
feat(rfc-008): P4d S6 seed-identity coupling guard (REQ-7)#417

Merged
lantiscooperdev merged 1 commit into main from feat/rfc-008-p4d-s6-seed-identity on Jun 21, 2026

Conversation

@lantisprime

Owner

RFC-008 P4d S6: seed-identity coupling guard (REQ-7)

Closes the S6 slice of docs/plans/p4d-s5-s8.md. Parents: R5 (per-project enforcement switch), R3 (effective-tier).

What

A coupling guard so the install seed can never silently diverge from loadEnforceConfig's absent-file identity. No data migration and no default change (both still resolve to enforce-ON); the guard turns a future divergence into a loud test failure rather than a silent one (Rule 14).

  • scripts/lib/install-manifest.mjs: new ENFORCE_CONFIG_SEED single-source const (the exact bytes install seeds).
  • install.mjs: imports and writes the const at the 5b-ec-cfg seed block (was an inline literal); comment updated.
  • tests/test-enforce-config-seed-identity.mjs (new): the guard.
  • tests/test-s4-gate-e2e.mjs: the active:true restore step now binds the const (was a second hand-typed copy; review F3).

How the guard works (semantic, not byte)

The seed bytes {active:true} can never byte-equal the object {active:true,bps:{}}, so the compare is on the load-bearing active field (F4/BL-2). Three composing assertions rule out a false pass:

  • a schema-valid pin proves the seed is honor-able (would not hit a fail-closed branch of loadEnforceConfig);
  • the negative control (active:false) proves loadEnforceConfig actually reads active on the honored branch;
  • the primary asserts the seed's active equals the identity's active.

Verification

| Test | Result |
| --- | --- |
| test-enforce-config-seed-identity.mjs (new guard) | 6/6 |
| test-s4-gate-e2e.mjs (real install + real deployed stop-gate) | 5/5 |
| test-install-contract-deploy.mjs (T4 seed content + schema) | 36/36 |
| test-enforce-config.mjs (loadEnforceConfig regression) | 27/27 |
| test-uninstall-enforcement.mjs | 14/14 |
| test-enforcement-scope.mjs | 17/17 |
| test-activation-scoping-e2e.mjs | 13/13 |
| test-p12-global-clean.mjs | 6/6 |

Rule-14 check: a repo-wide grep confirms the only remaining copy of the seed bytes is the const definition.

Review (Rule 18 step 6)

Adversarial 3-lens review (test false-pass / Rule-14 drift / REQ-7 conformance), each finding independently verified. 0 blockers.

  • F1 (nit): comment overstated the schema-valid pin. Fixed inline (now credits the negative control).
  • F3 (low): a second hand-typed seed copy in the s4 test. Fixed inline (binds the const).
  • F2 (low): the guard is not wired into CI until S8 (by design; S8 step 8.1 already names this test in the P12 EXPLICIT set). No new issue.

Out of scope

CI wiring of this guard is S8 (hard dep S6 then S8). No data migration of existing seeded files; no default change.

🤖 Generated with Claude Code

Single-source the install seed as ENFORCE_CONFIG_SEED (install-manifest.mjs)
so install.mjs's write and the new guard bind the same bytes (Rule 14): a test
holding its own copy would be a tautology. The guard asserts the seed,
normalized through the real loadEnforceConfig, yields the same `active`
disposition as the absent-file identity {active:true}, so the seed can never
silently diverge from the fail-closed default.

The compare is semantic on `active`, not byte (F4/BL-2). Three composing
assertions rule out a false pass: a schema-valid pin proves the seed is
honor-able, the negative control (active:false) proves loadEnforceConfig
actually reads `active` on the honored branch, and the primary asserts equality.

Adversarial review (3 lenses, each finding independently verified): 0 blockers.
Fixed inline: comment precision (F1) and a second hand-typed seed copy in
test-s4-gate-e2e.mjs (F3) now bound to the const. CI wiring of the guard lands
in S8 (the plan's step 8.1 already names this test in the P12 EXPLICIT set).

Tests: test-enforce-config-seed-identity.mjs 6/6; s4-gate-e2e 5/5;
enforce-config 27/27; install-contract-deploy 36/36; uninstall 14/14;
enforcement-scope 17/17; activation-scoping 13/13; p12-global-clean 6/6.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
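The three composing assertions described in the PR's "How the guard works" section and restated in the commit message, written out as a runnable example. This is added illustration, not the project's test or its `install-manifest.mjs`: the value of `ENFORCE_CONFIG_SEED`, the `loadEnforceConfig` stand-in, the minimal schema check and the `readText` abstraction (used instead of real temp files so the block runs offline) are all assumptions. It also includes the always-fail-closed mutant loader the review mentions, so you can see that the primary assertion alone passes against it and only the negative control catches it.

```javascript
// Added example (not the project's code): a seed-identity coupling guard in the
// shape the PR describes. ENFORCE_CONFIG_SEED's value, loadEnforceConfig, the
// schema check and the readText abstraction are stand-ins (assumptions); the
// project's own versions are not shown on this page.

// Single-source seed constant: the exact bytes the installer writes (stand-in value).
const ENFORCE_CONFIG_SEED = '{"active":true}';

// Absent-file identity: enforcement ON with no per-project overrides.
const IDENTITY = Object.freeze({ active: true, bps: {} });

// Stand-in schema: an object with boolean `active` and, if present, object-valued `bps`.
function isSchemaValid(cfg) {
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) return false;
  if (typeof cfg.active !== 'boolean') return false;
  if ('bps' in cfg && (cfg.bps === null || typeof cfg.bps !== 'object' || Array.isArray(cfg.bps))) return false;
  return true;
}

// Stand-in loader. `readText` returns the config file's text, or null when the
// file is absent, so the example needs no filesystem. Every branch that cannot
// honor the file falls closed to the identity (enforce-ON).
function loadEnforceConfig(readText) {
  const text = readText();
  if (text === null) return { ...IDENTITY };                 // absent file: identity
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch {
    return { ...IDENTITY };                                  // unparseable: fail closed
  }
  if (!isSchemaValid(parsed)) return { ...IDENTITY };        // schema-invalid: fail closed
  return { active: parsed.active, bps: parsed.bps ?? {} };   // honored branch
}

// Mutant loader from the review's reproduction: never reads the file at all.
function alwaysFailClosedLoader() {
  return { ...IDENTITY };
}

// The guard. Returns each composing assertion separately so a caller can see
// which one failed; `pass` is their conjunction.
function seedIdentityGuard(loader, seedText = ENFORCE_CONFIG_SEED) {
  let seedParsed = null;
  try { seedParsed = JSON.parse(seedText); } catch { /* leave null: the pin fails below */ }

  // 1. Schema-valid pin: the seed would take the honored branch, not a fail-closed one.
  //    Without it a corrupt seed "passes" because both sides fall through to the identity.
  const schemaValidPin = seedParsed !== null && isSchemaValid(seedParsed);

  // 2. Negative control: active:false must come back active:false, proving the
  //    loader reads `active` on the honored branch rather than echoing the identity.
  const negativeControl = loader(() => '{"active":false}').active === false;

  // 3. Primary: the seed, normalized through the loader, has the identity's `active`.
  //    The compare is on `active` only; `bps` is normalized away, since the seed
  //    bytes can never byte-equal the identity object.
  const fromSeed = loader(() => seedText);
  const fromAbsent = loader(() => null);
  const primary = fromSeed.active === fromAbsent.active && fromAbsent.active === IDENTITY.active;

  return { schemaValidPin, negativeControl, primary, pass: schemaValidPin && negativeControl && primary };
}

console.log('real loader:', seedIdentityGuard(loadEnforceConfig));
console.log('mutant loader:', seedIdentityGuard(alwaysFailClosedLoader));
```

Against the stand-in loader the guard passes; against the mutant, `primary` is still true (both sides fell through to the identity) and only `negativeControl` is false, which is the false-pass class the negative control exists to close. A corrupt seed fails only the pin, and a seed carrying a `bps` map still passes, showing that the compare is semantic on `active` rather than on bytes.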

@lantiscooperdev lantiscooperdev left a comment

Collaborator


Review verdict: ACCEPT (0 blockers)

Reviewed the S6 seed-identity coupling guard across three layers (per-artifact, cross-file, PR-level) plus an adversarial 3-lens pass (test false-pass, Rule-14 drift, REQ-7 conformance) with independent verification of each finding.

What I checked

  • Guard correctness / false-pass. The compare is semantic on active (correct: the seed bytes {active:true} cannot byte-equal {active:true,bps:{}}). The guard is sound: the schema-valid pin establishes honor-ability, and the negative control (active:false) proves loadEnforceConfig actually reads active on the honored branch, closing the "both fell through to identity" false-pass class. Reproduced against an always-fail-closed mutant loader: only the negative control catches that, and it ships in the suite.
  • Rule-14 single-source. ENFORCE_CONFIG_SEED is now the sole source of the seed bytes; install.mjs binds it. A repo-wide grep confirms no other hand-copy survives after the s4 test was bound to the const.
  • REQ-7 conformance. Semantic active compare, normalize/ignore bps, NEW seeds only, no migration, no default change. Matches plan section 14 Group 2.
  • Cross-platform / wiring. os.tmpdir + path; no GNU-isms. Import wired correctly; the install seed write is byte-unchanged.

Findings (all non-blocking, dispositioned)

  • F1 (nit): the original comment overstated the schema-valid pin. Fixed inline (now credits the negative control).
  • F3 (low): test-s4-gate-e2e.mjs held a second hand-typed seed copy. Fixed inline (binds the const).
  • F2 (low): the guard is not in CI until S8 (by design; S8 step 8.1 already names it in the P12 EXPLICIT set).

Tests (all green)

test-enforce-config-seed-identity.mjs 6/6; s4-gate-e2e 5/5; install-contract-deploy 36/36; enforce-config 27/27; uninstall 14/14; enforcement-scope 17/17; activation-scoping 13/13; p12-global-clean 6/6.

No blockers. User approval required to merge (Rule 17).

@lantiscooperdev lantiscooperdev merged commit a256b13 into main Jun 21, 2026
3 checks passed
@lantisprime lantisprime deleted the feat/rfc-008-p4d-s6-seed-identity branch June 21, 2026 10:25
