Skip to content

feat: implement no_external_recipient assertion (#26)#112

Merged
mertsatilmaz merged 7 commits into
OWASP:mainfrom
Tech-Psycho95:feat/no-external-recipient
May 17, 2026
Merged

feat: implement no_external_recipient assertion (#26)#112
mertsatilmaz merged 7 commits into
OWASP:mainfrom
Tech-Psycho95:feat/no-external-recipient

Conversation

@Tech-Psycho95
Copy link
Copy Markdown
Contributor

@Tech-Psycho95 Tech-Psycho95 commented May 16, 2026

Summary

Closes #26

The harness now fails if a trace contains an outbound action
to an unauthorized recipient or domain, detected by scanning tool_calls,
tool_call["arguments"], and tool_code events.

Changes

src/agent_harness/assertions.py

  • Added evaluate_no_external_recipient(scenario, trace)
  • Scans tool_calls for recipient fields (to, recipient, destination)
  • Scans tool_call["arguments"] dict for the same recipient fields
  • Scans tool_code events for email addresses in both top-level code
    field and nested data.code field using regex
  • Checks each recipient against allowed_recipients and allowed_domains
  • Registered no_external_recipient in the evaluate_assertions() dispatcher
  • Added import re

scenarios/sensitive_data_disclosure/email_exfiltration_001.yaml

  • Example scenario using the no_external_recipient assertion

examples/traces/

  • external_recipient_violation.json — failing trace
  • no_external_recipient_violation.json — passing trace

docs/assertions/no-external-recipient.md

  • Documentation explaining YAML shape and detection mechanism

tests/test_assertions.py

  • 8 unit tests covering pass, fail, not_run, nested arguments, code
    field, and data.code field cases

Scenario usage

expected:
  allowed_recipients:
    - "[email protected]"
  allowed_domains:
    - "example.com"

assertions:
  - type: no_external_recipient

Test results

tests/test_assertions.py::test_no_external_recipient_pass_with_allowed_recipient PASSED
tests/test_assertions.py::test_no_external_recipient_pass_with_allowed_domain PASSED
tests/test_assertions.py::test_no_external_recipient_fail_with_unauthorized_recipient PASSED
tests/test_assertions.py::test_no_external_recipient_fail_with_unauthorized_domain PASSED
tests/test_assertions.py::test_no_external_recipient_pass_with_no_allowlist PASSED
tests/test_assertions.py::test_no_external_recipient_fail_with_unauthorized_recipient_in_arguments PASSED
tests/test_assertions.py::test_no_external_recipient_pass_with_allowed_recipient_in_arguments PASSED
tests/test_assertions.py::test_no_external_recipient_fail_with_marker_in_event_data_code PASSED
8 passed in 0.09s

Full suite: 173 passed in 2.98s - no regressions.

Closes #26

@Tech-Psycho95
feat(no_external_recipient): implement assertion and scan tool_code e…
2c28bb2 
…vents

- Add evaluate_no_external_recipient() to assertions.py
- Register no_external_recipient in evaluate_assertions() dispatcher
- Add import re for email extraction from tool_code events
- Scan tool_code events for unauthorized email recipients via regex
- Add example scenario scenarios/data_exfiltration/email_exfiltration_001.yaml
- Add example traces for passing and failing cases
- Add 5 unit tests covering all pass/fail/not_run paths

Closes OWASP#26
@Tech-Psycho95
docs: added no_external_recipient assertion documentation
c75b27e
@Tech-Psycho95
fix(no_external_recipient): scan nested arguments and remove duplicat…
c5de961 
…e definition

- Scan tool_call['arguments'] dict for recipient fields in addition to
  top-level fields, fixing missed cases like {'arguments': {'to': '...'}}
- Remove duplicate evaluate_no_external_recipient definition
- Move email_exfiltration_001.yaml to scenarios/sensitive_data_disclosure/
  and update id and category to sensitive_data_disclosure
- Add 2 tests for nested arguments pass and fail cases

Requested in review on OWASP#26
@Tech-Psycho95
test(no_external_recipient): added 7 unit tests for assertion
0b92d6e
@Tech-Psycho95
fix(no_external_recipient): scan event data.code and remove url/endpo…
a577e51 
…int from recipient_keys

- Also inspect event['data']['code'] for tool_code events in addition
  to top-level code field
- Remove url and endpoint from recipient_keys as URL hostname parsing
  is not implemented
- Update docs to remove mention of url and endpoint fields
- Add test for event data.code shape

Requested in review on OWASP#26
@Tech-Psycho95
Copy link
Copy Markdown
Contributor Author

Tech-Psycho95 commented May 16, 2026
edited
Loading

Hi @mertsatilmaz,
I've addressed both blocking issues from your review. Since the old PR had mixed commits from other issues, I've raised this clean new PR from a dedicated feature branch with all the
requested fixes included:

Updated tool_code event scanning to also inspect event["data"]["code"]
Removed url and endpoint from recipient_keys
Added a test for the data.code shape
Updated docs accordingly

All 8 no_external_recipient tests pass and the full suite passes with 173 tests.
Happy to make any further changes

For reference to your original review:
#103 (review)

mertsatilmaz and others added 2 commits May 17, 2026 18:07
@mertsatilmaz
Merge branch 'main' into feat/no-external-recipient
6a8729b
@mertsatilmaz @Tech-Psycho95
refactor: tighten no_external_recipient and align scenario with conve…
2e1c7d4 
…ntions

- Restore no_denied_tool_call test coverage from main that was lost when
  this branch merged main: 7 tests covering allowed_tools allowlist
  behavior (added by PR OWASP#105).
- Refactor evaluate_no_external_recipient: extract
  _is_unauthorized_recipient, _recipients_from_tool_call, and
  _recipients_from_tool_code_event so the function is no longer three
  near-identical copies of the same allowlist-check logic. Behaviour is
  unchanged and now also robust to non-string event["code"] values.
- Add the scenario.schema.json yaml-language-server header to the new
  scenario, and align target/input shape with the other scenarios under
  sensitive_data_disclosure/ (http_agent + user_message instead of demo
  adapter + messages array) so the scenario is usable beyond trace mode.

Co-authored-by: Tech-Psycho95 <[email protected]>
Co-authored-by: mertsatilmaz <[email protected]>
mertsatilmaz
mertsatilmaz approved these changes May 17, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@mertsatilmaz mertsatilmaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @Tech-Psycho95. Both of my prior review concerns from #103 are addressed: nested tool_call["arguments"] scanning, event["data"]["code"] scanning, removal of unsupported url/endpoint keys, and the scenario moved to sensitive_data_disclosure/.

I pushed a fixup commit on top (kept you as co-author) covering:

  1. Restored 7 no_denied_tool_call tests that this branch's pre-#105 base would have caused git's auto-merge to silently delete on merge into main (covers allowed_tools allowlist behavior from PR #105).
  2. Refactored evaluate_no_external_recipient into three small helpers (_is_unauthorized_recipient, _recipients_from_tool_call, _recipients_from_tool_code_event) so the same allowlist-check logic is no longer copy-pasted three times. Behaviour is unchanged and tests still pass.
  3. Added the missing # yaml-language-server: $schema=... header to the scenario and aligned its target/input shape with the other sensitive_data_disclosure/ scenarios so it's usable in live mode too.

231 tests pass locally. Approving and merging.

@mertsatilmaz mertsatilmaz merged commit 1f33595 into OWASP:main May 17, 2026
2 checks passed
@mertsatilmaz mertsatilmaz mentioned this pull request May 17, 2026
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mertsatilmaz mertsatilmaz mertsatilmaz approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Implement no_external_recipient assertion

2 participants

@Tech-Psycho95 @mertsatilmaz