principles-disciple 1.40.0 → 1.42.0

package/src/core/principle-compiler/ledger-registrar.ts

@@ -0,0 +1,107 @@
+/**
+ * Ledger Registrar (Task 4)
+ *
+ * Registers a compiled rule into the principle tree ledger:
+ * 1. Creates a LedgerRule with type 'gate', enforcement 'block', status 'proposed'
+ * 2. Creates an Implementation with type 'code', lifecycleState 'candidate'
+ *
+ * IDEMPOTENCY: If the rule already exists, returns existing registration.
+ * ROLLBACK: If implementation creation fails after rule creation, attempts cleanup.
+ */
+
+import { createRule, createImplementation, loadLedger, deleteRule, type LedgerRule } from '../principle-tree-ledger.js';
+
+export interface RegisterInput {
+  principleId: string;
+  codeContent: string;
+  coversCondition: string;
+}
+
+export interface RegisterResult {
+  success: boolean;
+  ruleId: string;
+  implementationId: string;
+  codePath: string;
+}
+
+/**
+ * Register a compiled rule for a principle in the ledger.
+ *
+ * Idempotent: if rule already exists, returns existing registration.
+ * Atomic: if implementation creation fails, rolls back the rule.
+ */
+export function registerCompiledRule(stateDir: string, input: RegisterInput): RegisterResult {
+  const { principleId, codeContent, coversCondition } = input;
+
+  const ruleId = `R_${principleId}_auto`;
+  const implementationId = `IMPL_${principleId}_auto`;
+  const codePath = `compiled-rules/${principleId}/rule.ts`;
+
+  // Idempotency: skip if rule already exists
+  const existingLedger = loadLedger(stateDir);
+  if (existingLedger.tree.rules[ruleId]) {
+    const existingRule = existingLedger.tree.rules[ruleId];
+    return {
+      success: true,
+      ruleId,
+      implementationId: existingRule.implementationIds[0] ?? implementationId,
+      codePath,
+    };
+  }
+
+  const now = new Date().toISOString();
+
+  // Step 1: Create the rule
+  const rule: LedgerRule = {
+    id: ruleId,
+    version: 1,
+    name: `Auto-compiled rule for ${principleId}`,
+    description: `Automatically compiled gate rule generated from principle ${principleId}`,
+    type: 'gate',
+    triggerCondition: coversCondition,
+    enforcement: 'block',
+    action: codeContent,
+    principleId,
+    status: 'proposed',
+    coverageRate: 0,
+    falsePositiveRate: 0,
+    implementationIds: [],
+    createdAt: now,
+    updatedAt: now,
+  };
+
+  createRule(stateDir, rule);
+
+  // Step 2: Create the implementation (with rollback on failure)
+  try {
+    const implementation = {
+      id: implementationId,
+      ruleId,
+      type: 'code' as const,
+      path: codePath,
+      version: '1',
+      coversCondition,
+      coveragePercentage: 100,
+      lifecycleState: 'active' as const,
+      createdAt: now,
+      updatedAt: now,
+    };
+
+    createImplementation(stateDir, implementation);
+  } catch (implError) {
+    // Rollback: remove the orphaned rule
+    try {
+      deleteRule(stateDir, ruleId);
+    } catch {
+      // Best-effort rollback — log but don't mask the original error
+    }
+    throw implError;
+  }
+
+  return {
+    success: true,
+    ruleId,
+    implementationId,
+    codePath,
+  };
+}

package/src/core/principle-compiler/template-generator.ts

@@ -0,0 +1,108 @@
+/**
+ * Template Generator for Principle Compiler
+ *
+ * Generates RuleHost sandbox code from PainPattern descriptors.
+ * Produces self-contained JS modules with `export const meta` and
+ * `export function evaluate(input)` that can be loaded at runtime.
+ *
+ * SECURITY: All interpolated values use JSON.stringify or safe helpers
+ * to prevent code injection through principleId, coversCondition, or regex patterns.
+ */
+
+export interface PainPattern {
+  toolName: string;
+  pathRegex?: string;
+  commandRegex?: string;
+  contentRegex?: string;
+  errorType?: string;
+}
+
+/**
+ * Derives the auto-rule display name from a principle ID.
+ */
+function toAutoName(principleId: string): string {
+  return `Auto_${principleId}`;
+}
+
+/**
+ * Derives the auto-rule ID from a principle ID.
+ * Must match ledger-registrar convention: "P_066" => "R_P_066_auto"
+ */
+function toAutoRuleId(principleId: string): string {
+  return `R_${principleId}_auto`;
+}
+
+/**
+ * Builds a single `if` branch for a pain pattern.
+ *
+ * SECURITY: Uses `new RegExp(JSON.stringify(...))` instead of regex literals
+ * to prevent code injection through pathRegex/commandRegex/contentRegex values.
+ * principleId in reason uses JSON.stringify to prevent string breakout.
+ */
+function buildBranch(principleId: string, pattern: PainPattern): string {
+  const conditions: string[] = [];
+
+  conditions.push(`input.action.toolName === ${JSON.stringify(pattern.toolName)}`);
+
+  if (pattern.pathRegex) {
+    conditions.push(`new RegExp(${JSON.stringify(pattern.pathRegex)}).test(input.action.normalizedPath || '')`);
+  }
+
+  if (pattern.commandRegex) {
+    conditions.push(`new RegExp(${JSON.stringify(pattern.commandRegex)}).test(input.action.paramsSummary.command || '')`);
+  }
+
+  if (pattern.contentRegex) {
+    conditions.push(
+      `new RegExp(${JSON.stringify(pattern.contentRegex)}).test(input.action.paramsSummary.content || input.action.paramsSummary.new_string || '')`,
+    );
+  }
+
+  const guard = conditions.join(' && ');
+  const reason = `[${principleId}] Blocked by auto-generated rule`;
+
+  return (
+    `  if (${guard}) {\n` +
+    `    return { decision: 'block', matched: true, reason: ${JSON.stringify(reason)} };\n` +
+    `  }`
+  );
+}
+
+/**
+ * Generates sandbox-ready JS code from a principle ID and pain patterns.
+ *
+ * Returns `null` when `patterns` is empty.
+ */
+export function generateFromTemplate(
+  principleId: string,
+  coversCondition: string,
+  patterns: PainPattern[],
+): string | null {
+  if (patterns.length === 0) {
+    return null;
+  }
+
+  const name = toAutoName(principleId);
+  const ruleId = toAutoRuleId(principleId);
+  const compiledAt = new Date().toISOString();
+
+  const branches = patterns
+    .map((p) => buildBranch(principleId, p))
+    .join('\n');
+
+  return (
+    `// Auto-generated by Principle Compiler\n` +
+    `export const meta = {\n` +
+    `  name: ${JSON.stringify(name)},\n` +
+    `  version: '1.0.0',\n` +
+    `  ruleId: ${JSON.stringify(ruleId)},\n` +
+    `  coversCondition: ${JSON.stringify(coversCondition)},\n` +
+    `  compiledAt: ${JSON.stringify(compiledAt)},\n` +
+    `  sourcePrincipleId: ${JSON.stringify(principleId)},\n` +
+    `};\n\n` +
+    `export function evaluate(input) {\n` +
+    `${branches}\n` +
+    `  return { matched: false };\n` +
+    `}\n`
+  );
+}

package/src/core/reflection/reflection-context.ts

@@ -0,0 +1,228 @@
+/**
+ * ReflectionContextCollector — Unified Pipeline Input
+ * ====================================================
+ *
+ * PURPOSE: Collect all grounding context for a principle into a single
+ * ReflectionContext object. This is the input to the nocturnal reflection
+ * pipeline: principle + painEvents + sessionSnapshot + lineage.
+ *
+ * DESIGN DECISIONS:
+ * - If a principle has no derivedFromPainIds, collect() returns null
+ *   (nothing to ground code on).
+ * - painId -> sessionId resolution is a known gap. For now, we attempt
+ *   best-effort lookup but return what we have with sessionSnapshot = null
+ *   if we can't resolve.
+ *
+ * REUSES:
+ * - principle-tree-ledger: loadLedger() for principle lookup
+ * - nocturnal-trajectory-extractor: for session snapshots
+ * - trajectory: TrajectoryDatabase for pain event queries
+ */
+
+import { loadLedger, type LedgerPrinciple } from '../principle-tree-ledger.js';
+import {
+  NocturnalTrajectoryExtractor,
+  type NocturnalPainEvent,
+  type NocturnalSessionSnapshot,
+} from '../nocturnal-trajectory-extractor.js';
+import type { TrajectoryDatabase } from '../trajectory.js';
+import type { Principle } from '../../types/principle-tree-schema.js';
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+/**
+ * Unified reflection context for the nocturnal pipeline.
+ */
+export interface ReflectionContext {
+  /** The principle being reflected upon */
+  principle: Principle;
+  /** Pain events associated with this principle (via derivedFromPainIds) */
+  painEvents: NocturnalPainEvent[];
+  /** Session snapshot if resolvable, null otherwise */
+  sessionSnapshot: NocturnalSessionSnapshot | null;
+  /** Lineage metadata connecting principle to source pain signals */
+  lineage: {
+    sourcePainIds: string[];
+    sessionId: string | null;
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Collector
+// ---------------------------------------------------------------------------
+
+/**
+ * Collects ReflectionContext for principles by joining ledger data with
+ * trajectory data.
+ */
+export class ReflectionContextCollector {
+  private readonly stateDir: string;
+  private readonly trajectory: TrajectoryDatabase;
+
+  constructor(stateDir: string, trajectory: TrajectoryDatabase) {
+    this.stateDir = stateDir;
+    this.trajectory = trajectory;
+  }
+
+  /**
+   * Collect full reflection context for a single principle.
+   *
+   * Returns null if:
+   * - The principle is not found in the ledger
+   * - The principle has no derivedFromPainIds (nothing to ground on)
+   */
+  collect(principleId: string): ReflectionContext | null {
+    const ledger = loadLedger(this.stateDir);
+    const principle = ledger.tree.principles[principleId];
+
+    if (!principle) {
+      return null;
+    }
+
+    if (!principle.derivedFromPainIds || principle.derivedFromPainIds.length === 0) {
+      return null;
+    }
+
+    return this.buildContext(principle);
+  }
+
+  /**
+   * Collect reflection contexts for multiple principles, optionally filtered.
+   *
+   * Skips principles without derivedFromPainIds.
+   */
+  collectBatch(filter?: { status?: string }): ReflectionContext[] {
+    const ledger = loadLedger(this.stateDir);
+    const principles = Object.values(ledger.tree.principles);
+
+    const results: ReflectionContext[] = [];
+
+    for (const principle of principles) {
+      // Apply status filter if provided
+      if (filter?.status && principle.status !== filter.status) {
+        continue;
+      }
+
+      // Skip principles without pain grounding
+      if (!principle.derivedFromPainIds || principle.derivedFromPainIds.length === 0) {
+        continue;
+      }
+
+      const ctx = this.buildContext(principle);
+      if (ctx) {
+        results.push(ctx);
+      }
+    }
+
+    return results;
+  }
+
+  // -----------------------------------------------------------------------
+  // Private helpers
+  // -----------------------------------------------------------------------
+
+  /**
+   * Build a ReflectionContext from a principle.
+   *
+   * Attempts to resolve painIds to sessions via best-effort lookup.
+   * Since painId -> sessionId mapping is a known gap, we may return
+   * empty painEvents and null sessionSnapshot.
+   */
+  private buildContext(principle: LedgerPrinciple): ReflectionContext {
+    const sourcePainIds = principle.derivedFromPainIds;
+
+    // Best-effort: try to find a session containing pain events related to this principle.
+    // The pain_events table uses auto-increment IDs, not the string painIds stored in
+    // derivedFromPainIds. This is the known gap — for now we attempt session resolution
+    // but gracefully handle the case where we can't match.
+    const { painEvents, sessionId } = this.resolvePainEvents(sourcePainIds);
+
+    // If we found a session, get the snapshot
+    let sessionSnapshot: NocturnalSessionSnapshot | null = null;
+    if (sessionId) {
+      const extractor = new NocturnalTrajectoryExtractor(this.trajectory);
+      sessionSnapshot = extractor.getNocturnalSessionSnapshot(sessionId);
+    }
+
+    return {
+      principle,
+      painEvents,
+      sessionSnapshot,
+      lineage: {
+        sourcePainIds,
+        sessionId,
+      },
+    };
+  }
+
+  /**
+   * Attempt to resolve painIds to actual pain events and a session.
+   *
+   * Two-phase strategy:
+   * 1. Exact ID match: sourcePainIds are stringified pain_events row IDs.
+   *    If any match String(pe.id) exactly, use those and stop.
+   * 2. Heuristic fallback: substring match on reason/origin fields.
+   *    Only used when no exact matches are found.
+   */
+  private resolvePainEvents(sourcePainIds: string[]): {
+    painEvents: NocturnalPainEvent[];
+    sessionId: string | null;
+  } {
+    const sessions = this.trajectory.listRecentSessions({ limit: 100 });
+    const sourcePainIdSet = new Set(sourcePainIds);
+
+    const exactMatches: NocturnalPainEvent[] = [];
+    const heuristicMatches: NocturnalPainEvent[] = [];
+    let exactSessionId: string | null = null;
+    let heuristicSessionId: string | null = null;
+
+    for (const session of sessions) {
+      const sessionPainEvents = this.trajectory.listPainEventsForSession(session.sessionId);
+
+      for (const pe of sessionPainEvents) {
+        // Phase 1: exact ID match
+        if (sourcePainIdSet.has(String(pe.id))) {
+          exactMatches.push({
+            source: pe.source,
+            score: pe.score,
+            severity: pe.severity,
+            reason: pe.reason,
+            createdAt: pe.createdAt,
+          });
+          if (!exactSessionId) {
+            exactSessionId = session.sessionId;
+          }
+          continue;
+        }
+
+        // Phase 2: heuristic substring match on reason/origin only
+        const peText = [pe.reason, pe.origin].filter(Boolean);
+        const isMatch = sourcePainIds.some((painId) =>
+          peText.some((field) => field?.includes(painId)),
+        );
+
+        if (isMatch) {
+          heuristicMatches.push({
+            source: pe.source,
+            score: pe.score,
+            severity: pe.severity,
+            reason: pe.reason,
+            createdAt: pe.createdAt,
+          });
+          if (!heuristicSessionId) {
+            heuristicSessionId = session.sessionId;
+          }
+        }
+      }
+    }
+
+    // Prefer exact matches over heuristic matches
+    if (exactMatches.length > 0) {
+      return { painEvents: exactMatches, sessionId: exactSessionId };
+    }
+
+    return { painEvents: heuristicMatches, sessionId: heuristicSessionId };
+  }
+}

package/src/hooks/message-sanitize.ts

@@ -6,6 +6,21 @@ const INTERNAL_TAG_PATTERNS = [
   /<empathy\s+[^>]*\/?>(?:<\/empathy>)?/gi,
 ];
 
+/**
+ * Type predicate: true if msg is an assistant message with content.
+ * Used for safe narrowing after spread operations on message union.
+ */
+function isAssistantMessageWithContent(
+  msg: unknown
+): msg is { role: 'assistant'; content: string } {
+  return (
+    typeof msg === 'object' &&
+    msg !== null &&
+    (msg as { role?: string }).role === 'assistant' &&
+    typeof (msg as { content?: unknown }).content === 'string'
+  );
+}
+
 export function sanitizeAssistantText(text: string): string {
   let result = text;
   for (const pattern of INTERNAL_TAG_PATTERNS) {
@@ -23,11 +38,10 @@ export function handleBeforeMessageWrite(
   const msg = event.message as { role?: string; content?: unknown } | undefined;
   if (!msg || msg.role !== 'assistant') return;
 
-  if (typeof msg.content === 'string') {
+  if (isAssistantMessageWithContent(msg)) {
     const sanitized = sanitizeAssistantText(msg.content);
     if (sanitized !== msg.content) {
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Reason: message content is dynamically modified, type preserved from event.message union
-      return { message: { ...msg, content: sanitized } as any };
+      return { message: { ...msg, content: sanitized } };
     }
     return;
   }
@@ -39,8 +53,7 @@ export function handleBeforeMessageWrite(
       }
       return part;
     });
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Reason: message content is dynamically modified, type preserved from event.message union
-    return { message: { ...msg, content: next } as any };
+    return { message: { ...msg, content: next } };
   }
 
   return;

package/src/hooks/prompt.ts

@@ -20,6 +20,17 @@ import {
 } from '../core/empathy-keyword-matcher.js';
 import { severityToPenalty, DEFAULT_EMPATHY_KEYWORD_CONFIG } from '../core/empathy-types.js';
 import { CorrectionCueLearner } from '../core/correction-cue-learner.js';
+import type { PluginRuntimeSubagent } from '../service/subagent-workflow/runtime-direct-driver.js';
+
+/**
+ * Type assertion: OpenClaw SDK subagent -> workflow manager subagent type.
+ * Both types are structurally identical but come from different import paths.
+ */
+function toWorkflowSubagent(
+  subagent: NonNullable<OpenClawPluginApi['runtime']>['subagent']
+): PluginRuntimeSubagent {
+  return subagent as unknown as PluginRuntimeSubagent;
+}
 
 // ---------------------------------------------------------------------------
 // Static file cache — avoids re-reading rarely-changing files every message
@@ -590,8 +601,8 @@ The empathy observer subagent handles pain detection independently.
           const empathyManager = new EmpathyObserverWorkflowManager({
             workspaceDir,
             logger: api.logger ?? console,
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Reason: runtimeSubagent has structurally compatible shape but differs from workflow manager's subagent type
-            subagent: runtimeSubagent as any,
+             
+            subagent: toWorkflowSubagent(runtimeSubagent),
           });
           empathyManager.startWorkflow(empathyObserverWorkflowSpec, {
             parentSessionId: sessionId,
@@ -626,8 +637,8 @@ The empathy observer subagent handles pain detection independently.
             const empathyManager = new EmpathyObserverWorkflowManager({
               workspaceDir,
               logger: api.logger ?? console,
-              // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Reason: api.runtime.subagent has structurally compatible shape but differs from workflow manager's subagent type
-              subagent: api.runtime.subagent as any,
+               
+              subagent: toWorkflowSubagent(api.runtime.subagent),
             });
             
             empathyManager.startWorkflow(empathyObserverWorkflowSpec, {

package/src/hooks/subagent.ts

@@ -14,7 +14,7 @@ import type { WorkflowManager } from '../service/subagent-workflow/types.js';
  * Used by the subagent_ended hook to dispatch lifecycle recovery to the right manager.
  */
  
-// eslint-disable-next-line @typescript-eslint/max-params
+ 
 function createWorkflowManagerForType(
     workflowType: string,
     workspaceDir: string,
@@ -25,9 +25,8 @@ function createWorkflowManagerForType(
         info: (m: string) => logger.info(String(m)),
         warn: (m: string) => logger.warn(String(m)),
         error: (m: string) => logger.error(String(m)),
-         
         debug: () => { /* no-op */ },
-    } as unknown as PluginLogger;
+    };
 
     switch (workflowType) {
         case 'empathy-observer':

package/src/http/principles-console-route.ts

@@ -1,3 +1,4 @@
+import * as crypto from 'crypto';
 import fs from 'fs';
 import path from 'path';
 import type { IncomingMessage, ServerResponse } from 'node:http';
@@ -96,7 +97,7 @@ function createService(api: OpenClawPluginApi): ControlUiQueryService {
 }
 
  
-// eslint-disable-next-line @typescript-eslint/max-params
+ 
 function handleApiRoute(
   api: OpenClawPluginApi,
   pathname: string,
@@ -105,13 +106,13 @@ function handleApiRoute(
 ): Promise<boolean> | boolean {
   // Check authentication for API routes
    
-  // eslint-disable-next-line @typescript-eslint/no-use-before-define
+   
   if (!validateGatewayAuth(req)) {
     json(res, 401, { error: 'unauthorized', message: 'Valid Gateway token required.' });
     return true;
   }
 
-  // eslint-disable-next-line @typescript-eslint/init-declarations
+   
   let service: ControlUiQueryService;
   try {
     service = createService(api);
@@ -566,7 +567,23 @@ function validateGatewayAuth(req: IncomingMessage): boolean {
   const authHeader = (req.headers?.authorization as string) || '';
   const tokenMatch = /^Bearer\s+(.+)$/i.exec(authHeader);
   const providedToken = tokenMatch?.[1];
-  return providedToken === gatewayToken;
+
+  if (!providedToken) {
+    return false;
+  }
+
+  // Constant-time comparison to prevent timing attacks (per D-07)
+  // Use Buffer comparison — both tokens must be same length for timingSafeEqual
+  const providedBuffer = Buffer.from(providedToken, 'utf8');
+  const expectedBuffer = Buffer.from(gatewayToken, 'utf8');
+
+  if (providedBuffer.length !== expectedBuffer.length) {
+    // Length mismatch — fail fast but without timing leak
+    // Return false immediately rather than letting timingSafeEqual throw
+    return false;
+  }
+
+  return crypto.timingSafeEqual(providedBuffer, expectedBuffer);
 }
 
 /**