controller: preflight SBPL and surface compile failures

Add a host-side SBPL preflight helper that compiles policy.sbpl_source and emits a JSON envelope with compile status and error details.
Invoke the preflight before launching any runner, fast-fail on compile errors, and include preflight/diagnostic context when XPC startup fails.

Author: Protonk

AGENTS.md

@@ -63,6 +63,7 @@ Documentation should be stateless: describe current behavior without historical
 - Build: `make build` (or `./build.sh`)
   - Requires `IDENTITY` to be set to a **Developer ID Application** identity in your keychain (see `SIGNING.md`).
   - If you are in a sandboxed automation harness, signing/keychain access may fail; ask for approval/escalation and rerun.
+- If you add a helper under `Contents/MacOS`, update the `build.sh` signing list; notarization fails if any embedded tool is left ad hoc-signed.
 - Run: `PolicyWitness.app/Contents/MacOS/policy-witness run tests/fixtures/pw_runner/<request>.json > result.json`
 
 Build knobs worth knowing (debugging/iteration):

SIGNING.md

@@ -31,6 +31,7 @@ Signing is “inside-out”:
 3. Sign the outer `.app` last.
 
 Do not “fix” signing by adding `codesign --deep` to the signing steps. Explicitly sign the known nested binaries and then sign the outer app.
+When you add a new embedded helper under `Contents/MacOS`, add an explicit signing step in `build.sh`. Notarization will fail if any embedded tool remains ad hoc-signed.
 
 ## Evidence artifacts
 

build.sh

@@ -136,10 +136,12 @@ fi
 echo "==> Building Rust controller + tools"
 cargo build --manifest-path "${RUNNER_MANIFEST}" --release \
   --bin policy-witness \
-  --bin sandbox-log-observer
+  --bin sandbox-log-observer \
+  --bin sbpl-preflight
 
 RUNNER_BIN="${ROOT_DIR}/controller/target/release/policy-witness"
 SANDBOX_LOG_OBSERVER_BIN="${ROOT_DIR}/controller/target/release/sandbox-log-observer"
+SBPL_PREFLIGHT_BIN="${ROOT_DIR}/controller/target/release/sbpl-preflight"
 if [[ ! -x "${RUNNER_BIN}" ]]; then
   echo "ERROR: expected policy-witness binary at ${RUNNER_BIN}" 1>&2
   exit 2
@@ -148,6 +150,10 @@ if [[ ! -x "${SANDBOX_LOG_OBSERVER_BIN}" ]]; then
   echo "ERROR: expected sandbox-log-observer binary at ${SANDBOX_LOG_OBSERVER_BIN}" 1>&2
   exit 2
 fi
+if [[ ! -x "${SBPL_PREFLIGHT_BIN}" ]]; then
+  echo "ERROR: expected sbpl-preflight binary at ${SBPL_PREFLIGHT_BIN}" 1>&2
+  exit 2
+fi
 if [[ ! -f "${SB_API_VALIDATOR_SRC}" ]]; then
   echo "ERROR: missing sb_api_validator source at ${SB_API_VALIDATOR_SRC}" 1>&2
   exit 2
@@ -179,6 +185,9 @@ chmod +x "${APP_BUNDLE}/Contents/MacOS/policy-witness"
 cp "${SANDBOX_LOG_OBSERVER_BIN}" "${APP_BUNDLE}/Contents/MacOS/sandbox-log-observer"
 chmod +x "${APP_BUNDLE}/Contents/MacOS/sandbox-log-observer"
 
+cp "${SBPL_PREFLIGHT_BIN}" "${APP_BUNDLE}/Contents/MacOS/sbpl-preflight"
+chmod +x "${APP_BUNDLE}/Contents/MacOS/sbpl-preflight"
+
 cp "${SB_API_VALIDATOR_BIN}" "${APP_BUNDLE}/Contents/MacOS/sb_api_validator"
 chmod +x "${APP_BUNDLE}/Contents/MacOS/sb_api_validator"
 
@@ -297,6 +306,7 @@ sign_macho() {
 echo "==> Codesigning embedded MacOS tools"
 sign_macho "${APP_BUNDLE}/Contents/MacOS/pw-runner-client"
 sign_macho "${APP_BUNDLE}/Contents/MacOS/sandbox-log-observer"
+sign_macho "${APP_BUNDLE}/Contents/MacOS/sbpl-preflight"
 sign_macho "${APP_BUNDLE}/Contents/MacOS/sb_api_validator"
 
 if [[ "${BUILD_XPC}" == "1" ]] && [[ -d "${XPC_SERVICES_DIR}" ]]; then

controller/Cargo.toml

@@ -12,6 +12,10 @@ path = "src/main.rs"
 name = "sandbox-log-observer"
 path = "src/bin/sandbox-log-observer.rs"
 
+[[bin]]
+name = "sbpl-preflight"
+path = "src/bin/sbpl-preflight.rs"
+
 [[test]]
 name = "cli_contract"
 path = "integration/cli_contract.rs"

controller/README.md

@@ -27,6 +27,7 @@ Support modules:
 - `controller/src/plist.rs` — PlistBuddy helpers for Info.plist lookups
 - `controller/src/bundle.rs` — bundle metadata reader for external runners
 - `controller/src/request_patch.rs` — request JSON injection helpers
+- `controller/src/policy_preflight.rs` — SBPL preflight runner wiring
 - `controller/src/utils.rs` — shared time + output helpers
 - `controller/src/evidence.rs` — evidence manifest parsing + verification
 - `controller/src/json_contract.rs` — JSON envelope rendering with sorted keys
@@ -36,6 +37,8 @@ Standalone helper tools (embedded into the `.app`):
 
 - `controller/src/bin/sandbox-log-observer.rs` → `PolicyWitness.app/Contents/MacOS/sandbox-log-observer`
   - Captures unified-log sandbox deny lines by PID + process name
+- `controller/src/bin/sbpl-preflight.rs` → `PolicyWitness.app/Contents/MacOS/sbpl-preflight`
+  - Compiles SBPL policies and reports compiler errors before the runner launches
 - `controller/tools/sb_api_validator/sb_api_validator` → `PolicyWitness.app/Contents/MacOS/sb_api_validator`
   - Direct `sandbox_check` cross-check helper (used by `--sonoma-cross-check`)
 
@@ -76,6 +79,8 @@ The controller prints one JSON envelope to stdout (`kind="run"`). It contains:
 
 - `data.runner_result`: the runner's JSON (if parseable)
 - `data.runner_client`: argv + stdout/stderr + timing for the client call
+- `data.policy_preflight`: SBPL compile report from `sbpl-preflight` (best-effort)
+- `data.runner_startup_diagnostics`: extra context when XPC startup fails
 - `data.sandbox_log_capture`: optional unified-log evidence (best-effort)
 - `data.sonoma_cross_check`: optional `sandbox_check` cross-check report (best-effort)
 - `data.runner_provenance`: runner identity + entitlements metadata

controller/src/bin/sbpl-preflight.rs

@@ -0,0 +1,293 @@
+//! SBPL preflight compiler for host-side diagnostics.
+//!
+//! This tool parses a PolicyWitness request JSON, extracts the SBPL policy,
+//! and runs sandbox_compile_string to catch syntax and parameter errors.
+
+#[path = "../json_contract.rs"]
+#[allow(dead_code)]
+mod json_contract;
+
+use serde::Deserialize;
+use serde::Serialize;
+use sha2::{Digest, Sha256};
+use std::collections::BTreeMap;
+use std::ffi::{CStr, CString};
+use std::os::raw::{c_char, c_int, c_void};
+use std::path::PathBuf;
+
+#[link(name = "sandbox")]
+unsafe extern "C" {
+    fn sandbox_compile_string(
+        profile: *const c_char,
+        params: *const c_void,
+        errorbuf: *mut *mut c_char,
+    ) -> *mut c_void;
+    fn sandbox_free_error(errorbuf: *mut c_char);
+    fn sandbox_free_profile(profile: *mut c_void);
+    fn sandbox_create_params() -> *mut c_void;
+    fn sandbox_set_param(params: *mut c_void, key: *const c_char, value: *const c_char)
+        -> c_int;
+    fn sandbox_free_params(params: *mut c_void);
+}
+
+#[derive(Deserialize)]
+struct PreflightRequest {
+    policy: PreflightPolicy,
+}
+
+#[derive(Deserialize)]
+struct PreflightPolicy {
+    format: String,
+    sbpl_source: Option<String>,
+    params: Option<BTreeMap<String, String>>,
+}
+
+#[derive(Serialize)]
+struct PreflightData {
+    policy_format: String,
+    policy_sha256: Option<String>,
+    params_present: bool,
+    params_count: usize,
+    compiled: bool,
+    compile_error: Option<String>,
+}
+
+fn usage() -> String {
+    "\
+usage:
+  sbpl-preflight --request <request.json>
+
+notes:
+  - reads request.json and compiles policy.sbpl_source
+  - prints a JSON envelope with compile status and error details"
+        .to_string()
+}
+
+fn sha256_hex(data: &str) -> String {
+    let digest = Sha256::digest(data.as_bytes());
+    digest.iter().map(|b| format!("{b:02x}")).collect()
+}
+
+fn compile_sbpl(source: &str, params: Option<&BTreeMap<String, String>>) -> Result<(), String> {
+    let mut param_cstrings: Vec<CString> = Vec::new();
+    let params_obj: *mut c_void = if let Some(params) = params {
+        if params.is_empty() {
+            std::ptr::null_mut()
+        } else {
+            let obj = unsafe { sandbox_create_params() };
+            if obj.is_null() {
+                return Err("sandbox_create_params returned NULL".to_string());
+            }
+            for (key, value) in params.iter() {
+                let key_c = CString::new(key.as_str())
+                    .map_err(|_| format!("invalid param key (NUL): {key}"))?;
+                let value_c = CString::new(value.as_str())
+                    .map_err(|_| format!("invalid param value for {key} (NUL)"))?;
+                let rc = unsafe {
+                    sandbox_set_param(obj, key_c.as_ptr(), value_c.as_ptr())
+                };
+                if rc != 0 {
+                    unsafe { sandbox_free_params(obj) };
+                    return Err(format!("sandbox_set_param failed for {key}: rc={rc}"));
+                }
+                param_cstrings.push(key_c);
+                param_cstrings.push(value_c);
+            }
+            obj
+        }
+    } else {
+        std::ptr::null_mut()
+    };
+
+    let mut err_buf: *mut c_char = std::ptr::null_mut();
+    let profile = unsafe {
+        let cstr = CString::new(source).map_err(|_| "sbpl_source contains NUL".to_string())?;
+        sandbox_compile_string(cstr.as_ptr(), params_obj, &mut err_buf)
+    };
+
+    if !err_buf.is_null() {
+        let message = unsafe {
+            let msg = CStr::from_ptr(err_buf).to_string_lossy().to_string();
+            sandbox_free_error(err_buf);
+            msg
+        };
+        if !profile.is_null() {
+            unsafe { sandbox_free_profile(profile) };
+        }
+        if !params_obj.is_null() {
+            unsafe { sandbox_free_params(params_obj) };
+        }
+        return Err(format!("sandbox_compile_string failed: {message}"));
+    }
+
+    if profile.is_null() {
+        if !params_obj.is_null() {
+            unsafe { sandbox_free_params(params_obj) };
+        }
+        return Err("sandbox_compile_string failed (no profile and no error)".to_string());
+    }
+
+    unsafe { sandbox_free_profile(profile) };
+    if !params_obj.is_null() {
+        unsafe { sandbox_free_params(params_obj) };
+    }
+    Ok(())
+}
+
+fn main() {
+    let args: Vec<String> = std::env::args().skip(1).collect();
+    if args.is_empty() {
+        eprintln!("{}", usage());
+        std::process::exit(2);
+    }
+
+    let mut request_path: Option<PathBuf> = None;
+    let mut idx = 0usize;
+    while idx < args.len() {
+        match args[idx].as_str() {
+            "-h" | "--help" => {
+                println!("{}", usage());
+                return;
+            }
+            "--request" => {
+                if let Some(path) = args.get(idx + 1) {
+                    request_path = Some(PathBuf::from(path));
+                    idx += 2;
+                } else {
+                    eprintln!("missing value for --request");
+                    eprintln!("{}", usage());
+                    std::process::exit(2);
+                }
+            }
+            other => {
+                eprintln!("unknown argument: {other}\n\n{}", usage());
+                std::process::exit(2);
+            }
+        }
+    }
+
+    let request_path = match request_path {
+        Some(path) => path,
+        None => {
+            eprintln!("missing --request\n\n{}", usage());
+            std::process::exit(2);
+        }
+    };
+
+    let text = match std::fs::read_to_string(&request_path) {
+        Ok(text) => text,
+        Err(err) => {
+            eprintln!("failed to read request: {err}");
+            std::process::exit(2);
+        }
+    };
+
+    let parsed: PreflightRequest = match serde_json::from_str(&text) {
+        Ok(req) => req,
+        Err(err) => {
+            eprintln!("failed to parse request.json: {err}");
+            std::process::exit(2);
+        }
+    };
+
+    let format = parsed.policy.format;
+    let params = parsed.policy.params.as_ref();
+
+    if format != "sbpl" {
+        let data = PreflightData {
+            policy_format: format,
+            policy_sha256: None,
+            params_present: params.is_some(),
+            params_count: params.map(|p| p.len()).unwrap_or(0),
+            compiled: false,
+            compile_error: Some("unsupported policy.format (expected sbpl)".to_string()),
+        };
+        let result = json_contract::JsonResult {
+            ok: false,
+            rc: None,
+            exit_code: Some(1),
+            normalized_outcome: Some("unsupported_format".to_string()),
+            errno: None,
+            error: Some("unsupported policy.format (expected sbpl)".to_string()),
+            stderr: None,
+            stdout: None,
+        };
+        let _ = json_contract::print_envelope("sbpl_preflight", result, &data);
+        std::process::exit(1);
+    }
+
+    let source = match parsed.policy.sbpl_source.as_ref() {
+        Some(src) => src,
+        None => {
+            let data = PreflightData {
+                policy_format: format,
+                policy_sha256: None,
+                params_present: params.is_some(),
+                params_count: params.map(|p| p.len()).unwrap_or(0),
+                compiled: false,
+                compile_error: Some("missing policy.sbpl_source".to_string()),
+            };
+            let result = json_contract::JsonResult {
+                ok: false,
+                rc: None,
+                exit_code: Some(1),
+                normalized_outcome: Some("bad_policy".to_string()),
+                errno: None,
+                error: Some("missing policy.sbpl_source".to_string()),
+                stderr: None,
+                stdout: None,
+            };
+            let _ = json_contract::print_envelope("sbpl_preflight", result, &data);
+            std::process::exit(1);
+        }
+    };
+
+    let policy_sha = sha256_hex(source);
+    let compile_result = compile_sbpl(source, params);
+    match compile_result {
+        Ok(()) => {
+            let data = PreflightData {
+                policy_format: format,
+                policy_sha256: Some(policy_sha),
+                params_present: params.is_some(),
+                params_count: params.map(|p| p.len()).unwrap_or(0),
+                compiled: true,
+                compile_error: None,
+            };
+            let result = json_contract::JsonResult {
+                ok: true,
+                rc: None,
+                exit_code: Some(0),
+                normalized_outcome: Some("ok".to_string()),
+                errno: None,
+                error: None,
+                stderr: None,
+                stdout: None,
+            };
+            let _ = json_contract::print_envelope("sbpl_preflight", result, &data);
+            std::process::exit(0);
+        }
+        Err(err) => {
+            let data = PreflightData {
+                policy_format: format,
+                policy_sha256: Some(policy_sha),
+                params_present: params.is_some(),
+                params_count: params.map(|p| p.len()).unwrap_or(0),
+                compiled: false,
+                compile_error: Some(err.clone()),
+            };
+            let result = json_contract::JsonResult {
+                ok: false,
+                rc: None,
+                exit_code: Some(1),
+                normalized_outcome: Some("compile_error".to_string()),
+                errno: None,
+                error: Some(err),
+                stderr: None,
+                stdout: None,
+            };
+            let _ = json_contract::print_envelope("sbpl_preflight", result, &data);
+            std::process::exit(1);
+        }
+    }
+}

controller/src/main.rs

@@ -8,6 +8,7 @@ mod bundle;
 mod cli;
 mod evidence;
 mod json_contract;
+mod policy_preflight;
 mod plist;
 mod request_patch;
 mod run_flow;