test(analyzer): TLS reassembly F6 hardening — Kani VP-039 proofs, fuzz target, 12 mutation-gap tests#345
Merged
Merged
Conversation
…6 C2S/S2C themes) Adds mod f6_hardening (11 deterministic tests) to tests/tls_analyzer_tests.rs to close 11 of the 13 surviving mutation-testing gaps identified in the TLS handshake- reassembly delta (STORY-144/145/146, Phase F6). One site is unkillable: C2S 950:59 `Ok(_)` arm is dead code (parse_tls_handshake_msg_client_hello always wraps success in ClientHello; Ok(non-ClientHello) for msg_type=0x01 cannot occur). Themes covered: Theme 1 (C2S 829:64, S2C 998:64 >→>=): exact-MAX_BUF accumulation accepted Theme 2 (C2S 829:41, S2C 998:41 +→*): 4+18432 vs 4×18432 arithmetic distinguisher Theme 3 (C2S 900:37, S2C 1036:37 >→>=): body_len==MAX_BUF not triggering Decision-4 Theme 4 (S2C 1079:59 +=→-=,+=→*=): parse_errors+1 via ServerHelloV13Draft18 Theme 5 (S2C 1030:67 <<→>>): body_len high-byte <<16 vs >>16 lane Theme 6 (C2S 911:38, S2C 1047:38 -→+): partial-trailing carry retained after consumed>0 Theme 6c (S2C 1155:43 >→>=): S2C exact-fill no-drop (mirrors C2S EC-005) All 11 new tests GREEN; full suite passes (0 failures); clippy clean; fmt clean.
…7 <<8→>>8) Adds test_BC_2_07_041_s2c_body_len_mid_byte_shift_left_not_right to mod f6_hardening. The previous Theme-5 test pinned the HIGH-byte lane (1029:70 <<16→>>16); the actual surviving mutant was the MIDDLE-byte lane (1030:67 <<8→>>8). body_len = 384 = 0x000180 (middle byte 0x01 ≠ 0). Delivers 387 bytes (one short of a complete 384-body message). With correct <<8: body_len=384, 387 < 388 → incomplete, carry retained at 387. With >>8 mutant: body_len=128, 387 ≥ 132 → dispatched, carry drained. Assertions: server_hs_carry_len==387 AND parse_errors unchanged. All 12 mod f6_hardening tests GREEN; full suite passes (0 failures); clippy clean (manual_repeat_n fixed); fmt clean.
Owner
Author
Review Cycle 1 TriageBoth reviews returned APPROVE in cycle 1. Zero blocking findings. Convergence achieved.
Summary: 0 blocking findings. All CRITICAL/HIGH security gates clear. PR reviewer and security reviewer both APPROVE. Proceeding to CI gate. |
6 tasks
Zious11
added a commit
that referenced
this pull request
Jul 1, 2026
…#346) chore(deps): bump anyhow 1.0.102 → 1.0.103 (clears RUSTSEC-2026-0190) **Epic:** N/A — standalone security advisory clearance **Mode:** maintenance (dep-bump variant) **Convergence:** N/A — Cargo.lock-only change    Bumps `anyhow` from 1.0.102 to 1.0.103 to clear the unsoundness advisory RUSTSEC-2026-0190 (anyhow ≤ 1.0.102). The change is Cargo.lock-only — the existing `anyhow = "1"` SemVer constraint in Cargo.toml already admits 1.0.103, so no manifest edit is required. All CI gates (build, test, clippy, fmt, cargo deny, cargo audit) are green on the feature branch. --- ## Architecture Changes ```mermaid graph TD CargoLock["Cargo.lock"] -->|version bump| Anyhow["anyhow 1.0.102 → 1.0.103"] style Anyhow fill:#90EE90 ``` **ADR:** None required — minor patch version bump within existing `anyhow = "1"` SemVer constraint. No API surface change. No source file modifications. --- ## Story Dependencies ```mermaid graph LR ThisPR["chore/anyhow-rustsec-2026-0190\n this PR"] --> NoDeps["No downstream blockers"] style ThisPR fill:#FFD700 ``` No upstream story dependencies. This is an independent security advisory clearance decoupled from F6 PR #345. --- ## Spec Traceability N/A — This is a Cargo.lock-only dependency version bump. No behavioral contracts, acceptance criteria, or story spec apply. Traceability is entirely via the RUSTSEC advisory reference below. | Advisory | Affected Version | Fixed Version | Status | |----------|-----------------|---------------|--------| | RUSTSEC-2026-0190 | anyhow ≤ 1.0.102 | anyhow 1.0.103 | CLEARED | --- ## Test Evidence ### Coverage Summary | Check | Result | Notes | |-------|--------|-------| | `cargo build` | PASS | debug + release | | `cargo test --all-targets` | PASS | full suite | | `cargo clippy --all-targets -- -D warnings` | PASS | no new warnings | | `cargo fmt --check` | PASS | no format drift | | `cargo deny check advisories` | PASS | previously FAILED on RUSTSEC-2026-0190 | | `cargo audit` | PASS | 0 vulnerabilities, 193 deps scanned | ```mermaid graph LR Build["cargo build"] --> PassBuild["PASS"] Test["cargo test --all-targets"] --> PassTest["PASS"] Clippy["cargo clippy -D warnings"] --> PassClippy["PASS"] Fmt["cargo fmt --check"] --> PassFmt["PASS"] Deny["cargo deny check advisories"] --> PassDeny["PASS (was FAIL)"] Audit["cargo audit (193 deps)"] --> PassAudit["PASS 0 vulns"] style PassBuild fill:#90EE90 style PassTest fill:#90EE90 style PassClippy fill:#90EE90 style PassFmt fill:#90EE90 style PassDeny fill:#90EE90 style PassAudit fill:#90EE90 ``` **New tests:** 0 added (no source changes — test suite is unchanged) **Regressions:** 0 --- ## Holdout Evaluation N/A — evaluated at wave gate. Dep-bump does not require holdout evaluation. --- ## Adversarial Review N/A — evaluated at Phase 5. Dep-bump does not go through adversarial review pipeline. --- ## Security Review ```mermaid graph LR Critical["Critical: 0"] High["High: 0"] Medium["Medium: 0"] Low["Low: 0"] style Critical fill:#90EE90 style High fill:#90EE90 style Medium fill:#90EE90 style Low fill:#87CEEB ``` **Security advisory clearance:** This PR's *sole purpose* is security remediation. | Tool | Result | Detail | |------|--------|--------| | `cargo audit` | CLEAN | 0 vulnerabilities across 193 deps | | `cargo deny check advisories` | advisories ok | RUSTSEC-2026-0190 cleared | | SAST (Semgrep) | N/A | Cargo.lock-only change; no Rust source modified | | Dependency diff | 2 lines | version + checksum only (anyhow 1.0.102 → 1.0.103) | **RUSTSEC-2026-0190 (CWE-119/CWE-704, OWASP A06):** Unsoundness in `anyhow::Error::downcast_mut` in versions ≤ 1.0.102 — a safe-Rust caller can trigger undefined behaviour via invalid `&mut T` aliasing through the context chain. Fixed upstream in commit `6e8c000` (anyhow 1.0.103). No code-level changes required in this repository. Security reviewer verdict: **NO BLOCKING FINDINGS**. Diff confirmed Cargo.lock-only; new SHA-256 checksum structurally valid (64 hex chars). --- ## Risk Assessment & Deployment ### Blast Radius - **Systems affected:** None — `anyhow` is an error-handling utility; 1.0.103 is a pure bug-fix patch release with no API surface change. - **User impact:** No behavioral change at runtime; the fix eliminates a theoretical unsoundness in the library internals. - **Data impact:** None. - **Risk Level:** LOW ### Performance Impact No performance impact expected. anyhow 1.0.103 is a patch-level advisory fix with no algorithmic changes. ### Rollback ```bash # Revert is trivially safe — just re-lock to 1.0.102 git revert f5a7d6e git push origin develop ``` Note: rolling back reintroduces RUSTSEC-2026-0190. Preferred resolution is to keep 1.0.103. ### Feature Flags None — no feature flags involved. --- ## Traceability | Requirement | Verification | Status | |-------------|-------------|--------| | RUSTSEC-2026-0190 cleared | `cargo deny check advisories` → advisories ok | PASS | | No regressions introduced | `cargo test --all-targets` full suite | PASS | | No new Clippy warnings | `cargo clippy --all-targets -D warnings` | PASS | --- ## AI Pipeline Metadata ```yaml ai-generated: true pipeline-mode: maintenance (dep-bump variant) factory-version: "1.0.0" pipeline-stages: dep-bump-implementation: completed security-advisory-clearance: completed ci-validation: completed convergence-metrics: N/A models-used: coordinator: claude-sonnet-4-6 generated-at: "2026-06-30" ``` --- ## Pre-Merge Checklist - [x] All CI status checks passing (build, test, clippy, fmt, deny, audit, semantic-PR, action-pin-gate) - [x] Coverage delta neutral (Cargo.lock-only; no source change) - [x] No critical/high security findings unresolved (RUSTSEC-2026-0190 cleared) - [x] Rollback procedure validated (trivial single-commit revert) - [x] No feature flags required - [ ] Human merge authorization pending (autonomy classifier: human-authorize)
Zious11
added a commit
that referenced
this pull request
Jul 1, 2026
…ta convergence starting Phase transition: F6 targeted hardening → DONE. Cycle now entering F7. Facts recorded: - develop HEAD advanced 8b52046 → 52907bc (PRs #345+#346 merged 2026-07-01) - PR #345 squash d7f0ef4: 12 mutation-gap tests (mod f6_hardening), 100% real-gap kill rate — all 13 previously-surviving C2S/S2C symmetric theme mutants caught; 2 provably-equivalent survivors at tls.rs:950:59 documented - PR #346 squash 52907bc: anyhow 1.0.102→1.0.103, RUSTSEC-2026-0190 cleared, cargo deny advisories PASS - Kani VP-039: 3 non-vacuous proofs PASS (cursor OOB, no usize overflow, carry bounded) - Fuzz: 1.9M execs, 0 crashes Open items resolved: - F6-MUTATION-GAPS-001: RESOLVED (D-314) - RUSTSEC-2026-0190: RESOLVED (D-314) - SEC-002/SEC-006: closed-by-design (mod f6_hardening themes 1+2+6 pin behavior) New process-gap logged: - PG-MUTANTS-JOBS-001: cargo mutants --jobs 8 masks real survivors as timeouts D-314 added. Session Resume Checkpoint updated to F7 starting. F6 in-progress narrative archived to cycles/fix-tls-clienthello-frag/burst-log.md. STATE.md trimmed from 286 → 200 lines (size discipline maintained). No open worktrees.
This was referenced Jul 1, 2026
Merged
Zious11
added a commit
that referenced
this pull request
Jul 1, 2026
## Summary
Gitflow back-merge: syncs the v0.11.1 release-only fixups (Cargo.toml
version 0.11.0 → 0.11.1,
Cargo.lock own-package line, CHANGELOG.md `[0.11.1]` section) from the
v0.11.1 release back into
`develop`, per CLAUDE.md gitflow policy ("ensure develop contains those
commits after a release").
**No code changes.** The TLS reassembly fix, buffer-saturation
telemetry, formal hardening, and
anyhow bump are already on `develop` (PRs #341 / #343 / #344 / #345 /
#346). This PR carries only
the 3-file release delta that `develop` was missing after the
squash-merge into `main`.
This closes finding **B1** from the last release: `main` / `develop`
version divergence.
---
## What Changed
| File | Change |
|------|--------|
| `Cargo.toml` | `version` field: `"0.11.0"` → `"0.11.1"` |
| `Cargo.lock` | Own-package version line updated to match |
| `CHANGELOG.md` | `## [0.11.1] - 2026-07-01` section added (Fixed +
Added + Security entries for STORY-144/145/146 + anyhow bump) |
---
## Architecture Changes
```mermaid
graph TD
subgraph "v0.11.1 release (main @ e8a8a2d)"
M[main]
end
subgraph "develop (pre-backmerge @ 52907bc)"
D[develop — has all v0.11.1 code, missing version+changelog]
end
subgraph "chore/backmerge-v0.11.1 (HEAD 2f91829)"
BM[+Cargo.toml 0.11.1\n+Cargo.lock\n+CHANGELOG [0.11.1]]
end
M -->|release delta| BM
D -->|base| BM
BM -->|squash-merge| D2[develop — fully synced]
style BM fill:#90EE90
style D2 fill:#90EE90
```
---
## Story Dependencies
```mermaid
graph LR
PR341[PR #341 STORY-144 — merged] --> DEV[develop @ 52907bc]
PR343[PR #343 STORY-145 — merged] --> DEV
PR344[PR #344 STORY-146 — merged] --> DEV
PR345[PR #345 F6 hardening — merged] --> DEV
PR346[PR #346 anyhow — merged] --> DEV
DEV --> BM[chore/backmerge-v0.11.1]
BM -->|this PR| DEV2[develop — version+changelog synced]
style PR341 fill:#90EE90
style PR343 fill:#90EE90
style PR344 fill:#90EE90
style PR345 fill:#90EE90
style PR346 fill:#90EE90
```
No story spec. This is a gitflow maintenance operation, not a feature
delivery.
---
## Spec Traceability
N/A — this PR does not implement behavioral contracts. It carries the
version bump and CHANGELOG
entry that correspond to the already-merged BCs (BC-2.07.038–043), which
are fully traced in PRs
#341, #343, #344, #345, #346.
---
## Test Evidence
- 2232 tests pass on `develop` @ 52907bc (CI: test, clippy, fmt, audit,
deny, action-pin-gate all
green on the upstream commit).
- This PR adds no code — only `Cargo.toml` version string, `Cargo.lock`
version line, and
`CHANGELOG.md` documentation. No test changes required.
- Verification: `cargo check`, `cargo build --release`, `cargo test
--all-targets`, `cargo clippy`
all confirmed clean on the implementation commits already on `develop`.
---
## Demo Evidence
N/A — no behavioral changes. Demo evidence for each AC is already
present in
`docs/demo-evidence/STORY-144/`, `docs/demo-evidence/STORY-145/`, and
`docs/demo-evidence/STORY-146/` from the upstream PRs.
---
## Holdout Evaluation
N/A — evaluated at wave gate for STORY-144/145/146. This PR carries no
new behavior.
---
## Adversarial Review
N/A — evaluated at Phase 5 for STORY-144/145/146. Diff is 3 lines of
metadata.
---
## Security Review
No attack surface change. Diff is limited to:
1. `version = "0.11.1"` in Cargo.toml
2. Matching version line in Cargo.lock
3. CHANGELOG documentation text
```mermaid
graph LR
Critical["Critical: 0"]
High["High: 0"]
Medium["Medium: 0"]
Low["Low: 0"]
style Critical fill:#90EE90
style High fill:#90EE90
style Medium fill:#90EE90
style Low fill:#90EE90
```
---
## Risk Assessment
- **Blast radius:** Zero runtime impact. No compiled code changes —
version metadata and
documentation only.
- **Performance impact:** None.
- **Behavioral change:** None. Post-squash, `develop` will report
`version = "0.11.1"` in
`Cargo.toml`, matching `main` and the published crate tag `e8a8a2d`.
- **Rollback:** If this PR is reverted, `develop` returns to showing
`0.11.0` — no functional
consequence, but the version divergence finding B1 would reopen.
---
## AI Pipeline Metadata
- Pipeline mode: Gitflow back-merge (maintenance operation)
- Source: `chore/backmerge-v0.11.1` HEAD `2f91829`
- Base: `develop` @ `52907bc`
- Merge strategy: squash (required — `develop` has
`required_linear_history`)
- Release tag: `e8a8a2d` (v0.11.1 on `main`, GitHub Release published)
- Upstream PRs (all merged): #341, #343, #344, #345, #346
---
## Pre-Merge Checklist
- [x] Diff verified: exactly 3 files (Cargo.toml version, Cargo.lock
version line, CHANGELOG.md)
- [x] No code changes — version metadata + documentation only
- [x] All upstream feature PRs merged to develop (#341, #343, #344,
#345, #346)
- [x] `develop` CI confirmed green @ 52907bc (2232 tests, clippy, fmt,
audit, deny, pin-gate)
- [x] Branch pushed to remote: `chore/backmerge-v0.11.1` @ `2f91829`
- [x] PR title follows semantic PR convention: `chore: back-merge
v0.11.1 release into develop`
- [x] Base branch: `develop`
- [x] Merge strategy: squash (consistent with project convention +
required_linear_history)
- [ ] CI green on this PR (awaiting CI run)
- [ ] pr-reviewer approval
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
F6 Targeted Hardening: TLS Handshake-Message Reassembly
Phase: F6 (targeted hardening) — verification and test additions only
Cycle: fix-tls-clienthello-frag
Branch:
fix/f6-tls-hardeningBase:
develop@8b52046Severity: N/A — no bug fix; this is formal verification gap-closure
This PR closes the F6 targeted-hardening loop for the TLS handshake-message carry-reassembly
logic introduced in STORY-144 (ClientToServer) and STORY-145 (ServerToClient). Production logic
was frozen at F5 convergence and confirmed sound; this PR adds only verification artifacts and
mutation-gap tests. Zero production-code changes (
git diff origin/develop src/= 0 linesexcept
#[cfg(kani)]-gated proof code that the stable build never compiles).What This PR Delivers
graph TD A["fix/f6-tls-hardening<br/>5 commits"] --> B["d085db2<br/>Fuzz target<br/>fuzz_tls_reassembly.rs"] A --> C["07865cb<br/>Kani proofs<br/>kani_proofs_vp039"] A --> D["cd005f8<br/>fuzz Cargo.lock sync<br/>mutants ignore config"] A --> E["fabaf40<br/>11 mutation-gap tests<br/>mod f6_hardening"] A --> F["f284c09<br/>Theme-5 mid-byte fix<br/>+ clippy manual_repeat_n"] style B fill:#d4edda style C fill:#d4edda style D fill:#e8e8e8 style E fill:#d4edda style F fill:#d4eddaSpec Traceability
flowchart LR BC038["BC-2.07.038\nC2S carry-reassembly"] --> AC_step1["AC: Step-1 overflow guard\n(> not >=)"] BC039["BC-2.07.039\nC2S overflow counter"] --> AC_d4["AC: Decision-4\nbody_len spoof guard"] BC041["BC-2.07.041\nS2C carry-reassembly"] --> AC_shift["AC: mid-byte shift\n(<< 8 not >> 8)"] BC043["BC-2.07.043\nbuffer saturation drops"] --> AC_sat["AC: exact-fill\nno spurious drop"] VP039["VP-039\nKani carry-drain\nloop safety"] --> KH1["verify_drain_loop_cursor_safety"] VP039 --> KH2["verify_no_usize_overflow_on_advance"] VP039 --> KH3["verify_carry_bounded_after_append"] AC_step1 --> T1["Theme 1: exact-MAX_BUF accepted\n(2 tests C2S+S2C)"] AC_d4 --> T3["Theme 3: Decision-4\nbody_len guard\n(2 tests C2S+S2C)"] AC_shift --> T5["Theme 5: mid-byte shift\nleft not right\n(2 tests high+mid-byte)"] AC_sat --> T6["Theme 6: partial-trailing\ncarry retained\n(2 tests C2S+S2C)"] T1 & T3 & T5 & T6 --> Impl["tests/tls_analyzer_tests.rs\nmod f6_hardening (12 tests)"]Verification Evidence
Kani Formal Proofs (VP-039)
Three harnesses in
src/analyzer/tls.rs#[cfg(kani)] mod kani_proofs_vp039. Gated behind#[cfg(kani)]— the stable toolchain build never compiles this code. All proofs non-vacuous(DF-KANI-NONVACUITY-001 satisfied via
kani::cover!annotations).verify_drain_loop_cursor_safetyusizeunderflow oncarry.len() - consumed; drain rangeconsumed <= carry.len()always valid; loop terminates. Non-vacuous: dispatched≥1, iters≥2, Decision-4 path, partial trailing, full consumption all covered.#[kani::unwind(5)]verify_no_usize_overflow_on_advanceconsumed.checked_add(4 + body_len)never wraps for anyconsumed ≤ MAX_BUF,body_len ≤ MAX_BUF. Non-vacuous: advance both ≤ and > MAX_BUF reached.verify_carry_bounded_after_appendcarry_len_before + payload_lendoes not overflow; carry never exceedsMAX_BUFafter append. Non-vacuous: clear path, append-below-cap, and exact-MAX_BUF all covered.Aggregate: 3/3 harnesses VERIFICATION SUCCESSFUL, 0 failures, 0 counterexamples.
Fuzz Testing
New target
fuzz/fuzz_targets/fuzz_tls_reassembly.rsadded tofuzz/Cargo.toml.Exercises
TlsAnalyzer::on_data(both C2S and S2C),try_parse_records, andsummarize()onfully-arbitrary byte sequences sliced into variable-length segments, alternating direction to
force cross-segment carry reassembly. A panic / OOB / arithmetic-overflow / OOM anywhere is a
fuzz finding.
Verdict: PASS — 0 crashes in ~1.9M executions.
Run command:
cargo +nightly fuzz run fuzz_tls_reassembly -- -max_total_time=180 -rss_limit_mb=2048Mutation Testing (mod f6_hardening)
The F5 convergence mutation run identified 13 real-gap surviving mutants across 6 symmetric
C2S/S2C themes in
src/analyzer/tls.rs. All 13 were confirmed genuine (non-equivalent) bymanual mutation re-verification.
Post-F6-hardening result: 100% of real-gap mutants CAUGHT.
829:64/ S2C998:64>→>=falsely rejects exact-MAX_BUF filltest_BC_2_07_039_c2s_step1_exact_max_buf_accepted,test_BC_2_07_041_s2c_step1_exact_max_buf_accepted829:41/ S2C998:41test_BC_2_07_039_c2s_step1_additive_not_multiplicative,test_BC_2_07_041_s2c_step1_additive_not_multiplicative900:37/ S2C1036:37>boundarytest_BC_2_07_038_c2s_decision4_body_len_max_buf_not_spoof,test_BC_2_07_041_s2c_decision4_body_len_max_buf_not_spoof1079:59test_BC_2_07_041_s2c_parse_errors_inc_ok_non_server_hello_v13draft181029:70<< 16(correct) vs>> 16(mutant)test_BC_2_07_041_s2c_body_len_high_byte_shift_left_not_right1030:67<< 8(correct) vs>> 8(mutant)test_BC_2_07_041_s2c_body_len_mid_byte_shift_left_not_right911:38/ S2C1047:38test_BC_2_07_038_c2s_incomplete_body_partial_trailing_carry_retained,test_BC_2_07_041_s2c_incomplete_body_partial_trailing_carry_retained1155:43test_BC_2_07_043_s2c_exact_fill_no_drop2 provably-equivalent survivors remain at
tls.rs:950:59(C2SOk(non-ClientHello)arm).Documented as structurally unreachable: the
Okpath at that site can only return aClientHelloorErr; a non-ClientHelloOkis dead code. These are accepted; no gap.Methodology note:
cargo-mutantsmust run at--jobs 1or low concurrency on this suite.At
--jobs 8, load-induced timeouts mask survivors as ambiguous. Serial run is authoritative.Regression Suite
cargo test --all-targetsf6_hardening)cargo clippy --all-targets -- -D warningscargo fmt --checkSecurity Review
Result: APPROVE — security-reviewer completed full manual review of the PR diff.
CWE-400 (Uncontrolled Resource Consumption) is the primary risk for the TLS carry-reassembly
logic. This PR MITIGATES it: the three Kani proofs formally cover the Step-1 pre-append overflow
guard, the Decision-4 body_len-spoof guard, and the cursor-advance arithmetic. The fuzz harness
covers both C2S and S2C directions with the buffer-saturation tail-drop path. Production guards
at tls.rs:829/998 (Step-1) and tls.rs:900/1036 (Decision-4) remain unchanged and were formally
verified. Zero new attack surface — all additions are test/verification artifacts.
Advisory findings (non-blocking):
drain_loop_modelDecision-4 branch omitscarry.clear()and overflow counter increment — documentation gap only. Production safety is preserved; post-loop drain is guarded by!decision4_firedin both model and production.wrap_handshake_recordtest helper lacksdebug_assert!(len <= 0xFFFF). No current caller passes >65535 bytes; deferred as a future guard improvement.Risk Assessment
#[cfg(kani)]-gated (not compiled by stable); tests are CI-only; fuzz target is a separate crategit diff origin/develop src/analyzer/tls.rsshows only new#[cfg(kani)]-gated blockRollback:
git revert f284c09 fabaf40 07865cb d085db2if any test proves problematic.Demo Evidence
N/A — verification-only PR. No user-visible behavior changes. Demo recording not applicable.
Holdout Evaluation
N/A — evaluated at wave gate. No new behavioral contracts introduced.
Adversarial Review
N/A — evaluated at Phase 5. This PR is targeted gap-closure from F6 formal hardening output.
AI Pipeline Metadata
f284c09develop@8b52046Pre-Merge Checklist
#[cfg(kani)]-gated additions tosrc/analyzer/tls.rs)f6_hardeningtests named per factory conventioncargo test --all-targetsgreen on branch HEAD (2232 passed)cargo fmt --checkcleancargo clippy --all-targets -- -D warningsclean