Context
Following the recent P0 Memory Core wipe incident, forensic analysis revealed that the wipe was triggered by Playwright unit tests executing destructive cleanup operations on canonical production collections.
The Problem
While several test files correctly isolate their SQLite paths via aiConfig.storagePaths.graph, they fail to override the Chroma collection names (aiConfig.collections.memory and aiConfig.collections.session). Consequently, when cleanupChromaManager() is invoked during test teardown, it reads the default canonical names and deletes the production databases.
The Architectural Reality
The offending test files include:
test/playwright/unit/ai/mcp/server/memory-core/services/GraphService.spec.mjstest/playwright/unit/ai/mcp/server/memory-core/services/FileSystemIngestor.spec.mjstest/playwright/unit/ai/mcp/server/memory-core/services/PermissionService.spec.mjstest/playwright/unit/ai/mcp/server/memory-core/services/DatabaseService.backupPath.spec.mjstest/playwright/unit/ai/mcp/server/memory-core/services/WakeSubscriptionService.spec.mjstest/playwright/unit/ai/mcp/server/memory-core/services/CoalescingEngineService.spec.mjs
By contrast, SessionService.spec.mjs properly isolates these collections in its beforeAll block.
The Fix
- Update the
beforeAll blocks in the 6 offending test files to assign process-isolated names to aiConfig.collections.memory and aiConfig.collections.session.
- Add a hardcoded safety check in
test/playwright/unit/ai/mcp/server/memory-core/util.mjs to throw an error if cleanupChromaManager() is called against neo-agent-memory or neo-agent-sessions.
Acceptance Criteria
Out of Scope
- The universal destructive-operation guard for AI data stores, which is covered by #10845.
Related
Origin Session ID: e32b637d-4a13-4bfa-8518-974a31772835
Context
Following the recent P0 Memory Core wipe incident, forensic analysis revealed that the wipe was triggered by Playwright unit tests executing destructive cleanup operations on canonical production collections.
The Problem
While several test files correctly isolate their SQLite paths via
aiConfig.storagePaths.graph, they fail to override the Chroma collection names (aiConfig.collections.memoryandaiConfig.collections.session). Consequently, whencleanupChromaManager()is invoked during test teardown, it reads the default canonical names and deletes the production databases.The Architectural Reality
The offending test files include:
test/playwright/unit/ai/mcp/server/memory-core/services/GraphService.spec.mjstest/playwright/unit/ai/mcp/server/memory-core/services/FileSystemIngestor.spec.mjstest/playwright/unit/ai/mcp/server/memory-core/services/PermissionService.spec.mjstest/playwright/unit/ai/mcp/server/memory-core/services/DatabaseService.backupPath.spec.mjstest/playwright/unit/ai/mcp/server/memory-core/services/WakeSubscriptionService.spec.mjstest/playwright/unit/ai/mcp/server/memory-core/services/CoalescingEngineService.spec.mjsBy contrast,
SessionService.spec.mjsproperly isolates these collections in itsbeforeAllblock.The Fix
beforeAllblocks in the 6 offending test files to assign process-isolated names toaiConfig.collections.memoryandaiConfig.collections.session.test/playwright/unit/ai/mcp/server/memory-core/util.mjsto throw an error ifcleanupChromaManager()is called againstneo-agent-memoryorneo-agent-sessions.Acceptance Criteria
GraphService.spec.mjsproperly mocks Chroma collection names.FileSystemIngestor.spec.mjsproperly mocks Chroma collection names.PermissionService.spec.mjsproperly mocks Chroma collection names.DatabaseService.backupPath.spec.mjsproperly mocks Chroma collection names.WakeSubscriptionService.spec.mjsproperly mocks Chroma collection names.CoalescingEngineService.spec.mjsproperly mocks Chroma collection names.util.mjscleanupChromaManager()includes a hardcoded failsafe against canonical collection names.Out of Scope
Related
Origin Session ID: e32b637d-4a13-4bfa-8518-974a31772835