fix(observability): discriminator-lock the oneOf schema; align cockpit to 0.5.0

Three schema-validator tests were failing because the inbound-event
oneOf permitted fall-through: a tool.call with a missing required
field, or a runtime.metrics with a bad-type field, would be rescued by
the permissive generic branch. Add a branchIsStrictConst() guard and
rewrite the loop so once a strict-const branch claims a given type,
fall-through to the generic branch is forbidden. Also constrain
genericVariant.type to the 30 known Rust Event discriminators.

Bump inspector/Cargo.toml 0.1.0 -> 0.5.0 so the Rust cockpit matches
the Node SDK version reported by package.json. Cargo.lock regenerated
by cargo build --release.

Tests: 403 pass, 0 fail (was 400 / 3).

Author: klaiderman

docs/event-schema.json

@@ -25,11 +25,45 @@
       "minimum": 0
     },
     "genericVariant": {
-      "description": "Permissive fallback for any event whose type isn't well-typed in the oneOf below. Required: type (any string), time. Both producer (TS) and consumer (Rust) accept any type string here so wire-format extensions don't require a schema bump in lockstep. The Rust GenericPayload mirrors this — unknown discriminators round-trip via the flattened extras map.",
+      "description": "Fallback for known event types that aren't well-typed in the strict oneOf above. The `type` enum mirrors the Rust Event enum in inspector/src/event.rs exactly — unknown discriminators are rejected on BOTH sides (the Rust enum has no #[serde(other)] catch-all, and this validator now matches). Strict-branch types (runtime.metrics, tool.call, hydra.veto, pech.ledger, task.updated, code.modified, request.approval) are intentionally excluded from this enum: those types must satisfy their strict branch and cannot fall through to the generic permissive shape.",
       "type": "object",
       "required": ["type", "time"],
       "properties": {
-        "type": { "type": "string" },
+        "type": {
+          "type": "string",
+          "enum": [
+            "session.started",
+            "session.opened",
+            "session.closed",
+            "session.ended",
+            "phase.entered",
+            "phase.completed",
+            "plugin.loaded",
+            "plugin.health",
+            "tool.result",
+            "tool.error",
+            "sylph.veto",
+            "crow.trust",
+            "djinn.anchor",
+            "djinn.drift",
+            "gorgon.hotspot",
+            "naga.spec_check",
+            "lich.review",
+            "emu.context_update",
+            "task.created",
+            "task.started",
+            "task.blocked",
+            "task.completed",
+            "task.failed",
+            "code.generated",
+            "file.created",
+            "file.modified",
+            "test.run",
+            "test.passed",
+            "test.failed",
+            "pr.created"
+          ]
+        },
         "time": { "$ref": "#/definitions/time" },
         "session_id": { "type": "string" },
         "task_id": { "type": "string" },

inspector/Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "enchanter-inspector"
-version = "0.1.0"
+version = "0.5.0"
 edition = "2021"
 default-run = "enchanter"
 description = "Terminal-first TUI cockpit for the Enchanter AI runtime"

inspector/Cargo.toml

@@ -111,6 +111,20 @@ function branchTypeMatches(branch: SchemaNode, value: unknown): boolean {
   return false;
 }
 
+/** Is this branch a strict-discriminator branch (its `type` property pins a
+ *  single `const`)? Used to enforce no-fallthrough: when the input's `type`
+ *  matches a strict branch's const, only that branch may match — we will not
+ *  fall through to the generic permissive variant. Mirrors the Rust
+ *  serde(tag = "type") enum dispatch in inspector/src/event.rs, which has no
+ *  #[serde(other)] catch-all. */
+function branchIsStrictConst(branch: SchemaNode): boolean {
+  const properties = branch.properties as Record<string, SchemaNode> | undefined;
+  if (!properties) return false;
+  const typeSchema = properties.type;
+  if (!typeSchema) return false;
+  return Object.prototype.hasOwnProperty.call(typeSchema, 'const');
+}
+
 function ok(): ValidationResult {
   return { ok: true };
 }
@@ -184,27 +198,44 @@ function check(node: SchemaNode, value: unknown, path: string[]): ValidationResu
     }
   }
 
-  // oneOf — first match wins. If none match, prefer the failure from the
-  // branch whose `type` discriminator (const or enum) matched the input —
-  // that's the branch the producer "intended" to satisfy. Otherwise fall
-  // back to the deepest-path failure.
+  // oneOf — discriminator-aware. If a strict-const branch matches the
+  // input's `type` field, only that branch is allowed: failures there
+  // do NOT fall through to the generic permissive variant. This mirrors
+  // the Rust serde(tag = "type") enum dispatch on the consumer side and
+  // closes a hole where malformed strict events (missing required fields,
+  // wrong-type values) were silently rescued by the generic branch.
+  //
+  // When no strict branch's discriminator matches, the generic branch is
+  // tried; its own `type` enum decides whether the event is a known generic
+  // discriminator or an unknown event class that must be rejected.
   if (Array.isArray(schema.oneOf)) {
+    const branches = schema.oneOf as SchemaNode[];
+
+    // Look for a strict-const branch whose const matches the input's type.
+    for (const rawBranch of branches) {
+      const branch = deref(rawBranch);
+      if (branchIsStrictConst(branch) && branchTypeMatches(branch, value)) {
+        // Locked in: this is the only branch allowed to match. Return its
+        // result verbatim — no fallthrough to other branches (incl. generic).
+        const result = check(branch, value, path);
+        return result.ok ? ok() : result;
+      }
+    }
+
+    // No strict branch claimed this `type`. Try every remaining branch
+    // (non-strict-const, i.e. the generic variant). Pick the deepest-path
+    // failure as the best diagnostic if none match.
     let bestFail: ValidationResult | null = null;
-    let bestIntended = false;
-    for (const branch of schema.oneOf) {
-      const result = check(branch as SchemaNode, value, path);
+    for (const rawBranch of branches) {
+      const branch = deref(rawBranch);
+      if (branchIsStrictConst(branch)) continue; // already eliminated above
+      const result = check(branch, value, path);
       if (result.ok) return ok();
-      const intended = branchTypeMatches(deref(branch as SchemaNode), value);
-      const replace =
+      if (
         bestFail === null ||
-        (intended && !bestIntended) ||
-        (intended === bestIntended &&
-          !bestFail.ok &&
-          !result.ok &&
-          result.path.length > bestFail.path.length);
-      if (replace) {
+        (!bestFail.ok && !result.ok && result.path.length > bestFail.path.length)
+      ) {
         bestFail = result;
-        bestIntended = intended;
       }
     }
     if (bestFail !== null) return bestFail;