principles-disciple 1.124.0 → 1.126.0

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "principles-disciple",
   "name": "Principles Disciple",
   "description": "Evolutionary programming agent framework with strategic guardrails and reflection loops.",
-  "version": "1.124.0",
+  "version": "1.126.0",
   "activation": {
     "onCapabilities": [
       "hook"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "principles-disciple",
-  "version": "1.124.0",
+  "version": "1.126.0",
   "description": "Native OpenClaw plugin for Principles Disciple",
   "type": "module",
   "main": "./dist/bundle.js",

package/src/core/event-log.ts

@@ -28,6 +28,7 @@ import type {
   RuleHostAutoCorrectProposedEventData,
   RuleHostAutoCorrectAppliedEventData,
   RuntimeV2PromptActivationsInjectedEventData,
+  RuleHostUnhealthyEventData,
 } from '../types/event-types.js';
 import { createEmptyDailyStats } from '../types/event-types.js';
 import { atomicWriteFileSync } from '../utils/io.js';
@@ -210,6 +211,18 @@ export class EventLog {
     this.record('runtime_v2_prompt_activations_injected', 'injected', data.sessionId, data);
   }
 
+  /**
+   * PRI-437: Record that an approved rule failed to compile or load.
+   *
+   * This is NOT just a logger.warn — the unhealthy state is persisted to EventLog
+   * so it's visible to CLI (pd runtime health) and Console API.
+   *
+   * ERR-002: degradation includes a reason and nextAction (not silent).
+   */
+  recordRuleHostUnhealthy(data: RuleHostUnhealthyEventData): void {
+    this.record('rulehost_unhealthy', 'failure', undefined, data);
+  }
+
   /**
    * Redact telemetry-sensitive string values in event data before persistence.
    * Applies redactTelemetryString to known high-risk fields (filePath, command,

package/src/core/rule-host.ts

@@ -26,8 +26,10 @@
 
 import { createRuleHostHelpers } from '@principles/core/runtime-v2';
 import { mergeDecisions } from '@principles/core/runtime-v2';
+import { validateRuleHostResult } from '@principles/core/runtime-v2';
 import { SqliteConnection } from '@principles/core/runtime-v2';
 import { loadRuleImplementationModule } from './rule-implementation-runtime.js';
+import { EventLogService } from './event-log.js';
 import type {
   RuleHostInput,
   RuleHostResult,
@@ -64,6 +66,7 @@ export class RuleHost {
   private readonly stateDir: string;
   private readonly logger: RuleHostLogger;
   private readonly workspaceDir: string | null;
+  private readonly implementationSources = new Map<string, { activationId: string; artifactId: string; ruleId: string }>();
 
   constructor(stateDir: string, logger: RuleHostLogger = console, options?: RuleHostOptions) {
     this.stateDir = stateDir;
@@ -83,7 +86,23 @@ export class RuleHost {
   evaluate(input: RuleHostInput): RuleHostResult | undefined {
     try {
       const activeImpls = this._loadActiveCodeImplementations();
-      return mergeDecisions(activeImpls, input, this.logger);
+      return mergeDecisions(activeImpls, input, {
+        warn: this.logger.warn,
+        onImplementationUnhealthy: (impl, reason) => {
+          const source = this.implementationSources.get(impl.implId);
+          if (!source) {
+            this.logger.warn?.(`[RuleHost] No source mapping for implId=${impl.implId}, cannot record unhealthy event`);
+            return;
+          }
+          this._recordUnhealthy(
+            source.activationId,
+            source.artifactId,
+            source.ruleId,
+            reason,
+            'Fix the RuleCode runtime error or return shape, then re-activate the rule',
+          );
+        },
+      });
     } catch (hostError: unknown) {
       // Conservative degradation: log and return undefined (D-08)
       this.logger.warn?.(
@@ -134,6 +153,7 @@ export class RuleHost {
    * All data from SQLite is treated as unknown and validated before use.
    */
   private _loadFromActivationsTable(workspaceDir: string): LoadedImplementation[] {
+    this.implementationSources.clear();
     const sqliteConn = new SqliteConnection(workspaceDir);
     try {
       const db = sqliteConn.getDb();
@@ -197,6 +217,19 @@ export class RuleHost {
             `reason=at most one active activation per rule is allowed ` +
             `nextAction=deactivate all but one activation for this target_ref`
           );
+          for (const r of group) {
+            const activationId = typeof r['activation_id'] === 'string' ? r['activation_id'] : '';
+            const artifactId = typeof r['artifact_id'] === 'string' ? r['artifact_id'] : '';
+            if (activationId && artifactId) {
+              this._recordUnhealthy(
+                activationId,
+                artifactId,
+                targetRef,
+                `duplicate active activation for target_ref ${targetRef}`,
+                'Deactivate all but one activation for this target_ref',
+              );
+            }
+          }
         } else {
           validRows.push(group[0]);
         }
@@ -241,10 +274,13 @@ export class RuleHost {
           const implId = `act-impl-${activationId}`;
           const moduleExports = loadRuleImplementationModule(implementationCode, implId);
 
-          if (!moduleExports || typeof moduleExports.evaluate !== 'function') {
+          if (!moduleExports || typeof moduleExports.callEvaluate !== 'function') {
+            const reason = 'compiled module has no evaluate function';
             this.logger.warn?.(
-              `[RuleHost] Activation ${activationId}: compiled module has no evaluate function, skipping`
+              `[RuleHost] Activation ${activationId}: ${reason}, skipping`
             );
+            this._recordUnhealthy(activationId, artifactId, ruleId, reason,
+              'Fix the RuleCode to export an evaluate(input, helpers) function, then re-activate');
             continue;
           }
 
@@ -258,10 +294,11 @@ export class RuleHost {
             ? moduleExports.meta
             : fallbackMeta;
 
-          const rawEvaluate = moduleExports.evaluate as (
-            _input: RuleHostInput,
-            _helpers: ReturnType<typeof createRuleHostHelpers>
-          ) => RuleHostResult;
+          // PRI-437: Use callEvaluate (vm-context-bounded) instead of raw evaluate.
+          // callEvaluate runs the invocation INSIDE the vm context with a time
+          // boundary, terminating infinite loops and excessive computation.
+          const boundedCallEvaluate = moduleExports.callEvaluate;
+          this.implementationSources.set(implId, { activationId, artifactId, ruleId });
 
           loaded.push({
             implId,
@@ -269,7 +306,15 @@ export class RuleHost {
             meta,
             evaluate: (input: RuleHostInput): RuleHostResult => {
               const frozenHelpers = createRuleHostHelpers(input);
-              const result = rawEvaluate(input, frozenHelpers);
+              // PRI-437: Execute inside vm context with timeout boundary.
+              const rawResult = boundedCallEvaluate(input, frozenHelpers);
+              const validation = validateRuleHostResult(rawResult);
+              if (!validation.valid) {
+                throw new Error(
+                  `[RuleHost] Activation ${activationId} returned invalid RuleHostResult: ${validation.errors.join('; ')}`
+                );
+              }
+              const result = rawResult as RuleHostResult;
               if (result.matched && (result.decision === 'block' || result.decision === 'requireApproval')) {
                 result.ruleId = ruleId;
                 result.principleId = meta.ruleId ?? ruleId;
@@ -278,9 +323,16 @@ export class RuleHost {
             },
           });
         } catch (loadError: unknown) {
+          const reason = `compilation failed: ${String(loadError)}`;
           this.logger.warn?.(
-            `[RuleHost] Failed to load activation ${activationId}: ${String(loadError)}`
+            `[RuleHost] Failed to load activation ${activationId}: ${reason}`
           );
+          // ruleId is declared inside the try block and may not be assigned yet;
+          // fall back to sourceRuleId or artifactId (both available in scope)
+          this._recordUnhealthy(activationId, artifactId,
+            sourceRuleId ?? artifactId,
+            reason,
+            'Fix the RuleCode syntax/compilation error, then re-activate the rule');
         }
       }
 
@@ -293,4 +345,42 @@ export class RuleHost {
       }
     }
   }
+
+  /**
+   * PRI-437: Record an unhealthy activation state to EventLog.
+   *
+   * This makes compile/load failures visible to CLI (pd runtime health) and
+   * Console API — NOT just a logger.warn that's silently skipped.
+   *
+   * ERR-002: degradation includes a reason and nextAction (not silent).
+   * Failures in EventLog recording are caught and logged (never throw).
+   */
+  private _recordUnhealthy(
+    activationId: string,
+    artifactId: string,
+    ruleId: string,
+    reason: string,
+    nextAction: string,
+  ): void {
+    try {
+      // Pass undefined as logger: RuleHostLogger only has warn(), but EventLog
+      // calls this.logger.error() without optional chaining. Passing the
+      // RuleHostLogger directly would cause TypeError if EventLog tried to
+      // log an internal error. EventLog's logger is optional; RuleHost already
+      // logs its own warnings for the unhealthy event.
+      const eventLog = EventLogService.get(this.stateDir);
+      eventLog.recordRuleHostUnhealthy({
+        activationId,
+        artifactId,
+        ruleId,
+        reason,
+        nextAction,
+      });
+    } catch (recordError: unknown) {
+      // EventLog recording must never break RuleHost evaluation
+      this.logger.warn?.(
+        `[RuleHost] Failed to record unhealthy event for activation ${activationId}: ${String(recordError)}`
+      );
+    }
+  }
 }

package/src/core/rule-implementation-runtime.ts

@@ -1,10 +1,58 @@
 import { nodeVm } from '../utils/node-vm-polyfill.js';
+import { spawnSync } from 'node:child_process';
 
 export interface RuleImplementationModuleExports {
   meta?: unknown;
   evaluate?: unknown;
+  /**
+   * Call evaluate(input, helpers) INSIDE the vm context with a time boundary.
+   *
+   * PRI-437: The evaluate() function extracted from a vm context executes in
+   * the vm realm, but a direct host-realm call has NO timeout protection —
+   * an infinite loop in RuleCode would hang the host process forever.
+   *
+   * callEvaluate runs the invocation inside the vm context via
+   * Script.runInContext({ timeout }), which terminates infinite loops.
+   *
+   * Throws on timeout, compilation error, or if evaluate is missing.
+   */
+  callEvaluate?: (input: unknown, helpers: unknown) => unknown;
 }
 
+/** Timeout (ms) for compiling RuleCode (defining evaluate + meta). */
+const COMPILE_TIMEOUT_MS = 1000;
+
+/** Timeout (ms) for executing evaluate(input, helpers) inside the vm. */
+const EVALUATE_PROCESS_TIMEOUT_MS = 3000;
+const EVALUATE_PROCESS_OUTPUT_BYTES = 1024 * 1024;
+
+const EVALUATION_PROCESS_SOURCE = String.raw`
+const vm = require('node:vm');
+try {
+  const workerData = JSON.parse(require('node:fs').readFileSync(0, 'utf8'));
+  const context = vm.createContext(Object.create(null));
+  new vm.Script(workerData.source, { filename: workerData.filename }).runInContext(context, { timeout: 1000 });
+  const input = workerData.input;
+  const helpers = Object.freeze({
+    isRiskPath: () => input.workspace.isRiskPath,
+    getToolName: () => input.action.toolName,
+    getEstimatedLineChanges: () => input.derived.estimatedLineChanges,
+    getBashRisk: () => input.derived.bashRisk,
+    hasPlanFile: () => input.workspace.hasPlanFile,
+    getPlanStatus: () => input.workspace.planStatus,
+    getEpTier: () => input.evolution.epTier,
+  });
+  context.__pdCallInput = input;
+  context.__pdCallHelpers = helpers;
+  const result = new vm.Script('__pdRuleModule.evaluate(__pdCallInput, __pdCallHelpers)', { filename: workerData.filename + '.call' })
+    .runInContext(context, { timeout: 1000 });
+  process.stdout.write(JSON.stringify({ ok: true, result }));
+} catch (error) {
+  process.stdout.write(JSON.stringify({ ok: false, error: String(error) }));
+  process.exitCode = 1;
+}
+`;
+
 function normalizeImplementationSource(sourceCode: string): string {
   const withoutExports = sourceCode
     .replace(/export\s+const\s+meta\s*=/, 'const meta =')
@@ -17,6 +65,10 @@ globalThis.__pdRuleModule = {
 };`;
 }
 
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+
 export function loadRuleImplementationModule(
   sourceCode: string,
   filename: string,
@@ -26,13 +78,68 @@ export function loadRuleImplementationModule(
     filename,
   });
 
+  // Compile phase: define evaluate + meta (timeout-bounded)
   script.runInContext(context, {
-    timeout: 1000,
+    timeout: COMPILE_TIMEOUT_MS,
     displayErrors: true,
   });
 
   const moduleExports = (context as { __pdRuleModule?: RuleImplementationModuleExports }).__pdRuleModule;
-  delete (context as { __pdRuleModule?: RuleImplementationModuleExports }).__pdRuleModule;
+  // Note: keep __pdRuleModule on the context so callEvaluate can reference it.
+  // We do NOT delete it here — it's needed for subsequent evaluate calls.
+
+  const hasEvaluate = typeof moduleExports?.evaluate === 'function';
+  const meta = moduleExports?.meta;
+
+  if (!hasEvaluate) {
+    // No evaluate function — return early with no callEvaluate
+    return { meta, evaluate: moduleExports?.evaluate };
+  }
+
+  // PRI-437: Create a context-aware caller that runs evaluate INSIDE the vm
+  // context with a time boundary. This terminates infinite loops and
+  // excessive computation that would otherwise hang the host process.
+  //
+  // The callEvaluate function:
+  //   1. Sets input and helpers as context globals (sandboxed)
+  //   2. Compiles a tiny call script
+  //   3. Runs it in the context with EVALUATE_TIMEOUT_MS
+  //   4. Cleans up globals
+  //   5. Returns the raw result (validation happens in the caller)
+  const normalizedSource = normalizeImplementationSource(sourceCode);
+  const callEvaluate = (input: unknown, _helpers: unknown): unknown => {
+    const child = spawnSync(process.execPath, [
+      '--max-old-space-size=32',
+      '-e',
+      EVALUATION_PROCESS_SOURCE,
+    ], {
+      input: JSON.stringify({ source: normalizedSource, filename, input }),
+      encoding: 'utf8',
+      timeout: EVALUATE_PROCESS_TIMEOUT_MS,
+      maxBuffer: EVALUATE_PROCESS_OUTPUT_BYTES,
+      windowsHide: true,
+    });
+    if (child.error) {
+      throw new Error(`RuleCode process failed: ${child.error.message}`);
+    }
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(child.stdout);
+    } catch {
+      const stderr = child.stderr.trim().slice(0, 500);
+      throw new Error(`RuleCode process exited without a valid result${stderr ? `: ${stderr}` : ''}`);
+    }
+    if (!isRecord(parsed) || !Object.hasOwn(parsed, 'ok') || parsed['ok'] !== true || !Object.hasOwn(parsed, 'result')) {
+      const reason = isRecord(parsed) && Object.hasOwn(parsed, 'error') && typeof parsed['error'] === 'string'
+        ? parsed['error'] : 'RuleCode process failed';
+      throw new Error(reason);
+    }
+    return parsed['result'];
+  };
 
-  return moduleExports ?? {};
+  return {
+    meta,
+    evaluate: moduleExports?.evaluate,
+    callEvaluate,
+  };
 }

package/src/types/event-types.ts

@@ -23,6 +23,7 @@ export type {
   RuleHostAutoCorrectProposedEventData,
   RuleHostAutoCorrectAppliedEventData,
   RuntimeV2PromptActivationsInjectedEventData,
+  RuleHostUnhealthyEventData,
   ToolCallStats,
   ErrorStats,
   PainStats,

package/src/utils/io.ts

@@ -66,16 +66,34 @@ export function normalizePath(filePath: string, projectDir: string): string {
     }
   }
 
-   
-   
+  // POSIX absolute paths (e.g., /etc/passwd) are NOT recognized as absolute
+  // by path.isAbsolute() on Windows. When both the project dir and the file
+  // path are POSIX paths, use path.posix for relative computation.
+  const isPosixAbsolute = normalizedFilePath.startsWith('/') && !fileIsWin;
+  const projectIsPosix = !projectIsWin;
+
   let rel: string;
   if (projectIsWin) {
     const projectAbs = path.resolve(projectDir);
-    const fileAbs = path.isAbsolute(normalizedFilePath) ? normalizedFilePath : path.join(projectAbs, normalizedFilePath);
-    rel = path.relative(projectAbs, fileAbs);
+    if (isPosixAbsolute) {
+      // POSIX absolute path on Windows project: cannot resolve relative to project,
+      // return as-is (path is outside the project directory).
+      rel = normalizedFilePath;
+    } else {
+      const fileAbs = path.isAbsolute(normalizedFilePath)
+        ? normalizedFilePath
+        : path.join(projectAbs, normalizedFilePath);
+      rel = path.relative(projectAbs, fileAbs);
+    }
+  } else if (projectIsPosix && isPosixAbsolute) {
+    // Both project and file are POSIX → use path.posix
+    const projectPosix = projectDir.replace(/\\/g, '/');
+    rel = path.posix.relative(projectPosix, normalizedFilePath);
   } else {
     const projectPosix = projectDir.replace(/\\/g, '/');
-    const filePosix = path.isAbsolute(normalizedFilePath) ? normalizedFilePath : path.posix.join(projectPosix, normalizedFilePath.replace(/\\/g, '/'));
+    const filePosix = path.isAbsolute(normalizedFilePath)
+      ? normalizedFilePath
+      : path.posix.join(projectPosix, normalizedFilePath.replace(/\\/g, '/'));
     rel = path.posix.relative(projectPosix, filePosix);
   }
 

package/tests/core/rule-host-adversarial-output.test.ts

@@ -0,0 +1,242 @@
+/**
+ * PRI-437 Slice 5: Invalid tier/adversarial diagnostics cannot corrupt output
+ *
+ * PURPOSE: Verify that adversarial RuleCode cannot corrupt the RuleHost output
+ * or merge logic through:
+ *   1. Prototype pollution in diagnostics field
+ *   2. Invalid tier in input (non-number epTier)
+ *   3. Adversarial correctionProposal with prototype pollution
+ *
+ * ERR risk mitigation:
+ *   - ERR-001: no `as` bypass on untrusted VM output
+ *   - ERR-013: Object.hasOwn for untrusted keys
+ *   - ERR-005: validate array element types
+ *
+ * Test approach:
+ *   - Real SQLite activation with adversarial RuleCode
+ *   - Real RuleHost.evaluate() (public interface)
+ *   - Verify output is either rejected (undefined) or safely contained
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import { SqliteConnection, SqliteActivationStateStore } from '@principles/core/runtime-v2';
+import type { RuleHostInput } from '@principles/core/runtime-v2';
+import { RuleHost } from '../../src/core/rule-host.js';
+
+// ── Test helpers ───────────────────────────────────────────────────────────
+
+let tempWorkspaceDir: string;
+let tempStateDir: string;
+let sqliteConn: SqliteConnection;
+
+function setupTempDirs(): void {
+  const baseTmp = os.tmpdir();
+  tempWorkspaceDir = fs.mkdtempSync(path.join(baseTmp, 'pd-rulehost-adversarial-'));
+  tempStateDir = path.join(tempWorkspaceDir, '.principles');
+  fs.mkdirSync(tempStateDir, { recursive: true });
+}
+
+function insertRuleArtifact(
+  artifactId: string,
+  ruleId: string,
+  sourceTaskId: string,
+  code: string,
+): void {
+  const db = sqliteConn.getDb();
+  const now = new Date().toISOString();
+  const contentJson = JSON.stringify({
+    principleId: `P_${ruleId}`,
+    ruleId,
+    implementationCode: code,
+    goldenTrace: { traceId: `trace-${ruleId}`, cases: [], createdAt: now, version: 1 },
+    ruleHostGateDecision: 'accepted_shadow',
+    affectedTools: ['write_file'],
+    painReasonSummary: 'Test: adversarial',
+  });
+
+  db.prepare(`
+    INSERT INTO pi_artifacts (artifact_id, artifact_kind, source_task_id, source_principle_id, source_rule_id, lineage_artifact_ids, validation_status, content_json, created_at, updated_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `).run(
+    artifactId, 'rule', sourceTaskId, `P_${ruleId}`, ruleId,
+    '[]', 'validated', contentJson, now, now,
+  );
+}
+
+async function insertActivation(
+  activationId: string,
+  artifactId: string,
+  ruleId: string,
+): Promise<void> {
+  const store = new SqliteActivationStateStore(sqliteConn);
+  const now = new Date().toISOString();
+  await store.recordActivation({
+    activationId,
+    idempotencyKey: `${artifactId}::code_tool_hook`,
+    artifactId,
+    channel: 'code_tool_hook',
+    action: 'code_tool_hook_shadow_activate',
+    targetRef: `impl://${ruleId}`,
+    activatedAt: now,
+    deactivatedAt: null,
+  });
+}
+
+function makeInput(normalizedPath: string, epTier?: unknown): RuleHostInput {
+  return {
+    action: {
+      toolName: 'write_file',
+      normalizedPath,
+      paramsSummary: { path: normalizedPath },
+    },
+    workspace: { isRiskPath: false, planStatus: 'NONE' as const, hasPlanFile: false },
+    session: { sessionId: 'test-session-adversarial', currentGfi: 0, recentThinking: false },
+    evolution: { epTier: epTier as number },
+    derived: { estimatedLineChanges: 1, bashRisk: 'safe' as const },
+  };
+}
+
+// ── Setup / Teardown ───────────────────────────────────────────────────────
+
+beforeEach(() => {
+  setupTempDirs();
+  sqliteConn = new SqliteConnection(tempWorkspaceDir);
+  sqliteConn.getDb();
+});
+
+afterEach(() => {
+  try { sqliteConn?.close(); } catch { /* best-effort */ }
+  try { fs.rmSync(tempWorkspaceDir, { recursive: true, force: true }); } catch { /* Windows */ }
+});
+
+// ── Slice 5: Adversarial diagnostics cannot corrupt output ─────────────────
+
+describe('PRI-437 Slice 5: Invalid tier/adversarial diagnostics cannot corrupt output', () => {
+  it('prototype pollution in diagnostics field is rejected by validator', async () => {
+    const RULE_ID = 'R_TEST_PROTO_005';
+    const ARTIFACT_ID = 'art-proto-005';
+    const ACTIVATION_ID = `act_code_${RULE_ID}`;
+
+    // RuleCode that tries to inject __proto__ as an own property in diagnostics
+    const ADVERSARIAL_CODE = `
+function evaluate(input, helpers) {
+  var diag = {};
+  Object.defineProperty(diag, '__proto__', { value: { polluted: true }, enumerable: true, configurable: true });
+  Object.defineProperty(diag, 'constructor', { value: { polluted: true }, enumerable: true, configurable: true });
+  return { decision: 'block', matched: true, reason: 'adversarial', diagnostics: diag };
+}
+var meta = { name: 'proto-rule', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+
+    insertRuleArtifact(ARTIFACT_ID, RULE_ID, 'task-proto-005', ADVERSARIAL_CODE);
+    await insertActivation(ACTIVATION_ID, ARTIFACT_ID, RULE_ID);
+
+    const warnCalls: string[] = [];
+    const spyLogger = {
+      warn: (message: string) => { warnCalls.push(message); },
+      error: () => {},
+      info: () => {},
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+    const result = ruleHost.evaluate(makeInput('/etc/passwd'));
+
+    // PRI-437 fail-closed contract: adversarial results must be rejected entirely,
+    // resulting in conservative degradation (undefined). Not "accepted but sanitized".
+    expect(result).toBeUndefined();
+
+    // Must emit warn evidence about the invalid result
+    expect(warnCalls.length).toBeGreaterThan(0);
+  });
+
+  it('invalid tier (string) in input does not corrupt output validation', async () => {
+    const RULE_ID = 'R_TEST_TIER_005';
+    const ARTIFACT_ID = 'art-tier-005';
+    const ACTIVATION_ID = `act_code_${RULE_ID}`;
+
+    // RuleCode that tries to use epTier as a string and produces invalid output
+    const ADVERSARIAL_CODE = `
+function evaluate(input, helpers) {
+  var tier = input.evolution.epTier;
+  // If tier is a string, try to use it to bypass validation
+  if (typeof tier === 'string') {
+    return { decision: 'BLOCK', matched: 'yes', reason: 123 };
+  }
+  return { decision: 'block', matched: true, reason: 'valid block' };
+}
+var meta = { name: 'tier-rule', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+
+    insertRuleArtifact(ARTIFACT_ID, RULE_ID, 'task-tier-005', ADVERSARIAL_CODE);
+    await insertActivation(ACTIVATION_ID, ARTIFACT_ID, RULE_ID);
+
+    const warnCalls: string[] = [];
+    const spyLogger = {
+      warn: (message: string) => { warnCalls.push(message); },
+      error: () => {},
+      info: () => {},
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+
+    // Pass invalid tier (string instead of number)
+    const result = ruleHost.evaluate(makeInput('/etc/passwd', 'invalid_tier_string'));
+
+    // The invalid output (decision='BLOCK' instead of 'block', matched='yes' instead of boolean)
+    // must be rejected by the validator → undefined (conservative degradation)
+    expect(result).toBeUndefined();
+
+    // Must emit warn evidence about the invalid result
+    expect(warnCalls.length).toBeGreaterThan(0);
+    const invalidWarn = warnCalls.find(m =>
+      m.toLowerCase().includes('invalid') ||
+      m.toLowerCase().includes('evaluation failed')
+    );
+    expect(invalidWarn).toBeDefined();
+  });
+
+  it('adversarial correctionProposal with prototype pollution is rejected', async () => {
+    const RULE_ID = 'R_TEST_CORR_005';
+    const ARTIFACT_ID = 'art-corr-005';
+    const ACTIVATION_ID = `act_code_${RULE_ID}`;
+
+    // RuleCode that returns auto_correct with adversarial correctionProposal
+    const ADVERSARIAL_CODE = `
+function evaluate(input, helpers) {
+  var proposal = {
+    ruleId: '${RULE_ID}',
+    correctedFields: [{ field: 'file_path', reason: 'x' }],
+    proposedParams: { file_path: '/safe/path' },
+    applicationMode: 'live',
+    confidence: 0.9,
+  };
+  // Try to inject __proto__ into the proposal
+  Object.defineProperty(proposal, '__proto__', { value: { polluted: true }, enumerable: true });
+  return { decision: 'auto_correct', matched: true, reason: 'adversarial correction', correctionProposal: proposal };
+}
+var meta = { name: 'corr-rule', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+
+    insertRuleArtifact(ARTIFACT_ID, RULE_ID, 'task-corr-005', ADVERSARIAL_CODE);
+    await insertActivation(ACTIVATION_ID, ARTIFACT_ID, RULE_ID);
+
+    const warnCalls: string[] = [];
+    const spyLogger = {
+      warn: (message: string) => { warnCalls.push(message); },
+      error: () => {},
+      info: () => {},
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+    const result = ruleHost.evaluate(makeInput('/etc/passwd'));
+
+    // PRI-437 fail-closed contract: adversarial correctionProposal must be rejected
+    // entirely, resulting in conservative degradation (undefined).
+    expect(result).toBeUndefined();
+
+    // Must emit warn evidence
+    expect(warnCalls.length).toBeGreaterThan(0);
+  });
+});