
refactor(server): harden failure-path firewall (SanitizedError, DLQ scrub, drop ledger, ENTRY_ANALYZED contract)#620

Merged
wileland merged 2 commits into develop from codex/implement-run-b-failure-path-firewall
Feb 20, 2026

Conversation

@wileland (Owner)

Motivation

  • Prevent plaintext transcript or model-output fragments from leaking via worker errors, logs, events, or queue payloads by introducing a failure-path firewall and strict contract enforcement.
  • Provide a deterministic consumer contract for ENTRY_ANALYZED so downstream consumers can safely rely on schemaVersion and processingStatus semantics.
  • Record drops in a structured ledger that contains only safe metadata (no plaintext), enabling auditability without exposing sensitive text.

Description

  • Added central contract and types in server/src/utils/failureFirewallContracts.js including ENTRY_ANALYZED_SCHEMA_VERSION, PROCESSING_STATUS, PROCESSING_WARNING_CODE, DROP_REASON_CODE, and a UNANCHORED_SIGNAL schema stub.
  • Implemented SanitizedError + utilities in server/src/utils/failureFirewall.js to sanitize errors, fingerprint messages, enforce a job-payload whitelist (entryId, taskId), validate/produce ENTRY_ANALYZED envelopes, and build structured drop-ledger records.
  • Hardened orchestration and worker boundaries: agentOrchestration enforces whitelisted job payloads and sanitizes enqueue-failure messages; eventBus.emitEntryAnalyzed now wraps/validates envelopes before emitting; reflection, scribe, and archivist workers enforce whitelists and record only sanitized error metadata (warning codes + fingerprints) instead of raw fragments.
  • Added tests and docs: server/src/utils/__tests__/failureFirewall.test.ts (whitelist, schema branching, ledger shape), server/src/orchestration/__tests__/eventBus.contract.test.ts (envelope + canary check), a leak-canary test in server/src/workers/__tests__/reflection.worker.test.ts, and documentation server/docs/run-b-failure-firewall.md.

Testing

  • Ran pnpm lint:ci locally and it completed successfully (no JS/TS changes detected).
  • Ran node scripts/codex_preflight.mjs --ci and it passed alignment checks.
  • Ran focused server test subset with pnpm --filter server exec vitest run src/utils/__tests__/failureFirewall.test.ts src/orchestration/__tests__/eventBus.contract.test.ts src/workers/__tests__/reflection.worker.test.ts and all three test files passed.
  • Ran the broader pnpm --filter server test / pnpm test:ci in the sandbox; the full suite failed in this environment due to missing optional runtime test dependencies (examples: express, supertest, mongoose, langfuse, openai, jsonwebtoken), not due to the new firewall logic itself; targeted unit tests for the new contracts passed.

Codex Task


github-actions bot commented Feb 20, 2026

Audit

Audit artifacts not found.

Schema

No drift detected ✅

Codex

No Codex outputs yet.

@wileland wileland changed the base branch from codex/run-b-failure-firewall-exec-2026-02-20 to develop February 20, 2026 17:58

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 11241e8427


Comment on lines +11 to +12
const envelope = toEntryAnalyzedEnvelope(payload);
validateEntryAnalyzedEnvelope(envelope);


P2: Preserve legacy ENTRY_ANALYZED payload compatibility

This new validation path now rejects payloads that only carry entryId/userId (because toEntryAnalyzedEnvelope defaults missing processingStatus to complete, then validateEntryAnalyzedEnvelope requires non-empty bloomCards), which breaks existing emitters that still send minimal events such as scripts/simulate_nervous_system.js (lines 88-99 and 148-153). In those flows, emitEntryAnalyzed(...) now throws ENTRY_ANALYZED complete status requires cards, so the simulation/experiment path aborts before Crucible side effects can run.


@wileland wileland merged commit ba0692e into develop Feb 20, 2026
4 checks passed
