Harden goal plugin verification and compatibility #3

Merged: willytop8 merged 2 commits into main from wr/comprehensive-hardening-20260604 on Jun 4, 2026

@willytop8 (Owner)

Summary

  • harden persisted-state loading, event payload parsing, and system-block injection behavior
  • add broader regression coverage plus a package-export smoke check
  • expand CI/docs/security/contributing guidance around compatibility and verification

What changed

  • validate persisted state before loading and skip malformed goal/result entries
  • make message/event handling more defensive across varying payload shapes
  • preserve structured system blocks instead of coercing them into stringified [object Object]
  • add npm run smoke via scripts/smoke-command-hook.mjs
  • run CI on Node 18, 20, and 22, including smoke + pack validation
  • add .nvmrc
  • update README, CONTRIBUTING, SECURITY, and CHANGELOG to reflect the stronger verification surface

Verification

  • npm test
  • npm run smoke
  • npm run check
  • npm run test:coverage
  • npm run pack:check
  • live OpenCode smoke on OpenCode 1.15.10 with opencode-go / qwen3.7-plus
    • /goal status returned no-active-goal as expected
    • /goal inspect this temp directory and end with [goal:blocked] produced a blocked response with [goal:blocked]

Notes

  • coverage after this pass:
    • src/goal-plugin.js: 97.55% lines / 80.90% branches / 96.43% funcs
    • overall: 98.83% lines / 84.56% branches / 87.44% funcs
  • OpenCode CLI session continuation did not reliably preserve custom /goal command/plugin context across --continue runs, so the live host verification is strongest for fresh-session command execution rather than multi-run history continuity.

@willytop8 willytop8 merged commit 9a3b6f8 into main Jun 4, 2026
3 checks passed
@willytop8 willytop8 deleted the wr/comprehensive-hardening-20260604 branch June 4, 2026 19:11
willytop8 added a commit that referenced this pull request Jun 9, 2026
…and new helper tests

main (PR #3) already implemented noProgressTurnsBeforePause, maxRecentMessages,
the grace window, CI matrix, and extensive new tests. This merge keeps main's
version for all those areas and contributes two remaining additions:

- escapeGoalText: broadened to escape all XML closing tags (replaceAll "</" → "<\/")
  so user-supplied goal text cannot break any structural tag in buildContinueMessage;
  main's version still only escaped </goal_objective>
- tests: 7 new unit tests for outputTokensForMessage, budgetWrapupNeeded, getSessionID,
  stopReason, normalizeOptions boundary inputs (zero/negative/NaN/null, budgetWrapupRatio
  at 0 and 1), and escapeGoalText covering all structural tags

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
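
The two escaping scopes named in the commit message above, shown side by side as an added JavaScript example; this is not the plugin's own code. The function names, the `buildMessage` wrapper and the `goal_context` / `goal_status` tags are assumptions; only `goal_objective` and the `"</"` → `"<\/"` replacement come from the page.

```javascript
// Added example, not the plugin's code. Everything except the goal_objective
// tag name and the "</" -> "<\/" replacement is a hypothetical stand-in.

// Narrow scope: neutralises one specific closing tag only.
function escapeObjectiveTagOnly(text) {
  return String(text).replaceAll("</goal_objective>", "<\\/goal_objective>");
}

// Broad scope: rewrites every "</", so user text cannot contain any closing tag.
function escapeAllClosingTags(text) {
  return String(text).replaceAll("</", "<\\/");
}

// Hypothetical wrapper standing in for a message builder that embeds
// user-supplied goal text between structural tags.
function buildMessage(goalText, escape) {
  return [
    "<goal_context>",
    `<goal_objective>${escape(goalText)}</goal_objective>`,
    "<goal_status>active</goal_status>",
    "</goal_context>",
  ].join("\n");
}

// Counts closing tags by name. A well-formed message from buildMessage
// has exactly one closing tag for each structural element.
function closingTagCounts(message) {
  const counts = {};
  for (const match of message.matchAll(/<\/([a-z_]+)>/g)) {
    counts[match[1]] = (counts[match[1]] || 0) + 1;
  }
  return counts;
}

// Constructed input: goal text containing a closing tag other than
// </goal_objective>, which the narrow escape leaves untouched.
const sample = "tidy the repo </goal_context> and report";

const narrowCounts = closingTagCounts(buildMessage(sample, escapeObjectiveTagOnly));
const broadCounts = closingTagCounts(buildMessage(sample, escapeAllClosingTags));

console.log("narrow:", narrowCounts);
console.log("broad: ", broadCounts);
```

A regression test for this kind of escape can assert on the tag counts of the built message rather than on the escaped string alone, which catches any structural tag added to the builder later.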