principles-disciple 1.73.0 → 1.75.0

package/tests/hooks/gate-no-path-write-tool.test.ts

@@ -0,0 +1,172 @@
+/**
+ * Regression test: write tools without file_path must still go through RuleHost.
+ *
+ * PRI-286 P1: After removing confirm-first gate, write tools (apply_patch, patch, etc.)
+ * that have no file_path/path/file/target param must NOT be silently allowed.
+ * They must use a synthetic path `<tool:${toolName}>` and still evaluate via RuleHost.
+ *
+ * Uses vi.hoisted + mock of WorkspaceContext to avoid isolation issues in full suite.
+ * WorkspaceContext is the key — in full suite, other test files initialize the real
+ * context which caches a real EventLogService that doesn't have our mock methods.
+ */
+
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+// vi.hoisted ensures these are available to vi.mock factories at hoist time
+const { mockEvaluate, mockEventLog, mockEvolution } = vi.hoisted(() => {
+  const mockEvaluate = vi.fn().mockReturnValue(undefined);
+  const mockEventLog = {
+    recordRuleHostEvaluated: vi.fn(),
+    recordRuleEnforced: vi.fn(),
+    recordRuleHostBlocked: vi.fn(),
+    recordRuleHostRequireApproval: vi.fn(),
+    recordRuleHostAutoCorrectProposed: vi.fn(),
+    recordRuleHostAutoCorrectApplied: vi.fn(),
+    recordGateBlock: vi.fn(),
+    recordSession: vi.fn(),
+  };
+  const mockEvolution = {
+    getTier: vi.fn().mockReturnValue(3),
+    getPoints: vi.fn().mockReturnValue(200),
+  };
+  return { mockEvaluate, mockEventLog, mockEvolution };
+});
+
+vi.mock('../../src/core/session-tracker.js', () => ({
+  getSession: vi.fn(() => ({ currentGfi: 0 })),
+  trackBlock: vi.fn(),
+  hasRecentThinking: vi.fn(() => false),
+}));
+
+vi.mock('../../src/core/evolution-engine.js', () => ({
+  getEvolutionEngine: vi.fn(() => mockEvolution),
+}));
+
+vi.mock('../../src/core/event-log.js', () => ({
+  EventLogService: { get: vi.fn(() => mockEventLog) },
+}));
+
+vi.mock('../../src/core/rule-host.js', () => ({
+  RuleHost: vi.fn(function(this: any, _stateDir: string, _logger: any) {
+    this.evaluate = mockEvaluate;
+  }),
+}));
+
+vi.mock('../../src/core/principle-tree-ledger.js', () => ({
+  loadLedger: vi.fn(),
+  listImplementationsByLifecycleState: vi.fn(() => []),
+}));
+
+// Mock WorkspaceContext to return a controlled instance with our mockEventLog.
+// This prevents full-suite caching of real WorkspaceContext instances.
+vi.mock('../../src/core/workspace-context.js', () => {
+  return {
+    WorkspaceContext: {
+      fromHookContext: vi.fn((ctx: any) => ({
+        workspaceDir: ctx.workspaceDir,
+        stateDir: ctx.workspaceDir + '/.state',
+        eventLog: mockEventLog,
+        trajectory: {
+          recordGateBlock: vi.fn(),
+          recordPainEvent: vi.fn(),
+          recordSession: vi.fn(),
+        },
+        config: {
+          get: vi.fn().mockReturnValue(undefined),
+        },
+      })),
+    },
+  };
+});
+
+// Dynamic import AFTER mocks are set up
+const { handleBeforeToolCall } = await import('../../src/hooks/gate.js');
+
+const workspaceDir = '/mock/workspace';
+const sessionId = 'test-no-path';
+
+describe('Write tools without file_path must go through RuleHost', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockEvaluate.mockReturnValue(undefined);
+  });
+
+  it('apply_patch with no path triggers RuleHost evaluate', () => {
+    mockEvaluate.mockReturnValue(undefined); // allow
+
+    const result = handleBeforeToolCall(
+      { toolName: 'apply_patch', params: { patch: 'some diff content' } } as any,
+      { workspaceDir, sessionId } as any,
+    );
+
+    // Should not be blocked (RuleHost returned undefined = allow)
+    expect(result).toBeUndefined();
+    // But RuleHost MUST have been called
+    expect(mockEvaluate).toHaveBeenCalledTimes(1);
+    // Verify synthetic path was used
+    const input = mockEvaluate.mock.calls[0][0];
+    expect(input.action.normalizedPath).toBe('<tool:apply_patch>');
+  });
+
+  it('apply_patch with no path: RuleHost block must return block', () => {
+    mockEvaluate.mockReturnValue({
+      decision: 'block',
+      matched: true,
+      reason: 'Test block: write tool without path',
+      ruleId: 'R_TEST',
+      principleId: 'P_TEST',
+    });
+
+    const result = handleBeforeToolCall(
+      { toolName: 'apply_patch', params: { patch: 'dangerous content' } } as any,
+      { workspaceDir, sessionId } as any,
+    );
+
+    expect(result).toBeDefined();
+    expect(result?.block).toBe(true);
+    expect(result?.blockReason).toContain('Test block: write tool without path');
+    expect(mockEvaluate).toHaveBeenCalledTimes(1);
+    expect(mockEvaluate.mock.calls[0][0].action.normalizedPath).toBe('<tool:apply_patch>');
+  });
+
+  it('patch tool with no path triggers RuleHost evaluate', () => {
+    mockEvaluate.mockReturnValue(undefined); // allow
+
+    const result = handleBeforeToolCall(
+      { toolName: 'patch', params: {} } as any,
+      { workspaceDir, sessionId } as any,
+    );
+
+    expect(result).toBeUndefined();
+    expect(mockEvaluate).toHaveBeenCalledTimes(1);
+    expect(mockEvaluate.mock.calls[0][0].action.normalizedPath).toBe('<tool:patch>');
+  });
+
+  it('Write tool with valid file_path still uses real path', () => {
+    mockEvaluate.mockReturnValue(undefined); // allow
+
+    const result = handleBeforeToolCall(
+      { toolName: 'write', params: { file_path: '/mock/workspace/src/app.ts', content: 'x' } } as any,
+      { workspaceDir, sessionId } as any,
+    );
+
+    expect(result).toBeUndefined();
+    expect(mockEvaluate).toHaveBeenCalledTimes(1);
+    expect(mockEvaluate.mock.calls[0][0].action.normalizedPath).toBe('src/app.ts');
+  });
+
+  it('bash with no file target still goes through RuleHost (existing behavior)', () => {
+    mockEvaluate.mockReturnValue(undefined); // allow
+
+    const result = handleBeforeToolCall(
+      { toolName: 'bash', params: { command: 'echo hello' } } as any,
+      { workspaceDir, sessionId } as any,
+    );
+
+    expect(result).toBeUndefined();
+    expect(mockEvaluate).toHaveBeenCalledTimes(1);
+    // Bash without file target uses the full command as path (existing heuristic)
+    const input = mockEvaluate.mock.calls[0][0];
+    expect(input.action.normalizedPath).toContain('echo hello');
+  });
+});

package/src/core/confirm-first-gate.ts

@@ -1,255 +0,0 @@
-/**
- * Confirm-First Gate
- *
- * Hard enforcement for confirm-first Runtime V2 prompt activations.
- * When an owner-approved activation requires confirmation before coding,
- * this gate blocks mutating tools until the session has explicit owner approval.
- *
- * This is NOT a replacement for prompt injection — it's a hard fallback
- * for models that don't follow system prompt behavioral directives.
- *
- * Flow:
- * 1. Prompt hook (before_prompt_build) detects confirm-first directive and caches state
- * 2. Prompt hook detects user approval language and marks session approved
- * 3. Gate hook (before_tool_call) checks cached state synchronously
- */
-
-import { BASH_TOOLS_SET, WRITE_TOOLS } from '../constants/tools.js';
-import { SqliteConfirmFirstStateStore } from '@principles/core/runtime-v2';
-
-/** Per-session confirm-first state */
-interface ConfirmFirstSessionState {
-  active: boolean;
-  principleId?: string;
-}
-
-/** Size cap to prevent memory leaks from abandoned sessions */
-const MAX_SESSION_ENTRIES = 500;
-
-// TODO(PRI-268): stale directive cleanup
-const sessionDirectiveState = new Map<string, ConfirmFirstSessionState>();
-// TODO(PRI-267): per-task approval scope
-const sessionApprovalState = new Map<string, boolean>();
-
-let confirmFirstStore: SqliteConfirmFirstStateStore | null = null;
-
-export function setConfirmFirstStore(store: SqliteConfirmFirstStateStore | null): void {
-  confirmFirstStore = store;
-}
-
-function evictOldestIfFull(map: Map<string, unknown>): void {
-  if (map.size >= MAX_SESSION_ENTRIES) {
-    const firstKey = map.keys().next().value;
-    if (firstKey !== undefined) map.delete(firstKey);
-  }
-}
-
-export interface ConfirmFirstGateResult {
-  action: 'allow' | 'block' | 'skip';
-  reason?: string;
-  nextAction?: string;
-  principleId?: string;
-}
-
-/**
- * Check if a tool is mutating (write, edit, delete, or mutating exec).
- */
-function isMutatingTool(toolName: string, params?: Record<string, unknown>): boolean {
-  // Direct write/edit/delete tools are always mutating
-  if (WRITE_TOOLS.has(toolName)) return true;
-
-  // For exec/bash, only mutating if the command content is mutating
-  if (BASH_TOOLS_SET.has(toolName)) {
-    const command = String(params?.command || params?.args || '');
-    if (!command) return false;
-    return />\s*|>>\s*|\brm\b|\bmv\b|\bmkdir\b|\btouch\b|\bcp\s|\bsed\s+-i|\bchmod\b|\bchown\b|\bdel\s|\bRemove-Item\b|\bSet-Content\b|\bOut-File\b|\bNew-Item\b/.test(command);
-  }
-
-  return false;
-}
-
-/**
- * Detect if user message contains clear approval language.
- * Rejects negated forms (e.g., "don't proceed", "不同意", "确认一下").
- */
-export function detectApprovalMarker(message: string): boolean {
-  const trimmed = message.trim();
-
-  // Negation prefixes — reject if present before approval keywords
-  const zhNegation = /不|别|暂不|先不|无法|不能|没准备好|还没|尚未/;
-  const enNegation = /don'?t|not\s+ready|can'?t|won'?t|stop|hold|cannot|isn'?t|aren'?t|haven'?t|shouldn'?t/i;
-
-  // Single-word Chinese markers require exact match (the word alone, not embedded in a sentence)
-  const zhExactMarkers = /^(?:确认|批准|同意|执行吧|开始执行)$/;
-  // Multi-word Chinese markers
-  const zhPhraseMarkers = /按计划执行|可以执行|就这么做|去执行|照.*做|没问题.*执行/;
-
-  // English markers — unambiguous single-word approvals only
-  const enMarkers = /\bapproved\b|\bgo\s*ahead\b|\blgtm\b/i;
-  // English phrase markers — require explicit approval context
-  const enPhraseMarkers = /\byes,?\s*(do\s+it|proceed|execute)\b|\bdo\s+it\b|\bproceed\s+with\s+the\s+plan\b|\bexecute\s+the\s+plan\b|\bplease\s+proceed\s+with\s+the\s+plan\b/i;
-
-  // Check Chinese
-  if (zhExactMarkers.test(trimmed) || zhPhraseMarkers.test(trimmed)) {
-    // Reject if negation prefix present
-    if (zhNegation.test(trimmed)) return false;
-    return true;
-  }
-
-  // Check English
-  if (enMarkers.test(trimmed) || enPhraseMarkers.test(trimmed)) {
-    if (enNegation.test(trimmed)) return false;
-    return true;
-  }
-
-  return false;
-}
-
-/**
- * Set confirm-first directive state for a session (called from prompt hook).
- */
-export function setConfirmFirstDirective(
-  sessionId: string,
-  active: boolean,
-  principleId?: string,
-): void {
-  evictOldestIfFull(sessionDirectiveState);
-  sessionDirectiveState.set(sessionId, { active, principleId });
-  if (confirmFirstStore) {
-    try {
-      confirmFirstStore.upsertDirective(sessionId, active, principleId ?? null);
-    } catch (storeErr) {
-      console.warn(`[PD:ConfirmFirst] Store write failed for directive (session=${sessionId}), degraded to cache-only: ${String(storeErr)}`);
-    }
-  }
-}
-
-/**
- * Mark a session as approved (called from prompt hook when approval detected).
- */
-export function setConfirmFirstApproval(sessionId: string): void {
-  evictOldestIfFull(sessionApprovalState);
-  sessionApprovalState.set(sessionId, true);
-  if (confirmFirstStore) {
-    try {
-      confirmFirstStore.upsertApproval(sessionId);
-    } catch (storeErr) {
-      console.warn(`[PD:ConfirmFirst] Store write failed for approval (session=${sessionId}), degraded to cache-only: ${String(storeErr)}`);
-    }
-  }
-}
-
-/**
- * Synchronous gate evaluation — checks cached state only.
- * Called from before_tool_call hook (must be synchronous).
- */
-export function evaluateConfirmFirstGateSync(
-  sessionId: string | undefined,
-  toolName: string,
-  params: Record<string, unknown> | undefined,
-): ConfirmFirstGateResult {
-  if (!sessionId) return { action: 'skip' };
-
-  // 1. Check if session is already approved
-  if (sessionApprovalState.get(sessionId)) {
-    return { action: 'allow' };
-  }
-
-  // 2. Check if confirm-first directive is active for this session
-  const directive = sessionDirectiveState.get(sessionId);
-  if (!directive?.active) {
-    return { action: 'skip' };
-  }
-
-  // 3. Check if tool is mutating
-  if (!isMutatingTool(toolName, params)) {
-    return { action: 'allow' };
-  }
-
-  // 4. Block: mutating tool with active confirm-first and no approval
-  return {
-    action: 'block',
-    reason: 'confirm_first_required',
-    nextAction:
-      'Summarize requirements, list ambiguities, propose a plan, and wait for explicit owner approval before mutating files.',
-    principleId: directive.principleId,
-  };
-}
-
-/**
- * Reset state for a session (e.g., on /reset).
- */
-export function resetConfirmFirst(sessionId: string): void {
-  sessionDirectiveState.delete(sessionId);
-  sessionApprovalState.delete(sessionId);
-  if (confirmFirstStore) {
-    try {
-      confirmFirstStore.deleteState(sessionId);
-    } catch (storeErr) {
-      console.warn(`[PD:ConfirmFirst] Store delete failed for session=${sessionId}: ${String(storeErr)}`);
-    }
-  }
-}
-
-/**
- * Check if a session has been approved (for testing).
- */
-export function isSessionApproved(sessionId: string): boolean {
-  return sessionApprovalState.get(sessionId) === true;
-}
-
-/**
- * Check if a session has an active directive (for testing).
- */
-export function hasActiveDirective(sessionId: string): boolean {
-  return sessionDirectiveState.get(sessionId)?.active === true;
-}
-
-/**
- * Clear all state (for testing).
- */
-export function clearAllConfirmFirstState(): void {
-  sessionDirectiveState.clear();
-  sessionApprovalState.clear();
-  if (confirmFirstStore) {
-    try {
-      confirmFirstStore.deleteAllState();
-    } catch (storeErr) {
-      console.warn(`[PD:ConfirmFirst] Store clearAll failed: ${String(storeErr)}`);
-    }
-  }
-}
-
-export function hydrateFromStore(sessionId: string): void {
-  if (!confirmFirstStore) return;
-  if (sessionDirectiveState.has(sessionId)) return;
-
-  try {
-    const record = confirmFirstStore.getState(sessionId);
-    if (!record) return;
-
-    evictOldestIfFull(sessionDirectiveState);
-    sessionDirectiveState.set(sessionId, {
-      active: record.directiveActive,
-      principleId: record.directivePrincipleId ?? undefined,
-    });
-
-    if (record.approvalActive) {
-      evictOldestIfFull(sessionApprovalState);
-      sessionApprovalState.set(sessionId, true);
-    }
-  } catch (storeErr) {
-    console.warn(`[PD:ConfirmFirst] Store hydration failed for session=${sessionId}: ${String(storeErr)}`);
-  }
-}
-
-export function pruneStoreStaleRows(): number {
-  if (!confirmFirstStore) return 0;
-  try {
-    return confirmFirstStore.pruneStaleRows();
-  } catch (storeErr) {
-    console.warn(`[PD:ConfirmFirst] Store pruning failed: ${String(storeErr)}`);
-    return 0;
-  }
-}
-

package/templates/langs/en/skills/plan-script/SKILL.md

@@ -1,32 +0,0 @@
----
-name: plan-script
-description: Create a step-by-step movie-script style execution plan. Includes target files, verification metrics, and rollback strategy.
-disable-model-invocation: true
----
-
-# Plan Script
-
-**Goal**: Produce a "foolproof" executable plan to ensure controlled execution.
-
-Please generate plan in the following structure:
-
-## 1. Target Files (Authorization List)
-- List file paths **uniquely authorized** for modification in this plan.
-- Format: `- path/to/file`
-
-## 2. Steps (Execution Steps)
-1. Operations specific to filenames and tool calls.
-2. Each step includes expected intermediate state.
-
-## 3. Metrics (Verification Metrics)
-- How to quantitatively prove this plan succeeded? (e.g., tests pass, command returns 0, specific string appears in logs).
-
-## 4. Active Mental Models
-- Select exactly **2** meta-cognitive models from `.principles/THINKING_OS.md` that are most relevant to the current task.
-- Format: `- [T-0X] Model Name: Why is it needed for this specific task?`
-
-## 5. Rollback (Rollback Strategy)
-- If step 2 fails, how to one-click restore to safe state?
-
----
-**Action**: Update above content to `PLAN.md` and set `STATUS: READY`.

package/templates/langs/zh/skills/plan-script/SKILL.md

@@ -1,32 +0,0 @@
----
-name: plan-script
-description: Create a step-by-step movie-script style execution plan. Includes target files, verification metrics, and rollback strategy.
-disable-model-invocation: true
----
-
-# Plan Script (计划编排)
-
-**目标**: 产生一份“傻瓜式”可执行计划，确保执行过程受控。
-
-请按以下结构生成计划：
-
-## 1. Target Files (授权清单)
-- 列出本次计划**唯一授权**修改的文件路径。
-- 格式：`- path/to/file`
-
-## 2. Steps (执行步骤)
-1. 具体到文件名和工具调用的操作。
-2. 每个步骤包含预期的中间状态。
-
-## 3. Metrics (验证指标)
-- 如何量化证明本计划成功了？(如：测试通过、命令返回 0、日志出现特定字符串)。
-
-## 4. Active Mental Models (激活的思维模型)
-- 从 `.principles/THINKING_OS.md` 中挑选 **2 个** 最适合当前任务的元认知模型。
-- 格式：`- [T-0X] 模型名称：为什么在这个任务中需要它？`
-
-## 5. Rollback (回滚方案)
-- 如果步骤 2 失败，如何一键恢复到安全状态？
-
----
-**动作**: 请将以上内容更新至 `PLAN.md`，并设置 `STATUS: READY`。

package/templates/workspace/PLAN.md

@@ -1,2 +0,0 @@
-STATUS: DRAFT
-Steps...