This repository was archived by the owner on May 4, 2026. It is now read-only.

TCK-00614: FAC projection-model merge safety: required status simplification + regression tests #712

Merged
Anveio merged 2 commits into main from ticket/RFC-0019/TCK-00614 on Feb 17, 2026

Conversation

@Anveio Anveio commented Feb 17, 2026

Collaborator
ticket_meta:
  schema_version: 2026-01-29
  template_version: 2026-01-29
  ticket:
    id: TCK-00614
    title: 'FAC projection-model merge safety: required status simplification + regression tests'
    status: OPEN
  binds:
    prd_id: PRD-PLACEHOLDER
    rfc_id: RFC-0019
    requirements: []
    evidence_artifacts: []
  custody:
    agent_roles:
    - AGENT_IMPLEMENTER
    responsibility_domains:
    - DOMAIN_RUNTIME
    - DOMAIN_SECURITY
    - DOMAIN_CI
  dependencies:
    tickets:
    - ticket_id: TCK-00613
      reason: Continuation of FAC hardening; this ticket scopes CI/ruleset enforcement invariants for projection mode.
  root_cause_analysis:
    summary: |
      INCIDENT: INC-2026-02-17-FAC-AUTOMERGE-FAILOPEN (SEV-1)

      The structural failure was not auto-merge itself; it was that GitHub did not
      treat failing/pending FAC-related signals as required merge blockers.

      In GitHub, auto-merge only waits on REQUIRED checks. If a check is failing but
      not required, merge can still proceed when required checks are satisfied.

      For PRs #704/#709/#710, FAC/preflight signals were failing or skipped while
      merge still proceeded. In projection terms, authoritative merge state was not
      mapped to a single required status context.

      Resolution in this branch is to simplify CI wiring so GitHub is projection-only
      and blocks strictly on one authoritative status: `apm2 / Forge Admission Cycle`.
scope:
  in_scope:
  - id: S1_REVERT_BRANCH_STATE
    title: 'Revert PR #711 merge commit on this branch'
    detail: |
      Reverted commit `7f17f7da2906cb173f64286a28b640f679c62117` using
      `git revert -m 1`, producing commit `f2370301...`, to remove the immediate
      merge-behavior change from this branch baseline before hardening.
  - id: S2_SIMPLIFY_FAC_WORKFLOW
    title: Make Forge Admission Cycle GitHub workflow projection-only
    detail: |
      `.github/workflows/forge-admission-cycle.yml` was simplified:
      - removed `pull_request_target` trigger path
      - removed Rust FAC execution path (`cargo run ... apm2-cli ...`)
      - kept a manual `workflow_dispatch` projection diagnostic job

      GitHub no longer computes FAC verdicts in this workflow.
  - id: S3_REQUIRE_SINGLE_AUTHORITATIVE_STATUS
    title: Require only `apm2 / Forge Admission Cycle` on main ruleset
    detail: |
      `.github/rulesets/protect-main.json` now requires exactly one status check:
      - `apm2 / Forge Admission Cycle`

      `strict_required_status_checks_policy` remains enabled.
  - id: S4_REGRESSION_TESTS_FOR_CI_POLICY
    title: Add CI merge-policy invariants test suite
    detail: |
      Added `crates/apm2-cli/tests/ci_merge_policy_invariants.rs` to assert:
      - protect-main ruleset requires only `apm2 / Forge Admission Cycle`
      - strict required checks policy is true
      - forge-admission-cycle workflow is projection-only (no PR trigger,
        no CLI-driven FAC execution in workflow)
  - id: S5_COMPILE_FIX_UNBLOCKING_VALIDATION
    title: Fix receipt call type mismatch to unblock workspace validation
    detail: |
      In `crates/apm2-cli/src/commands/fac_worker.rs`, updated a receipt emission
      call to use `emit_job_receipt_with_observed_cost(...)` so the observed cost
      type matches the function contract.
  out_of_scope:
  - Changing CLI auto-merge behavior in fac push.
  - Reintroducing GitHub-side FAC verdict computation via Rust binary execution.
  - Adding additional required checks beyond `apm2 / Forge Admission Cycle` in this ticket.
plan:
  steps:
  - id: STEP_01
    title: Reset branch to intended baseline
    detail: 'Revert PR #711 merge commit from this branch.'
  - id: STEP_02
    title: Simplify projection workflow
    detail: Replace FAC workflow logic with projection-only manual diagnostics.
  - id: STEP_03
    title: Harden required-check policy
    detail: Set main ruleset to one authoritative required status context.
  - id: STEP_04
    title: Lock behavior with regression tests
    detail: Add tests that fail on workflow/ruleset drift away from projection model.
  - id: STEP_05
    title: Run full validation gates
    detail: |
      Validate with:
      - `cargo fmt --all`
      - `cargo test -p apm2-cli`
      - `cargo clippy --workspace --all-targets --all-features -- -D warnings`
      - `cargo doc --workspace --no-deps`
      - `cargo test --workspace`
definition_of_done:
  evidence_ids: []
  criteria:
  - 'Branch contains revert commit for PR #711 merge commit.'
  - Forge Admission Cycle workflow is projection-only and not triggered by PR events.
  - Main ruleset requires only `apm2 / Forge Admission Cycle` with strict required checks enabled.
  - Regression tests assert workflow/ruleset invariants and pass.
  - Workspace validation commands complete successfully.
notes:
  context: |
    This ticket update intentionally narrows scope to what is implemented in this
    branch. It records the decision to treat GitHub as projection-only and to bind
    merge blocking to one authoritative FAC status context emitted by apm2 logic.

    Modified files tied to this ticket:
    - `.github/workflows/forge-admission-cycle.yml`
    - `.github/rulesets/protect-main.json`
    - `crates/apm2-cli/tests/ci_merge_policy_invariants.rs`
    - `crates/apm2-cli/src/commands/fac_worker.rs`
  security: default-deny, fail-closed required status enforcement
fac_push_metadata:
  commit_history:
  - short_sha: f2370301
    message: 'Revert "Merge pull request #711 from guardian-intelligence/ticket/RFC-0019/TCK-00573"'
  - short_sha: 5ad45d76
    message: 'TCK-00614: simplify FAC projection CI and lock required-status invariants'

FAC Gate Status

# apm2-gate-status:v2
sha: 5ad45d7631ae91b1ed04ec6c4d2d9ae8710042ee
short_sha: 5ad45d76
timestamp: '2026-02-17T04:37:50Z'
all_passed: true
gates:
  - name: 'merge_conflict_main'
    status: PASS
    duration_secs: 0
  - name: 'rustfmt'
    status: PASS
    duration_secs: 47
  - name: 'clippy'
    status: PASS
    duration_secs: 61
  - name: 'doc'
    status: PASS
    duration_secs: 40
  - name: 'test'
    status: PASS
    duration_secs: 117
  - name: 'workspace_integrity'
    status: PASS
    duration_secs: 0

@Anveio Anveio enabled auto-merge February 17, 2026 04:37
@Anveio Anveio disabled auto-merge February 17, 2026 04:38
@Anveio Anveio merged commit 1374969 into main Feb 17, 2026
2 of 3 checks passed
@Anveio Anveio deleted the ticket/RFC-0019/TCK-00614 branch February 17, 2026 04:39
Anveio commented Feb 17, 2026

Collaborator Author
# apm2-review-verdict:v1
schema: apm2.review.verdict.v1
pr: 712
sha: 5ad45d7631ae91b1ed04ec6c4d2d9ae8710042ee
updated_at: 2026-02-17T04:48:31Z
dimensions:
  code-quality:
    decision: deny
    reason: 'FAIL: 2 blocker, 1 major findings'
    set_by: ubuntu
    set_at: 2026-02-17T04:48:12Z
  security:
    decision: deny
    reason: 'FAIL: 1 blocker finding. Mandatory sandbox hardening hash binding is missing in the  path in , violating security invariant INV-SBX-002.'
    set_by: ubuntu
    set_at: 2026-02-17T04:48:31Z
findings:
- finding_id: f-712-code_quality-1771303662155013-0
  type: code-quality
  severity: BLOCKER
  summary: 'Missing requirement: Regression tests assert workflow/ruleset invariants and pass'
  risk: The ticket requires passing regression tests as a merge-safety guard; without execution evidence, the guard can be assumed while failing.
  impact: A broken CI-policy invariant test can allow unsafe workflow/ruleset drift to merge, reintroducing fail-open behavior.
  location: documents/work/tickets/TCK-00614.yaml
  body: The diff adds the ci_merge_policy_invariants test file, but the change set does not include verifiable evidence that this test was executed successfully for this PR. TCK-00614 definition_of_done explicitly requires the regression tests to pass. Add machine-verifiable evidence for cargo test -p apm2-cli --test ci_merge_policy_invariants tied to this PR run.
  evidence_digest: de1db1f5b8dd3311dbe95b49bdc579396ffd0da4674d63ddc7852eb2de9a284b
  evidence_pointer: none
  timestamp: 2026-02-17T04:47:42Z
- finding_id: f-712-code_quality-1771303672108972-0
  type: code-quality
  severity: BLOCKER
  summary: 'Missing requirement: Workspace validation commands complete successfully'
  risk: Without proof that full workspace validation ran clean, regressions in linting, docs, or tests can ship behind policy-only changes.
  impact: Main can accept CI-policy edits while hidden build or test breakage remains unresolved, increasing integration risk.
  location: documents/work/tickets/TCK-00614.yaml
  body: TCK-00614 definition_of_done requires successful completion of cargo fmt --all, cargo test -p apm2-cli, cargo clippy --workspace --all-targets --all-features -- -D warnings, cargo doc --workspace --no-deps, and cargo test --workspace. The diff contains no verifiable execution evidence or receipt proving this validation set passed for this PR. Attach machine-verifiable proof for the full command set.
  evidence_digest: 71fcfa580efbc0fe72d681aa402c7240541809a8c9a467895d88b4967f623f4d
  evidence_pointer: none
  timestamp: 2026-02-17T04:47:52Z
- finding_id: f-712-code_quality-1771303683805257-0
  type: code-quality
  severity: MAJOR
  summary: Projection-policy regression test can miss forbidden workflow drift
  risk: The guard test uses narrow substring checks, so policy-violating workflow edits can pass while reintroducing forbidden PR-triggered or CLI-computed FAC paths.
  impact: Future changes can silently weaken fail-closed merge protection and recreate the same incident class this ticket is intended to prevent.
  location: crates/apm2-cli/tests/ci_merge_policy_invariants.rs
  body: 'The test forge_workflow_does_not_compute_fac_with_rust_binary_or_pr_triggers only rejects pull_request_target, the exact text cargo run --quiet -p apm2-cli, and fac preflight. Counterexample: adding on: pull_request plus cargo run -p apm2-cli -- fac review ... would still satisfy this test. Strengthen the assertion by parsing the workflow trigger map and rejecting any PR event trigger (pull_request and pull_request_target), and by matching command intent (cargo run + apm2-cli + fac) instead of a single exact string variant.'
  evidence_digest: cbb7d50cfa309c100844cf2eb569f329f38d6aa6b518fc294da55eada87b122c
  evidence_pointer: none
  timestamp: 2026-02-17T04:48:03Z
- finding_id: f-712-security-1771303671906769-0
  type: security
  severity: BLOCKER
  summary: Mandatory sandbox hardening hash binding missing in execute_queued_gates_job
  risk: Violation of mandatory security invariant INV-SBX-002. Gates jobs executed by the worker produce job receipts that do not cryptographically bind the sandbox hardening profile used during execution. An attacker could tamper with the node-local policy to disable hardening for gates execution, and the resulting job receipt would not reflect this compromise, creating a critical audit gap in the Forge Admission Cycle evidence trail.
  impact: Critical loss of auditability and integrity binding for gates evidence. All gates evidence produced via the worker queue is affected. Authoritative verification of the execution environment security posture is impossible for these jobs.
  location: crates/apm2-cli/src/commands/fac_worker.rs:1485
  body: 'Update the signature of `execute_queued_gates_job` to accept `sbx_hash: &str` and pass it to all internal calls of `emit_job_receipt` and `emit_job_receipt_with_observed_cost`. Ensure the call site in `process_job` passes the hoisted `sbx_hash` to the function.'
  evidence_digest: 04d831e3f66faaeacae53992d5425e79d0f814cdaaaea156c943b47fab6fde5e
  evidence_pointer: none
  timestamp: 2026-02-17T04:47:51Z
- finding_id: f-712-security-1771303682700772-0
  type: security
  severity: BLOCKER
  summary: Mandatory sandbox hardening hash binding missing in execute_queued_gates_job
  risk: Violation of mandatory security invariant INV-SBX-002. Gates jobs executed by the worker produce job receipts that do not cryptographically bind the sandbox hardening profile used during execution. An attacker could tamper with the node-local policy to disable hardening for gates execution, and the resulting job receipt would not reflect this compromise, creating a critical audit gap in the Forge Admission Cycle evidence trail.
  impact: Critical loss of auditability and integrity binding for gates evidence. All gates evidence produced via the worker queue is affected. Authoritative verification of the execution environment security posture is impossible for these jobs.
  location: crates/apm2-cli/src/commands/fac_worker.rs:1485
  body: 'Update the signature of `execute_queued_gates_job` to accept `sbx_hash: &str` and pass it to all internal calls of `emit_job_receipt` and `emit_job_receipt_with_observed_cost`. Ensure the call site in `process_job` passes the hoisted `sbx_hash` to the function.'
  evidence_digest: fd335f03aa6655fef8d3baa2a75570d048e927e921475e109b9cb70303b238df
  evidence_pointer: none
  timestamp: 2026-02-17T04:48:02Z
- finding_id: f-712-security-1771303693250970-0
  type: security
  severity: MINOR
  summary: Incomplete integrity binding for unsafe_direct flag in V1 receipts
  risk: The `verify_receipt_integrity` function allows receipts to be verified using either the V1 or V2 hashing scheme. Since the V1 scheme explicitly excludes the `unsafe_direct` field from the canonical preimage, an attacker who can modify receipts in the CAS can flip the `unsafe_direct` flag without changing the V1 content hash. If the attacker also controls the non-authoritative receipt index, they can point to the tampered receipt using its V1 hash, effectively bypassing the V2 integrity binding for this field.
  impact: Integrity of the `unsafe_direct` flag cannot be guaranteed for receipts using the V1 hashing scheme. While this flag is currently only used for display purposes, it constitutes a structural weakness in the evidence integrity chain.
  location: crates/apm2-core/src/fac/receipt_index.rs:731
  body: Consider phasing out V1 hash support for new receipts and ensuring that any logic relying on `unsafe_direct` explicitly checks that the receipt was verified using the V2 scheme.
  evidence_digest: 5c40d1b42e8ebb2d1dd43f80d45b77b73953b53c6211f21e8a1dfb399e41488d
  evidence_pointer: none
  timestamp: 2026-02-17T04:48:13Z
- finding_id: f-712-security-1771303702434550-0
  type: security
  severity: MINOR
  summary: Incomplete integrity binding for unsafe_direct flag in V1 receipts
  risk: The `verify_receipt_integrity` function allows receipts to be verified using either the V1 or V2 hashing scheme. Since the V1 scheme explicitly excludes the `unsafe_direct` field from the canonical preimage, an attacker who can modify receipts in the CAS can flip the `unsafe_direct` flag without changing the V1 content hash. If the attacker also controls the non-authoritative receipt index, they can point to the tampered receipt using its V1 hash, effectively bypassing the V2 integrity binding for this field.
  impact: Integrity of the `unsafe_direct` flag cannot be guaranteed for receipts using the V1 hashing scheme. While this flag is currently only used for display purposes, it constitutes a structural weakness in the evidence integrity chain.
  location: crates/apm2-core/src/fac/receipt_index.rs:731
  body: Consider phasing out V1 hash support for new receipts and ensuring that any logic relying on `unsafe_direct` explicitly checks that the receipt was verified using the V2 scheme.
  evidence_digest: d095df9a5d334ad0e2ec44fb06487b39c703924b88ceeded88e0c76a6efd2f4f
  evidence_pointer: none
  timestamp: 2026-02-17T04:48:22Z
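The ticket's S4 item adds `ci_merge_policy_invariants.rs` to lock the projection model, and the MAJOR code-quality finding above shows why substring checks are not enough: `on: pull_request` plus `cargo run -p apm2-cli -- fac review` slips past a test that only looks for `pull_request_target` and one exact `cargo run` string. The block below is an added example written for this page in the crate's language; it is neither the project's test nor the reviewer's code. It does what the finding asks (read the `on:` trigger map and reject any PR event; match command intent by tokens) and also checks the S3 ruleset invariant (exactly one required context, `strict_required_status_checks_policy` true). The ruleset JSON field names and the constructed workflow/ruleset inputs are assumptions; the std-only line scanners stand in for `serde_yaml`/`serde_json`, which a real test should use.

```rust
// Added example for TCK-00614's CI merge-policy invariants, written for this page
// (not the project's ci_merge_policy_invariants.rs). Per the review: read the `on:`
// map and reject any PR event; match FAC-invocation intent, not one exact string.
// Assumed: the ruleset JSON shape (`required_status_checks[].context`,
// `strict_required_status_checks_policy`); std-only scanners stand in for serde_yaml/serde_json.
const REQUIRED_CONTEXT: &str = "apm2 / Forge Admission Cycle";
fn indent_of(line: &str) -> usize { line.len() - line.trim_start().len() }
fn key_of(s: &str) -> String { // unquoted key of a `key: value` or `- item` line
    s.trim().trim_start_matches("- ").split(':').next().unwrap_or("").trim().trim_matches('"').to_string()
}

/// Event names under the top-level `on:` key (scalar, flow list, block list or
/// block map); filters nested under an event (`branches:` ...) are skipped.
fn workflow_triggers(yaml: &str) -> Vec<String> {
    let lines: Vec<&str> = yaml.lines().map(|l| l.split('#').next().unwrap_or("")).collect();
    let mut out = Vec::new();
    for (i, line) in lines.iter().enumerate() {
        let key = key_of(line); // a YAML 1.1 parser reads a bare `on` as `true`
        if indent_of(line) != 0 || (key != "on" && key != "true") { continue; }
        let rest = line.splitn(2, ':').nth(1).unwrap_or("").trim();
        if !rest.is_empty() {
            let inner = rest.trim_start_matches('[').trim_end_matches(']');
            out.extend(inner.split(',').map(key_of).filter(|s| !s.is_empty()));
            break;
        }
        let mut child = 0;
        for l in lines[i + 1..].iter().filter(|l| !l.trim().is_empty()) {
            let ind = indent_of(l);
            if ind == 0 { break; }
            if child == 0 { child = ind; }
            if ind == child { out.push(key_of(l)); }
        }
        break;
    }
    out
}

/// Every `run:` script, with `|`/`>` block scalars folded into one line.
fn run_commands(yaml: &str) -> Vec<String> {
    let lines: Vec<&str> = yaml.lines().collect();
    let mut out = Vec::new();
    for (i, line) in lines.iter().enumerate() {
        let Some(rest) = line.trim_start().trim_start_matches("- ").strip_prefix("run:") else { continue };
        let rest = rest.trim();
        if !(rest.starts_with('|') || rest.starts_with('>')) { out.push(rest.to_string()); continue; }
        let key_indent = indent_of(line);
        let block: Vec<&str> = lines[i + 1..].iter()
            .take_while(|l| l.trim().is_empty() || indent_of(l) > key_indent)
            .map(|l| l.trim()).collect();
        out.push(block.join(" "));
    }
    out
}

/// Intent match: the apm2 CLI's `fac` subcommand however it is launched
/// (`cargo run -p apm2-cli -- fac ...`, `-p=apm2-cli`, or a built binary).
fn invokes_fac_cli(cmd: &str) -> bool {
    let toks: Vec<&str> = cmd.split_whitespace().collect();
    let apm2 = toks.iter().any(|t| t.contains("apm2-cli") || t.ends_with("/apm2") || *t == "apm2");
    apm2 && toks.contains(&"fac")
}
/// Values of every `"context"` key in the ruleset JSON (simplified scanner).
fn ruleset_required_contexts(json: &str) -> Vec<String> {
    json.match_indices("\"context\"").filter_map(|(i, m)| {
        let val = json[i + m.len()..].trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
        Some(val[..val.find('"')?].to_string())
    }).collect()
}
fn strict_policy_enabled(json: &str) -> bool {
    let Some(i) = json.find("\"strict_required_status_checks_policy\"") else { return false };
    json[i..].splitn(2, ':').nth(1).map_or(false, |v| v.trim_start().starts_with("true"))
}

/// Fail-closed: report every violation, not just the first.
fn projection_policy_violations(workflow: &str, ruleset: &str) -> Vec<String> {
    let mut v = Vec::new();
    for t in workflow_triggers(workflow).iter().filter(|t| t.starts_with("pull_request")) {
        v.push(format!("workflow has PR event trigger `{t}`"));
    }
    for c in run_commands(workflow).iter().filter(|c| invokes_fac_cli(c)) {
        v.push(format!("workflow computes FAC inside GitHub: `{c}`"));
    }
    let ctx = ruleset_required_contexts(ruleset);
    if ctx.len() != 1 || ctx[0] != REQUIRED_CONTEXT {
        v.push(format!("ruleset must require exactly [{REQUIRED_CONTEXT}], got {ctx:?}"));
    }
    if !strict_policy_enabled(ruleset) { v.push("strict_required_status_checks_policy != true".into()); }
    v
}

// Constructed inputs; DRIFTED_WORKFLOW is the review's counterexample (PR trigger + `cargo run -p apm2-cli -- fac review`).
const DRIFTED_WORKFLOW: &str = "on:\n  pull_request:\n    branches: [main]\n  workflow_dispatch:\njobs:\n  fac:\n    steps:\n      - run: |\n          cargo run -p apm2-cli -- \\\n            fac review --pr \"$PR\"\n";
const PROJECTION_WORKFLOW: &str = "on:\n  workflow_dispatch:\njobs:\n  diag:\n    steps:\n      - run: echo \"projection-only diagnostic for $GITHUB_SHA\"\n";
const GOOD_RULESET: &str = r#"{"rules":[{"type":"required_status_checks","parameters":{"strict_required_status_checks_policy":true,"required_status_checks":[{"context":"apm2 / Forge Admission Cycle"}]}}]}"#;
const WEAK_RULESET: &str = r#"{"rules":[{"type":"required_status_checks","parameters":{"strict_required_status_checks_policy":false,"required_status_checks":[{"context":"apm2 / Forge Admission Cycle"},{"context":"ci / lint"}]}}]}"#;

fn main() {
    for v in projection_policy_violations(DRIFTED_WORKFLOW, WEAK_RULESET) { println!("VIOLATION: {v}"); }
}
```

To wire this into a real `cargo test`, read `.github/workflows/forge-admission-cycle.yml` and `.github/rulesets/protect-main.json` relative to `CARGO_MANIFEST_DIR`, assert the returned vector is empty, and treat a missing or unreadable file as a violation so the guard stays fail-closed. The trigger check rejects any event whose name starts with `pull_request`, which is deliberately broader than the two events the finding names; the ruleset check fails on any second context, which is the S3 invariant stated as an equality rather than a "contains".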
