Commit 50dbeeb
fix(encryption): PR782 r3 codex P2 — narrow IsEncryptionRelevantOpcode to exclude OpRegistration
PR #782 round-3 codex P2 finding (Exclude registration opcode
from sidecar gap predicate).
## codex r3 P2 — IsEncryptionRelevantOpcode false positive on registration
The previous predicate range [OpEncryptionMin, OpEncryptionMax]
included OpRegistration (0x03). But ApplyRegistration in
applier.go only mutates writer-registry rows via SetRegistryRow;
it NEVER calls WriteSidecar. So a gap containing OpRegistration
entries does not actually need to refuse — the sidecar IS
consistent because the sidecar's raft_applied_index is not
advanced by registration applies (only WriteSidecar moves it).
The design's §5.5 enumeration agrees: the listed sidecar-relevant
opcodes are `rotate-dek`, `rewrap-deks`, `bootstrap-encryption`,
`enable-storage-envelope`, `enable-raft-envelope`, `retire-dek`
— notably NOT `register-writer`. The predicate range was wrong.
Concrete impact of the bug: every restart after the first
RegisterEncryptionWriter would fire ErrSidecarBehindRaftLog and
refuse to boot, because:
- registration entries bump engine.AppliedIndex but not
sidecar.RaftAppliedIndex
- the gap therefore exists and contains OpRegistration
- the previous predicate classified that as relevant
- the guard would fire → cluster boot loop
Fix: narrow the range to [OpBootstrap, OpEncryptionMax] =
[0x04, 0x07]. OpRegistration (0x03) is explicitly excluded with
a clear IMPORTANT block in the godoc explaining why and pointing
at ApplyRegistration as the authoritative reference.
## Semantic change — caller audit
IsEncryptionRelevantOpcode's return value changes for opcode=0x03
(true → false). Per the cron directive, audited all callers:
- audit.go (definition, updated)
- audit_test.go (tests, updated to assert the new behavior:
OpRegistration explicitly classified NOT relevant)
- errors.go (docstring on ErrSidecarBehindRaftLog updated to
reflect the narrowed range AND explicitly note that 0x03
OpRegistration is excluded)
No production caller exists yet (the predicate is consumed by
GuardSidecarBehindRaftLog whose only caller is 6C-2c, not yet
landed). The 6C-2c scanner author will see the corrected
predicate from day one.
## Verification
- go test -race -timeout=60s ./internal/encryption/... — PASS
(including the new TestIsEncryptionRelevantOpcode_KnownRanges
sub-test "OpRegistration_0x03_NOT_relevant" that pins the
exclusion explicitly)
- golangci-lint run ./internal/encryption/... — 0 issues
## Test additions
- TestIsEncryptionRelevantOpcode_AllRangeMembers now asserts
OpRegistration is NOT relevant before iterating the
sidecar-mutating range.
- TestIsEncryptionRelevantOpcode_KnownRanges adds a dedicated
"OpRegistration_0x03_NOT_relevant" sub-test for grep-able
regression anchoring.

1 parent 8945b77 commit 50dbeeb
3 files changed
Lines changed: 83 additions & 31 deletions
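Added illustration of the predicate change described in the commit message (not code from the repository): the old range-based predicate beside the narrowed one, and a constructed restart scenario where a registration entry has advanced the engine's applied index but not the sidecar's. OpEncryptionMin = 0x03, the Entry type and the guard's signature are assumptions; only the 0x03/0x04/0x07 values and the names OpRegistration, OpBootstrap, OpEncryptionMax, GuardSidecarBehindRaftLog and ErrSidecarBehindRaftLog come from the page.

```go
package main

import (
	"errors"
	"fmt"
)

// Opcode values from the commit message. OpEncryptionMin = 0x03 is assumed
// (the old range [OpEncryptionMin, OpEncryptionMax] included 0x03).
const (
	OpEncryptionMin uint8 = 0x03 // assumed lower bound of the old, too-wide range
	OpRegistration  uint8 = 0x03 // register-writer: touches the registry only
	OpBootstrap     uint8 = 0x04 // first opcode whose applier calls WriteSidecar
	OpEncryptionMax uint8 = 0x07 // last sidecar-mutating opcode
)

var ErrSidecarBehindRaftLog = errors.New("encryption: sidecar behind raft log")

// Entry is a constructed stand-in for one raft log entry.
type Entry struct {
	Index  uint64
	Opcode uint8
}

// isRelevantOld is the pre-fix predicate: it wrongly counts OpRegistration.
func isRelevantOld(op uint8) bool { return op >= OpEncryptionMin && op <= OpEncryptionMax }

// IsEncryptionRelevantOpcode is the narrowed predicate: only opcodes that
// move the sidecar's raft_applied_index are relevant to the gap check.
func IsEncryptionRelevantOpcode(op uint8) bool { return op >= OpBootstrap && op <= OpEncryptionMax }

// GuardSidecarBehindRaftLog refuses only if some entry in the gap
// (sidecarApplied, engineApplied] should have been recorded by the sidecar.
func GuardSidecarBehindRaftLog(engineApplied, sidecarApplied uint64, log []Entry, relevant func(uint8) bool) error {
	for _, e := range log {
		if e.Index > sidecarApplied && e.Index <= engineApplied && relevant(e.Opcode) {
			return ErrSidecarBehindRaftLog
		}
	}
	return nil
}

// RestartAfterRegistration models the bug: a registration entry bumped the
// engine to index 11 while the sidecar legitimately stayed at 10.
func RestartAfterRegistration(relevant func(uint8) bool) error {
	log := []Entry{{Index: 10, Opcode: OpBootstrap}, {Index: 11, Opcode: OpRegistration}}
	return GuardSidecarBehindRaftLog(11, 10, log, relevant)
}

func main() {
	fmt.Println("old predicate:", RestartAfterRegistration(isRelevantOld))          // refuses (boot loop)
	fmt.Println("new predicate:", RestartAfterRegistration(IsEncryptionRelevantOpcode)) // <nil>
}
```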