feat(rfc-008): P4d S6 seed-identity coupling guard (REQ-7) #417
Merged
Single-source the install seed as ENFORCE_CONFIG_SEED (install-manifest.mjs)
so install.mjs's write and the new guard bind the same bytes (Rule 14): a test
holding its own copy would be a tautology. The guard asserts the seed,
normalized through the real loadEnforceConfig, yields the same `active`
disposition as the absent-file identity {active:true}, so the seed can never
silently diverge from the fail-closed default.
The compare is semantic on `active`, not byte (F4/BL-2). Three composing
assertions rule out a false pass: a schema-valid pin proves the seed is
honor-able, the negative control (active:false) proves loadEnforceConfig
actually reads `active` on the honored branch, and the primary asserts equality.
Adversarial review (3 lenses, each finding independently verified): 0 blockers.
Fixed inline: comment precision (F1) and a second hand-typed seed copy in
test-s4-gate-e2e.mjs (F3) now bound to the const. CI wiring of the guard lands
in S8 (the plan's step 8.1 already names this test in the P12 EXPLICIT set).
Tests: test-enforce-config-seed-identity.mjs 6/6; s4-gate-e2e 5/5;
enforce-config 27/27; install-contract-deploy 36/36; uninstall 14/14;
enforcement-scope 17/17; activation-scoping 13/13; p12-global-clean 6/6.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
lantiscooperdev
left a comment
Collaborator
Review verdict: ACCEPT (0 blockers)
Reviewed the S6 seed-identity coupling guard across three layers (per-artifact, cross-file, PR-level) plus an adversarial 3-lens pass (test false-pass, Rule-14 drift, REQ-7 conformance) with independent verification of each finding.
What I checked
- Guard correctness / false-pass. The compare is semantic on `active` (correct: the seed bytes `{active:true}` cannot byte-equal `{active:true,bps:{}}`). The guard is sound: the schema-valid pin establishes honor-ability, and the negative control (active:false) proves `loadEnforceConfig` actually reads `active` on the honored branch, closing the "both fell through to identity" false-pass class. Reproduced against an always-fail-closed mutant loader: only the negative control catches that, and it ships in the suite.
- Rule-14 single-source. `ENFORCE_CONFIG_SEED` is now the sole source of the seed bytes; `install.mjs` binds it. A repo-wide grep confirms no other hand-copy survives after the s4 test was bound to the const.
- REQ-7 conformance. Semantic `active` compare, normalize/ignore `bps`, NEW seeds only, no migration, no default change. Matches plan section 14 Group 2.
- Cross-platform / wiring. `os.tmpdir` + `path`; no GNU-isms. Import wired correctly; the install seed write is byte-unchanged.
Findings (all non-blocking, dispositioned)
- F1 (nit): the original comment overstated the schema-valid pin. Fixed inline (now credits the negative control).
- F3 (low): `test-s4-gate-e2e.mjs` held a second hand-typed seed copy. Fixed inline (binds the const).
- F2 (low): the guard is not in CI until S8 (by design; S8 step 8.1 already names it in the P12 EXPLICIT set).
Tests (all green)
test-enforce-config-seed-identity.mjs 6/6; s4-gate-e2e 5/5; install-contract-deploy 36/36; enforce-config 27/27; uninstall 14/14; enforcement-scope 17/17; activation-scoping 13/13; p12-global-clean 6/6.
No blockers. User approval required to merge (Rule 17).
lantiscooperdev
approved these changes
Jun 21, 2026
RFC-008 P4d S6: seed-identity coupling guard (REQ-7)
Closes the S6 slice of docs/plans/p4d-s5-s8.md. Parents: R5 (per-project enforcement switch), R3 (effective-tier).
What
A coupling guard so the install seed can never silently diverge from `loadEnforceConfig`'s absent-file identity. No data migration and no default change (both still resolve to enforce-ON); the guard turns a future divergence into a loud test failure rather than a silent one (Rule 14).
- `scripts/lib/install-manifest.mjs`: new `ENFORCE_CONFIG_SEED` single-source const (the exact bytes install seeds).
- `install.mjs`: imports and writes the const at the `5b-ec-cfg` seed block (was an inline literal); comment updated.
- `tests/test-enforce-config-seed-identity.mjs` (new): the guard.
- `tests/test-s4-gate-e2e.mjs`: the `active:true` restore step now binds the const (was a second hand-typed copy; review F3).
How the guard works (semantic, not byte)
The seed bytes `{active:true}` can never byte-equal the object `{active:true,bps:{}}`, so the compare is on the load-bearing `active` field (F4/BL-2). Three composing assertions rule out a false pass:
- a schema-valid pin proves the seed is honor-able (normalized through the real `loadEnforceConfig`);
- the negative control (`active:false`) proves `loadEnforceConfig` actually reads `active` on the honored branch;
- the primary asserts the seed's `active` equals the identity's `active`.
Verification
Rule-14 check: a repo-wide grep confirms the only remaining copy of the seed bytes is the const definition.
Review (Rule 18 step 6)
Adversarial 3-lens review (test false-pass / Rule-14 drift / REQ-7 conformance), each finding independently verified. 0 blockers.
Out of scope
CI wiring of this guard is S8 (hard dep S6 then S8). No data migration of existing seeded files; no default change.
🤖 Generated with Claude Code
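As an added example (not the project's loader or test; `ENFORCE_CONFIG_SEED`, `IDENTITY` and `loadEnforceConfig` below are assumed stand-ins), the three composing assertions described in the PR body, written as a guard that can be run against a correct loader and against an always-identity mutant to show which false-pass class each assertion closes:

```javascript
// Added example, not the project's loader or test: a seed-identity coupling
// guard in the shape described above. ENFORCE_CONFIG_SEED, IDENTITY and
// loadEnforceConfig are assumed stand-ins for the real install-manifest/loader.

// Single-source seed: the exact bytes the installer would write (assumed value).
const ENFORCE_CONFIG_SEED = '{"active":true}\n';

// Absent-file identity: what the loader returns when the config is missing.
const IDENTITY = Object.freeze({ active: true, bps: {} });

// Assumed loader. Missing, unparsable or off-schema file -> fail-closed
// identity; a well-formed file is honored and normalized (bps defaults to {}).
function loadEnforceConfig(bytes) {
  if (bytes === undefined) return { ...IDENTITY };
  let parsed;
  try { parsed = JSON.parse(bytes); } catch { return { ...IDENTITY }; }
  if (parsed === null || typeof parsed !== "object" ||
      typeof parsed.active !== "boolean") return { ...IDENTITY };
  return { active: parsed.active, bps: parsed.bps ?? {} };
}

// Mutant loader that never honors the file: it always returns the identity,
// so the primary compare alone would still pass against it.
function alwaysIdentityLoader(_bytes) { return { ...IDENTITY }; }

// The three composing assertions. Returns the names of the checks that
// failed (empty array = guard passes) so it can be run against any loader.
function runSeedIdentityGuard(loader, seed = ENFORCE_CONFIG_SEED) {
  const failures = [];
  // 1. Schema-valid pin: the seed parses to an object with a boolean
  //    `active`, so the loader can honor it instead of falling through.
  let pinned = null;
  try { pinned = JSON.parse(seed); } catch { /* stays null */ }
  if (pinned === null || typeof pinned !== "object" ||
      typeof pinned.active !== "boolean") failures.push("schema-pin");
  // 2. Negative control: active:false must NOT come back as the identity's
  //    `active`; proves the loader reads `active` on the honored branch.
  const neg = loader(JSON.stringify({ active: false }));
  if (neg.active === IDENTITY.active) failures.push("negative-control");
  // 3. Primary: the seed's `active` equals the absent-file identity's `active`
  //    (semantic compare on `active`; `bps` is ignored, the seed has none).
  if (loader(seed).active !== loader(undefined).active) failures.push("primary");
  return failures;
}
```

The mutant loader is caught only by the negative control, and an unparsable seed only by the schema pin, which is why neither can be dropped in favour of the primary compare alone.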