siloqy/prod/tests/test_pink_invalid_intent_guard.py

"""Kernel-level finiteness guard: non-finite (inf/NaN) intents must be rejected
with INVALID_INTENT, never crash the kernel ("Rust kernel returned null string").

Two layers (defense in depth):
- Python bridge (ExecutionKernel.process_intent): rejects non-finite/insane fields
  before the FFI call, naming the offending field for source-location.
- Rust kernel (FFI): a payload that fails to parse (incl. the Infinity/NaN tokens
  serde rejects) or a result that fails to serialize returns a clean INVALID_INTENT
  outcome instead of a null string.
"""

from __future__ import annotations

from datetime import datetime, timezone

import pytest

from prod.clean_arch.dita_v2 import (
    ExecutionKernel, InMemoryControlPlane, KernelCommandType, KernelControlSnapshot,
    KernelMode, KernelVerbosity, MemoryKernelJournal, MockVenueAdapter, MockVenueScenario,
    TradeSide,
)
from prod.clean_arch.dita_v2.contracts import KernelDiagnosticCode, KernelIntent
from prod.clean_arch.dita_v2.rust_backend import _get_rust, _intent_to_payload


def _kernel():
    return ExecutionKernel(
        control_plane=InMemoryControlPlane(
            KernelControlSnapshot(mode=KernelMode.DEBUG, verbosity=KernelVerbosity.TRACE)
        ),
        venue=MockVenueAdapter(MockVenueScenario(emit_fill_on_submit=True, partial_fill_ratio=1.0)),
        journal=MemoryKernelJournal(),
    )


def _intent(size, price, lev=3.0):
    return KernelIntent(
        timestamp=datetime.now(timezone.utc), intent_id="i", trade_id="T", slot_id=0,
        asset="BTCUSDT", side=TradeSide.SHORT, action=KernelCommandType.ENTER,
        reference_price=price, target_size=size, leverage=lev, exit_leg_ratios=(1.0,), reason="X",
    )


@pytest.mark.parametrize("size,price,lev,field", [
    (float("inf"), 100.0, 3.0, "target_size"),
    (float("nan"), 100.0, 3.0, "target_size"),
    (0.1, float("inf"), 3.0, "reference_price"),
    (0.1, 100.0, float("nan"), "leverage"),
    (-0.1, 100.0, 3.0, "target_size"),
])
def test_bridge_rejects_nonfinite_intent(size, price, lev, field):
    out = _kernel().process_intent(_intent(size, price, lev))
    assert out.accepted is False
    assert out.diagnostic_code == KernelDiagnosticCode.INVALID_INTENT
    assert out.details.get("field") == field


def test_finite_intent_still_accepted():
    out = _kernel().process_intent(_intent(0.15, 100000.0))
    assert out.accepted is True
    assert out.diagnostic_code == KernelDiagnosticCode.OK


def test_rust_kernel_rejects_nonfinite_payload_without_null_crash():
    # Bypass the Python bridge guard: hand a non-finite payload straight to the
    # Rust FFI (json.dumps emits the Infinity token serde rejects). The kernel
    # must return a clean INVALID_INTENT outcome, not a null string.
    k = _kernel()
    payload = _intent_to_payload(_intent(float("inf"), 100.0))
    res = _get_rust().process_intent(k._backend, payload, mode="NORMAL", verbosity="QUIET")
    assert res["outcome"]["diagnostic_code"] == "INVALID_INTENT"
    assert res["outcome"]["accepted"] is False
PINK DITAv2: kernel-level finiteness guard (no more null-string crash on inf/NaN) The aborted hard cutover crash-looped with "Rust kernel returned null string" from process_intent on the first live trading step. Root cause (reproduced): a non-finite (inf/NaN) numeric field reaching the kernel — Python json.dumps emits the Infinity/NaN token, serde_json rejects it at parse, and the FFI returned null. Magnitude is fine; only finiteness was the problem. Defense in depth, kernel catches it: - Rust FFI (lib.rs): dita_kernel_process_intent_json / _on_venue_event_json now return a clean INVALID_INTENT KernelResult on parse failure (incl. Infinity/NaN tokens) AND on serialize failure (a non-finite produced internally) — never a null string. - Python bridge (rust_backend.py): ExecutionKernel.process_intent validates intent finiteness/bounds (target_size, reference_price, limit_price, leverage, exit_leg_ratios; size>=0) BEFORE the FFI and rejects INVALID_INTENT, naming the offending field+value. - contracts.py: add KernelDiagnosticCode.INVALID_INTENT. - pink_direct.py: on INVALID_INTENT, log full upstream provenance (snapshot.price, capital, leverage, sizes) so the numerical SOURCE can be located on the next live run. - on_venue_event bridge tolerates the fallback's null slot (uses the live slot). Verified: kernel recompiled; offline 65 + 7 new guard tests green (no regression); direct-FFI inf payload -> INVALID_INTENT (no null crash). NOTE: this turns the cutover crash into a clean rejection — the upstream source of the non-finite (the live run's inf) still needs locating, now aided by the provenance log. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-05-31 09:10:13 +02:00			`"""Kernel-level finiteness guard: non-finite (inf/NaN) intents must be rejected`
			`with INVALID_INTENT, never crash the kernel ("Rust kernel returned null string").`

			`Two layers (defense in depth):`
			`- Python bridge (ExecutionKernel.process_intent): rejects non-finite/insane fields`
			`before the FFI call, naming the offending field for source-location.`
			`- Rust kernel (FFI): a payload that fails to parse (incl. the Infinity/NaN tokens`
			`serde rejects) or a result that fails to serialize returns a clean INVALID_INTENT`
			`outcome instead of a null string.`
			`"""`

			`from __future__ import annotations`

			`from datetime import datetime, timezone`

			`import pytest`

			`from prod.clean_arch.dita_v2 import (`
			`ExecutionKernel, InMemoryControlPlane, KernelCommandType, KernelControlSnapshot,`
			`KernelMode, KernelVerbosity, MemoryKernelJournal, MockVenueAdapter, MockVenueScenario,`
			`TradeSide,`
			`)`
			`from prod.clean_arch.dita_v2.contracts import KernelDiagnosticCode, KernelIntent`
			`from prod.clean_arch.dita_v2.rust_backend import _get_rust, _intent_to_payload`


			`def _kernel():`
			`return ExecutionKernel(`
			`control_plane=InMemoryControlPlane(`
			`KernelControlSnapshot(mode=KernelMode.DEBUG, verbosity=KernelVerbosity.TRACE)`
			`),`
			`venue=MockVenueAdapter(MockVenueScenario(emit_fill_on_submit=True, partial_fill_ratio=1.0)),`
			`journal=MemoryKernelJournal(),`
			`)`


			`def _intent(size, price, lev=3.0):`
			`return KernelIntent(`
			`timestamp=datetime.now(timezone.utc), intent_id="i", trade_id="T", slot_id=0,`
			`asset="BTCUSDT", side=TradeSide.SHORT, action=KernelCommandType.ENTER,`
			`reference_price=price, target_size=size, leverage=lev, exit_leg_ratios=(1.0,), reason="X",`
			`)`


			`@pytest.mark.parametrize("size,price,lev,field", [`
			`(float("inf"), 100.0, 3.0, "target_size"),`
			`(float("nan"), 100.0, 3.0, "target_size"),`
			`(0.1, float("inf"), 3.0, "reference_price"),`
			`(0.1, 100.0, float("nan"), "leverage"),`
			`(-0.1, 100.0, 3.0, "target_size"),`
			`])`
			`def test_bridge_rejects_nonfinite_intent(size, price, lev, field):`
			`out = _kernel().process_intent(_intent(size, price, lev))`
			`assert out.accepted is False`
			`assert out.diagnostic_code == KernelDiagnosticCode.INVALID_INTENT`
			`assert out.details.get("field") == field`


			`def test_finite_intent_still_accepted():`
			`out = _kernel().process_intent(_intent(0.15, 100000.0))`
			`assert out.accepted is True`
			`assert out.diagnostic_code == KernelDiagnosticCode.OK`


			`def test_rust_kernel_rejects_nonfinite_payload_without_null_crash():`
			`# Bypass the Python bridge guard: hand a non-finite payload straight to the`
			`# Rust FFI (json.dumps emits the Infinity token serde rejects). The kernel`
			`# must return a clean INVALID_INTENT outcome, not a null string.`
			`k = _kernel()`
			`payload = _intent_to_payload(_intent(float("inf"), 100.0))`
			`res = _get_rust().process_intent(k._backend, payload, mode="NORMAL", verbosity="QUIET")`
			`assert res["outcome"]["diagnostic_code"] == "INVALID_INTENT"`
			`assert res["outcome"]["accepted"] is False`