Files
stack/docs/compaction-refresh/reviews/GATE0-PROBE3-MOS-COATTEST-v-final.md

7.7 KiB
Raw Blame History

GATE0 Probe-3 (#827) — Mos byte-scope-verify CO-ATTESTATION (v-final)

Principal: Mos (orchestrator, merge authority for the mosaic-stack governance lane). Committed under a DISTINCT git identity (mos-orchestrator@mosaic.local) — deliberately NOT the ms-lead-reviewer@mosaic.local lane signer — so this record stands as a distinct-identity co-attestation, not a same-signer duplicate. See "Independence" below.

Verify class: independent provider-byte read (guarded git show <full-40>:path | sha256sum from a read-only clone of mosaicstack/stack). Not a re-build, not a re-run — a byte/scope/hygiene audit of the exact committed objects on the provider branch.

Package under attestation

Artifact Ref
Branch feat/827-gate0-probe
Harness commit-40 2d54a9dd14cb924701b2ae4ed72dae4df760c4e3
Harness p3_d4_focused_run.py sha256 15a154df55273f51301763a984485fd63813f6d1f05d2728abb9fb8b9c040b1a (27366 B)
§3-review-v6 commit-40 23c0caca9b5d44002e6184cd7f2b6c837e8795b2
Review path docs/compaction-refresh/reviews/GATE0-PROBE3-NEW56-S3-REVIEW-v6.md

sha256 re-confirmed against the checked-out object at HEAD:docs/compaction-refresh/probes/p3_d4_focused_run.py (git object id 8c68cd07…) — matches the relayed value byte-for-byte.

Findings — VERDICT: byte-scope + mechanism + hygiene PASS

Anchors. Harness sha256 matches (27366 B). review-v6 (23c0caca) parent == harness commit 2d54a9dd; review touches only the review .md (+82 lines, 1 file). Broker (p3_generation_broker.py) delta vs 48484938… = exactly the 16-line action=="source-invalid" handler purge, byte-stable otherwise.

NEW-6 (GATED_WI_ROOT off-by-one) — CLOSED. resolve_gated_wi_root() selects the worktree by git worktree list --porcelain enumeration, requires a UNIQUE match on HEAD==GATED_WI_HEAD (f400830738998db105107a2a4c69c7f2a2a6fd5d) AND branch==refs/heads/feat/830-compaction-revoke, then fail-closed re-validates (is-inside-work-tree==true, rev-parse HEAD==GATED_WI_HEAD); RuntimeError on ambiguity/mismatch. The HERE.parents[3].parent / "stack-cr-wi3-revoke" off-by-one and the hardcoded /home/hermes/... literal are gone — portable, zero hardcoded path.

NEW-5 (TOCTOU / pinned-executed-bytes) — CLOSED via approach (i), as mandated. The git-object sha256 pin (GATED_LAUNCHER_SHA256 = e950e422…) is the trust anchor. Ordering/marker .find() heuristics are downgraded to explicitly diagnostic-only ("never a substitute for the pin"). In launch_verified_pi() the executed working-tree file is re-hashed against the pin in the statement immediately before Popen (no interleaved yield/IO), and the launcher is executed in place at the pinned worktree path — the higher-risk approach (ii) copy-to-fixture (previously at 7ff63cd5 / 6164dc07) is reverted (the only remaining shutil.copy2 is the legitimate credential copy, not a launcher copy). Residual sub-statement TOCTOU window on a local file inside a non-adversarial operator fixture is within this probe's threat model; the gross precondition→much-later-exec gap homelab flagged is closed.

Hygiene — CLOSED. scrub_fixture_credentials(root) removes the entire .pi/agent subtree in a finally block (nested try/finally, after pi.close() + broker shutdown, before return root) and RuntimeErrors if the scrub fails — credentials are removed from retained evidence; logs retained.

Invariants byte-stable (all INTACT): assertion lease_anchor_registered; file-backed fidelity checks (generation_source=="state-file", state_file_in_fixture_root, MUTATOR_UNVERIFIED, STALE_GENERATION); -O-safe (0 bare assert); allow-list env (0 os.environ.copy); single broker; --runs choices=(3,); ABSENT-sweep (yolo/execRuntime/p3_bank/promote_p2/retry) = 0.

R1 mechanism-fidelity boundary — HELD. D4 exercises #830's real file-backed revocation (generation-{sid}.state / MOSAIC_LEASE_GENERATION_FILE, from 66b1e0a0); .state stays inside the fixture temp root; fixture-socket / child-write-escape / gettempdir isolation preconditions preserved; launcher exec is in place at the pinned worktree (same surface as R1, not a new production/live surface). No path escapes the fixture root. BEYOND-R1 tripwire NOT tripped.

Independence

  • Substantive principal-independence of review-v6 is satisfied by an orchestrator-dispatched, builder-distinct Opus SECREV (ms-secrev-828, byte-only, non-builder) — that IS the substance of Gate-16.
  • The shared ms-lead-reviewer git signer on harness+review commits is evidentiary, not substantive. It is resolved by (1) this Mos co-attestation committed under a distinct identity (mos-orchestrator), and (2) a homelab third-principal verify under its own distinct identity — i.e. three distinct-identity principals of record.
  • The shared signer is a tracked fleet-infra tooling-gap (durable fix = per-lane distinct signers), not a blocker.

Scope of this record — byte-clear, NOT fire-authorization

Producing probe evidence executes the Gate0 mechanism; a byte-clear is not a fire-authorization. This co-attestation clears the bytes/scope/hygiene. FIRE remains gated on: homelab third-principal verify + Mos transparency-to-Jason (real-Pi consumes operator model creds inside the isolated fixture, scrubbed post-run, never emitted) + Mos explicit FIRE GO. Until then: nothing banked, WI-3 #830 held at f4008307 (unmoved), C-hatch armed (if 3× isolation still no-fire / wrong-value / isolation-FAIL → possible Case-C → STOP + escalate to Jason).

Mos verdict: byte-scope + mechanism + hygiene PASS. Co-attestation of record — committed.


⚠️ SUPERSEDED — homelab third-principal FAIL raised a stricter bar (evidence-integrity note)

This co-attestation was byte-clear on the v6 bar ONLY and self-limited above to "byte-clear ONLY, NOT fire-authorization; FIRE remains gated on homelab third-principal verify." Homelab (the required third principal) subsequently returned FAIL @2d54a9dd, and Mos UPHELD it — so the v6 byte-clear this document records is SUPERSEDED and does NOT authorize FIRE.

Homelab's substantively-correct deepening (accepted as gate-strengthening, not softening):

  1. launch_verified_pi hashes the launcher then Popen/execve reopens the path → statement adjacency shrinks but does not eliminate TOCTOU; hashed-snapshot ≠ executed-bytes.
  2. lease_generation.py helper is unpinned, loaded from the mutable worktree → HEAD + launcher-pin do not bind the helper bytes.
  3. p3_generation_broker.py executes from the mutable worktree unhashed → reviewed broker bytes need not be the evidence-producing bytes.

For a fail-closed DO-178C evidence gate, hashed==executed must hold on the FULL executed closure (launcher + helper + broker), which v6 (approach (i) adjacency) does not meet. Mos therefore authorized approach (ii) full-closure materialization (SHA-pin + materialize the full closure into a fixture-private 0700/0600 dir or held verified fds, exec from there, launcher+broker consume the same pinned helper; re-hash==f4008307 pins immediately before exec, fail-closed). This rides the existing R1 authorization + Mos adjudication authority (it deepens isolation of already-authorized touch and stays inside the fixture temp root → R1 owner tripwire not tripped; no fresh owner window).

Live target = v7 (materialized-closure harness, forthcoming). 2d54a9dd / 23c0caca / this co-attestation (12914d8) are SUPERSEDED. A fresh Mos co-attestation will be committed on v7 byte-verify PASS. WI-3 #830 remains HELD at f4008307; nothing banked; C-hatch armed.