claude-dev-env 1.62.1 → 1.64.0

package/hooks/blocking/test_verification_verdict_store.py

@@ -11,6 +11,8 @@ import pathlib
 import subprocess
 import sys
 
+import pytest
+
 _HOOK_DIR = pathlib.Path(__file__).parent
 if str(_HOOK_DIR) not in sys.path:
     sys.path.insert(0, str(_HOOK_DIR))
@@ -28,6 +30,10 @@ resolve_merge_base = store_module.resolve_merge_base
 branch_surface_manifest = store_module.branch_surface_manifest
 manifest_sha256 = store_module.manifest_sha256
 workflow_verdict_covers_surface = store_module.workflow_verdict_covers_surface
+minted_verdict_covers_surface = store_module.minted_verdict_covers_surface
+write_verdict = store_module.write_verdict
+worktree_path_for_branch = store_module.worktree_path_for_branch
+empty_surface_hash = store_module.empty_surface_hash
 
 constants_spec = importlib.util.spec_from_file_location(
     "verified_commit_constants",
@@ -38,6 +44,8 @@ assert constants_spec.loader is not None
 constants_module = importlib.util.module_from_spec(constants_spec)
 constants_spec.loader.exec_module(constants_module)
 CORRECTIVE_MESSAGE = constants_module.CORRECTIVE_MESSAGE
+EMPTY_SURFACE_GUARD_MESSAGE = constants_module.EMPTY_SURFACE_GUARD_MESSAGE
+BRANCH_WORKTREE_ABSENT_MESSAGE = constants_module.BRANCH_WORKTREE_ABSENT_MESSAGE
 
 PRODUCTION_SOURCE = "def add(left: int, right: int) -> int:\n    return left + right\n"
 TEST_SOURCE = "def test_add() -> None:\n    assert 1 + 1 == 2\n"
@@ -488,3 +496,227 @@ def test_manifest_hash_cli_prints_live_surface_hash(tmp_path: pathlib.Path) -> N
         text=True,
     )
     assert completed_process.stdout.strip() == expected_hash
+
+
+def _isolate_home(monkeypatch: pytest.MonkeyPatch, fake_home: pathlib.Path) -> None:
+    home_text = str(fake_home)
+    monkeypatch.setenv("HOME", home_text)
+    monkeypatch.setenv("USERPROFILE", home_text)
+    monkeypatch.delenv("HOMEDRIVE", raising=False)
+    monkeypatch.delenv("HOMEPATH", raising=False)
+
+
+def test_minted_verdict_covers_surface_matches_other_worktree_by_hash(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: pathlib.Path
+) -> None:
+    fake_home = tmp_path / "home"
+    fake_home.mkdir()
+    _isolate_home(monkeypatch, fake_home)
+    write_verdict(
+        str(tmp_path / "other" / "worktree"),
+        MATCHING_MANIFEST_SHA256,
+        True,
+        [],
+        "agent-x",
+    )
+    assert minted_verdict_covers_surface(MATCHING_MANIFEST_SHA256) is True
+
+
+def test_minted_verdict_covers_surface_false_for_other_hash(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: pathlib.Path
+) -> None:
+    fake_home = tmp_path / "home"
+    fake_home.mkdir()
+    _isolate_home(monkeypatch, fake_home)
+    write_verdict(
+        str(tmp_path / "other" / "worktree"),
+        OTHER_MANIFEST_SHA256,
+        True,
+        [],
+        "agent-x",
+    )
+    assert minted_verdict_covers_surface(MATCHING_MANIFEST_SHA256) is False
+
+
+def test_minted_verdict_covers_surface_false_for_failing_verdict(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: pathlib.Path
+) -> None:
+    fake_home = tmp_path / "home"
+    fake_home.mkdir()
+    _isolate_home(monkeypatch, fake_home)
+    write_verdict(
+        str(tmp_path / "other" / "worktree"),
+        MATCHING_MANIFEST_SHA256,
+        False,
+        [{"severity": "P0", "summary": "boom"}],
+        "agent-x",
+    )
+    assert minted_verdict_covers_surface(MATCHING_MANIFEST_SHA256) is False
+
+
+def test_minted_verdict_covers_surface_false_when_directory_absent(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: pathlib.Path
+) -> None:
+    fake_home = tmp_path / "home"
+    fake_home.mkdir()
+    _isolate_home(monkeypatch, fake_home)
+    assert minted_verdict_covers_surface(MATCHING_MANIFEST_SHA256) is False
+
+
+def _make_repo_with_branch_worktree(
+    tmp_path: pathlib.Path, branch_name: str
+) -> tuple[pathlib.Path, pathlib.Path]:
+    """Create a repo with a branch checked out in a separate worktree.
+
+    Returns:
+        A tuple of (main worktree path, branch worktree path).
+    """
+    empty_hooks_dir = tmp_path / "nohooks"
+    empty_hooks_dir.mkdir()
+
+    main_dir = tmp_path / "main"
+    main_dir.mkdir()
+    _run_git(main_dir, "init", "--initial-branch=main")
+    _run_git(main_dir, "config", "user.email", "tests@example.com")
+    _run_git(main_dir, "config", "user.name", "Worktree Tests")
+    _run_git(main_dir, "config", "core.hooksPath", str(empty_hooks_dir))
+    (main_dir / "app.py").write_text(PRODUCTION_SOURCE, encoding="utf-8")
+    _run_git(main_dir, "add", "-A")
+    _run_git(main_dir, "commit", "-m", "base")
+
+    origin_dir = tmp_path / "origin.git"
+    subprocess.run(
+        ["git", "init", "--bare", "--initial-branch=main", str(origin_dir)],
+        check=True,
+        capture_output=True,
+        text=True,
+    )
+    _run_git(main_dir, "remote", "add", "origin", str(origin_dir))
+    _run_git(main_dir, "push", "-u", "origin", "main")
+
+    _run_git(main_dir, "branch", branch_name)
+
+    branch_worktree_dir = tmp_path / "branch-worktree"
+    _run_git(main_dir, "worktree", "add", str(branch_worktree_dir), branch_name)
+
+    return main_dir, branch_worktree_dir
+
+
+def test_worktree_path_for_branch_returns_path_when_branch_present(
+    tmp_path: pathlib.Path,
+) -> None:
+    _main_dir, branch_worktree_dir = _make_repo_with_branch_worktree(
+        tmp_path, "feature-x"
+    )
+    resolved_path = worktree_path_for_branch(str(branch_worktree_dir), "feature-x")
+    assert resolved_path is not None
+    assert pathlib.Path(resolved_path).resolve() == branch_worktree_dir.resolve()
+
+
+def test_worktree_path_for_branch_returns_none_when_branch_absent(
+    tmp_path: pathlib.Path,
+) -> None:
+    main_dir, _branch_worktree_dir = _make_repo_with_branch_worktree(
+        tmp_path, "feature-x"
+    )
+    resolved_path = worktree_path_for_branch(str(main_dir), "branch-never-checked-out")
+    assert resolved_path is None
+
+
+def test_empty_surface_hash_equals_hash_of_empty_string() -> None:
+    assert empty_surface_hash() == manifest_sha256("")
+
+
+def test_manifest_hash_cli_empty_surface_writes_guard_message_to_stderr(
+    tmp_path: pathlib.Path,
+) -> None:
+    work_dir = _make_repo_with_origin(tmp_path)
+    completed_process = subprocess.run(
+        [
+            sys.executable,
+            str(_HOOK_DIR / "verification_verdict_store.py"),
+            "--manifest-hash",
+            str(work_dir),
+        ],
+        capture_output=True,
+        text=True,
+    )
+    assert completed_process.returncode != 0
+    assert completed_process.stdout.strip() == ""
+    lowered_stderr = completed_process.stderr.lower()
+    assert "wrong work tree" in lowered_stderr or "empty" in lowered_stderr
+
+
+def test_manifest_hash_cli_empty_surface_prints_nothing_on_stdout(
+    tmp_path: pathlib.Path,
+) -> None:
+    work_dir = _make_repo_with_origin(tmp_path)
+    completed_process = subprocess.run(
+        [
+            sys.executable,
+            str(_HOOK_DIR / "verification_verdict_store.py"),
+            "--manifest-hash",
+            str(work_dir),
+        ],
+        capture_output=True,
+        text=True,
+    )
+    assert completed_process.stdout.strip() == ""
+
+
+def test_manifest_hash_for_branch_cli_prints_same_hash_as_explicit_dir(
+    tmp_path: pathlib.Path,
+) -> None:
+    _main_dir, branch_worktree_dir = _make_repo_with_branch_worktree(
+        tmp_path, "feature-branch"
+    )
+    (branch_worktree_dir / "app.py").write_text(
+        "def add(left: int, right: int) -> int:\n    return left - right\n",
+        encoding="utf-8",
+    )
+    direct_process = subprocess.run(
+        [
+            sys.executable,
+            str(_HOOK_DIR / "verification_verdict_store.py"),
+            "--manifest-hash",
+            str(branch_worktree_dir),
+        ],
+        capture_output=True,
+        text=True,
+        check=True,
+    )
+    branch_process = subprocess.run(
+        [
+            sys.executable,
+            str(_HOOK_DIR / "verification_verdict_store.py"),
+            "--manifest-hash-for-branch",
+            "feature-branch",
+        ],
+        capture_output=True,
+        text=True,
+        check=True,
+        cwd=str(branch_worktree_dir),
+    )
+    assert direct_process.stdout.strip() == branch_process.stdout.strip()
+    assert direct_process.stdout.strip() != ""
+
+
+def test_manifest_hash_for_branch_cli_returns_nonzero_when_branch_absent(
+    tmp_path: pathlib.Path,
+) -> None:
+    main_dir, _branch_worktree_dir = _make_repo_with_branch_worktree(
+        tmp_path, "feature-branch"
+    )
+    completed_process = subprocess.run(
+        [
+            sys.executable,
+            str(_HOOK_DIR / "verification_verdict_store.py"),
+            "--manifest-hash-for-branch",
+            "branch-never-checked-out",
+        ],
+        capture_output=True,
+        text=True,
+        cwd=str(main_dir),
+    )
+    assert completed_process.returncode != 0
+    assert completed_process.stdout.strip() == ""

package/hooks/blocking/test_verified_commit_gate.py

@@ -525,3 +525,46 @@ def test_verification_bypass_marker_allows_an_otherwise_gated_commit(
     assert "VERIFIED_COMMIT_GATE" in capsys.readouterr().out
     _run_gate_main(monkeypatch, "git commit -m x # verify-skip", work_dir)
     assert capsys.readouterr().out == ""
+
+
+def test_minted_verdict_from_other_worktree_allows_commit_by_hash(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: pathlib.Path
+) -> None:
+    fake_home = tmp_path / "home"
+    fake_home.mkdir()
+    _isolate_home(monkeypatch, fake_home)
+    work_dir = _make_gated_repo(tmp_path)
+    live_surface_hash = _live_surface_hash(work_dir)
+    store_module.write_verdict(
+        str(tmp_path / "sibling" / "worktree"),
+        live_surface_hash,
+        True,
+        [],
+        "agent-x",
+    )
+    transcript_path = tmp_path / "projects" / "demo" / "sess1.jsonl"
+    transcript_path.parent.mkdir(parents=True)
+    transcript_path.write_text("", encoding="utf-8")
+    assert deny_reason_for_directory(str(work_dir), str(transcript_path)) is None
+
+
+def test_minted_verdict_from_other_worktree_with_wrong_hash_denies(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: pathlib.Path
+) -> None:
+    fake_home = tmp_path / "home"
+    fake_home.mkdir()
+    _isolate_home(monkeypatch, fake_home)
+    work_dir = _make_gated_repo(tmp_path)
+    store_module.write_verdict(
+        str(tmp_path / "sibling" / "worktree"),
+        "d" * 64,
+        True,
+        [],
+        "agent-x",
+    )
+    transcript_path = tmp_path / "projects" / "demo" / "sess1.jsonl"
+    transcript_path.parent.mkdir(parents=True)
+    transcript_path.write_text("", encoding="utf-8")
+    deny_reason = deny_reason_for_directory(str(work_dir), str(transcript_path))
+    assert deny_reason is not None
+    assert "VERIFIED_COMMIT_GATE" in deny_reason

package/hooks/blocking/test_verifier_verdict_minter.py

@@ -37,6 +37,16 @@ minter_spec.loader.exec_module(minter_module)
 mint_for_payload = minter_module.mint_for_payload
 resolved_subagent_type = minter_module.resolved_subagent_type
 
+store_spec = importlib.util.spec_from_file_location(
+    "verification_verdict_store",
+    _HOOK_DIR / "verification_verdict_store.py",
+)
+assert store_spec is not None
+assert store_spec.loader is not None
+store_module = importlib.util.module_from_spec(store_spec)
+store_spec.loader.exec_module(store_module)
+empty_surface_hash = store_module.empty_surface_hash
+
 constants_spec = importlib.util.spec_from_file_location(
     "verified_commit_constants",
     _HOOK_DIR / "config" / "verified_commit_constants.py",
@@ -191,3 +201,132 @@ def test_settings_deny_verdict_directory_write() -> None:
 
 def test_settings_deny_verdict_directory_edit() -> None:
     assert "Edit($HOME/.claude/verification/**)" in _deny_rules()
+
+
+def test_minter_refuses_when_attested_hash_equals_empty_surface_hash(
+    tmp_path: pathlib.Path,
+) -> None:
+    repo_root = tmp_path / "repo"
+    repo_root.mkdir()
+    _init_repo_with_upstream_and_edit(repo_root)
+    attested_empty = empty_surface_hash()
+    verdict_fence = json.dumps(
+        {"all_pass": True, "findings": [], "manifest_sha256": attested_empty}
+    )
+    agent_transcript = tmp_path / "agent-7.jsonl"
+    agent_transcript.write_text(
+        json.dumps(
+            {
+                "type": "assistant",
+                "message": {
+                    "content": [
+                        {
+                            "type": "text",
+                            "text": f"ok\n```verdict\n{verdict_fence}\n```\n",
+                        }
+                    ]
+                },
+            }
+        )
+        + "\n",
+        encoding="utf-8",
+    )
+    _write_sidecar(agent_transcript, MINTING_AGENT_TYPE)
+    payload = {
+        "agent_transcript_path": str(agent_transcript),
+        "cwd": str(repo_root),
+        "agent_id": "empty-surface-1",
+    }
+    assert mint_for_payload(payload) is None
+
+
+def test_minter_refuses_when_recomputed_surface_is_empty(
+    tmp_path: pathlib.Path,
+) -> None:
+    repo_root = tmp_path / "repo"
+    repo_root.mkdir()
+    subprocess.run(["git", "-C", str(repo_root), "init", "-q"], check=True)
+    subprocess.run(
+        ["git", "-C", str(repo_root), "config", "user.email", "verifier@test"],
+        check=True,
+    )
+    subprocess.run(
+        ["git", "-C", str(repo_root), "config", "user.name", "verifier"],
+        check=True,
+    )
+    (repo_root / "module.py").write_text("answer = 1\n", encoding="utf-8")
+    subprocess.run(["git", "-C", str(repo_root), "add", "-A"], check=True)
+    subprocess.run(
+        ["git", "-C", str(repo_root), "commit", "-qm", "init"], check=True
+    )
+    subprocess.run(
+        ["git", "-C", str(repo_root), "branch", "-f", "origin/main", "HEAD"],
+        check=True,
+    )
+    agent_transcript = tmp_path / "agent-7.jsonl"
+    agent_transcript.write_text(
+        json.dumps(
+            {
+                "type": "assistant",
+                "message": {
+                    "content": [
+                        {
+                            "type": "text",
+                            "text": 'ok\n```verdict\n{"all_pass": true, "findings": []}\n```\n',
+                        }
+                    ]
+                },
+            }
+        )
+        + "\n",
+        encoding="utf-8",
+    )
+    _write_sidecar(agent_transcript, MINTING_AGENT_TYPE)
+    payload = {
+        "agent_transcript_path": str(agent_transcript),
+        "cwd": str(repo_root),
+        "agent_id": "empty-recompute-1",
+    }
+    assert mint_for_payload(payload) is None
+
+
+def test_attested_manifest_hash_binds_over_cwd_surface(tmp_path: pathlib.Path) -> None:
+    repo_root = tmp_path / "repo"
+    repo_root.mkdir()
+    _init_repo_with_upstream_and_edit(repo_root)
+    attested_hash = "c" * 64
+    agent_transcript = tmp_path / "agent-7.jsonl"
+    verdict_fence = json.dumps(
+        {"all_pass": True, "findings": [], "manifest_sha256": attested_hash}
+    )
+    agent_transcript.write_text(
+        json.dumps(
+            {
+                "type": "assistant",
+                "message": {
+                    "content": [
+                        {
+                            "type": "text",
+                            "text": f"ok\n```verdict\n{verdict_fence}\n```\n",
+                        }
+                    ]
+                },
+            }
+        )
+        + "\n",
+        encoding="utf-8",
+    )
+    _write_sidecar(agent_transcript, MINTING_AGENT_TYPE)
+    payload = {
+        "agent_transcript_path": str(agent_transcript),
+        "cwd": str(repo_root),
+        "agent_id": "attest-1",
+    }
+    verdict_path = mint_for_payload(payload)
+    try:
+        assert verdict_path is not None
+        verdict_record = json.loads(verdict_path.read_text(encoding="utf-8"))
+        assert verdict_record["manifest_sha256"] == attested_hash
+    finally:
+        if verdict_path is not None and verdict_path.exists():
+            verdict_path.unlink()