40 lines
2.6 KiB
Markdown
40 lines
2.6 KiB
Markdown
# ProhibitedPatternAnalyzer (Static Purity Analysis)
|
|
|
|
## Module
|
|
Policy
|
|
|
|
## Status
|
|
IMPLEMENTED
|
|
|
|
## Description
|
|
Static purity analysis detecting prohibited patterns (ambient IO, clock access, etc.) in evaluation code.
|
|
|
|
## Implementation Details
|
|
- **ProhibitedPatternAnalyzer**: `src/Policy/StellaOps.Policy.Engine/DeterminismGuard/ProhibitedPatternAnalyzer.cs`
|
|
- Regex-based detection of non-deterministic patterns in source code
|
|
- Prohibited pattern categories:
|
|
- Wall-clock access: `DateTime.Now`, `DateTime.UtcNow`, `DateTimeOffset.Now`, `DateTimeOffset.UtcNow`
|
|
- Random number generation: `Random`, `RandomNumberGenerator`
|
|
- Network access: `HttpClient`, `WebRequest`, `TcpClient`, `UdpClient`
|
|
- Filesystem access: `File.`, `Directory.`, `Path.GetTempPath`
|
|
- Line-by-line scanning with comment line skipping (lines starting with `//` or `///`)
|
|
- Returns list of `ProhibitedPatternMatch` with line number, pattern name, matched text
|
|
- **DeterminismGuardService**: `src/Policy/StellaOps.Policy.Engine/DeterminismGuard/DeterminismGuardService.cs`
|
|
- `AnalyzeSource(sourceCode)` invokes ProhibitedPatternAnalyzer to find violations
|
|
- `CreateScope()` creates a determinism guard scope for runtime monitoring
|
|
- `ValidateContext<T>()` validates evaluation context for determinism
|
|
- Combines ProhibitedPatternAnalyzer (static) and RuntimeDeterminismMonitor (runtime)
|
|
- **RuntimeDeterminismMonitor**: `src/Policy/StellaOps.Policy.Engine/DeterminismGuard/RuntimeDeterminismMonitor.cs` -- runtime monitoring companion
|
|
- **GuardedPolicyEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/Determinization/DeterminizationGate.cs` -- gate that uses determinism guards in evaluation pipeline
|
|
|
|
## E2E Test Plan
|
|
- [ ] Analyze source code containing `DateTime.Now`; verify prohibited pattern detected with correct line number
|
|
- [ ] Analyze source code containing `new Random()`; verify prohibited pattern detected
|
|
- [ ] Analyze source code containing `HttpClient`; verify network access pattern detected
|
|
- [ ] Analyze source code containing `File.ReadAllText`; verify filesystem pattern detected
|
|
- [ ] Analyze source code with prohibited pattern in a comment line (`// DateTime.Now`); verify NOT detected (comment skipped)
|
|
- [ ] Analyze clean source code with no prohibited patterns; verify empty results
|
|
- [ ] Analyze source code with multiple violations on different lines; verify all detected with correct line numbers
|
|
- [ ] Verify DeterminismGuardService.AnalyzeSource returns results from ProhibitedPatternAnalyzer
|
|
- [ ] Create determinism guard scope; use TimeProvider instead of DateTime.Now; verify no violations
|