fix(guard): use UTF-8 safe string truncation in output preview logging (#3713)

lpcox · web-flow · commit b950a22d36a1 · 2026-04-13T09:26:55.000-07:00
## Summary Fixes #3711 — the WASM guard panics on multi-byte UTF-8 characters in tool response previews, poisoning the entire session. ## Root cause `label_response` in `lib.rs` truncates serialized JSON for debug logging using byte-index slicing (`&output_json[..500]`). When byte 500 falls in the middle of a multi-byte UTF-8 code point (CJK = 3 bytes, emoji = 4 bytes), Rust panics with "byte index is not a char boundary". Since this runs inside the WASM guest, the panic becomes a trap that permanently poisons the guard instance. ## Changes **New helper** — `safe_preview(s, max_bytes) -> &str`: - Uses `str::floor_char_boundary()` (stable since Rust 1.80) to find the nearest valid character boundary at or before the byte limit - Returns the full string when shorter than the limit **Three call sites fixed** in `label_response`: | Location | Before | After | |----------|--------|-------| | Path-specific output preview (~L808) | `&output_json[..500]` — **panics** | `safe_preview(&output_json, 500)` | | General output preview (~L939) | `&output_json[..500]` — **panics** | `safe_preview(&output_json, 500)` | | Input preview (~L752) | `from_utf8(&bytes[..500])` — silent drop | `safe_preview(full_str, 500)` — always logs | **8 unit tests** covering: - ASCII strings (under, at, and over the 500-byte limit) - CJK characters (3-byte UTF-8) crossing the boundary - Emoji (4-byte UTF-8) crossing the boundary - Accented characters (2-byte UTF-8) at exact boundary - Mixed ASCII + CJK content simulating real JSON payloads - Empty string edge case ## Evidence Discovered in `moeru-ai/airi` PR triage workflow ([run #24311673575](https://github.com/moeru-ai/airi/actions/runs/24311673575)) — a PR with a Chinese body caused the guard to crash, and all subsequent MCP calls failed with "WASM guard is unavailable after a previous trap". ## Verification `make agent-finished` passes — all unit + integration tests green.
diff --git a/guards/github-guard/rust-guard/src/lib.rs b/guards/github-guard/rust-guard/src/lib.rs
@@ -26,6 +26,23 @@ use std::sync::Mutex;
 const POLICY_SCOPE_ALL: &str = "all";
 const POLICY_SCOPE_PUBLIC: &str = "public";
 
+/// Maximum number of bytes to include in a log preview of serialized JSON.
+const PREVIEW_MAX_BYTES: usize = 500;
+
+/// Truncate a string to at most `max_bytes` bytes on a valid UTF-8 character
+/// boundary. Returns the full string when it is shorter than the limit.
+fn safe_preview(s: &str, max_bytes: usize) -> &str {
+    if s.len() <= max_bytes {
+        return s;
+    }
+
+    let mut end = max_bytes;
+    while end > 0 && !s.is_char_boundary(end) {
+        end -= 1;
+    }
+    &s[..end]
+}
+
 /// Global policy context for WASM runtime entry points.
 ///
 /// `label_agent` stores the parsed policy here; `label_resource` and
@@ -748,9 +765,22 @@ pub extern "C" fn label_response(
     // Read input bytes
     let input_bytes = unsafe { slice::from_raw_parts(input_ptr as *const u8, input_len as usize) };
 
-    // Log first 500 chars of input to debug structure
-    let preview_len = std::cmp::min(500, input_bytes.len());
-    if let Ok(preview) = std::str::from_utf8(&input_bytes[..preview_len]) {
+    // Log a bounded preview of the input for debugging.
+    // Only decode up to PREVIEW_MAX_BYTES so logging stays cheap, and
+    // if the prefix ends mid-codepoint, fall back to the valid UTF-8 prefix.
+    let preview_bytes = &input_bytes[..input_bytes.len().min(PREVIEW_MAX_BYTES)];
+    let preview = match std::str::from_utf8(preview_bytes) {
+        Ok(s) => s,
+        Err(e) => {
+            let valid_up_to = e.valid_up_to();
+            if valid_up_to == 0 {
+                ""
+            } else {
+                std::str::from_utf8(&preview_bytes[..valid_up_to]).unwrap_or("")
+            }
+        }
+    };
+    if !preview.is_empty() {
         log_info(&format!("    input_preview={}", preview));
     }
 
@@ -804,11 +834,7 @@ pub extern "C" fn label_response(
         };
 
         // Log output preview for debugging
-        let output_preview = if output_json.len() > 500 {
-            &output_json[..500]
-        } else {
-            &output_json
-        };
+        let output_preview = safe_preview(&output_json, PREVIEW_MAX_BYTES);
         log_info(&format!("    path_output_preview={}", output_preview));
 
         if output_json.len() as u32 > output_size {
@@ -935,11 +961,7 @@ pub extern "C" fn label_response(
     };
 
     // Log output preview for debugging
-    let output_preview = if output_json.len() > 500 {
-        &output_json[..500]
-    } else {
-        &output_json
-    };
+    let output_preview = safe_preview(&output_json, PREVIEW_MAX_BYTES);
     log_info(&format!("    output_preview={}", output_preview));
 
     if output_json.len() as u32 > output_size {
@@ -1177,4 +1199,87 @@ mod tests {
             final_integrity
         );
     }
+
+    // === UTF-8 safe preview tests (issue #3711) ===
+
+    #[test]
+    fn test_safe_preview_ascii_under_limit() {
+        let s = "hello";
+        assert_eq!(safe_preview(s, 500), "hello");
+    }
+
+    #[test]
+    fn test_safe_preview_ascii_at_limit() {
+        let s = "a".repeat(500);
+        assert_eq!(safe_preview(&s, 500), s.as_str());
+    }
+
+    #[test]
+    fn test_safe_preview_ascii_over_limit() {
+        let s = "a".repeat(600);
+        assert_eq!(safe_preview(&s, 500).len(), 500);
+    }
+
+    #[test]
+    fn test_safe_preview_cjk_boundary() {
+        // Each CJK character is 3 bytes in UTF-8. Build a string where byte 500
+        // falls in the middle of a character (500 is not divisible by 3).
+        // 166 chars = 498 bytes, 167 chars = 501 bytes.
+        let cjk = "中".repeat(167); // 501 bytes
+        assert_eq!(cjk.len(), 501);
+
+        let preview = safe_preview(&cjk, 500);
+        // Must truncate to 498 bytes (166 chars) — the last valid boundary before 500.
+        assert_eq!(preview.len(), 498);
+        assert_eq!(preview.chars().count(), 166);
+    }
+
+    #[test]
+    fn test_safe_preview_emoji_boundary() {
+        // 🎉 is 4 bytes in UTF-8. 125 emojis = 500 bytes exactly (boundary safe).
+        // 126 emojis = 504 bytes; truncating at 500 would split the 126th emoji.
+        let emoji = "🎉".repeat(126); // 504 bytes
+        assert_eq!(emoji.len(), 504);
+
+        let preview = safe_preview(&emoji, 500);
+        // Must truncate to 500 bytes (125 complete emojis).
+        assert_eq!(preview.len(), 500);
+        assert_eq!(preview.chars().count(), 125);
+    }
+
+    #[test]
+    fn test_safe_preview_mixed_content_near_boundary() {
+        // Simulate a JSON string with ASCII keys and a CJK value crossing byte 500.
+        // {"body":"<padding>中中中..."}
+        let prefix = "{\"body\":\"";      // 9 bytes
+        let padding = "x".repeat(489);    // 489 bytes — total so far: 498
+        let cjk_tail = "中中中中中";       // 5 × 3 = 15 bytes — subtotal: 513
+
+        let json = format!("{}{}{}\"}}",  prefix, padding, cjk_tail); // +3 bytes for "\"}}" => 516 total
+        assert!(json.len() > 500);
+
+        let preview = safe_preview(&json, 500);
+        // Byte 498 is the start of the first CJK char (498..501). Byte 500 is
+        // mid-character, so floor_char_boundary(500) should give 498.
+        assert_eq!(preview.len(), 498);
+        // Verify it's valid UTF-8 (implicit — it's a &str).
+        assert!(preview.ends_with('x'));
+    }
+
+    #[test]
+    fn test_safe_preview_empty_string() {
+        assert_eq!(safe_preview("", 500), "");
+    }
+
+    #[test]
+    fn test_safe_preview_two_byte_chars() {
+        // é is 2 bytes in UTF-8. 250 chars = 500 bytes (exact boundary).
+        // 251 chars = 502 bytes; byte 500 is the first byte of the 251st char.
+        let accented = "é".repeat(251); // 502 bytes
+        assert_eq!(accented.len(), 502);
+
+        let preview = safe_preview(&accented, 500);
+        assert_eq!(preview.len(), 500);
+        assert_eq!(preview.chars().count(), 250);
+    }
 }
