principles-disciple 1.8.0 → 1.8.2

package/tests/fixtures/production-compatibility.test.ts

@@ -0,0 +1,147 @@
+/**
+ * Production Compatibility Tests
+ * 
+ * These tests validate that new code works correctly with production data patterns.
+ * Run with: npm test -- tests/fixtures/production-compatibility.test.ts
+ * 
+ * NOTE: These tests require access to ~/.openclaw directory (production data)
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+import { describe, expect, it, beforeAll } from 'vitest';
+import {
+  loadProductionPainFlag,
+  loadProductionEvolutionQueue,
+  loadProductionPainCandidates,
+  generateTestFixtureFromProduction,
+  validateProductionCompatibility,
+  createMockQueueItem,
+  createMockPainFlag,
+  PRODUCTION_FIXTURES,
+} from './production-mock-generator.js';
+
+// Skip tests if production data not available
+const hasProductionData = fs.existsSync(PRODUCTION_FIXTURES.STATE_DIR);
+
+describe.skipIf(!hasProductionData)('Production Data Compatibility', () => {
+  describe('Data Loading', () => {
+    it('should load production pain_flag', () => {
+      const painFlag = loadProductionPainFlag();
+      // May be null if no active pain
+      if (painFlag) {
+        expect(painFlag).toHaveProperty('score');
+        expect(painFlag).toHaveProperty('source');
+        expect(painFlag).toHaveProperty('reason');
+      }
+    });
+
+    it('should load production evolution_queue', () => {
+      const queue = loadProductionEvolutionQueue();
+      expect(Array.isArray(queue)).toBe(true);
+      
+      if (queue.length > 0) {
+        const item = queue[0];
+        expect(item).toHaveProperty('id');
+        expect(item).toHaveProperty('score');
+        expect(item).toHaveProperty('status');
+        expect(['pending', 'in_progress', 'completed', 'resolved']).toContain(item.status);
+      }
+    });
+
+    it('should load production pain_candidates', () => {
+      const candidates = loadProductionPainCandidates();
+      expect(typeof candidates).toBe('object');
+    });
+  });
+
+  describe('New Field Compatibility', () => {
+    it('should detect missing session_id in pain_flag (expected: fails until production updated)', () => {
+      const result = validateProductionCompatibility();
+      
+      // This test documents the current state - not a failure
+      console.log('Compatibility issues:', result.issues);
+      console.log('Production data:', result.productionData);
+      
+      // New fields are expected to be missing in production
+      if (!result.compatible) {
+        console.log('⚠️  Production data does not have new fields (session_id, agent_id)');
+        console.log('   This is expected after code changes. Production will be updated on next pain event.');
+      }
+    });
+
+    it('should handle queue items without session_id gracefully', () => {
+      const queue = loadProductionEvolutionQueue();
+      
+      for (const item of queue.slice(0, 5)) {
+        // Code should handle missing session_id/agent_id
+        expect(() => {
+          const normalized = {
+            ...item,
+            session_id: item.session_id || undefined,
+            agent_id: item.agent_id || undefined,
+          };
+          return normalized;
+        }).not.toThrow();
+      }
+    });
+  });
+
+  describe('Pattern Extraction', () => {
+    it('should extract patterns from production data', () => {
+      const fixture = generateTestFixtureFromProduction();
+      
+      expect(fixture.patterns).toBeDefined();
+      expect(fixture.patterns.painSources.length).toBeGreaterThanOrEqual(0);
+      
+      console.log('Pain sources:', fixture.patterns.painSources);
+      console.log('Score distribution:', fixture.patterns.scoreDistribution);
+      console.log('Status distribution:', fixture.patterns.statusDistribution);
+    });
+  });
+
+  describe('Mock Generation', () => {
+    it('should create realistic mock queue items', () => {
+      const item = createMockQueueItem({
+        session_id: 'test-session-123',
+        agent_id: 'main',
+      });
+
+      expect(item.session_id).toBe('test-session-123');
+      expect(item.agent_id).toBe('main');
+      expect(item.id).toBeDefined();
+      expect(item.timestamp).toBeDefined();
+    });
+
+    it('should create realistic mock pain flags', () => {
+      const flag = createMockPainFlag({
+        session_id: 'test-session-456',
+        agent_id: 'builder',
+      });
+
+      expect(flag.session_id).toBe('test-session-456');
+      expect(flag.agent_id).toBe('builder');
+      expect(flag.time).toBeDefined();
+    });
+  });
+});
+
+describe('Edge Cases from Production', () => {
+  it('should handle empty evolution queue', () => {
+    const item = createMockQueueItem(); // Uses fallback template
+    expect(item).toBeDefined();
+    expect(item.id).toBeDefined();
+  });
+
+  it('should handle very long reason strings', () => {
+    const longReason = 'A'.repeat(10000);
+    const item = createMockQueueItem({ reason: longReason });
+    expect(item.reason).toBe(longReason);
+  });
+
+  it('should handle special characters in reason', () => {
+    const specialReason = 'Error: "quotes" and \n newlines \t tabs';
+    const item = createMockQueueItem({ reason: specialReason });
+    expect(item.reason).toBe(specialReason);
+  });
+});

package/tests/fixtures/production-mock-generator.ts

@@ -0,0 +1,282 @@
+/**
+ * Production Mock Data Generator
+ * 
+ * Extracts patterns from production data to create realistic test fixtures.
+ * This ensures tests match real-world scenarios and catches edge cases.
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+
+// Production data paths
+const OPENCLAW_HOME = process.env.HOME + '/.openclaw';
+const WORKSPACE_MAIN = OPENCLAW_HOME + '/workspace-main';
+const STATE_DIR = WORKSPACE_MAIN + '/.state';
+
+// Types extracted from production
+export interface ProductionPainFlag {
+  is_risky: string;
+  reason: string;
+  score: string;
+  source: string;
+  time: string;
+  status?: string;
+  task_id?: string;
+  session_id?: string;  // New field
+  agent_id?: string;    // New field
+  trace_id?: string;    // From recent changes
+}
+
+export interface ProductionEvolutionQueueItem {
+  id: string;
+  score: number;
+  source: string;
+  reason: string;
+  trigger_text_preview: string;
+  timestamp: string;
+  enqueued_at: string;
+  status: 'pending' | 'in_progress' | 'completed' | 'resolved';
+  task?: string;
+  started_at?: string;
+  completed_at?: string;
+  resolved_at?: string;
+  assigned_session_key?: string;
+  resolution?: string;
+  session_id?: string;  // New field
+  agent_id?: string;    // New field
+}
+
+export interface ProductionPainCandidate {
+  count: number;
+  status?: string;
+  firstSeen: string;
+  lastSeen?: string;
+  samples: string[];
+}
+
+/**
+ * Load real pain_flag from production
+ */
+export function loadProductionPainFlag(): ProductionPainFlag | null {
+  const painFlagPath = path.join(STATE_DIR, '.pain_flag');
+  if (!fs.existsSync(painFlagPath)) return null;
+
+  const content = fs.readFileSync(painFlagPath, 'utf8');
+  const result: ProductionPainFlag = {} as ProductionPainFlag;
+
+  for (const line of content.split('\n')) {
+    const match = line.match(/^(\w+):\s*(.+)$/);
+    if (match) {
+      (result as any)[match[1]] = match[2];
+    }
+  }
+
+  return result;
+}
+
+/**
+ * Load real evolution queue from production
+ */
+export function loadProductionEvolutionQueue(): ProductionEvolutionQueueItem[] {
+  const queuePath = path.join(STATE_DIR, 'evolution_queue.json');
+  if (!fs.existsSync(queuePath)) return [];
+
+  try {
+    return JSON.parse(fs.readFileSync(queuePath, 'utf8'));
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Load real pain candidates from production
+ */
+export function loadProductionPainCandidates(): Record<string, ProductionPainCandidate> {
+  const candidatesPath = path.join(STATE_DIR, 'pain_candidates.json');
+  if (!fs.existsSync(candidatesPath)) return {};
+
+  try {
+    const data = JSON.parse(fs.readFileSync(candidatesPath, 'utf8'));
+    return data.candidates || {};
+  } catch {
+    return {};
+  }
+}
+
+/**
+ * Sample a JSONL session file for message patterns
+ */
+export function sampleSessionMessages(
+  sessionId: string,
+  agentId: string = 'main',
+  limit: number = 10
+): Array<{ role: string; content: string; timestamp: number }> {
+  const sessionPath = path.join(OPENCLAW_HOME, 'agents', agentId, 'sessions', `${sessionId}.jsonl`);
+  if (!fs.existsSync(sessionPath)) return [];
+
+  const messages: Array<{ role: string; content: string; timestamp: number }> = [];
+
+  try {
+    const lines = fs.readFileSync(sessionPath, 'utf8').split('\n').filter(Boolean);
+    for (const line of lines.slice(0, limit * 3)) { // Read more lines to get enough messages
+      try {
+        const entry = JSON.parse(line);
+        if (entry.type === 'message' && entry.message) {
+          const msg = entry.message;
+          let content = '';
+          if (typeof msg.content === 'string') {
+            content = msg.content;
+          } else if (Array.isArray(msg.content)) {
+            content = msg.content
+              .filter((c: any) => c.type === 'text')
+              .map((c: any) => c.text)
+              .join('\n');
+          }
+
+          // Truncate to reasonable size
+          if (content.length > 500) {
+            content = content.slice(0, 500) + '...';
+          }
+
+          messages.push({
+            role: msg.role,
+            content,
+            timestamp: entry.timestamp || Date.now(),
+          });
+
+          if (messages.length >= limit) break;
+        }
+      } catch {
+        // Skip malformed lines
+      }
+    }
+  } catch {
+    return [];
+  }
+
+  return messages;
+}
+
+/**
+ * Generate realistic test fixtures from production patterns
+ */
+export function generateTestFixtureFromProduction() {
+  const painFlag = loadProductionPainFlag();
+  const queue = loadProductionEvolutionQueue();
+  const candidates = loadProductionPainCandidates();
+
+  // Extract patterns
+  const patterns = {
+    // Pain sources seen in production
+    painSources: [...new Set(queue.map(q => q.source))],
+    
+    // Common error patterns
+    errorPatterns: queue.map(q => ({
+      type: q.source,
+      reasonPreview: q.reason.slice(0, 100),
+    })),
+    
+    // Score distribution
+    scoreDistribution: queue.reduce((acc, q) => {
+      acc[q.score] = (acc[q.score] || 0) + 1;
+      return acc;
+    }, {} as Record<number, number>),
+    
+    // Status distribution
+    statusDistribution: queue.reduce((acc, q) => {
+      acc[q.status] = (acc[q.status] || 0) + 1;
+      return acc;
+    }, {} as Record<string, number>),
+  };
+
+  return {
+    painFlag,
+    queue,
+    candidates,
+    patterns,
+  };
+}
+
+/**
+ * Create a mock evolution queue item based on production patterns
+ */
+export function createMockQueueItem(overrides: Partial<ProductionEvolutionQueueItem> = {}): ProductionEvolutionQueueItem {
+  const queue = loadProductionEvolutionQueue();
+  const template = queue[0] || {
+    id: 'test-001',
+    score: 50,
+    source: 'tool_failure',
+    reason: 'Tool write failed on test.md. Error: Test error.',
+    trigger_text_preview: '',
+    timestamp: new Date().toISOString(),
+    enqueued_at: new Date().toISOString(),
+    status: 'pending',
+  };
+
+  return {
+    ...template,
+    ...overrides,
+    id: overrides.id || `test-${Date.now().toString(36)}`,
+    timestamp: overrides.timestamp || new Date().toISOString(),
+    enqueued_at: overrides.enqueued_at || new Date().toISOString(),
+  };
+}
+
+/**
+ * Create a mock pain flag based on production patterns
+ */
+export function createMockPainFlag(overrides: Partial<ProductionPainFlag> = {}): ProductionPainFlag {
+  const realFlag = loadProductionPainFlag();
+  const template = realFlag || {
+    is_risky: 'false',
+    reason: 'Test pain signal',
+    score: '50',
+    source: 'tool_failure',
+    time: new Date().toISOString(),
+  };
+
+  return {
+    ...template,
+    ...overrides,
+    time: overrides.time || new Date().toISOString(),
+  };
+}
+
+/**
+ * Validate that new code handles production data correctly
+ */
+export function validateProductionCompatibility() {
+  const issues: string[] = [];
+
+  // Check if pain_flag has session_id/agent_id (new fields)
+  const painFlag = loadProductionPainFlag();
+  if (painFlag && !painFlag.session_id) {
+    issues.push('pain_flag missing session_id (new field not yet in production)');
+  }
+  if (painFlag && !painFlag.agent_id) {
+    issues.push('pain_flag missing agent_id (new field not yet in production)');
+  }
+
+  // Check if queue items have session_id/agent_id
+  const queue = loadProductionEvolutionQueue();
+  const missingSessionId = queue.filter(q => !q.session_id);
+  if (missingSessionId.length > 0) {
+    issues.push(`evolution_queue: ${missingSessionId.length}/${queue.length} items missing session_id`);
+  }
+
+  return {
+    compatible: issues.length === 0,
+    issues,
+    productionData: {
+      painFlag,
+      queueCount: queue.length,
+    },
+  };
+}
+
+// Export for use in tests
+export const PRODUCTION_FIXTURES = {
+  OPENCLAW_HOME,
+  WORKSPACE_MAIN,
+  STATE_DIR,
+};

package/tests/hooks/bash-risk-integration.test.ts

@@ -0,0 +1,137 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { analyzeBashCommand } from '../../src/hooks/bash-risk.js';
+
+/**
+ * Integration tests for bash-risk module
+ * Tests zero-width character detection and command chain analysis
+ */
+describe('Bash Risk Analysis - Integration', () => {
+  describe('Zero-width character detection', () => {
+    it('should block commands with zero-width space (U+200B)', () => {
+      // Zero-width space injected between characters
+      const maliciousCmd = 'rm\u200B -rf /';
+      const result = analyzeBashCommand(maliciousCmd, [], [], { warn: vi.fn() });
+      expect(result).toBe('dangerous');
+    });
+
+    it('should block commands with zero-width non-joiner (U+200C)', () => {
+      const maliciousCmd = 'rm\u200C -rf /';
+      const result = analyzeBashCommand(maliciousCmd, [], [], { warn: vi.fn() });
+      expect(result).toBe('dangerous');
+    });
+
+    it('should block commands with zero-width joiner (U+200D)', () => {
+      const maliciousCmd = 'rm\u200D -rf /';
+      const result = analyzeBashCommand(maliciousCmd, [], [], { warn: vi.fn() });
+      expect(result).toBe('dangerous');
+    });
+
+    it('should block commands with word joiner (U+2060)', () => {
+      const maliciousCmd = 'rm\u2060 -rf /';
+      const result = analyzeBashCommand(maliciousCmd, [], [], { warn: vi.fn() });
+      expect(result).toBe('dangerous');
+    });
+
+    it('should block commands with zero-width invisible separator (U+FEFF)', () => {
+      const maliciousCmd = 'rm\uFEFF -rf /';
+      const result = analyzeBashCommand(maliciousCmd, [], [], { warn: vi.fn() });
+      expect(result).toBe('dangerous');
+    });
+
+    it('should block commands with multiple zero-width characters', () => {
+      const maliciousCmd = 'rm\u200B\u200C\u200D -rf /';
+      const result = analyzeBashCommand(maliciousCmd, [], [], { warn: vi.fn() });
+      expect(result).toBe('dangerous');
+    });
+
+    it('should allow normal commands without zero-width characters', () => {
+      const normalCmd = 'rm -rf /tmp/test';
+      const result = analyzeBashCommand(normalCmd, ['^rm\\s'], [], { warn: vi.fn() });
+      expect(result).toBe('safe');
+    });
+
+    it('should detect zero-width characters hidden in normal-looking commands', () => {
+      // Command looks like 'git status' but contains hidden chars
+      const hiddenCmd = 'git\u200B status';
+      const result = analyzeBashCommand(hiddenCmd, [], [], { warn: vi.fn() });
+      expect(result).toBe('dangerous');
+    });
+  });
+
+  describe('Cyrillic homograph attack detection', () => {
+    it('should de-obfuscate Cyrillic characters and match dangerous patterns', () => {
+      // Cyrillic 'р' (U+0440) looks like Latin 'p' - 'g\u0440ush' → 'gpush' then 'push'
+      // After toLowerCase + deobfuscation: 'gpush' won't match dangerous, but 'push' alone might
+      // Actually: '\u0440' maps to 'p' so 'g\u0440ush' → 'gp' + 'ush' = 'gpush' 
+      // Let's use Cyrillic 'е' which maps to 'e': '\u0435' → 'e'
+      const cyrillicCmd = 'r\u0435m -rf /tmp';
+      const result = analyzeBashCommand(cyrillicCmd, [], ['^rem'], { warn: vi.fn() });
+      expect(result).toBe('dangerous');
+    });
+
+    it('should handle Cyrillic а being converted to Latin a', () => {
+      // Cyrillic 'а' (U+0430) maps to Latin 'a' - 's\u0430do' → 'sado'
+      // After de-obfuscation: 'sado' - doesn't match dangerous patterns
+      const mixedCmd = 's\u0430do apt update';
+      const result = analyzeBashCommand(mixedCmd, [], ['^sudo'], { warn: vi.fn() });
+      expect(result).toBe('normal');
+    });
+  });
+
+  describe('Command chain tokenization', () => {
+    it('should detect dangerous commands in chains using &&', () => {
+      const chainCmd = 'echo "hello" && rm -rf /tmp/test';
+      const result = analyzeBashCommand(chainCmd, [], ['rm\\s+-rf'], { warn: vi.fn() });
+      expect(result).toBe('dangerous');
+    });
+
+    it('should detect dangerous commands in chains using ||', () => {
+      const chainCmd = 'ls || rm -rf /tmp/test';
+      const result = analyzeBashCommand(chainCmd, [], ['rm\\s+-rf'], { warn: vi.fn() });
+      expect(result).toBe('dangerous');
+    });
+
+    it('should detect dangerous commands in chains using ;', () => {
+      const chainCmd = 'ls ; rm -rf /tmp/test';
+      const result = analyzeBashCommand(chainCmd, [], ['rm\\s+-rf'], { warn: vi.fn() });
+      expect(result).toBe('dangerous');
+    });
+
+    it('should return safe if no segment matches dangerous patterns', () => {
+      const safeChain = 'echo "hello" && echo "world"';
+      const result = analyzeBashCommand(safeChain, [], ['rm\\s+-rf'], { warn: vi.fn() });
+      expect(result).toBe('normal');
+    });
+  });
+
+  describe('Fail-closed behavior', () => {
+    it('should return dangerous for invalid regex in dangerousPatterns', () => {
+      const cmd = 'ls';
+      const result = analyzeBashCommand(cmd, [], ['[invalid'], { warn: vi.fn() });
+      expect(result).toBe('dangerous'); // Fail-closed
+    });
+
+    it('should ignore invalid regex in safePatterns', () => {
+      const cmd = 'echo hello';
+      const warnFn = vi.fn();
+      const result = analyzeBashCommand(cmd, ['[invalid'], [], { warn: warnFn });
+      // Should not crash, should return normal (not all segments safe)
+      expect(result).toBe('normal');
+      expect(warnFn).toHaveBeenCalled();
+    });
+  });
+
+  describe('Safe pattern override', () => {
+    it('should return safe when all segments match safe patterns', () => {
+      const safeCmd = 'git status';
+      const result = analyzeBashCommand(safeCmd, ['^git\\s+status', '^ls'], []);
+      expect(result).toBe('safe');
+    });
+
+    it('should return normal when not all segments are safe', () => {
+      const mixedCmd = 'git status && rm -rf /tmp';
+      const result = analyzeBashCommand(mixedCmd, ['^git\\s+status'], ['rm\\s+-rf']);
+      expect(result).toBe('dangerous');
+    });
+  });
+});

package/tests/hooks/bash-risk.test.ts

@@ -0,0 +1,81 @@
+import { describe, it, expect, vi } from 'vitest';
+import { analyzeBashCommand } from '../../src/hooks/bash-risk.js';
+
+describe('analyzeBashCommand', () => {
+  it('should return safe for commands matching safe patterns', () => {
+    const result = analyzeBashCommand('npm install lodash', ['^npm\\s+install'], []);
+    expect(result).toBe('safe');
+  });
+
+  it('should return dangerous for commands matching dangerous patterns', () => {
+    const result = analyzeBashCommand('rm -rf /', [], ['rm\\s+.*-rf']);
+    expect(result).toBe('dangerous');
+  });
+
+  it('should return normal for commands not in safe/dangerous lists', () => {
+    const result = analyzeBashCommand('npm install lodash', [], []);
+    expect(result).toBe('normal');
+  });
+
+  it('should de-obfuscate Cyrillic lookalikes', () => {
+    // Using Cyrillic 'rеset' (with Cyrillic 'е' U+0435) instead of 'reset'
+    // This should de-obfuscate to 'git reset --hard' and match the dangerous pattern
+    const result = analyzeBashCommand('git rеset --hard', [], ['git\\s+(push\\s+.*--force|reset\\s+--hard|clean\\s+-fd)']);
+    expect(result).toBe('dangerous');
+  });
+
+  it('should tokenize command chains', () => {
+    const result = analyzeBashCommand('npm install && npm test', ['^npm\\s+install'], ['npm\\s+publish']);
+    expect(result).toBe('normal');
+  });
+
+  it('should fail-closed on invalid dangerous regex', () => {
+    const mockLogger = { warn: vi.fn() };
+    const result = analyzeBashCommand('echo test', ['^echo'], ['invalid('], mockLogger);
+    expect(result).toBe('dangerous'); // Fail-closed behavior
+    expect(mockLogger.warn).toHaveBeenCalledWith(
+      expect.stringContaining('Invalid dangerous bash regex')
+    );
+  });
+
+  it('should ignore safe pattern on invalid safe regex', () => {
+    const mockLogger = { warn: vi.fn() };
+    const result = analyzeBashCommand('echo test', ['invalid('], [], mockLogger);
+    expect(result).toBe('normal'); // Not safe because safe pattern is invalid and ignored
+    expect(mockLogger.warn).toHaveBeenCalledWith(
+      expect.stringContaining('Invalid safe bash regex')
+    );
+  });
+
+  it('should strip $() from commands before pattern matching', () => {
+    const result = analyzeBashCommand('$(npm install)', ['^npm\\s+install'], []);
+    expect(result).toBe('safe');
+  });
+
+  it('should strip backticks from commands before pattern matching', () => {
+    const result = analyzeBashCommand('`npm install`', ['^npm\\s+install'], []);
+    expect(result).toBe('safe');
+  });
+
+  it('should handle command chains with semicolon separator', () => {
+    const result = analyzeBashCommand('npm install ; npm test', ['^npm\\s+install'], ['rm\\s+']);
+    expect(result).toBe('normal'); // Second command not safe
+  });
+
+  it('should handle command chains with OR separator', () => {
+    const result = analyzeBashCommand('npm install || npm test', ['^npm\\s+install'], ['rm\\s+']);
+    expect(result).toBe('normal');
+  });
+
+  it('should convert uppercase Cyrillic to lowercase Latin', () => {
+    // Using uppercase Cyrillic 'Е' (U+0415) which should convert to 'e'
+    // 'git REsET --hard' should become 'git reset --hard' and match the dangerous pattern
+    const result = analyzeBashCommand('git rEsET --hard', [], ['git\\s+(push\\s+.*--force|reset\\s+--hard|clean\\s+-fd)']);
+    expect(result).toBe('dangerous');
+  });
+
+  it('should handle additional confusable Unicode characters', () => {
+    const result = analyzeBashCommand('del node_modules', [], ['rm\\s+']);
+    expect(result).toBe('normal'); // 'del' is not in dangerous patterns
+  });
+});