@@ -491,6 +491,8 @@ const FORMULA_EXAMPLE_GROUPS: &[FormulaExampleGroup] = &[
491491 r#"always([+ROTATE_DATABASE_PASSWORD] true -> eventually(<+NOTIFY_DATABASE_OWNER> true))"#,
492492 r#"always([+SERVICE_ACCOUNT_KEY_COMPROMISED] true -> (<+REVOKE_SERVICE_ACCOUNT_KEY> true | <+DISABLE_SERVICE_ACCOUNT> true))"#,
493493 r#"always([+REVOKE_SERVICE_ACCOUNT_KEY] true -> eventually(<+NOTIFY_SERVICE_OWNER> true))"#,
494+ r#"always([+CONTAINER_REGISTRY_TOKEN_LEAKED] true -> (<+ROTATE_REGISTRY_TOKEN> true | <+DISABLE_REGISTRY_PUSH> true))"#,
495+ r#"always([+ROTATE_REGISTRY_TOKEN] true -> eventually(<+NOTIFY_REGISTRY_OWNER> true))"#,
494496 r#"next(<+APPROVE> true)"#,
495497 r#"next((<+APPROVE> true | [<+REJECT>] true))"#,
496498 r#"<+WAIT> true until <+APPROVE> true"#,
@@ -4991,6 +4993,18 @@ F2: formula generated_2 {
49914993 ));
49924994 }
49934995
4996+ #[test]
4997+ fn synthesis_list_includes_container_registry_token_leak_prompt_examples() {
4998+ let output = synthesis_list_text();
4999+
5000+ assert!(output.contains(
5001+ "always([+CONTAINER_REGISTRY_TOKEN_LEAKED] true -> (<+ROTATE_REGISTRY_TOKEN> true | <+DISABLE_REGISTRY_PUSH> true))"
5002+ ));
5003+ assert!(output.contains(
5004+ "always([+ROTATE_REGISTRY_TOKEN] true -> eventually(<+NOTIFY_REGISTRY_OWNER> true))"
5005+ ));
5006+ }
5007+
49945008 #[test]
49955009 fn synthesis_list_includes_escrow_progression_prompt_examples() {
49965010 let output = synthesis_list_text();
@@ -14920,6 +14934,22 @@ gfp(X, []((X)) & ([<+ARCHIVE>] true))
1492014934 verify_synthesized_model(&model, &formulas).unwrap();
1492114935 }
1492214936
14937+ #[test]
14938+ fn verify_synthesized_model_accepts_container_registry_token_leak_prompt_examples() {
14939+ let formulas = parse_formula_strings(&[
14940+ "always([+CONTAINER_REGISTRY_TOKEN_LEAKED] true -> (<+ROTATE_REGISTRY_TOKEN> true | <+DISABLE_REGISTRY_PUSH> true))"
14941+ .to_string(),
14942+ "always([+ROTATE_REGISTRY_TOKEN] true -> eventually(<+NOTIFY_REGISTRY_OWNER> true))"
14943+ .to_string(),
14944+ ]);
14945+ let model = modality_lang::formula_synthesis::synthesize_from_formulas(
14946+ "ContainerRegistryTokenLeak",
14947+ &formulas,
14948+ );
14949+
14950+ verify_synthesized_model(&model, &formulas).unwrap();
14951+ }
14952+
1492314953 #[test]
1492414954 fn verify_synthesized_model_accepts_mixed_alternatives_with_signer_requirement() {
1492514955 let formulas = parse_formula_strings(&[
0 commit comments