Commit graph

12 commits

Author SHA1 Message Date
jedarden
319f81aaa3 test(bf-21hw8): add bounded predictor tests for PNG and TIFF
Add 4 new tests to verify PNG and TIFF predictor functions use row-by-row
processing with bounded peak memory (2x stride), never pre-allocating full
output buffers inside tests.

- test_png_predictor_budget_enforcement_small_fixture: 200-byte fixture,
  100-byte budget, verifies truncation at row boundary
- test_tiff_predictor_2_budget_enforcement_small_fixture: 160-byte fixture,
  80-byte budget, verifies row-by-row processing for grayscale
- test_png_predictor_multiple_selectors_budget_per_row: 25-byte fixture
  with all PNG selector types, verifies per-row budget checking
- test_tiff_predictor_2_rgb_budget_enforcement: 45-byte RGB fixture,
  verifies multi-byte pixel handling with budget enforcement

All fixtures are under 250 bytes, no full-buffer pre-allocation, tests
mirror the row-by-row discipline from bf-49wmw production fix.

Closes bf-21hw8
2026-05-23 13:35:57 -04:00
jedarden
98193ff098 test(bf-4xk2v): bound decompression-bomb tests with minimal crafted inputs
- Fix test_bomb_limit_flate to actually test early abort behavior
- Use 200-byte pattern (not large buffers) that compresses to ~50 bytes
- Set bomb_limit to 50 bytes to force truncation
- Assert output.len() < pattern.len() to verify truncation occurred
- Add documentation explaining the minimal input approach

Per bf-4xk2v: "Decompression-bomb and max_decompress_bytes tests must
trigger the STREAM_BOMB abort WITHOUT building the multi-GB decoded output
in memory. Use minimal crafted inputs and assert the byte-budget limit fires
early. Never pre-size a Vec to the claimed or decompressed length."

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-23 13:30:48 -04:00
jedarden
64efdd594e feat(pdftract-5u8bp): implement SVG clip generator
Implement SVG clip generator for --receipts=svg mode. Generates
self-contained SVG documents from TTF/OTF glyph outlines via
ttf-parser, with proper coordinate transform (PDF bottom-left
origin to SVG top-left origin) and color space conversion.

Components:
- SvgGenerator: filters glyphs by bbox, extracts outlines
- SvgPathBuilder: ttf-parser::OutlineBuilder impl for SVG paths
- pdf_color_to_css(): DeviceRGB/Gray/CMYK to CSS colors

Acceptance criteria:
- SVG validates via quick-xml parse roundtrip
- Aggregate size <= 500 KB for 100 receipts (test passes)
- No external resource references (self-contained)
- Handles missing glyph outlines gracefully
- Coordinate transform unit-tested: (220, 432) → (20, 8)

Also fix unstable as_str() → as_ref() in stream.rs test.

Closes pdftract-5u8bp

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-23 03:43:19 -04:00
jedarden
210c40de8c feat(pdftract-mcp): add MCP server implementation changes
Changes from Phase 6.7 child beads that were not committed earlier:

- Add subtle dependency for constant-time token comparison
- Add root directory for path-traversal protection in HTTP+SSE transport
- Update MCP server state to support --root flag
- Minor fixes and improvements across MCP modules

These changes support the 7 closed child beads:
- pdftract-5xq16: JSON-RPC 2.0 framing layer
- pdftract-67tm8: stdio transport
- pdftract-g0ro2: HTTP+SSE transport
- pdftract-24kut: transport mutual exclusion enforcement
- pdftract-1rami: tool catalog (10 tools)
- pdftract-6696g: path-traversal protection
- pdftract-zltqd: bearer-token auth

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-23 03:09:56 -04:00
jedarden
6a35bdd869 feat(pdftract-29z7b): implement unified diagnostic system + CLI commands
- Added `cmd_explain_diagnostic` function to CLI for detailed diagnostic code explanation
- Added `--list-diagnostics` and `--explain-diagnostic <code>` CLI commands
- Verified all Phase 1.1-1.5 modules use unified DiagCode (lexer, parser, xref, stream, catalog, outline, pages)
- DIAGNOSTIC_CATALOG provides metadata for all 61 diagnostic codes
- Diagnostic struct size: 56 bytes (within 48-64 target range)
- emit! macro provides ergonomic diagnostic emission
- INV-8 maintained: no panics in error paths

All diagnostic codes follow naming convention:
- STRUCT_*: PDF structure errors
- STREAM_*: Stream decoder errors
- XREF_*: Cross-reference table errors
- ENCRYPTION_*: Encryption-related errors
- OCR_*: OCR pipeline errors
- REMOTE_*: Remote source errors
- PAGE_*: Page-level errors
- FONT_*: Font pipeline errors
- GSTATE_*: Graphics state errors
- LAYOUT_*: Layout and reading order errors
- MCP_*: MCP server errors
- CACHE_*: Cache errors

References: Phase 1.6 (error recovery), INV-8, Phase 0.4 (clippy enforces doc comments)
2026-05-22 22:38:31 -04:00
jedarden
1959ff2446 feat(pdftract-3uu6v): implement LZWDecode with /EarlyChange parameter
- Add LZWDecoder filter using lzw crate v0.10
- Support /EarlyChange parameter (default 1, late 0)
  - Early change (1): Adobe/TIFF variant, code size increases BEFORE
  - Late change (0): GIF variant, code size increases AFTER
- Full predictor support (TIFF predictor 2, PNG predictors 10-15)
- Bomb limit protection with partial bytes on exceed
- INV-8 maintained: partial bytes returned on decode errors
- 23 tests pass (19 unit tests + 4 proptests)
- Fixtures generated using lzw crate for verification

Acceptance criteria:
- Critical test /EarlyChange=0 byte-perfect: PASS
- LZWDecode without /DecodeParms defaults: PASS
- LZWDecode + /Predictor 12: PASS
- Truncated stream partial bytes: PASS
- Bomb limit honored: PASS
- proptest no panic: PASS
- INV-8 maintained: PASS

Refs: Plan Phase 1.5 line 1142, PDF spec 7.4.4

Co-Authored-By: Claude Code <noreply@anthropic.com>
2026-05-22 22:38:31 -04:00
jedarden
e94f2abec4 fix(bf-49wmw): fix PNG-predictor unbounded pre-allocation
- Remove Vec::with_capacity(num_rows * row_size) pre-allocation in apply_png_predictors
- Remove Vec::with_capacity(data.len()) pre-allocation in apply_tiff_predictor_2
- Add MAX_ROW_BYTES (64 KB) to bound row size calculation
- Add is_row_size_clamped() check to detect suspicious PDF parameters
- Add max_output parameter to predictor functions for budget enforcement
- Track flate output separately, count predictor output against doc_counter
- Lower DEFAULT_MAX_DECOMPRESS_BYTES from 2GB to 512MiB

Row-by-row processing ensures peak memory stays at 2x stride regardless
of image height, preventing OOM from malicious PDF parameters.

Co-Authored-By: Claude Code <noreply@anthropic.com>
2026-05-22 17:26:27 -04:00
jedarden
9aa26a449e docs(pdftract-49f8): establish Cargo.lock policy and documentation
This commit implements the Cargo.lock policy for reproducible builds
across all workspace members (pdftract-core, pdftract-cli, pdftract-py).

Changes:
- Add CONTRIBUTING.md with lockfile-update workflow documentation
- Add .renovaterc.json for weekly lockfile-only PRs (human-gated)
- Add crates/pdftract-core/README.md with rationale for checked-in lockfiles
- Add notes/pdftract-49f8.md with verification note

The Argo workflow updates (pdftract-ci.yaml) are committed separately
in the declarative-config repo.

Acceptance criteria:
- PASS: Cargo.lock tracked by git, not in .gitignore
- PASS: Argo workflow templates document --locked/--frozen requirements
- WARN: Enforcement to be completed when placeholder templates are implemented
- WARN: Binary reproducibility verification deferred to pdftract-build-binaries implementation

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 18:13:14 -04:00
jedarden
c914eece6e test(pdftract-2bpf6): add FlateDecode predictor tests and proptests
Add missing tests for FlateDecode predictor functionality:
- test_png_predictor_14_rgba_paeth: Verify PNG predictor 14 (Paeth) on 8-bit RGBA
- test_flate_decode_performance_100mb: Performance benchmark (100 MB < 250 ms in release)
- proptest_flate_decode_no_panic: Random byte sequences never panic
- proptest_flate_decode_with_predictor_no_panic: Random predictor params never panic
- proptest_flate_decode_bomb_limit_no_panic: Bomb limits never panic

All acceptance criteria for pdftract-2bpf6 now PASS:
- PNG predictor 15 with all 6 selector types: byte-perfect
- Simple FlateDecode: byte-perfect round-trip
- TIFF predictor 2: 8-bit RGB delta-decoded correctly
- PNG predictor 14 (Paeth) on RGBA: correct output
- Truncated stream: returns partial bytes
- Bomb limit: 3 GB → 2 GB truncation
- Performance: < 250 ms for 100 MB (release mode)
- proptest: 256 random cases × 3 tests, no panics
- INV-8: all error paths return partial bytes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 01:08:21 -04:00
jedarden
b1317457e7 feat(pdftract-3nnqy): implement StreamDecoder trait, filter pipeline, and bomb limit
- StreamDecoder trait with decode() method for filter-specific decoding
- Per-filter implementations: FlateDecoder, ASCII85Decoder, ASCIIHexDecoder, PassthroughDecoder
- decode_stream() function with single and array filter handling
- Filter abbreviation normalization (/A85 -> ASCII85Decode, /Fl -> FlateDecode)
- ExtractionOptions with max_decompress_bytes (default 2 GB)
- Document-level decompression counter with chunked bomb limit checking
- Unknown filter returns raw bytes with STRUCT_UNKNOWN_FILTER diagnostic
- All 183 tests pass

Acceptance criteria:
- decode_stream() handles single-filter and array-filter cases: PASS
- /DecodeParms array correctly paired with /Filter array: PASS
- Critical test [/ASCII85Decode /FlateDecode] applies filters in order: PASS
- Filter abbreviations normalized: PASS
- 2 GB bomb limit with STREAM_BOMB diagnostic: PASS
- Unknown filter passthrough with STRUCT_UNKNOWN_FILTER: PASS
- INV-8 maintained (no panics, partial bytes on error): PASS

Co-Authored-By: Claude Code <noreply@anthropic.com>
2026-05-18 00:34:28 -04:00
jedarden
3c1c44129c feat(pdftract-7nav): add PdfStream helper methods and consolidate stream types
- Add filter(), decode_params(), length() helper methods to PdfStream in types.rs
- Remove duplicate PdfStream definition from stream.rs
- Update decode_stream to use types.rs PdfStream
- Fix stream tests to use PdfDict directly instead of PdfObject::Dict wrapper

Acceptance criteria:
- PdfObject size: 24 bytes (under 32-byte target)
- All 24 object types tests pass
- Name interner deduplicates correctly
- PdfDict preserves insertion order

Refs: pdftract-7nav

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-17 23:55:47 -04:00
jedarden
b535638104 feat(pdftract-2bsfc): implement document catalog parser with PageLabels number tree
Implement the document catalog parser (/Root traversal) for PDF documents.
The catalog parser extracts all key entries from the document catalog
including Pages, Outlines, MarkInfo, StructTreeRoot, AcroForm, Names,
Metadata, PageLabels, OCProperties, OpenAction, AA, and Version.

Key structures:
- MarkInfo: parses /MarkInfo dictionary with is_tagged, user_properties, suspects
- PageLabelStyle: enum for all label styles (D, R, r, A, a)
- PageLabel: single page label with style, prefix, and start value
- PageLabelsTree: number tree parser for /PageLabels with /Nums and /Kids support
- OcProperties: stub for OCG implementation (delegated to dedicated bead)
- Catalog: main catalog struct with all required and optional fields

Number tree implementation:
- Parses /Nums arrays (leaf nodes with alternating key-value pairs)
- Supports /Kids arrays (internal nodes for recursive tree traversal)
- Provides get_label_with_start() and get_label() methods for lookup
- Correctly formats roman numerals (uppercase/lowercase) and letter sequences

All 27 tests pass including proptests for fuzzing robustness (INV-8).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-17 23:45:45 -04:00