[ADD] Secret-controlled runtime hardening probes, external-worker sTask lifecycle verification, and integration with CI workflow

Author: Dmi3yy

.github/workflows/ci.yml

@@ -166,6 +166,16 @@ jobs:
       EMCP_MANAGER_PATH: ${{ secrets.EMCP_MANAGER_PATH }}
       EMCP_MANAGER_COOKIE: ${{ secrets.EMCP_MANAGER_COOKIE }}
       EMCP_DISPATCH_CHECK: ${{ secrets.EMCP_DISPATCH_CHECK }}
+      EMCP_RUNTIME_NEGATIVE: ${{ secrets.EMCP_RUNTIME_NEGATIVE }}
+      EMCP_RUNTIME_MODEL_SANITY: ${{ secrets.EMCP_RUNTIME_MODEL_SANITY }}
+      EMCP_RUNTIME_NEGATIVE_REQUIRE_RATE_LIMIT: ${{ secrets.EMCP_RUNTIME_NEGATIVE_REQUIRE_RATE_LIMIT }}
+      EMCP_TEST_JWT_SECRET: ${{ secrets.EMCP_TEST_JWT_SECRET }}
+      EMCP_TEST_JWT_READ_TOKEN: ${{ secrets.EMCP_TEST_JWT_READ_TOKEN }}
+      EMCP_STASK_LIFECYCLE_CHECK: ${{ secrets.EMCP_STASK_LIFECYCLE_CHECK }}
+      EMCP_STASK_EXPECT_EXTERNAL_WORKER: ${{ secrets.EMCP_STASK_EXPECT_EXTERNAL_WORKER }}
+      EMCP_STASK_WORKER_CMD: ${{ secrets.EMCP_STASK_WORKER_CMD }}
+      EMCP_STASK_WORKER_CWD: ${{ secrets.EMCP_STASK_WORKER_CWD }}
+      EMCP_STASK_POLL_ATTEMPTS: ${{ secrets.EMCP_STASK_POLL_ATTEMPTS }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -194,6 +204,15 @@ jobs:
             exit 1
           fi
 
+          lifecycle="${EMCP_STASK_LIFECYCLE_CHECK:-0}"
+          external_worker="${EMCP_STASK_EXPECT_EXTERNAL_WORKER:-0}"
+          if [ "$lifecycle" = "1" ] && [ "$external_worker" != "1" ]; then
+            if [ -z "${EMCP_STASK_WORKER_CMD:-}" ] || [ -z "${EMCP_STASK_WORKER_CWD:-}" ]; then
+              echo "EMCP_STASK_LIFECYCLE_CHECK=1 requires EMCP_STASK_EXPECT_EXTERNAL_WORKER=1 or both EMCP_STASK_WORKER_CMD and EMCP_STASK_WORKER_CWD." >&2
+              exit 1
+            fi
+          fi
+
       - name: Runtime integration checks
         run: |
           set -eu

OPERATIONS.md

@@ -204,3 +204,16 @@ composer run test:integration:runtime
 Optional manager checks:
 - add `EMCP_MANAGER_PATH` and `EMCP_MANAGER_COOKIE`.
 - if both API and manager credentials are provided, script validates both paths.
+
+Optional hardening checks:
+- set `EMCP_RUNTIME_NEGATIVE=1` for 401/403/413/415/429 probes.
+- set `EMCP_RUNTIME_MODEL_SANITY=1` for `evo.model.get(User)` leakage sanity.
+- set `EMCP_RUNTIME_NEGATIVE_REQUIRE_RATE_LIMIT=1` to fail if 429 is not observed.
+
+Optional live sTask lifecycle proof:
+- enable with `EMCP_STASK_LIFECYCLE_CHECK=1`.
+- if target env has its own worker, also set `EMCP_STASK_EXPECT_EXTERNAL_WORKER=1`.
+- if worker must be started by the test host, set:
+  - `EMCP_STASK_WORKER_CMD="php artisan stask:worker"`
+  - `EMCP_STASK_WORKER_CWD="/path/to/evo/core"`
+  - optional `EMCP_STASK_POLL_ATTEMPTS` (default: `20`).

PRD.md

@@ -25,6 +25,7 @@
 - Додано clean-install validation script (`scripts/clean_install_validation.sh`) і інтеграцію в `demo-runtime-proof`.
 - Додано reproducible simulation benchmark suite + leaderboard artifacts (`scripts/benchmark/*`, `build/benchmarks/*`).
 - Додано optional advanced tree tools (`neighbors`, `prev/next siblings`, `children/siblings range`) з контрактними та runtime перевірками.
+- Додано secret-controlled live hardening probes у `runtime-integration` (negative checks, model sanity, optional `sTask` lifecycle з external-worker режимом).
 
 Залишок до RC-1 (core platform hardening):
 - branch protection required-check enforcement для CI runtime jobs (`demo-runtime-proof`, `runtime-integration`) на `release/*`;

SPEC.md

@@ -24,6 +24,7 @@ Current validation snapshot (2026-03-03):
 - Streaming policy now enforces proxy/FPM-safe SSE headers (`Content-Type: text/event-stream`, `Cache-Control: no-cache, no-transform`, `X-Accel-Buffering: no`) with dedicated tests.
 - CI includes migration matrix automation for `sqlite/mysql/pgsql`.
 - CI/check flow now produces reproducible benchmark and leaderboard artifacts.
+- Live runtime integration harness now supports secret-controlled hardening probes: negative transport checks, model-safety sanity, and optional `sTask` lifecycle verification with external-worker mode.
 
 Open RC-1 validation scope:
 - live CI runtime integration jobs are wired for `release/*` pushes (`demo-runtime-proof`, `runtime-integration`), but branch-protection required-check enforcement must be configured in repository settings;

TASKS.md

@@ -234,6 +234,7 @@ DoD:
 - [x] Integration tests for manager/API MCP endpoints.
 - [x] Add runtime integration harness script for manager/API/dispatch verification against deployed environment.
 - [x] Add release-branch CI runtime jobs (`demo-runtime-proof`, `runtime-integration`) with artifacts (`demo/logs.md`, `runtime-live.log`).
+- [x] Wire secret-controlled live runtime hardening probes (`negative`, `model sanity`, optional `sTask lifecycle`) in `runtime-integration` job.
 - [ ] Configure repository branch protection to require `demo-runtime-proof` and `runtime-integration` on `release/*`.
 - [x] Streaming tests under typical PHP-FPM constraints.
 - [x] Async tests for `sTask` path and failover.

scripts/demo_verify.sh

@@ -409,6 +409,9 @@ dispatch_payload_a='{"jsonrpc":"2.0","id":"d1-doc","method":"tools/call","params
 dispatch_payload_b='{"jsonrpc":"2.0","id":"d2-doc","method":"tools/call","params":{"name":"evo.content.search","arguments":{"limit":2,"offset":0}}}'
 dispatch_url="${mcp_url}/dispatch"
 rate_limit_identity_type='api:jwt (sapi.jwt.user_id/sapi.jwt.sub; fallback ip)'
+dispatch_key_run="demo-verify-$(date +%s)-$$"
+dispatch_key_main="${dispatch_key_run}-k1"
+dispatch_key_lifecycle="${dispatch_key_run}-k2"
 
 unauth_headers_file="${TMP_DIR}/unauth.headers"
 unauth_raw=$(curl -sS -D "${unauth_headers_file}" \
@@ -476,21 +479,21 @@ oversized_http_code=$(printf '%s' "${oversized_raw}" | sed -n 's/^__HTTP_CODE__:
 oversized_response=$(printf '%s' "${oversized_raw}" | sed '/^__HTTP_CODE__:/d')
 
 dispatch_a_headers="${TMP_DIR}/dispatch-a.headers"
-dispatch_a_raw=$(mcp_post_with_token_optional_session "${probe_token}" "${dispatch_payload_a}" "${dispatch_a_headers}" "Idempotency-Key: demo-verify-k1" "${dispatch_url}")
+dispatch_a_raw=$(mcp_post_with_token_optional_session "${probe_token}" "${dispatch_payload_a}" "${dispatch_a_headers}" "Idempotency-Key: ${dispatch_key_main}" "${dispatch_url}")
 dispatch_a_http_code=$(printf '%s' "${dispatch_a_raw}" | sed -n 's/^__HTTP_CODE__://p' | tail -n 1)
 dispatch_a_response=$(printf '%s' "${dispatch_a_raw}" | sed '/^__HTTP_CODE__:/d')
 
 dispatch_reuse_headers="${TMP_DIR}/dispatch-reuse.headers"
-dispatch_reuse_raw=$(mcp_post_with_token_optional_session "${probe_token}" "${dispatch_payload_a}" "${dispatch_reuse_headers}" "Idempotency-Key: demo-verify-k1" "${dispatch_url}")
+dispatch_reuse_raw=$(mcp_post_with_token_optional_session "${probe_token}" "${dispatch_payload_a}" "${dispatch_reuse_headers}" "Idempotency-Key: ${dispatch_key_main}" "${dispatch_url}")
 dispatch_reuse_http_code=$(printf '%s' "${dispatch_reuse_raw}" | sed -n 's/^__HTTP_CODE__://p' | tail -n 1)
 dispatch_reuse_response=$(printf '%s' "${dispatch_reuse_raw}" | sed '/^__HTTP_CODE__:/d')
 
 dispatch_conflict_headers="${TMP_DIR}/dispatch-conflict.headers"
-dispatch_conflict_raw=$(mcp_post_with_token_optional_session "${probe_token}" "${dispatch_payload_b}" "${dispatch_conflict_headers}" "Idempotency-Key: demo-verify-k1" "${dispatch_url}")
+dispatch_conflict_raw=$(mcp_post_with_token_optional_session "${probe_token}" "${dispatch_payload_b}" "${dispatch_conflict_headers}" "Idempotency-Key: ${dispatch_key_main}" "${dispatch_url}")
 dispatch_conflict_http_code=$(printf '%s' "${dispatch_conflict_raw}" | sed -n 's/^__HTTP_CODE__://p' | tail -n 1)
 dispatch_conflict_response=$(printf '%s' "${dispatch_conflict_raw}" | sed '/^__HTTP_CODE__:/d')
 
-dispatch_lifecycle_key='demo-verify-k2'
+dispatch_lifecycle_key="${dispatch_key_lifecycle}"
 dispatch_lifecycle_start_headers="${TMP_DIR}/dispatch-lifecycle-start.headers"
 dispatch_lifecycle_start_raw=$(mcp_post_with_token_optional_session "${probe_token}" "${dispatch_payload_a}" "${dispatch_lifecycle_start_headers}" "Idempotency-Key: ${dispatch_lifecycle_key}" "${dispatch_url}")
 dispatch_lifecycle_start_http_code=$(printf '%s' "${dispatch_lifecycle_start_raw}" | sed -n 's/^__HTTP_CODE__://p' | tail -n 1)

tests/Integration/RuntimeIntegrationHttpTest.php

@@ -379,6 +379,7 @@ function runShellCommand(string $command, string $cwd = ''): array
     $rateProbeMaxAttempts = 90;
 }
 $runStaskLifecycleCheck = getenv('EMCP_STASK_LIFECYCLE_CHECK') === '1';
+$staskExpectExternalWorker = getenv('EMCP_STASK_EXPECT_EXTERNAL_WORKER') === '1';
 $staskWorkerCommand = trim((string)getenv('EMCP_STASK_WORKER_CMD'));
 $staskWorkerCwd = trim((string)getenv('EMCP_STASK_WORKER_CWD'));
 $staskPollAttempts = (int)getenv('EMCP_STASK_POLL_ATTEMPTS');
@@ -760,7 +761,8 @@ function runShellCommand(string $command, string $cwd = ''): array
 
     if ($runDispatchCheck) {
         $dispatchUrl = rtrim($url, '/') . '/dispatch';
-        $key = 'runtime-k1';
+        $runKey = bin2hex(random_bytes(6));
+        $key = 'runtime-k1-' . $runKey;
 
         $dispatchA = httpPostJson($dispatchUrl, [
             'jsonrpc' => '2.0',
@@ -836,11 +838,11 @@ function runShellCommand(string $command, string $cwd = ''): array
         }
 
         if ($runStaskLifecycleCheck && $label === 'api') {
-            if ($staskWorkerCommand === '' || $staskWorkerCwd === '') {
-                fail("{$label} sTask lifecycle check requires EMCP_STASK_WORKER_CMD and EMCP_STASK_WORKER_CWD.");
+            if (!$staskExpectExternalWorker && ($staskWorkerCommand === '' || $staskWorkerCwd === '')) {
+                fail("{$label} sTask lifecycle check requires EMCP_STASK_WORKER_CMD and EMCP_STASK_WORKER_CWD, or EMCP_STASK_EXPECT_EXTERNAL_WORKER=1.");
             }
 
-            $lifecycleKey = 'runtime-k-lifecycle';
+            $lifecycleKey = 'runtime-k-lifecycle-' . $runKey;
             $dispatchLifecycleStart = httpPostJson($dispatchUrl, [
                 'jsonrpc' => '2.0',
                 'id' => 'dl1',
@@ -864,9 +866,14 @@ function runShellCommand(string $command, string $cwd = ''): array
                 fail("{$label} sTask lifecycle expected async task_id > 0, got " . (string)($dispatchLifecycleStartJson['task_id'] ?? 'null') . '.');
             }
 
-            $workerRun = runShellCommand($staskWorkerCommand, $staskWorkerCwd);
-            if ($workerRun['exit'] !== 0) {
-                fail("{$label} sTask worker command failed (exit {$workerRun['exit']}): " . $workerRun['output']);
+            if ($staskExpectExternalWorker) {
+                info("{$label} sTask lifecycle check: expecting external worker processing.");
+                usleep(700000);
+            } else {
+                $workerRun = runShellCommand($staskWorkerCommand, $staskWorkerCwd);
+                if ($workerRun['exit'] !== 0) {
+                    fail("{$label} sTask worker command failed (exit {$workerRun['exit']}): " . $workerRun['output']);
+                }
             }
 
             $completed = false;

tests/Phase6/CiWorkflowCoverageTest.php

@@ -20,6 +20,8 @@ function assertTrue(bool $condition, string $message): void
     'runtime-integration:',
     'demo-runtime-proof:',
     'migration-matrix:',
+    'EMCP_STASK_LIFECYCLE_CHECK',
+    'EMCP_STASK_EXPECT_EXTERNAL_WORKER',
     'benchmark-artifacts',
     'composer run test:integration:clean-install',
     'scripts/migration_matrix_check.sh sqlite',