I've implemented all the claim-based security enforcement gap fixes as specified in the plan:

Task 1: Unit Tests ✅
File: jacs/tests/verification_claim_tests.rs (new)
Created 12 new tests:
- test_unverified_allows_relaxed_dns - Verifies unverified agents can use fallback DNS
- test_verified_without_domain_fails - Verifies verified claims need domain
- test_verified_enforces_strict_dns - Verifies strict DNS for verified claims
- test_backward_compat_no_claim - Ensures missing claim = unverified behavior
- test_update_cannot_downgrade_claim - Tests claim level hierarchy and downgrade detection
- test_downgrade_error_is_actionable - Tests error message quality
- test_verified_enforces_strict_tls - Verifies TLS strictness for verified claims
- test_unverified_allows_relaxed_tls - Verifies unverified can use env-var logic
- test_verification_error_is_actionable - Tests error message guidance
- test_hai_verification_error_is_clear - Tests HAI.ai error clarity
- test_claim_hierarchy - Tests complete claim level ordering
- test_allowed_claim_transitions - Tests upgrade/downgrade rules

Task 2: Prevent Downgrade Attacks ✅
File: jacs/src/agent/mod.rs - in update_self() at line 867
Added claim downgrade prevention logic:
- claim_level() helper function mapping claims to security levels (0, 1, 2)
- Check comparing original vs new claim levels
- Returns VerificationClaimFailed error if downgrade attempted

Task 3: TLS Strict by Claim ✅
File: jacs/src/schema/utils.rs
Added should_accept_invalid_certs_for_claim():
- Returns false for verified and verified-hai.ai claims (always strict TLS)
- Falls back to existing should_accept_invalid_certs() for unverified/missing
- Exported via jacs/src/schema/mod.rs for external use

Task 4: DevRel UX - Actionable Errors ✅
File: jacs/src/error.rs
Enhanced VerificationClaimFailed Display implementation:
- Claim-specific fix suggestions
- Domain errors → suggest adding domain or using unverified
- HAI.ai registration errors → suggest registering or using verified
- Downgrade errors → explain security and suggest new agent
- Includes docs link: https://hai.ai/docs/jacs/security#verification-claims
- Added 3 new tests for error message quality

Task 5: Documentation ✅
File: jacs/docs/jacsbook/src/advanced/security.md
Added comprehensive troubleshooting section:
- Common issues and solutions with code examples
- Claim level reference table
- Upgrade vs downgrade rules
- Quick diagnostic commands

Verification
- All 12 new verification claim tests pass
- All 3 new error message tests pass
- All 246 library tests pass (no regressions)
- All 4 DNS policy tests pass
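
The claim rules summarized in the comment above, as an added Rust sketch that is not code from the pull request or the JACS project. `ClaimError`, `check_update`, `accept_invalid_certs_for_claim` and its `fallback` parameter are hypothetical names; `claim_level` borrows its name from the summary, but its body here is an assumption.

```rust
// Added illustration: function names echo the PR summary, bodies are assumptions.
#[derive(Debug, PartialEq)]
pub enum ClaimError {
    Downgrade { from: u8, to: u8 },
    MissingDomain,
}

/// Security level of a claim: 0, 1 or 2. A missing claim is unverified (per the
/// summary); treating an unrecognized string as level 0 is an assumption here.
pub fn claim_level(claim: Option<&str>) -> u8 {
    match claim {
        Some("verified-hai.ai") => 2,
        Some("verified") => 1,
        _ => 0,
    }
}

/// Gate for an agent update: refuse a weaker claim than the stored one, and
/// refuse a verified-level claim without a domain (assumed for both levels).
pub fn check_update(old: Option<&str>, new: Option<&str>, domain: Option<&str>) -> Result<(), ClaimError> {
    let (from, to) = (claim_level(old), claim_level(new));
    if to < from {
        return Err(ClaimError::Downgrade { from, to });
    }
    if to >= 1 && domain.map_or(true, |d| d.trim().is_empty()) {
        return Err(ClaimError::MissingDomain);
    }
    Ok(())
}

/// Verified claims always get strict TLS; only unverified or missing claims
/// defer to the caller's relaxed setting (`fallback`, a stand-in parameter).
pub fn accept_invalid_certs_for_claim(claim: Option<&str>, fallback: bool) -> bool {
    claim_level(claim) == 0 && fallback
}

fn main() {
    // Constructed cases: (stored claim, new claim, domain).
    let cases = [
        (None, Some("verified"), Some("agent.example.com")),
        (Some("verified-hai.ai"), Some("verified"), Some("agent.example.com")),
        (Some("verified"), None, None),
        (None, Some("verified"), None),
    ];
    for (old, new, domain) in cases {
        println!("{:?} -> {:?}: {:?}", old, new, check_update(old, new, domain));
    }
    println!("relaxed TLS for verified: {}", accept_invalid_certs_for_claim(Some("verified"), true));
}
```

Dropping the claim field entirely counts as a move to level 0, so an update that omits the claim on a verified agent is rejected the same way as an explicit downgrade.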
No description provided.