Files
wehub-resource-sync 23f7624596
ADR-166 MCP Bridge Security Lock / Static-source security lock (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / Compose default binds loopback + Mongo has auth (push) Failing after 2s
CodeQL Advanced / Analyze (rust) (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / plugin-agent-federation bindHost default (push) Failing after 1s
ADR-166 MCP Bridge Security Lock / Runtime behavior — 401 + terminal gate + fail-closed (push) Failing after 4s
business-pods-smoke / smoke (push) Failing after 1s
all-plugins-smoke / smoke-all (push) Failing after 2s
CI/CD Pipeline / Security & Code Quality (push) Failing after 1s
CI/CD Pipeline / Test Suite (ubuntu-latest) (push) Failing after 1s
CI/CD Pipeline / Build & Package (macos-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (ubuntu-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (windows-latest) (push) Has been skipped
CI/CD Pipeline / Documentation & Examples (push) Failing after 1s
Clone Tracker (14-day rolling) / Snapshot clones for ruflo ecosystem (push) Failing after 1s
CodeQL Advanced / Analyze (actions) (push) Failing after 1s
CodeQL Advanced / Analyze (javascript-typescript) (push) Failing after 1s
federation-peer-rust / stable-noop (push) Failing after 1s
metaharness-ci / score (push) Failing after 1s
metaharness-ci / router-compat (push) Failing after 0s
metaharness-ci / similarity-tests (push) Failing after 0s
no-agentbbs-smoke / smoke-without-agentbbs (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (windows-latest) (push) Has been skipped
codex-integration-audit / Codex integration audit (push) Failing after 1s
helpers-manifest-guard / guard (push) Failing after 1s
🔗 Cross-Agent Integration Tests / 🤝 Agent Coordination Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🧠 Memory Sharing Integration (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🛡️ Fault Tolerance Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / ⚡ Performance Integration Tests (push) Has been skipped
metaharness-ci / mcp-scan (push) Failing after 1s
metaharness-ci / eject-dryrun (push) Failing after 1s
metaharness-ci / metaharness-real-data (push) Failing after 0s
no-cli-optdep-bloat-2561 / guard (push) Failing after 1s
no-metaharness-smoke / smoke-without-metaharness (push) Failing after 1s
no-phantom-agentic-flow-subpath / guard (push) Failing after 1s
🔄 Automated Rollback Manager / 🚨 Failure Detection (push) Failing after 1s
V3 CI/CD Pipeline / Plugin hooks smoke / ubuntu-latest / Node 22 (push) Failing after 1s
V3 CI/CD Pipeline / ruflo-graph-intelligence build + test smoke (#2044, ADR-123) (push) Failing after 1s
CVE Audit Gate / Audit root (critical-blocking) (push) Failing after 2s
cost-tracker-smoke / smoke (push) Failing after 3s
oia-audit-weekly / audit (push) Failing after 2s
ruflo-agent-smoke / ruflo-agent structural smoke (push) Failing after 1s
📊 Status Badges Update / 📊 Update Status Badges (push) Failing after 1s
V3 CI/CD Pipeline / Static regression guards (#2267 YAML + (push) Failing after 1s
V3 CI/CD Pipeline / Test V3 Packages (push) Failing after 0s
V3 CI/CD Pipeline / agent_execute provider routing smoke (#2042) (push) Failing after 0s
CVE Audit Gate / Audit v3 (critical-blocking) (push) Failing after 1s
federation-peer-rust / stable-native (push) Failing after 2s
🔗 Cross-Agent Integration Tests / 🚀 Integration Test Setup (push) Failing after 2s
neural-trader-smoke / runtime-smoke (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (macos-latest) (push) Has been skipped
V3 CI/CD Pipeline / Build V3 (ubuntu-latest) (push) Has been skipped
V3 CI/CD Pipeline / Type Check V3 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 24 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 22 (push) Failing after 2s
V3 CI/CD Pipeline / browser rvf create flag smoke (#2015) (push) Failing after 0s
V3 CI/CD Pipeline / Dependency review (#2046) (push) Has been skipped
V3 CI/CD Pipeline / Supply-chain audit (#2046) (push) Failing after 0s
V3 CI/CD Pipeline / witness marker drift smoke (#2021) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader portfolio CG smoke (#2068, ADR-126 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader backtest signing smoke (#2068, ADR-126 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / kg-extract type-import classification smoke (#2049) (push) Failing after 0s
V3 CI/CD Pipeline / witness verify precondition smoke (#1880) (push) Failing after 2s
V3 CI/CD Pipeline / neural-trader pipeline risk-gate smoke (#2068, ADR-126 Phase 5) (push) Failing after 0s
V3 CI/CD Pipeline / neural-trader feature attribution smoke (#2068, ADR-126 Phase 6) (push) Failing after 0s
V3 CI/CD Pipeline / plugin-registry signature verification smoke (#1922, CWE-347) (push) Failing after 4s
V3 CI/CD Pipeline / memory stats legacy-DB smoke (#2120) (push) Failing after 4s
V3 CI/CD Pipeline / github deprecated actions smoke (#2089, ADR-127 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / graph query + pathfinder smoke (ADR-130 P2+P5) (push) Has been skipped
V3 CI/CD Pipeline / graph trajectory hooks smoke (ADR-130 P3) (push) Has been skipped
V3 CI/CD Pipeline / graph plugin adapter smoke (ADR-130 P4) (push) Has been skipped
V3 CI/CD Pipeline / graph benchmark (ADR-130 P6) (push) Has been skipped
V3 CI/CD Pipeline / statusline generator delegation smoke (#2195) (push) Failing after 1s
V3 CI/CD Pipeline / wizard init regression guard (#2206 (push) Failing after 1s
V3 CI/CD Pipeline / memory no-stray-db smoke (ADR-125 P7) (push) Failing after 1s
V3 CI/CD Pipeline / github-safe injection smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github actions pin smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github attribution opt-in smoke (#2089, ADR-127 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / pre-bash hook safety smoke (#2017) (push) Failing after 1s
V3 CI/CD Pipeline / Memory import smoke / ubuntu-latest (push) Failing after 0s
V3 CI/CD Pipeline / MCP protocol smoke / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / ruvllm WASM auto-init smoke (#2086) (push) Failing after 4s
V3 CI/CD Pipeline / MCP paired-tool round-trip smoke (#1889) (push) Failing after 1s
V3 CI/CD Pipeline / Plugin package install-safety (#1902/#1903/#1904) (push) Failing after 1s
V3 CI/CD Pipeline / Tool description discoverability (ADR-112) (push) Failing after 3s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (22) (push) Failing after 1s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (24) (push) Failing after 1s
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Vector-index dimension audit (#1947) (push) Failing after 0s
V3 CI/CD Pipeline / Hook-command install safety (#1921) (push) Failing after 1s
V3 CI/CD Pipeline / ToolOutputGuardrail smoke (ADR-131, (push) Failing after 1s
V3 CI/CD Pipeline / init-bundle invariants smoke (#2095, ADR-128 Phase 5) (push) Failing after 1s
V3 CI/CD Pipeline / wasm provider bridge smoke (ADR-129 P1) (push) Failing after 2s
V3 CI/CD Pipeline / wasm gallery CRUD smoke (ADR-129 P3) (push) Failing after 1s
V3 CI/CD Pipeline / wasm plugin bridge smoke (ADR-129 P4) (push) Failing after 0s
V3 CI/CD Pipeline / wasm compose smoke (ADR-129 P2) (push) Failing after 4s
V3 CI/CD Pipeline / graph schema smoke (ADR-130 P1) (push) Failing after 0s
Validate Marketplace / validate (push) Failing after 1s
🔍 Verification Pipeline / 🚀 Setup Verification (push) Failing after 1s
🔍 Verification Pipeline / 🛡️ Security Verification (push) Has been skipped
🔍 Verification Pipeline / 📝 Code Quality (push) Has been skipped
🔍 Verification Pipeline / 🧪 Test Verification (${{ matrix.os }}, Node ${{ matrix.node }}) (push) Has been skipped
🔍 Verification Pipeline / 🏗️ Build Verification (push) Has been skipped
🔍 Verification Pipeline / 📚 Documentation Verification (push) Has been skipped
CVE Audit Gate / High-severity report (warn only) (push) Has been cancelled
🔄 Automated Rollback Manager / 🔄 Execute Rollback (push) Has been cancelled
🔄 Automated Rollback Manager / ✅ Post-Rollback Verification (push) Has been cancelled
🔄 Automated Rollback Manager / 📊 Rollback Monitoring (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / windows-latest (push) Has been cancelled
🔄 Automated Rollback Manager / ⏳ Manual Rollback Approval (push) Has been cancelled
V3 CI/CD Pipeline / MCP protocol smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Memory import smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / ubuntu-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Publish to npm (alpha) (push) Has been cancelled
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / macos-latest / Node 22 (push) Has been cancelled
V3 CI/CD Pipeline / Plugin hooks smoke / macos-latest / Node 22 (push) Has been cancelled
CI/CD Pipeline / Deploy & Release (push) Has been cancelled
CI/CD Pipeline / CI Status (push) Has been cancelled
🔗 Cross-Agent Integration Tests / 📊 Integration Test Report (push) Has been cancelled
🔄 Automated Rollback Manager / 🔍 Pre-Rollback Validation (push) Has been cancelled
🔍 Verification Pipeline / ⚡ Performance Verification (push) Has been cancelled
🔍 Verification Pipeline / 📊 Verification Report (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:02:19 +08:00

175 lines
8.2 KiB
JavaScript
Executable File

#!/usr/bin/env node
/**
* Regression guard for ruvnet/ruflo#1883 + #1884.
*
* #1883 — memory_import_claude `allProjects=false` failed under WSL because
* project-hash derivation only POSIX-slash-replaced cwd. We now try
* multiple candidate hashes (POSIX, WSL-translated `/mnt/<d>/` →
* `<D>-...`, leading-dash-stripped, space-replaced) and accept an
* explicit `projectPath` override.
*
* #1884 — keys produced by memory_import_claude included raw frontmatter
* names + section titles, which could contain shell-metacharacters
* in validateMemoryInput's dangerous-pattern set. memory_delete then
* rejected those keys, stranding them. We now sanitize at write-time
* via sanitizeMemoryKey.
*
* This script does three things:
* 1. Static dist scan — assert sanitizeMemoryKey + resolveProjectMemoryDir
* are present in dist and called from the import handler. Catches
* regressions where the helpers exist but stop being called.
* 2. Property check — for every char in DANGEROUS_KEY_CHARS, sanitize and
* assert the result passes validateMemoryInput's regex. Proves the
* write-path → delete-path round-trip can never strand a key again.
* 3. WSL-fixture check — feed a synthetic `/mnt/c/Users/x/Project Name`
* through resolveProjectMemoryDir's candidate generator and assert the
* Claude-Code Windows hash form is among the candidates.
*
* Combined with witness markers (#1883-cli, #1884-cli) — which attest that
* the marker substrings are present in dist — this is the three-way coverage
* (#1874 pattern: dist scan + behavioral + cryptographic) that gates these
* regressions.
*/
import { readFileSync, existsSync } from 'node:fs';
import { resolve } from 'node:path';
import { pathToFileURL } from 'node:url';
const REPO_ROOT = resolve(process.argv[2] ?? process.cwd());
const DIST = resolve(REPO_ROOT, 'v3/@claude-flow/cli/dist/src/mcp-tools/memory-tools.js');
let failed = 0;
const fail = (m) => { console.error(`FAIL: ${m}`); failed++; };
const pass = (m) => console.log(`ok: ${m}`);
if (!existsSync(DIST)) {
fail(`${DIST} not found — run \`npm --prefix v3/@claude-flow/cli run build\` first`);
process.exit(1);
}
const distSrc = readFileSync(DIST, 'utf-8');
// ---------- 1. Static dist scan ----------
const requiredMarkers = [
// #1884 — sanitizer helper present and called from the two storeEntry sites
{ id: '#1884-helper-defined', re: /function sanitizeMemoryKey\s*\(/, hint: 'sanitizeMemoryKey() must be defined in dist' },
{ id: '#1884-call-site-1', re: /sanitizeMemoryKey\(`claude:\$\{memFile\.project\}:\$\{name\}`\)/, hint: 'first storeEntry import-key must go through sanitizeMemoryKey' },
{ id: '#1884-call-site-2', re: /sanitizeMemoryKey\(`claude:\$\{memFile\.project\}:\$\{name\}:\$\{sectionTitle\.slice\(0,\s*50\)\}`\)/, hint: 'second (sectioned) storeEntry import-key must go through sanitizeMemoryKey' },
// #1883 — multi-candidate resolver present, WSL branch present, override plumbed
{ id: '#1883-resolver-defined', re: /function resolveProjectMemoryDir\s*\(/, hint: 'resolveProjectMemoryDir() must be defined in dist' },
{ id: '#1883-wsl-branch', re: /\/\^\\\/mnt\\\/\(\[a-z\]\)\(\\\/\.\*\)\?\$\/i/, hint: 'WSL /mnt/<drive>/ regex must be present in dist' },
{ id: '#1883-override-input', re: /projectPathOverride\s*=\s*input\.projectPath/, hint: 'memory_import_claude must read projectPath from input' },
{ id: '#1883-resolver-call', re: /resolveProjectMemoryDir\(claudeProjectsDir,\s*projectPathOverride\)/, hint: 'import handler must call resolveProjectMemoryDir' },
];
for (const marker of requiredMarkers) {
if (marker.re.test(distSrc)) pass(`${marker.id} — dist contains required code`);
else fail(`${marker.id}${marker.hint}`);
}
// Negative-attestation: the legacy single-line POSIX hash logic should be gone.
// `cwd.replace(/\//g, '-')` was the entire normalization before #1883.
const legacy = /const projectHash = cwd\.replace\(\/\\\/\/g,\s*['"]-['"]\);/;
if (legacy.test(distSrc)) {
fail('#1883-regression — legacy single-line POSIX-only hash logic is back; resolveProjectMemoryDir was removed or bypassed');
} else {
pass('#1883-no-regression — legacy POSIX-only normalization no longer present in dist');
}
// ---------- 2. Property check: sanitizer round-trips through validator ----------
//
// Use the same regex literal as the dist — DANGEROUS_KEY_CHARS / _PATTERN
// share their pattern, so the property test can use one source of truth that
// matches what shipped (the static-scan section above asserts the dist still
// declares them).
const dangerousChars = /[;&|`$(){}[\]<>!#\\\0]|\.\.[/\\]/g;
const dangerousPattern = /[;&|`$(){}[\]<>!#\\\0]|\.\.[/\\]/;
// Confirm the dist literal we're mirroring is byte-identical to what we declare here.
const distRegexLine = '/[;&|`$(){}[\\]<>!#\\\\\\0]|\\.\\.[/\\\\]/';
if (!distSrc.includes('const DANGEROUS_KEY_CHARS = /[;&|`$(){}[\\]<>!#\\\\\\0]|\\.\\.[/\\\\]/g;')) {
fail('#1884-regex-mirror — DANGEROUS_KEY_CHARS literal in dist no longer matches the test mirror; update both together');
} else {
pass('#1884-regex-mirror — DANGEROUS_KEY_CHARS literal in dist matches test mirror');
}
// Mimic sanitizeMemoryKey
const sanitize = (k) => k.replace(dangerousChars, '_').slice(0, 1024);
// Property: every char in the dangerous set, embedded in a realistic import
// key, must produce a sanitized key that passes the delete-path validator.
const dangerousSamples = [
';', '&', '|', '`', '$', '(', ')', '{', '}', '[', ']',
'<', '>', '!', '#', '\\', '\0', '../', '..\\',
];
// Realistic markdown-section-shaped strings
const realistic = [
'Foo (bar)!',
'Section #1',
'A & B',
'${malicious}',
'`shell`',
'../etc/passwd',
'name<tag>value',
'list[0]',
];
let propFail = 0;
for (const sample of [...dangerousSamples, ...realistic]) {
const importKey = `claude:project:name:${sample}`;
const sanitized = sanitize(importKey);
if (dangerousPattern.test(sanitized)) {
console.error(` property fail: sanitize(${JSON.stringify(importKey)}) = ${JSON.stringify(sanitized)} still matches DANGEROUS_KEY_PATTERN`);
propFail++;
}
}
if (propFail === 0) pass(`#1884-property — sanitizer output passes validator for ${dangerousSamples.length + realistic.length} adversarial inputs`);
else fail(`#1884-property — ${propFail} sanitized key(s) still rejected by validator`);
// ---------- 3. WSL fixture check ----------
//
// Replicate the candidate-generation loop with a synthetic WSL cwd and
// assert the Claude-Code Windows hash form is among the candidates.
function deriveCandidates(source) {
const candidates = new Set();
candidates.add(source.replace(/\//g, '-'));
const wsl = source.match(/^\/mnt\/([a-z])(\/.*)?$/i);
if (wsl) {
const drive = wsl[1].toUpperCase();
const rest = (wsl[2] ?? '').replace(/\//g, '-').replace(/ /g, '-');
candidates.add(`${drive}-${rest}`);
}
candidates.add(source.replace(/\//g, '-').replace(/^-+/, ''));
candidates.add(source.replace(/\//g, '-').replace(/ /g, '-'));
return candidates;
}
const wslCwd = '/mnt/c/Users/tobia/OneDrive/Desktop/Claude Stuff';
const candidates = deriveCandidates(wslCwd);
const expectedWindowsHash = 'C--Users-tobia-OneDrive-Desktop-Claude-Stuff';
if (candidates.has(expectedWindowsHash)) {
pass(`#1883-wsl-fixture — candidate set includes Claude-Code Windows hash for ${wslCwd}`);
} else {
fail(`#1883-wsl-fixture — expected ${expectedWindowsHash} in candidate set, got: ${[...candidates].join(' | ')}`);
}
// macOS/Linux POSIX cwd should still produce the legacy hash in candidate set
// so existing-deployment compatibility holds.
const posixCwd = '/Users/alice/projects/ruflo';
const posixCandidates = deriveCandidates(posixCwd);
if (posixCandidates.has('-Users-alice-projects-ruflo')) {
pass(`#1883-posix-compat — legacy POSIX hash still in candidate set for ${posixCwd}`);
} else {
fail(`#1883-posix-compat — legacy POSIX hash missing from candidate set; would break existing macOS/Linux installs`);
}
// ---------- Summary ----------
if (failed > 0) {
console.error(`\n${failed} regression check(s) failed for #1883/#1884`);
process.exit(1);
}
console.log('\nall #1883/#1884 regression guards green');