feat(v1.100 Amendment 3): code-B — dispatcher wires ExternalIndicator + Amendment-3 OrphanEvidence gathering (#527)

itcmsgr · claude · web-flow · commit 7c9b409d557e · 2026-04-29T16:52:59.000+03:00
* feat(v1.100 Amendment 3): code-B — dispatcher wires ExternalIndicator + Amendment-3 OrphanEvidence gathering Closes the dispatcher-side wiring gap surfaced by the post-merge audit of Amendment-3-code-A (PR #523). Without this PR, the engine's G1/AmbiguityConflictExternal split (added in PR #523) cannot be reached because the dispatcher does not (a) plumb auth.External into DecisionInput.ExternalIndicator, and (b) trigger gatherOrphanEvidence on the Amendment 3 quintuple shape. cmd/-side wiring only. Decision-layer engine.go untouched. Contract.md untouched. Mutation surfaces unchanged. State machine, exit codes, classifier, and CI all unchanged. Changes: cmd/nftban-installer/restore_decide.go (+50/-13) - DecisionInput initializer now sets ExternalIndicator: auth.External so the engine's §62 entry condition (external == "csf") can be evaluated. - OrphanEvidence-gathering condition extended to recognize EITHER candidate quintuple: * Amendment 2 (§54.3): AuthorityNFTBan + NoRecord + DA + flags * Amendment 3 (§62): AuthorityAmbiguous + ConflictExternal + external=="csf" + NoRecord + DA + flags - Diagnostic log line now reports both predicates (amd2_all_true, amd2_failed_row, amd3_all_true, amd3_failed_row) for observability; the engine consumes whichever is appropriate per the entry path. cmd/nftban-installer/restore_decide_evidence.go (+47/-3) - E.2 reframed per Amendment 3 §64.1: bool is true under EITHER Amendment 2's AuthorityNFTBan entry OR Amendment 3's AuthorityAmbiguous + AmbiguityConflictExternal + external=="csf" entry. Both candidate quintuples produce E.2=true; all other classifier states produce E.2=false (defensive — empty external, non-csf external, multi-external, OrphanNFTBan ambiguity, and AuthorityExternal all fail E.2). - E.13 evaluation tightened to match §54.1 / §64.1 wording exactly ("no AmbiguityOrphanNFTBan" — not the looser "no AuthorityAmbiguous" that conflated the two Amendment 3 ambiguity sub-kinds). Amendment 2 behavior preserved (its entry implies Ambiguity==None which is != OrphanNFTBan). cmd/nftban-installer/restore_decide_amendment3_test.go (NEW, +200) - TestAmd3Dispatcher_E2Reframed_AllTrueAmendment3_True confirms the Amendment 3 entry condition produces E.2=true and AllTrueAmendment3 passes (and Amendment 2's AllTrue() correctly fails because E.12 cannot be true under the §62 entry by construction). - TestAmd3Dispatcher_E2_FalseWhenMisclassified pins 7 classifier shapes: amd2-path-true, amd3-path-true, empty-external-false, ufw-external-false, multi-external-false, OrphanNFTBan-false, AuthorityExternal-false. - TestAmd3Dispatcher_FailedRow_Amendment3 verifies FailedRowIDAmendment3() returns "" on happy path and AMD3-E.7 when E.7 is mutated false. NOT touched: - internal/installer/restore/engine.go (lattice unchanged) - internal/installer/restore/types.go (struct unchanged) - internal/installer/restore/contract.md (no amendment) - internal/installer/uninstall/* (classifier unchanged) - internal/installer/state/* (state machine unchanged) - cmd/nftban-installer/main.go (history gate unchanged) - cmd/nftban-installer/flags.go (flag surface unchanged) - .github/workflows/* (CI unchanged) Test results (lab4): - go test ./cmd/nftban-installer/... → ok - go test ./internal/installer/restore/... → ok - go test ./... → 64 packages ok, 0 FAIL No host action. No binary rebuild. dns2 stays in canonical post-Gate-A state. Unblocks Gate B retry once a fresh Tier 1 binary is built from post-merge HEAD, distributed to dns2, signoff captured, reachability monitor activated, and pre-execution Gate B audit returns GO. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * refactor(v1.100 Amendment 3): code-B — split into separate gatherOrphanEvidenceAmendment3 helper per auditor recommendation Per auditor pre-draft review: implement Sub-gap 2a as a separate gatherOrphanEvidenceAmendment3() helper rather than a mode-conditional inside the existing gatherOrphanEvidence(). Mirrors the AllTrue() vs AllTrueAmendment3() split that PR #523 introduced in types.go and the decideAuthorityNFTBan() vs decideAmbiguityConflictExternal() split in engine.go. "Two helpers, shared rows, different entry-condition filling" — symmetric with the engine pattern. Refactor changes (no behavior delta vs the prior code-B commit on this branch): cmd/nftban-installer/restore_decide_evidence.go - populateSharedOrphanEvidenceRows(): private helper populates all rows EXCEPT E.2 (the entry-condition row). - gatherOrphanEvidence(): Amendment 2 — calls shared helper + sets E.2 = (Authority == AuthorityNFTBan). Restored to Amendment-2-byte-clean E.2 evaluation. - gatherOrphanEvidenceAmendment3(): Amendment 3 — calls shared helper + sets E.2 = (AuthorityAmbiguous + ConflictExternal + external == "csf"). New sibling helper. - E.13 retained at the contract-wording-exact form (Ambiguity != AmbiguityOrphanNFTBan); shared by both helpers via the populate function. cmd/nftban-installer/restore_decide.go - Dispatcher's evidence-gathering now switches on the candidate type: amd2Candidate calls gatherOrphanEvidence (unchanged from pre-Amendment-3 main); amd3Candidate calls gatherOrphanEvidenceAmendment3. - Diagnostic log line is now amendment-specific (no dual-predicate noise) — clearer audit trail per amendment. cmd/nftban-installer/restore_decide_amendment3_test.go - Renamed and reorganized test cases to test the two helpers independently: * TestGatherOrphanEvidenceAmendment3_* tests the Amendment 3 helper specifically (rejects Amendment 2 entry, accepts §62 entry, AMD3-E.2 attribution on external=ufw, omits E.12). * TestGatherOrphanEvidence_Amendment2Unchanged regression-tests the Amendment 2 helper: still strict on AuthorityNFTBan, rejects Amendment 3 entry. Why two helpers (auditor reasoning): - Audit-chain clarity: one helper per amendment, mirroring the engine.go and types.go split structure. - Each helper's CI grep gates and tests can reason about it independently. - No runtime classifier-state coupling between the dispatcher's inspection and the evidence-gathering. - Symmetric with AllTrue()/AllTrueAmendment3() in types.go. Test results (lab4): - go test ./cmd/nftban-installer/... → ok - go test ./internal/installer/restore/... → ok - go test ./... → 64 packages ok, 0 FAIL No host action. No engine.go change. No contract.md change. No new mutation surface. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/cmd/nftban-installer/restore_decide.go b/cmd/nftban-installer/restore_decide.go
@@ -134,22 +134,56 @@ func runRestoreDecide(ctx context.Context, exec executor.Executor, sf *state.Sta
 		},
 		PanelPresent: panelPresent,
 		Panel:        panel,
+		// Amendment 3 §62 entry condition: the engine consumes the
+		// classifier's external-authority string so the
+		// G1/AmbiguityConflictExternal/orphan-intent-candidate-csf
+		// sub-row can gate on `external == "csf"` (single, exact).
+		// Carrying it on every restore-mode invocation is cheap; the
+		// engine ignores it on every lattice path other than the
+		// Amendment 3 quintuple.
+		ExternalIndicator: auth.External,
 	}
 
-	// 6b. Amendment 2 §54.3: gather orphan-restore evidence ONLY when
-	// the candidate triple is otherwise present. This avoids
-	// unnecessary live reads on every restore-mode invocation, and
-	// preserves the §51.3 Option B boundary (no iptables introspection)
-	// by only running the predicate where it matters.
-	if auth.State == uninstall.AuthorityNFTBan &&
+	// 6b. Gather orphan-restore evidence ONLY when an orphan-intent
+	// candidate quintuple is otherwise present. Two entry conditions
+	// trigger evidence-gathering:
+	//
+	//   (i) Amendment 2 §54.3 — AuthorityNFTBan + NoRecord + DirectAdmin
+	//       + --panel-auto-takeover + --accept-orphan-nftban
+	//   (ii) Amendment 3 §62 — AuthorityAmbiguous + AmbiguityConflictExternal
+	//       + external=="csf" + NoRecord + DirectAdmin
+	//       + --panel-auto-takeover + --accept-orphan-nftban
+	//
+	// Both candidates share the same flag pair, the same panel, the
+	// same prior state, the same evidence-row set (§54 = §54/§64 except
+	// E.2 reframed and E.12 omitted — handled by the dispatcher inside
+	// gatherOrphanEvidence). The dispatcher avoids unnecessary live
+	// reads on every restore-mode invocation by only running the
+	// predicate where it matters, preserving the §51.3 Option B
+	// boundary (no iptables introspection).
+	amd2Candidate := auth.State == uninstall.AuthorityNFTBan &&
+		priorState == restore.PriorStateNoRecord &&
+		panel == detect.PanelDirectAdmin &&
+		cfg.panelAutoTakeover &&
+		cfg.acceptOrphanNFTBan
+	amd3Candidate := auth.State == uninstall.AuthorityAmbiguous &&
+		auth.Ambiguity == uninstall.AmbiguityConflictExternal &&
+		auth.External == "csf" &&
 		priorState == restore.PriorStateNoRecord &&
 		panel == detect.PanelDirectAdmin &&
 		cfg.panelAutoTakeover &&
-		cfg.acceptOrphanNFTBan {
+		cfg.acceptOrphanNFTBan
+	switch {
+	case amd2Candidate:
 		ev := gatherOrphanEvidence(exec, log, panel, auth, probe, cfg)
 		input.OrphanEvidence = &ev
-		log.Info("restore decide: orphan-evidence gathered all_true=%v failed_row=%q",
+		log.Info("restore decide: orphan-evidence gathered (amendment-2 path) all_true=%v failed_row=%q",
 			ev.AllTrue(), ev.FailedRowID())
+	case amd3Candidate:
+		ev := gatherOrphanEvidenceAmendment3(exec, log, panel, auth, probe, cfg)
+		input.OrphanEvidence = &ev
+		log.Info("restore decide: orphan-evidence gathered (amendment-3 path) all_true=%v failed_row=%q",
+			ev.AllTrueAmendment3(), ev.FailedRowIDAmendment3())
 	}
 
 	// 7. Evaluate — pure, deterministic, no side effects.
diff --git a/cmd/nftban-installer/restore_decide_amendment3_test.go b/cmd/nftban-installer/restore_decide_amendment3_test.go
@@ -0,0 +1,266 @@
+// =============================================================================
+// NFTBan v1.100 Amendment 3 — Dispatcher integration tests
+// =============================================================================
+// SPDX-License-Identifier: MPL-2.0
+// meta:name="installer-restore-decide-amendment3-test"
+// meta:type="test"
+// meta:owner="Antonios Voulvoulis <contact@nftban.com>"
+// meta:created_date="2026-04-29"
+// meta:description="Amendment 3 dispatcher-side wiring (ExternalIndicator + reframed E.2 + separate helper)"
+// meta:inventory.files="cmd/nftban-installer/restore_decide_amendment3_test.go"
+// meta:inventory.binaries=""
+// meta:inventory.env_vars=""
+// meta:inventory.config_files=""
+// meta:inventory.systemd_units=""
+// meta:inventory.network=""
+// meta:inventory.privileges="none"
+// =============================================================================
+//
+// Confirms the dispatcher correctly:
+//
+//   1. Plumbs ClassifyResult.External into DecisionInput.ExternalIndicator
+//      so the engine's G1/AmbiguityConflictExternal split sees the
+//      §62 entry condition string.
+//
+//   2. Calls the Amendment 3 evidence helper (gatherOrphanEvidenceAmendment3)
+//      on the Amendment 3 quintuple shape, NOT the Amendment 2 helper
+//      (auditor-recommended separate-helper structure).
+//
+//   3. Calls the Amendment 2 evidence helper (gatherOrphanEvidence)
+//      on the Amendment 2 quintuple shape (regression — Amendment 2
+//      path unchanged).
+//
+//   4. Reframes E.2 in the Amendment 3 helper so AllTrueAmendment3()
+//      returns true on the §62 happy path.
+//
+//   5. Keeps gatherOrphanEvidence's E.2 strictly evaluating
+//      AuthorityNFTBan (Amendment 2 unchanged).
+//
+// =============================================================================
+package main
+
+import (
+	"testing"
+
+	"github.com/itcmsgr/nftban/internal/installer/detect"
+	"github.com/itcmsgr/nftban/internal/installer/logging"
+	"github.com/itcmsgr/nftban/internal/installer/uninstall"
+)
+
+// amd3HappyAuth returns a ClassifyResult shaped for the §62 Amendment 3
+// entry condition: AuthorityAmbiguous + AmbiguityConflictExternal +
+// external=="csf". Mirrors how dns2 looks post-canonical-install.
+func amd3HappyAuth() *uninstall.ClassifyResult {
+	return &uninstall.ClassifyResult{
+		State:     uninstall.AuthorityAmbiguous,
+		Ambiguity: uninstall.AmbiguityConflictExternal,
+		External:  "csf",
+	}
+}
+
+// TestGatherOrphanEvidenceAmendment3_E2Reframed_AllTrueAmendment3_True
+// confirms the Amendment 3 helper sets E.2=true on the §62 entry
+// condition and AllTrueAmendment3() returns true on the happy path.
+// Also verifies E.12 is correctly false (entry condition IS
+// AmbiguityConflictExternal) and that AllTrue() (Amendment 2 predicate)
+// returns false on this fixture (because E.12 is required-true by §54.1).
+func TestGatherOrphanEvidenceAmendment3_E2Reframed_AllTrueAmendment3_True(t *testing.T) {
+	log := logging.New("/dev/null", false)
+	ev := gatherOrphanEvidenceAmendment3(happyExec(), log, detect.PanelDirectAdmin, amd3HappyAuth(), happyProbe(), happyCfg())
+
+	if !ev.E2AuthorityNFTBan {
+		t.Errorf("E.2 = false on Amendment 3 entry condition; want true (reframed per §64.1)")
+	}
+	if !ev.AllTrueAmendment3() {
+		t.Errorf("AllTrueAmendment3() = false; failed row=%s", ev.FailedRowIDAmendment3())
+	}
+	if ev.E12NoConflictExternal {
+		t.Errorf("E.12 = true on Amendment 3 entry; want false (entry condition IS AmbiguityConflictExternal)")
+	}
+	if ev.AllTrue() {
+		t.Errorf("AllTrue() = true on Amendment 3 entry; want false (Amendment 2 predicate requires E.12=true)")
+	}
+}
+
+// TestGatherOrphanEvidenceAmendment3_E2FalseOnNonQualifying confirms
+// that the Amendment 3 helper's E.2 is conservative: ONLY fires when
+// the full §62 entry condition (AuthorityAmbiguous + ConflictExternal
+// + external=="csf") is present.
+func TestGatherOrphanEvidenceAmendment3_E2FalseOnNonQualifying(t *testing.T) {
+	cases := []struct {
+		name string
+		auth *uninstall.ClassifyResult
+		want bool
+	}{
+		{
+			name: "amd3_path_authority_ambiguous_csf",
+			auth: &uninstall.ClassifyResult{
+				State:     uninstall.AuthorityAmbiguous,
+				Ambiguity: uninstall.AmbiguityConflictExternal,
+				External:  "csf",
+			},
+			want: true,
+		},
+		{
+			name: "amd2_path_authority_nftban_FAILS_amendment3_helper",
+			auth: &uninstall.ClassifyResult{
+				State:     uninstall.AuthorityNFTBan,
+				Ambiguity: uninstall.AmbiguityNone,
+				External:  "",
+			},
+			want: false, // gatherOrphanEvidenceAmendment3 ONLY accepts §62 entry
+		},
+		{
+			name: "external_empty_defensive",
+			auth: &uninstall.ClassifyResult{
+				State:     uninstall.AuthorityAmbiguous,
+				Ambiguity: uninstall.AmbiguityConflictExternal,
+				External:  "",
+			},
+			want: false,
+		},
+		{
+			name: "external_ufw_out_of_scope",
+			auth: &uninstall.ClassifyResult{
+				State:     uninstall.AuthorityAmbiguous,
+				Ambiguity: uninstall.AmbiguityConflictExternal,
+				External:  "ufw",
+			},
+			want: false,
+		},
+		{
+			name: "external_multi_csf_ufw",
+			auth: &uninstall.ClassifyResult{
+				State:     uninstall.AuthorityAmbiguous,
+				Ambiguity: uninstall.AmbiguityConflictExternal,
+				External:  "csf,ufw",
+			},
+			want: false,
+		},
+		{
+			name: "ambiguity_orphan_nftban",
+			auth: &uninstall.ClassifyResult{
+				State:     uninstall.AuthorityAmbiguous,
+				Ambiguity: uninstall.AmbiguityOrphanNFTBan,
+				External:  "csf",
+			},
+			want: false,
+		},
+		{
+			name: "authority_external",
+			auth: &uninstall.ClassifyResult{
+				State:    uninstall.AuthorityExternal,
+				External: "csf",
+			},
+			want: false,
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			log := logging.New("/dev/null", false)
+			ev := gatherOrphanEvidenceAmendment3(happyExec(), log, detect.PanelDirectAdmin, c.auth, happyProbe(), happyCfg())
+			if ev.E2AuthorityNFTBan != c.want {
+				t.Errorf("E.2 = %v; want %v", ev.E2AuthorityNFTBan, c.want)
+			}
+		})
+	}
+}
+
+// TestGatherOrphanEvidence_Amendment2Unchanged confirms the Amendment 2
+// helper's E.2 still evaluates strictly AuthorityNFTBan. This is the
+// regression check for §66.2 — Amendment 2 path stays passing.
+func TestGatherOrphanEvidence_Amendment2Unchanged(t *testing.T) {
+	cases := []struct {
+		name string
+		auth *uninstall.ClassifyResult
+		want bool
+	}{
+		{
+			name: "amd2_authority_nftban_true",
+			auth: &uninstall.ClassifyResult{
+				State:     uninstall.AuthorityNFTBan,
+				Ambiguity: uninstall.AmbiguityNone,
+			},
+			want: true,
+		},
+		{
+			name: "amd3_classifier_does_NOT_qualify_amendment2_E2",
+			auth: &uninstall.ClassifyResult{
+				State:     uninstall.AuthorityAmbiguous,
+				Ambiguity: uninstall.AmbiguityConflictExternal,
+				External:  "csf",
+			},
+			want: false, // Amendment 2 helper rejects Amendment 3 entry
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			log := logging.New("/dev/null", false)
+			ev := gatherOrphanEvidence(happyExec(), log, detect.PanelDirectAdmin, c.auth, happyProbe(), happyCfg())
+			if ev.E2AuthorityNFTBan != c.want {
+				t.Errorf("E.2 = %v; want %v", ev.E2AuthorityNFTBan, c.want)
+			}
+		})
+	}
+}
+
+// TestGatherOrphanEvidenceAmendment3_FailedRow confirms
+// FailedRowIDAmendment3() returns AMD3-E.{N} on per-row failures and
+// "" on the happy path. E.12 is omitted from the Amendment 3 walk so
+// its falseness must not trigger a failed-row return.
+func TestGatherOrphanEvidenceAmendment3_FailedRow(t *testing.T) {
+	log := logging.New("/dev/null", false)
+
+	ev := gatherOrphanEvidenceAmendment3(happyExec(), log, detect.PanelDirectAdmin, amd3HappyAuth(), happyProbe(), happyCfg())
+	if id := ev.FailedRowIDAmendment3(); id != "" {
+		t.Errorf("FailedRowIDAmendment3 on happy path = %q; want \"\"", id)
+	}
+
+	exec := happyExec()
+	delete(exec.Files, "/usr/sbin/csf.disabled")
+	ev = gatherOrphanEvidenceAmendment3(exec, log, detect.PanelDirectAdmin, amd3HappyAuth(), happyProbe(), happyCfg())
+	if id := ev.FailedRowIDAmendment3(); id != "AMD3-E.7" {
+		t.Errorf("FailedRowIDAmendment3 with E.7 absent = %q; want %q", id, "AMD3-E.7")
+	}
+}
+
+// TestGatherOrphanEvidenceAmendment3_E2_FalseOnNonCSFExternal pins
+// the AMD3-7-equivalent gating: external != "csf" → E.2 = false →
+// AllTrueAmendment3 false → FailedRowIDAmendment3 == AMD3-E.2.
+func TestGatherOrphanEvidenceAmendment3_E2_FalseOnNonCSFExternal(t *testing.T) {
+	log := logging.New("/dev/null", false)
+	auth := &uninstall.ClassifyResult{
+		State:     uninstall.AuthorityAmbiguous,
+		Ambiguity: uninstall.AmbiguityConflictExternal,
+		External:  "ufw",
+	}
+	ev := gatherOrphanEvidenceAmendment3(happyExec(), log, detect.PanelDirectAdmin, auth, happyProbe(), happyCfg())
+	if ev.E2AuthorityNFTBan {
+		t.Errorf("E.2 = true on external=ufw; want false")
+	}
+	if ev.AllTrueAmendment3() {
+		t.Errorf("AllTrueAmendment3 = true on external=ufw; want false")
+	}
+	if id := ev.FailedRowIDAmendment3(); id != "AMD3-E.2" {
+		t.Errorf("FailedRowIDAmendment3 on external=ufw = %q; want %q", id, "AMD3-E.2")
+	}
+}
+
+// TestGatherOrphanEvidenceAmendment3_OmitsE12 carries the §66.2
+// invariant from the engine_amendment3_test.go suite into the
+// dispatcher integration: AllTrueAmendment3() must NOT consider
+// E.12 even when it is false.
+func TestGatherOrphanEvidenceAmendment3_OmitsE12(t *testing.T) {
+	log := logging.New("/dev/null", false)
+	ev := gatherOrphanEvidenceAmendment3(happyExec(), log, detect.PanelDirectAdmin, amd3HappyAuth(), happyProbe(), happyCfg())
+
+	// On Amendment 3 entry, E.12 is false (entry IS ConflictExternal).
+	if ev.E12NoConflictExternal {
+		t.Fatalf("invariant: E.12 must be false on Amendment 3 entry; got true")
+	}
+	// AllTrueAmendment3 must still pass — E.12 omitted from predicate.
+	if !ev.AllTrueAmendment3() {
+		t.Errorf("AllTrueAmendment3 = false despite E.12 omission; failed row=%s", ev.FailedRowIDAmendment3())
+	}
+}
diff --git a/cmd/nftban-installer/restore_decide_evidence.go b/cmd/nftban-installer/restore_decide_evidence.go
