eagle-mem 4.12.0 → 4.13.0

package/tests/test_redaction_coverage.sh

@@ -0,0 +1,183 @@
+#!/usr/bin/env bash
+# Regression coverage for the Phase 1 security hardening:
+#  - secrets are redacted BEFORE leaving the machine (LLM provider input,
+#    enrich job file) and before persistence (recall_events, observations)
+#  - configured [redaction] extra_patterns are actually applied by eagle_redact
+#  - orchestration workers default to a non-full-access (safe) autonomy mode
+#  - logs path resolver rejects traversal/symlink/out-of-root references
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+
+tmp_dir=$(mktemp -d "$ROOT_DIR/.tmp-redaction.XXXXXX")
+trap 'rm -rf "$tmp_dir"' EXIT
+
+export HOME="$tmp_dir/home"
+export EAGLE_MEM_DIR="$tmp_dir/eagle-mem"
+export EAGLE_CONFIG_FILE="$EAGLE_MEM_DIR/config.toml"
+mkdir -p "$HOME" "$EAGLE_MEM_DIR"
+
+. "$ROOT_DIR/lib/common.sh"
+"$ROOT_DIR/db/migrate.sh" >/dev/null
+. "$ROOT_DIR/lib/db.sh"
+. "$ROOT_DIR/lib/provider.sh"
+
+# Fake secrets that must never survive redaction.
+FAKE_ANT="sk-ant-FAKEabcdefghijklmnop1234567890"
+FAKE_AWS="AKIAFAKE0000000000AB"
+FAKE_BEARER="Bearer FAKEtokenshouldnotleak123"
+FAKE_OPENAI="sk-FAKE0123456789abcdef0123456789abcdef"
+
+fail() { echo "FAIL: $1" >&2; exit 1; }
+
+assert_no_secret() {
+    local label="$1" haystack="$2"
+    case "$haystack" in
+        *"$FAKE_ANT"*)    fail "$label leaked Anthropic key" ;;
+        *"$FAKE_AWS"*)    fail "$label leaked AWS key" ;;
+        *"FAKEtoken"*)    fail "$label leaked Bearer token" ;;
+        *"$FAKE_OPENAI"*) fail "$label leaked OpenAI key" ;;
+    esac
+}
+
+# ── eagle_redact built-ins ───────────────────────────────────────────────
+redacted=$(printf 'k=%s a=%s h=%s o=%s\n' "$FAKE_ANT" "$FAKE_AWS" "$FAKE_BEARER" "$FAKE_OPENAI" | eagle_redact)
+assert_no_secret "eagle_redact built-ins" "$redacted"
+case "$redacted" in *"[REDACTED]"*) ;; *) fail "eagle_redact produced no [REDACTED] marker" ;; esac
+
+# ── Finding 4: configured extra_patterns are honored ─────────────────────
+cat > "$EAGLE_CONFIG_FILE" <<'TOML'
+[redaction]
+extra_patterns = ["CORPSECRET_[A-Z0-9]+", "INTERNAL-[0-9]+"]
+TOML
+extra_redacted=$(printf 'token CORPSECRET_AB12 and ticket INTERNAL-9988 here\n' | eagle_redact)
+case "$extra_redacted" in
+    *CORPSECRET_AB12*) fail "extra_patterns[0] not applied (CORPSECRET leaked)" ;;
+    *INTERNAL-9988*)   fail "extra_patterns[1] not applied (INTERNAL leaked)" ;;
+esac
+
+# Commented-out default must NOT redact (proves we parse real config, not the doc line).
+cat > "$EAGLE_CONFIG_FILE" <<'TOML'
+[redaction]
+# extra_patterns = ["MY_CUSTOM_SECRET_.*"]
+TOML
+commented=$(printf 'MY_CUSTOM_SECRET_xyz stays visible\n' | eagle_redact)
+case "$commented" in
+    *MY_CUSTOM_SECRET_xyz*) ;;
+    *) fail "commented extra_patterns default was wrongly applied" ;;
+esac
+rm -f "$EAGLE_CONFIG_FILE"
+
+# ── Finding 2: recall_events.prompt_snippet is redacted before insert ────
+project="redaction-project"
+repo="$tmp_dir/repo"; mkdir -p "$repo"
+eagle_upsert_session "redact-session" "$project" "$repo" "test-model" "test" "codex" >/dev/null
+eagle_insert_recall_event "redact-session" "$project" "$repo" "codex" \
+    "please use my key $FAKE_ANT and aws $FAKE_AWS to deploy" \
+    "deploy" 0 0 0 0 "ok" "" >/dev/null
+snippet=$(eagle_db "SELECT prompt_snippet FROM recall_events WHERE session_id='redact-session' LIMIT 1;")
+assert_no_secret "recall_events.prompt_snippet" "$snippet"
+case "$snippet" in *"[REDACTED]"*) ;; *) fail "recall_events.prompt_snippet not redacted" ;; esac
+
+# ── Finding 1: enrich job file written by Stop is redacted ───────────────
+# Drive the Stop hook with a transcript that contains a secret and assert the
+# background enrich job file (and what the enricher would read) is clean.
+transcript="$tmp_dir/transcript.jsonl"
+cat > "$transcript" <<EOF
+{"type":"user","message":{"role":"user","content":"set up deploy"}}
+{"type":"assistant","message":{"role":"assistant","content":[{"type":"text","text":"Using API key $FAKE_ANT and aws $FAKE_AWS for the deploy. Here is what I did."}]}}
+EOF
+mkdir -p "$EAGLE_MEM_DIR/tmp"
+stop_input=$(jq -nc \
+    --arg sid "stop-redact-session" \
+    --arg tp "$transcript" \
+    --arg cwd "$repo" \
+    '{session_id:$sid, transcript_path:$tp, cwd:$cwd}')
+# A provider must be configured so Stop queues a background enrich job. We
+# DISABLE the background enricher itself (EAGLE_MEM_DISABLE_BACKGROUND_ENRICH=1)
+# so the queued job file is left on disk for inspection, and force the defer
+# path with EAGLE_MEM_STOP_ENRICH=0. EAGLE_MEM_PROJECT pins project resolution
+# so the hook does not early-exit in this synthetic environment.
+cat > "$EAGLE_CONFIG_FILE" <<'TOML'
+[provider]
+type = "anthropic"
+TOML
+printf '%s' "$stop_input" | \
+    EAGLE_MEM_PROJECT="$project" \
+    EAGLE_MEM_STOP_ENRICH=0 \
+    EAGLE_MEM_DISABLE_BACKGROUND_ENRICH=1 \
+    EAGLE_AGENT_SOURCE=codex \
+    bash "$ROOT_DIR/hooks/stop.sh" >/dev/null 2>&1 || true
+# The background enricher is disabled from running, so the job file remains for inspection.
+saw_job=0
+for job in "$EAGLE_MEM_DIR"/tmp/summary-enrich.*.json; do
+    [ -f "$job" ] || continue
+    saw_job=1
+    body=$(cat "$job")
+    assert_no_secret "enrich job file" "$body"
+    case "$body" in *"[REDACTED]"*) ;; *) fail "enrich job file was not redacted" ;; esac
+done
+[ "$saw_job" = 1 ] || fail "Stop did not queue a background enrich job file to verify (finding 1)"
+rm -f "$EAGLE_MEM_DIR"/tmp/summary-enrich.*.json 2>/dev/null || true
+rm -f "$EAGLE_CONFIG_FILE"
+
+# Even if no job file was produced in this environment, the redaction path is
+# also unit-tested directly: the exact transformation Stop applies.
+text_with_secret="prefix $FAKE_ANT mid $FAKE_AWS suffix"
+enrich_text=$(printf '%s' "$text_with_secret" | eagle_redact)
+assert_no_secret "Stop enrich_text transform" "$enrich_text"
+
+# ── Finding 3: redact-before-truncate (boundary secret defeats prefix) ───
+# A secret split across the 200-char truncation boundary must still be redacted.
+pad=$(printf 'a%.0s' $(seq 1 190))
+boundary_cmd="curl -H \"Authorization: Bearer ${pad}${FAKE_OPENAI}\""
+# Old order (truncate THEN redact) would cut the token mid-stream; the new order
+# redacts first. Emulate the new order exactly as post-tool-use.sh does.
+new_order=$(printf '%s' "$boundary_cmd" | eagle_redact | cut -c1-200)
+assert_no_secret "redact-before-truncate" "$new_order"
+
+# ── Finding 9: orchestration workers default to safe autonomy ────────────
+eval "$(sed -n '/^orchestrate_worker_autonomy()/,/^}/p' "$ROOT_DIR/scripts/orchestrate.sh")"
+[ -f "$EAGLE_CONFIG_FILE" ] && rm -f "$EAGLE_CONFIG_FILE"
+default_autonomy=$(orchestrate_worker_autonomy)
+[ "$default_autonomy" = "safe" ] || fail "orchestration worker autonomy should default to 'safe', got '$default_autonomy'"
+cat > "$EAGLE_CONFIG_FILE" <<'TOML'
+[orchestration]
+worker_autonomy = "danger"
+TOML
+opt_in_autonomy=$(orchestrate_worker_autonomy)
+[ "$opt_in_autonomy" = "danger" ] || fail "worker_autonomy='danger' should opt into 'danger', got '$opt_in_autonomy'"
+rm -f "$EAGLE_CONFIG_FILE"
+
+# The generated safe run-script must not contain danger-full-access / never / dontAsk.
+project="orch-proj"; name="orch-name"
+eval "$(sed -n '/^orchestrate_worker_run_script()/,/^}/p' "$ROOT_DIR/scripts/orchestrate.sh")"
+safe_script="$tmp_dir/safe-run.sh"
+orchestrate_worker_run_script "$safe_script" "codex" "m" "xhigh" "/wt" "/p.md" "/exit" "/last" "/bin" "lane1" "/log"
+if grep -qE 'danger-full-access|approval_policy="never"' "$safe_script"; then
+    fail "safe-mode codex worker still uses full-access flags"
+fi
+safe_claude="$tmp_dir/safe-claude.sh"
+orchestrate_worker_run_script "$safe_claude" "claude-code" "m" "xhigh" "/wt" "/p.md" "/exit" "/last" "/bin" "lane1" "/log"
+if grep -q 'permission-mode dontAsk' "$safe_claude"; then
+    fail "safe-mode claude worker still uses --permission-mode dontAsk"
+fi
+
+# ── Finding 7: logs path resolver containment ────────────────────────────
+runs_root="$tmp_dir/runs"; mkdir -p "$runs_root"
+echo "log line" > "$runs_root/run1.log"
+secret_dir="$tmp_dir/secret"; mkdir -p "$secret_dir"
+echo "TOPSECRET" > "$secret_dir/secret.log"
+ln -s "$secret_dir/secret.log" "$runs_root/evil.log"
+eval "$(sed -n '/^canonicalize_path()/,/^}/p;/^path_within()/,/^}/p;/^resolve_log_path()/,/^}/p' "$ROOT_DIR/scripts/logs.sh")"
+EAGLE_RUNS_DIR="$runs_root"
+
+valid=$(resolve_log_path "run1" || true)
+[ -n "$valid" ] || fail "logs resolver rejected a valid in-root log"
+
+if resolve_log_path "evil.log" >/dev/null 2>&1; then fail "logs resolver followed a symlink out of root"; fi
+if resolve_log_path "../../etc/passwd" >/dev/null 2>&1; then fail "logs resolver allowed traversal"; fi
+if resolve_log_path "$secret_dir/secret.log" >/dev/null 2>&1; then fail "logs resolver allowed an out-of-root absolute path"; fi
+if resolve_log_path "$runs_root/../secret/secret.log" >/dev/null 2>&1; then fail "logs resolver allowed prefixed traversal"; fi
+
+echo "PASS: redaction + autonomy + log-path containment regression coverage"

package/tests/test_reliability_retention.sh

@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+# Phase 3 reliability hardening regressions:
+#  A. Auto-scan/index in-flight vs freshness marker separation — a crashed or
+#     output-less job must NOT block retry for a day (only a genuine success
+#     sets the freshness marker; the foreground touch is a short-lived debounce).
+#  B. eagle_events retention — the hook-observability table is pruned by age.
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+tmp_dir=$(mktemp -d "$ROOT_DIR/.tmp-reliability.XXXXXX")
+trap 'rm -rf "$tmp_dir"' EXIT
+
+export HOME="$tmp_dir/home"
+export EAGLE_MEM_DIR="$tmp_dir/eagle-mem"
+mkdir -p "$HOME" "$EAGLE_MEM_DIR"
+
+. "$ROOT_DIR/lib/common.sh"
+"$ROOT_DIR/db/migrate.sh" >/dev/null
+. "$ROOT_DIR/lib/db.sh"
+. "$ROOT_DIR/lib/hooks-sessionstart.sh"
+
+pass=0; fail=0
+ok()  { echo "  ok: $1"; pass=$((pass+1)); }
+bad() { echo "  FAIL: $1"; fail=$((fail+1)); }
+assert()     { if eval "$1"; then ok "$2"; else bad "$2"; fi; }
+assert_not() { if eval "$1"; then bad "$2"; else ok "$2"; fi; }
+
+project="test/reliability"
+
+# ── A. In-flight vs freshness ───────────────────────────────────────────────
+# Crashed/output-less job: only the in-flight marker exists, never the freshness one.
+_eagle_state_touch "scan-inflight" "$project"
+assert_not '_eagle_state_fresh "scan" "$project" 1' \
+    "A1: in-flight-only does NOT satisfy the 1-day freshness gate (retry not blocked for a day)"
+assert '_eagle_state_inflight_fresh "scan" "$project" 15' \
+    "A2: a recent in-flight marker debounces concurrent spawns"
+
+# Genuine success sets the freshness marker.
+_eagle_state_touch "scan" "$project"
+assert '_eagle_state_fresh "scan" "$project" 1' \
+    "A3: a success-set freshness marker satisfies the freshness gate"
+
+# A stale in-flight marker (job died long ago) must age out so retry reopens.
+stale_inflight=$(_eagle_state_file "index-inflight" "$project")
+mkdir -p "$(dirname "$stale_inflight")"
+: > "$stale_inflight"
+touch -t 202001010000 "$stale_inflight"
+assert_not '_eagle_state_inflight_fresh "index" "$project" 15' \
+    "A4: a stale in-flight marker is not 'fresh' — retry is allowed after the debounce window"
+
+# ── B. eagle_events retention ───────────────────────────────────────────────
+p1=$(eagle_sql_escape "$project")
+p2=$(eagle_sql_escape "other/project")
+eagle_db "INSERT INTO eagle_events (project, session_id, agent, event_type, status, created_at)
+          VALUES ('$p1','s-old','codex','hook_started','ok', strftime('%Y-%m-%dT%H:%M:%fZ','now','-60 days'));" >/dev/null
+eagle_db "INSERT INTO eagle_events (project, session_id, agent, event_type, status, created_at)
+          VALUES ('$p1','s-new','codex','hook_started','ok', strftime('%Y-%m-%dT%H:%M:%fZ','now'));" >/dev/null
+eagle_db "INSERT INTO eagle_events (project, session_id, agent, event_type, status, created_at)
+          VALUES ('$p2','s-old2','codex','hook_started','ok', strftime('%Y-%m-%dT%H:%M:%fZ','now','-60 days'));" >/dev/null
+
+eagle_prune_events 30 "$project"
+old_p1=$(eagle_db "SELECT COUNT(*) FROM eagle_events WHERE project='$p1' AND session_id='s-old';")
+new_p1=$(eagle_db "SELECT COUNT(*) FROM eagle_events WHERE project='$p1' AND session_id='s-new';")
+old_p2=$(eagle_db "SELECT COUNT(*) FROM eagle_events WHERE project='$p2' AND session_id='s-old2';")
+[ "$old_p1" = "0" ] && ok "B1: old event (60d) pruned for the target project" || bad "B1: old event not pruned (got $old_p1)"
+[ "$new_p1" = "1" ] && ok "B2: recent event retained" || bad "B2: recent event lost (got $new_p1)"
+[ "$old_p2" = "1" ] && ok "B3: project filter — other project's old event untouched" || bad "B3: project filter leaked (got $old_p2)"
+
+eagle_prune_events 30
+old_p2b=$(eagle_db "SELECT COUNT(*) FROM eagle_events WHERE project='$p2' AND session_id='s-old2';")
+[ "$old_p2b" = "0" ] && ok "B4: unscoped prune removes other project's old event" || bad "B4: unscoped prune missed it (got $old_p2b)"
+
+echo ""
+echo "test_reliability_retention: $pass passed, $fail failed"
+[ "$fail" -eq 0 ] || exit 1

package/tests/test_test_runner_no_abort.sh

@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+# ═══════════════════════════════════════════════════════════
+# Regression: scripts/test.sh must NOT abort mid-run when a
+# single check fails.
+#
+# Guards against the `set -e` masking bug where the failure
+# accumulator used `((errors++))`. Under `set -euo pipefail`,
+# `((errors++))` returns exit status 1 when the pre-increment
+# value is 0 (post-increment evaluates the old, falsy value),
+# so the FIRST failing check aborted the entire runner —
+# skipping every later check and the failure-count summary.
+# The fix uses the assignment form `errors=$((errors + 1))`,
+# which always returns 0.
+# ═══════════════════════════════════════════════════════════
+set -uo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+TEST_SH="$REPO_DIR/scripts/test.sh"
+
+pass=0
+fail=0
+ok()  { echo "  ok: $1"; pass=$((pass+1)); }
+bad() { echo "  FAIL: $1"; fail=$((fail+1)); }
+
+# 1. The buggy idiom must be gone from the runner's executable code.
+#    Match only non-comment lines so the explanatory comment that names
+#    the old idiom does not trip the check.
+if grep -vE '^\s*#' "$TEST_SH" | grep -qE '\(\(errors\+\+\)\)'; then
+    bad "scripts/test.sh still uses ((errors++)) in code (aborts under set -e)"
+else
+    ok "scripts/test.sh no longer uses ((errors++)) in code"
+fi
+if grep -qF 'errors=$((errors + 1))' "$TEST_SH"; then
+    ok "scripts/test.sh uses the safe assignment form"
+else
+    bad "scripts/test.sh missing safe assignment accumulator"
+fi
+
+# 2. Behavioral proof: replicate the runner's exact accumulation loop
+#    under `set -euo pipefail`, force the FIRST check to fail, and
+#    confirm execution reaches the end with a correct count.
+result=$(
+    set -euo pipefail
+    errors=0
+    run_check() {
+        if eval "$2" >/dev/null 2>&1; then
+            :
+        else
+            errors=$((errors + 1))
+        fi
+    }
+    run_check "first-fails" "false"   # errors goes 0 -> 1
+    run_check "second-ok"   "true"
+    run_check "third-fails"  "false"  # errors goes 1 -> 2
+    echo "REACHED_END errors=$errors"
+)
+status=$?
+
+if [ "$status" -eq 0 ] && printf '%s' "$result" | grep -qF 'REACHED_END errors=2'; then
+    ok "runner reaches summary after failures with correct count (errors=2)"
+else
+    bad "runner aborted early or miscounted (status=$status, out='$result')"
+fi
+
+# 3. Sanity: the old idiom genuinely aborts (proves the test is meaningful).
+#    Run as a separate `bash` process so `set -e` is fully active (a `|| ...`
+#    on a subshell would disable `set -e` inside it and hide the abort).
+control_tmp=$(mktemp)
+cat > "$control_tmp" <<'CTRL'
+set -euo pipefail
+errors=0
+((errors++))          # pre-value 0 -> command returns 1 -> set -e aborts here
+echo "SHOULD_NOT_PRINT"
+CTRL
+control_out=$(bash "$control_tmp" 2>/dev/null); control_status=$?
+rm -f "$control_tmp"
+if [ "$control_status" -ne 0 ] && ! printf '%s' "$control_out" | grep -qF 'SHOULD_NOT_PRINT'; then
+    ok "control: ((errors++)) from 0 aborts under set -e (bug is real)"
+else
+    bad "control: ((errors++)) did not abort (status=$control_status) — test premise invalid"
+fi
+
+echo ""
+echo "test_test_runner_no_abort: $pass passed, $fail failed"
+[ "$fail" -eq 0 ] || exit 1