fix(runtime): harden Phase 3 — validate bounds, fix leaks, add tests (#7)

Hardening pass before Phase 4 (Economics):

- Validate hostcall bounds: cap rand_bytes at 64MB and log_emit at 1MB
  to prevent OOM panics (EI-6), check malloc null pointer return
- Reject negative budget/price in checkpoint parsing (RE-3), guard
  int64 overflow in cost calculation
- Fix migration: return error on stale checkpoint deletion failure
  (EI-1), hold lock during instance Close to prevent use-after-close
- Plug memory leaks: copy-to-new-slice on eventlog and replay window
  eviction instead of slice truncation
- Clean stale .tmp files on FSProvider startup (RE-1 crash recovery)
- Add config validation (PricePerSecond, ReplayWindowSize, ReplayMode)
- Remove unused protocol types, consolidate logging in cmd/igord
- Add 13 new tests covering all hardening fixes

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: simonovic86

cmd/igord/main.go

@@ -86,28 +86,28 @@ func main() {
 	logger := logging.NewLogger()
 
 	// Print startup banner
-	logging.Info(logger, "Igor Node starting...")
-	logging.Info(logger, fmt.Sprintf("NodeID: %s", cfg.NodeID))
+	logger.Info("Igor Node starting...")
+	logger.Info("NodeID: " + cfg.NodeID)
 
 	// Initialize P2P node
 	node, err := p2p.NewNode(ctx, cfg, logger)
 	if err != nil {
-		logging.Error(logger, "Failed to create P2P node", "error", err)
+		logger.Error("Failed to create P2P node", "error", err)
 		os.Exit(1)
 	}
 	defer node.Close()
 
 	// Create storage provider
 	storageProvider, err := storage.NewFSProvider(cfg.CheckpointDir, logger)
 	if err != nil {
-		logging.Error(logger, "Failed to create storage provider", "error", err)
+		logger.Error("Failed to create storage provider", "error", err)
 		os.Exit(1)
 	}
 
 	// Create WASM runtime engine for migration service
 	engine, err := runtime.NewEngine(ctx, logger)
 	if err != nil {
-		logging.Error(logger, "Failed to create runtime engine", "error", err)
+		logger.Error("Failed to create runtime engine", "error", err)
 		os.Exit(1)
 	}
 	defer engine.Close(ctx)
@@ -118,46 +118,46 @@ func main() {
 	// If --migrate-agent flag is provided, perform migration
 	if *migrateAgent != "" {
 		if *targetPeer == "" {
-			logging.Error(logger, "Migration requires --to flag with target peer address")
+			logger.Error("Migration requires --to flag with target peer address")
 			os.Exit(1)
 		}
 		if *wasmPath == "" {
-			logging.Error(logger, "Migration requires --wasm flag with WASM binary path")
+			logger.Error("Migration requires --wasm flag with WASM binary path")
 			os.Exit(1)
 		}
 
-		logging.Info(logger, "Initiating agent migration",
+		logger.Info("Initiating agent migration",
 			"agent_id", *migrateAgent,
 			"target", *targetPeer,
 		)
 
 		if err := migrationSvc.MigrateAgent(ctx, *migrateAgent, *wasmPath, *targetPeer); err != nil {
-			logging.Error(logger, "Migration failed", "error", err)
+			logger.Error("Migration failed", "error", err)
 			os.Exit(1)
 		}
 
-		logging.Info(logger, "Migration completed successfully")
+		logger.Info("Migration completed successfully")
 		return
 	}
 
 	// If --run-agent flag is provided, run agent locally
 	if *runAgent != "" {
 		budgetMicrocents := budget.FromFloat(*budgetFlag)
 		if err := runLocalAgent(ctx, cfg, engine, storageProvider, *runAgent, budgetMicrocents, *manifestPath, migrationSvc, logger); err != nil {
-			logging.Error(logger, "Failed to run agent", "error", err)
+			logger.Error("Failed to run agent", "error", err)
 			os.Exit(1)
 		}
 		return
 	}
 
-	logging.Info(logger, "Igor Node ready")
+	logger.Info("Igor Node ready")
 
 	// Block until interrupted
 	sigChan := make(chan os.Signal, 1)
 	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
 	<-sigChan
 
-	logging.Info(logger, "Igor Node shutting down...")
+	logger.Info("Igor Node shutting down...")
 }
 
 // runLocalAgent loads and executes an agent locally with tick loop and checkpointing.
@@ -408,7 +408,7 @@ func runSimulator(wasmPath, manifestPath string, budgetVal float64, ticks int, v
 	}
 	result, err := simulator.Run(ctx, cfg, logger)
 	if err != nil {
-		logging.Error(logger, "Simulation failed", "error", err)
+		logger.Error("Simulation failed", "error", err)
 		os.Exit(1)
 	}
 	simulator.PrintSummary(result, logger)

internal/agent/instance.go

@@ -6,6 +6,7 @@ import (
 	"encoding/binary"
 	"fmt"
 	"log/slog"
+	"math"
 	"os"
 	"time"
 
@@ -263,11 +264,21 @@ func (i *Instance) Tick(ctx context.Context) error {
 		maxSnaps = DefaultReplayWindowSize
 	}
 	if len(i.ReplayWindow) > maxSnaps {
-		i.ReplayWindow = i.ReplayWindow[len(i.ReplayWindow)-maxSnaps:]
+		kept := i.ReplayWindow[len(i.ReplayWindow)-maxSnaps:]
+		fresh := make([]TickSnapshot, len(kept))
+		copy(fresh, kept)
+		i.ReplayWindow = fresh
 	}
 
-	// Calculate and deduct execution cost (nanosecond precision, no float, no truncation)
-	costMicrocents := elapsed.Nanoseconds() * i.PricePerSecond / 1_000_000_000
+	// Calculate and deduct execution cost (nanosecond precision, no float, no truncation).
+	// Guard against int64 overflow: if nanos * price would overflow, cap cost at remaining budget.
+	var costMicrocents int64
+	nanos := elapsed.Nanoseconds()
+	if i.PricePerSecond > 0 && nanos > math.MaxInt64/i.PricePerSecond {
+		costMicrocents = i.Budget
+	} else {
+		costMicrocents = nanos * i.PricePerSecond / 1_000_000_000
+	}
 	i.Budget -= costMicrocents
 
 	observationCount := 0
@@ -398,6 +409,9 @@ func (i *Instance) Resume(ctx context.Context, state []byte) error {
 	}
 
 	ptr := uint32(results[0])
+	if ptr == 0 {
+		return fmt.Errorf("malloc returned null pointer (out of memory)")
+	}
 
 	// Write state to WASM memory
 	ok := i.Module.Memory().Write(ptr, state)
@@ -493,10 +507,18 @@ func ParseCheckpointHeader(checkpoint []byte) (budgetVal int64, price int64, tic
 	if checkpoint[0] != checkpointVersion {
 		return 0, 0, 0, [32]byte{}, nil, fmt.Errorf("unsupported checkpoint version: %d", checkpoint[0])
 	}
+	budgetParsed := int64(binary.LittleEndian.Uint64(checkpoint[1:9]))
+	priceParsed := int64(binary.LittleEndian.Uint64(checkpoint[9:17]))
+	if budgetParsed < 0 {
+		return 0, 0, 0, [32]byte{}, nil, fmt.Errorf("checkpoint contains negative budget: %d", budgetParsed)
+	}
+	if priceParsed < 0 {
+		return 0, 0, 0, [32]byte{}, nil, fmt.Errorf("checkpoint contains negative price: %d", priceParsed)
+	}
 	var hash [32]byte
 	copy(hash[:], checkpoint[25:57])
-	return int64(binary.LittleEndian.Uint64(checkpoint[1:9])),
-		int64(binary.LittleEndian.Uint64(checkpoint[9:17])),
+	return budgetParsed,
+		priceParsed,
 		binary.LittleEndian.Uint64(checkpoint[17:25]),
 		hash,
 		checkpoint[checkpointHeaderLen:],

internal/agent/instance_test.go

@@ -501,6 +501,33 @@ func TestParseCheckpointHeader_EmptyState(t *testing.T) {
 	}
 }
 
+func TestParseCheckpointHeader_NegativeBudget(t *testing.T) {
+	checkpoint := make([]byte, 57)
+	checkpoint[0] = 0x02
+	// Write -1 as budget (all bits set via two's complement)
+	negBudget := int64(-1)
+	binary.LittleEndian.PutUint64(checkpoint[1:9], uint64(negBudget))
+	binary.LittleEndian.PutUint64(checkpoint[9:17], 1000)
+
+	_, _, _, _, _, err := ParseCheckpointHeader(checkpoint)
+	if err == nil {
+		t.Error("expected error for negative budget in checkpoint")
+	}
+}
+
+func TestParseCheckpointHeader_NegativePrice(t *testing.T) {
+	checkpoint := make([]byte, 57)
+	checkpoint[0] = 0x02
+	binary.LittleEndian.PutUint64(checkpoint[1:9], 1000000)
+	negPrice := int64(-500)
+	binary.LittleEndian.PutUint64(checkpoint[9:17], uint64(negPrice))
+
+	_, _, _, _, _, err := ParseCheckpointHeader(checkpoint)
+	if err == nil {
+		t.Error("expected error for negative price in checkpoint")
+	}
+}
+
 func TestParseCheckpointHeader_Corruption(t *testing.T) {
 	tests := []struct {
 		name  string

internal/config/config.go

@@ -1,6 +1,8 @@
 package config
 
 import (
+	"fmt"
+
 	"github.com/google/uuid"
 )
 
@@ -53,9 +55,30 @@ func Load() (*Config, error) {
 		ReplayMode:       "full",
 		ReplayCostLog:    false,
 	}
+	if err := cfg.Validate(); err != nil {
+		return nil, fmt.Errorf("invalid config: %w", err)
+	}
 	return cfg, nil
 }
 
+// Validate checks config invariants.
+func (c *Config) Validate() error {
+	if c.PricePerSecond <= 0 {
+		return fmt.Errorf("PricePerSecond must be positive, got %d", c.PricePerSecond)
+	}
+	if c.ReplayWindowSize < 0 {
+		return fmt.Errorf("ReplayWindowSize must be non-negative, got %d", c.ReplayWindowSize)
+	}
+	if c.VerifyInterval < 0 {
+		return fmt.Errorf("VerifyInterval must be non-negative, got %d", c.VerifyInterval)
+	}
+	validModes := map[string]bool{"off": true, "periodic": true, "on-migrate": true, "full": true}
+	if !validModes[c.ReplayMode] {
+		return fmt.Errorf("ReplayMode must be one of off/periodic/on-migrate/full, got %q", c.ReplayMode)
+	}
+	return nil
+}
+
 // generateNodeID creates a random UUID for the node if one is not provided.
 func generateNodeID() string {
 	return uuid.New().String()

internal/config/config_test.go

@@ -27,3 +27,48 @@ func TestLoad_Defaults(t *testing.T) {
 		t.Errorf("VerifyInterval: got %d, want 5", cfg.VerifyInterval)
 	}
 }
+
+func TestConfig_Validate_DefaultsAreValid(t *testing.T) {
+	cfg, err := Load()
+	if err != nil {
+		t.Fatalf("Load: %v", err)
+	}
+	if err := cfg.Validate(); err != nil {
+		t.Errorf("default config should be valid: %v", err)
+	}
+}
+
+func TestConfig_Validate_ZeroPrice(t *testing.T) {
+	cfg := &Config{PricePerSecond: 0, ReplayMode: "full"}
+	if err := cfg.Validate(); err == nil {
+		t.Error("expected error for zero PricePerSecond")
+	}
+}
+
+func TestConfig_Validate_NegativePrice(t *testing.T) {
+	cfg := &Config{PricePerSecond: -1, ReplayMode: "full"}
+	if err := cfg.Validate(); err == nil {
+		t.Error("expected error for negative PricePerSecond")
+	}
+}
+
+func TestConfig_Validate_InvalidReplayMode(t *testing.T) {
+	cfg := &Config{PricePerSecond: 1000, ReplayMode: "invalid"}
+	if err := cfg.Validate(); err == nil {
+		t.Error("expected error for invalid ReplayMode")
+	}
+}
+
+func TestConfig_Validate_NegativeReplayWindow(t *testing.T) {
+	cfg := &Config{PricePerSecond: 1000, ReplayWindowSize: -1, ReplayMode: "full"}
+	if err := cfg.Validate(); err == nil {
+		t.Error("expected error for negative ReplayWindowSize")
+	}
+}
+
+func TestConfig_Validate_NegativeVerifyInterval(t *testing.T) {
+	cfg := &Config{PricePerSecond: 1000, VerifyInterval: -1, ReplayMode: "full"}
+	if err := cfg.Validate(); err == nil {
+		t.Error("expected error for negative VerifyInterval")
+	}
+}

internal/eventlog/eventlog.go

@@ -87,9 +87,14 @@ func (l *EventLog) SealTick() *TickLog {
 	l.history = append(l.history, sealed)
 	l.current = nil
 
-	// Evict oldest ticks when history exceeds maxTicks bound
+	// Evict oldest ticks when history exceeds maxTicks bound.
+	// Copy to a new slice to release references to evicted TickLogs,
+	// preventing memory leaks from the retained underlying array.
 	if l.maxTicks > 0 && len(l.history) > l.maxTicks {
-		l.history = l.history[len(l.history)-l.maxTicks:]
+		kept := l.history[len(l.history)-l.maxTicks:]
+		fresh := make([]*TickLog, len(kept))
+		copy(fresh, kept)
+		l.history = fresh
 	}
 
 	return sealed

internal/eventlog/eventlog_test.go

@@ -136,6 +136,23 @@ func TestEventLog_Eviction(t *testing.T) {
 	}
 }
 
+func TestEventLog_EvictionReleasesMemory(t *testing.T) {
+	el := NewEventLog(3)
+	for i := uint64(1); i <= 10; i++ {
+		el.BeginTick(i)
+		el.Record(ClockNow, make([]byte, 1024))
+		el.SealTick()
+	}
+	history := el.History()
+	if len(history) != 3 {
+		t.Fatalf("expected 3, got %d", len(history))
+	}
+	// Verify capacity is not leaking (should be exactly 3, not 10)
+	if cap(history) > 3 {
+		t.Errorf("history capacity should be 3, got %d (memory leak)", cap(history))
+	}
+}
+
 func TestEventLog_UnboundedWhenZero(t *testing.T) {
 	el := NewEventLog(0)
 

internal/hostcall/log.go

@@ -8,15 +8,23 @@ import (
 	"github.com/tetratelabs/wazero/api"
 )
 
+// maxLogBytes caps the buffer size for log_emit to prevent excessive memory allocation.
+const maxLogBytes = 1 * 1024 * 1024 // 1 MB
+
 // registerLog adds log_emit to the host module builder.
 // log_emit(ptr i32, len i32): emits a structured log entry.
 // Not a side effect — logging is an observation that produces no
 // externally visible state change.
 func (r *Registry) registerLog(builder wazero.HostModuleBuilder) {
 	builder.NewFunctionBuilder().
 		WithFunc(func(_ context.Context, m api.Module, ptr, length uint32) {
+			if length == 0 || length > maxLogBytes {
+				return
+			}
 			data, ok := m.Memory().Read(ptr, length)
 			if !ok {
+				r.logger.Warn("log_emit: failed to read from WASM memory",
+					"ptr", ptr, "length", length)
 				return
 			}
 

internal/hostcall/rand.go

@@ -9,13 +9,28 @@ import (
 	"github.com/tetratelabs/wazero/api"
 )
 
+// maxRandBytes caps the buffer size for rand_bytes to prevent OOM panics.
+// Matches the WASM linear memory limit (64 MB = 1024 pages × 64 KiB).
+const maxRandBytes = 64 * 1024 * 1024
+
 // registerRand adds rand_bytes to the host module builder.
 // rand_bytes(ptr i32, len i32) -> i32: fills buffer with random bytes.
-// Returns 0 on success, -1 on internal error, -4 if buffer write fails.
+// Returns 0 on success, -1 on internal error, -2 if length exceeds maximum,
+// -4 if buffer write fails.
 // Observation hostcall — recorded in event log for replay (CE-3).
 func (r *Registry) registerRand(builder wazero.HostModuleBuilder) {
 	builder.NewFunctionBuilder().
 		WithFunc(func(_ context.Context, m api.Module, ptr, length uint32) int32 {
+			if length == 0 {
+				return 0
+			}
+			if length > maxRandBytes {
+				r.logger.Warn("rand_bytes: length exceeds maximum",
+					"requested", length,
+					"max", maxRandBytes,
+				)
+				return -2
+			}
 			buf := make([]byte, length)
 			if _, err := crypto_rand.Read(buf); err != nil {
 				r.logger.Error("rand_bytes: crypto/rand.Read failed", "error", err)