terraphim_hooks 1.16.34

Unified hooks infrastructure for Terraphim AI - knowledge graph-based text replacement and validation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245

//! Knowledge graph based command validation service.
//!
//! This module provides validation capabilities using Aho-Corasick automaton
//! matching against knowledge graph patterns.

use std::time::Instant;

use crate::replacement::ReplacementService;
use crate::validation_types::{ValidationError, ValidationResult};
use terraphim_types::Thesaurus;

/// Command validation service.
///
/// Validates commands and operations against knowledge graph patterns
/// using high performance Aho-Corasick automaton matching.
#[derive(Debug, Clone)]
pub struct ValidationService {
    replacement_service: ReplacementService,
}

impl ValidationService {
    /// Create a new validation service with the provided command pattern thesaurus.
    pub fn new(command_thesaurus: Thesaurus) -> Self {
        Self {
            replacement_service: ReplacementService::new(command_thesaurus),
        }
    }

    /// Validate a command string.
    ///
    /// Returns a validation result indicating if the command should be allowed,
    /// warned, blocked, or modified.
    pub fn validate(&self, command: &str) -> ValidationResult {
        let start = Instant::now();

        let matches = match self.replacement_service.find_matches(command) {
            Ok(matches) => matches,
            Err(e) => {
                let duration = start.elapsed().as_millis() as u64;
                return ValidationResult::fail_open(
                    command.to_string(),
                    ValidationError {
                        message: e.to_string(),
                        code: None,
                    },
                    duration,
                );
            }
        };

        let duration = start.elapsed().as_millis() as u64;

        if matches.is_empty() {
            return ValidationResult::allow(command.to_string(), duration);
        }

        // For v1 implementation, first match wins.
        // More complex rule evaluation will be added in future versions.
        let first_match = &matches[0];
        let normalized = first_match.normalized_term.value.as_str();

        match normalized {
            "allow" => ValidationResult::allow(command.to_string(), duration),
            "warn" => ValidationResult::warn(
                command.to_string(),
                format!("Matched warning pattern: {}", first_match.term),
                duration,
            ),
            "block" => ValidationResult::block(
                command.to_string(),
                format!("Blocked by pattern: {}", first_match.term),
                duration,
            ),
            _ => ValidationResult::modify(
                command.to_string(),
                command.replace(&first_match.term, normalized),
                duration,
            ),
        }
    }

    /// Validate a command with fail-open semantics.
    ///
    /// If validation fails internally, always returns Allow outcome
    /// with error information attached.
    pub fn validate_fail_open(&self, command: &str) -> ValidationResult {
        self.validate(command)
    }

    /// Check if a command contains any validation patterns.
    ///
    /// Returns true if any pattern matches, false otherwise.
    pub fn has_matches(&self, command: &str) -> bool {
        self.replacement_service.contains_matches(command)
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use terraphim_types::{NormalizedTerm, NormalizedTermValue};

    fn create_test_thesaurus() -> Thesaurus {
        let mut thesaurus = Thesaurus::new("command_validation".to_string());

        // Allow patterns
        let allow_term = NormalizedTerm::new(1u64, NormalizedTermValue::from("allow"));
        thesaurus.insert(NormalizedTermValue::from("cargo build"), allow_term.clone());
        thesaurus.insert(NormalizedTermValue::from("cargo test"), allow_term.clone());

        // Warning patterns
        let warn_term = NormalizedTerm::new(2u64, NormalizedTermValue::from("warn"));
        thesaurus.insert(NormalizedTermValue::from("sudo"), warn_term.clone());
        thesaurus.insert(NormalizedTermValue::from("curl"), warn_term.clone());

        // Block patterns
        let block_term = NormalizedTerm::new(3u64, NormalizedTermValue::from("block"));
        thesaurus.insert(NormalizedTermValue::from("rm -rf /"), block_term.clone());
        thesaurus.insert(
            NormalizedTermValue::from("dd if=/dev/zero"),
            block_term.clone(),
        );

        // Modify patterns
        let bun_term = NormalizedTerm::new(4u64, NormalizedTermValue::from("bun"));
        thesaurus.insert(NormalizedTermValue::from("npm"), bun_term.clone());
        thesaurus.insert(NormalizedTermValue::from("yarn"), bun_term.clone());

        thesaurus
    }

    #[test]
    fn test_validate_allow() {
        let service = ValidationService::new(create_test_thesaurus());
        let result = service.validate("cargo build --release");

        assert!(result.is_allowed());
        assert!(!result.should_block());
        assert!(!result.is_modified());
        assert!(result.error.is_none());
    }

    #[test]
    fn test_validate_warn() {
        let service = ValidationService::new(create_test_thesaurus());
        let result = service.validate("sudo systemctl restart nginx");

        assert!(result.is_allowed());
        assert!(!result.should_block());
        assert!(!result.is_modified());

        if let crate::ValidationOutcome::Warn(msg) = result.outcome {
            assert!(msg.contains("sudo"));
        } else {
            panic!("Expected Warn outcome");
        }
    }

    #[test]
    fn test_validate_block() {
        let service = ValidationService::new(create_test_thesaurus());
        let result = service.validate("rm -rf /var/log");

        assert!(!result.is_allowed());
        assert!(result.should_block());
        assert!(!result.is_modified());

        if let crate::ValidationOutcome::Block(reason) = result.outcome {
            assert!(reason.contains("rm -rf /"));
        } else {
            panic!("Expected Block outcome");
        }
    }

    #[test]
    fn test_validate_modify() {
        let service = ValidationService::new(create_test_thesaurus());
        let result = service.validate("npm install express");

        assert!(result.is_allowed());
        assert!(!result.should_block());
        assert!(result.is_modified());
        assert_eq!(result.final_text(), "bun install express");

        if let crate::ValidationOutcome::Modify(modified) = result.outcome {
            assert_eq!(modified, "bun install express");
        } else {
            panic!("Expected Modify outcome");
        }
    }

    #[test]
    fn test_validate_no_matches() {
        let service = ValidationService::new(create_test_thesaurus());
        let result = service.validate("ls -la");

        assert!(result.is_allowed());
        assert!(!result.should_block());
        assert!(!result.is_modified());
        assert!(result.error.is_none());
    }

    #[test]
    fn test_has_matches() {
        let service = ValidationService::new(create_test_thesaurus());

        assert!(service.has_matches("cargo build"));
        assert!(service.has_matches("sudo"));
        assert!(service.has_matches("rm -rf /"));
        assert!(service.has_matches("npm install"));
        assert!(!service.has_matches("ls -la"));
    }

    #[test]
    fn test_validate_fail_open() {
        let service = ValidationService::new(create_test_thesaurus());
        let result = service.validate_fail_open("rm -rf /");

        // Should still block even with fail-open
        assert!(result.should_block());
    }

    #[test]
    fn test_validate_latency() {
        let service = ValidationService::new(create_test_thesaurus());

        // Warm up caches to reduce noise from one-time setup costs.
        let _ = service.validate("cargo build --release --all-targets");

        // Run 1000 iterations to measure performance
        let start = std::time::Instant::now();
        for _ in 0..1000 {
            let _ = service.validate("cargo build --release --all-targets");
        }
        let duration = start.elapsed();

        // Average should stay comfortably below a multi-millisecond regression.
        let avg_ns = duration.as_nanos() / 1000;
        assert!(
            avg_ns < 5_000_000,
            "Average validation time {}ns > 5ms",
            avg_ns
        );
    }
}