Skip to content

fix(reborn): harden runtime network policy handoff#3165

Merged
serrrfirat merged 1 commit into
nearai:reborn-integrationfrom
serrrfirat:fix/pr3149-network-policy-followup
May 1, 2026
Merged

fix(reborn): harden runtime network policy handoff#3165
serrrfirat merged 1 commit into
nearai:reborn-integrationfrom
serrrfirat:fix/pr3149-network-policy-followup

Conversation

@serrrfirat
Copy link
Copy Markdown
Collaborator

@serrrfirat serrrfirat commented May 1, 2026

Summary

  • remove the stale network_policy field from WasmRuntimeCredentialRequest so credential providers cannot drift from the staged runtime policy handoff
  • add WASM/script/MCP adapter composition coverage through real HostHttpEgressService + NetworkObligationPolicyStore
  • restore staged policy consumption before request validation so one-shot policy handoffs cannot be reused after pre-transport request failures

Verification

  • cargo fmt --check
  • cargo test -p ironclaw_wasm --test wasm_http_adapter_contract
  • cargo test -p ironclaw_host_runtime --test runtime_http_egress_contract
  • cargo check -p ironclaw_host_runtime -p ironclaw_wasm -p ironclaw_scripts -p ironclaw_mcp --all-targets
  • cargo clippy -p ironclaw_host_runtime -p ironclaw_wasm -p ironclaw_scripts -p ironclaw_mcp --all-targets -- -D warnings
  • git diff --check

@github-actions github-actions Bot added size: XS < 10 changed lines (excluding docs) risk: low Changes to docs, tests, or low-risk modules contributor: core 20+ merged PRs labels May 1, 2026
gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request enhances security by reordering network policy retrieval to occur before request validation, ensuring one-shot policies are consumed even if validation fails. It also simplifies the WasmRuntimeCredentialRequest struct by removing the network_policy field and adds comprehensive tests for WASM, Script, and MCP adapters to verify policy consumption. I have no further feedback to provide as the existing review comments were purely explanatory.

@serrrfirat serrrfirat merged commit cfe994b into nearai:reborn-integration May 1, 2026
13 checks passed
This was referenced May 7, 2026
Closed
Merged
@ironclaw-ci ironclaw-ci Bot mentioned this pull request May 8, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

contributor: core 20+ merged PRs risk: low Changes to docs, tests, or low-risk modules size: XS < 10 changed lines (excluding docs)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@serrrfirat