principles-disciple 1.123.0 → 1.125.0

package/tests/core/code-implementation-storage.test.ts

@@ -5,9 +5,7 @@ import * as path from 'path';
 import {
   deleteImplementationAssetDir,
   getImplementationAssetRoot,
-  loadManifest,
   writeManifest,
-  loadEntrySource,
   createImplementationAssetDir,
   writeEntrySource,
   type CodeImplementationManifest,
@@ -63,47 +61,6 @@ describe('CodeImplementationStorage', () => {
     });
   });
 
-  // -------------------------------------------------------------------------
-  // loadManifest
-  // -------------------------------------------------------------------------
-
-  describe('loadManifest', () => {
-    it('returns null when no manifest file exists', () => {
-      const result = loadManifest(stateDir, 'nonexistent');
-      expect(result).toBeNull();
-    });
-
-    it('returns parsed manifest when manifest file exists', () => {
-      const implId = 'IMPL_002';
-      const manifest: CodeImplementationManifest = {
-        version: '1.0.0',
-        entryFile: 'entry.js',
-        createdAt: '2026-01-01T00:00:00.000Z',
-        updatedAt: '2026-01-01T00:00:00.000Z',
-        replaySampleRefs: [],
-        lastEvalReportRef: null,
-      };
-
-      // Write directly (bypass writeManifest to test load independently)
-      const assetRoot = getImplementationAssetRoot(stateDir, implId);
-      fs.mkdirSync(assetRoot, { recursive: true });
-      fs.writeFileSync(path.join(assetRoot, 'manifest.json'), JSON.stringify(manifest), 'utf-8');
-
-      const result = loadManifest(stateDir, implId);
-      expect(result).toEqual(manifest);
-    });
-
-    it('returns null for corrupted manifest JSON', () => {
-      const implId = 'IMPL_003';
-      const assetRoot = getImplementationAssetRoot(stateDir, implId);
-      fs.mkdirSync(assetRoot, { recursive: true });
-      fs.writeFileSync(path.join(assetRoot, 'manifest.json'), 'not-valid-json{{{', 'utf-8');
-
-      const result = loadManifest(stateDir, implId);
-      expect(result).toBeNull();
-    });
-  });
-
   // -------------------------------------------------------------------------
   // writeManifest
   // -------------------------------------------------------------------------
@@ -177,67 +134,6 @@ describe('CodeImplementationStorage', () => {
     });
   });
 
-  // -------------------------------------------------------------------------
-  // loadEntrySource
-  // -------------------------------------------------------------------------
-
-  describe('loadEntrySource', () => {
-    it('returns null when no manifest exists', () => {
-      const result = loadEntrySource(stateDir, 'nonexistent');
-      expect(result).toBeNull();
-    });
-
-    it('returns null when manifest exists but entry file does not', () => {
-      const implId = 'IMPL_007';
-      const assetRoot = getImplementationAssetRoot(stateDir, implId);
-      fs.mkdirSync(assetRoot, { recursive: true });
-
-      // Write manifest pointing to a non-existent entry file
-      const manifest: CodeImplementationManifest = {
-        version: '1.0.0',
-        entryFile: 'nonexistent.js',
-        createdAt: '2026-01-01T00:00:00.000Z',
-        updatedAt: '2026-01-01T00:00:00.000Z',
-        replaySampleRefs: [],
-        lastEvalReportRef: null,
-      };
-      fs.writeFileSync(
-        path.join(assetRoot, 'manifest.json'),
-        JSON.stringify(manifest),
-        'utf-8',
-      );
-
-      const result = loadEntrySource(stateDir, implId);
-      expect(result).toBeNull();
-    });
-
-    it('returns file content when entry file exists', () => {
-      const implId = 'IMPL_008';
-      const assetRoot = getImplementationAssetRoot(stateDir, implId);
-      fs.mkdirSync(assetRoot, { recursive: true });
-
-      const entryContent = 'export function evaluate() { return true; }';
-      fs.writeFileSync(path.join(assetRoot, 'entry.js'), entryContent, 'utf-8');
-
-      const manifest: CodeImplementationManifest = {
-        version: '1.0.0',
-        entryFile: 'entry.js',
-        createdAt: '2026-01-01T00:00:00.000Z',
-        updatedAt: '2026-01-01T00:00:00.000Z',
-        replaySampleRefs: [],
-        lastEvalReportRef: null,
-      };
-      fs.writeFileSync(
-        path.join(assetRoot, 'manifest.json'),
-        JSON.stringify(manifest),
-        'utf-8',
-      );
-
-      const result = loadEntrySource(stateDir, implId);
-      expect(result).toBe(entryContent);
-    });
-  });
-
   // -------------------------------------------------------------------------
   // createImplementationAssetDir
   // -------------------------------------------------------------------------
@@ -300,7 +196,9 @@ describe('CodeImplementationStorage', () => {
         artificerArtifactId: 'artifact-1',
       });
 
-      const loaded = loadManifest(stateDir, implId);
+      // Verify persisted manifest contains lineage
+      const assetRoot = getImplementationAssetRoot(stateDir, implId);
+      const loaded = JSON.parse(fs.readFileSync(path.join(assetRoot, 'manifest.json'), 'utf-8'));
       expect(loaded?.lineage).toMatchObject({
         sourcePainIds: ['pain:gate:1'],
         sourceGateBlockIds: ['gate:write:1'],
@@ -344,22 +242,23 @@ describe('CodeImplementationStorage', () => {
       expect(fs.existsSync(reportPath)).toBe(true);
     });
 
-    it('manifest is loadable via loadManifest after creation', () => {
+    it('manifest is persisted with correct version after creation', () => {
       const implId = 'IMPL_014';
       createImplementationAssetDir(stateDir, implId, '4.0.0');
 
-      const loaded = loadManifest(stateDir, implId);
+      const assetRoot = getImplementationAssetRoot(stateDir, implId);
+      const loaded = JSON.parse(fs.readFileSync(path.join(assetRoot, 'manifest.json'), 'utf-8'));
       expect(loaded).not.toBeNull();
-      expect(loaded!.version).toBe('4.0.0');
-      expect(loaded!.entryFile).toBe('entry.js');
+      expect(loaded.version).toBe('4.0.0');
+      expect(loaded.entryFile).toBe('entry.js');
     });
 
-    it('entry source is loadable via loadEntrySource after creation', () => {
+    it('entry source is persisted after creation', () => {
       const implId = 'IMPL_015';
       createImplementationAssetDir(stateDir, implId, '1.0.0');
 
-      const source = loadEntrySource(stateDir, implId);
-      expect(source).not.toBeNull();
+      const assetRoot = getImplementationAssetRoot(stateDir, implId);
+      const source = fs.readFileSync(path.join(assetRoot, 'entry.js'), 'utf-8');
       expect(source).toContain('export const meta');
       expect(source).toContain('export function evaluate');
     });
@@ -370,7 +269,8 @@ describe('CodeImplementationStorage', () => {
         entrySource: 'export const meta = { name: "x", version: "1", ruleId: "R", coversCondition: "c" }; export function evaluate() { return { decision: "allow", matched: false, reason: "ok" }; }',
       });
 
-      const source = loadEntrySource(stateDir, implId);
+      const assetRoot = getImplementationAssetRoot(stateDir, implId);
+      const source = fs.readFileSync(path.join(assetRoot, 'entry.js'), 'utf-8');
       expect(source).toContain('export const meta');
       expect(source).not.toContain('placeholder');
     });
@@ -383,7 +283,9 @@ describe('CodeImplementationStorage', () => {
 
       writeEntrySource(stateDir, implId, 'export const meta = { name: "updated", version: "1", ruleId: "R", coversCondition: "c" }; export function evaluate() { return { decision: "allow", matched: false, reason: "updated" }; }');
 
-      expect(loadEntrySource(stateDir, implId)).toContain('updated');
+      const assetRoot = getImplementationAssetRoot(stateDir, implId);
+      const source = fs.readFileSync(path.join(assetRoot, 'entry.js'), 'utf-8');
+      expect(source).toContain('updated');
     });
 
     it('removes the asset directory through deleteImplementationAssetDir', () => {

package/tests/core/rule-host-adversarial-output.test.ts

@@ -0,0 +1,242 @@
+/**
+ * PRI-437 Slice 5: Invalid tier/adversarial diagnostics cannot corrupt output
+ *
+ * PURPOSE: Verify that adversarial RuleCode cannot corrupt the RuleHost output
+ * or merge logic through:
+ *   1. Prototype pollution in diagnostics field
+ *   2. Invalid tier in input (non-number epTier)
+ *   3. Adversarial correctionProposal with prototype pollution
+ *
+ * ERR risk mitigation:
+ *   - ERR-001: no `as` bypass on untrusted VM output
+ *   - ERR-013: Object.hasOwn for untrusted keys
+ *   - ERR-005: validate array element types
+ *
+ * Test approach:
+ *   - Real SQLite activation with adversarial RuleCode
+ *   - Real RuleHost.evaluate() (public interface)
+ *   - Verify output is either rejected (undefined) or safely contained
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import { SqliteConnection, SqliteActivationStateStore } from '@principles/core/runtime-v2';
+import type { RuleHostInput } from '@principles/core/runtime-v2';
+import { RuleHost } from '../../src/core/rule-host.js';
+
+// ── Test helpers ───────────────────────────────────────────────────────────
+
+let tempWorkspaceDir: string;
+let tempStateDir: string;
+let sqliteConn: SqliteConnection;
+
+function setupTempDirs(): void {
+  const baseTmp = os.tmpdir();
+  tempWorkspaceDir = fs.mkdtempSync(path.join(baseTmp, 'pd-rulehost-adversarial-'));
+  tempStateDir = path.join(tempWorkspaceDir, '.principles');
+  fs.mkdirSync(tempStateDir, { recursive: true });
+}
+
+function insertRuleArtifact(
+  artifactId: string,
+  ruleId: string,
+  sourceTaskId: string,
+  code: string,
+): void {
+  const db = sqliteConn.getDb();
+  const now = new Date().toISOString();
+  const contentJson = JSON.stringify({
+    principleId: `P_${ruleId}`,
+    ruleId,
+    implementationCode: code,
+    goldenTrace: { traceId: `trace-${ruleId}`, cases: [], createdAt: now, version: 1 },
+    ruleHostGateDecision: 'accepted_shadow',
+    affectedTools: ['write_file'],
+    painReasonSummary: 'Test: adversarial',
+  });
+
+  db.prepare(`
+    INSERT INTO pi_artifacts (artifact_id, artifact_kind, source_task_id, source_principle_id, source_rule_id, lineage_artifact_ids, validation_status, content_json, created_at, updated_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `).run(
+    artifactId, 'rule', sourceTaskId, `P_${ruleId}`, ruleId,
+    '[]', 'validated', contentJson, now, now,
+  );
+}
+
+async function insertActivation(
+  activationId: string,
+  artifactId: string,
+  ruleId: string,
+): Promise<void> {
+  const store = new SqliteActivationStateStore(sqliteConn);
+  const now = new Date().toISOString();
+  await store.recordActivation({
+    activationId,
+    idempotencyKey: `${artifactId}::code_tool_hook`,
+    artifactId,
+    channel: 'code_tool_hook',
+    action: 'code_tool_hook_shadow_activate',
+    targetRef: `impl://${ruleId}`,
+    activatedAt: now,
+    deactivatedAt: null,
+  });
+}
+
+function makeInput(normalizedPath: string, epTier?: unknown): RuleHostInput {
+  return {
+    action: {
+      toolName: 'write_file',
+      normalizedPath,
+      paramsSummary: { path: normalizedPath },
+    },
+    workspace: { isRiskPath: false, planStatus: 'NONE' as const, hasPlanFile: false },
+    session: { sessionId: 'test-session-adversarial', currentGfi: 0, recentThinking: false },
+    evolution: { epTier: epTier as number },
+    derived: { estimatedLineChanges: 1, bashRisk: 'safe' as const },
+  };
+}
+
+// ── Setup / Teardown ───────────────────────────────────────────────────────
+
+beforeEach(() => {
+  setupTempDirs();
+  sqliteConn = new SqliteConnection(tempWorkspaceDir);
+  sqliteConn.getDb();
+});
+
+afterEach(() => {
+  try { sqliteConn?.close(); } catch { /* best-effort */ }
+  try { fs.rmSync(tempWorkspaceDir, { recursive: true, force: true }); } catch { /* Windows */ }
+});
+
+// ── Slice 5: Adversarial diagnostics cannot corrupt output ─────────────────
+
+describe('PRI-437 Slice 5: Invalid tier/adversarial diagnostics cannot corrupt output', () => {
+  it('prototype pollution in diagnostics field is rejected by validator', async () => {
+    const RULE_ID = 'R_TEST_PROTO_005';
+    const ARTIFACT_ID = 'art-proto-005';
+    const ACTIVATION_ID = `act_code_${RULE_ID}`;
+
+    // RuleCode that tries to inject __proto__ as an own property in diagnostics
+    const ADVERSARIAL_CODE = `
+function evaluate(input, helpers) {
+  var diag = {};
+  Object.defineProperty(diag, '__proto__', { value: { polluted: true }, enumerable: true, configurable: true });
+  Object.defineProperty(diag, 'constructor', { value: { polluted: true }, enumerable: true, configurable: true });
+  return { decision: 'block', matched: true, reason: 'adversarial', diagnostics: diag };
+}
+var meta = { name: 'proto-rule', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+
+    insertRuleArtifact(ARTIFACT_ID, RULE_ID, 'task-proto-005', ADVERSARIAL_CODE);
+    await insertActivation(ACTIVATION_ID, ARTIFACT_ID, RULE_ID);
+
+    const warnCalls: string[] = [];
+    const spyLogger = {
+      warn: (message: string) => { warnCalls.push(message); },
+      error: () => {},
+      info: () => {},
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+    const result = ruleHost.evaluate(makeInput('/etc/passwd'));
+
+    // PRI-437 fail-closed contract: adversarial results must be rejected entirely,
+    // resulting in conservative degradation (undefined). Not "accepted but sanitized".
+    expect(result).toBeUndefined();
+
+    // Must emit warn evidence about the invalid result
+    expect(warnCalls.length).toBeGreaterThan(0);
+  });
+
+  it('invalid tier (string) in input does not corrupt output validation', async () => {
+    const RULE_ID = 'R_TEST_TIER_005';
+    const ARTIFACT_ID = 'art-tier-005';
+    const ACTIVATION_ID = `act_code_${RULE_ID}`;
+
+    // RuleCode that tries to use epTier as a string and produces invalid output
+    const ADVERSARIAL_CODE = `
+function evaluate(input, helpers) {
+  var tier = input.evolution.epTier;
+  // If tier is a string, try to use it to bypass validation
+  if (typeof tier === 'string') {
+    return { decision: 'BLOCK', matched: 'yes', reason: 123 };
+  }
+  return { decision: 'block', matched: true, reason: 'valid block' };
+}
+var meta = { name: 'tier-rule', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+
+    insertRuleArtifact(ARTIFACT_ID, RULE_ID, 'task-tier-005', ADVERSARIAL_CODE);
+    await insertActivation(ACTIVATION_ID, ARTIFACT_ID, RULE_ID);
+
+    const warnCalls: string[] = [];
+    const spyLogger = {
+      warn: (message: string) => { warnCalls.push(message); },
+      error: () => {},
+      info: () => {},
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+
+    // Pass invalid tier (string instead of number)
+    const result = ruleHost.evaluate(makeInput('/etc/passwd', 'invalid_tier_string'));
+
+    // The invalid output (decision='BLOCK' instead of 'block', matched='yes' instead of boolean)
+    // must be rejected by the validator → undefined (conservative degradation)
+    expect(result).toBeUndefined();
+
+    // Must emit warn evidence about the invalid result
+    expect(warnCalls.length).toBeGreaterThan(0);
+    const invalidWarn = warnCalls.find(m =>
+      m.toLowerCase().includes('invalid') ||
+      m.toLowerCase().includes('evaluation failed')
+    );
+    expect(invalidWarn).toBeDefined();
+  });
+
+  it('adversarial correctionProposal with prototype pollution is rejected', async () => {
+    const RULE_ID = 'R_TEST_CORR_005';
+    const ARTIFACT_ID = 'art-corr-005';
+    const ACTIVATION_ID = `act_code_${RULE_ID}`;
+
+    // RuleCode that returns auto_correct with adversarial correctionProposal
+    const ADVERSARIAL_CODE = `
+function evaluate(input, helpers) {
+  var proposal = {
+    ruleId: '${RULE_ID}',
+    correctedFields: [{ field: 'file_path', reason: 'x' }],
+    proposedParams: { file_path: '/safe/path' },
+    applicationMode: 'live',
+    confidence: 0.9,
+  };
+  // Try to inject __proto__ into the proposal
+  Object.defineProperty(proposal, '__proto__', { value: { polluted: true }, enumerable: true });
+  return { decision: 'auto_correct', matched: true, reason: 'adversarial correction', correctionProposal: proposal };
+}
+var meta = { name: 'corr-rule', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+
+    insertRuleArtifact(ARTIFACT_ID, RULE_ID, 'task-corr-005', ADVERSARIAL_CODE);
+    await insertActivation(ACTIVATION_ID, ARTIFACT_ID, RULE_ID);
+
+    const warnCalls: string[] = [];
+    const spyLogger = {
+      warn: (message: string) => { warnCalls.push(message); },
+      error: () => {},
+      info: () => {},
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+    const result = ruleHost.evaluate(makeInput('/etc/passwd'));
+
+    // PRI-437 fail-closed contract: adversarial correctionProposal must be rejected
+    // entirely, resulting in conservative degradation (undefined).
+    expect(result).toBeUndefined();
+
+    // Must emit warn evidence
+    expect(warnCalls.length).toBeGreaterThan(0);
+  });
+});

package/tests/core/rule-host-autocorrect-vm.test.ts

@@ -0,0 +1,163 @@
+/**
+ * PRI-437 Adversarial Self-Review: Valid auto_correct from VM must be accepted
+ *
+ * PURPOSE: Verify that a valid auto_correct proposal created INSIDE the vm
+ * context is accepted by the validator (not rejected due to prototype realm
+ * mismatch).
+ *
+ * CONTEXT: validateCorrectionProposal uses isPlainObject which checks
+ * Object.getPrototypeOf() === Object.prototype. VM-created objects have
+ * prototypes from the VM realm, not the host realm, so isPlainObject
+ * returns false and rejects all VM-created proposals.
+ *
+ * ERR risk mitigation:
+ *   - ERR-001: no `as` bypass on untrusted VM output
+ *   - ERR-002: fail-closed with reason (not silent rejection)
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import { SqliteConnection, SqliteActivationStateStore } from '@principles/core/runtime-v2';
+import type { RuleHostInput } from '@principles/core/runtime-v2';
+import { RuleHost } from '../../src/core/rule-host.js';
+
+let tempWorkspaceDir: string;
+let tempStateDir: string;
+let sqliteConn: SqliteConnection;
+
+function setupTempDirs(): void {
+  const baseTmp = os.tmpdir();
+  tempWorkspaceDir = fs.mkdtempSync(path.join(baseTmp, 'pd-rulehost-autocorrect-'));
+  tempStateDir = path.join(tempWorkspaceDir, '.principles');
+  fs.mkdirSync(tempStateDir, { recursive: true });
+}
+
+function insertRuleArtifact(
+  artifactId: string,
+  ruleId: string,
+  sourceTaskId: string,
+  code: string,
+): void {
+  const db = sqliteConn.getDb();
+  const now = new Date().toISOString();
+  const contentJson = JSON.stringify({
+    principleId: `P_${ruleId}`,
+    ruleId,
+    implementationCode: code,
+    goldenTrace: { traceId: `trace-${ruleId}`, cases: [], createdAt: now, version: 1 },
+    ruleHostGateDecision: 'accepted_shadow',
+    affectedTools: ['write_file'],
+    painReasonSummary: 'Test: auto_correct',
+  });
+
+  db.prepare(`
+    INSERT INTO pi_artifacts (artifact_id, artifact_kind, source_task_id, source_principle_id, source_rule_id, lineage_artifact_ids, validation_status, content_json, created_at, updated_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `).run(
+    artifactId, 'rule', sourceTaskId, `P_${ruleId}`, ruleId,
+    '[]', 'validated', contentJson, now, now,
+  );
+}
+
+async function insertActivation(
+  activationId: string,
+  artifactId: string,
+  ruleId: string,
+): Promise<void> {
+  const store = new SqliteActivationStateStore(sqliteConn);
+  const now = new Date().toISOString();
+  await store.recordActivation({
+    activationId,
+    idempotencyKey: `${artifactId}::code_tool_hook`,
+    artifactId,
+    channel: 'code_tool_hook',
+    action: 'code_tool_hook_shadow_activate',
+    targetRef: `impl://${ruleId}`,
+    activatedAt: now,
+    deactivatedAt: null,
+  });
+}
+
+function makeInput(normalizedPath: string): RuleHostInput {
+  return {
+    action: {
+      toolName: 'write_file',
+      normalizedPath,
+      paramsSummary: { path: normalizedPath },
+    },
+    workspace: { isRiskPath: false, planStatus: 'NONE' as const, hasPlanFile: false },
+    session: { sessionId: 'test-session-autocorrect', currentGfi: 0, recentThinking: false },
+    evolution: { epTier: 0 },
+    derived: { estimatedLineChanges: 1, bashRisk: 'safe' as const },
+  };
+}
+
+beforeEach(() => {
+  setupTempDirs();
+  sqliteConn = new SqliteConnection(tempWorkspaceDir);
+  sqliteConn.getDb();
+});
+
+afterEach(() => {
+  try { sqliteConn?.close(); } catch { /* best-effort */ }
+  try { fs.rmSync(tempWorkspaceDir, { recursive: true, force: true }); } catch { /* Windows */ }
+});
+
+describe('PRI-437 Adversarial Self-Review: Valid auto_correct from VM must be accepted', () => {
+  it('valid auto_correct proposal created inside VM is accepted (not rejected by isPlainObject)', async () => {
+    const RULE_ID = 'R_TEST_AUTOCORRECT_VALID';
+    const ARTIFACT_ID = 'art-autocorrect-valid';
+    const ACTIVATION_ID = `act_code_${RULE_ID}`;
+
+    // RuleCode that returns a valid auto_correct proposal.
+    // The proposal object is created INSIDE the vm context, so its prototype
+    // is the VM realm's Object.prototype, not the host's.
+    const VALID_AUTOCORRECT_CODE = `
+function evaluate(input, helpers) {
+  return {
+    decision: 'auto_correct',
+    matched: true,
+    reason: 'path should be within workspace',
+    correctionProposal: {
+      ruleId: '${RULE_ID}',
+      correctedFields: [{ field: 'file_path', original: input.action.normalizedPath, proposed: '/safe/path', reason: 'redirect to safe path' }],
+      proposedParams: { file_path: '/safe/path' },
+      applicationMode: 'shadow',
+      confidence: 0.9,
+      notifyAgent: true
+    }
+  };
+}
+var meta = { name: 'autocorrect-rule', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+
+    insertRuleArtifact(ARTIFACT_ID, RULE_ID, 'task-autocorrect-valid', VALID_AUTOCORRECT_CODE);
+    await insertActivation(ACTIVATION_ID, ARTIFACT_ID, RULE_ID);
+
+    const warnCalls: string[] = [];
+    const spyLogger = {
+      warn: (message: string) => { warnCalls.push(message); },
+      error: () => {},
+      info: () => {},
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+    const result = ruleHost.evaluate(makeInput('/etc/passwd'));
+
+    // The valid auto_correct proposal MUST be accepted — not rejected due to
+    // VM prototype realm mismatch.
+    expect(result).toBeDefined();
+    expect(result?.decision).toBe('auto_correct');
+    expect(result?.matched).toBe(true);
+    expect(result?.correctionProposal).toBeDefined();
+    expect(result?.correctionProposal?.ruleId).toBe(RULE_ID);
+
+    // No warnings should be emitted about invalid results
+    const invalidWarn = warnCalls.find(m =>
+      m.toLowerCase().includes('invalid') ||
+      m.toLowerCase().includes('must be a plain object')
+    );
+    expect(invalidWarn).toBeUndefined();
+  });
+});