principles-disciple 1.124.0 → 1.126.0

package/tests/core/rule-host-validation.test.ts

@@ -0,0 +1,315 @@
+/**
+ * PRI-437: Harden RuleHost execution validation, isolation and activation health
+ *
+ * TDD vertical slices:
+ *   1. Malformed VM results never enforce and create unhealthy evidence
+ *   2. Valid decisions work through public before-tool-call hook
+ *   3. Infinite loop and memory allocation terminate without taking down host
+ *   4. Approved compile failure is visible in health, CLI JSON and Console API
+ *   5. Invalid tier/adversarial diagnostics cannot corrupt output
+ *
+ * Tests verify through public interfaces:
+ *   - Real SQLite store (SqliteConnection + SqliteActivationStateStore)
+ *   - Real RuleHost.evaluate()
+ *   - No mocking of private internals
+ *
+ * ERR risk mitigation:
+ *   - ERR-001: no `as` bypass at trust boundary — VM output validated as unknown
+ *   - ERR-002: no catch-and-degrade — malformed results emit structured unhealthy evidence
+ *   - ERR-013: Object.hasOwn for untrusted object key checks
+ *   - ERR-024: validator wired into production path, not just demo/test
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import { SqliteConnection, SqliteActivationStateStore } from '@principles/core/runtime-v2';
+import type { RuleHostInput } from '@principles/core/runtime-v2';
+import { RuleHost } from '../../src/core/rule-host.js';
+
+// ── Test helpers (shared with rule-host-sqlite-source.test.ts pattern) ──────
+
+const RULE_ID = 'R_TEST_PRI437_001';
+const ARTIFACT_ID = 'art-pri437-001';
+const ACTIVATION_ID = `act_code_${RULE_ID}`;
+
+let tempWorkspaceDir: string;
+let tempStateDir: string;
+let sqliteConn: SqliteConnection;
+
+function setupTempDirs(): void {
+  const baseTmp = os.tmpdir();
+  tempWorkspaceDir = fs.mkdtempSync(path.join(baseTmp, 'pd-rulehost-pri437-'));
+  tempStateDir = path.join(tempWorkspaceDir, '.principles');
+  fs.mkdirSync(tempStateDir, { recursive: true });
+}
+
+function insertRuleArtifact(overrides?: {
+  artifactId?: string;
+  ruleId?: string;
+  contentJson?: string;
+  validationStatus?: string;
+  sourceTaskId?: string;
+}): void {
+  const artifactId = overrides?.artifactId ?? ARTIFACT_ID;
+  const ruleId = overrides?.ruleId ?? RULE_ID;
+  const validationStatus = overrides?.validationStatus ?? 'validated';
+  const sourceTaskId = overrides?.sourceTaskId ?? 'task-pri437-001';
+  const db = sqliteConn.getDb();
+  const now = new Date().toISOString();
+
+  const contentJson = overrides?.contentJson ?? JSON.stringify({
+    principleId: 'P_TEST_PRI437',
+    ruleId,
+    implementationCode: '',
+    goldenTrace: {
+      traceId: 'trace-pri437',
+      cases: [],
+      createdAt: now,
+      version: 1,
+    },
+    ruleHostGateDecision: 'accepted_shadow',
+    affectedTools: ['write_file'],
+    painReasonSummary: 'Test: PRI-437',
+  });
+
+  db.prepare(`
+    INSERT INTO pi_artifacts (artifact_id, artifact_kind, source_task_id, source_principle_id, source_rule_id, lineage_artifact_ids, validation_status, content_json, created_at, updated_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `).run(
+    artifactId,
+    'rule',
+    sourceTaskId,
+    'P_TEST_PRI437',
+    ruleId,
+    '[]',
+    validationStatus,
+    contentJson,
+    now,
+    now,
+  );
+}
+
+async function insertCodeToolHookActivation(overrides?: {
+  activationId?: string;
+  artifactId?: string;
+  ruleId?: string;
+  deactivatedAt?: string | null;
+}): Promise<void> {
+  const activationId = overrides?.activationId ?? ACTIVATION_ID;
+  const artifactId = overrides?.artifactId ?? ARTIFACT_ID;
+  const ruleId = overrides?.ruleId ?? RULE_ID;
+  const store = new SqliteActivationStateStore(sqliteConn);
+  const now = new Date().toISOString();
+
+  await store.recordActivation({
+    activationId,
+    idempotencyKey: `${artifactId}::code_tool_hook`,
+    artifactId,
+    channel: 'code_tool_hook',
+    action: 'code_tool_hook_shadow_activate',
+    targetRef: `impl://${ruleId}`,
+    activatedAt: now,
+    deactivatedAt: overrides?.deactivatedAt ?? null,
+  });
+}
+
+function makeInput(normalizedPath: string): RuleHostInput {
+  return {
+    action: {
+      toolName: 'write_file',
+      normalizedPath,
+      paramsSummary: { path: normalizedPath },
+    },
+    workspace: {
+      isRiskPath: false,
+      planStatus: 'NONE',
+      hasPlanFile: false,
+    },
+    session: {
+      sessionId: 'test-session',
+      currentGfi: 0,
+      recentThinking: false,
+    },
+    evolution: {
+      epTier: 1,
+    },
+    derived: {
+      estimatedLineChanges: 1,
+      bashRisk: 'safe' as const,
+    },
+  };
+}
+
+function makeContentJson(ruleId: string, code: string): string {
+  return JSON.stringify({
+    principleId: 'P_TEST_PRI437',
+    ruleId,
+    implementationCode: code,
+    goldenTrace: {
+      traceId: 'trace-pri437',
+      cases: [],
+      createdAt: new Date().toISOString(),
+      version: 1,
+    },
+    ruleHostGateDecision: 'accepted_shadow',
+    affectedTools: ['write_file'],
+    painReasonSummary: 'Test: PRI-437',
+  });
+}
+
+// ── Setup / Teardown ───────────────────────────────────────────────────────
+
+beforeEach(() => {
+  setupTempDirs();
+  sqliteConn = new SqliteConnection(tempWorkspaceDir);
+  sqliteConn.getDb();
+});
+
+afterEach(() => {
+  try { sqliteConn?.close(); } catch { /* best-effort */ }
+  try { fs.rmSync(tempWorkspaceDir, { recursive: true, force: true }); } catch { /* Windows */ }
+});
+
+// ── Slice 1: Malformed VM results never enforce and create unhealthy evidence ─
+
+describe('PRI-437 Slice 1: Malformed VM results never enforce and create unhealthy evidence', () => {
+  it('malformed result with non-string reason does not enforce and emits unhealthy evidence', async () => {
+    // RuleCode returns { matched: true, decision: 'block', reason: 42 } — reason is a number, not a string
+    const MALFORMED_CODE = `
+function evaluate(input, helpers) {
+  return { matched: true, decision: 'block', reason: 42 };
+}
+var meta = { name: 'malformed-rule', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+    insertRuleArtifact({ contentJson: makeContentJson(RULE_ID, MALFORMED_CODE) });
+    await insertCodeToolHookActivation();
+
+    const warnCalls: string[] = [];
+    const spyLogger: { warn: (_message: string) => void } = {
+      warn: (message: string) => { warnCalls.push(message); },
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+    const result = ruleHost.evaluate(makeInput('/etc/passwd'));
+
+    // Malformed result must NOT enforce — no block returned
+    expect(result).toBeUndefined();
+
+    // Unhealthy evidence must be emitted via logger.warn
+    expect(warnCalls.length).toBeGreaterThan(0);
+    const unhealthyWarn = warnCalls.find(m =>
+      m.toLowerCase().includes('invalid') ||
+      m.toLowerCase().includes('malformed') ||
+      m.toLowerCase().includes('unhealthy') ||
+      m.toLowerCase().includes('validation')
+    );
+    expect(unhealthyWarn).toBeDefined();
+  });
+
+  it('malformed result with non-boolean matched does not enforce and emits unhealthy evidence', async () => {
+    // RuleCode returns { matched: "yes", decision: 'block', reason: 'valid' } — matched is a string
+    const MALFORMED_CODE = `
+function evaluate(input, helpers) {
+  return { matched: "yes", decision: 'block', reason: 'Blocked: system directory' };
+}
+var meta = { name: 'malformed-matched', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+    insertRuleArtifact({ contentJson: makeContentJson(RULE_ID, MALFORMED_CODE) });
+    await insertCodeToolHookActivation();
+
+    const warnCalls: string[] = [];
+    const spyLogger: { warn: (_message: string) => void } = {
+      warn: (message: string) => { warnCalls.push(message); },
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+    const result = ruleHost.evaluate(makeInput('/etc/passwd'));
+
+    expect(result).toBeUndefined();
+    expect(warnCalls.length).toBeGreaterThan(0);
+    const unhealthyWarn = warnCalls.find(m =>
+      m.toLowerCase().includes('invalid') ||
+      m.toLowerCase().includes('malformed') ||
+      m.toLowerCase().includes('unhealthy') ||
+      m.toLowerCase().includes('validation')
+    );
+    expect(unhealthyWarn).toBeDefined();
+  });
+
+  it('malformed result with invalid decision does not enforce and emits unhealthy evidence', async () => {
+    // RuleCode returns { matched: true, decision: 'execute', reason: 'valid' } — decision is not one of the four
+    const MALFORMED_CODE = `
+function evaluate(input, helpers) {
+  return { matched: true, decision: 'execute', reason: 'do it' };
+}
+var meta = { name: 'malformed-decision', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+    insertRuleArtifact({ contentJson: makeContentJson(RULE_ID, MALFORMED_CODE) });
+    await insertCodeToolHookActivation();
+
+    const warnCalls: string[] = [];
+    const spyLogger: { warn: (_message: string) => void } = {
+      warn: (message: string) => { warnCalls.push(message); },
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+    const result = ruleHost.evaluate(makeInput('/etc/passwd'));
+
+    expect(result).toBeUndefined();
+    expect(warnCalls.length).toBeGreaterThan(0);
+    const unhealthyWarn = warnCalls.find(m =>
+      m.toLowerCase().includes('invalid') ||
+      m.toLowerCase().includes('malformed') ||
+      m.toLowerCase().includes('unhealthy') ||
+      m.toLowerCase().includes('validation')
+    );
+    expect(unhealthyWarn).toBeDefined();
+  });
+
+  it('null return from evaluate does not enforce and emits unhealthy evidence', async () => {
+    const MALFORMED_CODE = `
+function evaluate(input, helpers) {
+  return null;
+}
+var meta = { name: 'null-return', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+    insertRuleArtifact({ contentJson: makeContentJson(RULE_ID, MALFORMED_CODE) });
+    await insertCodeToolHookActivation();
+
+    const warnCalls: string[] = [];
+    const spyLogger: { warn: (_message: string) => void } = {
+      warn: (message: string) => { warnCalls.push(message); },
+    };
+
+    const ruleHost = new RuleHost(tempStateDir, spyLogger, { workspaceDir: tempWorkspaceDir });
+    const result = ruleHost.evaluate(makeInput('/etc/passwd'));
+
+    expect(result).toBeUndefined();
+    expect(warnCalls.length).toBeGreaterThan(0);
+  });
+
+  it('valid block result still enforces correctly (no false positive rejection)', async () => {
+    const VALID_CODE = `
+function evaluate(input, helpers) {
+  var p = input.action.normalizedPath || '';
+  if (p.startsWith('/etc')) {
+    return { decision: 'block', matched: true, reason: 'Blocked: system directory' };
+  }
+  return { decision: 'allow', matched: false, reason: 'Not matched' };
+}
+var meta = { name: 'valid-rule', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+    insertRuleArtifact({ contentJson: makeContentJson(RULE_ID, VALID_CODE) });
+    await insertCodeToolHookActivation();
+
+    const ruleHost = new RuleHost(tempStateDir, console, { workspaceDir: tempWorkspaceDir });
+    const result = ruleHost.evaluate(makeInput('/etc/passwd'));
+
+    expect(result).toBeDefined();
+    expect(result?.decision).toBe('block');
+    expect(result?.matched).toBe(true);
+    expect(result?.reason).toBe('Blocked: system directory');
+    expect(result?.ruleId).toBe(RULE_ID);
+  });
+});

package/tests/core/rule-implementation-runtime.test.ts

@@ -34,4 +34,16 @@ describe('rule-implementation-runtime', () => {
 
     expect((globalThis as Record<string, unknown>).__pdRuleHostLeak).toBeUndefined();
   });
+
+  it('contains memory-exhausting evaluation in a resource-limited worker', () => {
+    const moduleExports = loadRuleImplementationModule(
+      `export function evaluate() {
+        const memoryBomb = new Array(100_000_000).fill('x');
+        return { decision: 'allow', matched: false, reason: String(memoryBomb.length) };
+      }`,
+      'rule-memory-limit.js',
+    );
+
+    expect(() => moduleExports.callEvaluate?.({}, {})).toThrow(/worker|memory|heap|timed out|exited without a valid result/i);
+  });
 });

package/tests/hooks/gate-rule-host-real-pipeline.test.ts

@@ -0,0 +1,190 @@
+/**
+ * PRI-437 Slice 2: Valid decisions work through public before-tool-call hook
+ *
+ * PURPOSE: Verify that valid RuleHost decisions (block/allow) flow correctly
+ * through the real handleBeforeToolCall public hook with real SQLite activations.
+ *
+ * This test exercises the FULL public path:
+ *   real SQLite activation → real RuleHost.evaluate() → validateRuleHostResult()
+ *   → real handleBeforeToolCall() → block/allow result
+ *
+ * No mocking of RuleHost, SQLite, or gate internals.
+ *
+ * ERR risk mitigation:
+ *   - ERR-024: validator is wired into the production path (verified end-to-end)
+ *   - ERR-048: activation write (SQLite) connects to read (RuleHost) connects to enforcement (gate)
+ *   - ERR-002: valid decisions must NOT be silently degraded
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import { SqliteConnection, SqliteActivationStateStore } from '@principles/core/runtime-v2';
+import { handleBeforeToolCall } from '../../src/hooks/gate.js';
+import type { PluginHookBeforeToolCallEvent, PluginHookToolContext } from '../../src/openclaw-sdk.js';
+import { WorkspaceContext } from '../../src/core/workspace-context.js';
+
+// ── Test helpers ───────────────────────────────────────────────────────────
+
+const RULE_ID = 'R_TEST_GATE_002';
+const ARTIFACT_ID = 'art-gate-002';
+const ACTIVATION_ID = `act_code_${RULE_ID}`;
+
+const BLOCK_CODE = `
+function evaluate(input, helpers) {
+  var p = input.action.normalizedPath || '';
+  if (p.indexOf('/etc/') === 0 || p === '/etc') {
+    return { decision: 'block', matched: true, reason: 'GATE_BLOCK_002: system directory' };
+  }
+  return { decision: 'allow', matched: false, reason: 'Not matched' };
+}
+var meta = { name: 'gate-test-rule', version: '1', ruleId: '${RULE_ID}', coversCondition: 'all' };
+`;
+
+let tempWorkspaceDir: string;
+let tempStateDir: string;
+let sqliteConn: SqliteConnection;
+
+function setupTempDirs(): void {
+  const baseTmp = os.tmpdir();
+  tempWorkspaceDir = fs.mkdtempSync(path.join(baseTmp, 'pd-gate-real-'));
+  tempStateDir = path.join(tempWorkspaceDir, '.principles');
+  fs.mkdirSync(tempStateDir, { recursive: true });
+}
+
+function insertRuleArtifact(): void {
+  const db = sqliteConn.getDb();
+  const now = new Date().toISOString();
+  const contentJson = JSON.stringify({
+    principleId: 'P_TEST_GATE_002',
+    ruleId: RULE_ID,
+    implementationCode: BLOCK_CODE,
+    goldenTrace: {
+      traceId: 'trace-gate-002',
+      cases: [],
+      createdAt: now,
+      version: 1,
+    },
+    ruleHostGateDecision: 'accepted_shadow',
+    affectedTools: ['write_file'],
+    painReasonSummary: 'Test: block /etc writes via gate',
+  });
+
+  db.prepare(`
+    INSERT INTO pi_artifacts (artifact_id, artifact_kind, source_task_id, source_principle_id, source_rule_id, lineage_artifact_ids, validation_status, content_json, created_at, updated_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `).run(
+    ARTIFACT_ID,
+    'rule',
+    'task-gate-002',
+    'P_TEST_GATE_002',
+    RULE_ID,
+    '[]',
+    'validated',
+    contentJson,
+    now,
+    now,
+  );
+}
+
+async function insertActivation(): Promise<void> {
+  const store = new SqliteActivationStateStore(sqliteConn);
+  const now = new Date().toISOString();
+  await store.recordActivation({
+    activationId: ACTIVATION_ID,
+    idempotencyKey: `${ARTIFACT_ID}::code_tool_hook`,
+    artifactId: ARTIFACT_ID,
+    channel: 'code_tool_hook',
+    action: 'code_tool_hook_shadow_activate',
+    targetRef: `impl://${RULE_ID}`,
+    activatedAt: now,
+    deactivatedAt: null,
+  });
+}
+
+// ── Setup / Teardown ───────────────────────────────────────────────────────
+
+beforeEach(() => {
+  setupTempDirs();
+  WorkspaceContext.clearCache();
+  sqliteConn = new SqliteConnection(tempWorkspaceDir);
+  sqliteConn.getDb();
+});
+
+afterEach(() => {
+  WorkspaceContext.clearCache();
+  try { sqliteConn?.close(); } catch { /* best-effort */ }
+  try { fs.rmSync(tempWorkspaceDir, { recursive: true, force: true }); } catch { /* Windows */ }
+});
+
+// ── Slice 2: Valid decisions through public hook ───────────────────────────
+
+describe('PRI-437 Slice 2: Valid decisions work through public before-tool-call hook', () => {
+  it('valid block decision from SQLite activation → handleBeforeToolCall returns block result', async () => {
+    // Setup: real SQLite activation with valid blocking code
+    insertRuleArtifact();
+    await insertActivation();
+
+    // Exercise the PUBLIC hook with a real event targeting /etc/passwd
+    const event: PluginHookBeforeToolCallEvent = {
+      toolName: 'write_file',
+      params: { file_path: '/etc/passwd', content: 'malicious' },
+    };
+
+    const ctx: PluginHookToolContext = {
+      workspaceDir: tempWorkspaceDir,
+      sessionId: 'test-session-gate-002',
+      logger: { warn: () => {}, error: () => {}, info: () => {} },
+    };
+
+    const result = handleBeforeToolCall(event, ctx);
+
+    // Verify: block decision is enforced through the public hook
+    expect(result).toBeDefined();
+    expect(result?.block).toBe(true);
+    expect(result?.blockReason).toContain('GATE_BLOCK_002: system directory');
+  });
+
+  it('valid allow (no match) from SQLite activation → handleBeforeToolCall returns undefined', async () => {
+    insertRuleArtifact();
+    await insertActivation();
+
+    // Exercise the PUBLIC hook with a safe path that does NOT match the block rule
+    const event: PluginHookBeforeToolCallEvent = {
+      toolName: 'write_file',
+      params: { file_path: '/safe/project/file.txt', content: 'safe content' },
+    };
+
+    const ctx: PluginHookToolContext = {
+      workspaceDir: tempWorkspaceDir,
+      sessionId: 'test-session-gate-002',
+      logger: { warn: () => {}, error: () => {}, info: () => {} },
+    };
+
+    const result = handleBeforeToolCall(event, ctx);
+
+    // Verify: no block (allow passes through)
+    expect(result).toBeUndefined();
+  });
+
+  it('no SQLite activation → handleBeforeToolCall returns undefined (no opinion)', async () => {
+    // Artifact exists but no activation
+    insertRuleArtifact();
+
+    const event: PluginHookBeforeToolCallEvent = {
+      toolName: 'write_file',
+      params: { file_path: '/etc/passwd', content: 'malicious' },
+    };
+
+    const ctx: PluginHookToolContext = {
+      workspaceDir: tempWorkspaceDir,
+      sessionId: 'test-session-gate-002',
+      logger: { warn: () => {}, error: () => {}, info: () => {} },
+    };
+
+    const result = handleBeforeToolCall(event, ctx);
+
+    // No activation → RuleHost returns undefined → gate allows
+    expect(result).toBeUndefined();
+  });
+});