Add channel remote safety gate #1768

Merged: tpae merged 1 commit into osaurus-ai:main from mimeding:codex/channel-remote-safety-policy on Jul 1, 2026

@mimeding (Contributor)

Summary

Adds a provider-neutral remote safety layer for Agent Channels before live Discord, Slack, Telegram, or JSON adapters dispatch into an agent loop.

What changed

  • Added ChannelRemoteSafetyPolicy and ChannelRemoteSafetyGate.shared for remote receive/reply/Computer Use handoff flows.
  • Added a service-produced ChannelVerifiedReplyTokenValidation wrapper so remote safety requests use reply-token validations produced by ChannelReplyTokenService.
  • Re-checks accepted token payload identity, purpose, action, write-gate generation, issue time, expiry, and in-process replay state before allowing dangerous remote actions.
  • Requires stable task ids for remote Computer Use starts, limits active tasks per channel identity, supports explicit task finish, and prunes stale in-memory state.
  • Rate-limits authorized remote actions per normalized channel identity without burning accepted proof on later rate/task denials.
  • Wraps inbound channel text as untrusted JSON-framed content and sanitizes channel-returned result text so credentials, reply tokens, and oversized payloads are not echoed into shared rooms.
  • Updates channel docs with the required token-service-then-gate integration order and makes clear this helper is opt-in until adapters call it.

Validation

  • git diff --check
  • swiftlint lint --quiet Packages/OsaurusCore/Models/Channels/ChannelRemoteSafetyPolicy.swift Packages/OsaurusCore/Services/Channels/ChannelRemoteSafetyGate.swift Packages/OsaurusCore/Services/Channels/ChannelReplyTokenService.swift Packages/OsaurusCore/Tests/Channels/ChannelRemoteSafetyGateTests.swift
  • OSAURUS_DISABLE_KEYCHAIN_FOR_TESTS=1 OSAURUS_TEST_ROOT=/tmp/osaurus-channel-remote-safety swift test --package-path Packages/OsaurusCore --filter ChannelRemoteSafetyGateTests
  • OSAURUS_DISABLE_KEYCHAIN_FOR_TESTS=1 OSAURUS_TEST_ROOT=/tmp/osaurus-channel-security swift test --package-path Packages/OsaurusCore --filter ChannelSecurityTests
  • OSAURUS_DISABLE_KEYCHAIN_FOR_TESTS=1 OSAURUS_TEST_ROOT=/tmp/osaurus-channel-substrate swift test --package-path Packages/OsaurusCore --filter AgentChannelAsyncSubstrateTests
  • OSAURUS_TEST_ROOT=/tmp/osaurus-channel-remote-safety-keychain swift test --package-path Packages/OsaurusCore --filter AgentManagerLifecycleNotificationTests/deleteSweepsPerAgentKeychainSecrets

Notes

  • This is a helper-layer PR. No live adapter is protected until it explicitly invokes ChannelRemoteSafetyGate.shared.
  • Full local make test with Keychain disabled hit the expected keychain-specific lifecycle failure; the isolated keychain test passed without the disabled-keychain flag.
  • A canonical full local make test pass was started without the disabled-keychain flag but was interrupted after a prolonged local stall, so this draft does not claim full local-suite green evidence yet.

@mimeding mimeding marked this pull request as ready for review June 30, 2026 18:10
@tpae tpae merged commit 5d3c242 into osaurus-ai:main Jul 1, 2026
5 checks passed
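
The ordering behind "without burning accepted proof on later rate/task denials", sketched as an added example that is not code from this PR: every check runs read-only, and the token is marked consumed only once the action is allowed. All types and names here (RemoteGate, VerifiedToken, Decision, the limits and the sample identities) are hypothetical and are not the ChannelRemoteSafetyGate API.

```swift
import Foundation

// Hypothetical types for illustration; not the osaurus ChannelRemoteSafetyGate API.
struct VerifiedToken {
    let id: String          // unique per issued reply token
    let identity: String    // normalized channel identity the token was issued to
    let expiresAt: Date
}

enum Decision { case allowed, wrongIdentity, expired, replayed, rateLimited, tooManyTasks }

final class RemoteGate {
    private var consumed = Set<String>()             // in-process replay state
    private var actions: [String: [Date]] = [:]      // identity -> recent allowed actions
    private var tasks: [String: Set<String>] = [:]   // identity -> active task ids
    private let maxActions = 2, maxTasks = 1         // assumed limits
    private let window: TimeInterval = 60

    func start(taskID: String, from rawIdentity: String, token: VerifiedToken, now: Date) -> Decision {
        let identity = rawIdentity.trimmingCharacters(in: .whitespacesAndNewlines).lowercased()
        // Phase 1: read-only checks. A denial here mutates no state.
        guard token.identity == identity else { return .wrongIdentity }
        guard now < token.expiresAt else { return .expired }
        guard !consumed.contains(token.id) else { return .replayed }
        let recent = (actions[identity] ?? []).filter { now.timeIntervalSince($0) < window }
        guard recent.count < maxActions else { return .rateLimited }
        guard (tasks[identity] ?? []).count < maxTasks else { return .tooManyTasks }
        // Phase 2: commit. Only an allowed action consumes the token and a rate slot.
        consumed.insert(token.id)
        actions[identity] = recent + [now]
        tasks[identity, default: []].insert(taskID)
        return .allowed
    }

    func finish(taskID: String, identity: String) { tasks[identity]?.remove(taskID) }
}

// Constructed scenario: a start hits the task cap, then the same token is retried.
let gate = RemoteGate()
let t0 = Date(timeIntervalSince1970: 1_000)
let later = t0.addingTimeInterval(300)
let first = VerifiedToken(id: "tok-1", identity: "discord:alice", expiresAt: later)
let second = VerifiedToken(id: "tok-2", identity: "discord:alice", expiresAt: later)
print(gate.start(taskID: "task-a", from: " Discord:Alice ", token: first, now: t0))
print(gate.start(taskID: "task-b", from: "discord:alice", token: second, now: t0))
gate.finish(taskID: "task-a", identity: "discord:alice")
print(gate.start(taskID: "task-b", from: "discord:alice", token: second, now: t0))
print(gate.start(taskID: "task-c", from: "discord:alice", token: second, now: t0))
```

In the constructed run, the start denied by the task cap leaves tok-2 unconsumed, so the retry after finish is accepted; only the later reuse of tok-2 is rejected as a replay.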