@aigne/ash 0.0.1

package/src/type-checker.test.ts

@@ -0,0 +1,1494 @@
+import { describe, it, expect } from "vitest";
+import { AshLexer } from "./lexer.js";
+import { AshParser } from "./parser.js";
+import { checkPipelineTypes, checkProhibitedPatterns, checkAnnotations } from "./type-checker.js";
+import { compileSource } from "./compiler.js";
+import type { PipelineStage, Program } from "./ast.js";
+import type { AshDiagnostic } from "./type-checker.js";
+
+const lexer = new AshLexer();
+const parser = new AshParser();
+
+function parse(source: string): Program {
+  return parser.parse(lexer.tokenize(source));
+}
+
+function stages(source: string): PipelineStage[] {
+  return parse(source).jobs[0].pipeline;
+}
+
+describe("Phase 2: Type Checker + Prohibited Patterns", () => {
+  // ── Happy: type compatibility ──
+
+  it("find → where → type compatible (object_stream → object_stream)", () => {
+    const errors = checkPipelineTypes(stages("job q { find /world/x | where age > 18 }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("where → map → type compatible", () => {
+    const errors = checkPipelineTypes(stages("job q { where x > 1 | map name }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("map → save → type compatible", () => {
+    const errors = checkPipelineTypes(stages("job q { map name | save /world/out }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("full chain find | where | map | tee | save → passes", () => {
+    const errors = checkPipelineTypes(stages("job q { find /world/x | where x > 1 | map name | tee /world/bak | save /world/out }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("fanout accepts object_stream → passes", () => {
+    const errors = checkPipelineTypes(stages("job q { find /world/x | fanout { save /world/a, save /world/b } }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("publish at end receives object_stream → passes", () => {
+    const errors = checkPipelineTypes(stages("job q { find /world/x | publish /topic/out }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  // ── Output / Input type checking ──
+
+  it("output in pipeline: passes through object_stream", () => {
+    const errors = checkPipelineTypes(stages('job q { find /world/x | output "msg" | save /world/out }'));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("input as source: outputs object_stream", () => {
+    const errors = checkPipelineTypes(stages('job q { input "name?" | save /world/out }'));
+    expect(errors).toHaveLength(0);
+  });
+
+  // ── Bad: type incompatibility ──
+
+  it("save → where → type mismatch (none → object_stream)", () => {
+    const errors = checkPipelineTypes(stages("job q { save /world/out | where x > 1 }"));
+    expect(errors).toHaveLength(1);
+    expect(errors[0].message).toMatch(/type mismatch/i);
+    expect(errors[0].actual).toBe("none");
+    expect(errors[0].expected).toBe("object_stream");
+  });
+
+  it("map receives none input → mismatch", () => {
+    const errors = checkPipelineTypes(stages("job q { save /world/out | map name }"));
+    expect(errors).toHaveLength(1);
+  });
+
+  it("two saves in sequence → type error", () => {
+    const errors = checkPipelineTypes(stages("job q { save /world/a | save /world/b }"));
+    expect(errors).toHaveLength(1);
+  });
+
+  // ── Edge ──
+
+  it("single command pipeline → no type check needed, passes", () => {
+    const errors = checkPipelineTypes(stages("job q { find /world/x }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("tee in middle: object_stream → object_stream → correct", () => {
+    const errors = checkPipelineTypes(stages("job q { find /world/x | tee /world/bak | map name }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  // ── Security ──
+
+  it("unknown annotation rejected", () => {
+    const prog = parse("@unknown_ann\njob q { find /world/x }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors.length).toBeGreaterThanOrEqual(1);
+    expect(errors[0].kind).toBe("prohibited");
+  });
+
+  it("valid annotation accepted", () => {
+    const prog = parse("@approval(human)\njob q { find /world/x }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors).toHaveLength(0);
+  });
+
+  // ── Data Loss ──
+
+  it("type error includes expected/actual type + pipeline position", () => {
+    const errors = checkPipelineTypes(stages("job q { save /world/out | where x > 1 }"));
+    expect(errors[0].stage).toBe(1);
+    expect(errors[0].expected).toBeDefined();
+    expect(errors[0].actual).toBeDefined();
+  });
+});
+
+describe("Phase 8: count/group-by type checking", () => {
+  it("find | count → type compatible (object_stream → single_object)", () => {
+    const errors = checkPipelineTypes(stages("job q { find /world/x | count }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("find | count | save → type compatible (single_object auto-promotes)", () => {
+    const errors = checkPipelineTypes(stages("job q { find /world/x | count | save /world/out }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("find | group-by dept → type compatible", () => {
+    const errors = checkPipelineTypes(stages("job q { find /world/x | group-by dept }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("find | group-by dept | save → type compatible", () => {
+    const errors = checkPipelineTypes(stages("job q { find /world/x | group-by dept | save /world/out }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("count is recognized as builtin (not unknown command)", () => {
+    const prog = parse("job q { find /world/x | count }");
+    const errors = checkProhibitedPatterns(prog);
+    expect(errors).toHaveLength(0);
+  });
+
+  it("group-by is recognized as builtin (not unknown command)", () => {
+    const prog = parse("job q { find /world/x | group-by dept }");
+    const errors = checkProhibitedPatterns(prog);
+    expect(errors).toHaveLength(0);
+  });
+});
+
+describe("Phase 9: Type Checker — annotation validation + enhanced errors", () => {
+  // Happy
+  it("find → where → map → save full chain passes bidirectional check", () => {
+    const errors = checkPipelineTypes(stages("job q { find /world/x | where x > 1 | map name | save /world/out }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("@approval(human) passes validation", () => {
+    const prog = parse("@approval(human)\njob q { find /world/x }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors).toHaveLength(0);
+  });
+
+  it("@approval(auto) passes validation", () => {
+    const prog = parse("@approval(auto)\njob q { find /world/x }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors).toHaveLength(0);
+  });
+
+  it("@retry(3) passes validation", () => {
+    const prog = parse("@retry(3)\njob q { find /world/x }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors).toHaveLength(0);
+  });
+
+  it("@timeout(5000) passes validation", () => {
+    const prog = parse("@timeout(5000)\njob q { find /world/x }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors).toHaveLength(0);
+  });
+
+  // Bad
+  it("input → save → map → detects type mismatch after save", () => {
+    const errors = checkPipelineTypes(stages('job q { input "x" | save /world/out | map name }'));
+    expect(errors.length).toBeGreaterThan(0);
+  });
+
+  it("@approval(robot) → invalid value", () => {
+    const prog = parse("@approval(robot)\njob q { find /world/x }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors.length).toBeGreaterThan(0);
+  });
+
+  it("@retry(-1) → rejected (annotation validator rejects non-integer arg)", () => {
+    // With MINUS as a valid token, `-1` parses as two tokens: `-`, `1`
+    // The annotation sees arg[0] = "-" which is not a valid integer
+    const prog = parse("@retry(-1)\njob q { find /world/x }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors.length).toBeGreaterThan(0);
+  });
+
+  it("@retry(abc) → non-numeric argument", () => {
+    const prog = parse("@retry(abc)\njob q { find /world/x }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors.length).toBeGreaterThan(0);
+  });
+
+  // Edge
+  it("@readonly no args → passes", () => {
+    const prog = parse("@readonly\njob q { find /world/x }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors).toHaveLength(0);
+  });
+
+  it("multiple annotations combined → all validated", () => {
+    const prog = parse("@approval(human)\n@retry(3)\n@timeout(5000)\njob q { find /world/x }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors).toHaveLength(0);
+  });
+
+  // Security
+  it("annotation value cannot contain code execution", () => {
+    const prog = parse("@approval(process.exit)\njob q { find /world/x }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors.length).toBeGreaterThan(0);
+  });
+
+  // Data Loss
+  it("enhanced checks do not break v0 valid programs (regression)", () => {
+    const prog = parse("@approval(human)\n@readonly\njob q { find /world/x | where x > 1 | map name | save /world/out }");
+    const typeErrors = checkPipelineTypes(prog.jobs[0].pipeline);
+    const annErrors = checkAnnotations(prog.jobs[0]);
+    const prohibErrors = checkProhibitedPatterns(prog);
+    expect(typeErrors).toHaveLength(0);
+    expect(annErrors).toHaveLength(0);
+    expect(prohibErrors).toHaveLength(0);
+  });
+});
+
+describe("Phase v3-0: action type checking", () => {
+  it("action stage has stdin=object_stream, stdout=object_stream (find | action passes)", () => {
+    const errors = checkPipelineTypes(stages("job q { find /world/x | action /tools/transform }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("action after find passes type check", () => {
+    const errors = checkPipelineTypes(stages("job q { find /world/x | action /tools/x }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("action before save passes type check", () => {
+    const errors = checkPipelineTypes(stages("job q { action /tools/x | save /world/out }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("find | action | save full chain passes", () => {
+    const errors = checkPipelineTypes(stages("job q { find /world/x | action /tools/t | save /world/out }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("action is recognized as builtin (not unknown command)", () => {
+    const prog = parse("job q { find /world/x | action /tools/t }");
+    const errors = checkProhibitedPatterns(prog);
+    expect(errors).toHaveLength(0);
+  });
+
+  it("action as pipeline source (stdin=object_stream but first stage is allowed)", () => {
+    // action as first stage: receives empty stream implicitly
+    const errors = checkPipelineTypes(stages("job q { action /tools/generate }"));
+    expect(errors).toHaveLength(0);
+  });
+
+  it("save | action → type mismatch (save outputs none, action expects object_stream)", () => {
+    const errors = checkPipelineTypes(stages("job q { save /world/x | action /tools/t }"));
+    expect(errors).toHaveLength(1);
+    expect(errors[0].message).toMatch(/type mismatch/i);
+  });
+
+  it("@on_error(skip) annotation passes validation", () => {
+    const prog = parse("@on_error(skip)\njob q { find /world/x | action /tools/t }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors).toHaveLength(0);
+  });
+
+  it("@on_error(fail) annotation passes validation", () => {
+    const prog = parse("@on_error(fail)\njob q { find /world/x }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors).toHaveLength(0);
+  });
+
+  it("@on_error(invalid) → annotation error", () => {
+    const prog = parse("@on_error(invalid)\njob q { find /world/x }");
+    const errors = checkAnnotations(prog.jobs[0]);
+    expect(errors.length).toBeGreaterThan(0);
+  });
+});
+
+describe("Phase 10: Structured Diagnostics (AshDiagnostic)", () => {
+  // Happy
+  it("compileSource valid program → { program, diagnostics: [] }", () => {
+    const result = compileSource("job q { find /world/x | save /world/out }");
+    expect(result.program).toBeDefined();
+    expect(result.diagnostics).toEqual([]);
+  });
+
+  it("multiple type errors collected as AshDiagnostic[] with correct code", () => {
+    // save → where is a type mismatch; also check code field
+    const result = compileSource("job q { save /world/out | where x > 1 }");
+    expect(result.diagnostics.length).toBeGreaterThan(0);
+    expect(result.diagnostics[0].code).toBe("ASH_TYPE_MISMATCH");
+  });
+
+  it("unknown command suggestion includes available commands list", () => {
+    // We need a program with an unknown command — but parser won't produce one.
+    // Instead, test via checkProhibitedPatterns directly with a crafted program.
+    // The compileSource path catches this at the type-check stage.
+    // For this test, use the toDiagnostics helper indirectly.
+    const prog = parse("job q { find /world/x }");
+    // Manually inject unknown stage
+    (prog.jobs[0].pipeline as any).push({ kind: "xyzzy" });
+    const errors = checkProhibitedPatterns(prog);
+    expect(errors.length).toBeGreaterThan(0);
+    expect(errors[0].message).toContain("xyzzy");
+  });
+
+  it("annotation error returns ASH_ANNOTATION_INVALID code", () => {
+    const result = compileSource("@approval(robot)\njob q { find /world/x }");
+    expect(result.diagnostics.some(d => d.code === "ASH_ANNOTATION_INVALID")).toBe(true);
+  });
+
+  // Bad
+  it("unterminated string → ASH_SYNTAX_UNTERMINATED + line/column", () => {
+    const result = compileSource('job q { output "hello }');
+    expect(result.program).toBeUndefined();
+    expect(result.diagnostics).toHaveLength(1);
+    expect(result.diagnostics[0].code).toBe("ASH_SYNTAX_UNTERMINATED");
+    expect(result.diagnostics[0].line).toBeDefined();
+    expect(result.diagnostics[0].column).toBeDefined();
+  });
+
+  it("illegal character → ASH_SYNTAX_UNEXPECTED + line/column", () => {
+    const result = compileSource("job q { find /world/x & }");
+    expect(result.program).toBeUndefined();
+    expect(result.diagnostics).toHaveLength(1);
+    expect(result.diagnostics[0].code).toBe("ASH_SYNTAX_UNEXPECTED");
+    expect(result.diagnostics[0].line).toBeDefined();
+  });
+
+  it("parser error (missing {) → ASH_SYNTAX_UNEXPECTED + location", () => {
+    const result = compileSource("job q find /world/x }");
+    expect(result.program).toBeUndefined();
+    expect(result.diagnostics).toHaveLength(1);
+    expect(result.diagnostics[0].code).toBe("ASH_SYNTAX_UNEXPECTED");
+  });
+
+  it("unknown command → ASH_UNKNOWN_COMMAND + suggestion", () => {
+    const prog = parse("job q { find /world/x }");
+    (prog.jobs[0].pipeline as any).push({ kind: "savee" });
+    const errors = checkProhibitedPatterns(prog);
+    expect(errors[0].message).toContain("savee");
+  });
+
+  it("type mismatch (save | where) → ASH_TYPE_MISMATCH + stage", () => {
+    const result = compileSource("job q { save /world/out | where x > 1 }");
+    const diag = result.diagnostics.find(d => d.code === "ASH_TYPE_MISMATCH");
+    expect(diag).toBeDefined();
+    expect(diag!.stage).toBe(1);
+  });
+
+  it("undefined variable → ASH_UNDEFINED_VAR", () => {
+    const result = compileSource("job q { find /world/x | where x > $missing }");
+    // This is a runtime error currently, so compileSource won't catch it at compile time.
+    // undefined var is detected at runtime. For compile-time, we check let duplicates.
+    // Adjust: duplicate variable test
+    expect(result.diagnostics).toEqual([]); // no compile-time error for undefined var (runtime)
+  });
+
+  it("duplicate variable → ASH_DUPLICATE_VAR", () => {
+    const result = compileSource("let x = 1\nlet x = 2\njob q { find /world/x }");
+    expect(result.program).toBeUndefined();
+    expect(result.diagnostics[0].code).toBe("ASH_DUPLICATE_VAR");
+  });
+
+  // Edge
+  it("empty source → { program, diagnostics: [] }", () => {
+    const result = compileSource("");
+    expect(result.program).toBeDefined();
+    expect(result.diagnostics).toEqual([]);
+  });
+
+  it("multiple stages multiple errors collected in same diagnostics[]", () => {
+    // Two type errors: save | where | map (save→where mismatch, and save→map mismatch)
+    const result = compileSource("job q { save /world/out | where x > 1 | map name }");
+    // At least one type mismatch
+    expect(result.diagnostics.filter(d => d.code === "ASH_TYPE_MISMATCH").length).toBeGreaterThanOrEqual(1);
+  });
+
+  it("lexer error stops further processing (no parser/type-check)", () => {
+    const result = compileSource('job q { output "unterminated');
+    expect(result.program).toBeUndefined();
+    expect(result.diagnostics).toHaveLength(1);
+    // Only lexer error, no parser error
+    expect(result.diagnostics[0].code).toBe("ASH_SYNTAX_UNTERMINATED");
+  });
+
+  // Security
+  // Route DAG validation
+  it("route: target job not found → error diagnostic", () => {
+    const result = compileSource('job main { find /data | route type { "a" -> job nonexistent } }');
+    expect(result.diagnostics.some(d => d.message.includes("nonexistent"))).toBe(true);
+  });
+
+  it("route: valid targets → no error", () => {
+    const result = compileSource('job main { find /data | route type { "a" -> job handler } }\njob handler { save /world/out }');
+    const routeErrors = result.diagnostics.filter(d => d.message.includes("Route"));
+    expect(routeErrors).toHaveLength(0);
+  });
+
+  it("route: cycle detection (A→B→A) → error", () => {
+    const result = compileSource('job a { find /data | route type { "x" -> job b } }\njob b { find /data | route type { "y" -> job a } }');
+    expect(result.diagnostics.some(d => d.message.includes("cycle"))).toBe(true);
+  });
+
+  it("lookup: stdin=object_stream, stdout=object_stream", () => {
+    const result = compileSource("job q { find /data | lookup /customers on cust_id | save /out }");
+    const typeErrors = result.diagnostics.filter(d => d.code === "ASH_TYPE_MISMATCH");
+    expect(typeErrors).toHaveLength(0);
+  });
+
+  it("diagnostic message does not leak internal stack trace", () => {
+    const result = compileSource('job q { output "unterminated');
+    for (const d of result.diagnostics) {
+      expect(d.message).not.toMatch(/at\s+\w+\s*\(/); // no stack frames
+      expect(d.message).not.toContain("Error:");
+    }
+  });
+
+  it("trigger job compiles without diagnostics", () => {
+    const result = compileSource("job handler on /data/inbox:created { find /data/inbox | save /out }");
+    const errors = result.diagnostics.filter(d => d.code !== "ASH_TYPE_MISMATCH");
+    expect(errors).toHaveLength(0);
+  });
+
+  it("trigger job: compiled program includes trigger metadata", () => {
+    const result = compileSource("job handler on /data/inbox:created { find /data/inbox | save /out }");
+    expect(result.program?.jobs[0].trigger).toEqual({ kind: "event", path: "/data/inbox", event: "created" });
+  });
+
+  it("cron trigger compiles without diagnostics", () => {
+    const result = compileSource('job ticker on cron("*/5 * * * *") { find /data | save /out }');
+    const errors = result.diagnostics.filter(d => d.code !== "ASH_TYPE_MISMATCH");
+    expect(errors).toHaveLength(0);
+  });
+
+  it("cron trigger: compiled program includes cron metadata", () => {
+    const result = compileSource('job ticker on cron("0 * * * *") { find /data | save /out }');
+    expect(result.program?.jobs[0].trigger).toEqual({ kind: "cron", expression: "0 * * * *" });
+  });
+
+  it("cron trigger does not trigger event-loop detection", () => {
+    const result = compileSource('job writer on cron("*/5 * * * *") { find /data | save /data }');
+    const loopErrors = result.diagnostics.filter(d => d.message.includes("event loop"));
+    expect(loopErrors).toHaveLength(0);
+  });
+
+  it("event trigger + save to same path still triggers event-loop detection", () => {
+    const result = compileSource("job loop on /data:created { find /data | save /data }");
+    expect(result.diagnostics.some(d => d.message.includes("event loop"))).toBe(true);
+  });
+});
+
+describe("Hardening: stress-test edge cases", () => {
+  // 1. Duplicate job names
+  it("duplicate job name → error", () => {
+    const result = compileSource("job q { find /a | save /b }\njob q { find /c | save /d }");
+    expect(result.diagnostics.some(d => d.message.includes("Duplicate job name"))).toBe(true);
+  });
+
+  // 2. @retry hard limit (error)
+  it("@retry(999999) → error for exceeding hard limit", () => {
+    const result = compileSource("@retry(999999)\njob q { find /a | save /b }");
+    expect(result.diagnostics.some(d => d.message.includes("retry") && d.severity !== "warning")).toBe(true);
+  });
+
+  it("@retry(10) → passes without warning", () => {
+    const result = compileSource("@retry(10)\njob q { find /a | save /b }");
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  // 3. @approval conflict
+  it("@approval(human) + @approval(auto) on same job → error", () => {
+    const result = compileSource("@approval(human)\n@approval(auto)\njob q { find /a | save /b }");
+    expect(result.diagnostics.some(d => d.message.includes("@approval") && d.message.includes("conflict"))).toBe(true);
+  });
+
+  // 4. Path traversal ../ (error — no legitimate use)
+  it("path with .. → error", () => {
+    const result = compileSource("job q { find /data/../secrets | save /out }");
+    expect(result.diagnostics.some(d => d.message.includes("..") && d.severity !== "warning")).toBe(true);
+  });
+
+  it("normal path → no warning", () => {
+    const result = compileSource("job q { find /data/users | save /out }");
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  // 5. Empty job → warning
+  it("empty job body → warning", () => {
+    const result = compileSource("job empty { }");
+    expect(result.diagnostics.some(d => d.message.includes("empty") && d.severity === "warning")).toBe(true);
+  });
+
+  // 6. Division by zero / Infinity / NaN at compile time (literal expressions)
+  it("literal division by zero → warning", () => {
+    const result = compileSource("job q { find /a | map { x: 1 / 0 } | save /b }");
+    expect(result.diagnostics.some(d => d.message.includes("division by zero") && d.severity === "warning")).toBe(true);
+  });
+
+  // 7. Reserved keywords as job names → error
+  it("keyword 'find' as job name → parse error", () => {
+    const result = compileSource("job find { find /a | save /b }");
+    expect(result.diagnostics.length).toBeGreaterThan(0);
+  });
+
+  it("keyword 'route' as job name → parse error", () => {
+    const result = compileSource("job route { find /a | save /b }");
+    expect(result.diagnostics.length).toBeGreaterThan(0);
+  });
+
+  it("keyword 'job' as job name → parse error", () => {
+    const result = compileSource("job job { find /a | save /b }");
+    expect(result.diagnostics.length).toBeGreaterThan(0);
+  });
+
+  it("non-keyword job name → passes", () => {
+    const result = compileSource("job my_etl { find /a | save /b }");
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  // 8. Prototype chain safety tested in compiler.test.ts (runtime behavior)
+
+  // 9. $ in paths → warning (bare $ only, not ${...} templates)
+  it("path containing bare $ → warning", () => {
+    const result = compileSource("job q { find /data/$evil | save /out }");
+    expect(result.diagnostics.some(d => d.message.includes("$") && d.severity === "warning")).toBe(true);
+  });
+
+  it("path with ${template} → no warning (template interpolation allowed)", () => {
+    // Use string concat to avoid JS template literal interpolation
+    const src = "job q { find /data/" + "${id}" + " | save /out }";
+    const result = compileSource(src);
+    const dollarWarnings = result.diagnostics.filter(d =>
+      d.message.includes("$") && d.message.includes("variable interpolation"),
+    );
+    expect(dollarWarnings).toHaveLength(0);
+  });
+
+  it("path with ${nested.field} → no warning", () => {
+    const src = "job q { find /data/" + "${data.messageId}" + " | save /out }";
+    const result = compileSource(src);
+    const dollarWarnings = result.diagnostics.filter(d =>
+      d.message.includes("$") && d.message.includes("variable interpolation"),
+    );
+    expect(dollarWarnings).toHaveLength(0);
+  });
+
+  it("action with template path and caps → skip compile-time cap check", () => {
+    const src = "@caps(read /data/*, exec /api/*)\njob q { find /data/x | action /api/" + "${method}" + " }";
+    const result = compileSource(src);
+    // Template path should NOT trigger CAP_DENIED (runtime check instead)
+    const capDenied = result.diagnostics.filter(d =>
+      d.code === "ASH_CAP_DENIED" && d.message.includes("${"),
+    );
+    expect(capDenied).toHaveLength(0);
+  });
+
+  // 10. Pipeline depth limit → warning
+  it("pipeline with >30 stages → warning", () => {
+    const stages = Array.from({ length: 35 }, () => "where x > 1").join(" | ");
+    const result = compileSource(`job q { find /a | ${stages} | save /b }`);
+    expect(result.diagnostics.some(d => d.message.includes("stages") && d.severity === "warning")).toBe(true);
+  });
+
+  it("pipeline with 5 stages + @caps → no warning", () => {
+    const result = compileSource("@caps(read /a/* write /b/* write /c/*)\njob q { find /a | where x > 1 | map name | tee /b | save /c }");
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  // 11. Fanout nesting depth → warning
+  it("fanout nested >3 levels → warning", () => {
+    const result = compileSource(`
+job q {
+  find /a | fanout {
+    fanout {
+      fanout {
+        fanout { save /deep1, save /deep2 },
+        save /b
+      },
+      save /c
+    },
+    save /d
+  }
+}
+    `);
+    expect(result.diagnostics.some(d => d.message.includes("fanout") && d.severity === "warning")).toBe(true);
+  });
+
+  // 12. Job name length limit
+  it("job name > 64 chars → warning", () => {
+    const longName = "a".repeat(65);
+    const result = compileSource(`job ${longName} { find /a | save /b }`);
+    expect(result.diagnostics.some(d => d.message.includes("64 characters") && d.severity === "warning")).toBe(true);
+  });
+
+  it("job name 10 chars → no warning", () => {
+    const result = compileSource("job short_name { find /a | save /b }");
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  // 13. Program job count limit
+  it("program with >50 jobs → warning", () => {
+    const jobs = Array.from({ length: 55 }, (_, i) => `job j${i} { find /a | save /b${i} }`).join("\n");
+    const result = compileSource(jobs);
+    expect(result.diagnostics.some(d => d.message.includes("50 jobs") && d.severity === "warning")).toBe(true);
+  });
+
+  it("program with 3 jobs → no warning", () => {
+    const result = compileSource(`
+job a { find /a | save /b }
+job b { find /c | save /d }
+job c { find /e | save /f }
+    `);
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  // 14. Fanout total branch count limit (anti-DDoS)
+  it("fanout with >10 branches → warning", () => {
+    const branches = Array.from({ length: 12 }, (_, i) => `save /out${i}`).join(", ");
+    const result = compileSource(`job q { find /a | fanout { ${branches} } }`);
+    expect(result.diagnostics.some(d => d.message.includes("branches") && d.severity === "warning")).toBe(true);
+  });
+
+  it("fanout with 3 branches → no warning", () => {
+    const result = compileSource("job q { find /a | fanout { save /x, save /y, save /z } }");
+    expect(result.diagnostics).toHaveLength(0);
+  });
+});
+
+// ── @caps: capability-based path security ──
+
+describe("@caps: capability-based security", () => {
+  // ── Annotation validation ──
+
+  it("@caps with valid args → passes", () => {
+    const result = compileSource(`
+@caps(read /data/*, write /out/*)
+job q { find /data/users | save /out/clean }
+    `);
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  it("@caps with no args → error", () => {
+    const result = compileSource(`
+@caps()
+job q { find /a | save /b }
+    `);
+    expect(result.diagnostics.some(d => d.message.includes("@caps"))).toBe(true);
+  });
+
+  it("@caps with odd number of args → error", () => {
+    const result = compileSource(`
+@caps(read /data/* write)
+job q { find /data/x | save /out }
+    `);
+    expect(result.diagnostics.some(d => d.message.includes("pairs"))).toBe(true);
+  });
+
+  it("@caps with invalid operation → error", () => {
+    const result = compileSource(`
+@caps(delete /data/*)
+job q { find /data/x | save /out }
+    `);
+    expect(result.diagnostics.some(d => d.message.includes("delete"))).toBe(true);
+  });
+
+  // ── Static path checking ──
+
+  it("find path within caps → passes", () => {
+    const result = compileSource(`
+@caps(read /data/*)
+job q { find /data/users | save /out }
+    `);
+    // save /out not in caps → should fail
+    expect(result.diagnostics.some(d => d.code === "ASH_CAP_DENIED")).toBe(true);
+  });
+
+  it("find path outside caps → denied", () => {
+    const result = compileSource(`
+@caps(read /allowed/*)
+job q { find /secret/users | save /out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.code === "ASH_CAP_DENIED" && d.message.includes("/secret/users"),
+    )).toBe(true);
+  });
+
+  it("save path within caps → passes", () => {
+    const result = compileSource(`
+@caps(read /data/*, write /out/*)
+job q { find /data/users | save /out/clean }
+    `);
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  it("save path outside caps → denied", () => {
+    const result = compileSource(`
+@caps(read /data/*, write /out/*)
+job q { find /data/users | save /forbidden/path }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.code === "ASH_CAP_DENIED" && d.message.includes("/forbidden/path"),
+    )).toBe(true);
+  });
+
+  it("action path needs exec cap", () => {
+    const result = compileSource(`
+@caps(read /data/*, exec /api/enrich)
+job q { find /data/in | action /api/enrich | save /out }
+    `);
+    // action OK but save /out not covered
+    expect(result.diagnostics.some(d =>
+      d.code === "ASH_CAP_DENIED" && d.message.includes("/out"),
+    )).toBe(true);
+    // action /api/enrich should NOT be denied
+    expect(result.diagnostics.some(d =>
+      d.code === "ASH_CAP_DENIED" && d.message.includes("/api/enrich"),
+    )).toBe(false);
+  });
+
+  it("action path without exec cap → denied", () => {
+    const result = compileSource(`
+@caps(read /data/*)
+job q { find /data/in | action /api/enrich | save /out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.code === "ASH_CAP_DENIED" && d.message.includes("/api/enrich"),
+    )).toBe(true);
+  });
+
+  it("tee path needs write cap", () => {
+    const result = compileSource(`
+@caps(read /data/*, write /backup/*, write /out/*)
+job q { find /data/in | tee /backup/snap | save /out/clean }
+    `);
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  it("publish path needs write cap", () => {
+    const result = compileSource(`
+@caps(read /data/*, write /events/*)
+job q { find /data/in | publish /events/out }
+    `);
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  it("lookup path needs read cap", () => {
+    const result = compileSource(`
+@caps(read /data/*, write /out/*)
+job q { find /data/orders | lookup /data/customers on customer_id | save /out/enriched }
+    `);
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  it("lookup path outside read caps → denied", () => {
+    const result = compileSource(`
+@caps(read /data/orders, write /out/*)
+job q { find /data/orders | lookup /data/customers on customer_id | save /out/enriched }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.code === "ASH_CAP_DENIED" && d.message.includes("/data/customers"),
+    )).toBe(true);
+  });
+
+  // ── Glob matching ──
+
+  it("wildcard * matches nested paths", () => {
+    const result = compileSource(`
+@caps(read /ha/sensors/*)
+job q { find /ha/sensors/temperature/bedroom | save /out }
+    `);
+    // find OK, save /out denied
+    expect(result.diagnostics.some(d =>
+      d.code === "ASH_CAP_DENIED" && d.message.includes("/ha/sensors/"),
+    )).toBe(false);
+  });
+
+  it("exact path match without wildcard", () => {
+    const result = compileSource(`
+@caps(read /data/users, write /out/clean)
+job q { find /data/users | save /out/clean }
+    `);
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  it("exact path doesn't match sub-paths", () => {
+    const result = compileSource(`
+@caps(read /data)
+job q { find /data/users | save /out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.code === "ASH_CAP_DENIED" && d.message.includes("/data/users"),
+    )).toBe(true);
+  });
+
+  // ── No @caps → no check (backwards compatible) ──
+
+  it("job without @caps → no cap checking", () => {
+    const result = compileSource("job q { find /anything | save /anywhere }");
+    expect(result.diagnostics.filter(d => d.code === "ASH_CAP_DENIED")).toHaveLength(0);
+  });
+
+  // ── Fanout paths checked recursively ──
+
+  it("fanout branches checked against caps", () => {
+    const result = compileSource(`
+@caps(read /data/*, write /out/*)
+job q { find /data/in | fanout { save /out/a, save /out/b } }
+    `);
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  it("fanout branch with denied path → error", () => {
+    const result = compileSource(`
+@caps(read /data/*, write /out/*)
+job q { find /data/in | fanout { save /out/a, save /forbidden/b } }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.code === "ASH_CAP_DENIED" && d.message.includes("/forbidden/b"),
+    )).toBe(true);
+  });
+});
+
+describe("white-hat hardening — round 3", () => {
+  // ── Fix 1: @readonly must block tee ──
+
+  it("@readonly + tee → READONLY_VIOLATION", () => {
+    const result = compileSource(`
+@readonly
+job q { find /data/x | tee /data/backup | count | save /out }
+    `);
+    // tee is a write operation — should trigger readonly violation
+    expect(result.diagnostics.some(d =>
+      d.code === "ASH_READONLY_VIOLATION" && d.message.includes("tee"),
+    )).toBe(true);
+  });
+
+  // ── Fix 2: @readonly propagates to route targets ──
+
+  it("@readonly job routes to writing job → error", () => {
+    const result = compileSource(`
+@readonly
+job safe { find /data/x | route type { "a" -> job writer } }
+job writer { save /out/stolen }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.code === "ASH_READONLY_VIOLATION" && d.message.includes("writer"),
+    )).toBe(true);
+  });
+
+  it("@readonly job routes to readonly-safe job → ok", () => {
+    const result = compileSource(`
+@readonly
+job safe { find /data/x | route type { "a" -> job counter } }
+job counter { count | output "done" }
+    `);
+    const readonlyErrors = result.diagnostics.filter(d => d.code === "ASH_READONLY_VIOLATION");
+    expect(readonlyErrors).toHaveLength(0);
+  });
+
+  // ── Fix 3: event loop detection — on + save to same path ──
+
+  it("on /path:created + save /path → event loop warning", () => {
+    const result = compileSource(`
+job loop on /data/raw:created { find /data/raw | save /data/raw }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("event loop") || d.message.includes("trigger path"),
+    )).toBe(true);
+  });
+
+  it("on /path:created + tee /path → event loop warning", () => {
+    const result = compileSource(`
+job loop on /data/raw:created { find /data/raw | tee /data/raw | save /data/out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("event loop") || d.message.includes("trigger path"),
+    )).toBe(true);
+  });
+
+  it("on /path:created + save /other → no warning", () => {
+    const result = compileSource(`
+job ok on /data/raw:created { find /data/raw | save /data/clean }
+    `);
+    const loopWarnings = result.diagnostics.filter(d =>
+      d.message.includes("event loop") || d.message.includes("trigger path"),
+    );
+    expect(loopWarnings).toHaveLength(0);
+  });
+
+  // ── Fix 4: action calling /.actions/run or /.actions/exec → self-recursion error ──
+
+  it("action /.actions/run → self-recursion error", () => {
+    const result = compileSource(`
+job q { find /data/x | action /.actions/run | save /out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("self-referenc") || d.message.includes("recursion"),
+    )).toBe(true);
+  });
+
+  it("action /.actions/exec → self-recursion error", () => {
+    const result = compileSource(`
+job q { find /data/x | action /.actions/exec | save /out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("self-referenc") || d.message.includes("recursion"),
+    )).toBe(true);
+  });
+
+  it("action /api/normal → no warning", () => {
+    const result = compileSource(`
+job q { find /data/x | action /api/normal | save /out }
+    `);
+    const recursionWarnings = result.diagnostics.filter(d =>
+      d.message.includes("self-referenc") || d.message.includes("recursion"),
+    );
+    expect(recursionWarnings).toHaveLength(0);
+  });
+
+  it("action /.actions/agent-run → allowed (budget-constrained LLM loop)", () => {
+    const result = compileSource(`
+job q { find /data/x | action /.actions/agent-run | save /out }
+    `);
+    const recursionWarnings = result.diagnostics.filter(d =>
+      d.message.includes("self-referenc") || d.message.includes("recursion"),
+    );
+    expect(recursionWarnings).toHaveLength(0);
+  });
+
+  // ── Fix 5: NaN/Infinity expression warning ──
+
+  it("division that may produce NaN/Infinity → warning", () => {
+    const result = compileSource(`
+job q { find /data/x | map { ratio: score / total } | save /out }
+    `);
+    // Division by a field that could be zero — warning about potential NaN
+    expect(result.diagnostics.some(d =>
+      d.message.includes("NaN") || d.message.includes("division"),
+    )).toBe(true);
+  });
+});
+
+describe("black-hat hardening — round 4", () => {
+  // ── Fix 1: mixed annotation deception warning ──
+
+  it("@readonly job + non-readonly writing job → mixed security warning", () => {
+    const result = compileSource(`
+@readonly
+job monitor { find /data/x | output "status ok" }
+job backdoor { find /data/x | save /secret/out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("mixed security"),
+    )).toBe(true);
+  });
+
+  it("@readonly + @approval(auto) + hidden writer → deception warning", () => {
+    const result = compileSource(`
+@readonly @approval(auto)
+job safe_monitor { find /data/x | output "all good" }
+job install_backdoor { save /scripts/evil }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("mixed security"),
+    )).toBe(true);
+  });
+
+  it("all @readonly jobs → no mixed security warning", () => {
+    const result = compileSource(`
+@readonly
+job a { find /data/x | count }
+@readonly
+job b { find /data/y | output "done" }
+    `);
+    const mixed = result.diagnostics.filter(d => d.message.includes("mixed security"));
+    expect(mixed).toHaveLength(0);
+  });
+
+  it("no @readonly jobs → no mixed security warning", () => {
+    const result = compileSource(`
+job a { find /data/x | save /out/a }
+job b { find /data/y | save /out/b }
+    `);
+    const mixed = result.diagnostics.filter(d => d.message.includes("mixed security"));
+    expect(mixed).toHaveLength(0);
+  });
+
+  it("@readonly + non-readonly without writes → no warning", () => {
+    const result = compileSource(`
+@readonly
+job monitor { find /data/x | output "ok" }
+job counter { find /data/y | count }
+    `);
+    const mixed = result.diagnostics.filter(d => d.message.includes("mixed security"));
+    expect(mixed).toHaveLength(0);
+  });
+
+  // ── Fix 2: JS reserved field names → environment fingerprinting ──
+
+  it("map constructor → prototype pollution error", () => {
+    const result = compileSource(`
+job q { find /data/x | map constructor | save /out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("constructor") && d.message.includes("prototype pollution"),
+    )).toBe(true);
+  });
+
+  it("map __proto__ → prototype pollution error", () => {
+    const result = compileSource(`
+job q { find /data/x | map __proto__ | save /out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("__proto__") && d.message.includes("prototype pollution"),
+    )).toBe(true);
+  });
+
+  it("map { x: constructor } expression → JS reserved warning", () => {
+    const result = compileSource(`
+job q { find /data/x | map { x: constructor } | save /out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("constructor") && d.message.includes("JavaScript"),
+    )).toBe(true);
+  });
+
+  it("where constructor > 0 → prototype pollution error", () => {
+    const result = compileSource(`
+job q { find /data/x | where constructor > 0 | save /out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("constructor") && d.message.includes("prototype pollution"),
+    )).toBe(true);
+  });
+
+  it("map name → no JS reserved warning", () => {
+    const result = compileSource(`
+job q { find /data/x | map name | save /out }
+    `);
+    const jsWarnings = result.diagnostics.filter(d => d.message.includes("JavaScript"));
+    expect(jsWarnings).toHaveLength(0);
+  });
+
+  it("where age > 18 → no JS reserved warning", () => {
+    const result = compileSource(`
+job q { find /data/x | where age > 18 | save /out }
+    `);
+    const jsWarnings = result.diagnostics.filter(d => d.message.includes("JavaScript"));
+    expect(jsWarnings).toHaveLength(0);
+  });
+
+  // ── Fix 3: TOCTOU — sourceHash in compileSource result ──
+
+  it("compileSource returns sourceHash", () => {
+    const result = compileSource("job q { find /data/x | save /out }");
+    expect(result.sourceHash).toBeDefined();
+    expect(typeof result.sourceHash).toBe("string");
+    expect(result.sourceHash!.length).toBeGreaterThan(0);
+  });
+
+  it("same source → same sourceHash", () => {
+    const r1 = compileSource("job q { find /data/x | save /out }");
+    const r2 = compileSource("job q { find /data/x | save /out }");
+    expect(r1.sourceHash).toBe(r2.sourceHash);
+  });
+
+  it("different source → different sourceHash", () => {
+    const r1 = compileSource("job q { find /data/x | save /out }");
+    const r2 = compileSource("job q { find /data/x | save /out2 }");
+    expect(r1.sourceHash).not.toBe(r2.sourceHash);
+  });
+});
+
+describe("black-hat hardening — round 5 (semantic trust chain)", () => {
+  // ── Fix #15: strict equality in where clauses ──
+
+  it("where with strict equality: same types match", () => {
+    const result = compileSource('job q { find /data/x | where name == "alice" | save /out }');
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  // ── Fix #11/#22: let pipeline restrictions ──
+
+  it("let pipeline with save → error (writes in let bindings never legitimate)", () => {
+    const result = compileSource(`
+let stolen = find /data/secret | save /stolen
+job q { find /data/x | save /out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("let") && (d.message.includes("write") || d.message.includes("save")),
+    )).toBe(true);
+  });
+
+  it("let pipeline with tee → error", () => {
+    const result = compileSource(`
+let x = find /data/raw | tee /data/leaked
+job q { find /data/x | save /out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("let") && (d.message.includes("write") || d.message.includes("tee")),
+    )).toBe(true);
+  });
+
+  it("let pipeline with publish → error", () => {
+    const result = compileSource(`
+let x = find /data/raw | publish /events/out
+job q { find /data/x | save /out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("let") && (d.message.includes("write") || d.message.includes("publish")),
+    )).toBe(true);
+  });
+
+  it("let pipeline with find only → no error", () => {
+    const result = compileSource(`
+let x = find /data/users | count
+job q { find /data/x | save /out }
+    `);
+    const letErrors = result.diagnostics.filter(d =>
+      d.message.includes("let") && d.message.includes("write"),
+    );
+    expect(letErrors).toHaveLength(0);
+  });
+
+  it("let pipeline with find + @approval job → pre-approval warning", () => {
+    const result = compileSource(`
+let recon = find /data/secret | count
+@approval(human)
+job safe { find /data/x | save /out }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("let") && d.message.includes("approval"),
+    )).toBe(true);
+  });
+
+  it("let pipeline with find + no @approval → no pre-approval warning", () => {
+    const result = compileSource(`
+let x = find /data/users | count
+job q { find /data/x | save /out }
+    `);
+    const approvalWarnings = result.diagnostics.filter(d =>
+      d.message.includes("let") && d.message.includes("approval"),
+    );
+    expect(approvalWarnings).toHaveLength(0);
+  });
+
+  // ── Fix #18: param write-gate warning ──
+
+  it("$param in where clause before save → param write-gate warning", () => {
+    const result = compileSource(`
+param mode = "safe"
+job executor { find /data/x | where mode == $mode | save /data/wiped }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("param") && d.message.includes("write"),
+    )).toBe(true);
+  });
+
+  it("$param in where clause without writes → no warning", () => {
+    const result = compileSource(`
+param threshold = 50
+job reader { find /data/x | where score > $threshold | count }
+    `);
+    const paramWarnings = result.diagnostics.filter(d =>
+      d.message.includes("param") && d.message.includes("write"),
+    );
+    expect(paramWarnings).toHaveLength(0);
+  });
+
+  it("$param in where clause with downstream tee → warning", () => {
+    const result = compileSource(`
+param mode = "safe"
+job q { find /data/x | where status == $mode | tee /out/leak | count }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("param") && d.message.includes("write"),
+    )).toBe(true);
+  });
+
+  it("param exists but not used in where → no warning", () => {
+    const result = compileSource(`
+param limit = 100
+job q { find /data/x | save /out }
+    `);
+    const paramWarnings = result.diagnostics.filter(d =>
+      d.message.includes("param") && d.message.includes("write"),
+    );
+    expect(paramWarnings).toHaveLength(0);
+  });
+
+  // ── Fix A11: param duplicate + param/let collision ──
+
+  it("duplicate param name → parse error", () => {
+    const result = compileSource("param x = 1\nparam x = 2\njob q { find /data | save /out }");
+    expect(result.diagnostics.some(d => d.message.includes("Duplicate param"))).toBe(true);
+  });
+
+  it("param + let same name → parse error", () => {
+    const result = compileSource("param x = 1\nlet x = 2\njob q { find /data | save /out }");
+    expect(result.diagnostics.some(d => d.message.includes("conflicts"))).toBe(true);
+  });
+
+  it("let + param same name → parse error", () => {
+    const result = compileSource("let x = 1\nparam x = 2\njob q { find /data | save /out }");
+    expect(result.diagnostics.some(d => d.message.includes("conflicts"))).toBe(true);
+  });
+});
+
+describe("black-hat hardening — round 6 (compiler implementation attacks)", () => {
+  // ── 核弹4: __proto__ as map OUTPUT key (not just value) ──
+
+  it("map { __proto__: value } → prototype pollution error", () => {
+    const result = compileSource("job q { find /data | map { __proto__: name } | save /out }");
+    expect(result.diagnostics.some(d =>
+      d.message.includes("__proto__") && d.message.includes("prototype pollution"),
+    )).toBe(true);
+  });
+
+  it("map { constructor: value } → prototype pollution error", () => {
+    const result = compileSource("job q { find /data | map { constructor: age } | save /out }");
+    expect(result.diagnostics.some(d =>
+      d.message.includes("constructor") && d.message.includes("prototype pollution"),
+    )).toBe(true);
+  });
+
+  it("map { safe_key: __proto__ } → JS reserved value warning (already worked)", () => {
+    const result = compileSource("job q { find /data | map { x: __proto__ } | save /out }");
+    expect(result.diagnostics.some(d =>
+      d.message.includes("__proto__") && d.message.includes("JavaScript"),
+    )).toBe(true);
+  });
+
+  it("map { normal: name } → no JS reserved warning", () => {
+    const result = compileSource("job q { find /data | map { label: name } | save /out }");
+    const jsWarnings = result.diagnostics.filter(d => d.message.includes("JavaScript") || d.message.includes("pollution"));
+    expect(jsWarnings).toHaveLength(0);
+  });
+
+  // ── 核弹5: fanout duplicate write path ──
+
+  it("fanout with two branches writing to same path → warning", () => {
+    const result = compileSource(`
+job q { find /data | fanout { save /out/target, save /out/target } }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("fanout") && d.message.includes("/out/target") && d.message.includes("branches writing"),
+    )).toBe(true);
+  });
+
+  it("fanout with branches writing to different paths → no warning", () => {
+    const result = compileSource(`
+job q { find /data | fanout { save /out/a, save /out/b } }
+    `);
+    const dupWarnings = result.diagnostics.filter(d => d.message.includes("branches writing"));
+    expect(dupWarnings).toHaveLength(0);
+  });
+
+  it("fanout: tee + save to same path across branches → warning", () => {
+    const result = compileSource(`
+job q { find /data | fanout { tee /out/x | save /a, save /out/x } }
+    `);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("/out/x") && d.message.includes("branches writing"),
+    )).toBe(true);
+  });
+
+  // ── 核弹13: tee chain amplification ──
+
+  it("pipeline with >5 tee stages → data amplification warning", () => {
+    const tees = Array.from({ length: 7 }, (_, i) => `tee /out/t${i}`).join(" | ");
+    const result = compileSource(`job q { find /data | ${tees} | save /final }`);
+    expect(result.diagnostics.some(d =>
+      d.message.includes("tee") && d.message.includes("amplification"),
+    )).toBe(true);
+  });
+
+  it("pipeline with 3 tee stages → no warning", () => {
+    const result = compileSource("job q { find /data | tee /a | tee /b | tee /c | save /out }");
+    const teeWarnings = result.diagnostics.filter(d => d.message.includes("amplification"));
+    expect(teeWarnings).toHaveLength(0);
+  });
+});
+
+describe("regression round 7: remaining compiler issues", () => {
+  // ── Issue 1: __proto__/constructor/prototype as map key → ERROR (not just warning) ──
+
+  it("map { __proto__: expr } → error (blocks compilation)", () => {
+    const result = compileSource("job q { find /data | map { __proto__: name } | save /out }");
+    const protoErrors = result.diagnostics.filter(d =>
+      d.message.includes("__proto__") && d.message.includes("prototype pollution") && d.severity !== "warning",
+    );
+    expect(protoErrors.length).toBeGreaterThan(0);
+  });
+
+  it("map { constructor: expr } → error (blocks compilation)", () => {
+    const result = compileSource("job q { find /data | map { constructor: age } | save /out }");
+    const protoErrors = result.diagnostics.filter(d =>
+      d.message.includes("constructor") && d.message.includes("prototype pollution") && d.severity !== "warning",
+    );
+    expect(protoErrors.length).toBeGreaterThan(0);
+  });
+
+  it("map { prototype: expr } → error (blocks compilation)", () => {
+    const result = compileSource("job q { find /data | map { prototype: name } | save /out }");
+    const protoErrors = result.diagnostics.filter(d =>
+      d.message.includes("prototype") && d.message.includes("pollution") && d.severity !== "warning",
+    );
+    expect(protoErrors.length).toBeGreaterThan(0);
+  });
+
+  // ── Issue 2: JS reserved words as map key → warning ──
+
+  it("map { delete: expr } → JS reserved warning", () => {
+    const result = compileSource("job q { find /data | map { delete: name } | save /out }");
+    expect(result.diagnostics.some(d =>
+      d.message.includes("delete") && d.message.includes("JavaScript"),
+    )).toBe(true);
+  });
+
+  it("map { return: expr } → JS reserved warning", () => {
+    const result = compileSource("job q { find /data | map { return: name } | save /out }");
+    expect(result.diagnostics.some(d =>
+      d.message.includes("return") && d.message.includes("JavaScript"),
+    )).toBe(true);
+  });
+
+  it("map { class: expr } → JS reserved warning", () => {
+    const result = compileSource("job q { find /data | map { class: name } | save /out }");
+    expect(result.diagnostics.some(d =>
+      d.message.includes("class") && d.message.includes("JavaScript"),
+    )).toBe(true);
+  });
+
+  it("map { safe_key: value } → no warning", () => {
+    const result = compileSource("job q { find /data | map { label: name } | save /out }");
+    const jsWarnings = result.diagnostics.filter(d =>
+      d.message.includes("JavaScript") || d.message.includes("pollution"),
+    );
+    expect(jsWarnings).toHaveLength(0);
+  });
+
+  // ── Issue 3: map duplicate key → parse error ──
+
+  it("map { a: x, a: y } → duplicate key error", () => {
+    const result = compileSource("job q { find /data | map { a: x, a: y } | save /out }");
+    expect(result.diagnostics.some(d => d.message.includes("Duplicate map key"))).toBe(true);
+  });
+
+  it("map { a: x, b: y } → no error", () => {
+    const result = compileSource("job q { find /data | map { a: x, b: y } | save /out }");
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  // ── Issue 4: @timeout hard limit ──
+
+  it("@timeout(99999999) → exceeds hard limit error", () => {
+    const result = compileSource("@timeout(99999999)\njob q { find /a | save /b }");
+    expect(result.diagnostics.some(d => d.message.includes("@timeout") && d.message.includes("hard limit"))).toBe(true);
+  });
+
+  it("@timeout(3600001) → exceeds hard limit error", () => {
+    const result = compileSource("@timeout(3600001)\njob q { find /a | save /b }");
+    expect(result.diagnostics.some(d => d.message.includes("@timeout") && d.message.includes("hard limit"))).toBe(true);
+  });
+
+  it("@timeout(60000) → passes", () => {
+    const result = compileSource("@timeout(60000)\njob q { find /a | save /b }");
+    expect(result.diagnostics).toHaveLength(0);
+  });
+
+  it("@timeout(3600000) → passes (exactly 1 hour)", () => {
+    const result = compileSource("@timeout(3600000)\njob q { find /a | save /b }");
+    expect(result.diagnostics).toHaveLength(0);
+  });
+});
+
+// ── Regression round 8: combination attacks ──
+
+describe("regression round 8 — combination attacks", () => {
+
+  // ── Issue 1: Duplicate annotation detection ──
+
+  it("duplicate @timeout → error (audit deception)", () => {
+    const result = compileSource("@timeout(1000)\n@timeout(999999)\njob q { find /a | save /b }");
+    expect(result.diagnostics.some(d =>
+      d.message.includes("@timeout") && d.message.includes("appears 2 times"),
+    )).toBe(true);
+  });
+
+  it("duplicate @retry → error", () => {
+    const result = compileSource("@retry(3)\n@retry(99)\njob q { find /a | save /b }");
+    expect(result.diagnostics.some(d =>
+      d.message.includes("@retry") && d.message.includes("appears 2 times"),
+    )).toBe(true);
+  });
+
+  it("duplicate @on_error → error", () => {
+    const result = compileSource("@on_error(skip)\n@on_error(fail)\njob q { find /a | save /b }");
+    expect(result.diagnostics.some(d =>
+      d.message.includes("@on_error") && d.message.includes("appears 2 times"),
+    )).toBe(true);
+  });
+
+  it("triple @readonly → error", () => {
+    const result = compileSource("@readonly\n@readonly\n@readonly\njob q { find /a | save /b }");
+    expect(result.diagnostics.some(d =>
+      d.message.includes("@readonly") && d.message.includes("appears 3 times"),
+    )).toBe(true);
+  });
+
+  it("single @timeout → no duplicate error", () => {
+    const result = compileSource("@timeout(5000)\njob q { find /a | save /b }");
+    expect(result.diagnostics.filter(d => d.message.includes("appears")).length).toBe(0);
+  });
+
+  // ── Issue 2: Route without fallback → warning ──
+
+  it("route without default branch → warning about silent drop", () => {
+    const result = compileSource('job main { find /data | route level { "safe" -> job handle_safe, "danger" -> job handle_danger } }\njob handle_safe { save /safe }\njob handle_danger { save /danger }');
+    expect(result.diagnostics.some(d =>
+      d.message.includes("no default branch") && d.message.includes("silently dropped"),
+    )).toBe(true);
+  });
+
+  it("route with default branch → no warning", () => {
+    const result = compileSource('job main { find /data | route level { "safe" -> job handle_safe, _ -> job fallback } }\njob handle_safe { save /safe }\njob fallback { save /fallback }');
+    expect(result.diagnostics.filter(d => d.message.includes("no default branch")).length).toBe(0);
+  });
+
+  // ── Issue 3: -Infinity / NaN bypass in where comparisons ──
+
+  // ── Issue 3: -Infinity / NaN / Infinity where bypass — runtime tests in compiler.test.ts ──
+  // (Static analysis can't catch these; they're runtime evaluation guards)
+});
+
+describe("Relative action diagnostics", () => {
+  it("relative action without upstream find → ASH_RELATIVE_ACTION_NO_FIND error", () => {
+    const result = compileSource(
+      '@caps(exec /ha/*)\n@budget(actions 10)\njob q { action turn_off }',
+    );
+    expect(result.diagnostics.some(d => d.code === "ASH_RELATIVE_ACTION_NO_FIND")).toBe(true);
+  });
+
+  it("relative action without @caps → ASH_UNCAPPED_ACTION", () => {
+    const result = compileSource(
+      'job q { find /ha/lights | action turn_off }',
+    );
+    expect(result.diagnostics.some(d => d.code === "ASH_UNCAPPED_ACTION")).toBe(true);
+  });
+
+  it("relative action without @budget → ASH_ACTION_AMPLIFICATION error", () => {
+    const result = compileSource(
+      '@caps(read /ha/* exec /ha/*)\njob q { find /ha/lights | action turn_off }',
+    );
+    const ampDiag = result.diagnostics.filter(d => d.code === "ASH_ACTION_AMPLIFICATION");
+    // Should have an error-level amplification diagnostic (not just warning)
+    expect(ampDiag.some(d => d.severity !== "warning")).toBe(true);
+  });
+
+  it("relative action with @caps + @budget → warning (permitted)", () => {
+    const result = compileSource(
+      '@caps(read /ha/* exec /ha/*)\n@budget(actions 100)\njob q { find /ha/lights | action turn_off }',
+    );
+    const ampDiag = result.diagnostics.filter(d =>
+      d.code === "ASH_ACTION_AMPLIFICATION" && d.severity === "warning",
+    );
+    expect(ampDiag.length).toBeGreaterThan(0);
+  });
+});