SNT-377 review fixups

- Tighten BinaryMismatch decisionExtra assertion to lock the contract.
- Document the critical-system-binaries short-circuit with the security
  property it relies on (CS_KILL/CS_HARD enforcement).
- Drop redundant per-test mockCodesignChecker.teamID stubs in
  testTeamID(Allow|Block)Rule (the validateExecEvent fixture already
  mirrors target identity onto the mock); tighten the fixture comment
  to discourage adding new ones.

Author: mlw

Source/santad/SNTExecutionControllerTest.mm

@@ -236,15 +236,21 @@ - (void)validateExecEvent:(SNTAction)wantAction
     messageSetupBlock(&esMsg);
   }
 
-  // Configure mockCodesignChecker to match procExec's identity so that
-  // VerifyIdentity returns kMatch and does not short-circuit policy evaluation.
-  // Tests in this file are not exercising identity verification; that is covered
-  // by the +verifyIdentityForTargetProc:fd:csInfo: tests at the bottom of
+  // Auto-mirror target identity onto the mock codesign checker so that
+  // VerifyIdentity returns kMatch and doesn't short-circuit policy evaluation.
+  // Tests in this file aren't exercising identity verification — that's covered
+  // by the +verifyIdentityForTargetProc:fd:csInfo: tests in
   // SNTPolicyProcessorTest.mm.
+  //
+  // Tests should set target identity via messageSetupBlock and let this fixture
+  // mirror it onto the mock. Do NOT add per-test OCMStubs for cdhash, teamID,
+  // or signingID — OCMock resolves stubs FIFO, so a per-test stub added before
+  // validateExecEvent runs would shadow the mirror below and silently trip
+  // kMismatch if its value differs from what messageSetupBlock writes onto
+  // target.
   {
     const es_process_t* target = esMsg.event.exec.target;
     NSString* cdhexStr = santa::StringToNSString(santa::BufToHexString(target->cdhash, 20));
-    // Stubs below must mirror target identity; otherwise verifyIdentity short-circuits.
     OCMStub([self.mockCodesignChecker cdhash]).andReturn(cdhexStr);
     if (target->team_id.length > 0) {
       OCMStub([self.mockCodesignChecker teamID]).andReturn(@(target->team_id.data));
@@ -453,9 +459,6 @@ - (void)testSigningIDBlockRule {
 }
 
 - (void)testTeamIDAllowRule {
-  // Must match target->team_id set in messageSetup; otherwise verifyIdentity short-circuits.
-  OCMStub([self.mockCodesignChecker teamID]).andReturn(@(kExampleTeamID));
-
   SNTRule* rule = [[SNTRule alloc] init];
   rule.state = SNTRuleStateAllow;
   rule.type = SNTRuleTypeTeamID;
@@ -470,9 +473,6 @@ - (void)testTeamIDAllowRule {
 }
 
 - (void)testTeamIDBlockRule {
-  // Must match target->team_id set in messageSetup; otherwise verifyIdentity short-circuits.
-  OCMStub([self.mockCodesignChecker teamID]).andReturn(@(kExampleTeamID));
-
   SNTRule* rule = [[SNTRule alloc] init];
   rule.state = SNTRuleStateBlock;
   rule.type = SNTRuleTypeTeamID;

Source/santad/SNTPolicyProcessor.mm

@@ -589,7 +589,10 @@ + (IdentityVerifyResult)verifyIdentityForTargetProc:(const es_process_t*)targetP
         (NSDictionary* _Nullable (^_Nullable)(NSDictionary* _Nullable entitlements))
             entitlementsFilterCallback {
   // If the binary is a critical system binary, don't check its signature.
-  // The binary was validated at startup when the rule table was initialized.
+  // Critical binaries are SIP or tamper protected and were validated at
+  // startup when the rule table was initialized; the kernel's CS_KILL/CS_HARD
+  // enforcement guarantees the SigningID matched here can only be issued for
+  // legitimately-signed binaries with that identity.
   SNTCachedDecision* systemCd = [self.ruleTable.criticalSystemBinaries[cd.signingID] copy];
   if (systemCd) {
     systemCd.decisionClientMode = configState.clientMode;

Source/santad/SNTPolicyProcessorTest.mm

@@ -1358,7 +1358,8 @@ - (void)testOuter_Unsigned_StatMismatch_ReturnsBlockBinaryMismatch {
                                                 cachedDecision:nil];
 
   XCTAssertEqual(cd.decision, SNTEventStateBlockBinaryMismatch);
-  XCTAssertNotNil(cd.decisionExtra);
+  XCTAssertEqualObjects(cd.decisionExtra,
+                        @"Binary identity mismatch between ES event and on-disk file");
   XCTAssertFalse(cd.holdAndAsk, @"mismatch must never be TouchID-overridable");
   XCTAssertNotEqual(cd.decision & SNTEventStateBlock, (SNTEventState)0);
   XCTAssertEqual(cd.decision & SNTEventStateAllow, (SNTEventState)0);