour exponential decay, last_update
  tracking, verify_peer() challenge-response method (microsoft#572)
- Audit: export_json() serialization, max_entries retention with oldest
  entry eviction (microsoft#576)
- Added Serialize/Deserialize derives on all public types
- 53 unit tests passing

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions bot added agent-mesh agent-mesh package size/XL Extra large PR (500+ lines) labels Mar 29, 2026
github-actions[bot]
github-actions bot reviewed Mar 29, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Agent: code-reviewer

Code Review Feedback for Pull Request: feat(rust-sdk): add conflict resolution, trust decay, audit export

General Observations

The changes introduced in this pull request enhance the Rust SDK by adding features related to conflict resolution, trust decay, and audit export. The implementation appears to be well-structured and includes a comprehensive set of tests. However, there are several areas that require attention regarding security, potential breaking changes, and overall improvements.

Security Concerns

  1. Mutex Locking:

    • The use of unwrap_or_else(|e| e.into_inner()) on the mutex locks can lead to potential data races or deadlocks if the lock is poisoned. It is generally safer to handle the lock poisoning more gracefully.
    • Action: Consider using expect with a clear error message or implement a retry mechanism if the lock is poisoned.
    • Severity: 🔴 CRITICAL

  2. Trust Decay Logic:

    • The decay logic applied in get_trust_score, record_success, and record_failure methods does not account for potential timing issues. If the system clock is manipulated, it could lead to incorrect trust scores.
    • Action: Consider using a monotonic clock for measuring elapsed time instead of relying on the system clock.
    • Severity: 🔴 CRITICAL

  3. Audit Logging:

    • The export_json method in AuditLogger does not handle serialization errors robustly. If serialization fails, it defaults to an empty array, which may hide issues.
    • Action: Log the error or handle it appropriately to ensure that failures in logging are visible.
    • Severity: 🔴 CRITICAL

Potential Breaking Changes

  1. Public API Changes:

    • The addition of new constructors and methods in PolicyEngine and AuditLogger may affect existing consumers of the API, especially if they rely on specific behaviors of the previous versions.
    • Action: Clearly document these changes in the release notes and consider versioning strategies to avoid breaking existing implementations.
    • Severity: 🟡 WARNING

  2. Changes in Policy Rule Structure:

    • The introduction of new fields (priority and scope) in PolicyRule could lead to issues if existing YAML configurations are not updated accordingly.
    • Action: Provide backward compatibility or migration strategies for existing configurations.
    • Severity: 🟡 WARNING

Suggestions for Improvement

  1. Documentation:

    • Ensure that all new methods and changes are well-documented, including examples of usage. This will help users understand the new features and how to implement them correctly.
    • Action: Update the documentation to reflect the changes made in this PR.

  2. Testing:

    • While there are tests for the new features, consider adding edge cases, especially for the trust decay logic and conflict resolution strategies.
    • Action: Implement additional tests that simulate various scenarios, including edge cases for trust score calculations and conflict resolution.

  3. Error Handling:

    • Improve error handling throughout the code, especially in areas where external operations (like file I/O or serialization) are performed.
    • Action: Use Result types to propagate errors instead of panicking or using defaults.

  4. Code Consistency:

    • Ensure consistent use of unwrap and error handling across the codebase. This will improve readability and maintainability.
    • Action: Review the code for consistent error handling practices.

Summary

This pull request introduces valuable features to the Rust SDK, but it also presents several critical security concerns and potential breaking changes that need to be addressed. By implementing the suggested improvements and addressing the flagged issues, the overall robustness and security of the library can be significantly enhanced.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 29, 2026
edited
Loading

🤖 AI Agent: security-scanner — Security Review of PR: `feat(rust-sdk): add conflict resolution, trust decay, audit export`

Security Review of PR: feat(rust-sdk): add conflict resolution, trust decay, audit export

This pull request introduces significant changes to the Rust SDK of the agent-mesh package, including new features for conflict resolution, trust decay, and audit export. Below is a detailed security analysis of the changes, categorized by potential vulnerabilities.

Findings

1. Prompt Injection Defense Bypass

No direct prompt injection vulnerabilities were identified in this PR. The changes primarily focus on the backend logic for audit logging, policy conflict resolution, and trust management. However, the AuditLogger's log method accepts agent_id, action, and decision as inputs, which could potentially be influenced by user-controlled data. If these inputs are used in downstream prompts without sanitization, they could lead to prompt injection vulnerabilities.

  • Risk: 🟡 MEDIUM
  • Attack Vector: If agent_id, action, or decision are used in prompts for an AI model without proper sanitization, an attacker could craft malicious input to manipulate the AI's behavior.
  • Recommendation: Ensure that all user-controlled inputs are sanitized before being used in any downstream AI prompts. Consider implementing a centralized sanitization function for all user inputs.

2. Policy Engine Circumvention

The PolicyEngine now includes a conflict resolution mechanism with multiple strategies (DenyOverrides, AllowOverrides, PriorityFirstMatch, MostSpecificWins). While the implementation appears robust, the default strategy (PriorityFirstMatch) could be exploited if an attacker can inject high-priority rules to override more restrictive policies.

  • Risk: 🟠 HIGH
  • Attack Vector: An attacker with the ability to modify or inject policy rules could exploit the PriorityFirstMatch strategy by adding high-priority rules that allow malicious actions, effectively bypassing stricter policies.
  • Recommendation:
    • Implement strict validation and authentication mechanisms for modifying or adding policy rules.
    • Log all policy changes in the AuditLogger to ensure traceability.
    • Consider adding a mechanism to detect and flag suspicious or conflicting rules during policy updates.

3. Trust Chain Weaknesses

The TrustManager introduces a decay mechanism for trust scores based on elapsed time. While this is a useful feature, there is a potential risk if the last_update timestamp is manipulated or if the system clock is tampered with.

  • Risk: 🟠 HIGH
  • Attack Vector: An attacker could manipulate the last_update timestamp or the system clock to bypass trust decay or artificially inflate trust scores.
  • Recommendation:
    • Use a secure and tamper-proof source of time, such as a trusted NTP server or a monotonic clock.
    • Validate and sanitize the last_update timestamp when loading persisted trust data.
    • Log all trust score changes in the AuditLogger for traceability.

4. Credential Exposure

No hardcoded credentials or sensitive information were found in the code. However, the AuditLogger's export_json method could potentially expose sensitive information if the audit logs contain sensitive data.

  • Risk: 🟡 MEDIUM
  • Attack Vector: If the audit logs contain sensitive information (e.g., agent IDs, actions, or decisions), exporting them as JSON could lead to data leakage.
  • Recommendation:
    • Ensure that sensitive information is redacted or encrypted before being logged.
    • Restrict access to the export_json method to authorized users only.

5. Sandbox Escape

No sandboxing mechanisms are directly implemented or modified in this PR. There is no indication of a sandbox escape vulnerability in the provided changes.

  • Risk: 🔵 LOW

6. Deserialization Attacks

The serde_yaml and serde_json libraries are used for deserialization. While these libraries are generally safe, improper handling of untrusted input could lead to deserialization attacks.

  • Risk: 🟡 MEDIUM
  • Attack Vector: If untrusted YAML or JSON data is deserialized without validation, an attacker could inject malicious payloads to exploit the system.
  • Recommendation:
    • Validate all deserialized data against a strict schema.
    • Use a library or configuration that prevents execution of arbitrary code during deserialization.

7. Race Conditions

The use of Mutex and RwLock for concurrent access to shared state (e.g., AuditLogger.entries and TrustManager.agents) is appropriate. However, there is a potential for Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities if the locks are not held consistently during critical operations.

  • Risk: 🟡 MEDIUM
  • Attack Vector: An attacker could exploit a TOCTOU vulnerability by modifying shared state between the time it is checked and the time it is used.
  • Recommendation:
    • Ensure that locks are held consistently during critical operations.
    • Consider using atomic operations where possible to reduce the risk of race conditions.

8. Supply Chain

The PR does not introduce any new dependencies, so there is no immediate risk of dependency confusion or typosquatting. However, the existing dependencies (serde, serde_yaml, serde_json) should be monitored for vulnerabilities.

  • Risk: 🔵 LOW
  • Recommendation:
    • Use a dependency scanning tool to monitor for vulnerabilities in third-party libraries.
    • Pin dependency versions to avoid unintentional updates to vulnerable versions.

Summary of Findings

Category Risk Description
Prompt Injection Defense Bypass 🟡 MEDIUM Potential risk if user-controlled inputs are used in downstream AI prompts without sanitization.
Policy Engine Circumvention 🟠 HIGH Risk of policy bypass if an attacker can inject high-priority rules under PriorityFirstMatch.
Trust Chain Weaknesses 🟠 HIGH Risk of trust decay manipulation via last_update timestamp or system clock tampering.
Credential Exposure 🟡 MEDIUM Potential data leakage if audit logs contain sensitive information and are exported without redaction.
Sandbox Escape 🔵 LOW No sandboxing mechanisms are directly affected.
Deserialization Attacks 🟡 MEDIUM Risk of unsafe deserialization if untrusted YAML/JSON is processed without validation.
Race Conditions 🟡 MEDIUM Potential TOCTOU vulnerabilities in Mutex and RwLock usage.
Supply Chain 🔵 LOW No new dependencies added, but existing dependencies should be monitored for vulnerabilities.

Recommendations

  1. Prompt Injection Mitigation:

    • Sanitize all user-controlled inputs before using them in downstream AI prompts.

  2. Policy Engine Hardening:

    • Implement strict validation and authentication for policy rule modifications.
    • Log all policy changes in the AuditLogger.
    • Consider adding a mechanism to detect and flag suspicious or conflicting rules.

  3. Trust Decay Security:

    • Use a tamper-proof time source for trust decay calculations.
    • Validate last_update timestamps when loading persisted trust data.
    • Log all trust score changes in the AuditLogger.

  4. Audit Log Security:

    • Redact or encrypt sensitive information in audit logs.
    • Restrict access to the export_json method.

  5. Deserialization Safety:

    • Validate all deserialized data against a strict schema.
    • Ensure that deserialization libraries are configured to prevent arbitrary code execution.

  6. Race Condition Mitigation:

    • Review all Mutex and RwLock usage to ensure locks are held consistently during critical operations.
    • Use atomic operations where feasible.

  7. Supply Chain Monitoring:

    • Regularly scan dependencies for vulnerabilities.
    • Pin dependency versions to prevent unintentional updates.

Overall Risk Assessment

The changes in this PR introduce useful features but also bring potential security risks, particularly in the areas of policy engine circumvention and trust chain weaknesses. These risks should be addressed before merging to ensure the integrity and security of the agent-mesh library.

github-actions[bot]
github-actions bot reviewed Mar 29, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Agent: code-reviewer

Feedback on the Pull Request

🔴 CRITICAL: Security Issues

  1. Audit Log Integrity:

    • The AuditLogger class uses a Mutex<Vec<AuditEntry>> to store audit entries. While the log method calculates a hash for each entry to create a tamper-evident chain, there is no mechanism to ensure the integrity of the log when it is serialized or deserialized. An attacker could modify the serialized log and re-import it without detection. Consider implementing a digital signature or HMAC to ensure the integrity of the log.

  2. Trust Decay Implementation:

    • The apply_decay method is not shown in the diff, but its implementation is critical. If the decay calculation is incorrect or can be bypassed, it could lead to incorrect trust scores, which might allow malicious agents to bypass security mechanisms. Ensure that the decay calculation is thoroughly tested and validated.

  3. Error Handling in JSON Serialization:

    • The export_json method in AuditLogger uses unwrap_or_else to handle serialization errors by returning an empty JSON array ("[]"). This could lead to silent failures and loss of audit data. Instead, consider logging the error and returning a Result<String, Error> to propagate the error to the caller.

  4. Thread Safety:

    • The use of unwrap_or_else(|e| e.into_inner()) for handling poisoned locks in Mutex and RwLock is risky. While it prevents panics, it may lead to undefined behavior if the lock is poisoned due to a panic in another thread. Consider handling poisoned locks more explicitly, such as by logging the error and deciding whether to proceed or abort.

🟡 WARNING: Potential Breaking Changes

  1. Conflict Resolution Strategy:

    • The addition of the ConflictResolutionStrategy and its integration into the PolicyEngine introduces a new behavior for resolving policy conflicts. While the default strategy (PriorityFirstMatch) is backward-compatible, any existing users of the library relying on implicit conflict resolution behavior may experience unexpected results. Ensure this change is well-documented in the release notes.

  2. PolicyRule Schema Changes:

    • The PolicyRule struct now includes new fields: priority and scope. While these fields have default values, their addition may cause issues for users who rely on strict schema validation or who use custom YAML files that do not include these fields. Ensure that this change is communicated clearly in the documentation and release notes.

💡 Suggestions for Improvement

  1. Audit Log Export:

    • The export_json method currently serializes the entire audit log into a JSON string. For large logs, this could lead to performance issues or memory exhaustion. Consider implementing pagination or streaming for large logs.

  2. Error Handling:

    • Replace all instances of unwrap_or_else(|e| e.into_inner()) with more robust error handling. For example, log the error and decide whether to abort or proceed with a fallback mechanism.

  3. Test Coverage:

    • While the test coverage for the new features is comprehensive, consider adding tests for edge cases, such as:
      • Very large audit logs and their serialization.
      • Extreme values for trust decay (e.g., decay_rate set to 0.0 or 1.0).
      • Concurrent access to AuditLogger and TrustManager to ensure thread safety.

  4. Documentation:

    • Update the documentation to reflect the new features and changes, including:
      • The new ConflictResolutionStrategy and its impact on policy evaluation.
      • The new priority and scope fields in PolicyRule.
      • The trust decay mechanism and how it works.

  5. Performance Considerations:

    • The resolve_conflicts method sorts the candidate decisions for each strategy. For large numbers of candidates, this could become a performance bottleneck. Consider optimizing the sorting logic or limiting the number of candidates evaluated.

  6. Default Behavior for Empty Conflict Resolution:

    • The resolve_conflicts method defaults to PolicyDecision::Allow when no candidates are provided. This may not be the most secure default behavior. Consider making this configurable or defaulting to a more restrictive decision like Deny.

  7. Serialization and Deserialization:

    • The TrustConfig and AgentState structs now derive Serialize and Deserialize. Ensure that sensitive fields (e.g., score, last_update) are appropriately protected during serialization and deserialization to prevent tampering or leakage.

  8. Logging:

    • Add logging to critical operations, such as conflict resolution, trust score updates, and audit log modifications. This will help in debugging and monitoring the system.

  9. Documentation for New Features:

    • Provide examples in the documentation for using the new ConflictResolutionStrategy and AuditLogger features. This will help users understand how to integrate these features into their workflows.

Summary

  • The PR introduces valuable features like conflict resolution strategies, trust decay, and audit log export. However, there are critical security concerns related to audit log integrity and thread safety that need to be addressed before merging.
  • Potential breaking changes should be documented clearly in the release notes to avoid unexpected issues for existing users.
  • Additional tests and documentation updates are recommended to ensure robustness and ease of use.

Recommended Actions

  1. Address the critical security issues related to audit log integrity and thread safety.
  2. Review and test the apply_decay method for correctness.
  3. Improve error handling in JSON serialization and lock handling.
  4. Document all new features and changes, including potential breaking changes.
  5. Add tests for edge cases and performance scenarios.
  6. Consider optimizing the conflict resolution logic for large datasets.

Let me know if you need further clarification or assistance!

@imran-siddique imran-siddique merged commit 08bf010 into microsoft:main Mar 29, 2026
48 of 50 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees

No one assigned

Labels

agent-mesh agent-mesh package size/XL Extra large PR (500+ lines)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@imran-siddique