@mmnto/totem 1.14.14 → 1.14.16

package/dist/compile-lesson.test.js

@@ -488,6 +488,7 @@ describe('buildCompiledRule smoke gate (mmnto/totem#1408)', () => {
             engine: 'ast-grep',
             astGrepPattern: 'debugger',
             badExample: 'const x = 1;\n',
+            goodExample: '// placeholder\n',
         };
         const result = buildCompiledRule(parsed, lesson, existingByHash, {
             enforceSmokeGate: true,
@@ -517,6 +518,7 @@ describe('buildCompiledRule smoke gate (mmnto/totem#1408)', () => {
             engine: 'ast-grep',
             astGrepPattern: 'debugger',
             badExample: 'debugger;\n',
+            goodExample: '// placeholder\n',
         };
         const result = buildCompiledRule(parsed, lesson, existingByHash, {
             enforceSmokeGate: true,
@@ -531,6 +533,7 @@ describe('buildCompiledRule smoke gate (mmnto/totem#1408)', () => {
             engine: 'regex',
             pattern: 'console\\.log',
             badExample: 'console.log("debug")',
+            goodExample: '// placeholder\n',
         };
         const result = buildCompiledRule(parsed, lesson, existingByHash, {
             enforceSmokeGate: true,
@@ -549,9 +552,11 @@ describe('buildCompiledRule smoke gate (mmnto/totem#1408)', () => {
         const result = buildCompiledRule(parsed, lesson, existingByHash, {
             enforceSmokeGate: true,
             badExampleOverride: 'console.log("bad")',
+            goodExampleOverride: 'logger.info("good")',
         });
         expect(result.rule).not.toBeNull();
         expect(result.rule.badExample).toBe('console.log("bad")');
+        expect(result.rule.goodExample).toBe('logger.info("good")');
     });
     it('Pipeline 1 is unaffected (gate is opt-in via enforceSmokeGate)', () => {
         // Without the option flag, buildCompiledRule must behave exactly as before.
@@ -593,6 +598,7 @@ describe('compound rule smoke gate (mmnto-ai/totem#1409)', () => {
                 },
             },
             badExample: 'for (let i = 0; i < 10; i++) {\n  const inside = i * 2;\n}',
+            goodExample: '// placeholder\n',
         };
         const result = buildCompiledRule(parsed, compoundLesson, existingByHash, {
             enforceSmokeGate: true,
@@ -622,6 +628,7 @@ describe('compound rule smoke gate (mmnto-ai/totem#1409)', () => {
                 },
             },
             badExample: 'for (let i = 0; i < 10; i++) {\n  const inside = i * 2;\n}',
+            goodExample: '// placeholder\n',
         };
         const result = buildCompiledRule(parsed, compoundLesson, existingByHash, {
             enforceSmokeGate: true,
@@ -654,6 +661,183 @@ describe('compound rule smoke gate (mmnto-ai/totem#1409)', () => {
         expect(result.rejectReason).toContain('badExample');
     });
 });
+// ─── over-matching check (mmnto-ai/totem#1580) ───────
+describe('buildCompiledRule goodExample over-matching check', () => {
+    it('rejects a regex rule that fires on its goodExample', () => {
+        const parsed = {
+            compilable: true,
+            message: 'No console.log',
+            engine: 'regex',
+            pattern: 'console\\.log',
+            // badExample exercises the pattern (matches) — gate under-match passes.
+            badExample: 'console.log("debug")',
+            // goodExample also matches the pattern, which means the rule is
+            // over-broad and fires on known-correct code. The gate must reject.
+            goodExample: 'console.log("intentional system message")',
+        };
+        const result = buildCompiledRule(parsed, lesson, existingByHash, {
+            enforceSmokeGate: true,
+        });
+        expect(result.rule).toBeNull();
+        expect(result.rejectReason).toContain('smoke gate');
+        expect(result.rejectReason).toContain('matches goodExample');
+        expect(result.rejectReason).toContain('over-matching');
+    });
+    it('rejects an ast-grep rule that fires on its goodExample', () => {
+        const parsed = {
+            compilable: true,
+            message: 'No debugger',
+            engine: 'ast-grep',
+            astGrepPattern: 'debugger',
+            badExample: 'debugger;',
+            goodExample: 'debugger;\n// should have been removed before commit',
+        };
+        const result = buildCompiledRule(parsed, lesson, existingByHash, {
+            enforceSmokeGate: true,
+        });
+        expect(result.rule).toBeNull();
+        expect(result.rejectReason).toContain('matches goodExample');
+    });
+    it('accepts a regex rule whose pattern fires on badExample but not goodExample', () => {
+        const parsed = {
+            compilable: true,
+            message: 'No console.log',
+            engine: 'regex',
+            pattern: 'console\\.log',
+            badExample: 'console.log("debug")',
+            goodExample: 'logger.info("intentional")',
+        };
+        const result = buildCompiledRule(parsed, lesson, existingByHash, {
+            enforceSmokeGate: true,
+        });
+        expect(result.rule).not.toBeNull();
+        expect(result.rule.goodExample).toBe('logger.info("intentional")');
+    });
+    it('rejects a rule that is missing goodExample (required for Pipeline 2/3)', () => {
+        const parsed = {
+            compilable: true,
+            message: 'No console.log',
+            engine: 'regex',
+            pattern: 'console\\.log',
+            badExample: 'console.log("debug")',
+            // goodExample absent — caller did not supply it and schema
+            // layer was bypassed. Gate must still reject.
+        };
+        const result = buildCompiledRule(parsed, lesson, existingByHash, {
+            enforceSmokeGate: true,
+        });
+        expect(result.rule).toBeNull();
+        expect(result.rejectReason).toContain('smoke gate');
+        expect(result.rejectReason).toContain('missing goodExample');
+    });
+    it('honors goodExampleOverride so Pipeline 3 can reuse its Good snippet', () => {
+        const parsed = {
+            compilable: true,
+            message: 'No console.log',
+            engine: 'regex',
+            pattern: 'console\\.log',
+            badExample: 'console.log("bad")',
+            // No goodExample on parsed; caller supplies it via override.
+        };
+        const result = buildCompiledRule(parsed, lesson, existingByHash, {
+            enforceSmokeGate: true,
+            goodExampleOverride: 'logger.info("good")',
+        });
+        expect(result.rule).not.toBeNull();
+        expect(result.rule.goodExample).toBe('logger.info("good")');
+    });
+    it('persists goodExample on the CompiledRule when the gate accepts', () => {
+        const parsed = {
+            compilable: true,
+            message: 'No debugger',
+            engine: 'ast-grep',
+            astGrepPattern: 'debugger',
+            badExample: 'debugger;',
+            goodExample: 'const x = 1;',
+        };
+        const result = buildCompiledRule(parsed, lesson, existingByHash, {
+            enforceSmokeGate: true,
+        });
+        expect(result.rule).not.toBeNull();
+        expect(result.rule.goodExample).toBe('const x = 1;');
+    });
+    it('falls back to parsed.goodExample when goodExampleOverride is undefined', () => {
+        // Pins the Pipeline 3 contract: the call site passes `undefined`
+        // (not an empty string) when snippets.good is empty, so buildCompiledRule's
+        // `options.goodExampleOverride ?? parsed.goodExample` correctly resolves
+        // to the LLM-echoed value.
+        const parsed = {
+            compilable: true,
+            message: 'No console.log',
+            engine: 'regex',
+            pattern: 'console\\.log',
+            badExample: 'console.log("bad")',
+            goodExample: 'logger.info("from parsed")',
+        };
+        const result = buildCompiledRule(parsed, lesson, existingByHash, {
+            enforceSmokeGate: true,
+            goodExampleOverride: undefined,
+        });
+        expect(result.rule).not.toBeNull();
+        expect(result.rule.goodExample).toBe('logger.info("from parsed")');
+    });
+    it('rejects a whitespace-only goodExample with missing-goodexample (parity with schema refine)', () => {
+        // Shield flagged on mmnto-ai/totem#1591: `if (!effectiveGoodExample)`
+        // treats `'   '` as truthy, and runSmokeGate's early-return on
+        // `trim().length === 0` then reports matched: false, so a
+        // whitespace-only goodExample would otherwise pass the gate with
+        // zero coverage. The `.trim().length > 0` guard closes the hole.
+        const parsed = {
+            compilable: true,
+            message: 'No console.log',
+            engine: 'regex',
+            pattern: 'console\\.log',
+            badExample: 'console.log("bad")',
+            goodExample: '   \t\n  ',
+        };
+        const result = buildCompiledRule(parsed, lesson, existingByHash, {
+            enforceSmokeGate: true,
+        });
+        expect(result.rule).toBeNull();
+        expect(result.rejectReason).toContain('missing goodExample');
+    });
+    it('rejects a whitespace-only badExample with missing-badexample (symmetric guard)', () => {
+        const parsed = {
+            compilable: true,
+            message: 'No console.log',
+            engine: 'regex',
+            pattern: 'console\\.log',
+            badExample: '   \t\n  ',
+            goodExample: 'logger.info("good")',
+        };
+        const result = buildCompiledRule(parsed, lesson, existingByHash, {
+            enforceSmokeGate: true,
+        });
+        expect(result.rule).toBeNull();
+        expect(result.rejectReason).toContain('missing badExample');
+    });
+    it('empty-string goodExampleOverride clobbers parsed.goodExample (the trap the Pipeline 3 guard exists to prevent)', () => {
+        // Nullish coalescing (`??`) treats `''` as defined, so passing an
+        // empty string override suppresses the parsed value. This test pins
+        // that behavior so the Pipeline 3 call site's .length guard in
+        // compile-lesson.ts (snippets.good.length > 0 ? ... : undefined)
+        // stays load-bearing.
+        const parsed = {
+            compilable: true,
+            message: 'No console.log',
+            engine: 'regex',
+            pattern: 'console\\.log',
+            badExample: 'console.log("bad")',
+            goodExample: 'logger.info("from parsed")',
+        };
+        const result = buildCompiledRule(parsed, lesson, existingByHash, {
+            enforceSmokeGate: true,
+            goodExampleOverride: '',
+        });
+        expect(result.rule).toBeNull();
+        expect(result.rejectReason).toContain('missing goodExample');
+    });
+});
 // ─── buildManualRule ────────────────────────────────
 describe('buildManualRule', () => {
     it('returns null rule for lessons without manual patterns', () => {
@@ -750,6 +934,7 @@ describe('compileLesson', () => {
                 // wants the rule to compile, so give the helper a known-good
                 // snippet that matches the pattern.
                 badExample: 'console.log("debug")',
+                goodExample: '// placeholder\n',
             }
             : null),
         runOrchestrator: vi.fn().mockResolvedValue(response),
@@ -803,6 +988,7 @@ describe('compileLesson', () => {
                 message: 'No console.log',
                 engine: 'regex',
                 badExample: 'console.log("debug")',
+                goodExample: '// placeholder\n',
             }),
             runOrchestrator: vi.fn().mockResolvedValue('{"compilable": true}'),
             existingByHash: new Map(),
@@ -863,6 +1049,7 @@ describe('compileLesson', () => {
                 message: 'No console.log',
                 engine: 'regex',
                 badExample: 'console.log("debug")',
+                goodExample: '// placeholder\n',
             }),
             runOrchestrator: vi.fn().mockResolvedValue('{"compilable": true}'),
             existingByHash: new Map(),
@@ -1108,6 +1295,7 @@ describe('compileLesson with inline examples', () => {
                 message: 'No console.log',
                 engine: 'regex',
                 badExample: 'console.log("debug")',
+                goodExample: '// placeholder\n',
             }
             : null),
         runOrchestrator: vi.fn().mockResolvedValue(response),
@@ -1353,6 +1541,7 @@ describe('compileLesson Pipeline 2 verify-retry', () => {
             message: 'No console.log',
             engine: 'regex',
             badExample: 'console.log("debug")',
+            goodExample: '// placeholder\n',
         })
             .mockReturnValueOnce({
             compilable: true,
@@ -1360,6 +1549,7 @@ describe('compileLesson Pipeline 2 verify-retry', () => {
             message: 'No console.log',
             engine: 'regex',
             badExample: 'console.log("debug")',
+            goodExample: '// placeholder\n',
         });
         const orchestratorMock = vi
             .fn()
@@ -1394,6 +1584,7 @@ describe('compileLesson Pipeline 2 verify-retry', () => {
             message: 'No console.log',
             engine: 'regex',
             badExample: 'console.log("debug")',
+            goodExample: '// placeholder\n',
         });
         const orchestratorMock = vi.fn().mockResolvedValue('always-bad');
         const deps = {
@@ -1524,6 +1715,7 @@ describe('compileLesson Pipeline 2 verify-retry', () => {
             message: 'No console.log',
             engine: 'regex',
             badExample: 'zzz_only_matches_itself',
+            goodExample: '// placeholder\n',
         })
             .mockReturnValueOnce({
             compilable: true,
@@ -1531,6 +1723,7 @@ describe('compileLesson Pipeline 2 verify-retry', () => {
             message: 'No console.log',
             engine: 'regex',
             badExample: 'console.log("x")',
+            goodExample: '// placeholder\n',
         });
         const orchestratorMock = vi
             .fn()
@@ -1574,6 +1767,7 @@ describe('compileLesson Pipeline 2 verify-retry', () => {
             message: 'No console.log',
             engine: 'regex',
             badExample: 'zzz_only_matches_itself',
+            goodExample: '// placeholder\n',
         });
         const orchestratorMock = vi.fn().mockResolvedValue('always-misses');
         const deps = {
@@ -1602,6 +1796,7 @@ describe('compileLesson Pipeline 2 verify-retry', () => {
             message: 'Invalid regex test',
             engine: 'regex',
             badExample: 'any string',
+            goodExample: '// placeholder\n',
         });
         const orchestratorMock = vi.fn().mockResolvedValue('invalid-regex-output');
         const deps = {
@@ -1645,6 +1840,7 @@ describe('compileLesson unverified flag', () => {
             engine: 'regex',
             severity: 'error',
             badExample: 'console.log(x)',
+            goodExample: '// placeholder\n',
         });
         const orchestratorMock = vi.fn().mockResolvedValue('{"compilable": true}');
         const deps = {
@@ -1674,6 +1870,7 @@ describe('compileLesson unverified flag', () => {
             message: 'No console.log',
             engine: 'regex',
             badExample: 'console.log(x)',
+            goodExample: '// placeholder\n',
         });
         const orchestratorMock = vi.fn().mockResolvedValue('{"compilable": true}');
         const deps = {
@@ -1689,17 +1886,23 @@ describe('compileLesson unverified flag', () => {
             expect(result.rule.severity).toBe('warning');
         }
     });
-    it('leaves unverified absent when the lesson carries a non-empty Example Hit', async () => {
-        // Invariant #1: presence of Example Hit produces unverified: undefined.
-        // The serialized JSON omits the field — `canonicalStringify`
-        // (key-sorted JSON.stringify) writes nothing for undefined values so
-        // pre-#1480 manifest hashes stay stable.
+    it('ships Pipeline 2 rules as unverified: true even when the lesson carries a non-empty Example Hit (ADR-089 zero-trust default, mmnto-ai/totem#1581)', async () => {
+        // Pre-#1581 invariant: presence of Example Hit produced
+        // unverified: undefined. Post-#1581: LLM-generated rules (Pipeline 2
+        // and Pipeline 3) always ship unverified: true regardless of Example
+        // Hit presence. The LLM cannot self-certify structural invariants;
+        // Example Hit/Miss is an LLM-produced artifact of the compile process,
+        // not a human sign-off. Activation requires `totem rule promote
+        // <hash>` or the ADR-091 Stage 4 Codebase Verifier in 1.16.0.
+        // Pipeline 1 (manual) keeps its pre-#1581 conditional semantics; see
+        // the Pipeline 1 test below.
         const parseMock = vi.fn().mockReturnValue({
             compilable: true,
             pattern: 'console\\.log',
             message: 'No console.log',
             engine: 'regex',
             badExample: 'console.log(x)',
+            goodExample: '// placeholder\n',
         });
         const orchestratorMock = vi.fn().mockResolvedValue('{"compilable": true}');
         const deps = {
@@ -1711,7 +1914,7 @@ describe('compileLesson unverified flag', () => {
         const result = await compileLesson(lessonWithExampleHit, 'system prompt', deps);
         expect(result.status).toBe('compiled');
         if (result.status === 'compiled') {
-            expect(result.rule.unverified).toBeUndefined();
+            expect(result.rule.unverified).toBe(true);
         }
     });
     it('treats an Example Hit that is whitespace-only as absent for the unverified flag', async () => {
@@ -1730,13 +1933,18 @@ describe('compileLesson unverified flag', () => {
         };
         const parseMock = vi.fn().mockReturnValue({
             compilable: true,
-            // Pattern that matches any string — including the trimmed-empty
-            // Example Hit — so verifyRuleExamples passes and we can assert
-            // on the unverified flag without the verify branch interfering.
-            pattern: '.*',
+            // Pattern that matches both the trimmed-empty Example Hit (via
+            // `^$`) AND the badExample "anything" (via `\banything\b`) so
+            // verifyRuleExamples passes without interference. The goodExample
+            // `// placeholder` is constructed to not satisfy either alternative
+            // so the mmnto-ai/totem#1580 over-matching check also passes.
+            // No trailing newline on goodExample so the line-split doesn't
+            // produce an empty trailing line that would match `^$`.
+            pattern: '^$|\\banything\\b',
             message: 'msg',
             engine: 'regex',
             badExample: 'anything',
+            goodExample: '// placeholder',
         });
         const orchestratorMock = vi.fn().mockResolvedValue('{"compilable": true}');
         const deps = {
@@ -1860,6 +2068,7 @@ describe('compileLesson trace events', () => {
             message: 'No console.log',
             engine: 'regex',
             badExample: 'console.log("x")',
+            goodExample: '// placeholder\n',
         });
         const orchestratorMock = vi.fn().mockResolvedValue('attempt-1');
         const deps = {
@@ -1894,6 +2103,7 @@ describe('compileLesson trace events', () => {
             message: 'No console.log',
             engine: 'regex',
             badExample: 'zzz_only_matches_itself',
+            goodExample: '// placeholder\n',
         });
         const orchestratorMock = vi.fn().mockResolvedValue('always-misses');
         const deps = {
@@ -1958,6 +2168,7 @@ describe('compileLesson trace events', () => {
             message: 'bad regex',
             engine: 'regex',
             badExample: 'anything',
+            goodExample: '// placeholder\n',
         });
         const orchestratorMock = vi.fn().mockResolvedValue('invalid-regex-output');
         const deps = {
@@ -2007,6 +2218,7 @@ describe('compileLesson trace events', () => {
             message: 'No console.log',
             engine: 'regex',
             badExample: 'console.log("x")',
+            goodExample: '// placeholder\n',
         });
         const orchestratorMock = vi.fn().mockResolvedValue('pipeline-3-response');
         const deps = {