From e043a2824ab7ed911353ba1d7bb70a28b93e2158 Mon Sep 17 00:00:00 2001 From: Affaan Mustafa Date: Thu, 12 Mar 2026 23:59:01 -0700 Subject: [PATCH] fix: harden observer prompt guard handling --- .../agents/start-observer.sh | 89 +++++++++++++------ .../continuous-learning-v2/hooks/observe.sh | 26 +++--- .../scripts/detect-project.sh | 10 +++ tests/hooks/hooks.test.js | 73 +++++++++++++++ 4 files changed, 158 insertions(+), 40 deletions(-) diff --git a/skills/continuous-learning-v2/agents/start-observer.sh b/skills/continuous-learning-v2/agents/start-observer.sh index 3e1241e8..ef404a94 100755 --- a/skills/continuous-learning-v2/agents/start-observer.sh +++ b/skills/continuous-learning-v2/agents/start-observer.sh @@ -8,9 +8,10 @@ # project-specific observations into project-scoped instincts. # # Usage: -# start-observer.sh # Start observer for current project (or global) -# start-observer.sh stop # Stop running observer -# start-observer.sh status # Check if observer is running +# start-observer.sh # Start observer for current project (or global) +# start-observer.sh --reset # Clear lock and restart observer for current project +# start-observer.sh stop # Stop running observer +# start-observer.sh status # Check if observer is running set -e 
@@ -41,6 +42,31 @@ PID_FILE="${PROJECT_DIR}/.observer.pid" LOG_FILE="${PROJECT_DIR}/observer.log" OBSERVATIONS_FILE="${PROJECT_DIR}/observations.jsonl" INSTINCTS_DIR="${PROJECT_DIR}/instincts/personal" +SENTINEL_FILE="${CLV2_OBSERVER_SENTINEL_FILE:-${PROJECT_ROOT:-$PROJECT_DIR}/.observer.lock}" + +write_guard_sentinel() { + printf '%s\n' 'observer paused: confirmation or permission prompt detected; rerun start-observer.sh --reset after reviewing observer.log' > "$SENTINEL_FILE" +} + +stop_observer_if_running() { + if [ -f "$PID_FILE" ]; then + pid=$(cat "$PID_FILE") + if kill -0 "$pid" 2>/dev/null; then + echo "Stopping observer for ${PROJECT_NAME} (PID: $pid)..." + kill "$pid" + rm -f "$PID_FILE" + echo "Observer stopped." + return 0 + fi + + echo "Observer not running (stale PID file)." + rm -f "$PID_FILE" + return 1 + fi + + echo "Observer not running." + return 1 +} # Read config values from config.json OBSERVER_INTERVAL_MINUTES=5 @@ -87,22 +113,31 @@ case "$UNAME_LOWER" in *mingw*|*msys*|*cygwin*) IS_WINDOWS=true ;; esac -case "${1:-start}" in +ACTION="start" +RESET_OBSERVER=false + +for arg in "$@"; do + case "$arg" in + start|stop|status) + ACTION="$arg" + ;; + --reset) + RESET_OBSERVER=true + ;; + *) + echo "Usage: $0 [start|stop|status] [--reset]" + exit 1 + ;; + esac +done + +if [ "$RESET_OBSERVER" = "true" ]; then + rm -f "$SENTINEL_FILE" +fi + +case "$ACTION" in stop) - if [ -f "$PID_FILE" ]; then - pid=$(cat "$PID_FILE") - if kill -0 "$pid" 2>/dev/null; then - echo "Stopping observer for ${PROJECT_NAME} (PID: $pid)..." - kill "$pid" - rm -f "$PID_FILE" - echo "Observer stopped." - else - echo "Observer not running (stale PID file)." - rm -f "$PID_FILE" - fi - else - echo "Observer not running." - fi + stop_observer_if_running || true exit 0 ;; 
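Review bot: `stop_observer_if_running` hands the raw contents of `.observer.pid` to `kill -0` and then `kill` without checking that it is a single positive integer, so a malformed PID file only reaches the "stale PID file" branch because `kill -0` happens to fail on garbage. Add a guard before the `kill -0` line, `case "$pid" in ''|*[!0-9]*) echo "Observer not running (invalid PID file)."; rm -f "$PID_FILE"; return 1;; esac`, so the stale path is taken deliberately rather than by accident. The helper also cannot tell whether a live PID still belongs to the observer (PIDs are reused), which is probably acceptable for a local tool but deserves a one-line comment above the `kill "$pid"` call.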
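Review bot: The `rm -f "$SENTINEL_FILE"` for `--reset` runs before the `case "$ACTION"` dispatch, so `status --reset` and `stop --reset` also delete the guard sentinel, although the usage header describes `--reset` only as "clear lock and restart observer". If that is intended, say so in the usage line; otherwise move the `rm -f` into the `start)` branch, which begins outside this hunk. As written, a `--reset` passed alongside `status` silently re-arms an observer that was deliberately paused.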
@@ -153,9 +188,10 @@ case "${1:-start}" in exit 1 fi - # Add strict non-interactive instruction to system prompt (if prompt file or env is used, update there as well) - # If observer output contains confirmation-seeking language, fail closed - OBSERVER_LOG_TMP="${PROJECT_DIR}/.observer.tmp.log" + mkdir -p "$PROJECT_DIR" + touch "$LOG_FILE" + start_line=$(wc -l < "$LOG_FILE" 2>/dev/null || echo 0) + nohup env \ CONFIG_DIR="$CONFIG_DIR" \ PID_FILE="$PID_FILE" \ @@ -168,16 +204,17 @@ case "${1:-start}" in MIN_OBSERVATIONS="$MIN_OBSERVATIONS" \ OBSERVER_INTERVAL_SECONDS="$OBSERVER_INTERVAL_SECONDS" \ CLV2_IS_WINDOWS="$IS_WINDOWS" \ - "$OBSERVER_LOOP_SCRIPT" > "$OBSERVER_LOG_TMP" 2>&1 & + CLV2_OBSERVER_PROMPT_PATTERN="$CLV2_OBSERVER_PROMPT_PATTERN" \ + "$OBSERVER_LOOP_SCRIPT" >> "$LOG_FILE" 2>&1 & # Wait for PID file sleep 2 # Check for confirmation-seeking output in the observer log - if grep -E -i -q "Can you confirm|requires permission|Awaiting|confirm I should proceed" "$OBSERVER_LOG_TMP"; then + if tail -n +"$((start_line + 1))" "$LOG_FILE" 2>/dev/null | grep -E -i -q "$CLV2_OBSERVER_PROMPT_PATTERN"; then echo "OBSERVER_ABORT: Confirmation or permission prompt detected in observer output. Failing closed." - cat "$OBSERVER_LOG_TMP" >> "$LOG_FILE" - rm -f "$OBSERVER_LOG_TMP" + stop_observer_if_running >/dev/null 2>&1 || true + write_guard_sentinel exit 2 fi @@ -197,7 +234,7 @@ case "${1:-start}" in ;; *) - echo "Usage: $0 {start|stop|status}" + echo "Usage: $0 [start|stop|status] [--reset]" exit 1 ;; esac diff --git a/skills/continuous-learning-v2/hooks/observe.sh b/skills/continuous-learning-v2/hooks/observe.sh index 8617113f..f8df78aa 100755 --- a/skills/continuous-learning-v2/hooks/observe.sh +++ b/skills/continuous-learning-v2/hooks/observe.sh 
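Review bot: The `start_line` window computed with `wc -l` counts newlines, so if the existing `observer.log` ends without a trailing newline the observer's first appended line is glued onto the old last line and `tail -n +"$((start_line + 1))"` skips it, leaving that line unchecked by the prompt guard. Normalise the file before the launch, e.g. after `touch "$LOG_FILE"` add `[ -s "$LOG_FILE" ] && [ -n "$(tail -c 1 "$LOG_FILE")" ] && echo >> "$LOG_FILE"`. The enclosing `start)` branch begins before this hunk.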
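Review bot: `grep -E -i -q "$CLV2_OBSERVER_PROMPT_PATTERN"` matches every line when the variable is empty, because an empty extended regex matches everything, so a caller that did not source the updated detect-project.sh (or an older copy of it) makes the guard fire on any observer output and stops the observer with a sentinel; the same applies to the `echo "$PARSED" | grep …` check in the observe.sh hunk at `@@ -213,13 +212,12 @@`, where the `echo` guarantees at least one line and so a guaranteed fail-closed on every run. Fail loudly instead of silently matching all: `: "${CLV2_OBSERVER_PROMPT_PATTERN:?CLV2_OBSERVER_PROMPT_PATTERN is not set (source detect-project.sh)}"` before the check, and pass the pattern as `-e "$CLV2_OBSERVER_PROMPT_PATTERN"` so a future pattern beginning with `-` cannot be parsed as an option. The `nohup env … &` launch that precedes the check is split across this and the previous hunk.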
@@ -33,12 +33,9 @@ resolve_python_cmd() { return 0 fi - # FIX: Windows Git Bash — check known Python install paths directly - # because `command -v python` triggers the Microsoft Store alias instead - for win_py in \ - "/c/Users/$USER/AppData/Local/Programs/Python/Python311/python" \ - "/c/Users/$USER/AppData/Local/Programs/Python/Python312/python" \ - "/c/Users/$USER/AppData/Local/Programs/Python/Python310/python"; do + # FIX: Windows Git Bash — probe Python install paths directly because + # `command -v python` can hit the Microsoft Store alias instead. + for win_py in /c/Users/"$USER"/AppData/Local/Programs/Python/Python3*/python; do if [ -x "$win_py" ]; then printf '%s\n' "$win_py" return 0 @@ -105,9 +102,11 @@ CONFIG_DIR="${HOME}/.claude/homunculus" OBSERVATIONS_FILE="${PROJECT_DIR}/observations.jsonl" MAX_FILE_SIZE_MB=10 -# FIX: SENTINEL_FILE must be defined AFTER PROJECT_DIR is set by detect-project.sh -# Previously it was defined at the top before PROJECT_DIR existed, making it empty/broken -SENTINEL_FILE="${PROJECT_DIR}/.observer.lock" +SENTINEL_FILE="${CLV2_OBSERVER_SENTINEL_FILE:-${PROJECT_ROOT:-$PROJECT_DIR}/.observer.lock}" + +write_guard_sentinel() { + printf '%s\n' 'observer paused: confirmation or permission prompt detected; rerun start-observer.sh --reset after reviewing observer.log' > "$SENTINEL_FILE" +} # Skip if disabled globally if [ -f "$CONFIG_DIR/disabled" ]; then 
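Review bot: The new glob `Python3*/python` expands in lexical order, so `Python310` is tried before `Python311` and `Python312` and the loop now returns the oldest matching install, whereas the list it replaces preferred 3.11, then 3.12, then 3.10. If the newest interpreter should win, iterate the matches in reverse (collect them into an array and walk it from the end) or keep an explicit ordered list; either way, the chosen order deserves a comment next to the `for`. Note also that an unmatched glob leaves the literal pattern in `win_py`, which the `-x` test rejects harmlessly. `resolve_python_cmd` begins and ends outside this hunk.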
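Review bot: `SENTINEL_FILE` and `write_guard_sentinel` (including the exact user-facing message) are now defined verbatim in both observe.sh and start-observer.sh, so the two copies will drift the first time one is edited. Since detect-project.sh already exports `CLV2_OBSERVER_SENTINEL_FILE` and `CLV2_OBSERVER_PROMPT_PATTERN` for both scripts, defining `write_guard_sentinel` there once and having each script call it would keep path, message and pattern in a single place; I am inferring that start-observer.sh sources detect-project.sh from the shared `CLV2_` variables, so confirm that before moving it. The three-level fallback `${CLV2_OBSERVER_SENTINEL_FILE:-${PROJECT_ROOT:-$PROJECT_DIR}/.observer.lock}` would then collapse to the exported value.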
@@ -213,13 +212,12 @@ if [ -f "$OBSERVATIONS_FILE" ]; then fi fi -# FIX: Detect confirmation/permission prompts in observer output and fail closed. +# Detect confirmation/permission prompts in observer output and fail closed. # A non-interactive background observer must never ask for user confirmation. -# If detected: log once, write sentinel to suppress all future retries, exit non-zero. -if echo "$PARSED" | grep -E -i -q "Can you confirm|requires permission|Awaiting|confirm I should proceed|once granted access|grant.*access"; then +if echo "$PARSED" | grep -E -i -q "$CLV2_OBSERVER_PROMPT_PATTERN"; then echo "[observe] OBSERVER_ABORT: Confirmation or permission prompt detected in observer output. This observer run is non-actionable." >&2 echo "[observe] Writing sentinel to suppress retries: ${SENTINEL_FILE}" >&2 - echo "$PARSED" > "$SENTINEL_FILE" + write_guard_sentinel exit 2 fi @@ -267,4 +265,4 @@ for pid_file in "${PROJECT_DIR}/.observer.pid" "${CONFIG_DIR}/.observer.pid"; do fi done -exit 0 \ No newline at end of file +exit 0 diff --git a/skills/continuous-learning-v2/scripts/detect-project.sh b/skills/continuous-learning-v2/scripts/detect-project.sh index 6f88deb0..ed1988c5 100755 --- a/skills/continuous-learning-v2/scripts/detect-project.sh +++ b/skills/continuous-learning-v2/scripts/detect-project.sh @@ -46,6 +46,9 @@ _CLV2_PYTHON_CMD="$(_clv2_resolve_python_cmd 2>/dev/null || true)" CLV2_PYTHON_CMD="$_CLV2_PYTHON_CMD" export CLV2_PYTHON_CMD +CLV2_OBSERVER_PROMPT_PATTERN='Can you confirm|requires permission|Awaiting (user confirmation|confirmation|approval|permission)|confirm I should proceed|once granted access|grant.*access' +export CLV2_OBSERVER_PROMPT_PATTERN + _clv2_detect_project() { local project_root="" local project_name="" 
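Review bot: The `grant.*access` alternative in `CLV2_OBSERVER_PROMPT_PATTERN` is unanchored and, because both consumers run grep with `-i`, matches any line in which "grant" is followed anywhere by "access" — ordinary tool output such as a README sentence, an IAM policy diff or a changelog entry qualifies. Since a match now writes a sentinel that suppresses the observer until someone runs `start-observer.sh --reset`, a false positive is much more expensive than before, so this alternative is worth tightening to the phrasing the guard actually targets (something like `grant (me |it )?access`, which is a constructed example to adjust against real observer transcripts) in the same way the commit already narrowed `Awaiting`. A short comment above the assignment listing what each alternative is meant to catch would also help the next person who has to tune it.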
@@ -216,3 +219,10 @@ PROJECT_ID="$_CLV2_PROJECT_ID" PROJECT_NAME="$_CLV2_PROJECT_NAME" PROJECT_ROOT="$_CLV2_PROJECT_ROOT" PROJECT_DIR="$_CLV2_PROJECT_DIR" + +if [ -n "$PROJECT_ROOT" ]; then + CLV2_OBSERVER_SENTINEL_FILE="${PROJECT_ROOT}/.observer.lock" +else + CLV2_OBSERVER_SENTINEL_FILE="${PROJECT_DIR}/.observer.lock" +fi +export CLV2_OBSERVER_SENTINEL_FILE diff --git a/tests/hooks/hooks.test.js b/tests/hooks/hooks.test.js index 540d5084..dec8d15b 100644 --- a/tests/hooks/hooks.test.js +++ b/tests/hooks/hooks.test.js 
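Review bot: `CLV2_OBSERVER_SENTINEL_FILE` is placed under `PROJECT_ROOT` when it is set, which from the name appears to be the detected project checkout rather than the observer's own state directory; if so, `.observer.lock` is created in the working tree, can be committed by accident, and a checked-in copy would then keep the observer paused for every clone until someone notices and runs `--reset`. Keeping it under `PROJECT_DIR` with the PID file, log and observations would avoid that, or, if the project-root placement is deliberate so that observe.sh finds it from the repository, document that choice in a comment above the `if` and add the file to the project's ignore rules. Please confirm what `PROJECT_ROOT` resolves to before deciding, since its assignment is outside this hunk.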
@@ -2211,6 +2211,22 @@ async function runTests() { passed++; else failed++; + if ( + test('continuous-learning-v2 observer scripts share prompt guard config and start-observer supports reset', () => { + const observeSource = fs.readFileSync(path.join(__dirname, '..', '..', 'skills', 'continuous-learning-v2', 'hooks', 'observe.sh'), 'utf8'); + const startObserverSource = fs.readFileSync(path.join(__dirname, '..', '..', 'skills', 'continuous-learning-v2', 'agents', 'start-observer.sh'), 'utf8'); + const detectProjectSource = fs.readFileSync(path.join(__dirname, '..', '..', 'skills', 'continuous-learning-v2', 'scripts', 'detect-project.sh'), 'utf8'); + + assert.ok(detectProjectSource.includes('CLV2_OBSERVER_PROMPT_PATTERN='), 'detect-project.sh should export a shared observer prompt pattern'); + assert.ok(observeSource.includes('CLV2_OBSERVER_PROMPT_PATTERN'), 'observe.sh should use the shared observer prompt pattern'); + assert.ok(startObserverSource.includes('CLV2_OBSERVER_PROMPT_PATTERN'), 'start-observer.sh should use the shared observer prompt pattern'); + assert.ok(startObserverSource.includes('--reset'), 'start-observer.sh should document or support an explicit reset flag'); + assert.ok(!startObserverSource.includes('.observer.tmp.log'), 'start-observer.sh should not leave the observer writing to a temp log file'); + }) + ) + passed++; + else failed++; + if (await asyncTest('observe.sh falls back to legacy output fields when tool_response is null', async () => { const homeDir = createTestDir(); const projectDir = createTestDir(); 
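Review bot: The new test only checks that certain substrings occur in the three script sources, so `startObserverSource.includes('--reset')` is already satisfied by the usage comment and would keep passing if the flag handling were removed, and `includes('CLV2_OBSERVER_PROMPT_PATTERN')` passes for a script that merely mentions the variable. The behaviour worth pinning is that `start-observer.sh --reset` removes an existing sentinel, which could be done the same way the neighbouring tests drive observe.sh through `runShellScript` with a temp directory; a comment on the test naming it as a source-text smoke check would be the minimum. Stylistically, the three `path.join(__dirname, '..', '..', 'skills', 'continuous-learning-v2', …)` calls repeat the same prefix; hoist `const clv2Root = path.join(__dirname, '..', '..', 'skills', 'continuous-learning-v2');` and join the file names onto it.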
@@ -2248,6 +2264,63 @@ async function runTests() { } })) passed++; else failed++; + if (await asyncTest('observe.sh does not trip the observer lock for generic Awaiting output', async () => { + const homeDir = createTestDir(); + const projectDir = createTestDir(); + const observePath = path.join(__dirname, '..', '..', 'skills', 'continuous-learning-v2', 'hooks', 'observe.sh'); + const payload = JSON.stringify({ + tool_name: 'Bash', + tool_input: { command: 'echo waiting' }, + tool_response: 'Awaiting build completion from CI', + session_id: 'session-awaiting-generic', + cwd: projectDir + }); + + try { + const result = await runShellScript(observePath, ['post'], payload, { + HOME: homeDir, + CLAUDE_PROJECT_DIR: projectDir + }, projectDir); + + assert.strictEqual(result.code, 0, `observe.sh should not fail closed for generic Awaiting output, stderr: ${result.stderr}`); + assert.ok(!fs.existsSync(path.join(projectDir, '.observer.lock')), 'generic Awaiting output should not create the observer lock sentinel'); + } finally { + cleanupTestDir(homeDir); + cleanupTestDir(projectDir); + } + })) passed++; else failed++; + + if (await asyncTest('observe.sh writes a scrubbed sentinel when confirmation prompts are detected', async () => { + const homeDir = createTestDir(); + const projectDir = createTestDir(); + const observePath = path.join(__dirname, '..', '..', 'skills', 'continuous-learning-v2', 'hooks', 'observe.sh'); + const payload = JSON.stringify({ + tool_name: 'Bash', + tool_input: { command: 'echo guarded' }, + tool_response: 'Awaiting user confirmation before proceeding. 
token=supersecretvalue123456', + session_id: 'session-awaiting-confirmation', + cwd: projectDir + }); + + try { + const result = await runShellScript(observePath, ['post'], payload, { + HOME: homeDir, + CLAUDE_PROJECT_DIR: projectDir + }, projectDir); + + const sentinelPath = path.join(projectDir, '.observer.lock'); + assert.strictEqual(result.code, 2, `observe.sh should fail closed when a confirmation prompt is detected, stderr: ${result.stderr}`); + assert.ok(fs.existsSync(sentinelPath), 'confirmation prompts should create the observer lock sentinel'); + + const sentinelContent = fs.readFileSync(sentinelPath, 'utf8'); + assert.ok(/confirmation|permission/i.test(sentinelContent), 'sentinel should record the reason it was created'); + assert.ok(!sentinelContent.includes('supersecretvalue123456'), 'sentinel should not persist raw secrets from observer output'); + } finally { + cleanupTestDir(homeDir); + cleanupTestDir(projectDir); + } + })) passed++; else failed++; + if (await asyncTest('matches .tsx extension for type checking', async () => { const testDir = createTestDir(); const testFile = path.join(testDir, 'component.tsx');
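Review bot: The `tool_response` literal in the second test is shown here broken across two lines at "before proceeding. " / "token=supersecretvalue123456"; if the file really contains a raw line break inside the single-quoted string that is a syntax error, and if it contains an escaped `\n` it is worth keeping it on one line so readers are not misled. Either way, pinning `sentinelContent` against the exact guard message (it is fixed text in `write_guard_sentinel`) would be a stronger check than `/confirmation|permission/i`, and the `!sentinelContent.includes('supersecretvalue123456')` assertion is the right regression guard for the old behaviour of writing `$PARSED` into the lock file. The first test's `result.code === 0` check for "Awaiting build completion" correctly exercises the narrowed `Awaiting` alternative; consider also asserting that the observations file was written so the test fails if the hook exits early for an unrelated reason.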