Ajay Krishnan
69cfff55b2
Eleven source files moved from ajent-rails:lib/opencode/rails/ to
opencode-rails:lib/opencode/ (flat layout — modules are Opencode::*, not
Opencode::Rails::*; matches opencode-ruby).
artifact.rb 63 LOC
exchange.rb 77 LOC
impostor.rb 48 LOC
message_artifacts.rb 133 LOC
sandbox_file.rb 81 LOC
sandbox.rb 71 LOC
session.rb 168 LOC
tool_display.rb 423 LOC
transform.rb 77 LOC
turn.rb 642 LOC
uploaded_files_prompt.rb 85 LOC
----
total 1,868 LOC
Surgical Rails strips:
exchange.rb:
Rails.event.notify(name, payload)
-> Opencode::Instrumentation.instrument(name, payload) { }
message_artifacts.rb (1 call), turn.rb (6 calls):
Rails.error.report(error, **opts)
-> Opencode::ErrorReporter.report(error, **opts)
Comments/docstrings referencing Rails.error.report / Rails.event left
in place — they document how to wire the host adapter.
ActiveSupport core_ext requires expanded in lib/opencode-rails.rb to
cover Numeric#seconds, Hash#deep_stringify_keys, String#squish/truncate,
String#demodulize. Bundle install + smoke load confirms all 12
gem-provided constants resolve cleanly.
49 lines
1.8 KiB
Ruby
49 lines
1.8 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
module Opencode
|
|
# An ActiveStorage::Attachment on an assistant message that uses a
|
|
# trusted Transform's destination filename but fails the transform's
|
|
# `#trusted?` predicate. In plain English: a same-named attachment
|
|
# that wasn't produced by the host-trusted renderer pipeline.
|
|
#
|
|
# Where impostors come from:
|
|
#
|
|
# 1. A previous job retry attached the destination filename via the
|
|
# tool-extracted path (the agent wrote a file with that name and
|
|
# it landed before the trusted render did).
|
|
# 2. A pre-substrate code path persisted an agent-authored HTML file
|
|
# with the destination filename (the historical AIGL exploit
|
|
# surface that motivated the trust boundary in the first place).
|
|
# 3. A previous transform version stamped different metadata and the
|
|
# trust check now correctly rejects it.
|
|
#
|
|
# The Impostor knows how to remove itself. The orchestrator just asks
|
|
# "are there impostors of this transform on this message?" and tells
|
|
# each one to `purge!`. Purging is a verb that belongs to the
|
|
# impostor — it's the noun whose state the purge mutates.
|
|
class Impostor
|
|
# Finds impostors of `transform` on `message` — attachments whose
|
|
# filename matches the transform's destination but whose contents
|
|
# fail the transform's trust predicate.
|
|
def self.for(message:, transform:)
|
|
target = transform.destination_filename
|
|
message.artifacts
|
|
.select { |a| a.filename.to_s == target }
|
|
.reject { |a| transform.trusted?(a) }
|
|
.map { |a| new(attachment: a) }
|
|
end
|
|
|
|
def initialize(attachment:)
|
|
@attachment = attachment
|
|
end
|
|
|
|
def purge!
|
|
@attachment.purge
|
|
end
|
|
|
|
def filename
|
|
@attachment.filename.to_s
|
|
end
|
|
end
|
|
end
|