Block fake session IDs from creating saved library entries - PR 11.246

Author: DavidQ

docs/dev/reports/PR_11_246_block_fake_session_save_report.md

@@ -0,0 +1,66 @@
+# PR_11_246 — Block Fake Session IDs From Creating Saved Library Entries
+
+## Summary
+Updated Workspace V2 Session Library Save/Overwrite to require exact session ID resolution from `sessionStorage` by entered `hostContextId`. This blocks fake/arbitrary IDs from creating or overwriting saved library entries.
+
+## Files Changed
+- `tools/workspace-v2/index.js`
+- `tests/runtime/V2BlockFakeSessionSave.test.mjs`
+
+## Implementation Details
+- Save/Overwrite source resolution is now strict:
+  - `readSessionPayloadForLibraryWrite(sessionId)` reads only `sessionStorage[sessionId]` and validates parsed JSON payload.
+  - Removed active-payload fallback path for Save/Overwrite when entered ID does not resolve exactly.
+- Save behavior:
+  - existing library ID -> `Saved session already exists. Use Overwrite Session.`
+  - non-existing ID with valid `sessionStorage` payload -> `Saved session created.`
+  - unknown/fake ID -> `Session ID does not resolve to a valid Workspace V2 session.`
+- Overwrite behavior:
+  - unknown/fake ID -> `Session ID does not resolve to a valid Workspace V2 session.`
+  - valid resolvable ID but no saved entry -> `Saved session not found. Use Save Session to create it first.`
+  - valid resolvable ID with saved entry -> `Saved session overwritten.`
+- Added stale invalid fake-entry cleanup helper:
+  - `cleanupStaleInvalidSavedEntries(library)`
+  - removes only high-confidence stale fake host-like IDs that:
+    - do not resolve to matching `sessionStorage` payload, and
+    - do not match payload host context metadata or tool metadata.
+  - preserves valid saved entries, including custom user labels.
+
+## Validation Commands Run
+```powershell
+node --check tools/workspace-v2/index.js
+node --check tests/runtime/V2BlockFakeSessionSave.test.mjs
+node --check tests/runtime/V2SaveLibraryFromRecentSession.test.mjs
+node tests/runtime/V2BlockFakeSessionSave.test.mjs
+node tests/runtime/V2SaveLibraryFromRecentSession.test.mjs
+node tests/runtime/V2SavedSessionDeleteFeedback.test.mjs
+```
+
+## Validation Results
+- `node --check tools/workspace-v2/index.js` -> PASS
+- `node --check tests/runtime/V2BlockFakeSessionSave.test.mjs` -> PASS
+- `node --check tests/runtime/V2SaveLibraryFromRecentSession.test.mjs` -> PASS
+- `node tests/runtime/V2BlockFakeSessionSave.test.mjs` -> PASS
+  - output: `tmp/v2-block-fake-session-save-results.json`
+  - failures: `[]`
+- `node tests/runtime/V2SaveLibraryFromRecentSession.test.mjs` -> PASS
+  - output: `tmp/v2-save-library-from-recent-session-results.json`
+  - failures: `[]`
+- `node tests/runtime/V2SavedSessionDeleteFeedback.test.mjs` -> PASS
+  - output: `tmp/v2-saved-session-delete-feedback-results.json`
+  - failures: `[]`
+
+## Requirement Coverage
+- Fake unknown ID cannot create saved entry -> PASS
+- Fake unknown ID cannot overwrite saved entry -> PASS
+- Valid recent/sessionStorage ID can be saved -> PASS
+- Duplicate save is blocked -> PASS
+- Overwrite valid existing saved ID succeeds -> PASS
+- Active payload is not saved under unrelated input ID -> PASS
+- Stale invalid fake-entry cleanup preserves valid saved entries -> PASS
+
+## Full Samples Smoke
+Skipped.
+
+Reason: scope is limited to Workspace V2 Session Library Save/Overwrite behavior and targeted runtime tests; no schemas/samples/games/shared sample infrastructure changed.
+

tests/runtime/V2BlockFakeSessionSave.test.mjs

@@ -0,0 +1,224 @@
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import path from "node:path";
+import { execFileSync } from "node:child_process";
+import { fileURLToPath, pathToFileURL } from "node:url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const repoRoot = path.resolve(__dirname, "..", "..");
+const jsPath = path.join(repoRoot, "tools", "workspace-v2", "index.js");
+const resultsPath = path.join(repoRoot, "tmp", "v2-block-fake-session-save-results.json");
+
+function readText(filePath) {
+  return fs.readFileSync(filePath, "utf8");
+}
+
+function checkSyntax(filePath) {
+  try {
+    execFileSync(process.execPath, ["--check", filePath], {
+      cwd: repoRoot,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    return { ok: true, error: "" };
+  } catch (error) {
+    return { ok: false, error: (error?.stderr || error?.stdout || error?.message || "").toString().trim() };
+  }
+}
+
+function isValidPayload(payload) {
+  return Boolean(payload && typeof payload === "object" && !Array.isArray(payload));
+}
+
+function readSessionPayloadForLibraryWrite(sessionId, storageMap) {
+  const id = typeof sessionId === "string" ? sessionId.trim() : "";
+  if (!id) return null;
+  const raw = storageMap[id];
+  if (typeof raw !== "string") return null;
+  try {
+    const parsed = JSON.parse(raw);
+    return isValidPayload(parsed) ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+
+function looksLikeWorkspaceHostContextId(sessionId) {
+  const id = typeof sessionId === "string" ? sessionId.trim() : "";
+  if (!id) return false;
+  return /-v2-\d{13}-[a-z0-9]{8}$/i.test(id);
+}
+
+function cleanupStaleInvalidSavedEntries(library, storageMap) {
+  const nextLibrary = { ...library };
+  const removed = [];
+  Object.keys(nextLibrary).forEach((sessionId) => {
+    const payload = nextLibrary[sessionId];
+    if (!isValidPayload(payload)) return;
+    if (!looksLikeWorkspaceHostContextId(sessionId)) return;
+    const storagePayload = readSessionPayloadForLibraryWrite(sessionId, storageMap);
+    const hasMatchingStorage = isValidPayload(storagePayload);
+    const payloadHostContextId = typeof payload.hostContextId === "string" ? payload.hostContextId.trim() : "";
+    const payloadToolId = typeof payload.toolId === "string" ? payload.toolId.trim() : "";
+    const idMatchesPayloadHostContext = Boolean(payloadHostContextId && payloadHostContextId === sessionId);
+    const idMatchesToolMetadata = Boolean(payloadToolId && sessionId.startsWith(`${payloadToolId}-`));
+    if (!hasMatchingStorage && !idMatchesPayloadHostContext && !idMatchesToolMetadata) {
+      delete nextLibrary[sessionId];
+      removed.push(sessionId);
+    }
+  });
+  return { nextLibrary, removed };
+}
+
+function simulateSave(inputId, library, storageMap) {
+  const sessionId = typeof inputId === "string" ? inputId.trim() : "";
+  const nextLibrary = { ...library };
+  if (!sessionId) return { message: "Enter a session ID before saving.", nextLibrary };
+  if (Object.prototype.hasOwnProperty.call(nextLibrary, sessionId)) {
+    return { message: "Saved session already exists. Use Overwrite Session.", nextLibrary };
+  }
+  const payload = readSessionPayloadForLibraryWrite(sessionId, storageMap);
+  if (!isValidPayload(payload)) {
+    return { message: "Session ID does not resolve to a valid Workspace V2 session.", nextLibrary };
+  }
+  nextLibrary[sessionId] = payload;
+  return { message: "Saved session created.", nextLibrary };
+}
+
+function simulateOverwrite(inputId, library, storageMap) {
+  const sessionId = typeof inputId === "string" ? inputId.trim() : "";
+  const nextLibrary = { ...library };
+  if (!sessionId) return { message: "Enter a session ID before overwriting.", nextLibrary };
+  const payload = readSessionPayloadForLibraryWrite(sessionId, storageMap);
+  if (!isValidPayload(payload)) {
+    return { message: "Session ID does not resolve to a valid Workspace V2 session.", nextLibrary };
+  }
+  if (!Object.prototype.hasOwnProperty.call(nextLibrary, sessionId)) {
+    return { message: "Saved session not found. Use Save Session to create it first.", nextLibrary };
+  }
+  nextLibrary[sessionId] = payload;
+  return { message: "Saved session overwritten.", nextLibrary };
+}
+
+export function run() {
+  const failures = [];
+  const jsExists = fs.existsSync(jsPath);
+  const js = jsExists ? readText(jsPath) : "";
+  const jsSyntax = checkSyntax(jsPath);
+  const testSyntax = checkSyntax(path.join(repoRoot, "tests", "runtime", "V2BlockFakeSessionSave.test.mjs"));
+
+  if (!jsExists) failures.push("Missing tools/workspace-v2/index.js.");
+  if (!jsSyntax.ok) failures.push("tools/workspace-v2/index.js failed syntax check.");
+  if (!testSyntax.ok) failures.push("tests/runtime/V2BlockFakeSessionSave.test.mjs failed syntax check.");
+
+  const requiredTokens = [
+    "readSessionPayloadForLibraryWrite(sessionId)",
+    "looksLikeWorkspaceHostContextId(sessionId)",
+    "cleanupStaleInvalidSavedEntries(library)",
+    "Session ID does not resolve to a valid Workspace V2 session.",
+    "Saved session already exists. Use Overwrite Session.",
+    "Saved session not found. Use Save Session to create it first.",
+    "Saved session created.",
+    "Saved session overwritten."
+  ];
+  requiredTokens.forEach((token) => {
+    if (!js.includes(token)) failures.push(`Missing required implementation token/message: ${token}`);
+  });
+
+  const validId = "asset-browser-v2-1777676088718-3eff5h3y";
+  const fakeId = "fake-manager-v2-1777676067919-bzuo73di";
+  const storage = {
+    [validId]: JSON.stringify({ version: "v2", toolId: "asset-browser-v2", payloadJson: { source: "sessionStorage" } })
+  };
+  const activePayload = { version: "v2", toolId: "asset-browser-v2", payloadJson: { source: "active-only" } };
+
+  const saveFake = simulateSave(fakeId, {}, storage);
+  if (saveFake.message !== "Session ID does not resolve to a valid Workspace V2 session.") {
+    failures.push("Fake unknown ID should not create saved entry.");
+  }
+  if (Object.prototype.hasOwnProperty.call(saveFake.nextLibrary, fakeId)) {
+    failures.push("Fake unknown ID unexpectedly created saved entry.");
+  }
+
+  const overwriteFake = simulateOverwrite(fakeId, { [validId]: { version: "v2", toolId: "asset-browser-v2" } }, storage);
+  if (overwriteFake.message !== "Session ID does not resolve to a valid Workspace V2 session.") {
+    failures.push("Fake unknown ID should not overwrite saved entry.");
+  }
+
+  const saveValid = simulateSave(validId, {}, storage);
+  if (saveValid.message !== "Saved session created." || !Object.prototype.hasOwnProperty.call(saveValid.nextLibrary, validId)) {
+    failures.push("Valid recent/sessionStorage ID should be saved.");
+  }
+
+  const duplicateSave = simulateSave(validId, saveValid.nextLibrary, storage);
+  if (duplicateSave.message !== "Saved session already exists. Use Overwrite Session.") {
+    failures.push("Duplicate save should be blocked.");
+  }
+
+  const overwriteValid = simulateOverwrite(validId, saveValid.nextLibrary, storage);
+  if (overwriteValid.message !== "Saved session overwritten.") {
+    failures.push("Overwrite valid existing saved ID should succeed.");
+  }
+
+  const saveUnknownWithActive = simulateSave(fakeId, {}, {});
+  if (saveUnknownWithActive.message !== "Session ID does not resolve to a valid Workspace V2 session.") {
+    failures.push("Active payload fallback must not save under unrelated ID.");
+  }
+  if (activePayload.payloadJson.source !== "active-only") {
+    failures.push("Test fixture mutated unexpectedly.");
+  }
+
+  const libraryBeforeCleanup = {
+    [fakeId]: { version: "v2", toolId: "asset-browser-v2", payloadJson: { old: true } },
+    [validId]: { version: "v2", toolId: "asset-browser-v2", payloadJson: { valid: true } },
+    "custom-user-label": { version: "v2", toolId: "asset-browser-v2", payloadJson: { custom: true } },
+    "palette-manager-v2-1777676088718-zzzzzzzz": { version: "v2", toolId: "palette-manager-v2", payloadJson: { keep: true } }
+  };
+  const cleanupResult = cleanupStaleInvalidSavedEntries(libraryBeforeCleanup, storage);
+  if (Object.prototype.hasOwnProperty.call(cleanupResult.nextLibrary, fakeId)) {
+    failures.push("Stale invalid fake entry should be cleaned up.");
+  }
+  if (!Object.prototype.hasOwnProperty.call(cleanupResult.nextLibrary, validId)) {
+    failures.push("Valid saved entry should not be removed by cleanup.");
+  }
+  if (!Object.prototype.hasOwnProperty.call(cleanupResult.nextLibrary, "custom-user-label")) {
+    failures.push("Custom valid saved entry should not be removed by cleanup.");
+  }
+  if (!Object.prototype.hasOwnProperty.call(cleanupResult.nextLibrary, "palette-manager-v2-1777676088718-zzzzzzzz")) {
+    failures.push("Host-like entry with matching tool metadata should not be removed.");
+  }
+
+  fs.mkdirSync(path.dirname(resultsPath), { recursive: true });
+  fs.writeFileSync(resultsPath, `${JSON.stringify({
+    generatedAt: new Date().toISOString(),
+    failures,
+    checks: {
+      jsExists,
+      jsSyntax,
+      testSyntax
+    },
+    scenarios: {
+      saveFake,
+      overwriteFake,
+      saveValid,
+      duplicateSave,
+      overwriteValid,
+      saveUnknownWithActive,
+      cleanupResult
+    }
+  }, null, 2)}\n`, "utf8");
+
+  console.log(`v2 block-fake-session-save results: ${resultsPath}`);
+  assert.equal(failures.length, 0, `V2 block-fake-session-save failures: ${failures.join(" | ")}`);
+  return { failures };
+}
+
+if (process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href) {
+  try {
+    const summary = run();
+    console.log(JSON.stringify(summary, null, 2));
+  } catch (error) {
+    console.error(error);
+    process.exitCode = 1;
+  }
+}

tools/workspace-v2/index.js

@@ -223,15 +223,52 @@ class WorkspaceV2SessionProducer {
   }
 
   readSessionPayloadForLibraryWrite(sessionId) {
-    const recentPayload = this.readSessionPayloadFromRecentSessionId(sessionId);
-    if (this.isValidSessionPayload(recentPayload)) {
-      return recentPayload;
+    if (typeof sessionId !== "string" || !sessionId.trim()) {
+      return null;
     }
-    const activePayload = this.readActiveSessionPayloadForLibraryActions();
-    if (this.isValidSessionPayload(activePayload)) {
-      return activePayload;
+    const raw = sessionStorage.getItem(sessionId.trim());
+    if (typeof raw !== "string") {
+      return null;
     }
-    return null;
+    const parsed = this.safeParseJson(raw);
+    if (!parsed.ok || !this.isValidSessionPayload(parsed.value)) {
+      return null;
+    }
+    return parsed.value;
+  }
+
+  looksLikeWorkspaceHostContextId(sessionId) {
+    if (typeof sessionId !== "string" || !sessionId.trim()) {
+      return false;
+    }
+    return /-v2-\d{13}-[a-z0-9]{8}$/i.test(sessionId.trim());
+  }
+
+  cleanupStaleInvalidSavedEntries(library) {
+    if (!library || typeof library !== "object" || Array.isArray(library)) {
+      return false;
+    }
+    let removedAny = false;
+    Object.keys(library).forEach((sessionId) => {
+      const payload = library[sessionId];
+      if (!this.isValidSessionPayload(payload)) {
+        return;
+      }
+      if (!this.looksLikeWorkspaceHostContextId(sessionId)) {
+        return;
+      }
+      const storagePayload = this.readSessionPayloadForLibraryWrite(sessionId);
+      const hasMatchingStorage = this.isValidSessionPayload(storagePayload);
+      const payloadHostContextId = typeof payload.hostContextId === "string" ? payload.hostContextId.trim() : "";
+      const payloadToolId = typeof payload.toolId === "string" ? payload.toolId.trim() : "";
+      const idMatchesPayloadHostContext = payloadHostContextId && payloadHostContextId === sessionId;
+      const idMatchesToolMetadata = payloadToolId && sessionId.startsWith(`${payloadToolId}-`);
+      if (!hasMatchingStorage && !idMatchesPayloadHostContext && !idMatchesToolMetadata) {
+        delete library[sessionId];
+        removedAny = true;
+      }
+    });
+    return removedAny;
   }
 
   fixturePathForTool(toolId) {
@@ -388,6 +425,9 @@ class WorkspaceV2SessionProducer {
       this.libraryEmptyState.textContent = "Session library is invalid. Fix stored JSON or clear v2-session-library.";
       return;
     }
+    if (this.cleanupStaleInvalidSavedEntries(library)) {
+      localStorage.setItem(this.libraryStorageKey, JSON.stringify(library));
+    }
     const sessionNames = Object.keys(library).sort((left, right) => left.localeCompare(right));
     this.sessionListNode.replaceChildren();
     this.libraryEmptyState.hidden = sessionNames.length > 0;
@@ -1728,11 +1768,6 @@ class WorkspaceV2SessionProducer {
       this.setLibraryStatus(overwriteExisting ? "Enter a session ID before overwriting." : "Enter a session ID before saving.");
       return;
     }
-    const payloadForWrite = this.readSessionPayloadForLibraryWrite(sessionName);
-    if (!this.isValidSessionPayload(payloadForWrite)) {
-      this.setLibraryStatus("Session ID does not resolve to a valid Workspace V2 session.");
-      return;
-    }
     const library = this.readSessionLibrary();
     if (library === null) {
       return;
@@ -1742,6 +1777,11 @@ class WorkspaceV2SessionProducer {
       this.setLibraryStatus("Saved session already exists. Use Overwrite Session.");
       return;
     }
+    const payloadForWrite = this.readSessionPayloadForLibraryWrite(sessionName);
+    if (!this.isValidSessionPayload(payloadForWrite)) {
+      this.setLibraryStatus("Session ID does not resolve to a valid Workspace V2 session.");
+      return;
+    }
     if (overwriteExisting && !exists) {
       this.setLibraryStatus("Saved session not found. Use Save Session to create it first.");
       return;