`7e3369e`

Enforce post-build verify scope

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 1 week ago

SHA: 7e3369e75f80072dd903282d8853135cce457831
Parents: 5f3c87e
Tree: be55f2f

2 changed files

Status	File	+	-
M	`src/loader/runtime/hooks.py`	6	6
M	`tests/test_permissions.py`	74	3

src/loader/runtime/hooks.pymodified

      async def pre_tool_use(self, context: HookContext) -> HookResult:
          if context.tool_call.name not in _OBSERVATION_TOOLS:
              return HookResult()
 -        if context.source == "verification":
 -            return HookResult()
          completed_scope = self._completed_artifact_scope()
          if completed_scope is not None:
              if all(path_within_allowed_roots(path, completed_scope) for path in observed_paths):
                  self._sync_completed_scope_state(completed_scope)
                  if (
 -                    context.source != "verification"
 -                    and self._completed_scope_observation_count
 +                    self._completed_scope_observation_count
                      >= self._MAX_COMPLETED_SCOPE_OBSERVATIONS
                  ):
                      roots_preview = ", ".join(f"`{root}`" for root in completed_scope[:2])
                  terminal_state="blocked",
+             )
 +        if context.source == "verification":
 +            return HookResult()
++
          late_stage = self._late_stage_missing_artifact()
          if late_stage is None:
              return HookResult()
              return HookResult()
          if context.tool_call.name not in _OBSERVATION_TOOLS:
              return HookResult()
 -        if context.source == "verification":
 -            return HookResult()
          completed_scope = self._completed_artifact_scope()
          if completed_scope is None:
 +            if context.source == "verification":
 +                return HookResult()
              self._reset_completed_scope_state()
              return HookResult()

tests/test_permissions.pymodified

  @pytest.mark.asyncio
 -async def test_late_reference_drift_hook_allows_verification_reference_reads_after_artifacts_exist(
 +async def test_late_reference_drift_hook_blocks_verification_reference_reads_after_artifacts_exist(
      temp_dir: Path,
  ) -> None:
      registry = create_default_registry(temp_dir)
+         )
+     )
 -    assert result.decision == HookDecision.CONTINUE
 -    assert result.message is None
 +    assert result.decision == HookDecision.DENY
 +    assert result.terminal_state == "blocked"
 +    assert result.message is not None
 +    assert "completed artifact set scope" in result.message
  @pytest.mark.asyncio
      assert "post-build audit loop" in blocked.message
 +@pytest.mark.asyncio
 +async def test_late_reference_drift_hook_blocks_excessive_post_build_self_audits_during_verification(
 +    temp_dir: Path,
 +) -> None:
 +    registry = create_default_registry(temp_dir)
 +    policy = build_permission_policy(
 +        active_mode=PermissionMode.WORKSPACE_WRITE,
 +        workspace_root=temp_dir,
 +        tool_requirements=registry.get_tool_requirements(),
 +    )
 +    dod_store = DefinitionOfDoneStore(temp_dir)
 +    dod = create_definition_of_done("Create a multi-file guide from a reference")
 +    dod.status = "in_progress"
 +    plan_path = temp_dir / "implementation.md"
 +    plan_path.write_text(
 +        "\n".join(
 +            [
 +                "# Implementation Plan",
 +                "",
 +                "## File Changes",
 +                f"- `{temp_dir / 'guide' / 'index.html'}`",
 +                f"- `{temp_dir / 'guide' / 'chapters' / '01-getting-started.html'}`",
 +                f"- `{temp_dir / 'guide' / 'chapters' / '02-installation.html'}`",
 +                "",
 +            ]
 +        )
 +    )
 +    dod.implementation_plan = str(plan_path)
 +    guide_dir = temp_dir / "guide" / "chapters"
 +    guide_dir.mkdir(parents=True, exist_ok=True)
 +    target = guide_dir / "02-installation.html"
 +    (temp_dir / "guide" / "index.html").write_text("<h1>Nginx Guide</h1>\n")
 +    (guide_dir / "01-getting-started.html").write_text("<h1>Getting Started</h1>\n")
 +    target.write_text("<h1>Installation</h1>\n")
 +    dod_path = dod_store.save(dod)
 +    session = FakeSession(active_dod_path=str(dod_path), messages=[])
 +    hook = LateReferenceDriftHook(
 +        dod_store=dod_store,
 +        project_root=temp_dir,
 +        session=session,
 +    )
++
 +    def make_context(index: int) -> HookContext:
 +        return HookContext(
 +            tool_call=ToolCall(
 +                id=f"read-verify-{index}",
 +                name="read",
 +                arguments={"file_path": str(target)},
 +            ),
 +            tool=registry.get("read"),
 +            registry=registry,
 +            permission_policy=policy,
 +            source="verification",
 +        )
++
 +    for index in range(1, 5):
 +        context = make_context(index)
 +        result = await hook.pre_tool_use(context)
 +        assert result.decision == HookDecision.CONTINUE
 +        await hook.post_tool_use(context)
++
 +    blocked = await hook.pre_tool_use(make_context(5))
++
 +    assert blocked.decision == HookDecision.DENY
 +    assert blocked.terminal_state == "blocked"
 +    assert blocked.message is not None
 +    assert "post-build audit loop" in blocked.message
++
++
  @pytest.mark.asyncio
  async def test_late_reference_drift_hook_does_not_treat_empty_output_dir_as_complete_artifact_set(
      temp_dir: Path,