feat(evaluator): implement relative offset resolution (#38)

[unclesp1d3r]

Summary

Implements OffsetSpec::Relative evaluator support per #38 using GNU file/libmagic semantics. Threads a "previous match end" anchor through EvaluationContext, advances it after each successful match by the bytes consumed (variable-width types include c-string NUL terminators and pstring length prefixes), and resolves Relative(delta) as last_match_end + delta with bounds and overflow checks.

Impact: 21 files changed (1984 insertions, 213 deletions). 945 lib tests + 14 relative-offset integration tests + 11 other integration suites + 163 doctests, all green. Clippy clean with -D warnings. CI: 22 pass, 0 failures, mergeable.

Review rounds completed: 4 internal passes (ce:review autofix, pr-review-toolkit ×2, Copilot PR reviewer). 0 critical/high findings outstanding.

Key design decisions

• Anchor is global-shared across child recursion, not save/restored. Siblings see the anchor wherever the deepest descendant of the previous sibling left it — matches GNU file semantics. The anchor value may increase or decrease as successive rules match at different positions; it is not a high-watermark. Documented in GOTCHAS.md §3.8.
• Top-level relative offsets resolve from anchor 0. Non-negative deltas behave like Absolute(N); negative deltas underflow to InvalidOffset (NOT interpreted like Absolute(-N)'s from-end semantics). Called out explicitly in the rustdoc for both resolve_offset and evaluate_single_rule.
• Pascal-string consumption is clamped against the remaining buffer. Prevents attacker-controlled length prefixes (e.g., \xFF\xFF\xFF\xFF) from poisoning the anchor to usize::MAX and silently suppressing all subsequent relative-offset rules. Found by adversarial review (SEC-001 / ADV-001), regression-tested with both BE and LE oversized-prefix cases. Documented as a reusable learning in docs/solutions/security-issues/pstring-anchor-poisoning.md.
• Fixed-width bytes_consumed is also bounds-checked. Per Copilot reviewer feedback, added offset.checked_add(width) <= buffer.len() guard so the helper is infallible regardless of caller discipline — no relying on "the engine only calls this after a successful read" as the only line of defense.
• Engine-internal items are pub(crate): bytes_consumed, last_match_end() getter, set_last_match_end() setter, and resolve_offset_with_context are deliberately not stable API surface. The anchor-threading contract is internal and shouldn't lock in semver guarantees.

Behavior changes

OffsetSpec::Relative previously returned EvaluationError::UnsupportedType. It now resolves:

Entry point	Relative(N) for N ≥ 0	Relative(-N) for N > 0
evaluate_rules + EvaluationContext	Resolves against actual last_match_end + N	last_match_end - N if in bounds, else InvalidOffset
evaluate_single_rule (no context)	Resolves to absolute N	InvalidOffset (anchor 0 underflow)
resolve_offset (no context)	Same as evaluate_single_rule	Same as evaluate_single_rule

Callers with existing error-handling code that pattern-matched UnsupportedType for relative offsets must remove that arm. Documented in the rustdoc for all three entry points.

Implementation

• EvaluationContext::last_match_end field with pub(crate) getter/setter, cleared by reset() alongside current_offset and recursion_depth
• evaluator::types::bytes_consumed (pub(crate)) with buffer clamping for both fixed-width and variable-width (c-string, pstring) branches; string_bytes_consumed and pstring_bytes_consumed re-derive consumption directly from the buffer (not from Value::String, which can drift via from_utf8_lossy)
• evaluator::offset::relative::resolve_relative_offset with isize::try_from + checked_add_signed bounds, mapping over/underflow to InvalidOffset and out-of-buffer to BufferOverrun
• evaluator::offset::resolve_offset_with_context (pub(crate)) dispatcher; existing resolve_offset (pub) delegates with last_match_end = 0 so existing call sites are unchanged
• evaluator::engine::evaluate_single_rule_with_anchor private helper; evaluate_rules updates the anchor before recursing into children, never saves/restores (GNU file global semantics)
• evaluate_rules graceful-skip arm for child-evaluation errors: debug! → warn! with a tightened comment noting the asymmetry (parent emitted, child silently dropped if the defensive arm fires)

Test coverage

Unit tests (30+ new):

• 4 tests for EvaluationContext::last_match_end (field / clone / reset / set-get)
• 18 tests for bytes_consumed (fixed-width all types, c-string with/without NUL, max_length truncation, pstring 1/2/4-byte BE/LE, /J flag well-formed, /J underflow with multi-byte width, oversized prefix clamping BE+LE, boundary cases, usize::MAX overflow)
• 10 tests for resolve_relative_offset (positive/negative/zero deltas, top-level anchor=0, last-valid-index, underflow, overflow at usize::MAX, target past end, target == buffer.len())
• 5 dispatcher tests in offset/mod.rs (relative via context, top-level default, passthrough for Absolute/FromEnd/Indirect)
• 3 tests in engine/tests.rs pinning evaluate_single_rule contracts (positive delta → absolute N, zero delta → start, negative delta → Err(InvalidOffset))
• 1 test injecting a near-saturation anchor (usize::MAX) via the pub(crate) setter to verify all three Relative variants skip gracefully without panic

Integration tests (14 in tests/relative_offset_evaluation.rs):

• Numeric chain (parent + relative child)
• Positive/negative delta children
• Three-level chain marching forward
• String parent + relative child (NUL terminator accounting)
• PString parent + relative child (prefix accounting)
• Top-level zero anchor
• Sibling propagation at top level
• Non-matching intermediate sibling preserves anchor
• Anchor decreases when later sibling matches at lower position (non-monotonic semantics pinned)
• Context reset between buffers
• Out-of-bounds skip
• Underflow skip

Documentation

• AGENTS.md — "Currently Implemented" / Module Organization / Quick Reference sections updated; docs/solutions/ pointer added for knowledge-store discoverability
• GOTCHAS.md — new §3.8 documents the no-save-restore anchor semantics; §2.1 checklist updated to include bytes_consumed exhaustive-match requirement for new TypeKind variants
• docs/src/evaluator.md — Offset Resolution section rewritten for the two-case Relative behavior; EvaluationContext "Key Methods" split into Public vs Internal (pub(crate)) sections; Implementation Status checklist updated for Evaluator: implement indirect offset resolution #37 and Evaluator: implement relative offset resolution #38
• docs/solutions/security-issues/pstring-anchor-poisoning.md — NEW bug-track solution doc capturing the SEC-001 finding, failed first attempts, generalizable rule ("when advancing internal state by attacker-controlled byte counts, clamp against actual buffer reality, not raw input"), and prevention strategies
• docs/solutions/developer-experience/rust-test-visibility-boundary.md — NEW knowledge-track doc capturing the lesson that tests needing pub(crate) items must live in src/.../tests.rs, not tests/

Scope notes

A handful of files in the diff are incidental and not part of the #38 implementation:

• .bun-version + mise.lock + mise.toml — tool version pins that came in via merge-from-main
• tessl.json — unrelated neonwatty/logo-designer-skill dependency added in commit b1f62fa
• docs/src/architecture.md + docs/src/compatibility.md — Dosu auto-updates from commit 3cf5d5a

Reviewers can skim these; they don't need deep review as part of the #38 work.

Post-Deploy Monitoring & Validation

No additional operational monitoring required. This is a library change to evaluator semantics:

• Runtime impact: magic rules with OffsetSpec::Relative now evaluate correctly instead of erroring with UnsupportedType
• API impact: the public resolve_offset and evaluate_single_rule signatures are unchanged; internal items are pub(crate) and don't lock semver
• Dependency impact: no new Rust crates; the unrelated tessl.json change is documented above
• Performance: bytes_consumed adds one bounds check per successful match (negligible); memchr in string_bytes_consumed is O(n) over a region the existing read_string already scans, so worst case is a bounded 2x constant factor on string matches

Behavior change is documented in the rustdoc and AGENTS.md so downstream callers see the migration note inline.

Review history

1. Initial implementation (c9a89f1) — feature + tests per the plan
2. ce:review autofix pass (b7e5938) — 12 safe_auto fixes including the SEC-001 pstring anchor poisoning fix, visibility narrowing to pub(crate), doc gaps on context reuse
3. Third-pass polish (4ebd9b7) — pr-review-toolkit feedback: "monotonic" wording fix, recursion_depth in context-reuse warning, 2 new tests
4. Copilot PR review (cd3a5e0) — bounds guard on fixed-width bytes_consumed, Relative negative-delta clarification, debug_assert! wording fix, docs/src/evaluator.md Public/Internal method split
5. Compound docs (41c75c3) — pstring-anchor-poisoning learning + docs/solutions/ discoverability pointer in AGENTS.md
6. Fourth-pass pr-review-toolkit (58210ab) — 6 findings: stale resolve_offset equivalence claim in docs/src/evaluator.md, log::warn! style consistency, evaluate_single_rule(Relative(-1)) test coverage, stale comments, implementation status checklist
7. Test visibility boundary learning (03f389b) — Rust developer-experience solution doc capturing the tests/ vs src/.../tests.rs gotcha hit during implementation

Test Plan

• All plan units complete (6 of 6)
• All plan requirements (R1-R9) verified met
• just ci-check passes locally
• cargo test passes (945 lib + 14 integration + 11 other suites + 163 doctest)
• cargo clippy --all-targets -- -D warnings clean
• cargo fmt --check clean
• 4 internal review rounds addressed
• CI green on push (22 pass, 7 release skipping, 0 failures)
• Maintainer review

Closes #38

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🏷️ Required labels (at least one) (3)

• rust
• testing
• compatibility

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: dab101e1-ba4b-46e4-851a-84827e313058

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 38-evaluator-implement-relative-offset-resolution

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Require conventional commit format per https://www.conventionalcommits.org/en/v1.0.0/. Skipped for bots.

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\(.+\))?!?:

🟢 Full CI must pass

Wonderful, this rule succeeded.

All CI checks must pass. Release-plz PRs are exempt because they only bump versions and changelogs (code was already tested on main), and GITHUB_TOKEN-triggered force-pushes suppress CI.

• check-success = coverage
• check-success = quality
• check-success = test
• check-success = test-cross-platform (macos-latest, macOS)
• check-success = test-cross-platform (ubuntu-22.04, Linux)
• check-success = test-cross-platform (ubuntu-latest, Linux)
• check-success = test-cross-platform (windows-latest, Windows)

🟢 Do not merge outdated PRs

Wonderful, this rule succeeded.

Make sure PRs are within 10 commits of the base branch before merging

• #commits-behind <= 10

[dosubot]

Related Documentation

3 document(s) may need updating based on files changed in this PR:

libMagic-rs

architecture /libmagic-rs/blob/main/docs/src/architecture.md — ⏳ Awaiting Merge

compatibility /libmagic-rs/blob/main/docs/src/compatibility.md — ⏳ Awaiting Merge

evaluator /libmagic-rs/blob/main/docs/src/evaluator.md — ⏳ Awaiting Merge

Note: You must be authenticated to accept/decline updates.

^{How did I do? Any feedback?}

[Copilot]

Pull request overview

Implements evaluator support for OffsetSpec::Relative (issue #38) by threading a “previous match end” anchor through EvaluationContext and using it during offset resolution, aligning behavior with GNU file/libmagic relative-offset semantics.

Changes:

• Add relative-offset resolution (last_match_end + delta) with overflow/underflow + bounds checks and a context-aware offset dispatcher.
• Track and advance EvaluationContext::last_match_end after each successful match using new types::bytes_consumed (including C-string NUL and pstring prefix semantics).
• Add extensive unit + integration tests and update project documentation/tooling pins.

Reviewed changes

Copilot reviewed 15 out of 16 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
src/evaluator/offset/relative.rs	Implements relative offset resolution with error mapping and unit tests.
src/evaluator/offset/mod.rs	Adds resolve_offset_with_context and makes resolve_offset delegate with anchor=0; updates tests/docs.
src/evaluator/mod.rs	Extends EvaluationContext with last_match_end getter/setter and reset behavior.
src/evaluator/engine/mod.rs	Threads anchor into rule evaluation and advances it via bytes_consumed; documents behavior.
src/evaluator/types/mod.rs	Adds bytes_consumed + helpers for string/pstring consumption (anchor advancement).
src/evaluator/types/tests.rs	Adds unit tests for bytes_consumed.
src/evaluator/tests.rs	Adds tests for EvaluationContext::last_match_end and reset/clone behavior.
tests/relative_offset_evaluation.rs	Integration tests covering relative chains, nesting, bounds failures, and context reset.
GOTCHAS.md	Documents relative-offset anchor semantics (no save/restore across recursion).
AGENTS.md	Updates evaluator/offset module docs and “currently implemented” feature list.
mise.toml	Pins several dev tool versions (was latest for some).
mise.lock	Updates lockfile to match tool pin changes.
.bun-version	Bumps Bun version to 1.3.11.

[codecov]

Codecov Report

❌ Patch coverage is 90.00000% with 23 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/evaluator/offset/relative.rs	89.13%	10 Missing ⚠️
src/evaluator/types/mod.rs	86.11%	10 Missing ⚠️
src/evaluator/engine/mod.rs	85.71%	3 Missing ⚠️

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

Copilot reviewed 16 out of 18 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 16 out of 18 changed files in this pull request and generated 4 comments.

[Copilot]

Pull request overview

Copilot reviewed 17 out of 19 changed files in this pull request and generated 4 comments.

[Copilot]

In the Magic File Format Compatibility matrix, both offset-related rows look inconsistent with current implementation details:

• Indirect offsets is marked as “📋 Planned”, but resolve_indirect_offset is implemented and the parser grammar already supports (base.type) syntax.
• Relative offsets is marked “✅ Complete”, but magic-file &+N/&-N parsing is still TODO (relative offsets are only reachable programmatically via the AST).
  Consider adjusting the table to reflect this split (e.g., indirect ✅, relative 🔄/partial with a note that evaluation is implemented but parser wiring is pending).

[Copilot]

The “Implementation Status” checklist is redundant/inconsistent:

• It already has “Offset resolution (absolute, relative, from-end)”, which includes relative offsets.
• It then lists “Relative offset support …” twice (lines 566 and 575).
  Consider collapsing these into a single relative-offset bullet (or keeping only the more specific anchor-tracking line) to avoid confusion about what’s actually newly implemented.

[Copilot]

Pull request overview

Copilot reviewed 19 out of 21 changed files in this pull request and generated 4 comments.

[Copilot]

In this EvaluationContext snippet, current_offset is described as being used for "relative calculations", but relative offsets now resolve via the GNU file anchor (last_match_end). If current_offset is no longer used for relative offset resolution (and isn’t used by evaluate_rules), consider rewording this comment to avoid suggesting it drives OffsetSpec::Relative semantics (or documenting what current_offset is used for today).