teleo-infrastructure/tests/test_apply_proposal.py
twentyOne2x fed5cb0805 Add guarded canonical claim application
- Normalize rich proposals into atomic reviewed canonical graph bundles with exact row verification.
- Harden reviewer/apply roles, upgrade ACLs, and prove generic plus Helmer lifecycles in isolated PostgreSQL.
- Publish repo-native VPS/GCP/Cory skills and live-readonly GCP inventory without changing the live VPS runtime.

`.agents/skills/crabbox/SKILL.md`
`.agents/skills/teleo-gcp-parity-ops/SKILL.md`
`.agents/skills/teleo-kb-db-change-workflow/SKILL.md`
`.agents/skills/teleo-leo-onboarding/SKILL.md`
`.agents/skills/teleo-vps-runtime-ops/SKILL.md`
`.agents/skills/working-leo-cory-outcomes/SKILL.md`
`docs/reports/leo-working-state-20260709/approve-claim-clone-canary-current.json`
`docs/reports/leo-working-state-20260709/approve-claim-clone-canary-current.md`
`docs/reports/leo-working-state-20260709/current-truth-index.md`
`docs/reports/leo-working-state-20260709/gcp-cloud-sql-t3-live-readonly-current.json`
`docs/reports/leo-working-state-20260709/gcp-cloud-sql-t3-live-readonly-current.md`
`docs/reports/leo-working-state-20260709/gcp-cloudsql-studio-parity-gate-current.json`
`docs/reports/leo-working-state-20260709/gcp-cloudsql-studio-parity-gate-current.md`
`docs/reports/leo-working-state-20260709/gcp-parallel-delegation-current.json`
`docs/reports/leo-working-state-20260709/helmer-approve-claim-clone-canary-current.json`
`docs/reports/leo-working-state-20260709/helmer-approve-claim-normalization-current.json`
`docs/reports/leo-working-state-20260709/skill-pack-manifest.json`
`docs/reports/leo-working-state-20260709/skill-pack-readme.md`
`docs/reports/leo-working-state-20260709/working-leo-current-state-20260709.md`
`docs/reports/leo-working-state-20260709/working-leo-definition-20260709.md`
`docs/reports/leo-working-state-20260709/working-leo-execution-plan-current.md`
`scripts/apply_proposal.py`
`scripts/apply_worker.py`
`scripts/approve_proposal.py`
`scripts/kb_apply_prereqs.sql`
`scripts/kb_proposal_normalize.py`
`scripts/probe_gcp_db_parity.py`
`scripts/run_approve_claim_clone_canary.py`
`scripts/run_approve_claim_isolated_container_canary.sh`
`tests/test_apply_proposal.py`
`tests/test_apply_worker.py`
`tests/test_approve_proposal.py`
`tests/test_kb_apply_prereqs.py`
`tests/test_kb_proposal_normalize.py`
`tests/test_kb_proposal_routes.py`
`tests/test_probe_gcp_db_parity.py`
`tests/test_repo_skill_pack.py`
2026-07-10 17:49:37 +02:00

501 lines
19 KiB
Python

"""Unit tests for scripts/apply_proposal.py.
Pure tests: exercise the SQL builders, payload validation, and dispatch without
a live database. Runnable under pytest or standalone (`python3 tests/test_apply_proposal.py`).
"""
import sys
from pathlib import Path
try:
import pytest
except ImportError: # standalone fallback so the file runs without pytest installed
import contextlib
import types
pytest = types.SimpleNamespace()
@contextlib.contextmanager
def _raises(exc):
try:
yield
except exc:
return
raise AssertionError(f"expected {exc.__name__} to be raised")
pytest.raises = _raises
REPO_ROOT = Path(__file__).resolve().parents[1]
sys.path.insert(0, str(REPO_ROOT / "scripts"))
import apply_proposal as ap # noqa: E402
def _approval_meta(proposal_type, apply_payload):
return {
"proposal_type": proposal_type,
"payload": {"apply_payload": apply_payload},
"reviewed_by_handle": "m3ta",
"reviewed_by_agent_id": None,
"reviewed_at": "2026-07-10T00:00:00+00:00",
"review_note": "Reviewed exact strict payload.",
}
# --- literals ------------------------------------------------------------- #
def test_sql_literal_escapes_single_quotes():
assert ap.sql_literal("O'Brien") == "E'O''Brien'"
def test_sql_literal_escapes_backslashes_independently_of_session_mode():
assert ap.sql_literal("a\\b'c") == "E'a\\\\b''c'"
def test_sql_literal_none_is_null():
assert ap.sql_literal(None) == "null"
def test_sql_literal_bool_and_number():
assert ap.sql_literal(True) == "true"
assert ap.sql_literal(0.5) == "0.5"
# --- revise_strategy ------------------------------------------------------ #
def _revise_payload():
return {
"apply_payload": {
"agent_id": "11111111-1111-1111-1111-111111111111",
"strategy": {
"diagnosis": "Species-level inflection.",
"guiding_policy": "Build Teleo as a multi-agent public intelligence.",
"proximate_objectives": ["route before creating", "keep KB calibrated"],
},
"strategy_nodes": [
{"node_type": "diagnosis", "title": "Inflection", "body": "b1", "rank": 1},
{"node_type": "policy", "title": "Multi-agent PI", "body": "b2", "rank": 1},
],
}
}
def test_revise_strategy_sql_shape():
payload = _revise_payload()["apply_payload"]
sql = ap.build_revise_strategy_sql(payload, "pid-1", "kb-apply", _approval_meta("revise_strategy", payload))
assert sql.startswith("begin;")
assert sql.rstrip().endswith("commit;")
# deactivate old, insert versioned active, retire nodes, insert new nodes
assert "update public.strategies" in sql
assert "active = false" in sql
assert "coalesce(max(version), 0) + 1" in sql
assert "update public.strategy_nodes" in sql
assert "insert into public.strategy_nodes" in sql
# ledger + invariant
assert "kb_stage.finish_approved_proposal" in sql
assert "exactly one active strategy" in sql
# proximate_objectives rendered as jsonb
assert "::jsonb" in sql
def test_revise_strategy_requires_agent_id():
payload = _revise_payload()["apply_payload"]
del payload["agent_id"]
with pytest.raises(ValueError):
ap.build_revise_strategy_sql(payload, "pid-1", None, _approval_meta("revise_strategy", payload))
def test_revise_strategy_rejects_bad_node_type():
payload = _revise_payload()["apply_payload"]
payload["strategy_nodes"][0]["node_type"] = "manifesto"
with pytest.raises(ValueError):
ap.build_revise_strategy_sql(payload, "pid-1", None, _approval_meta("revise_strategy", payload))
# --- add_edge ------------------------------------------------------------- #
def test_add_edge_sql_dedup_guard():
payload = {"from_claim": "aaaa", "to_claim": "bbbb", "edge_type": "supersedes", "weight": 0.9}
sql = ap.build_add_edge_sql(payload, "pid-2", None, _approval_meta("add_edge", payload))
assert "insert into public.claim_edges" in sql
assert "not exists" in sql
assert "::edge_type" in sql
assert "kb_stage.finish_approved_proposal" in sql
assert "pg_advisory_xact_lock" in sql
def test_add_edge_semantic_row_accepts_match_and_rejects_weight_mismatch():
payload = {"from_claim": "aaaa", "to_claim": "bbbb", "edge_type": "supports", "weight": 0.9}
sql = ap.build_add_edge_sql(payload, "pid-2", None, _approval_meta("add_edge", payload))
verify = sql[sql.index("do $verify$") : sql.index("kb_stage.finish_approved_proposal")]
assert "weight is not distinct from 0.9" in verify
assert "weight is distinct from 0.9" in verify
assert "claim_edge row does not match strict apply payload" in verify
assert sql.startswith("begin;")
assert sql.rstrip().endswith("commit;")
assert sql.index("raise exception 'apply_proposal: claim_edge row") < sql.index(
"kb_stage.finish_approved_proposal"
)
def test_add_edge_rejects_self_loop():
payload = {"from_claim": "same", "to_claim": "same", "edge_type": "supports"}
with pytest.raises(ValueError):
ap.build_add_edge_sql(payload, "pid-2", None, _approval_meta("add_edge", payload))
# --- attach_evidence ------------------------------------------------------ #
def test_attach_evidence_sql_with_source_id():
payload = {"evidence": [{"claim_id": "cccc", "source_id": "dddd", "role": "grounds", "weight": 0.78}]}
sql = ap.build_attach_evidence_sql(payload, "pid-3", None, _approval_meta("attach_evidence", payload))
assert "insert into public.claim_evidence" in sql
assert "::evidence_role" in sql
assert "not exists" in sql
def test_attach_evidence_semantic_row_accepts_match_and_rejects_weight_mismatch():
payload = {
"evidence": [
{"claim_id": "cccc", "source_id": "dddd", "role": "grounds", "weight": 0.78}
]
}
sql = ap.build_attach_evidence_sql(
payload, "pid-3", None, _approval_meta("attach_evidence", payload)
)
verify = sql[sql.index("do $verify$") : sql.index("kb_stage.finish_approved_proposal")]
assert "weight is not distinct from 0.78" in verify
assert "weight is distinct from 0.78" in verify
assert "evidence row % does not match strict apply payload" in verify
assert sql.startswith("begin;")
assert sql.rstrip().endswith("commit;")
assert sql.index("raise exception 'apply_proposal: evidence row") < sql.index(
"kb_stage.finish_approved_proposal"
)
def test_attach_evidence_requires_source_id():
payload = {"evidence": [{"claim_id": "cccc"}]}
with pytest.raises(ValueError):
ap.build_attach_evidence_sql(payload, "pid-3", None, _approval_meta("attach_evidence", payload))
# --- approve_claim canonical bundle -------------------------------------- #
def _approve_claim_bundle():
claim_a = "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
claim_b = "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
source_a = "cccccccc-cccc-4ccc-8ccc-cccccccccccc"
source_b = "dddddddd-dddd-4ddd-8ddd-dddddddddddd"
return {
"contract_version": 2,
"agent_id": "11111111-1111-4111-8111-111111111111",
"claims": [
{
"id": claim_a,
"type": "structural",
"text": "Canonical claim A",
"status": "open",
"confidence": 0.8,
"tags": ["test", "working-leo"],
"created_by": None,
},
{
"id": claim_b,
"type": "concept",
"text": "Canonical claim B",
"status": "open",
"confidence": None,
"tags": [],
"created_by": None,
},
],
"sources": [
{
"id": source_a,
"source_type": "paper",
"url": "https://example.test/a",
"storage_path": None,
"excerpt": "Evidence A",
"hash": "hash-a",
"created_by": None,
},
{
"id": source_b,
"source_type": "observation",
"url": None,
"storage_path": None,
"excerpt": "Evidence B",
"hash": "hash-b",
"created_by": None,
},
],
"evidence": [
{"claim_id": claim_a, "source_id": source_a, "role": "grounds", "weight": 0.9},
{"claim_id": claim_b, "source_id": source_b, "role": "illustrates", "weight": None},
],
"edges": [
{"from_claim": claim_a, "to_claim": claim_b, "edge_type": "supports", "weight": 0.7}
],
"reasoning_tools": [
{
"id": "eeeeeeee-eeee-4eee-8eee-eeeeeeeeeeee",
"agent_id": None,
"name": "Canonical test tool",
"description": "A strict reasoning-tool row.",
"category": "test",
}
],
}
def test_approve_claim_bundle_sql_is_atomic_and_row_verified():
payload = _approve_claim_bundle()
sql = ap.build_approve_claim_sql(
payload,
"99999999-9999-4999-8999-999999999999",
None,
_approval_meta("approve_claim", payload),
)
assert sql.startswith("begin;")
assert sql.rstrip().endswith("commit;")
assert "insert into public.claims" in sql
assert "insert into public.sources" in sql
assert "insert into public.claim_evidence" in sql
assert "insert into public.claim_edges" in sql
assert "insert into public.reasoning_tools" in sql
assert "source hash collision" in sql
assert "claim row does not match strict apply payload" in sql
assert "source row does not match strict apply payload" in sql
assert "reasoning tool row does not match strict apply payload" in sql
assert "kb_stage.finish_approved_proposal" in sql
def test_approve_claim_semantic_rows_accept_matches_and_reject_payload_mismatches():
payload = _approve_claim_bundle()
sql = ap.build_approve_claim_sql(
payload,
"99999999-9999-4999-8999-999999999999",
None,
_approval_meta("approve_claim", payload),
)
verify = sql[sql.index("do $verify$") : sql.index("kb_stage.finish_approved_proposal")]
assert "weight is not distinct from 0.9" in verify
assert "weight is distinct from 0.9" in verify
assert "weight is not distinct from 0.7" in verify
assert "weight is distinct from 0.7" in verify
assert "weight is not distinct from null" in verify
assert "weight is distinct from null" in verify
expected_creator = "E'11111111-1111-4111-8111-111111111111'::uuid"
assert f"created_by is not distinct from {expected_creator}" in verify
assert f"created_by is distinct from {expected_creator}" in verify
assert "approve_claim: evidence row does not match strict apply payload" in verify
assert "approve_claim: edge row does not match strict apply payload" in verify
assert sql.startswith("begin;")
assert sql.rstrip().endswith("commit;")
assert sql.index("raise exception 'approve_claim: evidence row") < sql.index(
"kb_stage.finish_approved_proposal"
)
def test_approve_claim_bundle_rejects_duplicate_source_hashes():
payload = _approve_claim_bundle()
payload["sources"][1]["hash"] = payload["sources"][0]["hash"]
with pytest.raises(ValueError):
ap.build_approve_claim_sql(
payload,
"99999999-9999-4999-8999-999999999999",
None,
_approval_meta("approve_claim", payload),
)
def test_approve_claim_bundle_rejects_invalid_enum_and_self_edge():
payload = _approve_claim_bundle()
payload["claims"][0]["type"] = "vibes"
with pytest.raises(ValueError):
ap.build_approve_claim_sql(
payload,
"99999999-9999-4999-8999-999999999999",
None,
_approval_meta("approve_claim", payload),
)
payload = _approve_claim_bundle()
payload["edges"][0]["to_claim"] = payload["edges"][0]["from_claim"]
with pytest.raises(ValueError):
ap.build_approve_claim_sql(
payload,
"99999999-9999-4999-8999-999999999999",
None,
_approval_meta("approve_claim", payload),
)
def test_approve_claim_rejects_unknown_keys_and_contract_versions():
payload = _approve_claim_bundle()
payload["contract_version"] = 1
with pytest.raises(ValueError):
ap.build_approve_claim_sql(
payload,
"99999999-9999-4999-8999-999999999999",
None,
_approval_meta("approve_claim", payload),
)
payload = _approve_claim_bundle()
payload["contract_version"] = 2
payload["claimz"] = payload.pop("claims")
with pytest.raises(ValueError):
ap.build_approve_claim_sql(
payload,
"99999999-9999-4999-8999-999999999999",
None,
_approval_meta("approve_claim", payload),
)
def test_approve_claim_verifies_superseded_by_and_pins_string_mode():
payload = _approve_claim_bundle()
payload["contract_version"] = 2
payload["claims"][0]["superseded_by"] = None
sql = ap.build_approve_claim_sql(
payload,
"99999999-9999-4999-8999-999999999999",
None,
_approval_meta("approve_claim", payload),
)
assert "superseded_by" in sql
assert "set local standard_conforming_strings = on" in sql.lower()
def test_apply_sql_locks_and_binds_approval_before_canonical_write():
payload = _approve_claim_bundle()
payload["contract_version"] = 2
proposal = {
"id": "99999999-9999-4999-8999-999999999999",
"proposal_type": "approve_claim",
"status": "approved",
"payload": {"apply_payload": payload},
"reviewed_by_handle": "m3ta",
"reviewed_by_agent_id": None,
"reviewed_at": "2026-07-10T00:00:00+00:00",
"review_note": "Reviewed exact strict payload.",
}
sql = ap.build_apply_sql(proposal, "kb-apply")
assert "kb_stage.assert_approved_proposal" in sql
assert "kb_stage.finish_approved_proposal" in sql
assert sql.index("kb_stage.assert_approved_proposal") < sql.index("insert into public.claims")
assert sql.index("insert into public.claims") < sql.index("kb_stage.finish_approved_proposal")
assert "Reviewed exact strict payload." in sql
def test_build_apply_sql_requires_review_provenance():
proposal = {
"id": "99999999-9999-4999-8999-999999999999",
"proposal_type": "approve_claim",
"status": "approved",
"payload": {"apply_payload": _approve_claim_bundle()},
}
with pytest.raises(ValueError):
ap.build_apply_sql(proposal, "kb-apply")
def test_approve_claim_dispatch_and_prerequisite_grants():
proposal = {
"id": "99999999-9999-4999-8999-999999999999",
"proposal_type": "approve_claim",
"payload": {"apply_payload": _approve_claim_bundle()},
}
proposal.update(_approval_meta("approve_claim", proposal["payload"]["apply_payload"]))
sql = ap.build_apply_sql(proposal, None)
assert "insert into public.claims" in sql
assert "approve_claim" in ap.APPLYABLE_TYPES
prereqs = (REPO_ROOT / "scripts" / "kb_apply_prereqs.sql").read_text(encoding="utf-8")
assert "grant select, insert on public.claims to kb_apply" in prereqs.lower()
assert "grant select, insert on public.sources to kb_apply" in prereqs.lower()
assert "grant select, insert on public.reasoning_tools to kb_apply" in prereqs.lower()
# --- dispatch + guards ---------------------------------------------------- #
def test_build_apply_sql_requires_apply_payload():
proposal = {"id": "pid", "proposal_type": "add_edge", "payload": {"rationale": "x"}}
with pytest.raises(ValueError):
ap.build_apply_sql(proposal, None)
def test_build_apply_sql_rejects_unsupported_type():
proposal = {"id": "pid", "proposal_type": "reject_claim", "payload": {"apply_payload": {}}}
with pytest.raises(ValueError):
ap.build_apply_sql(proposal, None)
def test_assert_applyable_blocks_pending():
with pytest.raises(SystemExit):
ap.assert_applyable({"id": "pid", "status": "pending_review"})
def test_assert_applyable_blocks_already_applied():
with pytest.raises(SystemExit):
ap.assert_applyable({"id": "pid", "status": "applied"})
def test_assert_applyable_allows_approved():
ap.assert_applyable({"id": "pid", "status": "approved"}) # no raise
# --- ledger flip: concurrency guard + FK stamp --------------------------- #
def test_ledger_transition_uses_payload_bound_security_functions():
payload = {"from_claim": "a", "to_claim": "b", "edge_type": "supports"}
sql = ap.build_add_edge_sql(payload, "pid", None, _approval_meta("add_edge", payload))
assert "kb_stage.assert_approved_proposal" in sql
assert "kb_stage.finish_approved_proposal" in sql
assert sql.index("kb_stage.assert_approved_proposal") < sql.index("insert into public.claim_edges")
assert sql.index("insert into public.claim_edges") < sql.index("kb_stage.finish_approved_proposal")
prereqs = (REPO_ROOT / "scripts" / "kb_apply_prereqs.sql").read_text(encoding="utf-8").lower()
assert "status = 'approved'" in prereqs
assert "for update" in prereqs
assert "payload = p_payload" in prereqs
def test_ledger_flip_stamps_agent_fk():
payload = {"from_claim": "a", "to_claim": "b", "edge_type": "supports"}
sql = ap.build_add_edge_sql(payload, "pid", "kb-apply", _approval_meta("add_edge", payload))
# Hard resolve into a variable + NOT-NULL assert, never a silent inline
# subselect that would stamp NULL on an unresolved handle.
assert "kb_stage.finish_approved_proposal" in sql
assert "'kb-apply'" in sql
def test_build_apply_sql_defaults_applied_by_to_service_agent():
payload = {"from_claim": "a", "to_claim": "b", "edge_type": "supports"}
proposal = {
"id": "pid",
"proposal_type": "add_edge",
"payload": {"apply_payload": payload},
}
proposal.update(_approval_meta("add_edge", payload))
sql = ap.build_apply_sql(proposal, None)
assert f"E'{ap.SERVICE_AGENT_HANDLE}'" in sql
def test_load_password_accepts_live_db_password_key(tmp_path):
secrets_file = tmp_path / "kb-apply.env"
secrets_file.write_text("KB_APPLY_DB_PASSWORD=live-secret\n", encoding="utf-8")
assert ap.load_password(str(secrets_file)) == "live-secret"
if __name__ == "__main__":
import traceback
failures = 0
for name, fn in sorted(globals().items()):
if name.startswith("test_") and callable(fn):
try:
fn()
print(f"PASS {name}")
except Exception:
failures += 1
print(f"FAIL {name}")
traceback.print_exc()
sys.exit(1 if failures else 0)