Skip to content

feat(prover): add native Rust policy prover with Z3 solver#741

Open
zredlined wants to merge 2 commits intomainfrom
feat/699-policy-prover-rust/zredlined
Open

feat(prover): add native Rust policy prover with Z3 solver#741
zredlined wants to merge 2 commits intomainfrom
feat/699-policy-prover-rust/zredlined

Conversation

@zredlined
Copy link
Copy Markdown
Collaborator

@zredlined zredlined commented Apr 2, 2026

Summary

Native Rust implementation of the OpenShell Policy Prover (OPP) using Z3 SMT solving. Answers two questions about any sandbox policy:

  1. Can data leave this sandbox? — finds exfiltration paths through uninspected (L4-only) endpoints and wire protocol bypasses
  2. Can the agent write despite read-only intent? — finds write operations that bypass read-only policy through binary capabilities and credential scopes

openshell policy prove is now a native CLI command — no Python, no subprocess, no PYTHONPATH.

Supersedes #703 (Python prototype). Closes #699.

Related Issue

Closes #699

Changes

New crate: crates/openshell-prover/

  • model.rs — Z3 constraint model encoding policy rules, binary capabilities, and credential scopes as boolean satisfiability constraints
  • queries.rs — two verification queries (exfiltration, write bypass)
  • policy.rs — policy YAML parser with intent detection, L7 enforcement helpers, workdir modeling
  • registry.rs — binary capability registry (git, curl, node, claude, etc.) loaded from YAML
  • credentials.rs — credential and API capability loading
  • accepted_risks.rs — risk acceptance matching by query + host
  • report.rs — terminal and compact (CI) output
  • finding.rs — finding types and risk levels (HIGH, CRITICAL only)
  • lib.rs — public prove() API + 7 tests

Registry data (crates/openshell-prover/registry/):

  • 9 binary capability descriptors, 1 API descriptor (GitHub)

CLI integration (crates/openshell-cli/src/main.rs):

  • openshell policy prove calls openshell_prover::prove() directly

Dependencies (Cargo.toml):

  • z3 = { version = "0.19", features = ["bundled"] } — self-contained Z3 build

Testing

  • cargo build -p openshell-prover — compiles with Z3 bundled
  • cargo test -p openshell-prover — 7/7 tests pass
  • cargo build -p openshell-cli — CLI compiles
  • End-to-end: openshell policy prove --compact detects exfil + write bypass on test fixture

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • SPDX license headers on all new files

@zredlined
feat(prover): add native Rust policy prover with Z3 solver
8d9167f 
Add openshell-prover crate implementing formal policy verification
using Z3 SMT solving. Answers two questions about any sandbox policy:
"Can data leave?" and "Can the agent write despite read-only intent?"

Native Rust — no Python subprocess, no PYTHONPATH, no uv dependency.
Z3 bundled via z3-sys for self-contained builds.

Replaces the Python prototype from #703.

Closes #699

Signed-off-by: Alexander Watson <zredlined@gmail.com>
@zredlined zredlined self-assigned this Apr 2, 2026
@zredlined zredlined requested a review from a team as a code owner April 2, 2026 20:32
@zredlined
fix(prover): skip L7-write in exfil, write bypass only on read-only i…
6229e4f 
…ntent

Port two fixes from the Python branch:
- Exfil query skips endpoints where L7 is enforced and working
- Write bypass only fires on explicit read-only intent, not L4-only

Signed-off-by: Alexander Watson <zredlined@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@zredlined zredlined

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: Add formal policy verification (OpenShell Policy Prover) to Python SDK

1 participant

@zredlined