fix: Incomplete Agent Trust Validation in ConfigValidator

bindu/common/protocol/types.py

@@ -1657,6 +1657,61 @@ class AgentTrust(TypedDict):
     allowed_operations: Dict[str, TrustLevel]
 
 
+@pydantic.with_config(ConfigDict(alias_generator=to_camel))
+class AgentTrustConfig(TypedDict):
+    """Agent trust configuration for deployment and validation.
+
+    This TypedDict defines the trust policies and security requirements
+    for agent deployments, ensuring proper verification and hierarchy constraints.
+    """
+
+    identity_provider: NotRequired[IdentityProvider]
+    """The identity provider for the agent (e.g., 'hydra').
+
+    Defaults to 'hydra' if not specified.
+    """
+
+    required_verification_level: Required[TrustLevel]
+    """The minimum required verification level for agent operations.
+
+    Examples: 'admin', 'analyst', 'auditor', 'editor', 'guest', 'manager',
+    'operator', 'super_admin', 'support', 'viewer'
+    """
+
+    allowed_origins: NotRequired[list[str]]
+    """List of allowed domains/origins that can invoke this agent.
+
+    Examples: ['https://example.com', 'https://api.example.com']
+    Wildcard patterns are supported: ['https://*.example.com']
+    If empty, all origins are allowed.
+    """
+
+    max_agent_hierarchy_depth: Required[int]
+    """Maximum nesting depth for agent-to-agent calls.
+
+    Prevents circular dependencies and infinite loops.
+    Value >= 1 is required. Typical value: 5
+    """
+
+    trust_verification_required: NotRequired[bool]
+    """Whether explicit trust verification is required before execution.
+
+    Defaults to False if not specified.
+    """
+
+    certificate_required: NotRequired[bool]
+    """Whether agent certificate is required for security.
+
+    Defaults to False if not specified.
+    """
+
+    metadata: NotRequired[dict[str, Any]]
+    """Additional trust-related metadata.
+
+    Can include custom fields for specific deployment scenarios.
+    """
+
+
 # -----------------------------------------------------------------------------
 # Agent
 # -----------------------------------------------------------------------------
@@ -1945,10 +2000,6 @@ class AgentCard(TypedDict):
 
 agent_card_ta = pydantic.TypeAdapter(AgentCard)
 
-# Rebuild TypeAdapters to resolve forward references
-a2a_request_ta.rebuild()
-a2a_response_ta.rebuild()
-send_message_request_ta.rebuild()
-send_message_response_ta.rebuild()
-stream_message_request_ta.rebuild()
-stream_message_response_ta.rebuild()
+# TypeAdapter in Pydantic 2.x automatically handles forward references
+# No need to manually call rebuild() as in v1.x
+

bindu/penguin/config_validator.py

@@ -9,7 +9,7 @@
 from typing import Any, Dict
 
 from bindu import __version__
-from bindu.common.protocol.types import AgentCapabilities, Skill
+from bindu.common.protocol.types import AgentCapabilities, AgentTrustConfig, Skill, TrustLevel
 
 
 class ConfigValidator:
@@ -267,6 +267,101 @@ def _validate_hydra_config(cls, auth_config: Dict[str, Any]) -> None:
     # Telemetry processing
     # ------------------------------------------------------------------
 
+    @classmethod
+    def _validate_agent_trust_config(cls, trust_config: AgentTrustConfig) -> None:
+        """Validate agent trust configuration.
+
+        Args:
+            trust_config: Agent trust configuration (AgentTrustConfig TypedDict)
+
+        Raises:
+            ValueError: If trust configuration is invalid
+        """
+        if not isinstance(trust_config, dict):
+            raise ValueError("Field 'agent_trust' must be a dictionary")
+
+        # Validate required_verification_level
+        if "required_verification_level" in trust_config:
+            level = trust_config["required_verification_level"]
+            valid_levels = [
+                "admin",
+                "analyst",
+                "auditor",
+                "editor",
+                "guest",
+                "manager",
+                "operator",
+                "super_admin",
+                "support",
+                "viewer",
+            ]
+            if level not in valid_levels:
+                raise ValueError(
+                    f"Invalid required_verification_level: '{level}'. "
+                    f"Must be one of: {', '.join(valid_levels)}"
+                )
+
+        # Validate max_agent_hierarchy_depth
+        if "max_agent_hierarchy_depth" in trust_config:
+            depth = trust_config["max_agent_hierarchy_depth"]
+            if not isinstance(depth, int) or depth < 1:
+                raise ValueError(
+                    f"Invalid max_agent_hierarchy_depth: '{depth}'. "
+                    f"Must be a positive integer (>= 1)"
+                )
+
+        # Validate identity_provider if provided
+        if "identity_provider" in trust_config:
+            provider = trust_config["identity_provider"]
+            if provider not in ["hydra"]:
+                raise ValueError(
+                    f"Invalid identity_provider: '{provider}'. "
+                    f"Supported providers: hydra"
+                )
+
+        # Validate allowed_origins if provided
+        if "allowed_origins" in trust_config:
+            origins = trust_config["allowed_origins"]
+            if not isinstance(origins, list):
+                raise ValueError(
+                    "Field 'allowed_origins' must be a list of strings"
+                )
+            for origin in origins:
+                if not isinstance(origin, str):
+                    raise ValueError(
+                        f"Invalid origin in allowed_origins: {origin}. "
+                        f"All origins must be strings"
+                    )
+                # Validate URL format
+                if not (
+                    origin.startswith("http://")
+                    or origin.startswith("https://")
+                    or "*" in origin
+                ):
+                    raise ValueError(
+                        f"Invalid origin format: '{origin}'. "
+                        f"Expected http:// or https:// URL or wildcard pattern"
+                    )
+
+        # Validate trust_verification_required if provided
+        if "trust_verification_required" in trust_config:
+            if not isinstance(trust_config["trust_verification_required"], bool):
+                raise ValueError(
+                    "Field 'trust_verification_required' must be a boolean"
+                )
+
+        # Validate certificate_required if provided
+        if "certificate_required" in trust_config:
+            if not isinstance(trust_config["certificate_required"], bool):
+                raise ValueError(
+                    "Field 'certificate_required' must be a boolean"
+                )
+
+        # Validate metadata if provided
+        if "metadata" in trust_config:
+            if not isinstance(trust_config["metadata"], dict):
+                raise ValueError("Field 'metadata' must be a dictionary")
+
     @classmethod
     def _process_oltp_config(cls, config: Dict[str, Any]) -> None:
         oltp_endpoint = config.get("oltp_endpoint")