fix: improve WASM guard trap detection and logging for integrity audit W-2

Copilot · lpcox · web-flow · commit 81bb2f92b3b3 · 2026-03-28T00:08:17.000Z
Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/420f2df5-ad00-457a-869c-8f0e41731e6f Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
diff --git a/.github/workflows/integrity-filtering-audit.md b/.github/workflows/integrity-filtering-audit.md
@@ -98,17 +98,25 @@ For each downloaded artifact set, check:
    over-filtering or misconfiguration.
 
 3. **Guard errors**: Search gateway logs for `ERROR`, `Phase .* failed`,
-   `guard not initialized`, or `unknown REST endpoint`.
+   `guard not initialized`, `unknown REST endpoint`, or `WASM guard trap`.
 
-4. **Scope violations**: Check if any response contains data from repositories
+4. **WASM guard panics**: Search for `wasm error:` in gateway logs. A Rust guard
+   panic produces a `wasm error: unreachable` trap. After such a trap, the guard
+   marks itself permanently failed and all subsequent requests return an error until
+   the gateway is restarted. Look for `WASM guard trap` entries in `mcp-gateway.log`.
+
+5. **Scope violations**: Check if any response contains data from repositories
    NOT in the workflow's `allowed-repos` policy.
 
 ```bash
 # Example: Count DIFC events in JSONL
 grep -c 'difc_integrity' "$TMPDIR"/*/mcp-logs/rpc-messages.jsonl 2>/dev/null || echo "0"
 
-# Example: Find guard errors
-grep -iE 'error|failed|blocked|unknown' "$TMPDIR"/*/mcp-logs/mcp-gateway.log 2>/dev/null | head -20
+# Example: Find guard errors (including WASM traps)
+grep -iE 'error|failed|blocked|unknown|wasm error:|WASM guard trap' "$TMPDIR"/*/mcp-logs/mcp-gateway.log 2>/dev/null | head -20
+
+# Example: Specifically search for WASM guard panics
+grep -iE 'wasm error:|WASM guard trap|unreachable' "$TMPDIR"/*/mcp-logs/mcp-gateway.log 2>/dev/null
 ```
 
 ### Step 4: Classify Findings
@@ -117,7 +125,7 @@ Classify each finding by severity:
 - 🔴 **Critical**: Data leak (out-of-scope data returned), guard bypass, or
   labeling failure that could expose unauthorized data
 - 🟡 **Warning**: Over-filtering (legitimate data blocked), unscoped tags,
-  or zero DIFC events in a run that should have filtering
+  zero DIFC events in a run that should have filtering, or WASM guard trap
 - 🟢 **Info**: Normal filtering behavior, expected blocks, or configuration notes
 
 ### Step 5: Create Summary Issue
diff --git a/internal/guard/wasm.go b/internal/guard/wasm.go
@@ -40,9 +40,19 @@ type WasmGuard struct {
 	// Backend caller provided to the guard via host functions
 	backend BackendCaller
 
-	// mu serializes all calls to the WASM module
-	// WASM modules are single-threaded and cannot handle concurrent calls
+	// mu serializes all calls to the WASM module.
+	// WASM modules are single-threaded and cannot handle concurrent calls.
+	// All exported methods (LabelAgent, LabelResource, LabelResponse) hold mu
+	// for their entire duration, including any nested calls to callWasmFunction.
 	mu sync.Mutex
+
+	// failed and failedErr are set when the WASM module encounters a trap
+	// (e.g. unreachable instruction from a Rust panic). Once failed, all
+	// subsequent calls return an error immediately because the module's
+	// internal state may be corrupted.
+	// Both fields are accessed only while mu is held.
+	failed    bool
+	failedErr error
 }
 
 // NewWasmGuard creates a new WASM guard from a WASM binary file
@@ -781,8 +791,25 @@ func parsePathLabeledResponse(responseJSON []byte, originalData interface{}) (di
 	return pld.ToCollectionLabeledData(), nil
 }
 
-// callWasmFunction calls an exported function in the WASM module
+// isWasmTrap reports whether err is a WASM execution trap such as the
+// "wasm error: unreachable" produced when a Rust-compiled guard panics.
+func isWasmTrap(err error) bool {
+	return err != nil && strings.Contains(err.Error(), "wasm error:")
+}
+
+// callWasmFunction calls an exported function in the WASM module.
+// Precondition: g.mu must be held by the caller. All public methods
+// (LabelAgent, LabelResource, LabelResponse) hold g.mu for their entire
+// duration, satisfying this requirement.
 func (g *WasmGuard) callWasmFunction(ctx context.Context, funcName string, inputJSON []byte) ([]byte, error) {
+	// If the module has already trapped, refuse further calls immediately.
+	// A WASM trap may corrupt the module's internal state (e.g. the global
+	// policy context stored by label_agent), so all subsequent calls are
+	// unsafe until the guard is reloaded.
+	if g.failed {
+		return nil, fmt.Errorf("WASM guard '%s' is unavailable after a previous trap: %w", g.name, g.failedErr)
+	}
+
 	fn := g.module.ExportedFunction(funcName)
 	if fn == nil {
 		return nil, fmt.Errorf("function %s not exported from WASM module", funcName)
@@ -809,6 +836,14 @@ func (g *WasmGuard) callWasmFunction(ctx context.Context, funcName string, input
 	for attempt := 0; attempt < maxRetries; attempt++ {
 		result, requiredSize, err := g.tryCallWasmFunction(ctx, fn, mem, inputJSON, outputSize)
 		if err != nil {
+			if isWasmTrap(err) {
+				// A WASM trap (e.g. unreachable from a Rust panic) leaves the
+				// module in an undefined state. Log it prominently and mark the
+				// guard as permanently failed so callers get a clear error.
+				logger.LogError("backend", "WASM guard trap: guard=%s, func=%s, error=%v", g.name, funcName, err)
+				g.failed = true
+				g.failedErr = err
+			}
 			return nil, err
 		}
 
diff --git a/internal/guard/wasm_test.go b/internal/guard/wasm_test.go
@@ -5,6 +5,7 @@ import (
 	"context"
 	"encoding/binary"
 	"encoding/json"
+	"errors"
 	"testing"
 	"time"
 
@@ -1021,3 +1022,62 @@ func TestJSONMarshaling(t *testing.T) {
 		assert.Contains(t, string(inputJSON), "tool_result")
 	})
 }
+
+func TestIsWasmTrap(t *testing.T) {
+	t.Run("nil error is not a trap", func(t *testing.T) {
+		assert.False(t, isWasmTrap(nil))
+	})
+
+	t.Run("generic error is not a trap", func(t *testing.T) {
+		assert.False(t, isWasmTrap(errors.New("some error")))
+	})
+
+	t.Run("wrapped error containing wasm error is a trap", func(t *testing.T) {
+		err := errors.New("WASM function call failed: wasm error: unreachable")
+		assert.True(t, isWasmTrap(err))
+	})
+
+	t.Run("wasm error integer divide by zero is a trap", func(t *testing.T) {
+		err := errors.New("wasm error: integer divide by zero")
+		assert.True(t, isWasmTrap(err))
+	})
+
+	t.Run("wasm error out of bounds is a trap", func(t *testing.T) {
+		err := errors.New("wasm error: out of bounds memory access")
+		assert.True(t, isWasmTrap(err))
+	})
+}
+
+func TestWasmGuardFailedState(t *testing.T) {
+	t.Run("failed guard returns error immediately for callWasmFunction", func(t *testing.T) {
+		// Build a minimal valid WasmGuard by hand to exercise the failed-state path
+		// without needing a full WASM binary.
+		originalErr := errors.New("WASM function call failed: wasm error: unreachable")
+		g := &WasmGuard{
+			name:      "test-guard",
+			failed:    true,
+			failedErr: originalErr,
+		}
+
+		ctx := context.Background()
+		_, err := g.callWasmFunction(ctx, "label_response", []byte(`{}`))
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "unavailable after a previous trap")
+		assert.Contains(t, err.Error(), "test-guard")
+	})
+
+	t.Run("failed guard wraps original trap error", func(t *testing.T) {
+		originalErr := errors.New("WASM function call failed: wasm error: unreachable")
+		g := &WasmGuard{
+			name:      "my-guard",
+			failed:    true,
+			failedErr: originalErr,
+		}
+
+		ctx := context.Background()
+		_, err := g.callWasmFunction(ctx, "label_agent", []byte(`{}`))
+		require.Error(t, err)
+		// The original trap error should be reachable via errors.Is / errors.As
+		assert.ErrorIs(t, err, originalErr)
+	})
+}
