@mmnto/totem 1.14.10 → 1.14.12

package/dist/compile-lesson.test.js

@@ -1,5 +1,5 @@
 import { describe, expect, it, vi } from 'vitest';
-import { buildCompiledRule, buildManualRule, compileLesson, validateAstGrepPattern, verifyRuleExamples, } from './compile-lesson.js';
+import { buildCompiledRule, buildManualRule, compileLesson, isSecurityContext, validateAstGrepPattern, verifyRuleExamples, } from './compile-lesson.js';
 import { CompilerOutputSchema } from './compiler-schema.js';
 // ─── Helpers ────────────────────────────────────────
 const lesson = {
@@ -767,6 +767,13 @@ describe('compileLesson', () => {
     });
     // ─── Smoke gate on Pipeline 2 (mmnto/totem#1408) ──
     it('Pipeline 2 rejects a rule whose LLM output omits badExample', async () => {
+        // Post-ADR-088 (mmnto-ai/totem#1479): missing badExample short-circuits
+        // to `status: 'skipped'` with reasonCode `'missing-badexample'` rather
+        // than `'failed'`. The Layer 4 explicit-failure contract requires every
+        // skipped lesson to carry a machine-readable reason; emitting `'failed'`
+        // would drop the entry without a trace. No retry because the compiler
+        // system prompt already requires the field (mmnto-ai/totem#1409) and
+        // retrying won't teach the LLM to emit a field it just omitted.
         const deps = {
             parseCompilerResponse: vi.fn().mockReturnValue({
                 compilable: true,
@@ -780,7 +787,12 @@ describe('compileLesson', () => {
             callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
         };
         const result = await compileLesson(lesson, 'system prompt', deps);
-        expect(result.status).toBe('failed');
+        expect(result.status).toBe('skipped');
+        if (result.status === 'skipped') {
+            expect(result.reasonCode).toBe('missing-badexample');
+            expect(result.reason).toContain('missing badExample');
+        }
+        expect(deps.runOrchestrator).toHaveBeenCalledTimes(1);
         expect(deps.callbacks.onWarn).toHaveBeenCalledWith(lesson.heading, expect.stringContaining('smoke gate'));
     });
     it('Pipeline 2 accepts a rule whose LLM output supplies a matching badExample', async () => {
@@ -900,7 +912,11 @@ describe('compileLesson', () => {
         const result = await compileLesson(lesson, 'system prompt', deps);
         expect(result.status).toBe('noop');
     });
-    it('returns failed when parseCompilerResponse returns null', async () => {
+    it('returns skipped with pattern-syntax-invalid when parseCompilerResponse returns null', async () => {
+        // mmnto-ai/totem#1481: the Pipeline 2 parse-failure exit route was
+        // upgraded from 'failed' to 'skipped' with a machine-readable
+        // reasonCode so ADR-088 Layer 4 telemetry sees every LLM-output
+        // parse error rather than losing them to the 'failed' bucket.
         const deps = {
             parseCompilerResponse: vi.fn().mockReturnValue(null),
             runOrchestrator: vi.fn().mockResolvedValue('bad response'),
@@ -908,7 +924,10 @@ describe('compileLesson', () => {
             callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
         };
         const result = await compileLesson(lesson, 'system prompt', deps);
-        expect(result.status).toBe('failed');
+        expect(result.status).toBe('skipped');
+        if (result.status === 'skipped') {
+            expect(result.reasonCode).toBe('pattern-syntax-invalid');
+        }
         expect(deps.callbacks.onWarn).toHaveBeenCalled();
     });
     it('returns skipped for non-compilable lessons', async () => {
@@ -1216,7 +1235,10 @@ describe('compileLesson Pipeline 3 (Bad/Good snippets)', () => {
                 // Pattern matches neither Bad nor Good - smoke gate catches this
                 // before the old self-verification step ever runs. Pre-#1408 the
                 // test asserted on the self-verification message; post-#1408 the
-                // smoke gate is the earlier (and stricter) filter.
+                // smoke gate is the earlier (and stricter) filter. mmnto-ai/totem#1481
+                // further promotes the smoke-gate zero-match branch from 'failed'
+                // to 'skipped' with reasonCode 'pattern-syntax-invalid' so Layer 4
+                // telemetry gets a machine-readable entry.
                 pattern: 'this_matches_nothing_at_all',
                 message: 'Wrong pattern',
                 engine: 'regex',
@@ -1226,7 +1248,11 @@ describe('compileLesson Pipeline 3 (Bad/Good snippets)', () => {
             callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
         };
         const result = await compileLesson(pipeline3Lesson, 'system prompt', deps);
-        expect(result.status).toBe('failed');
+        expect(result.status).toBe('skipped');
+        if (result.status === 'skipped') {
+            expect(result.reasonCode).toBe('pattern-zero-match');
+            expect(result.reason).toContain('smoke gate');
+        }
         expect(deps.callbacks.onWarn).toHaveBeenCalledWith(pipeline3Lesson.heading, expect.stringContaining('smoke gate'));
     });
     it('passes self-verification when pattern matches Bad but not Good', async () => {
@@ -1290,7 +1316,9 @@ describe('compileLesson Pipeline 3 (Bad/Good snippets)', () => {
         const result = await compileLesson(pipeline3Lesson, 'system prompt', deps);
         expect(result.status).toBe('noop');
     });
-    it('returns failed when LLM response cannot be parsed', async () => {
+    it('returns skipped with pattern-syntax-invalid when Pipeline 3 LLM response cannot be parsed', async () => {
+        // mmnto-ai/totem#1481: Pipeline 3 parse-failure now lands in the ledger
+        // with a machine-readable reasonCode per ADR-088 Layer 4.
         const deps = {
             parseCompilerResponse: vi.fn().mockReturnValue(null),
             runOrchestrator: vi.fn().mockResolvedValue('bad response'),
@@ -1298,8 +1326,728 @@ describe('compileLesson Pipeline 3 (Bad/Good snippets)', () => {
             callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
         };
         const result = await compileLesson(pipeline3Lesson, 'system prompt', deps);
-        expect(result.status).toBe('failed');
+        expect(result.status).toBe('skipped');
+        if (result.status === 'skipped') {
+            expect(result.reasonCode).toBe('pattern-syntax-invalid');
+        }
         expect(deps.callbacks.onWarn).toHaveBeenCalledWith(pipeline3Lesson.heading, expect.stringContaining('Pipeline 3'));
     });
 });
+// ─── Pipeline 2 Layer 3 verify-retry loop (ADR-088, mmnto-ai/totem#1479) ──
+describe('compileLesson Pipeline 2 verify-retry', () => {
+    const lesson = {
+        index: 0,
+        heading: 'No console.log in production code',
+        body: 'Do not use console.log in production.',
+        hash: 'h-retry',
+    };
+    it('retries after smoke-gate zero-match and succeeds when a later attempt produces a matching pattern', async () => {
+        // Attempt 1 returns a pattern that does not match the badExample.
+        // Attempt 2 returns a pattern that does. Expected outcome: compiled,
+        // two orchestrator calls, retry feedback threaded into attempt 2.
+        const parseMock = vi
+            .fn()
+            .mockReturnValueOnce({
+            compilable: true,
+            pattern: 'never_matches_xyz',
+            message: 'No console.log',
+            engine: 'regex',
+            badExample: 'console.log("debug")',
+        })
+            .mockReturnValueOnce({
+            compilable: true,
+            pattern: 'console\\.log',
+            message: 'No console.log',
+            engine: 'regex',
+            badExample: 'console.log("debug")',
+        });
+        const orchestratorMock = vi
+            .fn()
+            .mockResolvedValueOnce('attempt-1')
+            .mockResolvedValueOnce('attempt-2');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lesson, 'system prompt', deps);
+        expect(result.status).toBe('compiled');
+        expect(orchestratorMock).toHaveBeenCalledTimes(2);
+        // The retry-directive must appear in the user prompt of attempt 2 and
+        // must not appear in attempt 1. The directive carries the failed
+        // pattern and the badExample so the LLM can correct its output.
+        const userPrompt1 = orchestratorMock.mock.calls[0][0];
+        const userPrompt2 = orchestratorMock.mock.calls[1][0];
+        expect(userPrompt1).not.toContain('Previous Attempt Failed Verification');
+        expect(userPrompt2).toContain('Previous Attempt Failed Verification');
+        expect(userPrompt2).toContain('never_matches_xyz');
+        expect(userPrompt2).toContain('console.log("debug")');
+    });
+    it('returns skipped with reasonCode verify-retry-exhausted after MAX_VERIFY_ATTEMPTS failures', async () => {
+        // Every attempt returns a pattern that does not match the badExample.
+        // Expected outcome: skipped, reasonCode 'verify-retry-exhausted',
+        // exactly 3 orchestrator calls.
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: true,
+            pattern: 'never_matches_xyz',
+            message: 'No console.log',
+            engine: 'regex',
+            badExample: 'console.log("debug")',
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('always-bad');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lesson, 'system prompt', deps);
+        expect(result.status).toBe('skipped');
+        if (result.status === 'skipped') {
+            expect(result.reasonCode).toBe('verify-retry-exhausted');
+            expect(result.reason).toContain('Verify retry exhausted after 3 attempts');
+        }
+        expect(orchestratorMock).toHaveBeenCalledTimes(3);
+    });
+    it('rejects a security-context rule without retry when verify fails', async () => {
+        // securityContext: true + zero-match on attempt 1. Zero tolerance per
+        // ADR-088 Decision 3 means no retry. Expected outcome: skipped,
+        // reasonCode 'security-rule-rejected', exactly 1 orchestrator call.
+        //
+        // mmnto-ai/totem#1480 added an upfront Example-Hit short-circuit for
+        // security context, so this test uses a lesson body that includes a
+        // non-empty Example Hit block. That keeps the test exercising the
+        // verify-path security branch, not the new no-example-hit short-circuit.
+        const securityLesson = {
+            index: 0,
+            heading: 'No shell injection in spawn',
+            body: [
+                'Do not pass untrusted input to spawn with shell: true.',
+                '**Example Hit:** spawn("sh", ["-c", userInput])',
+            ].join('\n'),
+            hash: 'h-security-verify',
+        };
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: true,
+            pattern: 'never_matches_xyz',
+            message: 'Security rule that failed to verify',
+            engine: 'regex',
+            badExample: 'spawn("sh", ["-c", userInput])',
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('security-bad');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+            securityContext: true,
+        };
+        const result = await compileLesson(securityLesson, 'system prompt', deps);
+        expect(result.status).toBe('skipped');
+        if (result.status === 'skipped') {
+            expect(result.reasonCode).toBe('security-rule-rejected');
+            expect(result.reason).toContain('zero matches');
+        }
+        expect(orchestratorMock).toHaveBeenCalledTimes(1);
+        expect(deps.callbacks.onWarn).toHaveBeenCalledWith(securityLesson.heading, expect.stringContaining('Security rule rejected on verify failure'));
+    });
+    it('does not retry when the smoke-gate rejection is missing badExample (short-circuit to skipped)', async () => {
+        // Missing badExample is a structural-output failure. Retrying cannot
+        // teach the LLM to emit a field it just omitted. Expected outcome:
+        // skipped, reasonCode 'missing-badexample', exactly 1 orchestrator
+        // call. Same contract exercised by the pre-retry test above but
+        // explicitly scoped to the retry-loop branch.
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: true,
+            pattern: 'console\\.log',
+            message: 'No console.log',
+            engine: 'regex',
+            // no badExample
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('no-badexample');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lesson, 'system prompt', deps);
+        expect(result.status).toBe('skipped');
+        if (result.status === 'skipped') {
+            expect(result.reasonCode).toBe('missing-badexample');
+        }
+        expect(orchestratorMock).toHaveBeenCalledTimes(1);
+    });
+    it('propagates non-compilable LLM verdict with reasonCode out-of-scope', async () => {
+        // Conceptual/architectural lessons that the LLM classifies as
+        // non-compilable. ADR-088 Layer 4 requires a machine-readable reason.
+        // mmnto-ai/totem#1481 renamed `'non-compilable'` to `'out-of-scope'`
+        // to align the internal reason code with the persisted enum.
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: false,
+            reason: 'Architectural principle, not a pattern.',
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('{"compilable": false}');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lesson, 'system prompt', deps);
+        expect(result.status).toBe('skipped');
+        if (result.status === 'skipped') {
+            expect(result.reasonCode).toBe('out-of-scope');
+            expect(result.reason).toBe('Architectural principle, not a pattern.');
+        }
+        expect(orchestratorMock).toHaveBeenCalledTimes(1);
+    });
+    it('retries when Example Hit/Miss verification fails and succeeds on a later attempt', async () => {
+        // ADR-088 AC (mmnto-ai/totem#1479): "verifies every LLM-generated pattern
+        // against the lesson's Example Hit block. Zero-match triggers a retry."
+        // Attempt 1 produces a pattern that passes the smoke gate (matches its
+        // own badExample) but does NOT match the lesson's Example Hit.
+        // verifyRuleExamples fails; the retry path fires. Attempt 2 returns a
+        // pattern that matches both the badExample and the Example Hit.
+        const lessonWithExample = {
+            index: 0,
+            heading: 'No console.log in production',
+            body: 'Do not use console.log in production.\n**Example Hit:** console.log(x)',
+            hash: 'h-retry-verify',
+        };
+        const parseMock = vi
+            .fn()
+            .mockReturnValueOnce({
+            compilable: true,
+            pattern: 'zzz_only_matches_itself',
+            message: 'No console.log',
+            engine: 'regex',
+            badExample: 'zzz_only_matches_itself',
+        })
+            .mockReturnValueOnce({
+            compilable: true,
+            pattern: 'console\\.log',
+            message: 'No console.log',
+            engine: 'regex',
+            badExample: 'console.log("x")',
+        });
+        const orchestratorMock = vi
+            .fn()
+            .mockResolvedValueOnce('attempt-1')
+            .mockResolvedValueOnce('attempt-2');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lessonWithExample, 'system prompt', deps);
+        expect(result.status).toBe('compiled');
+        expect(orchestratorMock).toHaveBeenCalledTimes(2);
+        // The retry directive must reflect the Example Hit failure (generic
+        // wording so it can serve both smoke-gate and verify failures), it
+        // must carry the prior pattern so the LLM sees what it produced, and
+        // — when the failure source is verifyRuleExamples — the "Code
+        // snippet the pattern had to match" field must show the missed
+        // Example Hit line, not the LLM's own badExample (which the pattern
+        // did match, since the smoke gate passed).
+        const userPrompt2 = orchestratorMock.mock.calls[1][0];
+        expect(userPrompt2).toContain('Previous Attempt Failed Verification');
+        expect(userPrompt2).toContain('zzz_only_matches_itself'); // pattern field
+        expect(userPrompt2).toContain('console.log(x)'); // missed Example Hit
+    });
+    it('exhausts retries when Example Hit/Miss verification fails on every attempt', async () => {
+        // Same Example Hit lesson as above, but the LLM never produces a
+        // pattern that matches the lesson's Example Hit. Three attempts, each
+        // passing the smoke gate but failing verifyRuleExamples. Expected
+        // outcome: skipped, reasonCode 'verify-retry-exhausted'.
+        const lessonWithExample = {
+            index: 0,
+            heading: 'No console.log in production',
+            body: 'Do not use console.log in production.\n**Example Hit:** console.log(x)',
+            hash: 'h-verify-exhaust',
+        };
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: true,
+            pattern: 'zzz_only_matches_itself',
+            message: 'No console.log',
+            engine: 'regex',
+            badExample: 'zzz_only_matches_itself',
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('always-misses');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lessonWithExample, 'system prompt', deps);
+        expect(result.status).toBe('skipped');
+        if (result.status === 'skipped') {
+            expect(result.reasonCode).toBe('verify-retry-exhausted');
+        }
+        expect(orchestratorMock).toHaveBeenCalledTimes(3);
+    });
+    it('returns skipped with pattern-syntax-invalid when the LLM emits an invalid regex (validator rejection)', async () => {
+        // Validator-level rejection (ADR-088 Layer 4, mmnto-ai/totem#1481).
+        // Retrying an invalid regex produces more invalid regexes and wastes
+        // tokens, so no retry fires. Pre-#1481 this returned 'failed'; post-
+        // #1481 it returns 'skipped' with reasonCode 'pattern-syntax-invalid'
+        // so the ledger carries a machine-readable record per the Layer 4
+        // explicit-failure contract.
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: true,
+            pattern: '[unclosed-bracket-class',
+            message: 'Invalid regex test',
+            engine: 'regex',
+            badExample: 'any string',
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('invalid-regex-output');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lesson, 'system prompt', deps);
+        expect(result.status).toBe('skipped');
+        if (result.status === 'skipped') {
+            expect(result.reasonCode).toBe('pattern-syntax-invalid');
+            expect(result.reason).toContain('Rejected regex');
+        }
+        expect(orchestratorMock).toHaveBeenCalledTimes(1);
+    });
+});
+// ─── ADR-088 Phase 1 Layer 3: unverified flag (mmnto-ai/totem#1480) ──
+describe('compileLesson unverified flag', () => {
+    const lessonWithoutExampleHit = {
+        index: 0,
+        heading: 'Use err not error in catch blocks',
+        body: 'Always use `err` as the variable name in catch blocks.',
+        hash: 'h-no-example',
+    };
+    const lessonWithExampleHit = {
+        index: 0,
+        heading: 'No console.log in production',
+        body: 'Do not ship console.log.\n**Example Hit:** console.log(x)',
+        hash: 'h-with-example',
+    };
+    it('flags non-security Pipeline 2 rules as unverified when the lesson has no Example Hit', async () => {
+        // Invariant #2: non-security rule without Example Hit ships with
+        // `unverified: true`. Severity passes through from the LLM output —
+        // no warning-downgrade happens here. A doctor advisory for
+        // `unverified: true` + `severity: 'error'` combos ships with #1483.
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: true,
+            pattern: 'console\\.log',
+            message: 'No console.log',
+            engine: 'regex',
+            severity: 'error',
+            badExample: 'console.log(x)',
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('{"compilable": true}');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lessonWithoutExampleHit, 'system prompt', deps);
+        expect(result.status).toBe('compiled');
+        if (result.status === 'compiled') {
+            expect(result.rule.unverified).toBe(true);
+            expect(result.rule.severity).toBe('error');
+        }
+    });
+    it('applies the general omitted-severity default on an unverified rule', async () => {
+        // Companion to the severity-pass-through invariant. When the LLM emits
+        // no severity, buildCompiledRule applies the general `'warning'`
+        // default (compile-lesson.ts line ~299: `parsed.severity ?? 'warning'`).
+        // That default is not ADR-088 specific: it fires for any rule without
+        // an emitted severity, unverified or not. Pinning it here guards
+        // against a future ADR-088 change that tries to force severity in
+        // addition to the existing default.
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: true,
+            pattern: 'console\\.log',
+            message: 'No console.log',
+            engine: 'regex',
+            badExample: 'console.log(x)',
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('{"compilable": true}');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lessonWithoutExampleHit, 'system prompt', deps);
+        expect(result.status).toBe('compiled');
+        if (result.status === 'compiled') {
+            expect(result.rule.unverified).toBe(true);
+            expect(result.rule.severity).toBe('warning');
+        }
+    });
+    it('leaves unverified absent when the lesson carries a non-empty Example Hit', async () => {
+        // Invariant #1: presence of Example Hit produces unverified: undefined.
+        // The serialized JSON omits the field — `canonicalStringify`
+        // (key-sorted JSON.stringify) writes nothing for undefined values so
+        // pre-#1480 manifest hashes stay stable.
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: true,
+            pattern: 'console\\.log',
+            message: 'No console.log',
+            engine: 'regex',
+            badExample: 'console.log(x)',
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('{"compilable": true}');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lessonWithExampleHit, 'system prompt', deps);
+        expect(result.status).toBe('compiled');
+        if (result.status === 'compiled') {
+            expect(result.rule.unverified).toBeUndefined();
+        }
+    });
+    it('treats an Example Hit that is whitespace-only as absent for the unverified flag', async () => {
+        // Edge case from spec: `**Example Hit:**   ` (whitespace-only value) is
+        // treated as no ground truth for the `unverified` signal. `trim()` on
+        // every extracted line before counting guards against false-negatives
+        // on whitespace-only examples. (The existing verify step still runs
+        // against whatever extractRuleExamples returns, so the test pattern
+        // matches the empty string to avoid tangling the test with verify
+        // semantics — scope is the unverified flag only.)
+        const lessonEmptyExample = {
+            index: 0,
+            heading: 'Edge case lesson',
+            body: 'Body text.\n**Example Hit:**   ',
+            hash: 'h-empty-example',
+        };
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: true,
+            // Pattern that matches any string — including the trimmed-empty
+            // Example Hit — so verifyRuleExamples passes and we can assert
+            // on the unverified flag without the verify branch interfering.
+            pattern: '.*',
+            message: 'msg',
+            engine: 'regex',
+            badExample: 'anything',
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('{"compilable": true}');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lessonEmptyExample, 'system prompt', deps);
+        expect(result.status).toBe('compiled');
+        if (result.status === 'compiled') {
+            expect(result.rule.unverified).toBe(true);
+        }
+    });
+    it('rejects security-context lessons that lack an Example Hit with security-rule-rejected', async () => {
+        // Invariant #3: security-context lesson without Example Hit produces
+        // no rule; ledger entry carries reasonCode 'security-rule-rejected'.
+        // No orchestrator call fires (short-circuit before Pipeline 2).
+        const orchestratorMock = vi.fn();
+        const deps = {
+            parseCompilerResponse: vi.fn(),
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+            securityContext: true,
+        };
+        const result = await compileLesson(lessonWithoutExampleHit, 'system prompt', deps);
+        expect(result.status).toBe('skipped');
+        if (result.status === 'skipped') {
+            expect(result.reasonCode).toBe('security-rule-rejected');
+            expect(result.reason).toContain('Example Hit');
+        }
+        expect(orchestratorMock).not.toHaveBeenCalled();
+    });
+    it('flags Pipeline 1 manual rules as unverified when the lesson has no Example Hit', async () => {
+        // Pipeline 1 consistency (design doc Open Question 2, resolution (a)):
+        // manual rules authored without an Example Hit ship unverified too.
+        // The #1414 backfill sweep will eliminate this population eventually.
+        const manualLessonNoExample = {
+            index: 0,
+            heading: 'No console.log in production',
+            body: '**Pattern:** `console\\.log`\n**Engine:** regex\n**Severity:** warning\n**Scope:** **/*.ts',
+            hash: 'h-manual-no-example',
+        };
+        const deps = {
+            parseCompilerResponse: vi.fn(),
+            runOrchestrator: vi.fn(),
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(manualLessonNoExample, 'system prompt', deps);
+        expect(result.status).toBe('compiled');
+        if (result.status === 'compiled') {
+            expect(result.rule.unverified).toBe(true);
+        }
+        expect(deps.runOrchestrator).not.toHaveBeenCalled();
+    });
+});
+// ─── ADR-088 Decision 3: security-context signal (mmnto-ai/totem#1480) ──
+describe('isSecurityContext', () => {
+    // Covers both signals the helper accepts. The `deps.securityContext`
+    // branch is exercised end-to-end by compileLesson tests above; the
+    // `rule.immutable === true` branch is defense-in-depth for pack-merged
+    // rules (ADR-089) and cannot reach compileLesson's public surface today
+    // because CompilerOutput has no immutable field and the manual pattern
+    // parser does not parse `**Immutable:**`. Unit tests on the helper lock
+    // both signals so a future CompilerOutput or parser change cannot drop
+    // the rule-based branch silently.
+    const baseDeps = {
+        parseCompilerResponse: vi.fn(),
+        runOrchestrator: vi.fn(),
+        existingByHash: new Map(),
+    };
+    it('returns true when deps.securityContext is true', () => {
+        expect(isSecurityContext({ ...baseDeps, securityContext: true }, null)).toBe(true);
+    });
+    it('returns true when the built rule carries immutable: true', () => {
+        expect(isSecurityContext(baseDeps, { immutable: true })).toBe(true);
+    });
+    it('returns true when both signals are present', () => {
+        expect(isSecurityContext({ ...baseDeps, securityContext: true }, { immutable: true })).toBe(true);
+    });
+    it('returns false when neither signal is present', () => {
+        expect(isSecurityContext(baseDeps, null)).toBe(false);
+        expect(isSecurityContext(baseDeps, { immutable: false })).toBe(false);
+        expect(isSecurityContext(baseDeps, {})).toBe(false);
+    });
+});
+// ─── Layer-trace events (mmnto-ai/totem#1482) ────────────
+describe('compileLesson trace events', () => {
+    it('Pipeline 1 manual compile emits a single layer-1 result event', async () => {
+        // Invariant: Pipeline 1 is deterministic (no LLM, no retry). One event,
+        // outcome 'compiled', layer 1.
+        const deps = {
+            parseCompilerResponse: vi.fn(),
+            runOrchestrator: vi.fn(),
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(manualLesson, 'system prompt', deps);
+        expect(result.status).toBe('compiled');
+        expect(result.trace).toBeDefined();
+        expect(result.trace).toHaveLength(1);
+        expect(result.trace[0]).toMatchObject({
+            layer: 1,
+            action: 'result',
+            outcome: 'compiled',
+        });
+        expect(deps.runOrchestrator).not.toHaveBeenCalled();
+    });
+    it('Pipeline 2 first-try compile emits generate + verify(MATCH) + result(compiled)', async () => {
+        const lessonOk = {
+            index: 0,
+            heading: 'No console.log in production',
+            body: 'Do not use console.log.\n**Example Hit:** console.log(x)',
+            hash: 'h-trace-first-try',
+        };
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: true,
+            pattern: 'console\\.log',
+            message: 'No console.log',
+            engine: 'regex',
+            badExample: 'console.log("x")',
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('attempt-1');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lessonOk, 'system prompt', deps);
+        expect(result.status).toBe('compiled');
+        expect(result.trace).toBeDefined();
+        expect(result.trace).toHaveLength(3);
+        const [gen, verify, res] = result.trace;
+        expect(gen).toMatchObject({ layer: 3, action: 'generate', outcome: 'attempt-1' });
+        expect(gen.patternHash).toMatch(/^[0-9a-f]{16}$/);
+        expect(verify).toMatchObject({ layer: 3, action: 'verify', outcome: 'MATCH' });
+        expect(res).toMatchObject({ layer: 3, action: 'result', outcome: 'compiled' });
+    });
+    it('Pipeline 2 verify-retry-exhausted emits generate+verify per attempt plus retry scheduling and terminal result', async () => {
+        // Three attempts, each passing smoke gate but failing verifyRuleExamples.
+        // Trace should contain (generate, verify, retry) for attempts 1 and 2, then
+        // (generate, verify, result) for attempt 3.
+        const lessonWithExample = {
+            index: 0,
+            heading: 'No console.log in production',
+            body: 'Do not use console.log in production.\n**Example Hit:** console.log(x)',
+            hash: 'h-trace-exhaust',
+        };
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: true,
+            pattern: 'zzz_only_matches_itself',
+            message: 'No console.log',
+            engine: 'regex',
+            badExample: 'zzz_only_matches_itself',
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('always-misses');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lessonWithExample, 'system prompt', deps);
+        expect(result.status).toBe('skipped');
+        expect(result.trace).toBeDefined();
+        // 3 attempts × (generate + verify) = 6 events, plus 2 retry events between
+        // the first two attempts, plus 1 terminal result = 9 events total.
+        const actions = result.trace.map((e) => e.action);
+        expect(actions).toEqual([
+            'generate',
+            'verify',
+            'retry',
+            'generate',
+            'verify',
+            'retry',
+            'generate',
+            'verify',
+            'result',
+        ]);
+        const terminal = result.trace[result.trace.length - 1];
+        expect(terminal).toMatchObject({
+            layer: 3,
+            action: 'result',
+            outcome: 'skipped',
+            reasonCode: 'verify-retry-exhausted',
+        });
+    });
+    it('Pipeline 2 out-of-scope skip emits a single layer-3 result event with reasonCode', async () => {
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: false,
+            reason: 'Architectural principle, not a pattern.',
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('{"compilable": false}');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lesson, 'system prompt', deps);
+        expect(result.status).toBe('skipped');
+        expect(result.trace).toHaveLength(1);
+        expect(result.trace[0]).toMatchObject({
+            layer: 3,
+            action: 'result',
+            outcome: 'skipped',
+            reasonCode: 'out-of-scope',
+        });
+    });
+    it('Pipeline 2 validator rejection emits generate + verify(validator-rejected) + result(skipped)', async () => {
+        // Invalid regex is terminal. No retry fires. Trace should show the
+        // generate event then the validator-rejected verify event then result.
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: true,
+            pattern: '[unclosed-bracket',
+            message: 'bad regex',
+            engine: 'regex',
+            badExample: 'anything',
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('invalid-regex-output');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(lesson, 'system prompt', deps);
+        expect(result.status).toBe('skipped');
+        const actions = result.trace.map((e) => e.action);
+        expect(actions).toEqual(['generate', 'verify', 'result']);
+        expect(result.trace[1]).toMatchObject({
+            layer: 3,
+            action: 'verify',
+            outcome: 'validator-rejected',
+        });
+        expect(result.trace[2]).toMatchObject({
+            layer: 3,
+            action: 'result',
+            outcome: 'skipped',
+            reasonCode: 'pattern-syntax-invalid',
+        });
+    });
+    it('Pipeline 3 example-based compile emits generate + verify + result events at layer 2', async () => {
+        const pipeline3Lesson = {
+            index: 0,
+            heading: 'Example-based lesson',
+            body: [
+                'Do not use console.log.',
+                '',
+                '**Bad:**',
+                '```ts',
+                'console.log("x")',
+                '```',
+                '',
+                '**Good:**',
+                '```ts',
+                'log.info("x")',
+                '```',
+            ].join('\n'),
+            hash: 'h-trace-pipeline3',
+        };
+        const parseMock = vi.fn().mockReturnValue({
+            compilable: true,
+            pattern: 'console\\.log',
+            message: 'No console.log',
+            engine: 'regex',
+            badExample: 'console.log("x")',
+        });
+        const orchestratorMock = vi.fn().mockResolvedValue('pipeline-3-response');
+        const deps = {
+            parseCompilerResponse: parseMock,
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+        };
+        const result = await compileLesson(pipeline3Lesson, 'system prompt', deps);
+        expect(result.status).toBe('compiled');
+        const actions = result.trace.map((e) => e.action);
+        expect(actions).toEqual(['generate', 'verify', 'result']);
+        // Pipeline 3 emits at layer 2 per the design doc reservation.
+        expect(result.trace[0].layer).toBe(2);
+        expect(result.trace[0].patternHash).toMatch(/^[0-9a-f]{16}$/);
+    });
+    it('security-context short-circuit emits a single result event with security-rule-rejected', async () => {
+        const securityLesson = {
+            index: 0,
+            heading: 'No shell injection',
+            body: 'Never pass user input to spawn.',
+            hash: 'h-trace-security-short-circuit',
+        };
+        const orchestratorMock = vi.fn();
+        const deps = {
+            parseCompilerResponse: vi.fn(),
+            runOrchestrator: orchestratorMock,
+            existingByHash: new Map(),
+            callbacks: { onWarn: vi.fn(), onDim: vi.fn() },
+            securityContext: true,
+        };
+        const result = await compileLesson(securityLesson, 'system prompt', deps);
+        expect(result.status).toBe('skipped');
+        expect(result.trace).toHaveLength(1);
+        expect(result.trace[0]).toMatchObject({
+            layer: 3,
+            action: 'result',
+            outcome: 'skipped',
+            reasonCode: 'security-rule-rejected',
+        });
+        expect(orchestratorMock).not.toHaveBeenCalled();
+    });
+});
 //# sourceMappingURL=compile-lesson.test.js.map