test(arp): regression guards for BC-2.16.004 by-construction .expect() invariants [PC-013]#312
Merged
… framing Update doc-comments in `mod bc_2_16_004_inv6` and its outer block comment to reflect BC-2.16.004 v1.10: the four `.expect()` sites are by-construction loud tripwires (not fail-safes), the tests exercise real production paths (entry always present / `first_rebind_ts` always `Some` at Step 3), and the module description accurately frames all five tests as finding-count/severity regression guards. Removes all v1.9 "silent skip" / "fail-safe degradation" / "Post-fix if-let" language. No test logic, assertions, or function names changed.
PR Manager Review Triage — Cycle 1
Verdict: APPROVE — 0 blocking findings. All CI gates pass. Converged in 1 cycle. Summary:
Zious11 added a commit that referenced this pull request on Jun 24, 2026:
Decision D-224 recorded. PC-013 closed: test-only regression-guard PR #312 "test(arp): regression guards for BC-2.16.004 by-construction .expect() invariants [PC-013]" merged to develop at e684889. All 10 CI checks green. Security CWE-400 dismissed (provably-unreachable). Code review 0 blocking (1 cycle). 5 tests in `mod bc_2_16_004_inv6`. No production code change. Loud `.expect()` retained per D-223.
STATE.md updates:
- D-224 appended to Decisions Log
- develop_head: 2645139 → e684889
- OPEN ITEMS: PC-013 row → DONE (D-224)
- Resolved line: PC-013 added (D-224)
- Phase Progress fix cycle row: 1/3 → 2/3 (D-224)
- phase_status, current_wave, Status section, RESUME PROCEDURE updated
- GROUND-TRUTH HEADs block updated to D-224
STATE-only commit — no BC/story/spec files modified.
Summary
PC-013 was originally filed as "ARP `.expect()` panic-on-malformed risk." F1 scoping + dedicated research (`pc-013-invariant-idiom.md`) disproved the premise: all four `.expect()` sites in `process_arp` and `emit_d1_spoof_finding_impl` are provably unreachable under single-threaded safe Rust, and the correct idiom for this class of guarantee is to retain the loud `.expect()` as a self-documenting tripwire — not to convert it to a silent skip (which is the fail-open anti-pattern). The spec was corrected to BC-2.16.004 v1.10, and this PR delivers 5 white-box regression-guard tests.
No production code change in this PR.
PC-013 Investigation Outcome
Original premise (PC-013): The four `.expect()` calls in `process_arp`/`emit_d1_spoof_finding_impl` (arp.rs lines 555, 576, 642, 827) could panic on malformed input, causing a DoS.

Finding after investigation: All four sites are by-construction invariants, not input-reachable paths:
- `has_conflict` derives from `bindings.get(&sender_ip)`; `bindings.get_mut()` executes in the same invocation with no interleaving opportunity to remove the entry. Entry is present by construction.
- `emit_d1_spoof_finding_impl` returns; no removal can occur between those two statements in single-threaded code.
- `first_rebind_ts = Some(timestamp_secs)` before Step 3's `.expect()` executes. Even after a flap-window reset, Step 2 immediately re-sets the field. Always `Some` at the Step 3 site.

Rust best practice (Rust Book ch. 9.3, std docs, API Guidelines, community consensus) is to fail loud on broken by-construction invariants. A silent `if let` skip reclassifies a library bug as expected behavior and is the fail-open anti-pattern — it masks logic errors and produces partial/incorrect output with no signal.

Research decision D-223: keep the `.expect()` calls as loud tripwires. The originally-planned silent-skip refactor was rejected. Spec corrected to BC-2.16.004 v1.10 (EC-011 / EC-012).

Resolution: No production code change. Spec corrected. 5 regression-guard tests added.
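As an added illustration (not the project's code), the following hypothetical Rust sketch reproduces the shape of these invariants: a conflict check via `get`, a `get_mut` whose entry is present by construction, and a `first_rebind_ts` that Step 2 always sets before Step 3 reads it. `Bindings`, `process_reply`, `Finding` and `FLAP_WINDOW_SECS` are assumed names.

```rust
// Added illustration, not the project's code: a minimal ARP binding table that
// shows the by-construction invariants behind the page's loud `.expect()` idiom.
// All names (Bindings, process_reply, Finding, FLAP_WINDOW_SECS) are hypothetical.
use std::collections::HashMap;

type Ip = [u8; 4];
type Mac = [u8; 6];
const FLAP_WINDOW_SECS: u64 = 60; // hypothetical flap window

#[derive(Debug, PartialEq)]
pub enum Finding {
    /// Sender IP re-announced with a different MAC (rebind / spoof indicator).
    Rebind { ip: Ip, old_mac: Mac, new_mac: Mac, first_rebind_ts: u64 },
}

/// Per-IP state: current MAC and the timestamp of the first rebind in the window.
#[derive(Default)]
pub struct Bindings {
    table: HashMap<Ip, (Mac, Option<u64>)>,
}

impl Bindings {
    /// Process one ARP reply; returns a finding when `ip` rebinds to a new MAC.
    pub fn process_reply(&mut self, ip: Ip, mac: Mac, ts: u64) -> Option<Finding> {
        // Step 1: conflict check through an immutable lookup.
        let has_conflict = matches!(self.table.get(&ip), Some((known, _)) if *known != mac);
        if !has_conflict {
            self.table.entry(ip).or_insert((mac, None));
            return None;
        }
        // The entry is present by construction: `get` just succeeded and nothing in
        // this single-threaded path can remove it before `get_mut`. A `None` here is
        // a logic bug, so fail loud instead of `if let`-skipping (the fail-open
        // anti-pattern), which would drop the finding with no signal.
        let entry = self.table.get_mut(&ip).expect("invariant: binding present after conflict check");
        let old_mac = entry.0;
        // Flap-window reset: an expired rebind series clears first_rebind_ts ...
        if matches!(entry.1, Some(first) if ts.saturating_sub(first) > FLAP_WINDOW_SECS) {
            entry.1 = None;
        }
        // ... and Step 2 immediately re-sets it, so the field is always Some below.
        if entry.1.is_none() {
            entry.1 = Some(ts);
        }
        // Step 3: a `None` is unreachable by construction; a loud tripwire, not a fail-safe.
        let first_rebind_ts = entry.1.expect("invariant: first_rebind_ts set in step 2");
        entry.0 = mac;
        Some(Finding::Rebind { ip, old_mac, new_mac: mac, first_rebind_ts })
    }
}
```

A regression guard for this sketch drives the rebind path end to end and checks the finding contents, which is exactly what would panic at the tripwire if the invariant were ever broken.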
Architecture Changes
```mermaid
graph TD
    A[src/analyzer/arp.rs] -->|"mod bc_2_16_004_inv6 added (test-only)"| B[5 regression-guard tests]
    B --> C[EC-011: GARP-conflict path — lines 555/576]
    B --> D[EC-012: emit_d1_spoof_finding_impl — line 827]
    B --> E[Non-GARP rebind Step 4 — line 642]
```

No production code changed. All changes are in `#[cfg(test)]` blocks.
Story Dependencies
```mermaid
graph LR
    PR310["PR #310 (PC-015 fix, merged)"] --> THIS["This PR (PC-013 tests)"]
    BC["BC-2.16.004 v1.10"] --> THIS
    STORY114["STORY-114 AC-018 v1.6"] --> THIS
```

Part of bundle `fix-pc-013-014-015`. PC-015 (PR #310) already merged to `develop`.
Spec Traceability
```mermaid
flowchart LR
    BC["BC-2.16.004 v1.10\n(EC-011, EC-012)"] --> AC["STORY-114 AC-018 v1.6\n(by-construction invariant\nregression guards)"]
    AC --> TEST["mod bc_2_16_004_inv6\n5 tests in src/analyzer/arp.rs"]
    TEST --> PROD["Production .expect() sites\nlines 555/576/642/827\n(retained as-is)"]
```

Test Evidence
- `test_BC_2_16_004_expect_site_no_panic_on_missing_entry`
- `test_BC_2_16_004_garp_conflict_two_findings_regression_guard`
- `test_BC_2_16_004_garp_no_prior_binding_regression_guard`
- `test_BC_2_16_004_expect_site_rebind_ts_always_some`: `first_rebind_ts` always `Some`, correct D1 finding emitted
- `test_BC_2_16_004_non_garp_rebind_step4_mac_update`

All 5 tests pass: `cargo test --all-targets` green.
Holdout Evaluation
N/A — evaluated at wave gate.
Adversarial Review
N/A — evaluated at Phase 5.
Security Review
No security findings.
This PR adds only `#[cfg(test)]` code. Security review scope:
- Test constants (`IP_A`, `MAC_A`, etc.) are synthetic test data with no sensitive information
- Helpers (`make_reply`, `make_garp`) construct `ArpFrame` structs directly — no external input parsing
- `.expect()` calls in production are provably unreachable by-construction (single-threaded safe Rust, entry presence established in same invocation). The DoS concern (CWE-400) that motivated PC-013 was a false positive — these sites are not reachable by untrusted input. Decision D-223 documents this conclusion.

Verdict: PASS — no security issues. No CRITICAL/HIGH/MEDIUM findings.
Risk Assessment
- `#[cfg(test)]` blocks only
AI Pipeline Metadata
- `.factory/cycles/fix-pc-013-014-015/research/pc-013-invariant-idiom.md`
Pre-Merge Checklist
- `cargo test --all-targets` passes (5 new tests green)
- `cargo clippy --all-targets -- -D warnings` passes
- `cargo fmt --check` passes