10 KiB
GATE0 Probe-3 (#827) — Mos byte-scope-verify CO-ATTESTATION (v9 full-closure, env-isolated + bytecode-pinned)
Principal: Mos (orchestrator, merge authority for the mosaic-stack governance lane).
Committed under a DISTINCT git identity (mos-orchestrator@mosaic.local) — deliberately NOT the
ms-lead-reviewer@mosaic.local lane signer that authored the harness and the §3 review — so this
record stands as a distinct-identity co-attestation. See "Independence".
Verify class: independent provider-byte read (git show <full-40>:path | sha256sum) plus
source-level inspection of the executed mechanism and the v7→v9 delta. Not a re-build, not a re-run.
This SUPERSEDES the v7 co-attestation e08ad03 (and its SUPERSEDED note 2ae379e), which was
byte-clear on the v7 bar and was overtaken by homelab's third-principal FAIL @f609a449 (broker
env-isolation + executed-bytecode-cache) and the resulting B7/B8 bar.
Package under attestation
| Artifact | Ref |
|---|---|
| Branch | feat/827-gate0-probe |
| Harness commit-40 | 1c34e3cb3172acdcd094e683e847d7c984afc96c |
Harness p3_d4_focused_run.py sha256 |
29e5c7bfbe1911b52984bd94c79036bb1200ee82588318367b13c2b1053a0103 (32725 B) |
| §3-review-v9 commit-40 | e1c9a4682da2892ca5f5381012caffe1dd7b43a7 (parent == harness 1c34e3cb, byte-stable; adds only the review .md; ms-secrev-828 authored) |
| Review path | docs/compaction-refresh/reviews/GATE0-PROBE3-V9-LAUNCHERFIX-S3-REVIEW-v9.md |
Pinned closure (all 3 sha256 INDEPENDENTLY recomputed by Mos from git objects == pins == embedded harness constants):
| Member | Source (commit:path) | Pin sha256 | Size |
|---|---|---|---|
launcher launch-runtime.py |
f4008307:packages/mosaic/framework/tools/lease-broker/launch-runtime.py |
e950e422… |
4237 B |
helper lease_generation.py |
f4008307:packages/mosaic/framework/tools/lease-broker/lease_generation.py |
061625402f… |
3769 B |
broker p3_generation_broker.py |
23c0caca:docs/compaction-refresh/probes/p3_generation_broker.py |
4db4fef1… |
— |
f4008307(held WI-3 #830 gated head) is not on origin — recomputed launcher+helper from the localstack-cr-wi3-revokeworktree (HEAD ==f4008307); broker from origin23c0caca.
Findings — VERDICT: byte-scope + mechanism + hygiene PASS (v9 = v7 full-closure + B7 + B8)
The v7→v9 delta is exactly 22 insertions / 2 deletions, confined to the intended B7+B8+B6c surface; every prior invariant is byte-stable (outside the delta) from the v7 verify.
B7 — broker child env-ISOLATED (homelab finding 1 CLOSED). launch_verified_broker (:568) now
passes env=environment (the strict allow-list, :570) — the ambient-os.environ-inheritance hole
is gone — AND runs the broker with -I (:552, isolated: ignores PYTHON*/user-site) + -B
(:553). Both children are env-controlled: the launcher was already env=env at PiRpc (:53).
B8 — executed bytecode PINNED/SUPPRESSED (homelab finding 2 CLOSED). reject_pinned_bytecode
(:498) raises RuntimeError fail-closed if a __pycache__ dir or any *.pyc exists in the pinned
dir, and is called before each consumer (launcher :535, broker :562). Bytecode writes are
disabled via PYTHONDONTWRITEBYTECODE=1 (:729) in the allow-list env and -B on both command
lines. No unpinned .pyc can be executed; only the pinned .py re-hash governs.
B6c — launcher sibling-import PRESERVED (v8 regression FIXED). v8 over-applied -I to the
launcher; on Py3.11+ -I implies -P, dropping the script dir from sys.path[0], so the pinned
launcher's bare from lease_generation import (launch-runtime.py:15) would ModuleNotFoundError. v9
uses -s (:514) + -B (:515) on the launcher (NO -I) — neither touches sys.path[0], so the
sibling import still resolves to pinned/lease_generation.py. Mos empirically re-verified on host
Py3.11.2 (throwaway, not the harness): -I launcher → ModuleNotFoundError; -s+PYTHONNOUSERSITE
→ import OK. The launcher's env isolation comes from the PiRpc env= allow-list, NOT -I, so
dropping -I does not reopen B7. My earlier constraint-(c) assumption ("-I does not strip the
script dir") was FALSIFIED for 3.11+; the author≠reviewer gate (ms-secrev-828) caught it — recorded.
B5 conjunction (load-bearing repair) — HELD, all three legs (byte-stable from v7):
(a) materialized from pinned git-object bytes via materialize_closure/git_object_bytes, sha256==pin
fail-closed; (b) pinned/ mkdir(0o700) + O_EXCL|O_CLOEXEC 0o600, no writable window — now also
reject_pinned_bytecode closes the .pyc side-channel; (c) re-hash == pin IMMEDIATELY before each
exec, no interleaved yield: launcher re-hash (:538) → return PiRpc(command,…) whose __init__
first statement is Popen (:50); broker re-hash (:563) + helper re-hash (:566) → Popen
(:568) on the next line.
B6 — single pinned helper, complete closure. Broker gets --generation-module {closure.generation};
launcher resolves import lease_generation to the sibling pinned copy via sys.path[0].
closure_import_guard (:351, called :433) AST-rejects any non-stdlib import other than
lease_generation. Single broker: launch_verified_broker 1 def (:543) + 1 call (:766).
Invariants (all INTACT): BAR1 GATED_WI_HEAD == f4008307 (:36) and merge-base --is-ancestor 66b1e0a0 f4008307 = YES (file-backed .state revocation fidelity present); fidelity
generation_source=='state-file' (:639), state_file_in_fixture_root (:641),
MUTATOR_UNVERIFIED (:650), STALE_GENERATION (:651); lease_anchor_registered (:593);
-O-safe (0 bare assert); --runs choices=(3,) (:838); allow-list env (0 os.environ.copy);
ABSENT-sweep (yolo/execRuntime/p3_bank/promote_p2/retry) = 0; the only shutil.copy2
(:708) is the .pi/agent credential copy, not a closure copy.
Closure = exactly 3 files, materialized inside the fixture root. No path escapes the fixture temp
root; no live/default broker; .state fixture-bound. R1 owner tripwire NOT tripped — B7/B8
deepen isolation/binding of an already-authorized touch, they do not widen the touched surface.
Independence
Substantive principal-independence of review-v9 is satisfied by an orchestrator-dispatched,
builder-distinct Opus SECREV (ms-secrev-828, byte-only, non-builder, non-Mos). The shared
ms-lead-reviewer git signer on harness+review commits is evidentiary, not substantive — resolved by
(1) this Mos co-attestation under a distinct identity (mos-orchestrator) and (2) a homelab
third-principal verify under its own distinct identity = three distinct-identity principals of record.
Shared signer = tracked fleet-infra tooling-gap (durable fix = per-lane distinct signers), not a blocker.
Scope of this record — byte-clear, NOT fire-authorization
Producing probe evidence executes the Gate0 mechanism; a byte-clear is not a fire-authorization.
This clears bytes / scope / mechanism / hygiene on the v9 (full-closure + B7 + B8) bar. FIRE
remains gated on: homelab third-principal re-verify (4th round, own distinct identity) + Mos
transparency-to-Jason + Mos explicit FIRE GO. Until then: nothing banked, WI-3 #830 held at
f4008307 (unmoved), C-hatch armed (materialized-closure rig still no-fire / wrong-value /
assertion-FAIL / isolation-FAIL → possible Case-C → STOP + escalate to Jason).
Mos verdict: v9 full-closure + B7 + B8 byte-scope + mechanism + hygiene PASS. Co-attestation of record — committed.
⚠️ SUPERSEDED — homelab v9 4th-round FAIL @1c34e3cb raised a stricter startup-closure bar
This co-attestation was byte-clear on the v9 (env-iso + bytecode-pin) bar ONLY and self-limited above to "byte-clear NOT fire-authorization; FIRE remains gated on homelab 4th-round re-verify." Homelab (the required third principal) returned FAIL @1c34e3cb (static, nothing executed), and Mos UPHELD it after independently confirming the finding in-source AND empirically on host Py3.11.2 — so the v9 byte-clear this document records is SUPERSEDED and does NOT authorize FIRE.
Residual startup-closure hole (empirically reproduced by Mos; accepted as gate-STRENGTHENING):
neither child carries -S, so CPython imports the site module before the script runs. -s
(launcher) suppresses only user-site; -I (broker) implies -s -E -P but NOT -S. Proven:
[-s -B ] no_site=0 site_imported=True ← v9 launcher: site runs
[-I -B ] no_site=0 site_imported=True ← v9 broker: -I does NOT imply -S
[-s -S -B] no_site=1 site_imported=False ← v10 launcher fix (sibling import STILL resolves)
[-I -S -B] no_site=1 site_imported=False ← v10 broker fix (additive)
System-site executable .pth lines + sitecustomize/usercustomize can therefore run unpinned startup
code before the exact launcher/broker and outside closure_import_guard, while every hash +
reject_pinned_bytecode + import-guard still pass — defeating hashed==executed on the full startup
closure (strictly wider than the module-import closure v9 cleared). A genuine fidelity hole for a
fail-closed DO-178C evidence gate.
Mos authorized the bounded v10 repair: add -S to the launcher (keep -s -B, NOT -I) and
to the broker (keep -I -B) — a minimal 2-line delta; no B6c regression (launcher -s -S -B
sibling import empirically intact; -S does not touch sys.path[0]). Added review bar B9
(no-site startup closure). This rides the existing (ii)-full-closure authorization + R1 + Mos
adjudication (deepens startup-closure isolation of an already-authorized touch, inside the fixture
temp root, no fresh Jason owner-window) and is NOT a Case-C escalation (static pre-fire catch, no
probe fired). A separate FIRE-time constraint is captured: the 3× isolation dispatch must launch
the runner under externally-enforced python -I -S -B (a self-reexec is too late).
Live target = v10 (no-site harness, forthcoming). 1c34e3cb / e1c9a468 / this co-attestation
(f320d075) are SUPERSEDED; the prior 2-of-3 (ms-secrev-828 v9 §3 PASS + f320d075) does NOT
carry — all three distinct-identity principals re-verify the new v10 SHA. A fresh Mos co-attestation
will be committed on v10 byte-verify PASS. WI-3 #830 remains HELD at f4008307; nothing banked;
C-hatch armed (fired-rig only); NO FIRE.