@smilintux/skcapstone 0.1.0 → 0.2.3

package/tests/test_scheduled_tasks.py

@@ -0,0 +1,451 @@
+"""Tests for skcapstone.scheduled_tasks — cron-like scheduler."""
+
+from __future__ import annotations
+
+import threading
+import time
+from datetime import datetime, timedelta, timezone
+from pathlib import Path
+from unittest.mock import MagicMock, patch, call
+
+import pytest
+
+from skcapstone.scheduled_tasks import (
+    ScheduledTask,
+    TaskScheduler,
+    build_scheduler,
+    make_backend_reprobe_task,
+    make_heartbeat_task,
+    make_memory_promotion_task,
+    make_profile_freshness_task,
+)
+
+
+# ---------------------------------------------------------------------------
+# ScheduledTask unit tests
+# ---------------------------------------------------------------------------
+
+
+class TestScheduledTaskIsDue:
+    def test_never_run_is_always_due(self):
+        task = ScheduledTask(name="x", interval_seconds=60, callback=lambda: None)
+        assert task.is_due() is True
+
+    def test_recently_run_is_not_due(self):
+        task = ScheduledTask(name="x", interval_seconds=60, callback=lambda: None)
+        task.last_run = datetime.now(timezone.utc)
+        assert task.is_due() is False
+
+    def test_overdue_is_due(self):
+        task = ScheduledTask(name="x", interval_seconds=60, callback=lambda: None)
+        task.last_run = datetime.now(timezone.utc) - timedelta(seconds=61)
+        assert task.is_due() is True
+
+    def test_exactly_at_interval_is_due(self):
+        task = ScheduledTask(name="x", interval_seconds=60, callback=lambda: None)
+        task.last_run = datetime.now(timezone.utc) - timedelta(seconds=60)
+        assert task.is_due() is True
+
+    def test_custom_now_reference(self):
+        task = ScheduledTask(name="x", interval_seconds=60, callback=lambda: None)
+        task.last_run = datetime(2026, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
+        future = datetime(2026, 1, 1, 12, 2, 0, tzinfo=timezone.utc)  # 120s later
+        assert task.is_due(now=future) is True
+
+
+class TestScheduledTaskRun:
+    def test_successful_run_increments_count(self):
+        calls = []
+        task = ScheduledTask(name="t", interval_seconds=1, callback=lambda: calls.append(1))
+        task.run()
+        assert task.run_count == 1
+        assert task.error_count == 0
+        assert task.last_error is None
+        assert len(calls) == 1
+
+    def test_successful_run_sets_last_run(self):
+        before = datetime.now(timezone.utc)
+        task = ScheduledTask(name="t", interval_seconds=1, callback=lambda: None)
+        task.run()
+        after = datetime.now(timezone.utc)
+        assert task.last_run is not None
+        assert before <= task.last_run <= after
+
+    def test_failed_run_records_error(self):
+        def _boom():
+            raise ValueError("something broke")
+
+        task = ScheduledTask(name="t", interval_seconds=1, callback=_boom)
+        task.run()
+        assert task.error_count == 1
+        assert task.run_count == 0
+        assert "something broke" in task.last_error
+
+    def test_failed_run_still_updates_last_run(self):
+        """last_run must be set even when the callback raises, so the interval resets."""
+        task = ScheduledTask(name="t", interval_seconds=1, callback=lambda: 1 / 0)
+        task.run()
+        assert task.last_run is not None
+
+    def test_successive_runs_accumulate_count(self):
+        counter = {"n": 0}
+
+        def _inc():
+            counter["n"] += 1
+
+        task = ScheduledTask(name="t", interval_seconds=0, callback=_inc)
+        for _ in range(5):
+            task.run()
+        assert task.run_count == 5
+        assert counter["n"] == 5
+
+    def test_cleared_error_after_recovery(self):
+        state = {"fail": True}
+
+        def _flaky():
+            if state["fail"]:
+                raise RuntimeError("transient")
+
+        task = ScheduledTask(name="t", interval_seconds=0, callback=_flaky)
+        task.run()
+        assert task.last_error is not None
+
+        state["fail"] = False
+        task.run()
+        assert task.last_error is None
+        assert task.run_count == 1
+        assert task.error_count == 1
+
+
+# ---------------------------------------------------------------------------
+# TaskScheduler tests
+# ---------------------------------------------------------------------------
+
+
+class TestTaskSchedulerRegister:
+    def test_register_returns_task(self, tmp_path):
+        stop = threading.Event()
+        scheduler = TaskScheduler(tmp_path, stop)
+        task = scheduler.register("ping", 10, lambda: None)
+        assert isinstance(task, ScheduledTask)
+        assert task.name == "ping"
+        assert task.interval_seconds == 10
+
+    def test_register_multiple_tasks(self, tmp_path):
+        stop = threading.Event()
+        scheduler = TaskScheduler(tmp_path, stop)
+        scheduler.register("a", 5, lambda: None)
+        scheduler.register("b", 10, lambda: None)
+        scheduler.register("c", 15, lambda: None)
+        assert len(scheduler.status()) == 3
+
+    def test_status_reflects_unrun_tasks(self, tmp_path):
+        stop = threading.Event()
+        scheduler = TaskScheduler(tmp_path, stop)
+        scheduler.register("mine", 30, lambda: None)
+        status = scheduler.status()
+        assert status[0]["name"] == "mine"
+        assert status[0]["last_run"] is None
+        assert status[0]["run_count"] == 0
+        assert status[0]["error_count"] == 0
+
+
+class TestTaskSchedulerExecution:
+    def test_scheduler_runs_due_task(self, tmp_path):
+        """Scheduler fires a task with 0-second interval within a short window."""
+        stop = threading.Event()
+        fired = threading.Event()
+
+        scheduler = TaskScheduler(tmp_path, stop, tick_interval=0.05)
+        scheduler.register("instant", 0, fired.set)
+        scheduler.start()
+
+        assert fired.wait(timeout=2.0), "Task should have fired within 2 seconds"
+        stop.set()
+
+    def test_scheduler_stops_cleanly(self, tmp_path):
+        stop = threading.Event()
+        scheduler = TaskScheduler(tmp_path, stop, tick_interval=0.05)
+        scheduler.register("noop", 999, lambda: None)
+        t = scheduler.start()
+        stop.set()
+        t.join(timeout=2.0)
+        assert not t.is_alive()
+
+    def test_scheduler_thread_is_daemon(self, tmp_path):
+        stop = threading.Event()
+        scheduler = TaskScheduler(tmp_path, stop, tick_interval=1)
+        t = scheduler.start()
+        assert t.daemon is True
+        stop.set()
+
+    def test_scheduler_skips_not_yet_due_task(self, tmp_path):
+        """A task last run just now should NOT fire again within the tick window."""
+        stop = threading.Event()
+        counter = {"n": 0}
+
+        def _count():
+            counter["n"] += 1
+
+        scheduler = TaskScheduler(tmp_path, stop, tick_interval=0.05)
+        task = scheduler.register("slow", 3600, _count)
+        # Pre-mark as just run so it is NOT due
+        task.last_run = datetime.now(timezone.utc)
+
+        scheduler.start()
+        time.sleep(0.2)
+        stop.set()
+
+        assert counter["n"] == 0, "Task should not have fired — it was just run"
+
+    def test_error_in_task_does_not_crash_scheduler(self, tmp_path):
+        """A raising callback must not kill the scheduler thread."""
+        stop = threading.Event()
+        second_fired = threading.Event()
+
+        def _bad():
+            raise RuntimeError("intentional")
+
+        scheduler = TaskScheduler(tmp_path, stop, tick_interval=0.05)
+        scheduler.register("bad", 0, _bad)
+        scheduler.register("good", 0, second_fired.set)
+        scheduler.start()
+
+        assert second_fired.wait(timeout=2.0), "Scheduler should survive a bad task"
+        stop.set()
+
+
+# ---------------------------------------------------------------------------
+# build_scheduler — registration completeness and intervals
+# ---------------------------------------------------------------------------
+
+
+class TestBuildScheduler:
+    def test_registers_four_standard_tasks(self, tmp_path):
+        stop = threading.Event()
+        scheduler = build_scheduler(tmp_path, stop)
+        names = {s["name"] for s in scheduler.status()}
+        assert names == {
+            "heartbeat_pulse",
+            "backend_reprobe",
+            "memory_promotion_sweep",
+            "profile_freshness_check",
+        }
+
+    def test_heartbeat_interval_is_30s(self, tmp_path):
+        stop = threading.Event()
+        scheduler = build_scheduler(tmp_path, stop)
+        task = next(s for s in scheduler.status() if s["name"] == "heartbeat_pulse")
+        assert task["interval_seconds"] == 30
+
+    def test_backend_reprobe_interval_is_5min(self, tmp_path):
+        stop = threading.Event()
+        scheduler = build_scheduler(tmp_path, stop)
+        task = next(s for s in scheduler.status() if s["name"] == "backend_reprobe")
+        assert task["interval_seconds"] == 300
+
+    def test_memory_promotion_interval_is_hourly(self, tmp_path):
+        stop = threading.Event()
+        scheduler = build_scheduler(tmp_path, stop)
+        task = next(s for s in scheduler.status() if s["name"] == "memory_promotion_sweep")
+        assert task["interval_seconds"] == 3600
+
+    def test_profile_freshness_interval_is_daily(self, tmp_path):
+        stop = threading.Event()
+        scheduler = build_scheduler(tmp_path, stop)
+        task = next(s for s in scheduler.status() if s["name"] == "profile_freshness_check")
+        assert task["interval_seconds"] == 86400
+
+
+# ---------------------------------------------------------------------------
+# Individual task callback tests
+# ---------------------------------------------------------------------------
+
+
+class TestMemoryPromotionTask:
+    def test_calls_sweep_and_logs_promotions(self, tmp_path):
+        mock_result = MagicMock()
+        mock_result.scanned = 10
+        mock_result.promoted = [MagicMock(), MagicMock()]  # 2 promoted
+
+        mock_engine = MagicMock()
+        mock_engine.sweep.return_value = mock_result
+
+        callback = make_memory_promotion_task(tmp_path)
+
+        # PromotionEngine is imported lazily inside the closure via
+        # `from .memory_promoter import PromotionEngine` — patch the source.
+        with patch("skcapstone.memory_promoter.PromotionEngine", return_value=mock_engine) as MockEngine:
+            callback()
+            MockEngine.assert_called_once_with(tmp_path)
+            mock_engine.sweep.assert_called_once()
+
+    def test_no_promotions_does_not_raise(self, tmp_path):
+        mock_result = MagicMock()
+        mock_result.scanned = 5
+        mock_result.promoted = []
+
+        mock_engine = MagicMock()
+        mock_engine.sweep.return_value = mock_result
+
+        callback = make_memory_promotion_task(tmp_path)
+        with patch("skcapstone.memory_promoter.PromotionEngine", return_value=mock_engine):
+            callback()  # should not raise
+
+    def test_import_error_propagates_as_exception(self, tmp_path):
+        """If PromotionEngine raises on import the task should propagate (caught by runner)."""
+        callback = make_memory_promotion_task(tmp_path)
+        with patch("skcapstone.memory_promoter.PromotionEngine", side_effect=RuntimeError("unavailable")):
+            with pytest.raises(RuntimeError, match="unavailable"):
+                callback()
+
+
+class TestBackendReprobeTask:
+    def test_calls_probe_on_bridge(self):
+        mock_bridge = MagicMock()
+        mock_bridge._available = {"ollama": True, "passthrough": True}
+
+        mock_loop = MagicMock()
+        mock_loop._bridge = mock_bridge
+
+        callback = make_backend_reprobe_task(mock_loop)
+        callback()
+        mock_bridge._probe_available_backends.assert_called_once()
+
+    def test_noop_when_loop_is_none(self):
+        callback = make_backend_reprobe_task(None)
+        callback()  # should not raise
+
+    def test_noop_when_bridge_missing(self):
+        mock_loop = MagicMock(spec=[])  # no _bridge attribute
+        callback = make_backend_reprobe_task(mock_loop)
+        callback()  # should not raise
+
+    def test_noop_when_probe_fn_missing(self):
+        mock_bridge = MagicMock(spec=[])  # no _probe_available_backends
+        mock_loop = MagicMock()
+        mock_loop._bridge = mock_bridge
+        callback = make_backend_reprobe_task(mock_loop)
+        callback()  # should not raise
+
+
+class TestHeartbeatTask:
+    def test_calls_pulse_with_active_state(self):
+        mock_beacon = MagicMock()
+        callback = make_heartbeat_task(mock_beacon, lambda: True)
+        callback()
+        mock_beacon.pulse.assert_called_once_with(consciousness_active=True)
+
+    def test_calls_pulse_with_inactive_state(self):
+        mock_beacon = MagicMock()
+        callback = make_heartbeat_task(mock_beacon, lambda: False)
+        callback()
+        mock_beacon.pulse.assert_called_once_with(consciousness_active=False)
+
+    def test_noop_when_beacon_is_none(self):
+        callback = make_heartbeat_task(None, lambda: True)
+        callback()  # should not raise
+
+    def test_uses_fn_result_dynamically(self):
+        """consciousness_active_fn is called each time, not captured at build time."""
+        mock_beacon = MagicMock()
+        state = {"active": False}
+        callback = make_heartbeat_task(mock_beacon, lambda: state["active"])
+
+        callback()
+        mock_beacon.pulse.assert_called_with(consciousness_active=False)
+
+        state["active"] = True
+        callback()
+        mock_beacon.pulse.assert_called_with(consciousness_active=True)
+
+
+class TestProfileFreshnessTask:
+    def test_fresh_files_produce_no_warning(self, tmp_path, caplog):
+        import logging
+
+        identity_dir = tmp_path / "identity"
+        identity_dir.mkdir()
+        (identity_dir / "identity.json").write_text("{}")
+
+        callback = make_profile_freshness_task(tmp_path, max_age_days=7)
+        with caplog.at_level(logging.WARNING, logger="skcapstone.scheduled_tasks"):
+            callback()
+        assert not any("Profile freshness" in r.message for r in caplog.records)
+
+    def test_stale_identity_triggers_warning(self, tmp_path, caplog):
+        import logging
+        import os
+
+        identity_dir = tmp_path / "identity"
+        identity_dir.mkdir()
+        identity_file = identity_dir / "identity.json"
+        identity_file.write_text("{}")
+
+        # Set mtime to 10 days ago
+        old_mtime = time.time() - (10 * 86400)
+        os.utime(identity_file, (old_mtime, old_mtime))
+
+        callback = make_profile_freshness_task(tmp_path, max_age_days=7)
+        with caplog.at_level(logging.WARNING, logger="skcapstone.scheduled_tasks"):
+            callback()
+
+        warnings = [r.message for r in caplog.records if r.levelno == logging.WARNING]
+        assert any("identity.json" in w for w in warnings)
+
+    def test_stale_model_profile_triggers_warning(self, tmp_path, caplog):
+        import logging
+        import os
+
+        profiles_dir = tmp_path / "data" / "model_profiles"
+        profiles_dir.mkdir(parents=True)
+        profile_file = profiles_dir / "llama3.json"
+        profile_file.write_text("{}")
+
+        old_mtime = time.time() - (15 * 86400)
+        os.utime(profile_file, (old_mtime, old_mtime))
+
+        callback = make_profile_freshness_task(tmp_path, max_age_days=7)
+        with caplog.at_level(logging.WARNING, logger="skcapstone.scheduled_tasks"):
+            callback()
+
+        warnings = [r.message for r in caplog.records if r.levelno == logging.WARNING]
+        assert any("llama3" in w for w in warnings)
+
+    def test_missing_identity_dir_does_not_raise(self, tmp_path):
+        callback = make_profile_freshness_task(tmp_path)
+        callback()  # identity dir absent — should not raise
+
+    def test_missing_profiles_dir_does_not_raise(self, tmp_path):
+        callback = make_profile_freshness_task(tmp_path)
+        callback()  # data/model_profiles absent — should not raise
+
+    def test_custom_max_age_respected(self, tmp_path, caplog):
+        import logging
+        import os
+
+        identity_dir = tmp_path / "identity"
+        identity_dir.mkdir()
+        identity_file = identity_dir / "identity.json"
+        identity_file.write_text("{}")
+
+        # 3 days old
+        old_mtime = time.time() - (3 * 86400)
+        os.utime(identity_file, (old_mtime, old_mtime))
+
+        # max_age_days=2 → should warn
+        callback = make_profile_freshness_task(tmp_path, max_age_days=2)
+        with caplog.at_level(logging.WARNING, logger="skcapstone.scheduled_tasks"):
+            callback()
+
+        warnings = [r.message for r in caplog.records if r.levelno == logging.WARNING]
+        assert any("identity.json" in w for w in warnings)
+
+        # max_age_days=5 → should NOT warn
+        caplog.clear()
+        callback2 = make_profile_freshness_task(tmp_path, max_age_days=5)
+        with caplog.at_level(logging.WARNING, logger="skcapstone.scheduled_tasks"):
+            callback2()
+
+        warnings2 = [r.message for r in caplog.records if r.levelno == logging.WARNING]
+        assert not any("identity.json" in w for w in warnings2)

package/tests/test_security.py

@@ -0,0 +1,250 @@
+"""Security tests for skcapstone.
+
+Covers:
+- Peer name sanitization / path traversal prevention
+- Large message (oversized inbox file) rejection
+- Invalid JSON in inbox files
+
+These map to the findings from the sprint-14 security audit.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import tempfile
+from pathlib import Path
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+from skcapstone.consciousness_loop import (
+    ConsciousnessConfig,
+    ConsciousnessLoop,
+    SystemPromptBuilder,
+    _sanitize_peer_name,
+)
+
+
+# ---------------------------------------------------------------------------
+# _sanitize_peer_name unit tests
+# ---------------------------------------------------------------------------
+
+
+class TestSanitizePeerName:
+    """Unit tests for the _sanitize_peer_name helper."""
+
+    def test_normal_name_passes_through(self):
+        assert _sanitize_peer_name("alice") == "alice"
+
+    def test_alphanumeric_with_dash(self):
+        assert _sanitize_peer_name("agent-007") == "agent-007"
+
+    def test_at_sign_allowed(self):
+        assert _sanitize_peer_name("opus@skworld.io") == "opus@skworld.io"
+
+    def test_dotted_name_allowed(self):
+        assert _sanitize_peer_name("v1.2.3") == "v1.2.3"
+
+    # --- path traversal ---
+
+    def test_slash_stripped(self):
+        result = _sanitize_peer_name("../../../etc/passwd")
+        assert "/" not in result
+        assert ".." not in result or result.count(".") <= 1
+
+    def test_backslash_stripped(self):
+        result = _sanitize_peer_name("..\\Windows\\system32")
+        assert "\\" not in result
+
+    def test_pure_dotdot_rejected(self):
+        """'..'' alone is stripped and falls back to 'unknown'."""
+        result = _sanitize_peer_name("..")
+        # After stripping leading/trailing dots, should be empty → "unknown"
+        assert result == "unknown"
+
+    def test_dotdot_with_slash(self):
+        result = _sanitize_peer_name("../../secret")
+        assert "/" not in result
+        assert result != "../../secret"
+
+    def test_null_byte_stripped(self):
+        result = _sanitize_peer_name("alice\x00evil")
+        assert "\x00" not in result
+
+    def test_empty_string_returns_unknown(self):
+        assert _sanitize_peer_name("") == "unknown"
+
+    def test_none_returns_unknown(self):
+        assert _sanitize_peer_name(None) == "unknown"  # type: ignore[arg-type]
+
+    def test_spaces_stripped(self):
+        result = _sanitize_peer_name("alice bob")
+        assert " " not in result
+
+    def test_length_capped_at_64(self):
+        long_name = "a" * 200
+        result = _sanitize_peer_name(long_name)
+        assert len(result) <= 64
+
+    def test_special_chars_stripped(self):
+        result = _sanitize_peer_name("peer<script>alert(1)</script>")
+        assert "<" not in result
+        assert ">" not in result
+
+
+# ---------------------------------------------------------------------------
+# Path traversal via SystemPromptBuilder._persist_peer_history
+# ---------------------------------------------------------------------------
+
+
+class TestPeerHistoryPathTraversal:
+    """Verify that malicious peer names cannot write outside the conversations dir."""
+
+    def _make_builder(self, tmp_path: Path) -> SystemPromptBuilder:
+        """Return a SystemPromptBuilder backed by tmp_path."""
+        return SystemPromptBuilder(home=tmp_path, max_tokens=4096)
+
+    def test_traversal_peer_stays_inside_conversations(self, tmp_path):
+        """A sender like '../../../etc/passwd' must not escape conversations/."""
+        builder = self._make_builder(tmp_path)
+        conversations_dir = tmp_path / "conversations"
+
+        # Simulate receiving a message from a malicious peer
+        malicious_peer = "../../../etc/passwd"
+        builder.add_to_history(malicious_peer, "user", "hello")
+
+        # Only files inside conversations/ should exist
+        for written_file in conversations_dir.rglob("*"):
+            try:
+                written_file.relative_to(conversations_dir)
+            except ValueError:
+                pytest.fail(
+                    f"Path traversal detected: {written_file} is outside {conversations_dir}"
+                )
+
+    def test_dotdot_peer_sanitized_to_unknown(self, tmp_path):
+        builder = self._make_builder(tmp_path)
+        builder.add_to_history("..", "user", "hi")
+        conversations_dir = tmp_path / "conversations"
+        assert (conversations_dir / "unknown.json").exists()
+
+    def test_slash_in_peer_name_sanitized(self, tmp_path):
+        builder = self._make_builder(tmp_path)
+        builder.add_to_history("a/b/c", "user", "hi")
+        conversations_dir = tmp_path / "conversations"
+        # Should write abc.json (slashes stripped) or similar safe name
+        for f in conversations_dir.iterdir():
+            assert "/" not in f.name
+
+    def test_null_byte_in_peer_name_sanitized(self, tmp_path):
+        builder = self._make_builder(tmp_path)
+        builder.add_to_history("peer\x00evil", "user", "hi")
+        conversations_dir = tmp_path / "conversations"
+        for f in conversations_dir.iterdir():
+            assert "\x00" not in f.name
+
+
+# ---------------------------------------------------------------------------
+# Large message rejection (file-size cap in ConsciousnessLoop._on_inbox_file)
+# ---------------------------------------------------------------------------
+
+
+class TestLargeMessageRejected:
+    """The inbox handler must reject files larger than 1 MB."""
+
+    def _make_loop(self, tmp_path: Path) -> ConsciousnessLoop:
+        config = ConsciousnessConfig(use_inotify=False)
+        loop = ConsciousnessLoop(
+            config=config,
+            home=tmp_path / "agent",
+            shared_root=tmp_path / "shared",
+        )
+        return loop
+
+    def test_oversized_file_is_dropped(self, tmp_path):
+        """A 1.1 MB inbox file must not be processed."""
+        loop = self._make_loop(tmp_path)
+
+        inbox_file = tmp_path / "big.skc.json"
+        # Write 1.1 MB of data — exceeds the 1_000_000 byte cap
+        inbox_file.write_bytes(b"x" * 1_100_000)
+
+        submitted = []
+        loop._executor.submit = lambda fn, *a, **kw: submitted.append((fn, a))  # type: ignore[method-assign]
+
+        loop._on_inbox_file(inbox_file)
+
+        assert submitted == [], "Oversized file should have been dropped without submitting"
+
+    def test_1mb_minus_one_byte_is_processed(self, tmp_path):
+        """A file just below the cap should be attempted (may fail on parse — that's fine)."""
+        loop = self._make_loop(tmp_path)
+
+        inbox_file = tmp_path / "ok.skc.json"
+        # Valid JSON just under the limit
+        payload = json.dumps({"sender": "alice", "payload": {"content": "hi"}})
+        inbox_file.write_text(payload, encoding="utf-8")
+
+        submitted = []
+        original_submit = loop._executor.submit
+
+        def capture_submit(fn, *a, **kw):
+            submitted.append((fn, a))
+            return MagicMock()
+
+        loop._executor.submit = capture_submit  # type: ignore[method-assign]
+        loop._on_inbox_file(inbox_file)
+
+        # Under the cap → should be submitted (even if the envelope later fails)
+        assert len(submitted) == 1, "File under size cap should be submitted for processing"
+
+
+# ---------------------------------------------------------------------------
+# Invalid JSON rejection
+# ---------------------------------------------------------------------------
+
+
+class TestInvalidJsonRejected:
+    """Malformed JSON in the inbox must not crash the consciousness loop."""
+
+    def _make_loop(self, tmp_path: Path) -> ConsciousnessLoop:
+        config = ConsciousnessConfig(use_inotify=False)
+        return ConsciousnessLoop(
+            config=config,
+            home=tmp_path / "agent",
+            shared_root=tmp_path / "shared",
+        )
+
+    def test_invalid_json_does_not_raise(self, tmp_path):
+        """Malformed JSON must be silently dropped, not crash."""
+        loop = self._make_loop(tmp_path)
+        inbox_file = tmp_path / "bad.skc.json"
+        inbox_file.write_text("{invalid json{{", encoding="utf-8")
+
+        # Must not raise
+        loop._on_inbox_file(inbox_file)
+
+    def test_non_dict_json_does_not_raise(self, tmp_path):
+        """A valid JSON array (not a dict) must also be silently dropped."""
+        loop = self._make_loop(tmp_path)
+        inbox_file = tmp_path / "array.skc.json"
+        inbox_file.write_text("[1, 2, 3]", encoding="utf-8")
+
+        loop._on_inbox_file(inbox_file)
+
+    def test_truncated_json_does_not_raise(self, tmp_path):
+        """Truncated / partially-written JSON must be silently dropped."""
+        loop = self._make_loop(tmp_path)
+        inbox_file = tmp_path / "truncated.skc.json"
+        inbox_file.write_text('{"sender": "alice", "payload":', encoding="utf-8")
+
+        loop._on_inbox_file(inbox_file)
+
+    def test_empty_file_does_not_raise(self, tmp_path):
+        """An empty inbox file must not crash."""
+        loop = self._make_loop(tmp_path)
+        inbox_file = tmp_path / "empty.skc.json"
+        inbox_file.write_bytes(b"")
+
+        loop._on_inbox_file(inbox_file)