feat: enforce workspace guard to prevent operations from project root

- Added `workspaceGuard.ts` to manage project root checks.
- Implemented `assertNotProjectRootWorkspace` to throw errors if operations are attempted from the project root.
- Updated various modules to include `workspaceRoot` in delegation trace entries.
- Modified `defaultTraceDir` to assert that it is not called from the project root.
- Added tests to ensure that operations from the project root are correctly blocked.

Author: lhy0718

ISSUES.md

@@ -77,11 +77,13 @@ export async function persistDelegationContract(
 }
 
 export function appendDelegationTrace(entry: {
+  workspaceRoot: string;
   runId: string;
   node: string | null;
   detail: string;
   decision: "allow_with_trace" | "require_review" | "hard_stop";
 }): void {
+  const traceDir = path.join(entry.workspaceRoot, ".autolabos", "governance", "traces");
   appendGovernanceTrace({
     timestamp: new Date().toISOString(),
     runId: entry.runId,
@@ -92,7 +94,7 @@ export function appendDelegationTrace(entry: {
     decision: entry.decision,
     matchedSlotId: null,
     detail: entry.detail
-  });
+  }, traceDir);
 }
 
 export async function prepareDelegationContractForRun(options: {
@@ -110,6 +112,7 @@ export async function prepareDelegationContractForRun(options: {
   const validation = validateDelegationContract(contract, policy);
   if (!validation.valid) {
     appendDelegationTrace({
+      workspaceRoot: options.workspaceRoot,
       runId: options.runId,
       node: options.node,
       decision: "require_review",
@@ -123,6 +126,7 @@ export async function prepareDelegationContractForRun(options: {
 
   const targetPath = await persistDelegationContract(options.workspaceRoot, options.runId, contract);
   appendDelegationTrace({
+    workspaceRoot: options.workspaceRoot,
     runId: options.runId,
     node: options.node,
     decision: "allow_with_trace",

src/governance/delegationContract.ts

@@ -2,6 +2,7 @@ import { appendFileSync, existsSync, mkdirSync, readFileSync } from "node:fs";
 import path from "node:path";
 
 import type { EvidenceScreeningResult, GovernanceDecision } from "./policyTypes.js";
+import { assertNotProjectRootWorkspace } from "../workspaceGuard.js";
 
 export interface GovernanceTraceEntry {
   timestamp: string;
@@ -16,7 +17,9 @@ export interface GovernanceTraceEntry {
 }
 
 function defaultTraceDir(): string {
-  return path.join(process.cwd(), ".autolabos", "governance", "traces");
+  const cwd = process.cwd();
+  assertNotProjectRootWorkspace(cwd, "Governance trace logging");
+  return path.join(cwd, ".autolabos", "governance", "traces");
 }
 
 export function appendGovernanceTrace(

src/governance/governanceTrace.ts

@@ -1774,6 +1774,7 @@ export class InteractionSession {
       const controller = new AutonomousRunController(this.runStore, this.orchestrator, this.eventStream);
       const outcome = await controller.runOvernight(run.id, buildDefaultOvernightPolicy(), { abortSignal });
       appendDelegationTrace({
+        workspaceRoot: this.workspaceRoot,
         runId: run.id,
         node: run.currentNode,
         decision: "allow_with_trace",
@@ -1818,6 +1819,7 @@ export class InteractionSession {
       const policy = buildDefaultAutonomousPolicy();
       const outcome = await controller.runAutonomous(run.id, policy, { abortSignal });
       appendDelegationTrace({
+        workspaceRoot: this.workspaceRoot,
         runId: run.id,
         node: run.currentNode,
         decision: "allow_with_trace",

src/interaction/InteractionSession.ts

@@ -34,6 +34,7 @@ import { recoverCollectEnrichmentJobs } from "../core/nodes/collectPapers.js";
 import { detectExecutionProfile } from "./executionProfile.js";
 import { resolveNodeOptionsForPackage } from "../core/stateGraph/defaults.js";
 import { loadExplorationConfig } from "../core/exploration/explorationConfig.js";
+import { assertNotProjectRootWorkspace } from "../workspaceGuard.js";
 
 export interface AutoLabOSRuntime {
   paths: AppPaths;
@@ -65,7 +66,9 @@ export async function bootstrapAutoLabOSRuntime(opts?: {
   allowInteractiveSetup?: boolean;
   nodeOptionPackageName?: NodeOptionPackageName;
 }): Promise<RuntimeBootstrap> {
-  const paths = resolveAppPaths(opts?.cwd || process.cwd());
+  const cwd = opts?.cwd || process.cwd();
+  assertNotProjectRootWorkspace(cwd);
+  const paths = resolveAppPaths(cwd);
   const executionProfile = await detectExecutionProfile();
   const firstRunSetup = !(await configExists(paths));
 

src/runtime/createRuntime.ts

@@ -3535,6 +3535,7 @@ export class TerminalApp {
       const controller = new AutonomousRunController(this.runStore, this.orchestrator, this.eventStream);
       const outcome = await controller.runOvernight(run.id, buildDefaultOvernightPolicy(), { abortSignal });
       appendDelegationTrace({
+        workspaceRoot: process.cwd(),
         runId: run.id,
         node: run.currentNode,
         decision: "allow_with_trace",
@@ -3589,6 +3590,7 @@ export class TerminalApp {
       const policy = buildDefaultAutonomousPolicy();
       const outcome = await controller.runAutonomous(run.id, policy, { abortSignal });
       appendDelegationTrace({
+        workspaceRoot: process.cwd(),
         runId: run.id,
         node: run.currentNode,
         decision: "allow_with_trace",

src/tui/TerminalApp.ts

@@ -0,0 +1,21 @@
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+const PROJECT_ROOT = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
+
+export function getProjectRoot(): string {
+  return PROJECT_ROOT;
+}
+
+export function isProjectRootWorkspace(cwd: string): boolean {
+  return path.resolve(cwd) === PROJECT_ROOT;
+}
+
+export function assertNotProjectRootWorkspace(cwd: string, operation = "AutoLabOS"): void {
+  if (!isProjectRootWorkspace(cwd)) {
+    return;
+  }
+  throw new Error(
+    `${operation} must not run from the repository root (${PROJECT_ROOT}). Use test/ or another workspace directory instead.`
+  );
+}

src/workspaceGuard.ts

@@ -2,9 +2,16 @@ import { mkdtempSync } from "node:fs";
 import os from "node:os";
 import path from "node:path";
 
-import { describe, expect, it } from "vitest";
+import { afterEach, describe, expect, it } from "vitest";
 
 import { appendGovernanceTrace, readGovernanceTrace } from "../src/governance/governanceTrace.js";
+import { getProjectRoot } from "../src/workspaceGuard.js";
+
+const ORIGINAL_CWD = process.cwd();
+
+afterEach(() => {
+  process.chdir(ORIGINAL_CWD);
+});
 
 describe("governance trace", () => {
   it("appends and reads a trace entry", () => {
@@ -66,4 +73,22 @@ describe("governance trace", () => {
     expect(entries[0].inputSummary).toBe("one");
     expect(entries[1].inputSummary).toBe("two");
   });
+
+  it("refuses to use the project root as the default trace directory", () => {
+    process.chdir(getProjectRoot());
+
+    expect(() =>
+      appendGovernanceTrace({
+        timestamp: "2026-04-03T00:00:00.000Z",
+        runId: "run-root",
+        node: "review",
+        inputSummary: "root",
+        screeningResult: null,
+        triggeredRules: [],
+        decision: "allow_with_trace",
+        matchedSlotId: null,
+        detail: "should not write at project root"
+      })
+    ).toThrow("must not run from the repository root");
+  });
 });

tests/governanceTrace.test.ts

@@ -261,7 +261,7 @@ describe("paperSelection", () => {
     const selection = await selectPapersForAnalysis({
       llm: new SequenceResponseLlm([
         new Error(
-          '2026-03-12T08:56:03.104783Z  WARN codex_core::shell_snapshot: Failed to delete shell snapshot at "/Users/hanyonglee/.codex/shell_snapshots/tmp": Os { code: 2, kind: NotFound, message: "No such file or directory" }'
+          '2026-03-12T08:56:03.104783Z  WARN codex_core::shell_snapshot: Failed to delete shell snapshot at "<home>/.codex/shell_snapshots/tmp": Os { code: 2, kind: NotFound, message: "No such file or directory" }'
         ),
         '{"ordered_paper_ids":["p2","p1"]}'
       ]),
@@ -356,7 +356,7 @@ describe("paperSelection", () => {
     const selection = await selectPapersForAnalysis({
       llm: new SequenceResponseLlm([
         new Error(
-          '2026-03-12T08:56:03.104783Z  WARN codex_core::shell_snapshot: Failed to delete shell snapshot at "/Users/hanyonglee/.codex/shell_snapshots/tmp": Os { code: 2, kind: NotFound, message: "No such file or directory" }\n' +
+          '2026-03-12T08:56:03.104783Z  WARN codex_core::shell_snapshot: Failed to delete shell snapshot at "<home>/.codex/shell_snapshots/tmp": Os { code: 2, kind: NotFound, message: "No such file or directory" }\n' +
             "2026-03-12T08:56:03.586264Z  WARN codex_core::codex: startup websocket prewarm setup failed: You've hit your usage limit for GPT-5.3-Codex-Spark. Switch to another model now, or try again at 8:24 PM."
         )
       ]),

tests/paperSelection.test.ts

@@ -0,0 +1,15 @@
+import { describe, expect, it } from "vitest";
+
+import { bootstrapAutoLabOSRuntime } from "../src/runtime/createRuntime.js";
+import { getProjectRoot } from "../src/workspaceGuard.js";
+
+describe("runtime bootstrap workspace guard", () => {
+  it("refuses to bootstrap from the repository root", async () => {
+    await expect(
+      bootstrapAutoLabOSRuntime({
+        cwd: getProjectRoot(),
+        allowInteractiveSetup: false
+      })
+    ).rejects.toThrow("must not run from the repository root");
+  });
+});