tractatus

john/tractatus

Fork 0

Commit graph

Author	SHA1	Message	Date
TheFlow	d854ac85e2	feat(research): add cross-environment audit log sync infrastructure Implements privacy-preserving synchronization of production audit logs to development for comprehensive governance research analysis. Backend Components: - SyncMetadata.model.js: Track sync state and statistics - audit-sanitizer.util.js: Privacy sanitization utility - Redacts credentials, API keys, user identities - Sanitizes file paths and violation content - Preserves statistical patterns for research - sync-prod-audit-logs.js: CLI sync script - Incremental sync with deduplication - Dry-run mode for testing - Configurable date range - AuditLog.model.js: Enhanced schema with environment tracking - environment field (development/production/staging) - sync_metadata tracking (original_id, synced_from, etc.) - New indexes for cross-environment queries - audit.controller.js: New /api/admin/audit-export endpoint - Privacy-sanitized export for cross-environment sync - Environment filter support in getAuditLogs - MemoryProxy.service.js: Environment tagging in auditDecision() - Tags new logs with NODE_ENV or override - Sets is_local flag for tracking Frontend Components: - audit-analytics.html: Environment filter dropdown - audit-analytics.js: Environment filter query parameter handling Research Benefits: - Combine dev and prod governance statistics - Longitudinal analysis across environments - Validate framework consistency - Privacy-preserving data sharing Security: - API-based export (not direct DB access) - Admin-only endpoints with JWT authentication - Comprehensive credential redaction - One-way sync (production → development) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-27 12:11:16 +13:00
TheFlow	29f50124b5	fix: MongoDB persistence and inst_016-018 content validation enforcement This commit implements critical fixes to stabilize the MongoDB persistence layer and adds inst_016-018 content validation to BoundaryEnforcer as specified in instruction history. ## Context - First session using Anthropic's new API Memory system - Fixed 3 MongoDB persistence test failures - Implemented BoundaryEnforcer inst_016-018 trigger logic per user request - All unit tests now passing (61/61 BoundaryEnforcer, 25/25 BlogCuration) ## Fixes ### 1. CrossReferenceValidator: Port Regex Enhancement - File: src/services/CrossReferenceValidator.service.js:203 - Issue: Regex couldn't extract port from "port 27017" (space-delimited format) - Fix: Changed `/port[:=]\s(\d{4,5})/i` to `/port[:\s=]\s(\d{4,5})/i` - Result: Now matches "port: X", "port = X", and "port X" formats - Tests: 28/28 CrossReferenceValidator tests passing ### 2. BlogCuration: MongoDB Method Correction - File: src/services/BlogCuration.service.js:187 - Issue: Called non-existent `Document.findAll()` method - Fix: Changed to `Document.list({ limit: 20, skip: 0 })` - Result: BlogCuration can now fetch existing documents for topic generation - Tests: 25/25 BlogCuration tests passing ### 3. MemoryProxy: Optional Anthropic API Integration - File: src/services/MemoryProxy.service.js - Issue: Treated Anthropic Memory Tool API as mandatory, causing errors without API key - Fix: Made Anthropic client optional with graceful degradation - Architecture: MongoDB (required) + Anthropic API (optional enhancement) - Result: System functions fully without CLAUDE_API_KEY environment variable ### 4. AuditLog Model: Duplicate Index Fix - File: src/models/AuditLog.model.js:132 - Issue: Mongoose warning about duplicate timestamp index - Fix: Removed inline `index: true`, kept TTL index definition at line 149 - Result: No more Mongoose duplicate index warnings ### 5. BlogCuration Tests: Mock API Correction - File: tests/unit/BlogCuration.service.test.js - Issue: Tests mocked non-existent `generateBlogTopics()` function - Fix: Updated mocks to use actual `sendMessage()` and `extractJSON()` methods - Result: All 25 BlogCuration tests passing ## New Features ### 6. BoundaryEnforcer: inst_016-018 Content Validation (MAJOR) - File: src/services/BoundaryEnforcer.service.js:508-580 - Purpose: Prevent fabricated statistics, absolute guarantees, and unverified claims - Implementation: Added `_checkContentViolations()` private method - Enforcement Rules: - inst_017: Blocks absolute assurance terms (guarantee, 100% secure, never fails) - inst_016: Blocks statistics/ROI/$ amounts without sources - inst_018: Blocks production claims (production-ready, battle-tested) without evidence - Mechanism: All violations classified as VALUES boundary violations (honesty/transparency) - Tests: 22 new comprehensive tests in tests/unit/BoundaryEnforcer.test.js - Result: 61/61 BoundaryEnforcer tests passing ### Regex Pattern for inst_016 (Statistics Detection): ```regex /\d+(\.\d+)?%\|\$[\d,]+\|\d+x\sroi\|payback\s(period)?\sof\s\d+\|\d+[\s-](month\|year)s?\spayback\|\d+(\.\d+)?m\s*(saved\|savings)/i ``` ### Detection Examples: - ✅ BLOCKS: "This system guarantees 100% security" - ✅ BLOCKS: "Delivers 1315% ROI without sources" - ✅ BLOCKS: "Production-ready framework" (without testing_evidence) - ✅ ALLOWS: "Research shows 85% improvement [source: example.com]" - ✅ ALLOWS: "Validated framework with testing_evidence provided" ## MongoDB Models (New Files) - src/models/AuditLog.model.js - Audit log persistence with TTL - src/models/GovernanceRule.model.js - Governance rules storage - src/models/SessionState.model.js - Session state tracking - src/models/VerificationLog.model.js - Verification logs - src/services/AnthropicMemoryClient.service.js - Optional API integration ## Test Results - BoundaryEnforcer: 61/61 tests passing (22 new inst_016-018 tests) - BlogCuration: 25/25 tests passing - CrossReferenceValidator: 28/28 tests passing ## Framework Compliance - ✅ Implements inst_016, inst_017, inst_018 enforcement - ✅ Addresses 2025-10-09 framework failure (fabricated statistics on leader.html) - ✅ All content generation now subject to honesty/transparency validation - ✅ Human approval required for statistical claims without sources 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-11 00:17:03 +13:00

Author

SHA1

Message

Date

TheFlow

d854ac85e2

feat(research): add cross-environment audit log sync infrastructure

Implements privacy-preserving synchronization of production audit logs
to development for comprehensive governance research analysis.

Backend Components:
- SyncMetadata.model.js: Track sync state and statistics
- audit-sanitizer.util.js: Privacy sanitization utility
  - Redacts credentials, API keys, user identities
  - Sanitizes file paths and violation content
  - Preserves statistical patterns for research
- sync-prod-audit-logs.js: CLI sync script
  - Incremental sync with deduplication
  - Dry-run mode for testing
  - Configurable date range
- AuditLog.model.js: Enhanced schema with environment tracking
  - environment field (development/production/staging)
  - sync_metadata tracking (original_id, synced_from, etc.)
  - New indexes for cross-environment queries
- audit.controller.js: New /api/admin/audit-export endpoint
  - Privacy-sanitized export for cross-environment sync
  - Environment filter support in getAuditLogs
- MemoryProxy.service.js: Environment tagging in auditDecision()
  - Tags new logs with NODE_ENV or override
  - Sets is_local flag for tracking

Frontend Components:
- audit-analytics.html: Environment filter dropdown
- audit-analytics.js: Environment filter query parameter handling

Research Benefits:
- Combine dev and prod governance statistics
- Longitudinal analysis across environments
- Validate framework consistency
- Privacy-preserving data sharing

Security:
- API-based export (not direct DB access)
- Admin-only endpoints with JWT authentication
- Comprehensive credential redaction
- One-way sync (production → development)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-10-27 12:11:16 +13:00

TheFlow

29f50124b5

fix: MongoDB persistence and inst_016-018 content validation enforcement

This commit implements critical fixes to stabilize the MongoDB persistence layer
and adds inst_016-018 content validation to BoundaryEnforcer as specified in
instruction history.

## Context
- First session using Anthropic's new API Memory system
- Fixed 3 MongoDB persistence test failures
- Implemented BoundaryEnforcer inst_016-018 trigger logic per user request
- All unit tests now passing (61/61 BoundaryEnforcer, 25/25 BlogCuration)

## Fixes

### 1. CrossReferenceValidator: Port Regex Enhancement
- **File**: src/services/CrossReferenceValidator.service.js:203
- **Issue**: Regex couldn't extract port from "port 27017" (space-delimited format)
- **Fix**: Changed `/port[:=]\s*(\d{4,5})/i` to `/port[:\s=]\s*(\d{4,5})/i`
- **Result**: Now matches "port: X", "port = X", and "port X" formats
- **Tests**: 28/28 CrossReferenceValidator tests passing

### 2. BlogCuration: MongoDB Method Correction
- **File**: src/services/BlogCuration.service.js:187
- **Issue**: Called non-existent `Document.findAll()` method
- **Fix**: Changed to `Document.list({ limit: 20, skip: 0 })`
- **Result**: BlogCuration can now fetch existing documents for topic generation
- **Tests**: 25/25 BlogCuration tests passing

### 3. MemoryProxy: Optional Anthropic API Integration
- **File**: src/services/MemoryProxy.service.js
- **Issue**: Treated Anthropic Memory Tool API as mandatory, causing errors without API key
- **Fix**: Made Anthropic client optional with graceful degradation
- **Architecture**: MongoDB (required) + Anthropic API (optional enhancement)
- **Result**: System functions fully without CLAUDE_API_KEY environment variable

### 4. AuditLog Model: Duplicate Index Fix
- **File**: src/models/AuditLog.model.js:132
- **Issue**: Mongoose warning about duplicate timestamp index
- **Fix**: Removed inline `index: true`, kept TTL index definition at line 149
- **Result**: No more Mongoose duplicate index warnings

### 5. BlogCuration Tests: Mock API Correction
- **File**: tests/unit/BlogCuration.service.test.js
- **Issue**: Tests mocked non-existent `generateBlogTopics()` function
- **Fix**: Updated mocks to use actual `sendMessage()` and `extractJSON()` methods
- **Result**: All 25 BlogCuration tests passing

## New Features

### 6. BoundaryEnforcer: inst_016-018 Content Validation (MAJOR)
- **File**: src/services/BoundaryEnforcer.service.js:508-580
- **Purpose**: Prevent fabricated statistics, absolute guarantees, and unverified claims
- **Implementation**: Added `_checkContentViolations()` private method
- **Enforcement Rules**:
  - **inst_017**: Blocks absolute assurance terms (guarantee, 100% secure, never fails)
  - **inst_016**: Blocks statistics/ROI/$ amounts without sources
  - **inst_018**: Blocks production claims (production-ready, battle-tested) without evidence
- **Mechanism**: All violations classified as VALUES boundary violations (honesty/transparency)
- **Tests**: 22 new comprehensive tests in tests/unit/BoundaryEnforcer.test.js
- **Result**: 61/61 BoundaryEnforcer tests passing

### Regex Pattern for inst_016 (Statistics Detection):
```regex
/\d+(\.\d+)?%|\$[\d,]+|\d+x\s*roi|payback\s*(period)?\s*of\s*\d+|\d+[\s-]*(month|year)s?\s*payback|\d+(\.\d+)?m\s*(saved|savings)/i
```

### Detection Examples:
- ✅ BLOCKS: "This system guarantees 100% security"
- ✅ BLOCKS: "Delivers 1315% ROI without sources"
- ✅ BLOCKS: "Production-ready framework" (without testing_evidence)
- ✅ ALLOWS: "Research shows 85% improvement [source: example.com]"
- ✅ ALLOWS: "Validated framework with testing_evidence provided"

## MongoDB Models (New Files)
- src/models/AuditLog.model.js - Audit log persistence with TTL
- src/models/GovernanceRule.model.js - Governance rules storage
- src/models/SessionState.model.js - Session state tracking
- src/models/VerificationLog.model.js - Verification logs
- src/services/AnthropicMemoryClient.service.js - Optional API integration

## Test Results
- BoundaryEnforcer: 61/61 tests passing (22 new inst_016-018 tests)
- BlogCuration: 25/25 tests passing
- CrossReferenceValidator: 28/28 tests passing

## Framework Compliance
- ✅ Implements inst_016, inst_017, inst_018 enforcement
- ✅ Addresses 2025-10-09 framework failure (fabricated statistics on leader.html)
- ✅ All content generation now subject to honesty/transparency validation
- ✅ Human approval required for statistical claims without sources

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-10-11 00:17:03 +13:00

2 commits