TCK-00573: Job unit sandbox hardening: NoNewPrivileges, PrivateTmp, Protect*, Restrict*, safe defaults without breaking builds

[Anveio]

ticket_meta:
  schema_version: 2026-01-29
  template_version: 2026-01-29
  ticket:
    id: TCK-00573
    title: 'Job unit sandbox hardening: NoNewPrivileges, PrivateTmp, Protect*, Restrict*, safe defaults without breaking builds'
    status: OPEN
  binds:
    prd_id: PRD-PLACEHOLDER
    rfc_id: RFC-0019
    requirements: []
    evidence_artifacts: []
  custody:
    agent_roles:
    - AGENT_IMPLEMENTER
    responsibility_domains:
    - DOMAIN_SECURITY
    - DOMAIN_RUNTIME
  dependencies:
    tickets:
    - ticket_id: TCK-00530
      reason: Need centralized unit builder.
  scope:
    in_scope:
    - 'Add systemd hardening directives to job units (prefer system-mode backend):'
    - '  - NoNewPrivileges=yes'
    - '  - PrivateTmp=yes'
    - '  - ProtectControlGroups=yes'
    - '  - ProtectKernelTunables=yes'
    - '  - ProtectKernelLogs=yes'
    - '  - RestrictSUIDSGID=yes'
    - '  - LockPersonality=yes'
    - '  - RestrictRealtime=yes'
    - '  - RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 (policy controlled)'
    - '  - SystemCallArchitectures=native'
    - Make hardening policy-driven (FacPolicyV1), with a known-good default profile.
    - Emit unit hardening settings into receipts for audit (hash or normalized list).
    - Stabilize FAC GC bounded-runner coverage for test_gc_plan_skips_running_lanes by using deterministic lane fixtures and lane-dir path checks (not substring matches affected by lane-scoped TMPDIR).
    - Harden GC lane target planning to accept only known lane inventory entries, ignoring unknown lane_id status records.
    out_of_scope:
    - Container sandboxing.
  plan:
    steps:
    - Define hardening profile knobs in policy.
    - Update unit builder.
    - Refactor GC lane target selection tests to use deterministic lane status fixtures and bounded-safe assertions.
    - Constrain idle-lane target collection to known lane IDs and validate with explicit unknown-lane tests.
    - Run gates suite and iteratively tighten without breaking.
  definition_of_done:
    evidence_ids: []
    criteria:
    - Default hardening reduces attack surface measurably (documented directives) while preserving successful gates execution.
    - FAC bounded test runner no longer flakes/fails on test_gc_plan_skips_running_lanes.
    - GC planner ignores unknown lane IDs when generating lane target/log prune candidates.
fac_push_metadata:
  commit_history:
  - short_sha: 60b37ca5
    message: TCK-00573 add systemd sandbox hardening for FAC job units
  - short_sha: 91e74a64
    message: TCK-00573 add TMPDIR to bounded test runner setenv allowlist
  - short_sha: f3a0adc1
    message: 'TCK-00573 backend-aware sandbox hardening: full in system-mode, safe in user-mode'
  - short_sha: 61e9bf1c
    message: TCK-00573 fix clippy doc-markdown lints for hardening directive names
  - short_sha: 0c6b58d5
    message: 'TCK-00573 fix flaky gc test: isolate lane scan from real FAC state'
  - short_sha: 01d5c98d
    message: Stabilize FAC GC lane skip planning under bounded runner
  - short_sha: 326a57c4
    message: 'Fix rebase conflict: add sandbox_hardening field to test added on main'
  - short_sha: a2ea35f6
    message: 'Fix schema count after rebase: ALL_FAC_SCHEMA_IDS is now 14'
  - short_sha: 3bc0a2ae
    message: TCK-00573 enforce sandbox hardening policy in runtime paths and receipt audit
  - short_sha: 93c10b5e
    message: TCK-00573 fix rustfmt and complete review remediation
  - short_sha: 26b6748c
    message: TCK-00573 fix canonicalization collision and remove redundant TMPDIR
  - short_sha: a414c253
    message: 'Fix round 3 review findings: hash integrity, ct_eq, sorted families, CLI constructor, GC cleanup'
  - short_sha: 99cb2229
    message: Include sandbox_hardening_hash in additional denial receipt paths
  - short_sha: 0e22032e
    message: Merge remote-tracking branch 'origin/main' into ticket/RFC-0019/TCK-00573
  - short_sha: dbb3cb7f
    message: 'TCK-00573: injective receipt encoding, gate attestation sandbox binding, and stop_revoke receipt completeness'
  - short_sha: bfe75479
    message: 'TCK-00573 MAJOR-1 fix: bind gate attestation to effective policy sandbox profile'
  - short_sha: ea88550f
    message: 'TCK-00573: bind sandbox_hardening_hash in GateReceipt builder chains'
  - short_sha: 3886f706
    message: Merge remote-tracking branch 'origin/main' into ticket/RFC-0019/TCK-00573
  - short_sha: b5c0ab6d
    message: Revert "Merge remote-tracking branch 'origin/main' into ticket/RFC-0019/TCK-00573"
  - short_sha: f7f0351c
    message: Merge remote-tracking branch 'origin/main' into ticket/RFC-0019/TCK-00573
  - short_sha: 98eba943
    message: Restore Cost Model (TCK-00532) removed by merge contamination; document V2 schema break
  - short_sha: fa72dd62
    message: 'fix(fac): restore receipt cost compatibility and strict digest checks'
  - short_sha: e82275f5
    message: 'refactor(fac): extract observed cost canonicalization helpers'
  - short_sha: 0d55158b
    message: 'fix(fac): reject AF_ without suffix in sandbox policy'
  - short_sha: d6a420f2
    message: 'feat(fac): add sandbox_hardening_hash to GateReceipt'

FAC Gate Status

# apm2-gate-status:v2
sha: d6a420f26405302d4c1086dbb55606d484240079
short_sha: d6a420f2
timestamp: '2026-02-17T03:43:37Z'
all_passed: true
gates:
  - name: 'merge_conflict_main'
    status: PASS
    duration_secs: 0
  - name: 'rustfmt'
    status: PASS
    duration_secs: 3
  - name: 'clippy'
    status: PASS
    duration_secs: 44
  - name: 'doc'
    status: PASS
    duration_secs: 27
  - name: 'test_safety_guard'
    status: PASS
    duration_secs: 0
  - name: 'test'
    status: PASS
    duration_secs: 79
  - name: 'workspace_integrity'
    status: PASS
    duration_secs: 5
  - name: 'review_artifact_lint'
    status: PASS
    duration_secs: 0

[Anveio]

# apm2-review-verdict:v1
schema: apm2.review.verdict.v1
pr: 704
sha: a2ea35f667e427b73908d89d5ecb3f6857b2aa54
updated_at: 2026-02-16T17:59:34Z
dimensions:
  code-quality:
    decision: deny
    reason: 'FAIL: 0 blocker, 1 major findings'
    set_by: ubuntu
    set_at: 2026-02-16T17:41:23Z
  security:
    decision: deny
    reason: 'FAIL: 0 blocker, 1 major findings'
    set_by: ubuntu
    set_at: 2026-02-16T17:59:34Z
findings:
- finding_id: f-704-code_quality-1771263682765971-0
  type: code-quality
  severity: MAJOR
  summary: GC tests remove directory creation logic but assert target discovery
  risk: Tests will fail or pass vacuously if collect_idle_lane_targets returns empty list (false positive for filtering logic).
  impact: Regression in GC logic could go unnoticed.
  location: crates/apm2-core/src/fac/gc.rs
  body: The new tests  and  assert that  finds targets (e.g. ). However, the diff removes the  and  calls that created these directories on disk. Since  checks for directory existence (), it will return an empty list if the directories are missing. This likely causes the tests to fail their assertions (e.g. ). Ensure the test setup creates the necessary directory structure (, ) for the idle lanes before collection.
  evidence_digest: 119c1c623ce7c6ec808888c571e9d28c701648a482efce2a6d2e81694271c73d
  evidence_pointer: none
  timestamp: 2026-02-16T17:41:22Z
- finding_id: f-704-code_quality-1771263682908205-0
  type: code-quality
  severity: NIT
  summary: Verified schema count update after rebase
  risk: None (fix for CI).
  impact: None.
  location: crates/apm2-core/src/schema_registry/fac_schemas.rs
  body: Verified that the update to  count (13 -> 14) is correct and reflects the state of the codebase after rebase on main. This ensures CI passes.
  evidence_digest: 72d9183427e261a8bc64c0a0a199ec3af63da36663e57efda1aca7facdef7e33
  evidence_pointer: none
  timestamp: 2026-02-16T17:41:22Z
- finding_id: f-704-security-1771264131485621-0
  type: security
  severity: MAJOR
  summary: Sandbox hardening policy is defined but not enforced in runtime unit construction
  risk: An operator can configure restrictive FacPolicyV1.sandbox_hardening (for example, removing AF_INET/AF_INET6) expecting egress reduction, but runtime paths still build SystemdUnitProperties with SandboxHardeningProfile::default(). Untrusted build.rs/proc-macro execution can retain broader network/syscall surface than policy intended.
  impact: 'Containment policy bypass on FAC execution paths: jobs may run with unexpectedly broad authority, increasing exfiltration and lateral-movement opportunities in hostile repository code.'
  location: crates/apm2-cli/src/commands/fac_review/bounded_test_runner.rs:131; crates/apm2-cli/src/commands/fac_worker.rs:2072; crates/apm2-core/src/fac/systemd_properties.rs:369
  body: 'The PR introduces FacPolicyV1.sandbox_hardening and from_lane_profile_with_hardening(), but production callsites do not consume it. Bounded test runner hard-codes SandboxHardeningProfile::default(), and worker paths still call from_lane_profile(...) without policy hardening. The helper is only exercised in tests, so policy customization is currently non-effective. Remediation: plumb FacPolicyV1.sandbox_hardening through all SystemdUnitProperties construction sites (gates/pipeline/worker), assert command properties reflect non-default profiles in user+system backends, and fail closed when policy hardening cannot be applied.'
  evidence_digest: d9911a5c00d6859209033b61d09bec231207eb8d6074a3e23b56ff4a448f0ecf
  evidence_pointer: none
  timestamp: 2026-02-16T17:48:51Z
- finding_id: f-704-security-1771264138697872-0
  type: security
  severity: MINOR
  summary: Sandbox hardening receipt field is never populated by runtime receipt emitters
  risk: Receipt consumers cannot verify which sandbox hardening profile was actually applied because sandbox_hardening_hash is defined/validated but never written by producers. A runtime hardening drift can go undetected in audit pipelines.
  impact: 'Measurement-integrity gap for containment evidence: forensic and governance workflows lose cryptographic binding between executed unit hardening and recorded FAC job receipts.'
  location: crates/apm2-core/src/fac/receipt.rs:710; crates/apm2-cli/src/commands/fac_worker.rs:4487
  body: 'The PR adds sandbox_hardening_hash to FacJobReceiptV1 and builder validation, but no runtime producer calls .sandbox_hardening_hash(...). Repository-wide references show definition/validation sites only, so persisted receipts carry None and cannot attest hardening configuration. Remediation: compute hash from the effective SystemdUnitProperties.sandbox_hardening used for each job and set it in all emit_job_receipt paths; add a regression test that persisted receipts include the expected hash and fail closed on malformed/mismatched values.'
  evidence_digest: a1d483da54dcd750584f5c1091ecb6a7c5f760f0b3e1532f8b358cca8bc7f2d3
  evidence_pointer: none
  timestamp: 2026-02-16T17:48:58Z
- finding_id: f-704-security-1771264761764098-0
  type: security
  severity: MAJOR
  summary: Sandbox hardening policy is not enforced by production command builders
  risk: Operators can configure restrictive sandbox_hardening values (for example limiting RestrictAddressFamilies), but the prepared diff only introduces policy fields/tests and still constructs runtime properties from default hardening in production paths. A malicious job can exploit this policy bypass to retain AF_INET/AF_INET6 network capability even when policy intends to deny it.
  impact: Policy-level sandbox controls are not authoritative at runtime, so FAC jobs may run with broader privileges than configured. This weakens containment guarantees and enables data exfiltration paths that operators believe are blocked.
  location: crates/apm2-cli/src/commands/fac_review/bounded_test_runner.rs:128
  body: 'The diff adds FacPolicyV1::sandbox_hardening and SystemdUnitProperties::from_lane_profile_with_hardening, but production wiring is missing: bounded_test_runner still hard-codes SandboxHardeningProfile::default() and no production integration in the diff threads policy.sandbox_hardening into unit property construction. In practice, policy mutations do not change emitted systemd sandbox directives. Remediate by threading the effective policy hardening profile through all production systemd property constructors (worker and review bounded-runner paths) and adding integration tests that prove a non-default policy changes generated --property directives.'
  evidence_digest: a1d619d9b8a282e4984ec0025cf8a11163fd792e9c46dc9f43be68ad835d0d3c
  evidence_pointer: none
  timestamp: 2026-02-16T17:59:21Z
- finding_id: f-704-security-1771264770974031-0
  type: security
  severity: MINOR
  summary: Sandbox hardening receipt hash is introduced but not emitted by this diff
  risk: The diff adds sandbox_hardening_hash to receipt schema and canonical hashing, but no producer wiring is included in the reviewed changes. If runtime hardening is weakened or diverges from policy, receipts remain unable to prove which hardening profile was actually applied.
  impact: Forensics and compliance lose an integrity signal for sandbox configuration, making hardening regressions harder to detect from receipts alone.
  location: crates/apm2-core/src/fac/receipt.rs:701
  body: This PR extends FacJobReceiptV1 with sandbox_hardening_hash and validates/hash-binds it when present, but the prepared diff does not update receipt emission paths to set the field. As a result, the new audit field will stay None in existing producer flows touched by this PR scope. Remediate by computing the hash from the effective SandboxHardeningProfile used for the unit and setting builder.sandbox_hardening_hash(...) in all FAC job receipt producers, with an integration test asserting the field is populated for successful executions.
  evidence_digest: dd3448bb0002548f7b072d57208d79316cc605392ebaba930b63f1c2c1bb901b
  evidence_pointer: none
  timestamp: 2026-02-16T17:59:30Z

[Anveio]

# apm2-review-verdict:v1
schema: apm2.review.verdict.v1
pr: 704
sha: 93c10b5e3233ece9e2bf865b504109c4900d9039
updated_at: 2026-02-16T19:04:18Z
dimensions:
  code-quality:
    decision: deny
    reason: 'FAIL: 1 major finding regarding canonicalization collisions in FacJobReceiptV1. Redundant TMPDIR in allowlist also noted.'
    set_by: ubuntu
    set_at: 2026-02-16T19:04:18Z
  security:
    decision: approve
    reason: 'PASS: The PR correctly implements policy-driven sandbox hardening for FAC job units (TCK-00573). It enforces backend-aware hardening, correctly binds the hardening profile hash to signed receipts, and hardens the GC planner against unknown lane IDs. All security invariants (INV-SBX-001, INV-SBX-002, INV-SBX-003) are satisfied. One MINOR finding regarding non-injective canonical encoding for trailing optional fields was recorded, but it is an existing pattern with low immediate exploit risk.'
    set_by: ubuntu
    set_at: 2026-02-16T19:03:38Z
findings:
- finding_id: f-704-code_quality-1771268654837495-0
  type: code-quality
  severity: MAJOR
  summary: Canonicalization collision in FacJobReceiptV1 optional fields
  risk: Non-injective serialization allows different receipt payloads to produce the same content hash, breaking content-addressed integrity.
  impact: Violates security invariant INV-F-03; allows potential receipt substitution or data corruption in CAS.
  location: crates/apm2-core/src/fac/receipt.rs:canonical_bytes
  body: The optional fields moved_job_path, containment, and sandbox_hardening_hash are appended to the canonical byte stream using a shared 1u8 presence marker but without a 0u8 absence marker. This causes collisions when one field is present and another is absent with identical content (e.g., a path matching a hash string). To fix this while preserving backward compatibility for old receipts, each new optional field must use a unique marker byte or a proper two-state presence bit (0/1) for all fields in the sequence.
  evidence_digest: cf76d36c08cbd8da3f3e98da86baaefca778da00827c0ae1560b23e56b7a4822
  evidence_pointer: none
  timestamp: 2026-02-16T19:04:14Z
- finding_id: f-704-code_quality-1771268654962507-0
  type: code-quality
  severity: NIT
  summary: Redundant TMPDIR entry in systemd setenv allowlist
  risk: Minor maintainability and readability issue.
  impact: None on functionality.
  location: crates/apm2-cli/src/commands/fac_review/bounded_test_runner.rs:SYSTEMD_SETENV_ALLOWLIST_EXACT
  body: The TMPDIR variable is listed twice in the SYSTEMD_SETENV_ALLOWLIST_EXACT array. Remove the redundant second entry.
  evidence_digest: 53b032f4d32cd26a439b75d5d82ffce2a4c9a0b65456a29f4f3a963a17c55f7f
  evidence_pointer: none
  timestamp: 2026-02-16T19:04:14Z
- finding_id: f-704-security-1771268614977060-0
  type: security
  severity: MINOR
  summary: Non-injective canonical encoding for trailing optional fields in FacJobReceiptV1
  risk: The canonical_bytes() and canonical_bytes_v2() methods omit absence markers (0u8) for trailing optional fields (moved_job_path, containment, sandbox_hardening_hash). This creates a potential preimage collision where a receipt with [FieldA=Some(X), FieldB=None] has the same canonical representation as [FieldA=None, FieldB=Some(X)] if X is a valid representation for both.
  impact: Theoretical signature malleability where a signature for one receipt could be presented as valid for a structurally different receipt. In practice, existing fields use distinct string prefixes (relative paths vs b3-256 hashes) that mitigate the collision risk.
  location: crates/apm2-core/src/fac/receipt.rs
  body: The canonicalization logic should be updated in a future schema version to use explicit absence markers for all optional fields, regardless of their position. For the current PR, this is a continuation of an existing pattern used for backward compatibility, and the immediate risk is low due to field value constraints.
  evidence_digest: 92bf054f2c268fdb3dc0cca052ade35f5336bb9835cfd9815cb64ef1b52305ef
  evidence_pointer: none
  timestamp: 2026-02-16T19:03:34Z

[Anveio]

# apm2-review-verdict:v1
schema: apm2.review.verdict.v1
pr: 704
sha: 26b6748c5e781f52b85ccecb8955c38ad4cd51bf
updated_at: 2026-02-16T19:20:25Z
dimensions:
  code-quality:
    decision: deny
    reason: 'FAIL: 1 blocker, 1 major finding. Violation of INV-SBX-001 in bounded_test_runner.rs and backward compatibility break in FacJobReceiptV1 hashing.'
    set_by: ubuntu
    set_at: 2026-02-16T19:20:02Z
  security:
    decision: deny
    reason: 'FAIL: 1 blocker, 1 minor, 1 nit findings. The implementation of sandbox_hardening_hash in FacJobReceiptV1 breaks backwards compatibility for existing receipt integrity verification by adding a mandatory presence marker to the v1 canonicalization scheme. Additionally, non-constant-time hash comparisons were found in the receipt index.'
    set_by: ubuntu
    set_at: 2026-02-16T19:20:25Z
findings:
- finding_id: f-704-code_quality-1771269597126770-0
  type: code-quality
  severity: BLOCKER
  summary: INV-SBX-001 Violation in bounded_test_runner.rs
  risk: Bypasses centralized security logic and reintroduces hard-coded defaults.
  impact: Violates a core security invariant intended to ensure all job units use policy-driven hardening and consistent resource defaults.
  location: crates/apm2-cli/src/commands/fac_review/bounded_test_runner.rs:122
  body: 'The limits_to_properties function manually constructs SystemdUnitProperties with hard-coded defaults (io_weight: 100, kill_mode: ''control-group'') instead of using the mandatory from_lane_profile_with_hardening constructor. This violates [INV-SBX-001]. If manual construction is necessary for CLI-driven limits, a dedicated constructor should be added to SystemdUnitProperties to avoid field-level hard-coding in caller sites.'
  evidence_digest: 976ba1e87f930a828dcd3d7ae72c342c97353c93e0f02f85985b46dcc81d25e8
  evidence_pointer: none
  timestamp: 2026-02-16T19:19:57Z
- finding_id: f-704-code_quality-1771269597254708-0
  type: code-quality
  severity: MAJOR
  summary: Backward compatibility break in FacJobReceiptV1 hashing
  risk: Existing receipts will fail hash verification if re-canonicalized.
  impact: Breaks content-addressed integrity for all receipts stored before this change, as re-computing the content_hash will yield a different value due to the new trailing 0u8 marker.
  location: crates/apm2-core/src/fac/receipt.rs:842
  body: In canonical_bytes (v1 and v2), adding a 0u8 presence marker for sandbox_hardening_hash when it is None breaks backward compatibility. Other trailing optional fields (moved_job_path, containment) intentionally omit the marker when None to keep old hashes stable. This field should follow that pattern unless a breaking change to V1 hashes is explicitly intended and documented.
  evidence_digest: ad060dd850a8c069008bd493ba331c9ca04b585fecc95858cb5442af56e4cc41
  evidence_pointer: none
  timestamp: 2026-02-16T19:19:57Z
- finding_id: f-704-code_quality-1771269597380513-0
  type: code-quality
  severity: NIT
  summary: Redundant check in gc.rs
  risk: Slightly less efficient iteration.
  impact: No functional impact, but adds redundant logic.
  location: crates/apm2-core/src/fac/gc.rs:200
  body: collect_idle_lane_targets checks is_known_lane for each status, but the statuses list is already filtered to known lanes by load_lane_statuses(..., &known_lane_ids). The check is redundant.
  evidence_digest: 2ffa38cf3352403f87640f59f57dbf9476f424a04db31127ddb197452cb042a0
  evidence_pointer: none
  timestamp: 2026-02-16T19:19:57Z
- finding_id: f-704-code_quality-1771269597504524-0
  type: code-quality
  severity: NIT
  summary: Missing sandbox_hardening_hash in early denial receipts
  risk: Reduced audit trail completeness for denied jobs.
  impact: Denial receipts emitted before lane admission do not record the hardening profile that would have been used.
  location: crates/apm2-cli/src/commands/fac_worker.rs:1185
  body: Early emit_job_receipt calls in process_job (e.g., for budget denial) pass None for sandbox_hardening_hash even though the policy (and thus the profile) is available. Passing Some(policy.sandbox_hardening.content_hash_hex()) would provide a better audit trail.
  evidence_digest: 456952fcf9675579e803a0906f2bc3f107d94a9d55d2231616d0ab03d9ebc6a4
  evidence_pointer: none
  timestamp: 2026-02-16T19:19:57Z
- finding_id: f-704-security-1771269621823473-0
  type: security
  severity: BLOCKER
  summary: Broken Hash Integrity for Existing Receipts
  risk: Adding a mandatory 0u8 presence marker for sandbox_hardening_hash in canonical_bytes (v1 and v2) changes the preimage for all existing receipts where this field is None. Recomputed hashes will mismatch original content-addressed filenames.
  impact: Verification of all existing production evidence will fail in lookup_job_receipt, has_receipt_for_job, and rebuild_from_store, causing the system to treat existing receipts as corrupt or non-existent.
  location: crates/apm2-core/src/fac/receipt.rs:821
  body: 'Remediation: In FacJobReceiptV1::canonical_bytes (v1), omit the presence marker when sandbox_hardening_hash is None, matching the pattern of preceding trailing optional fields (moved_job_path, containment). This preserves the hash for existing receipts. To properly fix injective encoding risks, introduce a v3 hashing scheme for new receipts instead of modifying v1/v2 in-place.'
  evidence_digest: 9f773aad3b1ac13bf79be1704785e30bdb2f8bfc34aa618ff6eb099866d180d4
  evidence_pointer: none
  timestamp: 2026-02-16T19:20:21Z
- finding_id: f-704-security-1771269621953811-0
  type: security
  severity: MINOR
  summary: Non-Constant-Time Hash Comparison in receipt_index.rs
  risk: verify_receipt_integrity uses the standard == operator to compare hex-encoded cryptographic digests, which is variable-time.
  impact: Violates the module security contract (INV-PC-001) requiring ct_eq for all digest comparisons. While public digests mitigate exploitation, it sets a dangerous precedent for authority-bearing checks.
  location: crates/apm2-core/src/fac/receipt_index.rs:645
  body: 'Remediation: Convert hex strings to bytes or use subtle::ConstantTimeEq::ct_eq for digest comparisons in verify_receipt_integrity.'
  evidence_digest: cce401b48646ee9668492902c1fd97e85179fdf4cec7f32e63196758cd9ad3b3
  evidence_pointer: none
  timestamp: 2026-02-16T19:20:21Z
- finding_id: f-704-security-1771269622082325-0
  type: security
  severity: NIT
  summary: Non-Canonical Sorting of Address Families
  risk: SandboxHardeningProfile::content_hash computes the BLAKE3 digest over an unsorted Vec<String>, making the policy hash sensitive to the order of elements.
  impact: Policy hash instability where functionally identical policies (same address families, different order) produce different digests, complicating audit and consistency checks.
  location: crates/apm2-core/src/fac/systemd_properties.rs:215
  body: 'Remediation: Sort the restrict_address_families vector before computing the content hash, matching the canonicalization pattern used for environment vectors in FacPolicyV1.'
  evidence_digest: 13b310f6ed23227728ea2c003d8f69c83ddbc4f197b055e668b225041033f2d2
  evidence_pointer: none
  timestamp: 2026-02-16T19:20:22Z

[Anveio]

# apm2-review-verdict:v1
schema: apm2.review.verdict.v1
pr: 704
sha: 99cb2229990be8c1ef0a0a093cb147c067b58328
updated_at: 2026-02-16T20:21:07Z
dimensions:
  code-quality:
    decision: approve
    reason: 'PASS: Validated SandboxHardeningProfile implementation, policy enforcement, and receipt binding (TCK-00573). One MINOR finding on missing hash in revocation receipts, one NIT on policy validation.'
    set_by: ubuntu
    set_at: 2026-02-16T20:21:07Z
  security:
    decision: deny
    reason: 'FAIL: 3 major findings. 1) FacJobReceiptV1 canonicalization is non-injective for trailing optionals (collision risk). 2) GateReceipt missing sandbox_hardening_hash (audit gap). 3) GateResourcePolicy missing sandbox_hardening (cache isolation gap).'
    set_by: ubuntu
    set_at: 2026-02-16T20:19:21Z
findings:
- finding_id: f-704-code_quality-1771272824613989-0
  type: code-quality
  severity: NIT
  summary: Repetitive calculation of sandbox_hardening_hash in fac_worker.rs
  risk: Code duplication reduces maintainability slightly.
  impact: No runtime impact; purely a code style/cleanliness observation.
  location: crates/apm2-cli/src/commands/fac_worker.rs:process_job
  body: The  is called repeatedly (approx 19 times) in multiple denial paths within . Consider calculating it once at the top of the function to reduce code duplication and ensure consistency.
  evidence_digest: 205fb69937687ab2c72aae5549b9ecbfeb9848e976444ce01cf27bd93acf0c73
  evidence_pointer: none
  timestamp: 2026-02-16T20:13:44Z
- finding_id: f-704-code_quality-1771273260788017-0
  type: code-quality
  severity: MINOR
  summary: Revocation receipts missing sandbox_hardening_hash (INV-SBX-002)
  risk: 'Audit trail gap: cannot verify hardening profile for revoked/stopped jobs.'
  impact: Incomplete compliance evidence for TCK-00573; revoked malicious jobs lack proof of containment.
  location: crates/apm2-cli/src/commands/fac_worker.rs:handle_stop_revoke
  body: The 'handle_stop_revoke' function emits completion receipts for stopped/revoked jobs but passes 'None' for 'sandbox_hardening_hash'. Since this function is called from 'process_job' where the 'FacPolicyV1' is available, the hash should be passed down and included in the receipt to maintain a complete audit trail as required by INV-SBX-002.
  evidence_digest: c318870d93d68a8bced01eb1c48009fbe89d8ef045d3df0f199b706097b890b5
  evidence_pointer: none
  timestamp: 2026-02-16T20:21:00Z
- finding_id: f-704-code_quality-1771273260910552-0
  type: code-quality
  severity: NIT
  summary: SandboxHardeningProfile allows duplicate address families
  risk: Low risk; canonicalization handles it, but allows unclean policy.
  impact: Policy definitions may contain redundant entries.
  location: crates/apm2-core/src/fac/systemd_properties.rs:validate
  body: The 'validate()' method checks for length and format but does not verify uniqueness of 'restrict_address_families'. While 'content_hash()' provides determinism via sorting, allowing duplicates in the stored policy is untidy. Consider enforcing uniqueness in validation.
  evidence_digest: 7b8d2a9f6940140c5cb97ef833e47fca76a24d1791012d0ac0b4bf9d652514d3
  evidence_pointer: none
  timestamp: 2026-02-16T20:21:00Z
- finding_id: f-704-security-1771273100394251-0
  type: security
  severity: MAJOR
  summary: Injective Encoding Violation in FacJobReceiptV1 Canonicalization
  risk: Non-injective encoding allows different optional field combinations to produce identical hashes (e.g. moved_job_path vs sandbox_hardening_hash).
  impact: Breaks cryptographic integrity binding and content-addressing; different receipt states collide in the ledger.
  location: crates/apm2-core/src/fac/receipt.rs
  body: The trailing optional fields (moved_job_path, containment, sandbox_hardening_hash) are appended to the canonical bytes using the same 1u8 presence marker and no absent marker. A receipt with moved_job_path=X and sandbox_hardening_hash=None produces the same bytes as one with moved_job_path=None and sandbox_hardening_hash=X. Use unique type-specific markers (e.g. 3u8 for sandbox_hardening_hash) to ensure distinct byte streams while preserving backward compatibility for None cases.
  evidence_digest: 528cd6c51744c943fc6a1a390741de1a7594b0e6c317ff690a4221a3955df592
  evidence_pointer: none
  timestamp: 2026-02-16T20:18:20Z
- finding_id: f-704-security-1771273100604821-0
  type: security
  severity: MAJOR
  summary: Missing Sandbox Hardening Hash in GateReceipt
  risk: GateReceipt does not record the sandbox hardening profile used during execution, breaking the audit trail for gates.
  impact: Gate executions (manual or direct dispatch) lack verifiable evidence of the execution environment's security posture.
  location: crates/apm2-core/src/fac/receipt.rs
  body: The GateReceipt schema and builder were not updated to include sandbox_hardening_hash. Gates run outside the worker context (e.g. apm2 fac gates) produce signed receipts that do not cryptographically bind to the sandbox hardening profile used, preventing later audit of the execution containment.
  evidence_digest: 8492a8eb31e660919aa8ba900afa4dc52a90079c5a304ea6f31cd4fd47f7dde8
  evidence_pointer: none
  timestamp: 2026-02-16T20:18:20Z
- finding_id: f-704-security-1771273100793306-0
  type: security
  severity: MAJOR
  summary: Sandbox Hardening missing from Gate Attestation
  risk: Changing sandbox hardening policy does not trigger gate cache misses, allowing reuse of results across different environments.
  impact: Stale gate results from insecure environments can be incorrectly reused in secure environments (and vice-versa).
  location: crates/apm2-cli/src/commands/fac_review/gate_attestation.rs
  body: GateResourcePolicy does not include sandbox_hardening. Consequently, compute_gate_attestation produces the same attestation_digest regardless of hardening settings. This allows incorrect cache hits when the SandboxHardeningProfile is modified between runs.
  evidence_digest: 96ef6c2ca088f5f44a71686a0736fbaa909f8e98b86380647a6e22283cec23b7
  evidence_pointer: none
  timestamp: 2026-02-16T20:18:20Z
- finding_id: f-704-security-1771273100921328-0
  type: security
  severity: NIT
  summary: Redundant Hash Computation in execute_warm_job
  risk: Low-impact performance overhead and code duplication.
  impact: Minor maintenance burden.
  location: crates/apm2-cli/src/commands/fac_worker.rs
  body: execute_warm_job re-computes sandbox_hardening_hash_str which was already computed by its caller (process_job). Pass the hash as an argument instead.
  evidence_digest: 389c7d47e786431e449e3dbf7eb826e2afac2e736f833d1572bdcaa46d134c06
  evidence_pointer: none
  timestamp: 2026-02-16T20:18:20Z

[Anveio]

# apm2-review-verdict:v1
schema: apm2.review.verdict.v1
pr: 704
sha: dbb3cb7fd9ac452209915e5141f592e5936e7a13
updated_at: 2026-02-16T21:11:35Z
dimensions:
  code-quality:
    decision: deny
    reason: 'FAIL: 0 blocker, 1 major findings'
    set_by: ubuntu
    set_at: 2026-02-16T21:11:35Z
  security:
    decision: approve
    reason: 'PASS: Validated sandbox hardening profile, canonical hash binding in receipts, backend-aware property generation, and GC scope restriction.'
    set_by: ubuntu
    set_at: 2026-02-16T21:04:46Z
findings:
- finding_id: f-704-code_quality-1771276290820823-0
  type: code-quality
  severity: MAJOR
  summary: Gate attestation binds default sandbox profile instead of the effective policy profile
  risk: Attestation/resource digests can claim one sandbox posture while bounded tests actually run with another, breaking cache-key integrity and audit trust.
  impact: Gate cache reuse can cross hardening-profile changes, allowing stale results from differently hardened executions to be treated as equivalent.
  location: crates/apm2-cli/src/commands/fac_review/gates.rs:577; crates/apm2-cli/src/commands/fac_review/evidence.rs:1660
  body: 'Both attestation call sites compute sandbox_hardening_hash from SandboxHardeningProfile::default(), but execution uses policy.sandbox_hardening (gates.rs:519, evidence.rs:951). This violates policy-driven binding for attestation and can produce false cache hits when policy hardening is customized. Required action: derive the hash from the exact profile passed into build_systemd_bounded_test_command (or carry that hash through PipelineTestCommand), and add regression tests that mutate FacPolicyV1.sandbox_hardening (for example private_tmp=false) to prove attestation/resource digest changes and cache reuse is denied across profile drift.'
  evidence_digest: 90d7350b1dd0bddf820eac98a60cdac6eda752b37df4ca47cd357a4b60c153ab
  evidence_pointer: none
  timestamp: 2026-02-16T21:11:30Z

[Anveio]

# apm2-review-verdict:v1
schema: apm2.review.verdict.v1
pr: 704
sha: bfe7547975aae0c8347fa4dcfd800bbb58b4a98e
updated_at: 2026-02-16T21:27:45Z
dimensions:
  code-quality:
    decision: deny
    reason: 'FAIL: 1 major finding (GateReceipt missing sandbox hardening binding)'
    set_by: ubuntu
    set_at: 2026-02-16T21:27:09Z
  security:
    decision: approve
    reason: 'PASS: TCK-00573 Systemd Sandbox Hardening implementation verified. All prior findings (MAJOR-1, NIT-3) remediated. Hardening is policy-driven, audited via receipts, and fails closed.'
    set_by: ubuntu
    set_at: 2026-02-16T21:27:45Z
findings:
- finding_id: f-704-code_quality-1771277223461933-0
  type: code-quality
  severity: MAJOR
  summary: GateReceipt omitted sandbox_hardening_hash in worker
  risk: 'Audit gap: GateReceipts do not bind the hardening profile used, breaking the chain of custody for security configuration.'
  impact: Downstream verification cannot prove which hardening profile was active during execution for GateReceipts.
  location: crates/apm2-cli/src/commands/fac_worker.rs
  body: |-
    In  (Step 9) and , the  is constructed but  is never called, leaving the field as . The  variable is available in both scopes.

    The  struct was updated in  to include this field (TCK-00573), and the ticket requires 'Emit unit hardening settings into receipts for audit'. This must be populated in all production receipt emission paths.

    **Remediation:**
    Update both  chains in  to call .
  evidence_digest: 3d741e2fc738754279c822bfe8a2869a0f0b07de007b0f4907fd3efac83bf1c4
  evidence_pointer: none
  timestamp: 2026-02-16T21:27:03Z
- finding_id: f-704-code_quality-1771277223621570-0
  type: code-quality
  severity: NIT
  summary: GateReceiptBuilder usage in tests not updated
  risk: Tests do not cover the new field.
  impact: Low impact for tests, but good practice to verify.
  location: crates/apm2-cli/tests/tck_00511_fac_worker.rs
  body: The test  uses  but does not seem to set . While not critical for the production fix, updating the test to verify the field's presence would prevent regression.
  evidence_digest: b201a9cbb3ff8fb383750a0457788894425bff97959e5361f0abfab2006e5605
  evidence_pointer: none
  timestamp: 2026-02-16T21:27:03Z
- finding_id: f-704-security-1771277265286136-0
  type: security
  severity: NIT
  summary: Verified remediation of stale attestation binding (MAJOR-1)
  risk: Stale gate results from insecure environments could be reused if attestation ignores hardening profile.
  impact: Low (remediation verified).
  location: crates/apm2-cli/src/commands/fac_review/gates.rs
  body: Validated that gates.rs and evidence.rs now compute sandbox_hardening_hash from the effective policy profile and include it in GateResourcePolicy, ensuring attestation binds to the actual hardening configuration.
  evidence_digest: fca87533fffa4fdbd0aac700eea9780683abfb8591193499c3d42a874565c367
  evidence_pointer: none
  timestamp: 2026-02-16T21:27:45Z
- finding_id: f-704-security-1771277265428444-0
  type: security
  severity: NIT
  summary: Verified constant-time receipt hash comparison (INV-PC-001)
  risk: Timing side-channels in digest comparison could allow signature forgery.
  impact: Low (remediation verified).
  location: crates/apm2-core/src/fac/receipt_index.rs
  body: Validated that receipt_index.rs uses ct_eq for receipt digest verification, preventing timing side-channels.
  evidence_digest: 97dffcff392b989dd161f41d43a8672ef02b605b27e01b08b1a4796e93624a78
  evidence_pointer: none
  timestamp: 2026-02-16T21:27:45Z
- finding_id: f-704-security-1771277265564946-0
  type: security
  severity: NIT
  summary: Verified hardening profile validation (NIT-3)
  risk: Duplicate address families could create ambiguity or hash collisions.
  impact: Low (remediation verified).
  location: crates/apm2-core/src/fac/systemd_properties.rs
  body: Validated that SandboxHardeningProfile::validate enforces uniqueness of restrict_address_families entries.
  evidence_digest: b735f80ae967843dd3da9a150b838ac7313ec5efe346b61fabf7397dfb03be84
  evidence_pointer: none
  timestamp: 2026-02-16T21:27:45Z
- finding_id: f-704-security-1771277265703148-0
  type: security
  severity: NIT
  summary: Verified injective receipt encoding (MAJOR-1)
  risk: Collision in canonical byte representation could allow signature reuse.
  impact: Low (remediation verified).
  location: crates/apm2-core/src/fac/receipt.rs
  body: Validated that FacJobReceiptV1 and GateReceipt use distinct type-specific markers (3u8/4u8) for optional fields, ensuring canonical byte injectivity.
  evidence_digest: 5ab4f4646ba3005d4156bd587ac21cd3f05e8ce3ce34495d60c7398e5924dfd0
  evidence_pointer: none
  timestamp: 2026-02-16T21:27:45Z

[Anveio]

# apm2-review-verdict:v1
schema: apm2.review.verdict.v1
pr: 704
sha: f7f0351c6efa21bf7c42b3ca52ae387dee3351a9
updated_at: 2026-02-16T21:47:55Z
dimensions:
  code-quality:
    decision: deny
    reason: 'FAIL: 1 blocker finding (Unauthorized removal of Cost Model TCK-00532), 1 major finding (V2 Receipt Incompatibility).'
    set_by: ubuntu
    set_at: 2026-02-16T21:47:55Z
  security:
    decision: deny
    reason: 'FAIL: 1 major finding (Scope Integrity: Unexplained deletion of Cost Model). TCK-00573 (Sandbox Hardening) should not delete TCK-00532 (Cost Model) without explicit documentation.'
    set_by: ubuntu
    set_at: 2026-02-16T21:47:48Z
findings:
- finding_id: f-704-code_quality-1771278467875666-0
  type: code-quality
  severity: BLOCKER
  summary: Unauthorized removal of Cost Model (TCK-00532)
  risk: Functional regression and violation of ticket scope. The cost model features (dynamic estimation, calibration) delivered in TCK-00532 are removed without authorization.
  impact: Worker queue admission reverts to hardcoded cost '1', disabling adaptive backpressure and calibration logic. This is a major functional regression not described in TCK-00573.
  location: crates/apm2-core/src/economics/cost_model.rs
  body: 'The PR deletes ''crates/apm2-core/src/economics/cost_model.rs'', removes the ''cost_model'' field from ''SchedulerStateV1'', and strips calibration logic from ''fac_worker.rs''. \n\nTCK-00573 is strictly scoped to ''Job unit sandbox hardening'' and ''GC lane target planning''. There is no mention of removing the cost model in the ticket description, plan, or acceptance criteria. \n\nAction required: Revert the removal of the cost model logic. If this removal is intended, it must be tracked in a separate ticket or explicitly added to the TCK-00573 scope with justification.'
  evidence_digest: d9071029375692e3c8d01ff4e8b4f74a6db3b1b80771bfd0c2b84c47fea4af95
  evidence_pointer: none
  timestamp: 2026-02-16T21:47:47Z
- finding_id: f-704-code_quality-1771278468022315-0
  type: code-quality
  severity: MAJOR
  summary: Breaking change to FacJobReceiptV1 V2 canonical wire format
  risk: Invalidation of existing V2 receipts; verification failure for previously persisted evidence.
  impact: Any receipt persisted with the previous V2 format (positional 0/1 markers) will fail verification against the new logic (tagged markers). This breaks the integrity audit trail for existing V2 artifacts.
  location: crates/apm2-core/src/fac/receipt.rs
  body: The PR changes 'canonical_bytes_v2' to use tagged TLV markers (1u8/2u8/3u8) and removes the explicit '0u8' absence markers used in the previous V2 implementation. While tagged markers are an improvement, changing the serialization format changes the BLAKE3 content hash, breaking verification for any existing V2 receipts.\n\nIf V2 receipts are already in production use, this change requires a schema version bump (e.g., 'canonical_bytes_v3') to preserve verification of V2 data. If V2 is strictly experimental and no artifacts exist, this must be explicitly stated in the PR description to waive the compatibility requirement.
  evidence_digest: 06522d265e4169d8c381e26e105cd371640dda00accfbc814873340c0a4c8a2e
  evidence_pointer: none
  timestamp: 2026-02-16T21:47:48Z
- finding_id: f-704-code_quality-1771278468166997-0
  type: code-quality
  severity: NIT
  summary: Robust Sandbox Hardening Implementation (TCK-00573)
  risk: None
  impact: Improved security posture.
  location: crates/apm2-core/src/fac/systemd_properties.rs
  body: The implementation of 'SandboxHardeningProfile' and its integration into 'SystemdUnitProperties' is correct and robust. \n\n- Validation of address families prevents DoS.\n- Policy-driven configuration allows flexibility.\n- User-mode fallback ('no_new_privileges' only) prevents breakage in unprivileged environments.\n- Receipt binding ('sandbox_hardening_hash') ensures auditability.\n\nThis finding records successful verification of the primary ticket scope.
  evidence_digest: b91efacde31a9e45a0c962c1122d09878c2f228a3378312c264f9a97f9c54378
  evidence_pointer: none
  timestamp: 2026-02-16T21:47:48Z
- finding_id: f-704-security-1771278454434367-0
  type: security
  severity: MAJOR
  summary: Unexplained deletion of Cost Model (Scope Integrity)
  risk: The PR deletes 'crates/apm2-core/src/economics/cost_model.rs' and removes cost calibration logic from 'fac_worker.rs'. This functionality (TCK-00532) appears unrelated to TCK-00573 (Sandbox Hardening). If accidental, this is a regression. If intentional, it lacks documentation/justification in the ticket or commit messages.
  impact: Loss of job cost estimation and calibration functionality in the worker. Potential verification gap if cost model tests were relied upon.
  location: crates/apm2-core/src/economics/cost_model.rs
  body: Restore the 'economics/cost_model.rs' module and the calibration logic in 'fac_worker.rs'. If this deletion is intended (e.g., a revert), it must be documented in the PR description and TCK-00573 ticket as a dependency/decision.
  evidence_digest: a9d524ee3fab84dd62028031a134c14b245cdce2f62feddc15d8a4ad824aafd0
  evidence_pointer: none
  timestamp: 2026-02-16T21:47:34Z
- finding_id: f-704-security-1771278454574928-0
  type: security
  severity: NIT
  summary: Sandbox Hardening implementation verified (TCK-00573)
  risk: None (Positive verification)
  impact: None
  location: crates/apm2-core/src/fac/systemd_properties.rs
  body: 'Verified: 1) ''SandboxHardeningProfile'' defaults to safe hardening. 2) Profile is policy-driven via ''FacPolicyV1''. 3) Hash is bound to receipts. 4) Injective encoding (markers 1u8, 2u8, 3u8) prevents canonicalization collisions. 5) User-mode backend correctly filters unsafe directives.'
  evidence_digest: 944d0f282daf8b027206fcb4a9514f5e816ad11615ac030827d709f4533ede0b
  evidence_pointer: none
  timestamp: 2026-02-16T21:47:34Z

[Anveio]

# apm2-review-verdict:v1
schema: apm2.review.verdict.v1
pr: 704
sha: 98eba94342303a9a1353d272bf13f97b1a109f10
updated_at: 2026-02-16T22:25:43Z
dimensions:
  code-quality:
    decision: deny
    reason: 'FAIL: 2 BLOCKER findings (TCK-00532 regression and Ledger Integrity Break). 1 NIT.'
    set_by: ubuntu
    set_at: 2026-02-16T22:25:43Z
  security:
    decision: approve
    reason: 'PASS: no blocker or major findings'
    set_by: ubuntu
    set_at: 2026-02-16T22:22:51Z
findings:
- finding_id: f-704-code_quality-1771280689695139-0
  type: code-quality
  severity: BLOCKER
  summary: 'TCK-00532 Regression: observed_cost field removed'
  risk: Breaking change for FacJobReceiptV1 serialization; regresses Cost Model features.
  impact: Existing receipts with observed_cost will fail to deserialize (deny_unknown_fields). Cost calibration is disabled.
  location: crates/apm2-core/src/fac/receipt.rs
  body: |-
    The 'observed_cost' field was removed from 'FacJobReceiptV1' and replaced with 'sandbox_hardening_hash'. This breaks backward compatibility because 'FacJobReceiptV1' uses '#[serde(deny_unknown_fields)]'. Any existing receipt with 'observed_cost' will fail to load.

    Additionally, all logic in 'fac_worker.rs' for populating and using the cost model (TCK-00532) has been removed.

    Action: Restore the 'observed_cost' field and associated logic. 'sandbox_hardening_hash' must be added as a *new* optional field, not a replacement.
  evidence_digest: 3370c9954c80a35d7701a755ccebcb79a3875cb1a3a2b7bdf3ca8109b351a854
  evidence_pointer: none
  timestamp: 2026-02-16T22:24:49Z
- finding_id: f-704-code_quality-1771280717765644-0
  type: code-quality
  severity: BLOCKER
  summary: 'Ledger Integrity Break: canonical_bytes() hash changed'
  risk: Changing '1u8' to '2u8' marker for containment trace invalidates hashes of existing receipts.
  impact: Verification of existing persisted receipts will fail. Ledger integrity check will fail.
  location: crates/apm2-core/src/fac/receipt.rs
  body: |-
    The 'canonical_bytes()' method (V1) was modified to use '2u8' as a marker for the 'containment' field, replacing the historical '1u8'. This changes the computed content hash for any existing receipt that has a containment trace.

    'canonical_bytes()' MUST remain bit-for-bit compatible with historical data to preserve ledger integrity.

    Action: Revert the marker change in 'canonical_bytes()'. Use the new type-specific markers ('2u8', '3u8') ONLY in 'canonical_bytes_v2()' or a new schema version.
  evidence_digest: a0c7efa1f215ebe175d35fb1de349d7dd8974c51e56f4429f3786223999bd89a
  evidence_pointer: none
  timestamp: 2026-02-16T22:25:17Z
- finding_id: f-704-code_quality-1771280736504893-0
  type: code-quality
  severity: NIT
  summary: 'Inconsistent Validation: GateReceiptBuilder uses weak hash check'
  risk: Validation in GateReceiptBuilder is weaker than FacJobReceiptV1Builder (checks length/prefix but not hex content).
  impact: Malformed hashes (non-hex chars) could technically pass builder validation, though unlikely to be generated.
  location: crates/apm2-cli/src/commands/fac_review/gate_attestation.rs
  body: |-
    GateReceiptBuilder checks '!hash.starts_with(...) || hash.len() != 71' but does not verify that the suffix is valid hex.

    FacJobReceiptV1Builder uses 'is_strict_b3_256_digest' which is more robust.

    Action: Update GateReceiptBuilder to use 'is_strict_b3_256_digest' (or equivalent) for consistency.
  evidence_digest: 457ee8931f27eaa741edd79fb55cb047d6c6f5b0c18ca02746ce120232dbbb11
  evidence_pointer: none
  timestamp: 2026-02-16T22:25:36Z

[Anveio]

# apm2-review-verdict:v1
schema: apm2.review.verdict.v1
pr: 704
sha: e82275f507e4903df1d483192b76b4aa52a6b37f
updated_at: 2026-02-16T23:09:16Z
dimensions:
  code-quality:
    decision: deny
    reason: 'FAIL: 2 major findings (missing proto field for sandbox_hardening_hash in GateReceipt, AGENTS.md/code mismatch for v1 canonical markers) and 1 nit.'
    set_by: ubuntu
    set_at: 2026-02-16T23:08:45Z
  security:
    decision: deny
    reason: 'prepare failed: no review inputs available'
    set_by: ubuntu
    set_at: 2026-02-16T23:09:16Z
findings:
- finding_id: f-704-code_quality-1771282020383415-0
  type: code-quality
  severity: NIT
  summary: Duplicate field initializers in SystemdUnitProperties
  risk: Code cleanliness and maintainability.
  impact: Compiler warning (E0062) and potential confusion during future refactors.
  location: crates/apm2-core/src/fac/systemd_properties.rs
  body: The constructor  initializes  and  correctly, but there seems to be a risk of copy-paste errors or duplicate initializers if the struct evolves. Ensure no fields are initialized twice (though the compiler usually catches this).
  evidence_digest: f037885953841b900cfa30e192ce8254bfa84d9454f7ece06ef773ef7f80c2f3
  evidence_pointer: none
  timestamp: 2026-02-16T22:47:00Z
- finding_id: f-704-code_quality-1771282055195649-0
  type: code-quality
  severity: MINOR
  summary: GateReceipt proto definition missing sandbox_hardening_hash
  risk: Information loss during Proto serialization/deserialization.
  impact: Audit trail gap if GateReceipt is transmitted or persisted via Proto (e.g. legacy IPC or alternative stores).
  location: crates/apm2-core/src/fac/receipt.rs
  body: The  implementation explicitly sets , noting that the Proto wire format does not carry it. While  is primarily used in JSON contexts (cache, evidence bundle), the Proto definition should eventually be updated to maintain parity and prevent data loss in any Proto-based flows.
  evidence_digest: 042efe8f016b8200623504b954b6f24059f21e6291c728acf5fabdcfd9bcd4cd
  evidence_pointer: none
  timestamp: 2026-02-16T22:47:35Z
- finding_id: f-704-code_quality-1771282055335238-0
  type: code-quality
  severity: NIT
  summary: V2 receipt canonicalization schema break
  risk: Incompatibility with pre-existing V2 receipts.
  impact: Hash mismatch for any existing V2 receipts.
  location: crates/apm2-core/src/fac/receipt.rs
  body: The  implementation changes trailing optional field markers from positional (0/1) to type-specific (1/2/3). This is a schema break. Accepted based on the  assertion that V2 is not yet deployed to production.
  evidence_digest: 0f5913e2415e8bba32efd8da9e50b8c8dc96675e5c4b694d07c31285cb49c945
  evidence_pointer: none
  timestamp: 2026-02-16T22:47:35Z
- finding_id: f-704-code_quality-1771282609804072-0
  type: code-quality
  severity: MAJOR
  summary: Sandbox hardening validation accepts an empty AF suffix
  risk: currently accepts  entries like , so malformed policy data can pass validation.
  impact: Invalid policy can be persisted and later fail at transient-unit creation (), causing runtime denials instead of fail-fast policy rejection.
  location: crates/apm2-core/src/fac/systemd_properties.rs:155
  body: 'Counterexample: a profile containing  passes the current predicate because  is true and  is vacuously true on an empty suffix. Required action: require at least one character after  (for example  or ), and add a regression test that  is rejected by both  and .'
  evidence_digest: ccc3917ff75df481b739c5b2aeda9bc26c43694779e529f9132828d4d07e6b21
  evidence_pointer: none
  timestamp: 2026-02-16T22:56:49Z
- finding_id: f-704-code_quality-1771282626262805-0
  type: code-quality
  severity: MAJOR
  summary: Sandbox hardening validator allows AF_ with empty suffix
  risk: Validator allows malformed address family tokens to pass policy validation.
  impact: Malformed policies can be accepted and persisted, then cause systemd unit start failure at runtime.
  location: crates/apm2-core/src/fac/systemd_properties.rs:155
  body: 'Counterexample: restrict_address_families containing AF_ passes validate because the current predicate checks prefix AF_ but does not require any characters after the prefix. Required action: reject empty suffix values and add regression tests in systemd_properties and policy validation.'
  evidence_digest: b11f9d0bf9e7ba97bc7fe1930176c53a1a66b6275fc977806c1f567cecbf2508
  evidence_pointer: none
  timestamp: 2026-02-16T22:57:06Z
- finding_id: f-704-code_quality-1771283304568269-0
  type: code-quality
  severity: MAJOR
  summary: Missing sandbox_hardening_hash in GateReceipt Proto
  risk: Data loss during wire transfer and ledger emission.
  impact: Gate receipts in the ledger will lack the sandbox hardening hash, breaking auditability and verification of the execution environment security posture.
  location: proto/kernel_events.proto
  body: Add 'optional string sandbox_hardening_hash = 15;' to the GateReceipt message in proto/kernel_events.proto and update the TryFrom/From mappings in crates/apm2-core/src/fac/receipt.rs to correctly translate the field.
  evidence_digest: 4682a9464a2f27f12ecb05811feefb2b90e1819dd8f7fa81344e214d4394184c
  evidence_pointer: none
  timestamp: 2026-02-16T23:08:24Z
- finding_id: f-704-code_quality-1771283310234542-0
  type: code-quality
  severity: MAJOR
  summary: AGENTS.md mismatch and collision risk in v1 canonical bytes
  risk: Non-injective encoding in legacy v1 scheme.
  impact: Incorrect documentation in AGENTS.md regarding v1 markers leads to false security assumptions. Reusing the '1u8' marker for multiple adjacent optional fields in v1 allows potential hash collisions.
  location: crates/apm2-core/src/fac/AGENTS.md
  body: The update to AGENTS.md claims that 'canonical_bytes()' (v1) uses type-specific markers (1u8, 2u8, 3u8). However, the code implementation for v1 uses '1u8' for 'moved_job_path', 'containment', and 'observed_cost', creating a collision risk for these trailing optional fields when some are None. AGENTS.md should be corrected to accurately reflect the legacy v1 behavior, and the 'observed_cost' marker '4u8' used in v2 should be added to the documentation.
  evidence_digest: b870511e1a0b347d49074150912af3387793188096e41f9cf081c6a8243dfc75
  evidence_pointer: none
  timestamp: 2026-02-16T23:08:30Z
- finding_id: f-704-code_quality-1771283321695660-0
  type: code-quality
  severity: NIT
  summary: AGENTS.md missing observed_cost marker documentation
  risk: Incomplete documentation of injective encoding markers.
  impact: Minor impact on developer understanding of the v2 canonical format.
  location: crates/apm2-core/src/fac/AGENTS.md
  body: The 'Injective Trailing Optional Fields' section in AGENTS.md should explicitly list the '4u8' marker used for 'observed_cost' in FacJobReceiptV1::canonical_bytes_v2().
  evidence_digest: 7a18fd474beb7fd5c78ad15fe5f864d6da55cddac3cf675e6ebb970b40353550
  evidence_pointer: none
  timestamp: 2026-02-16T23:08:41Z

[Anveio]

# apm2-review-verdict:v1
schema: apm2.review.verdict.v1
pr: 704
sha: d6a420f26405302d4c1086dbb55606d484240079
updated_at: 2026-02-17T03:49:53Z
dimensions:
  code-quality:
    decision: approve
    reason: 'PASS: Sandbox hardening and GC stabilization requirements met. Implementation is robust, fail-closed, and includes comprehensive regression tests. Canonicalization injective encoding issues resolved.'
    set_by: ubuntu
    set_at: 2026-02-17T03:45:50Z
  security:
    decision: approve
    reason: 'PASS: reviewed PR 704 diff and FAC security surfaces; no blocker or major security findings identified, and hardening/attestation binding changes preserve fail-closed behavior.'
    set_by: ubuntu
    set_at: 2026-02-17T03:49:53Z
findings:
- finding_id: f-704-code_quality-1771299943130757-0
  type: code-quality
  severity: NIT
  summary: Inconsistent optional field markers in AGENTS.md vs code
  risk: Documentation drift can lead to confusion for future maintainers or incorrect assumptions during manual audit.
  impact: Low. The code is correct and injective, but the documentation in AGENTS.md omits the 'observed_cost' marker (4u8) and doesn't explicitly mention the 'moved_job_path' marker (1u8).
  location: crates/apm2-core/src/fac/AGENTS.md:1040
  body: Update crates/apm2-core/src/fac/AGENTS.md to accurately reflect all markers used in injective encoding, specifically including 1u8 for moved_job_path and 4u8 for observed_cost in the V2 scheme.
  evidence_digest: 34536f16c3db28822c9db22e4bee05d27ab6d64900875587d60fe0352c8e1aa1
  evidence_pointer: none
  timestamp: 2026-02-17T03:45:43Z
- finding_id: f-704-code_quality-1771299947119590-0
  type: code-quality
  severity: NIT
  summary: Incomplete doc comment for is_platform_unavailable
  risk: Developers might misunderstand the intent of the method if the documentation is not kept in sync with the implementation.
  impact: Low. The implementation is correct and fail-closed.
  location: crates/apm2-core/src/fac/execution_backend.rs:165
  body: The doc comment for is_platform_unavailable lists 'UserModeUnavailable, SystemModeUnavailable, SystemdRunNotFound, CgroupV2Unavailable' as platform-unavailable variants, but the implementation only matches a subset of these. Ensure the comment accurately reflects the matched variants.
  evidence_digest: 5077ab82ae5e6c33d760de4db2c74e4d51e7153d32127a9731c371818fcbbfcc
  evidence_pointer: none
  timestamp: 2026-02-17T03:45:47Z