feat(v1.100 Amendment 3): code-A — G1/AmbiguityConflictExternal orphan-CSF split (#523)

Implements the §63 lattice extension + §64 evidence predicate from the
Amendment 3 doc seed (#522). Decision-layer only.

Lattice changes (engine.go):
  - 3 new rule constants:
    G1/AmbiguityConflictExternal/default          → REFUSE (preserves pre-Amendment-3 hard-stop)
    G1/AmbiguityConflictExternal/OrphanProceed    → PROCEED PanelNative/csf
    G1/AmbiguityConflictExternal/EvidenceMismatch → REFUSE (predicate any-false)
  - decideAmbiguityConflictExternal() function mirrors decideAuthorityNFTBan()
    in shape: Group 2 precedence preserved → quintuple-check (csf + DA + NoRecord +
    --panel-auto-takeover + --accept-orphan-nftban) → §64 predicate delegation.
  - Decide() now calls decideAmbiguityConflictExternal(in) for the
    AuthorityAmbiguous + AmbiguityConflictExternal branch (replaces the
    inline REFUSE).

Evidence predicate (types.go):
  - New ExternalIndicator string field on DecisionInput (carries the
    classifier's external-authority string; required for §62 entry condition).
  - New AllTrueAmendment3() helper on OrphanEvidence: identical to AllTrue()
    EXCEPT row E.12 (NoConflictExternal) is omitted — the §62 entry IS
    AmbiguityConflictExternal so requiring "no conflict external" is
    incompatible by construction.
  - New FailedRowIDAmendment3() helper returns AMD3-E.{N} stable IDs so
    structured logs and Code-D evidence-records distinguish which
    predicate fired.

Test matrix (engine_amendment3_test.go — new file):
  - 15-row §67 matrix (AMD3-1 through AMD3-15) including the 3 auditor-
    required defensive-guard rows: AMD3-13 empty external, AMD3-14 rule-
    label assertion ("amendment-3 orphan-intent" reason substring),
    AMD3-15 multi-external "csf,ufw".
  - TestAmd3_RuleConstants pins canonical rule strings.
  - TestAmd3_AllTrueAmendment3_OmitsE12 verifies E.12 is excluded.
  - TestAmd3_FailedRowIDAmendment3_SkipsE12 verifies row-walk skips E.12.
  - TestAmd3_NilEvidence_AMD3E0 verifies nil-receiver sentinel.

Regression updates (engine_test.go, engine_amendment2_test.go):
  - 2 pre-existing fixtures asserting the old "G1/AmbiguityConflictExternal"
    rule string updated to RuleG1AmbConflictExtDefault. Behavior unchanged
    (still REFUSE); only the rule sub-classifier name shifts. Same pattern
    as Amendment 2's AuthorityNFTBan/default rename.
  - declaredRules() in engine_test.go updated to include the 3 new sub-rule
    constants (RuleG1AmbiguityConflictExt umbrella retained for grep parity).
  - 2 sentinel fixtures added to allFixtures pinning the new
    OrphanProceed and EvidenceMismatch rules for coverage assertion
    (full §67 matrix lives in engine_amendment3_test.go).

NOT touched (in scope per operator):
  - internal/installer/uninstall/* (classifier — semantic unchanged)
  - internal/installer/restore/execute.go (mutation surface unchanged)
  - internal/installer/state/* (state machine unchanged)
  - cmd/nftban-installer/main.go (history gate unchanged)
  - cmd/nftban-installer/flags.go (flag surface unchanged)
  - .github/workflows/* (CI unchanged)
  - §32 11-step ordering (unchanged)
  - Amendment 2's §54 predicate (untouched; AllTrue() preserved for the
    AuthorityNFTBan path; AllTrueAmendment3() is a new sibling)

Test results (lab4):
  - go test ./internal/installer/restore/...    → ok
  - go test ./cmd/nftban-installer/...          → ok
  - go test ./...                                → 64 packages ok, 0 FAIL

No host action. No binary rebuild. No nftban-installer invocation.
dns2 stays in canonical post-Gate-A state.

Closes part of PR-26 final closure path: Gate B retry on dns2 unblocks
once this PR merges + fresh Tier 1 binary is built + reachability monitor
activates + pre-execution Gate B retry audit returns GO.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: itcmsgr

internal/installer/restore/engine.go

@@ -52,6 +52,22 @@ const (
 	RuleG1NFTBanOrphanProceed = "G1/AuthorityNFTBan/OrphanProceed"
 	RuleG1EvidenceMismatch    = "G1/EvidenceMismatch"
 
+	// Group 1 — Amendment 3 split sub-rules (§63). These live ENTIRELY
+	// within Group 1; no later group ever defeats a Group 1 outcome.
+	// §5 precedence holds. Amendment 3 splits the existing
+	// G1/AmbiguityConflictExternal row (above) into:
+	//   - default: REFUSE (unchanged behavior for every flag pattern,
+	//     external authority, panel, prior, or evidence row outside
+	//     the candidate quintuple)
+	//   - orphan-intent-candidate-csf: delegates to §64 predicate
+	//   - OrphanProceed: PROCEED PanelNative/csf when §64 all-true
+	//   - EvidenceMismatch: REFUSE when §64 any-false (distinct from
+	//     the Amendment 2 path's RuleG1EvidenceMismatch so logs and
+	//     Code-D evidence-records can attribute correctly)
+	RuleG1AmbConflictExtDefault          = "G1/AmbiguityConflictExternal/default"
+	RuleG1AmbConflictExtOrphanProceed    = "G1/AmbiguityConflictExternal/OrphanProceed"
+	RuleG1AmbConflictExtEvidenceMismatch = "G1/AmbiguityConflictExternal/EvidenceMismatch"
+
 	// Group 2 — input/flag validity
 	RuleG2PanelAutoWithoutPanel    = "G2/PanelAutoTakeoverWithoutPanel"
 	RuleG2BothRestoreFlags         = "G2/RestoreAndPanelAutoBothSet"
@@ -111,11 +127,7 @@ func Decide(in DecisionInput) DecisionResult {
 		}
 	case uninstall.AuthorityAmbiguous:
 		if in.Ambiguity == uninstall.AmbiguityConflictExternal {
-			return DecisionResult{
-				Output: OutputRefuse,
-				Rule:   RuleG1AmbiguityConflictExt,
-				Reason: "conflicting external authority detected; operator must resolve before any restoration",
-			}
+			return decideAmbiguityConflictExternal(in)
 		}
 		// Fall through to Group 4 (AmbiguityOrphanNFTBan path). Any
 		// other Ambiguity sub-kind is a preflight invariant violation
@@ -414,3 +426,99 @@ func decideAuthorityNFTBan(in DecisionInput) DecisionResult {
 		Reason: "amendment-2 orphan-intent: AuthorityNFTBan + DirectAdmin + strong CSF-disabled evidence; restoring CSF per §53.1",
 	}
 }
+
+// decideAmbiguityConflictExternal implements Amendment 3 §63 Group 1
+// split for Authority=AuthorityAmbiguous + Ambiguity=AmbiguityConflictExternal.
+// The split is ENTIRELY within Group 1; no later group ever defeats a
+// Group 1 outcome. §5 precedence holds.
+//
+// Evaluation order (§63.2):
+//
+//  1. Pre-condition quintuple check — only the specific combination
+//     `ExternalIndicator="csf" + Prior=NoRecord + Panel=DirectAdmin +
+//     PanelAutoTakeover + AcceptOrphanNFTBan` (and Group 2 not
+//     interfering) is the "orphan-intent-candidate-csf" sub-row.
+//     Any other combination → REFUSE with
+//     `G1/AmbiguityConflictExternal/default` (preserves the original
+//     pre-Amendment-3 hard-stop semantics).
+//
+//  2. §64 evidence predicate evaluation — if AllTrueAmendment3() (every
+//     row except E.12, which is omitted because the §62 entry condition
+//     IS AmbiguityConflictExternal), PROCEED with
+//     `G1/AmbiguityConflictExternal/OrphanProceed`. If any row is false,
+//     REFUSE with `G1/AmbiguityConflictExternal/EvidenceMismatch`
+//     (NOT REQUIRE_EXPLICIT_INTENT — same semantic as Amendment 2 §54.2).
+//
+// Group 2 precedence preserved: `--restore-prior-authority +
+// --panel-auto-takeover` (both set) emits `G2/RestoreAndPanelAutoBothSet`;
+// `--panel-auto-takeover` with `PanelPresent=false` emits
+// `G2/PanelAutoTakeoverWithoutPanel`. Both Group 2 rules win over
+// the Amendment 3 split because they're checked here before the
+// candidate-quintuple delegation, in that exact precedence order.
+//
+// Multi-external states (e.g. ExternalIndicator="csf,ufw") and empty
+// strings fall to the default REFUSE per §65 + §67 row AMD3-13/AMD3-15
+// defensive guards. Only single, exact-match "csf" qualifies.
+func decideAmbiguityConflictExternal(in DecisionInput) DecisionResult {
+	// Group 2 precedence: both flags set is an input-validity REFUSE.
+	if in.Flags.Restore && in.Flags.PanelAutoTakeover {
+		return DecisionResult{
+			Output: OutputRefuse,
+			Rule:   RuleG2BothRestoreFlags,
+			Reason: "--restore-prior-authority and --panel-auto-takeover are mutually exclusive; pick one",
+		}
+	}
+
+	// Group 2 precedence: panel-auto without a panel is an input-
+	// validity REFUSE.
+	if in.Flags.PanelAutoTakeover && !in.PanelPresent {
+		return DecisionResult{
+			Output: OutputRefuse,
+			Rule:   RuleG2PanelAutoWithoutPanel,
+			Reason: "--panel-auto-takeover requires a control panel on the host; none detected",
+		}
+	}
+
+	// Candidate-quintuple check for the Amendment 3 orphan-intent-
+	// candidate-csf path. Every condition must hold, else fall through
+	// to the default REFUSE. The quintuple is composite: classifier
+	// already established AuthorityAmbiguous + AmbiguityConflictExternal
+	// (caller); we additionally require ExternalIndicator=="csf"
+	// (single-external, exact-match), Prior=NoRecord, Panel=DirectAdmin,
+	// --panel-auto-takeover, and --accept-orphan-nftban.
+	quintuplePresent := in.ExternalIndicator == "csf" &&
+		in.Prior == PriorStateNoRecord &&
+		in.Panel == detect.PanelDirectAdmin &&
+		in.Flags.PanelAutoTakeover &&
+		in.Flags.AcceptOrphanNFTBan
+
+	if !quintuplePresent {
+		return DecisionResult{
+			Output: OutputRefuse,
+			Rule:   RuleG1AmbConflictExtDefault,
+			Reason: "conflicting external authority detected; operator must resolve before any restoration (default G1 hard-stop)",
+		}
+	}
+
+	// Quintuple present — delegate to the §64 predicate. The
+	// dispatcher MUST have populated in.OrphanEvidence; nil is treated
+	// as "evidence not gathered" → REFUSE/EvidenceMismatch with
+	// AMD3-E.0 (defensive — should never happen if dispatcher follows
+	// §64.3).
+	if in.OrphanEvidence == nil || !in.OrphanEvidence.AllTrueAmendment3() {
+		return DecisionResult{
+			Output: OutputRefuse,
+			Rule:   RuleG1AmbConflictExtEvidenceMismatch,
+			Reason: "amendment-3 evidence predicate did not hold; failing-row=" + in.OrphanEvidence.FailedRowIDAmendment3(),
+		}
+	}
+
+	// All §64.1 rows hold. PROCEED PanelNative/csf — same target as
+	// the Amendment 2 path. PlanFromDecision reuses the existing
+	// panel-static-map (§20.1: PanelDirectAdmin → "csf").
+	return DecisionResult{
+		Output: OutputProceed,
+		Rule:   RuleG1AmbConflictExtOrphanProceed,
+		Reason: "amendment-3 orphan-intent: AmbiguityConflictExternal + DirectAdmin + strong CSF-disabled evidence; restoring CSF per §63.1",
+	}
+}

internal/installer/restore/engine_amendment2_test.go

@@ -323,7 +323,17 @@ func TestAmd2_Section56_1_SplitFixtures(t *testing.T) {
 			wantOut:  OutputRefuse,
 			wantRule: RuleG1AuthorityExternal,
 		},
-		// Row 17 — AmbiguityConflictExternal + orphan flag → REFUSE/G1/AmbiguityConflictExternal (no bypass)
+		// Row 17 — AmbiguityConflictExternal + orphan flag → REFUSE.
+		// Amendment 2's --accept-orphan-nftban does NOT extend to
+		// AmbiguityConflictExternal — the bypass remains scoped to
+		// AuthorityNFTBan only. After Amendment 3 (§63) splits the
+		// G1/AmbiguityConflictExternal row, this fixture asserts the
+		// new sub-rule G1/AmbiguityConflictExternal/default. Note: this
+		// fixture has no ExternalIndicator field set ("" empty), so
+		// even if Amendment 3's quintuple-check were reached, the
+		// empty-external defensive guard (AMD3-13) would also refuse.
+		// The "default" sub-rule fires first (no quintuple match),
+		// preserving the original Amendment-2-era hard-stop semantics.
 		{
 			name: "row17_ambiguity_conflict_no_bypass",
 			input: DecisionInput{
@@ -335,7 +345,7 @@ func TestAmd2_Section56_1_SplitFixtures(t *testing.T) {
 				Flags:        Flags{PanelAutoTakeover: true, AcceptOrphanNFTBan: true},
 			},
 			wantOut:  OutputRefuse,
-			wantRule: RuleG1AmbiguityConflictExt,
+			wantRule: RuleG1AmbConflictExtDefault,
 		},
 		// Row 18 — AmbiguityOrphanNFTBan + panel-auto + orphan-flag → REFUSE/G4.3 (locked by §59 Q2)
 		{