@slowdini/slow-powers-opencode 0.2.0 → 0.3.0

package/skills/evaluating-skills/runner/detect-stray-writes.test.ts

@@ -1,9 +1,21 @@
-import { describe, expect, test } from "bun:test";
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import {
+  mkdirSync,
+  readFileSync,
+  realpathSync,
+  rmSync,
+  writeFileSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { detectStrayWrites } from "./detect-stray-writes";
+import {
+  detectLiveSourceReads,
+  detectStrayWrites,
+} from "./detect-stray-writes";
 
 const OUTPUTS = "/work/iteration-1/eval-x/with_skill/outputs";
 const REPO = "/work/repo";
+const LIVE_SKILL = join(REPO, "skills", "mr-review");
 
 describe("detectStrayWrites", () => {
   test("a Write inside the outputs dir is clean", () => {
@@ -87,6 +99,32 @@ describe("detectStrayWrites", () => {
     expect(findings.warnings).toHaveLength(0);
   });
 
+  test("git worktree add is a warning (working tree outside the sandbox)", () => {
+    const findings = detectStrayWrites(
+      [
+        {
+          name: "Bash",
+          args: { command: "git worktree add ../wt -b scratch" },
+          ordinal: 0,
+        },
+      ],
+      OUTPUTS,
+      REPO,
+    );
+    expect(findings.warnings).toHaveLength(1);
+    expect(findings.warnings[0].reason).toMatch(/worktree/i);
+  });
+
+  test("creating a path under .claude is a warning", () => {
+    const findings = detectStrayWrites(
+      [{ name: "Bash", args: { command: "mkdir -p .claude/foo" }, ordinal: 0 }],
+      OUTPUTS,
+      REPO,
+    );
+    expect(findings.warnings).toHaveLength(1);
+    expect(findings.warnings[0].reason).toMatch(/\.claude/i);
+  });
+
   test("read-only tools are never flagged", () => {
     const findings = detectStrayWrites(
       [
@@ -101,3 +139,258 @@ describe("detectStrayWrites", () => {
     expect(findings.warnings).toHaveLength(0);
   });
 });
+
+describe("detectLiveSourceReads", () => {
+  test("a Read of the live SKILL.md is flagged", () => {
+    const findings = detectLiveSourceReads(
+      [
+        {
+          name: "Read",
+          args: { file_path: join(LIVE_SKILL, "SKILL.md") },
+          ordinal: 1,
+        },
+      ],
+      LIVE_SKILL,
+      REPO,
+    );
+    expect(findings).toHaveLength(1);
+    expect(findings[0]).toMatchObject({
+      tool: "Read",
+      path: join(LIVE_SKILL, "SKILL.md"),
+      ordinal: 1,
+    });
+    expect(findings[0].reason).toMatch(/live skill source/i);
+  });
+
+  test("a Read of a staged eval copy is not flagged", () => {
+    const findings = detectLiveSourceReads(
+      [
+        {
+          name: "Read",
+          args: {
+            file_path: join(
+              REPO,
+              ".claude/skills/slow-powers-eval-1-old_skill__mr-review/SKILL.md",
+            ),
+          },
+          ordinal: 0,
+        },
+      ],
+      LIVE_SKILL,
+      REPO,
+    );
+    expect(findings).toHaveLength(0);
+  });
+
+  test("a relative Read path resolving under the live dir is flagged", () => {
+    const findings = detectLiveSourceReads(
+      [
+        {
+          name: "Read",
+          args: { file_path: "skills/mr-review/SKILL.md" },
+          ordinal: 0,
+        },
+      ],
+      LIVE_SKILL,
+      REPO,
+    );
+    expect(findings).toHaveLength(1);
+  });
+
+  test("a Grep scoped to the live dir is flagged", () => {
+    const findings = detectLiveSourceReads(
+      [{ name: "Grep", args: { pattern: "x", path: LIVE_SKILL }, ordinal: 2 }],
+      LIVE_SKILL,
+      REPO,
+    );
+    expect(findings).toHaveLength(1);
+    expect(findings[0].tool).toBe("Grep");
+  });
+
+  test("a Bash command referencing the live dir relatively is flagged", () => {
+    const findings = detectLiveSourceReads(
+      [
+        {
+          name: "Bash",
+          args: { command: "cat skills/mr-review/SKILL.md" },
+          ordinal: 3,
+        },
+      ],
+      LIVE_SKILL,
+      REPO,
+    );
+    expect(findings).toHaveLength(1);
+    expect(findings[0].tool).toBe("Bash");
+    expect(findings[0].command).toBe("cat skills/mr-review/SKILL.md");
+  });
+
+  test("a Bash command referencing the live dir absolutely is flagged", () => {
+    const findings = detectLiveSourceReads(
+      [
+        {
+          name: "Bash",
+          args: { command: `grep -r trigger ${LIVE_SKILL}/` },
+          ordinal: 0,
+        },
+      ],
+      LIVE_SKILL,
+      REPO,
+    );
+    expect(findings).toHaveLength(1);
+  });
+
+  test("a Bash command referencing a staged copy under .claude/skills is not flagged", () => {
+    // --stage-name can stage under the skill's natural name; that path contains
+    // `skills/<name>` but lives under `.claude/`, so it must not match.
+    const findings = detectLiveSourceReads(
+      [
+        {
+          name: "Bash",
+          args: { command: "cat .claude/skills/mr-review/SKILL.md" },
+          ordinal: 0,
+        },
+      ],
+      LIVE_SKILL,
+      REPO,
+    );
+    expect(findings).toHaveLength(0);
+  });
+
+  test("unrelated reads and commands are not flagged", () => {
+    const findings = detectLiveSourceReads(
+      [
+        {
+          name: "Read",
+          args: { file_path: join(OUTPUTS, "x.md") },
+          ordinal: 0,
+        },
+        { name: "Bash", args: { command: "ls skills-workspace" }, ordinal: 1 },
+        {
+          name: "Write",
+          args: { file_path: join(LIVE_SKILL, "SKILL.md") },
+          ordinal: 2,
+        },
+      ],
+      LIVE_SKILL,
+      REPO,
+    );
+    // Write tools are detectStrayWrites' jurisdiction — this check is reads only.
+    expect(findings).toHaveLength(0);
+  });
+});
+
+describe("detect-stray-writes CLI", () => {
+  // realpath: the spawned CLI sees its cwd resolved (macOS /var → /private/var),
+  // so fixture paths must match that form for prefix checks to line up.
+  const FIXTURE_ROOT = join(
+    realpathSync(tmpdir()),
+    `slow-powers-detect-stray-test-${process.pid}`,
+  );
+  const SCRIPT = join(import.meta.dir, "detect-stray-writes.ts");
+
+  beforeAll(() => {
+    mkdirSync(FIXTURE_ROOT, { recursive: true });
+  });
+
+  afterAll(() => {
+    rmSync(FIXTURE_ROOT, { recursive: true, force: true });
+  });
+
+  test("reports live-source reads per run in stray-writes.json", () => {
+    const root = join(FIXTURE_ROOT, "cli-live-reads");
+    const skillDir = join(root, "skill-dir");
+    const skillSub = join(skillDir, "mr-review");
+    mkdirSync(skillSub, { recursive: true });
+    writeFileSync(
+      join(skillSub, "SKILL.md"),
+      "---\nname: mr-review\ndescription: review MRs\n---\n\nbody\n",
+    );
+
+    const cwd = join(root, "work");
+    const iterationDir = join(
+      cwd,
+      "skills-workspace",
+      "mr-review",
+      "iteration-1",
+    );
+    const condDir = join(iterationDir, "eval-e1", "old_skill");
+    mkdirSync(condDir, { recursive: true });
+    writeFileSync(
+      join(iterationDir, "conditions.json"),
+      `${JSON.stringify({
+        mode: "revision",
+        conditions: [
+          { name: "old_skill", skill_path: join(skillSub, "SKILL.md") },
+          { name: "new_skill", skill_path: join(skillSub, "SKILL.md") },
+        ],
+        timestamp: new Date().toISOString(),
+        harness: "claude-code",
+      })}\n`,
+    );
+    writeFileSync(
+      join(condDir, "run.json"),
+      `${JSON.stringify({
+        eval_id: "e1",
+        condition: "old_skill",
+        skill_path: join(skillSub, "SKILL.md"),
+        prompt: "do the task",
+        files: [],
+        final_message: "done",
+        tool_invocations: [
+          {
+            name: "Read",
+            args: { file_path: join(skillSub, "SKILL.md") },
+            ordinal: 0,
+          },
+          {
+            name: "Write",
+            args: { file_path: join(condDir, "outputs", "answer.md") },
+            ordinal: 1,
+          },
+        ],
+      })}\n`,
+    );
+
+    const res = Bun.spawnSync(
+      [
+        "bun",
+        "run",
+        SCRIPT,
+        "--skill-dir",
+        skillDir,
+        "--skill",
+        "mr-review",
+        "--iteration",
+        "1",
+      ],
+      { cwd, stdout: "pipe", stderr: "pipe" },
+    );
+    expect(res.exitCode).toBe(0);
+
+    const report = JSON.parse(
+      readFileSync(join(iterationDir, "stray-writes.json"), "utf8"),
+    ) as {
+      totals: {
+        violations: number;
+        warnings: number;
+        live_source_reads: number;
+      };
+      runs: Array<{
+        eval_id: string;
+        condition: string;
+        live_source_reads: Array<{ tool: string; path?: string }>;
+      }>;
+    };
+    expect(report.totals.live_source_reads).toBe(1);
+    expect(report.totals.violations).toBe(0);
+    expect(report.runs).toHaveLength(1);
+    expect(report.runs[0]).toMatchObject({
+      eval_id: "e1",
+      condition: "old_skill",
+    });
+    expect(report.runs[0].live_source_reads[0]).toMatchObject({
+      tool: "Read",
+      path: join(skillSub, "SKILL.md"),
+    });
+  });
+});

package/skills/evaluating-skills/runner/detect-stray-writes.ts

@@ -1,6 +1,6 @@
 #!/usr/bin/env bun
 import { existsSync, readdirSync, readFileSync, writeFileSync } from "node:fs";
-import { join } from "node:path";
+import { join, relative, resolve } from "node:path";
 import { detectRunContext } from "./context";
 import { classifyBash, isUnder, pathArg, WRITE_TOOLS } from "./sandbox-policy";
 import type { ConditionsRecord, RunRecord, ToolInvocation } from "./types";
@@ -71,6 +71,81 @@ export function detectStrayWrites(
   return { violations, warnings };
 }
 
+/** Read-only tools that carry a target path argument (see `pathArg`). */
+const READ_TOOLS = new Set(["Read", "Glob", "Grep"]);
+
+const LIVE_SOURCE_REASON =
+  "reads the live skill source instead of its staged copy — the arm may be contaminated";
+
+function escapeRegExp(s: string): string {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+/**
+ * Flag tool invocations that read the **live** skill-under-test directory.
+ *
+ * Eval subagents are only ever meant to see the *staged* copy of the skill
+ * (`.claude/skills/<slug>/`, or the inlined SKILL.md under `--no-stage`). A
+ * read of the live source typically means the Skill tool couldn't resolve the
+ * staged slug yet (mid-session registry refresh race) and the agent improvised
+ * — fatal in revision mode, where the old_skill arm then reads new-skill
+ * content. Reads are detected, not blocked: the guard stays read-permissive,
+ * so this surfaces post-hoc as a validity warning.
+ *
+ * - Read-tool calls (Read/Glob/Grep) whose path arg resolves under the live
+ *   dir are flagged; relative paths resolve against `repoRoot`.
+ * - Bash commands that reference the live dir (absolute, or repo-relative
+ *   text) are flagged. A staged copy under `.claude/skills/` can carry the
+ *   same `skills/<name>` relative text (e.g. via `--stage-name`), so that
+ *   prefix is excluded.
+ */
+export function detectLiveSourceReads(
+  invocations: Array<Pick<ToolInvocation, "name" | "args" | "ordinal">>,
+  liveSkillDir: string,
+  repoRoot: string,
+): StrayFinding[] {
+  const findings: StrayFinding[] = [];
+  const liveDir = resolve(liveSkillDir);
+  const rel = relative(repoRoot, liveDir);
+  const relRe = rel.startsWith("..")
+    ? null
+    : new RegExp(
+        // The lookbehind fires at the boundary char itself, so it checks for a
+        // bare `.claude` — the `/` is consumed by the boundary group.
+        `(?<!\\.claude)(^|[\\s'"=:(/])${escapeRegExp(rel)}(/|[\\s'")]|$)`,
+      );
+
+  for (const inv of invocations) {
+    if (READ_TOOLS.has(inv.name)) {
+      const p = pathArg(inv.args);
+      if (p && isUnder(p, liveDir, repoRoot)) {
+        findings.push({
+          tool: inv.name,
+          path: p,
+          ordinal: inv.ordinal,
+          reason: LIVE_SOURCE_REASON,
+        });
+      }
+      continue;
+    }
+
+    if (inv.name === "Bash") {
+      const args = inv.args as { command?: unknown } | undefined;
+      const command = typeof args?.command === "string" ? args.command : "";
+      if (command.includes(liveDir) || relRe?.test(command)) {
+        findings.push({
+          tool: "Bash",
+          command,
+          ordinal: inv.ordinal,
+          reason: LIVE_SOURCE_REASON,
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
 if (import.meta.main) {
   const argv = Bun.argv.slice(2);
   const flag = (name: string): string | undefined => {
@@ -127,10 +202,12 @@ if (import.meta.main) {
     condition: string;
     violations: StrayFinding[];
     warnings: StrayFinding[];
+    live_source_reads: StrayFinding[];
   };
   const runs: RunReport[] = [];
   let totalViolations = 0;
   let totalWarnings = 0;
+  let totalLiveReads = 0;
 
   for (const evalDir of evalDirs) {
     const evalId = evalDir.replace(/^eval-/, "");
@@ -149,23 +226,38 @@ if (import.meta.main) {
       const outputsDir =
         outputsByKey.get(`${evalId}:${cond}`) ?? join(condDir, "outputs");
       const findings = detectStrayWrites(invocations, outputsDir, repoRoot);
-      if (findings.violations.length || findings.warnings.length) {
+      const liveReads = detectLiveSourceReads(
+        invocations,
+        ctx.skillSubdir,
+        repoRoot,
+      );
+      if (
+        findings.violations.length ||
+        findings.warnings.length ||
+        liveReads.length
+      ) {
         runs.push({
           eval_id: evalId,
           condition: cond,
           violations: findings.violations,
           warnings: findings.warnings,
+          live_source_reads: liveReads,
         });
       }
       totalViolations += findings.violations.length;
       totalWarnings += findings.warnings.length;
+      totalLiveReads += liveReads.length;
     }
   }
 
   const report = {
     generated: new Date().toISOString(),
     iteration: Number(iteration),
-    totals: { violations: totalViolations, warnings: totalWarnings },
+    totals: {
+      violations: totalViolations,
+      warnings: totalWarnings,
+      live_source_reads: totalLiveReads,
+    },
     runs,
   };
   const outPath = join(iterationDir, "stray-writes.json");
@@ -182,11 +274,15 @@ if (import.meta.main) {
       console.warn(
         `⚠ ${r.eval_id}/${r.condition}: Bash ${w.reason} (ordinal ${w.ordinal}): ${w.command}`,
       );
+    for (const l of r.live_source_reads)
+      console.warn(
+        `⚠ ${r.eval_id}/${r.condition}: ${l.tool} read the live skill source (ordinal ${l.ordinal}): ${l.path ?? l.command}`,
+      );
   }
-  if (totalViolations === 0 && totalWarnings === 0)
-    console.log("✓ No out-of-bounds writes detected.");
+  if (totalViolations === 0 && totalWarnings === 0 && totalLiveReads === 0)
+    console.log("✓ No out-of-bounds writes or live-source reads detected.");
   else
     console.warn(
-      `\n${totalViolations} violation(s), ${totalWarnings} warning(s). Runs with violations edited files outside their sandbox — treat those data points as tainted.`,
+      `\n${totalViolations} violation(s), ${totalWarnings} warning(s), ${totalLiveReads} live-source read(s). Runs with violations edited files outside their sandbox; runs with live-source reads saw the live skill instead of their staged copy — treat those data points as tainted.`,
     );
 }

package/skills/evaluating-skills/runner/guard/policy.test.ts

@@ -68,4 +68,61 @@ describe("guard decide", () => {
       true,
     );
   });
+
+  test("denies git worktree add (working tree outside the sandbox)", () => {
+    const d = decide(
+      "Bash",
+      { command: "git worktree add ../wt -b scratch" },
+      marker(),
+    );
+    expect(d.allow).toBe(false);
+    expect(d.reason).toMatch(/worktree/i);
+  });
+
+  test("denies Bash that creates a path under .claude via a non-redirect verb", () => {
+    expect(
+      decide("Bash", { command: "mkdir -p .claude/foo" }, marker()).allow,
+    ).toBe(false);
+    expect(
+      decide("Bash", { command: "cp out.txt .claude/bar" }, marker()).allow,
+    ).toBe(false);
+  });
+
+  test("denies Bash that creates a bare skills/ dir", () => {
+    expect(decide("Bash", { command: "mkdir skills" }, marker()).allow).toBe(
+      false,
+    );
+    expect(
+      decide("Bash", { command: "cp -r src ./skills" }, marker()).allow,
+    ).toBe(false);
+  });
+
+  test("still allows reads of .claude (no create verb)", () => {
+    expect(
+      decide("Bash", { command: "cat .claude/settings.json" }, marker()).allow,
+    ).toBe(true);
+    expect(decide("Bash", { command: "ls .claude" }, marker()).allow).toBe(
+      true,
+    );
+  });
+
+  test("allows a create scoped to the .claude/skills staging root (allowed-root escape)", () => {
+    expect(
+      decide(
+        "Bash",
+        { command: "mkdir -p /work/.claude/skills/staged-x" },
+        marker(),
+      ).allow,
+    ).toBe(true);
+  });
+
+  test("does not flag skills-workspace as a bare skills/ write", () => {
+    expect(
+      decide(
+        "Bash",
+        { command: "mkdir -p /work/skills-workspace/x/outputs" },
+        marker(),
+      ).allow,
+    ).toBe(true);
+  });
 });

package/skills/evaluating-skills/runner/promote-baseline.test.ts

@@ -8,6 +8,7 @@ import {
 } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
+import { PROMOTED_MARKER } from "./workspace-teardown";
 
 const FIXTURE_ROOT = join(tmpdir(), `slow-powers-promote-test-${process.pid}`);
 const PROMOTE_TS = join(import.meta.dir, "promote-baseline.ts");
@@ -137,6 +138,56 @@ describe("promote-baseline.ts (--skill-dir, isolated CWD)", () => {
     expect(provenance).toContain("Judge model | unspecified");
   });
 
+  test("drops a .promoted.json marker into the iteration dir for teardown", () => {
+    const root = join(FIXTURE_ROOT, "promote-marker");
+
+    const skillDir = join(root, "skill-dir");
+    const skillSub = join(skillDir, "mr-review");
+    mkdirSync(skillSub, { recursive: true });
+    writeFileSync(
+      join(skillSub, "SKILL.md"),
+      "---\nname: mr-review\ndescription: review MRs\n---\n\nbody\n",
+    );
+
+    const cwd = join(root, "work");
+    const iterationDir = join(
+      cwd,
+      "skills-workspace",
+      "mr-review",
+      "iteration-3",
+    );
+    mkdirSync(iterationDir, { recursive: true });
+    writeJson(join(iterationDir, "benchmark.json"), {
+      delta: { pass_rate: 0 },
+    });
+
+    const res = Bun.spawnSync(
+      [
+        "bun",
+        "run",
+        PROMOTE_TS,
+        "--skill-dir",
+        skillDir,
+        "--skill",
+        "mr-review",
+        "--iteration",
+        "3",
+      ],
+      { cwd, stdout: "pipe", stderr: "pipe" },
+    );
+    expect(res.stderr.toString()).toBe("");
+    expect(res.exitCode).toBe(0);
+
+    const markerPath = join(iterationDir, PROMOTED_MARKER);
+    expect(existsSync(markerPath)).toBe(true);
+    const marker = JSON.parse(readFileSync(markerPath, "utf8")) as {
+      promoted_at: string;
+      baseline_dir: string;
+    };
+    expect(marker.promoted_at).toBeTruthy();
+    expect(marker.baseline_dir).toBe(join(skillSub, "evals", "baseline"));
+  });
+
   test("records agent and judge models in provenance when flags are passed", () => {
     const root = join(FIXTURE_ROOT, "promote-models");
 

package/skills/evaluating-skills/runner/promote-baseline.ts

@@ -10,6 +10,7 @@ import {
 import { join } from "node:path";
 import { detectRunContext } from "./context";
 import type { ConditionsRecord } from "./types";
+import { PROMOTED_MARKER } from "./workspace-teardown";
 
 function die(msg: string): never {
   console.error(`error: ${msg}`);
@@ -120,7 +121,8 @@ export function promoteBaseline(opts: PromoteOptions): {
     "`bun run evals:promote-baseline -- --skill " +
       `${opts.skillName} --iteration <N>` +
       "` after aggregating. The ephemeral workspace (run records, timing,",
-    "dispatch files, produced outputs) stays gitignored under `skills-workspace/`.",
+    "dispatch files, produced outputs) stays gitignored under `skills-workspace/`",
+    "and is reclaimable by `evals:teardown` once promoted (this commit's marker).",
     "",
     "| Field | Value |",
     "|-------|-------|",
@@ -141,6 +143,22 @@ export function promoteBaseline(opts: PromoteOptions): {
   ].join("\n");
   writeFileSync(join(baselineDir, "BASELINE.md"), `${provenance}\n`);
 
+  // Mark the iteration as committed so `teardown` can safely reclaim its
+  // workspace — without this marker teardown preserves the iteration as
+  // uncommitted results.
+  writeFileSync(
+    join(iterationDir, PROMOTED_MARKER),
+    `${JSON.stringify(
+      {
+        promoted_at: new Date().toISOString(),
+        baseline_dir: baselineDir,
+        commit: head,
+      },
+      null,
+      2,
+    )}\n`,
+  );
+
   return { baselineDir, gradingsCopied };
 }