Learning/debug mode, trust-duration dashboard, P1 security fixes + coverage #36
Merged
Opt-in {ask|deny|honordefault} governing the validator-UNREACHABLE case
separately from default_decision; default ask preserves current fail-closed
behavior. Stripped from untrusted repo config via the existing validator subtree.

… honor unavailable knob
- fileedit_candidate_paths only treats single-line non-content-key values as whole paths (keeps key-agnostic patch-header extraction incl. apply_patch's command field), so a file whose body mentions a protected path is no longer denied.
- The four L1-unavailable arms resolve via on_validator_unavailable instead of always forcing ask; default ask is unchanged.

…l '>' or reads
Replace the over-broad redirect/copy globs with a token-based destination check: flags only real redirection targets (excludes fd-dups and input '<') and cp/mv/tee/dd-of destinations by path component, so '->' arrows, '2>&1', and cp/mv reading FROM a protected dir are no longer false-denied.

…e-dest extractor
- A whitelisted read carrying an output file-redirection no longer auto-allows (falls to Ask); fd-dups and /dev device targets are excluded so `cat x 2>/dev/null` and `cat x 2>&1` still allow (F-1).
- Expose pure `bash_write_destinations` for the hook's canonicalizing guard (F-4).

…uleType read
- create_snapshot and create_snapshot_if_no_recent_auto_summary redact summary and key_facts via redact_secrets before INSERT (single chokepoint) (F-2).
- row_to_learned_rule strict-parses rule_type; unknown rows are dropped (warn, redacted) instead of defaulting to Allow; get_rule_by_pattern unknown→None (F-3).

…g tests
- New Bash-write-destination guard resolves symlinks/~/relative (via the shared path_resolves_into_protected_dir helper, also used by the FileEdit guard) and denies writes into protected config dirs before L0 — closes the symlink bypass (F-4).
- Test run helper also scrubs CLX_HOOK_HOST so the envelope-sniff tests are deterministic regardless of ambient env (F-7).

…flag, divergence
- schema v10 learning_events table + redaction-choke-point record API + COUNT-guard retention; LearningEvent/DecisionOrigin/EffectiveConfig types + classify_divergence.
- validator.learning_mode flag (default off) + CLX_LEARNING_MODE env override (trust-gated).
- relocate NEVER_AUTO_WHITELIST to clx-core so the CLI suggestion filter can reuse it.

- Best-effort capture beside every decision emit (22 sites), gated by a single bool so the off-path opens no DB and writes nothing; never alters a decision.
- Site-assigned DecisionOrigin drives the divergence flag; errors/degraded arms recorded as such. Redaction happens at the clx-core sink.

…suggestions
- report shows decision/divergence/kind counts + deterministic rule suggestions (diverged-ask patterns), excluding never-auto-whitelist/secret-bearing/compound; unavailable-event count keys off the authoritative Error/Degraded kind.

- Expose validator.trust_mode_default_duration and trust_mode_max_duration as NumberU64 fields (section 0), mirroring layer1_timeout_ms; config + CLI already honored them, only the dashboard UI was missing.
- Cross-field validation on save: default must not exceed max (both directions).

…earn)
The test asserted the pre-Issue-9 contract (L1 deny increments denial_count); Issue 9 deliberately made automated denials early-return before learning, so the test now pins the documented behavior: no learned rule is created.

…, recall substring fallback, and StorageBackend wiring
…d degradation behavior tests
…ration regression comment
…/credentials tools
Also tightens clx-core query/recall behavior tests. Removed one ineffective FTS-sabotage test (DROP from a 2nd connection didn't break the server FTS); the degraded substring-fallback path is covered at the engine level.
Merged
blackaxgit added a commit that referenced this pull request on Jun 10, 2026
Bumps the workspace to **0.12.0** (Cargo.toml + Cargo.lock + CHANGELOG).

This is the release-trigger that was missed: the v0.12.0 bump was pushed to PR #36 *after* it had already been squash-merged, so the bump never reached `main` and `release-plz` never tagged. The feature/security content from #36 is already on `main`; this PR adds only the version bump.

On merge: `release-plz` reads `0.12.0` from `Cargo.toml`, creates+pushes tag `v0.12.0`, which triggers `release.yml` to build the arm64 macOS binary and publish the GitHub Release + Homebrew.

Pre-merge gates: cargo-deny advisories ok; secret scan clean; workspace at 0.12.0.

Co-authored-by: blackax <blackaxgit@users.noreply.github.com>
Summary
Accumulated work on top of v0.11.1 (16 commits), in four groups. Full suite green: 2610 passed / 0 failed; clippy `-D warnings` clean; fmt clean; gitleaks clean.

Security fixes (P1, were live in v0.11.1)
- … `echo x > ~/.bashrc`) no longer auto-allows; falls to Ask. fd-dups and `/dev/*` targets excluded.
- `create_snapshot` and the auto-summary sink now redact `summary`/`key_facts` (secrets no longer reach the recall store).
- `RuleType` read — a corrupt/unknown `rule_type` row is dropped, not silently materialized as `Allow` (closes a fail-open into L0).
- … ../~ before the protected-dir check (symlink-alias bypass closed); shared `path_resolves_into_protected_dir` helper (dedup with the FileEdit guard).
- `on_validator_unavailable` knob (default `ask`).

Feature: learning/debug mode (opt-in, observe-only)
- `validator.learning_mode` (+`CLX_LEARNING_MODE`), off by default, trust-gated. When on, captures every PreToolUse decision + rationale + a divergence flag + errors/degraded events into a new `learning_events` table (schema v10), redacted at the sink, with COUNT-guard retention.
- `clx learning` CLI: `report` (decision/divergence/kind counts + deterministic rule/config suggestions), `list`, `export --json`, `clear`.

Feature: trust-duration in the dashboard
- `trust_mode_default_duration`/`trust_mode_max_duration` editable in the dashboard Validator settings (config + CLI already honored them), with cross-field `default ≤ max` validation.

Test coverage (honest ceiling, no theater)
- `clx learning` 68→99%; F-4 real-guard wiring test added.
- `l1_deny` e2e was aligned with the documented Issue-9 contract (automated denials never learn).

Notes
- … docs/).

Test plan
- `scripts/test.sh all` (lint + nextest + insta + coverage gate) — green locally.
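
The token-based redirect-destination check described in the F-1 commits above, as an added sketch that is not the project's code: `redirect_destinations`, `hits_protected_component` and the `.toolcfg` directory name are hypothetical. It assumes whitespace-separated tokens, which a real shell tokenizer would replace.

```rust
use std::path::{Component, Path};
/// Added sketch, not the project's `bash_write_destinations`: returns the file
/// targets of output redirections in `cmd`. Assumption: tokens are split on
/// whitespace, so quoting and unspaced forms such as `x>file` are not handled.
pub fn redirect_destinations(cmd: &str) -> Vec<String> {
    let toks: Vec<&str> = cmd.split_whitespace().collect();
    let mut out = Vec::new();
    let mut i = 0;
    while i < toks.len() {
        let tok = toks[i];
        i += 1;
        // Drop an fd number or '&' prefix so "2>", "1>>" and "&>" look alike.
        let op = tok.trim_start_matches(|c: char| c.is_ascii_digit());
        let op = op.strip_prefix('&').unwrap_or(op);
        // Input '<' and arrows such as "->" do not start with '>' at this point.
        let rest = match op.strip_prefix('>') {
            Some(r) => r.trim_start_matches(|c: char| c == '>' || c == '|'),
            None => continue,
        };
        // fd duplication (2>&1, >&2, >&-) opens no file; ">&file" does.
        let rest = match rest.strip_prefix('&') {
            Some(fd) if fd == "-" || (!fd.is_empty() && fd.bytes().all(|b| b.is_ascii_digit())) => continue,
            Some(file) => file,
            None => rest,
        };
        // For "> file" the target is the next token.
        let target = match (rest.is_empty(), toks.get(i)) {
            (false, _) => rest,
            (true, Some(t)) => { i += 1; *t }
            (true, None) => continue,
        };
        // /dev targets (2>/dev/null) are excluded, as the commits describe.
        if target.starts_with("/dev/") { continue; }
        out.push(target.to_string());
    }
    out
}

/// Match by path component; symlinks, `..` and `~` need a canonicalizing guard (F-4).
pub fn hits_protected_component(dest: &str, protected: &str) -> bool {
    Path::new(dest).components().any(|c| matches!(c, Component::Normal(n) if n.to_str() == Some(protected)))
}

fn main() {
    // Constructed commands; ".toolcfg" is a placeholder protected directory name.
    for cmd in ["cat x 2>&1", "cat x 2>/dev/null", "echo a -> b", "echo x > ~/.toolcfg/rules"] {
        println!("{:?} => {:?}", cmd, redirect_destinations(cmd));
    }
}
```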