feat(diagnostics): expose structured diagnostics for Python supervisors

Cargo.toml

@@ -13,8 +13,8 @@ name = "_nono_py"
 crate-type = ["cdylib"]
 
 [dependencies]
-nono = "0.57.0"
-nono-proxy = "0.57.0"
+nono = "0.64.1"
+nono-proxy = "0.64.1"
 pyo3 = { version = "0.29", features = ["extension-module"] }
 tokio = { version = "1", features = ["rt-multi-thread"] }
 libc = "0.2"

python/nono_py/__init__.py

@@ -29,6 +29,7 @@
 from nono_py import audit
 from nono_py._nono_py import (
     AccessMode,
+    AwsAuthConfig,
     CapabilitySet,
     CapabilitySource,
     Change,
@@ -52,10 +53,12 @@
     SupportInfo,
     apply,
     apply_unlink_overrides,
+    build_session_diagnostic_report,
     embedded_policy_json,
     is_supported,
     load_embedded_policy,
     load_policy,
+    merge_diagnostic_report_json,
     sandboxed_exec,
     start_proxy,
     support_info,
@@ -74,6 +77,7 @@
     "ExternalProxyConfig",
     "FileState",
     "FsCapability",
+    "AwsAuthConfig",
     "InjectMode",
     "Policy",
     "ProxyConfig",
@@ -88,10 +92,12 @@
     "SupportInfo",
     "apply",
     "apply_unlink_overrides",
+    "build_session_diagnostic_report",
     "embedded_policy_json",
     "is_supported",
     "load_embedded_policy",
     "load_policy",
+    "merge_diagnostic_report_json",
     "sandboxed_exec",
     "start_proxy",
     "support_info",

python/nono_py/_nono_py.pyi

@@ -321,8 +321,27 @@ class ExecResult:
         """Process exit code (0 = success, -N = killed by signal N)."""
         ...
 
+    def session_diagnostics(self) -> dict[str, object]:
+        """Structured session diagnostic report for this execution."""
+        ...
+
+    def session_diagnostics_json(self) -> str:
+        """JSON session diagnostic report."""
+        ...
+
     def __repr__(self) -> str: ...
 
+def build_session_diagnostic_report(exit_code: int) -> dict[str, object]:
+    """Build a minimal session diagnostic report."""
+    ...
+
+def merge_diagnostic_report_json(
+    session_report_json: str,
+    proxy_diagnostics_json: str | None = None,
+) -> dict[str, object]:
+    """Merge session and proxy diagnostic JSON."""
+    ...
+
 def sandboxed_exec(
     caps: CapabilitySet,
     command: list[str],
@@ -419,6 +438,23 @@ class InjectMode(Enum):
     def __hash__(self) -> int: ...
     def __eq__(self, other: object) -> bool: ...
 
+class AwsAuthConfig:
+    """AWS SigV4 authentication configuration for a proxy route."""
+
+    def __init__(
+        self,
+        profile: str | None = None,
+        region: str | None = None,
+        service: str | None = None,
+    ) -> None: ...
+    @property
+    def profile(self) -> str | None: ...
+    @property
+    def region(self) -> str | None: ...
+    @property
+    def service(self) -> str | None: ...
+    def __repr__(self) -> str: ...
+
 class RouteConfig:
     """Configuration for a reverse proxy credential injection route."""
 
@@ -438,6 +474,7 @@ class RouteConfig:
         tls_ca: str | None = None,
         tls_client_cert: str | None = None,
         tls_client_key: str | None = None,
+        aws_auth: AwsAuthConfig | None = None,
     ) -> None: ...
     @property
     def prefix(self) -> str: ...
@@ -467,6 +504,8 @@ class RouteConfig:
     def tls_client_cert(self) -> str | None: ...
     @property
     def tls_client_key(self) -> str | None: ...
+    @property
+    def aws_auth(self) -> AwsAuthConfig | None: ...
     def __repr__(self) -> str: ...
 
 class ExternalProxyConfig:
@@ -561,6 +600,14 @@ class ProxyHandle:
         """Drain and return collected network audit events."""
         ...
 
+    def diagnostics(self) -> list[dict[str, object]]:
+        """Startup diagnostics from credential loading."""
+        ...
+
+    def diagnostics_json(self) -> str:
+        """Serialize startup diagnostics to JSON."""
+        ...
+
     def shutdown(self) -> None:
         """Signal the proxy to shut down gracefully."""
         ...

python/nono_py/audit.py

@@ -1686,17 +1686,11 @@ def to_wire(self) -> dict[str, Any]:
 
 
 def _validate_event(event: AuditEvent | dict[str, Any]) -> AuditEvent:
-    return cast(  # type: ignore[redundant-cast, unused-ignore]
-        AuditEvent,
-        _AUDIT_EVENT_ADAPTER.validate_python(event),
-    )
+    return _AUDIT_EVENT_ADAPTER.validate_python(event)
 
 
 def _validate_approval_decision(decision: ApprovalDecision) -> _ApprovalDecisionModelInput:
-    return cast(  # type: ignore[redundant-cast, unused-ignore]
-        _ApprovalDecisionModelInput,
-        _APPROVAL_DECISION_ADAPTER.validate_python(decision),
-    )
+    return _APPROVAL_DECISION_ADAPTER.validate_python(decision)
 
 
 def session_started(