Add decision effect constants and generateId utility

Addressed comments in PR:

- Add EFFECT_ALLOW/EFFECT_DENY constants to DecisionTypes.sys.mjs
- Replace hardcoded effect strings across security modules
- Add generateId(prefix) utility to SecurityUtils.sys.mjs
- Update SmartWindowIntegration and smartwindow.mjs to use generateId

Author: randy-concepcion

browser/components/smartwindow/content/smartwindow.mjs

@@ -14,6 +14,7 @@ import {
   CHAT_HISTORY_CONVERSATION_SELECTED_EVENT,
 } from "chrome://browser/content/smartwindow/chat-history.mjs";
 import { deleteInsight, getInsightSummariesForPrompt } from "./insights.mjs";
+import { generateId } from "chrome://global/content/ml/security/SecurityUtils.sys.mjs";
 
 const { ChatHistory, ChatHistoryConversation } = ChromeUtils.importESModule(
   "resource:///modules/smartwindow/ChatHistory.sys.mjs"
@@ -56,7 +57,7 @@ try {
 } catch (e) {
   // Actor already registered - this is expected if Smart Window
   // has been opened before in this browser session
-  if (!e.message?.includes("already registered")) {
+  if (!e.message?.toLowerCase().includes("already registered")) {
     console.error("Failed to register SmartWindowMeta actor:", e);
   }
 }
@@ -116,7 +117,7 @@ class SmartWindowPage {
     // Initialize security orchestrator (if enabled)
     // Creates the SessionLedger that tracks trusted URLs across tabs
     // Only initialize if Smart Window security is enabled
-    const sessionId = `smart-window-${Date.now()}-${Math.random().toString(36).slice(2, 11)}`;
+    const sessionId = generateId("smart-window");
     const securityEnabled = Services.prefs.getBoolPref("browser.smartwindow.security.enabled", true);
 
     if (securityEnabled) {

browser/components/smartwindow/content/utils.mjs

@@ -18,6 +18,7 @@ ChromeUtils.defineESModuleGetters(lazy, {
 import { createEngine } from "chrome://global/content/ml/EngineProcess.sys.mjs";
 import { SmartAssistEngine } from "moz-src:///browser/components/genai/SmartAssistEngine.sys.mjs";
 import { deleteInsight, findRelatedInsight, generateInsightsFromDirectChat } from "chrome://browser/content/smartwindow/insights.mjs";
+import { EFFECT_DENY } from "chrome://global/content/ml/security/DecisionTypes.sys.mjs";
 
 const { ChatHistoryMessage } = ChromeUtils.importESModule(
   "resource:///modules/smartwindow/ChatHistory.sys.mjs"
@@ -602,7 +603,7 @@ async function checkToolSecurity(toolName, toolParams, requestId) {
       },
     });
 
-    if (decision.effect === "deny") {
+    if (decision.effect === EFFECT_DENY) {
       return {
         allowed: false,
         reason: `Security policy blocked this action: ${decision.reason} (${decision.code})`,

toolkit/components/ml/security/DecisionTypes.sys.mjs

@@ -98,6 +98,10 @@ export class SecurityPolicyError extends Error {
   }
 }
 
+// Decision effect constants
+export const EFFECT_ALLOW = "allow";
+export const EFFECT_DENY = "deny";
+
 // Standard denial codes for consistent error handling across the security layer.
 export const DenialCodes = Object.freeze({
   // URL not present in the request-scoped link ledger.
@@ -131,7 +135,7 @@ export const ReasonPhrases = Object.freeze({
  */
 export const allow = () =>
   /** @type {SecurityDecisionAllow} */ ({
-    effect: "allow",
+    effect: EFFECT_ALLOW,
   });
 
 /**
@@ -150,7 +154,7 @@ export const deny = (
   policyId = "block-unseen-links"
 ) =>
   /** @type {SecurityDecisionDeny} */ ({
-    effect: "deny",
+    effect: EFFECT_DENY,
     policyId,
     code,
     reason,
@@ -163,12 +167,12 @@ export const deny = (
  * @param {SecurityDecision | undefined | null} decision - Decision to check
  * @returns {boolean} True if decision is allow
  */
-export const isAllow = decision => decision?.effect === "allow";
+export const isAllow = decision => decision?.effect === EFFECT_ALLOW;
 
 /**
  * Type guard: checks if a decision is a deny.
  *
  * @param {SecurityDecision | undefined | null} decision - Decision to check
  * @returns {boolean} True if decision is deny
  */
-export const isDeny = decision => decision?.effect === "deny";
+export const isDeny = decision => decision?.effect === EFFECT_DENY;

toolkit/components/ml/security/PolicyEvaluator.sys.mjs

@@ -3,6 +3,8 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 import {
+  EFFECT_ALLOW,
+  EFFECT_DENY,
   allow,
   deny,
 } from "chrome://global/content/ml/security/DecisionTypes.sys.mjs";
@@ -78,7 +80,7 @@ export class PolicyEvaluator {
    * @param {boolean} policy.enabled - Whether policy is active
    * @param {object} policy.match - Match criteria
    * @param {Array} policy.conditions - Conditions to evaluate
-   * @param {string} policy.effect - "deny" or "allow"
+   * @param {string} policy.effect - EFFECT_DENY or EFFECT_ALLOW
    * @param {object} policy.onDeny - Denial information
    * @param {object} action - Action being evaluated
    * @param {object} context - Request context
@@ -97,7 +99,7 @@ export class PolicyEvaluator {
       const result = ConditionEvaluator.evaluate(condition, action, context);
 
       if (!result) {
-        if (policy.effect === "deny") {
+        if (policy.effect === EFFECT_DENY) {
           return deny(policy.onDeny.code, policy.onDeny.reason, {
             policyId: policy.id,
             failedCondition: condition.type,
@@ -112,7 +114,7 @@ export class PolicyEvaluator {
       }
     }
 
-    if (policy.effect === "deny") {
+    if (policy.effect === EFFECT_DENY) {
       return null;
     }
 
@@ -152,7 +154,7 @@ export class PolicyEvaluator {
 
       appliedPolicies++;
 
-      if (decision.effect === "deny") {
+      if (decision.effect === EFFECT_DENY) {
         console.warn(
           `[PolicyEvaluator] Policy ${policy.id} denied action:`,
           decision.reason
@@ -210,12 +212,12 @@ export class PolicyEvaluator {
     if (!Array.isArray(policy.conditions)) {
       errors.push("Field 'conditions' must be an array");
     }
-    if (policy.effect !== "deny" && policy.effect !== "allow") {
+    if (policy.effect !== EFFECT_DENY && policy.effect !== EFFECT_ALLOW) {
       errors.push("Field 'effect' must be 'deny' or 'allow'");
     }
 
     // Conditional requirements
-    if (policy.effect === "deny" && !policy.onDeny) {
+    if (policy.effect === EFFECT_DENY && !policy.onDeny) {
       errors.push("Field 'onDeny' required when effect is 'deny'");
     }
     if (policy.onDeny && (!policy.onDeny.code || !policy.onDeny.reason)) {

toolkit/components/ml/security/SecurityLogger.sys.mjs

@@ -2,6 +2,8 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+import { EFFECT_DENY } from "chrome://global/content/ml/security/DecisionTypes.sys.mjs";
+
 const logConsole = console.createInstance({
   maxLogLevelPref: "browser.ml.logLevel",
   prefix: "SecurityLogger",
@@ -33,7 +35,7 @@ export class SecurityLogger {
         `[${phase}] Security evaluation error:`,
         error.message || error
       );
-    } else if (decision.effect === "deny") {
+    } else if (decision.effect === EFFECT_DENY) {
       logConsole.warn(
         `[${phase}] DENY: ${decision.code} - ${decision.reason} (${durationMs}ms)`
       );

toolkit/components/ml/security/SecurityOrchestrator.sys.mjs

@@ -5,6 +5,7 @@
 import { SessionLedger } from "chrome://global/content/ml/security/SecurityUtils.sys.mjs";
 import { SecurityLogger } from "chrome://global/content/ml/security/SecurityLogger.sys.mjs";
 import {
+  EFFECT_ALLOW,
   allow,
   deny,
 } from "chrome://global/content/ml/security/DecisionTypes.sys.mjs";
@@ -221,13 +222,13 @@ export class SecurityOrchestrator {
           action,
           context,
           decision: {
-            effect: "allow",
+            effect: EFFECT_ALLOW,
             reason: "Security disabled via kill switch",
           },
           durationMs: Date.now() - startTime,
           killSwitchBypass: true,
         });
-        return { effect: "allow" };
+        return { effect: EFFECT_ALLOW };
       }
 
       const policies = this.#policies.get(phase);

toolkit/components/ml/security/SecurityUtils.sys.mjs

@@ -10,6 +10,7 @@
  * - eTLD+1 (effective top-level domain) validation
  * - TabLedger: Per-tab trusted URL storage
  * - SessionLedger: Container for all tab ledgers in a Smart Window session
+ * - Unique ID generation (given a prefix)
  *
  * Security Model:
  * ---------------
@@ -436,3 +437,13 @@ export class SessionLedger {
     return this.tabs.size;
   }
 }
+
+/**
+ * Generates a unique ID with the given prefix.
+ *
+ * @param {string} prefix - Prefix for the ID (e.g., "req", "session")
+ * @returns {string} Unique ID like "req-1234567890-abc123def"
+ */
+export function generateId(prefix) {
+  return `${prefix}-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`;
+}

toolkit/components/ml/security/SmartWindowIntegration.sys.mjs

@@ -2,7 +2,7 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-import { SessionLedger } from "chrome://global/content/ml/security/SecurityUtils.sys.mjs";
+import { SessionLedger, generateId } from "chrome://global/content/ml/security/SecurityUtils.sys.mjs";
 
 const logConsole = console.createInstance({
   maxLogLevelPref: "browser.ml.logLevel",
@@ -27,7 +27,7 @@ let gSessionId = null;
  */
 export function initSecurityLayer(sessionId = null) {
   if (!sessionId) {
-    sessionId = `smart-window-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`;
+    sessionId = generateId("smart-window");
   }
 
   gSessionId = sessionId;
@@ -176,7 +176,7 @@ export function getRequestContext(
   });
 
   const actualRequestId =
-    requestId || `req-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`;
+    requestId || generateId("req");
 
   return {
     linkLedger,