principles-disciple 1.124.0 → 1.125.0

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "principles-disciple",
   "name": "Principles Disciple",
   "description": "Evolutionary programming agent framework with strategic guardrails and reflection loops.",
-  "version": "1.124.0",
+  "version": "1.125.0",
   "activation": {
     "onCapabilities": [
       "hook"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "principles-disciple",
-  "version": "1.124.0",
+  "version": "1.125.0",
   "description": "Native OpenClaw plugin for Principles Disciple",
   "type": "module",
   "main": "./dist/bundle.js",

package/src/core/event-log.ts

@@ -28,6 +28,7 @@ import type {
   RuleHostAutoCorrectProposedEventData,
   RuleHostAutoCorrectAppliedEventData,
   RuntimeV2PromptActivationsInjectedEventData,
+  RuleHostUnhealthyEventData,
 } from '../types/event-types.js';
 import { createEmptyDailyStats } from '../types/event-types.js';
 import { atomicWriteFileSync } from '../utils/io.js';
@@ -210,6 +211,18 @@ export class EventLog {
     this.record('runtime_v2_prompt_activations_injected', 'injected', data.sessionId, data);
   }
 
+  /**
+   * PRI-437: Record that an approved rule failed to compile or load.
+   *
+   * This is NOT just a logger.warn — the unhealthy state is persisted to EventLog
+   * so it's visible to CLI (pd runtime health) and Console API.
+   *
+   * ERR-002: degradation includes a reason and nextAction (not silent).
+   */
+  recordRuleHostUnhealthy(data: RuleHostUnhealthyEventData): void {
+    this.record('rulehost_unhealthy', 'failure', undefined, data);
+  }
+
   /**
    * Redact telemetry-sensitive string values in event data before persistence.
    * Applies redactTelemetryString to known high-risk fields (filePath, command,

package/src/core/rule-host.ts

@@ -26,8 +26,10 @@
 
 import { createRuleHostHelpers } from '@principles/core/runtime-v2';
 import { mergeDecisions } from '@principles/core/runtime-v2';
+import { validateRuleHostResult } from '@principles/core/runtime-v2';
 import { SqliteConnection } from '@principles/core/runtime-v2';
 import { loadRuleImplementationModule } from './rule-implementation-runtime.js';
+import { EventLogService } from './event-log.js';
 import type {
   RuleHostInput,
   RuleHostResult,
@@ -241,10 +243,13 @@ export class RuleHost {
           const implId = `act-impl-${activationId}`;
           const moduleExports = loadRuleImplementationModule(implementationCode, implId);
 
-          if (!moduleExports || typeof moduleExports.evaluate !== 'function') {
+          if (!moduleExports || typeof moduleExports.callEvaluate !== 'function') {
+            const reason = 'compiled module has no evaluate function';
             this.logger.warn?.(
-              `[RuleHost] Activation ${activationId}: compiled module has no evaluate function, skipping`
+              `[RuleHost] Activation ${activationId}: ${reason}, skipping`
             );
+            this._recordUnhealthy(activationId, artifactId, ruleId, reason,
+              'Fix the RuleCode to export an evaluate(input, helpers) function, then re-activate');
             continue;
           }
 
@@ -258,10 +263,10 @@ export class RuleHost {
             ? moduleExports.meta
             : fallbackMeta;
 
-          const rawEvaluate = moduleExports.evaluate as (
-            _input: RuleHostInput,
-            _helpers: ReturnType<typeof createRuleHostHelpers>
-          ) => RuleHostResult;
+          // PRI-437: Use callEvaluate (vm-context-bounded) instead of raw evaluate.
+          // callEvaluate runs the invocation INSIDE the vm context with a time
+          // boundary, terminating infinite loops and excessive computation.
+          const boundedCallEvaluate = moduleExports.callEvaluate;
 
           loaded.push({
             implId,
@@ -269,7 +274,18 @@ export class RuleHost {
             meta,
             evaluate: (input: RuleHostInput): RuleHostResult => {
               const frozenHelpers = createRuleHostHelpers(input);
-              const result = rawEvaluate(input, frozenHelpers);
+              // PRI-437: Execute inside vm context with timeout boundary.
+              // If the RuleCode infinite-loops or exceeds the time budget,
+              // vm throws an error that is caught by the caller (mergeDecisions
+              // try/catch), resulting in conservative degradation (undefined).
+              const rawResult = boundedCallEvaluate(input, frozenHelpers);
+              const validation = validateRuleHostResult(rawResult);
+              if (!validation.valid) {
+                throw new Error(
+                  `[RuleHost] Activation ${activationId} returned invalid RuleHostResult: ${validation.errors.join('; ')}`
+                );
+              }
+              const result = rawResult as RuleHostResult;
               if (result.matched && (result.decision === 'block' || result.decision === 'requireApproval')) {
                 result.ruleId = ruleId;
                 result.principleId = meta.ruleId ?? ruleId;
@@ -278,9 +294,16 @@ export class RuleHost {
             },
           });
         } catch (loadError: unknown) {
+          const reason = `compilation failed: ${String(loadError)}`;
           this.logger.warn?.(
-            `[RuleHost] Failed to load activation ${activationId}: ${String(loadError)}`
+            `[RuleHost] Failed to load activation ${activationId}: ${reason}`
           );
+          // ruleId is declared inside the try block and may not be assigned yet;
+          // fall back to sourceRuleId or artifactId (both available in scope)
+          this._recordUnhealthy(activationId, artifactId,
+            sourceRuleId ?? artifactId,
+            reason,
+            'Fix the RuleCode syntax/compilation error, then re-activate the rule');
         }
       }
 
@@ -293,4 +316,42 @@ export class RuleHost {
       }
     }
   }
+
+  /**
+   * PRI-437: Record an unhealthy activation state to EventLog.
+   *
+   * This makes compile/load failures visible to CLI (pd runtime health) and
+   * Console API — NOT just a logger.warn that's silently skipped.
+   *
+   * ERR-002: degradation includes a reason and nextAction (not silent).
+   * Failures in EventLog recording are caught and logged (never throw).
+   */
+  private _recordUnhealthy(
+    activationId: string,
+    artifactId: string,
+    ruleId: string,
+    reason: string,
+    nextAction: string,
+  ): void {
+    try {
+      // Pass undefined as logger: RuleHostLogger only has warn(), but EventLog
+      // calls this.logger.error() without optional chaining. Passing the
+      // RuleHostLogger directly would cause TypeError if EventLog tried to
+      // log an internal error. EventLog's logger is optional; RuleHost already
+      // logs its own warnings for the unhealthy event.
+      const eventLog = EventLogService.get(this.stateDir);
+      eventLog.recordRuleHostUnhealthy({
+        activationId,
+        artifactId,
+        ruleId,
+        reason,
+        nextAction,
+      });
+    } catch (recordError: unknown) {
+      // EventLog recording must never break RuleHost evaluation
+      this.logger.warn?.(
+        `[RuleHost] Failed to record unhealthy event for activation ${activationId}: ${String(recordError)}`
+      );
+    }
+  }
 }

package/src/core/rule-implementation-runtime.ts

@@ -3,8 +3,27 @@ import { nodeVm } from '../utils/node-vm-polyfill.js';
 export interface RuleImplementationModuleExports {
   meta?: unknown;
   evaluate?: unknown;
+  /**
+   * Call evaluate(input, helpers) INSIDE the vm context with a time boundary.
+   *
+   * PRI-437: The evaluate() function extracted from a vm context executes in
+   * the vm realm, but a direct host-realm call has NO timeout protection —
+   * an infinite loop in RuleCode would hang the host process forever.
+   *
+   * callEvaluate runs the invocation inside the vm context via
+   * Script.runInContext({ timeout }), which terminates infinite loops.
+   *
+   * Throws on timeout, compilation error, or if evaluate is missing.
+   */
+  callEvaluate?: (input: unknown, helpers: unknown) => unknown;
 }
 
+/** Timeout (ms) for compiling RuleCode (defining evaluate + meta). */
+const COMPILE_TIMEOUT_MS = 1000;
+
+/** Timeout (ms) for executing evaluate(input, helpers) inside the vm. */
+const EVALUATE_TIMEOUT_MS = 1000;
+
 function normalizeImplementationSource(sourceCode: string): string {
   const withoutExports = sourceCode
     .replace(/export\s+const\s+meta\s*=/, 'const meta =')
@@ -26,13 +45,56 @@ export function loadRuleImplementationModule(
     filename,
   });
 
+  // Compile phase: define evaluate + meta (timeout-bounded)
   script.runInContext(context, {
-    timeout: 1000,
+    timeout: COMPILE_TIMEOUT_MS,
     displayErrors: true,
   });
 
   const moduleExports = (context as { __pdRuleModule?: RuleImplementationModuleExports }).__pdRuleModule;
-  delete (context as { __pdRuleModule?: RuleImplementationModuleExports }).__pdRuleModule;
+  // Note: keep __pdRuleModule on the context so callEvaluate can reference it.
+  // We do NOT delete it here — it's needed for subsequent evaluate calls.
+
+  const hasEvaluate = typeof moduleExports?.evaluate === 'function';
+  const meta = moduleExports?.meta;
+
+  if (!hasEvaluate) {
+    // No evaluate function — return early with no callEvaluate
+    return { meta, evaluate: moduleExports?.evaluate };
+  }
+
+  // PRI-437: Create a context-aware caller that runs evaluate INSIDE the vm
+  // context with a time boundary. This terminates infinite loops and
+  // excessive computation that would otherwise hang the host process.
+  //
+  // The callEvaluate function:
+  //   1. Sets input and helpers as context globals (sandboxed)
+  //   2. Compiles a tiny call script
+  //   3. Runs it in the context with EVALUATE_TIMEOUT_MS
+  //   4. Cleans up globals
+  //   5. Returns the raw result (validation happens in the caller)
+  const callScript = new nodeVm.Script(
+    '__pdRuleModule.evaluate(__pdCallInput, __pdCallHelpers)',
+    { filename: `${filename}.call` },
+  );
+
+  const callEvaluate = (input: unknown, helpers: unknown): unknown => {
+    (context as { __pdCallInput?: unknown }).__pdCallInput = input;
+    (context as { __pdCallHelpers?: unknown }).__pdCallHelpers = helpers;
+    try {
+      return callScript.runInContext(context, {
+        timeout: EVALUATE_TIMEOUT_MS,
+        displayErrors: true,
+      });
+    } finally {
+      try { delete (context as { __pdCallInput?: unknown }).__pdCallInput; } catch { /* noop */ }
+      try { delete (context as { __pdCallHelpers?: unknown }).__pdCallHelpers; } catch { /* noop */ }
+    }
+  };
 
-  return moduleExports ?? {};
+  return {
+    meta,
+    evaluate: moduleExports?.evaluate,
+    callEvaluate,
+  };
 }

package/src/types/event-types.ts

@@ -23,6 +23,7 @@ export type {
   RuleHostAutoCorrectProposedEventData,
   RuleHostAutoCorrectAppliedEventData,
   RuntimeV2PromptActivationsInjectedEventData,
+  RuleHostUnhealthyEventData,
   ToolCallStats,
   ErrorStats,
   PainStats,

package/tests/core/rule-host-adversarial-output.test.ts

@@ -0,0 +1,242 @@
+/**
+ * PRI-437 Slice 5: Invalid tier/adversarial diagnostics cannot corrupt output
+ *
+ * PURPOSE: Verify that adversarial RuleCode cannot corrupt the RuleHost output
+ * or merge logic through:
+ *   1. Prototype pollution in diagnostics field
+ *   2. Invalid tier in input (non-number epTier)
+ *   3. Adversarial correctionProposal with prototype pollution
+ *
+ * ERR risk mitigation:
+ *   - ERR-001: no `as` bypass on untrusted VM output
+ *   - ERR-013: Object.hasOwn for untrusted keys
+ *   - ERR-005: validate array element types
+ *
+ * Test approach:
+ *   - Real SQLite activation with adversarial RuleCode
+ *   - Real RuleHost.evaluate() (public interface)
+ *   - Verify output is either rejected (undefined) or safely contained
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import { SqliteConnection, SqliteActivationStateStore } from '@principles/core/runtime-v2';
+import type { RuleHostInput } from '@principles/core/runtime-v2';
+import { RuleHost } from '../../src/core/rule-host.js';
+
+// ── Test helpers ───────────────────────────────────────────────────────────
+
+let tempWorkspaceDir: string;
+let tempStateDir: string;
+let sqliteConn: SqliteConnection;
+
+function setupTempDirs(): void {
+  const baseTmp = os.tmpdir();
+  tempWorkspaceDir = fs.mkdtempSync(path.join(baseTmp, 'pd-rulehost-adversarial-'));
+  tempStateDir = path.join(tempWorkspaceDir, '.principles');
+  fs.mkdirSync(tempStateDir, { recursive: true });
+}
+
+function insertRuleArtifact(
+  artifactId: string,
+  ruleId: string,
+  sourceTaskId: string,
+  code: string,
+): void {
+  const db = sqliteConn.getDb();
+  const now = new Date().toISOString();
+  const contentJson = JSON.stringify({
+    principleId: `P_${ruleId}`,
+    ruleId,
+    implementationCode: code,
+    goldenTrace: { traceId: `trace-${ruleId}`, cases: [], createdAt: now, version: 1 },
+    ruleHostGateDecision: 'accepted_shadow',
+    affectedTools: ['write_file'],
+    painReasonSummary: 'Test: adversarial',
+  });
+
+  db.prepare(`
+    INSERT INTO pi_artifacts (artifact_id, artifact_kind, source_task_id, source_principle_id, source_rule_id, lineage_artifact_ids, validation_status, content_json, created_at, updated_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `).run(
+    artifactId, 'rule', sourceTaskId, `P_${ruleId}`, ruleId,
+    '[]', 'validated', contentJson, now, now,
+  );
+}
+
+async function insertActivation(
+  activationId: string,
+  artifactId: string,
+  ruleId: string,
+): Promise<void> {
+  const store = new SqliteActivationStateStore(sqliteConn);
+  const now = new Date().toISOString();
+  await store.recordActivation({
+    activationId,
+    idempotencyKey: `${artifactId}::code_tool_hook`,
+    artifactId,
+    channel: 'code_tool_hook',
+    action: 'code_tool_hook_shadow_activate',
+    targetRef: `impl://${ruleId}`,
+    activatedAt: now,
+    deactivatedAt: null,
+  });
+}
+
+function makeInput(normalizedPath: string, epTier?: unknown): RuleHostInput {
+  return {
+    action: {
+      toolName: 'write_file',
+      normalizedPath,
+      paramsSummary: { path: normalizedPath },
+    },
+    workspace: { isRiskPath: false, planStatus: 'NONE' as const, hasPlanFile: false },
+    session: { sessionId: 'test-session-adversarial', currentGfi: 0, recentThinking: false },
+    evolution: { epTier: epTier as number },
+    derived: { estimatedLineChanges: 1, bashRisk: 'safe' as const },
+  };
+}
+
+// ── Setup / Teardown ───────────────────────────────────────────────────────
+
+beforeEach(() => {
+  setupTempDirs();
+  sqliteConn = new SqliteConnection(tempWorkspaceDir);
+  sqliteConn.getDb();
+});
+
+afterEach(() => {
+  try { sqliteConn?.close(); } catch { /* best-effort */ }
+  try { fs.rmSync(tempWorkspaceDir, { recursive: true, force: true }); } catch { /* Windows */ }
+});
+
+// ── Slice 5: Adversarial diagnostics cannot corrupt output ─────────────────
+
+describe('PRI-437 Slice 5: Invalid tier/adversarial diagnostics cannot corrupt output', () => {
+  it('prototype pollution in diagnostics field is rejected by validator', async () => {
+    const RULE_ID = 'R_TEST_PROTO_005';
+    const ARTIFACT_ID = 'art-proto-005';
+    const ACTIVATION_ID = `act_code_${RULE_ID}`;
+
+    // RuleCode that tries to inject __proto__ as an own property in diagnostics
+    const ADVERSARIAL_CODE = `
+function evaluate(input, helpers) {
+  var diag = {};
+  Object.defineProperty(diag, '__proto__', { value: { polluted: true }, enumerable: true, configurable: true });
+  Object.defineProperty(diag, 'constructor', { value: { polluted: true }, enumerable: true, configurable: true });
+  return { decision: 'block', matched: true, reason: 'adversarial', diagnostics: diag };
+}
+var meta = { name: 'proto-rule', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+
+    insertRuleArtifact(ARTIFACT_ID, RULE_ID, 'task-proto-005', ADVERSARIAL_CODE);
+    await insertActivation(ACTIVATION_ID, ARTIFACT_ID, RULE_ID);
+
+    const warnCalls: string[] = [];
+    const spyLogger = {
+      warn: (message: string) => { warnCalls.push(message); },
+      error: () => {},
+      info: () => {},
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+    const result = ruleHost.evaluate(makeInput('/etc/passwd'));
+
+    // PRI-437 fail-closed contract: adversarial results must be rejected entirely,
+    // resulting in conservative degradation (undefined). Not "accepted but sanitized".
+    expect(result).toBeUndefined();
+
+    // Must emit warn evidence about the invalid result
+    expect(warnCalls.length).toBeGreaterThan(0);
+  });
+
+  it('invalid tier (string) in input does not corrupt output validation', async () => {
+    const RULE_ID = 'R_TEST_TIER_005';
+    const ARTIFACT_ID = 'art-tier-005';
+    const ACTIVATION_ID = `act_code_${RULE_ID}`;
+
+    // RuleCode that tries to use epTier as a string and produces invalid output
+    const ADVERSARIAL_CODE = `
+function evaluate(input, helpers) {
+  var tier = input.evolution.epTier;
+  // If tier is a string, try to use it to bypass validation
+  if (typeof tier === 'string') {
+    return { decision: 'BLOCK', matched: 'yes', reason: 123 };
+  }
+  return { decision: 'block', matched: true, reason: 'valid block' };
+}
+var meta = { name: 'tier-rule', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+
+    insertRuleArtifact(ARTIFACT_ID, RULE_ID, 'task-tier-005', ADVERSARIAL_CODE);
+    await insertActivation(ACTIVATION_ID, ARTIFACT_ID, RULE_ID);
+
+    const warnCalls: string[] = [];
+    const spyLogger = {
+      warn: (message: string) => { warnCalls.push(message); },
+      error: () => {},
+      info: () => {},
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+
+    // Pass invalid tier (string instead of number)
+    const result = ruleHost.evaluate(makeInput('/etc/passwd', 'invalid_tier_string'));
+
+    // The invalid output (decision='BLOCK' instead of 'block', matched='yes' instead of boolean)
+    // must be rejected by the validator → undefined (conservative degradation)
+    expect(result).toBeUndefined();
+
+    // Must emit warn evidence about the invalid result
+    expect(warnCalls.length).toBeGreaterThan(0);
+    const invalidWarn = warnCalls.find(m =>
+      m.toLowerCase().includes('invalid') ||
+      m.toLowerCase().includes('evaluation failed')
+    );
+    expect(invalidWarn).toBeDefined();
+  });
+
+  it('adversarial correctionProposal with prototype pollution is rejected', async () => {
+    const RULE_ID = 'R_TEST_CORR_005';
+    const ARTIFACT_ID = 'art-corr-005';
+    const ACTIVATION_ID = `act_code_${RULE_ID}`;
+
+    // RuleCode that returns auto_correct with adversarial correctionProposal
+    const ADVERSARIAL_CODE = `
+function evaluate(input, helpers) {
+  var proposal = {
+    ruleId: '${RULE_ID}',
+    correctedFields: [{ field: 'file_path', reason: 'x' }],
+    proposedParams: { file_path: '/safe/path' },
+    applicationMode: 'live',
+    confidence: 0.9,
+  };
+  // Try to inject __proto__ into the proposal
+  Object.defineProperty(proposal, '__proto__', { value: { polluted: true }, enumerable: true });
+  return { decision: 'auto_correct', matched: true, reason: 'adversarial correction', correctionProposal: proposal };
+}
+var meta = { name: 'corr-rule', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+
+    insertRuleArtifact(ARTIFACT_ID, RULE_ID, 'task-corr-005', ADVERSARIAL_CODE);
+    await insertActivation(ACTIVATION_ID, ARTIFACT_ID, RULE_ID);
+
+    const warnCalls: string[] = [];
+    const spyLogger = {
+      warn: (message: string) => { warnCalls.push(message); },
+      error: () => {},
+      info: () => {},
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+    const result = ruleHost.evaluate(makeInput('/etc/passwd'));
+
+    // PRI-437 fail-closed contract: adversarial correctionProposal must be rejected
+    // entirely, resulting in conservative degradation (undefined).
+    expect(result).toBeUndefined();
+
+    // Must emit warn evidence
+    expect(warnCalls.length).toBeGreaterThan(0);
+  });
+});

package/tests/core/rule-host-autocorrect-vm.test.ts

@@ -0,0 +1,163 @@
+/**
+ * PRI-437 Adversarial Self-Review: Valid auto_correct from VM must be accepted
+ *
+ * PURPOSE: Verify that a valid auto_correct proposal created INSIDE the vm
+ * context is accepted by the validator (not rejected due to prototype realm
+ * mismatch).
+ *
+ * CONTEXT: validateCorrectionProposal uses isPlainObject which checks
+ * Object.getPrototypeOf() === Object.prototype. VM-created objects have
+ * prototypes from the VM realm, not the host realm, so isPlainObject
+ * returns false and rejects all VM-created proposals.
+ *
+ * ERR risk mitigation:
+ *   - ERR-001: no `as` bypass on untrusted VM output
+ *   - ERR-002: fail-closed with reason (not silent rejection)
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import { SqliteConnection, SqliteActivationStateStore } from '@principles/core/runtime-v2';
+import type { RuleHostInput } from '@principles/core/runtime-v2';
+import { RuleHost } from '../../src/core/rule-host.js';
+
+let tempWorkspaceDir: string;
+let tempStateDir: string;
+let sqliteConn: SqliteConnection;
+
+function setupTempDirs(): void {
+  const baseTmp = os.tmpdir();
+  tempWorkspaceDir = fs.mkdtempSync(path.join(baseTmp, 'pd-rulehost-autocorrect-'));
+  tempStateDir = path.join(tempWorkspaceDir, '.principles');
+  fs.mkdirSync(tempStateDir, { recursive: true });
+}
+
+function insertRuleArtifact(
+  artifactId: string,
+  ruleId: string,
+  sourceTaskId: string,
+  code: string,
+): void {
+  const db = sqliteConn.getDb();
+  const now = new Date().toISOString();
+  const contentJson = JSON.stringify({
+    principleId: `P_${ruleId}`,
+    ruleId,
+    implementationCode: code,
+    goldenTrace: { traceId: `trace-${ruleId}`, cases: [], createdAt: now, version: 1 },
+    ruleHostGateDecision: 'accepted_shadow',
+    affectedTools: ['write_file'],
+    painReasonSummary: 'Test: auto_correct',
+  });
+
+  db.prepare(`
+    INSERT INTO pi_artifacts (artifact_id, artifact_kind, source_task_id, source_principle_id, source_rule_id, lineage_artifact_ids, validation_status, content_json, created_at, updated_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `).run(
+    artifactId, 'rule', sourceTaskId, `P_${ruleId}`, ruleId,
+    '[]', 'validated', contentJson, now, now,
+  );
+}
+
+async function insertActivation(
+  activationId: string,
+  artifactId: string,
+  ruleId: string,
+): Promise<void> {
+  const store = new SqliteActivationStateStore(sqliteConn);
+  const now = new Date().toISOString();
+  await store.recordActivation({
+    activationId,
+    idempotencyKey: `${artifactId}::code_tool_hook`,
+    artifactId,
+    channel: 'code_tool_hook',
+    action: 'code_tool_hook_shadow_activate',
+    targetRef: `impl://${ruleId}`,
+    activatedAt: now,
+    deactivatedAt: null,
+  });
+}
+
+function makeInput(normalizedPath: string): RuleHostInput {
+  return {
+    action: {
+      toolName: 'write_file',
+      normalizedPath,
+      paramsSummary: { path: normalizedPath },
+    },
+    workspace: { isRiskPath: false, planStatus: 'NONE' as const, hasPlanFile: false },
+    session: { sessionId: 'test-session-autocorrect', currentGfi: 0, recentThinking: false },
+    evolution: { epTier: 0 },
+    derived: { estimatedLineChanges: 1, bashRisk: 'safe' as const },
+  };
+}
+
+beforeEach(() => {
+  setupTempDirs();
+  sqliteConn = new SqliteConnection(tempWorkspaceDir);
+  sqliteConn.getDb();
+});
+
+afterEach(() => {
+  try { sqliteConn?.close(); } catch { /* best-effort */ }
+  try { fs.rmSync(tempWorkspaceDir, { recursive: true, force: true }); } catch { /* Windows */ }
+});
+
+describe('PRI-437 Adversarial Self-Review: Valid auto_correct from VM must be accepted', () => {
+  it('valid auto_correct proposal created inside VM is accepted (not rejected by isPlainObject)', async () => {
+    const RULE_ID = 'R_TEST_AUTOCORRECT_VALID';
+    const ARTIFACT_ID = 'art-autocorrect-valid';
+    const ACTIVATION_ID = `act_code_${RULE_ID}`;
+
+    // RuleCode that returns a valid auto_correct proposal.
+    // The proposal object is created INSIDE the vm context, so its prototype
+    // is the VM realm's Object.prototype, not the host's.
+    const VALID_AUTOCORRECT_CODE = `
+function evaluate(input, helpers) {
+  return {
+    decision: 'auto_correct',
+    matched: true,
+    reason: 'path should be within workspace',
+    correctionProposal: {
+      ruleId: '${RULE_ID}',
+      correctedFields: [{ field: 'file_path', original: input.action.normalizedPath, proposed: '/safe/path', reason: 'redirect to safe path' }],
+      proposedParams: { file_path: '/safe/path' },
+      applicationMode: 'shadow',
+      confidence: 0.9,
+      notifyAgent: true
+    }
+  };
+}
+var meta = { name: 'autocorrect-rule', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+
+    insertRuleArtifact(ARTIFACT_ID, RULE_ID, 'task-autocorrect-valid', VALID_AUTOCORRECT_CODE);
+    await insertActivation(ACTIVATION_ID, ARTIFACT_ID, RULE_ID);
+
+    const warnCalls: string[] = [];
+    const spyLogger = {
+      warn: (message: string) => { warnCalls.push(message); },
+      error: () => {},
+      info: () => {},
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+    const result = ruleHost.evaluate(makeInput('/etc/passwd'));
+
+    // The valid auto_correct proposal MUST be accepted — not rejected due to
+    // VM prototype realm mismatch.
+    expect(result).toBeDefined();
+    expect(result?.decision).toBe('auto_correct');
+    expect(result?.matched).toBe(true);
+    expect(result?.correctionProposal).toBeDefined();
+    expect(result?.correctionProposal?.ruleId).toBe(RULE_ID);
+
+    // No warnings should be emitted about invalid results
+    const invalidWarn = warnCalls.find(m =>
+      m.toLowerCase().includes('invalid') ||
+      m.toLowerCase().includes('must be a plain object')
+    );
+    expect(invalidWarn).toBeUndefined();
+  });
+});