principles-disciple 1.41.0 → 1.43.0

package/src/hooks/message-sanitize.ts

@@ -6,6 +6,21 @@ const INTERNAL_TAG_PATTERNS = [
   /<empathy\s+[^>]*\/?>(?:<\/empathy>)?/gi,
 ];
 
+/**
+ * Type predicate: true if msg is an assistant message with content.
+ * Used for safe narrowing after spread operations on message union.
+ */
+function isAssistantMessageWithContent(
+  msg: unknown
+): msg is { role: 'assistant'; content: string } {
+  return (
+    typeof msg === 'object' &&
+    msg !== null &&
+    (msg as { role?: string }).role === 'assistant' &&
+    typeof (msg as { content?: unknown }).content === 'string'
+  );
+}
+
 export function sanitizeAssistantText(text: string): string {
   let result = text;
   for (const pattern of INTERNAL_TAG_PATTERNS) {
@@ -23,11 +38,10 @@ export function handleBeforeMessageWrite(
   const msg = event.message as { role?: string; content?: unknown } | undefined;
   if (!msg || msg.role !== 'assistant') return;
 
-  if (typeof msg.content === 'string') {
+  if (isAssistantMessageWithContent(msg)) {
     const sanitized = sanitizeAssistantText(msg.content);
     if (sanitized !== msg.content) {
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Reason: message content is dynamically modified, type preserved from event.message union
-      return { message: { ...msg, content: sanitized } as any };
+      return { message: { ...msg, content: sanitized } };
     }
     return;
   }
@@ -39,8 +53,7 @@ export function handleBeforeMessageWrite(
       }
       return part;
     });
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Reason: message content is dynamically modified, type preserved from event.message union
-    return { message: { ...msg, content: next } as any };
+    return { message: { ...msg, content: next } };
   }
 
   return;

package/src/hooks/pain.ts

@@ -131,7 +131,7 @@ export function handleAfterToolCall(
     
     // ── Trust Engine: Record failure ──
      
-    // eslint-disable-next-line @typescript-eslint/no-use-before-define
+     
     const errorType = extractErrorType(event.error || errorText);
     const filePath = params.file_path || params.path || params.file;
     const relPath = typeof filePath === 'string' ? normalizePath(filePath, effectiveWorkspaceDir) : 'unknown';
@@ -194,7 +194,7 @@ export function handleAfterToolCall(
     const session = getSession(sessionId);
     const toolFailureGfi = session?.gfiBySource?.tool_failure || 0;
     
-    // eslint-disable-next-line @typescript-eslint/init-declarations
+     
     let resetState: SessionState;
     if (toolFailureGfi > 0) {
       // Reduce tool_failure source by 50% (relief from successful tool execution)

package/src/hooks/progressive-trust-gate.ts

@@ -87,7 +87,7 @@ export function buildEvolutionGateReason(
  * Internal helper to call the shared block helper with progressive-trust-gate source tag.
  */
  
-// eslint-disable-next-line @typescript-eslint/max-params
+ 
 function block(
   filePath: string,
   reason: string,
@@ -121,7 +121,7 @@ function block(
  * @returns PluginHookBeforeToolCallResult to block, or undefined to allow
  */
  
-// eslint-disable-next-line @typescript-eslint/max-params
+ 
 export function checkProgressiveTrustGate(
   event: PluginHookBeforeToolCallEvent,
   wctx: WorkspaceContext,
@@ -154,7 +154,7 @@ export function checkProgressiveTrustGate(
 
   const currentTier = epDecision.currentTier ?? 1;
    
-  // eslint-disable-next-line @typescript-eslint/no-use-before-define
+   
   const tierName = getTierName(currentTier);
 
   logger.info?.(`[PD_GATE] EP Gate: Tier ${currentTier} (${tierName}), Tool: ${event.toolName}, Risk: ${risky}, Allowed: ${epDecision.allowed}`);

package/src/hooks/prompt.ts

@@ -1,3 +1,5 @@
+ 
+ 
 import * as fs from 'fs';
 import * as path from 'path';
 import type { PluginHookBeforePromptBuildEvent, PluginHookAgentContext, PluginHookBeforePromptBuildResult, PluginLogger, OpenClawPluginApi } from '../openclaw-sdk.js';
@@ -20,6 +22,17 @@ import {
 } from '../core/empathy-keyword-matcher.js';
 import { severityToPenalty, DEFAULT_EMPATHY_KEYWORD_CONFIG } from '../core/empathy-types.js';
 import { CorrectionCueLearner } from '../core/correction-cue-learner.js';
+import type { PluginRuntimeSubagent } from '../service/subagent-workflow/runtime-direct-driver.js';
+
+/**
+ * Type assertion: OpenClaw SDK subagent -> workflow manager subagent type.
+ * Both types are structurally identical but come from different import paths.
+ */
+function toWorkflowSubagent(
+  subagent: NonNullable<OpenClawPluginApi['runtime']>['subagent']
+): PluginRuntimeSubagent {
+  return subagent as unknown as PluginRuntimeSubagent;
+}
 
 // ---------------------------------------------------------------------------
 // Static file cache — avoids re-reading rarely-changing files every message
@@ -590,8 +603,8 @@ The empathy observer subagent handles pain detection independently.
           const empathyManager = new EmpathyObserverWorkflowManager({
             workspaceDir,
             logger: api.logger ?? console,
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Reason: runtimeSubagent has structurally compatible shape but differs from workflow manager's subagent type
-            subagent: runtimeSubagent as any,
+             
+            subagent: toWorkflowSubagent(runtimeSubagent),
           });
           empathyManager.startWorkflow(empathyObserverWorkflowSpec, {
             parentSessionId: sessionId,
@@ -626,8 +639,8 @@ The empathy observer subagent handles pain detection independently.
             const empathyManager = new EmpathyObserverWorkflowManager({
               workspaceDir,
               logger: api.logger ?? console,
-              // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Reason: api.runtime.subagent has structurally compatible shape but differs from workflow manager's subagent type
-              subagent: api.runtime.subagent as any,
+               
+              subagent: toWorkflowSubagent(api.runtime.subagent),
             });
             
             empathyManager.startWorkflow(empathyObserverWorkflowSpec, {

package/src/hooks/subagent.ts

@@ -14,7 +14,7 @@ import type { WorkflowManager } from '../service/subagent-workflow/types.js';
  * Used by the subagent_ended hook to dispatch lifecycle recovery to the right manager.
  */
  
-// eslint-disable-next-line @typescript-eslint/max-params
+ 
 function createWorkflowManagerForType(
     workflowType: string,
     workspaceDir: string,
@@ -25,9 +25,8 @@ function createWorkflowManagerForType(
         info: (m: string) => logger.info(String(m)),
         warn: (m: string) => logger.warn(String(m)),
         error: (m: string) => logger.error(String(m)),
-         
         debug: () => { /* no-op */ },
-    } as unknown as PluginLogger;
+    };
 
     switch (workflowType) {
         case 'empathy-observer':

package/src/hooks/thinking-checkpoint.ts

@@ -41,7 +41,7 @@ export interface ThinkingCheckpointConfig {
  * @returns Block result if thinking required, undefined otherwise
  */
  
-// eslint-disable-next-line @typescript-eslint/max-params
+ 
 export function checkThinkingCheckpoint(
   event: PluginHookBeforeToolCallEvent,
   config: ThinkingCheckpointConfig,

package/src/http/principles-console-route.ts

@@ -1,3 +1,4 @@
+import * as crypto from 'crypto';
 import fs from 'fs';
 import path from 'path';
 import type { IncomingMessage, ServerResponse } from 'node:http';
@@ -96,7 +97,7 @@ function createService(api: OpenClawPluginApi): ControlUiQueryService {
 }
 
  
-// eslint-disable-next-line @typescript-eslint/max-params
+ 
 function handleApiRoute(
   api: OpenClawPluginApi,
   pathname: string,
@@ -105,13 +106,13 @@ function handleApiRoute(
 ): Promise<boolean> | boolean {
   // Check authentication for API routes
    
-  // eslint-disable-next-line @typescript-eslint/no-use-before-define
+   
   if (!validateGatewayAuth(req)) {
     json(res, 401, { error: 'unauthorized', message: 'Valid Gateway token required.' });
     return true;
   }
 
-  // eslint-disable-next-line @typescript-eslint/init-declarations
+   
   let service: ControlUiQueryService;
   try {
     service = createService(api);
@@ -566,7 +567,23 @@ function validateGatewayAuth(req: IncomingMessage): boolean {
   const authHeader = (req.headers?.authorization as string) || '';
   const tokenMatch = /^Bearer\s+(.+)$/i.exec(authHeader);
   const providedToken = tokenMatch?.[1];
-  return providedToken === gatewayToken;
+
+  if (!providedToken) {
+    return false;
+  }
+
+  // Constant-time comparison to prevent timing attacks (per D-07)
+  // Use Buffer comparison — both tokens must be same length for timingSafeEqual
+  const providedBuffer = Buffer.from(providedToken, 'utf8');
+  const expectedBuffer = Buffer.from(gatewayToken, 'utf8');
+
+  if (providedBuffer.length !== expectedBuffer.length) {
+    // Length mismatch — fail fast but without timing leak
+    // Return false immediately rather than letting timingSafeEqual throw
+    return false;
+  }
+
+  return crypto.timingSafeEqual(providedBuffer, expectedBuffer);
 }
 
 /**

package/src/service/central-database.ts

@@ -1,3 +1,4 @@
+ 
 import Database from 'better-sqlite3';
 import fs from 'fs';
 import path from 'path';
@@ -200,7 +201,7 @@ export class CentralDatabase {
   /**
    * Sync data from a single workspace into the central database
    */
-    // eslint-disable-next-line complexity -- complexity 12, refactor candidate
+     
   syncWorkspace(workspaceName: string): number {
     const workspace = this.workspaces.find(w => w.name === workspaceName);
     if (!workspace) {
@@ -714,7 +715,7 @@ export class CentralDatabase {
       syncEnabled: c.sync_enabled === 1,
     }));
   }
-    // eslint-disable-next-line complexity -- complexity 12, refactor candidate
+     
 
   updateWorkspaceConfig(
     workspaceName: string,

package/src/service/central-health-service.ts

@@ -1,3 +1,4 @@
+/* eslint-disable no-console */
 import { getCentralDatabase } from './central-database.js';
 import { HealthQueryService } from './health-query-service.js';
 
@@ -18,7 +19,7 @@ export interface CentralHealthResponse {
  */
 export class CentralHealthService {
    
-  // eslint-disable-next-line @typescript-eslint/class-methods-use-this
+   
   getAllWorkspaceHealth(): CentralHealthResponse {
     const centralDb = getCentralDatabase();
     const workspaces: WorkspaceHealthEntry[] = [];

package/src/service/central-overview-service.ts

@@ -1,3 +1,4 @@
+/* eslint-disable no-console */
 import { getCentralDatabase, type CentralDatabase } from './central-database.js';
 import { getThinkingModelDefinitions } from '../core/thinking-models.js';
 import type { OverviewResponse } from './control-ui-query-service.js';
@@ -24,7 +25,7 @@ export class CentralOverviewService {
   }
 
    
-  // eslint-disable-next-line @typescript-eslint/class-methods-use-this
+   
   dispose(): void {
     // Do NOT dispose centralDb — it's a singleton shared across all requests.
     // Individual services that open per-request connections (e.g. HealthQueryService)
@@ -62,7 +63,7 @@ export class CentralOverviewService {
 
     // D-06: sampleQueue.counters from aggregated_correction_samples GROUP BY review_status
      
-    // eslint-disable-next-line no-useless-assignment
+     
     let sampleCounters: Record<string, number> = {};
     try {
       sampleCounters = this.centralDb.getSampleCountersByStatus();

package/src/service/control-ui-query-service.ts

@@ -255,7 +255,7 @@ export class ControlUiQueryService {
     this.uiDb.dispose();
   }
 
-    // eslint-disable-next-line complexity -- complexity 14, refactor candidate
+     
   getOverview(days = 30): OverviewResponse {
     const stats = this.trajectory.getDataStats();
     const regressionRows = this.uiDb.all<{
@@ -400,7 +400,7 @@ export class ControlUiQueryService {
     };
   }
 
-    // eslint-disable-next-line complexity -- complexity 13, refactor candidate
+     
   listSamples(filters: SampleListFilters = {}): SamplesResponse {
     const page = Math.max(1, Number(filters.page ?? 1));
     const pageSize = clampPageSize(filters.pageSize);

package/src/service/event-log-auditor.ts

@@ -137,7 +137,7 @@ function countAllHooks(filePath: string): Record<string, number> {
  * @param openclawDir - Base OpenClaw directory (e.g., ~/.openclaw)
  * @param expectedToolHooks - Hook names that should appear in the primary workspace
  */
-    // eslint-disable-next-line complexity -- complexity 11, slightly over threshold
+     
 export async function auditEventLogs(
   openclawDir: string,
   expectedToolHooks: string[] = ['before_tool_call', 'after_tool_call'],
@@ -210,7 +210,7 @@ export async function auditEventLogs(
 /**
  * Format audit report for display.
  */
-    // eslint-disable-next-line complexity -- complexity 13, refactor candidate
+     
 export function formatAuditReport(report: AuditReport): string {
   const lines: string[] = [];
   

package/src/service/evolution-query-service.ts

@@ -155,7 +155,7 @@ export class EvolutionQueryService {
    * 注意：不关闭 trajectory，因为它是单例由 TrajectoryRegistry 管理
    */
    
-  // eslint-disable-next-line @typescript-eslint/class-methods-use-this
+   
   dispose(): void {
     // EvolutionQueryService 不拥有 trajectory，所以不关闭它
     // trajectory 是由 TrajectoryRegistry 管理的单例