fix(resource-graph,merger): match full (iface, rn) tuple in 4 sites (LS-A-17/18/19) (#156)

Four sites in meld-core either dropped the interface dimension of the
(component, interface, resource_name) tuple or used substring/suffix
matching where exact match was required. All led to silent cross-
resource confusion or wrong-handle-table routing with no host trap.

LS-A-17a — resource_graph.rs definer purge (lines 279-308). The
cleanup filter ignored the iface when removing defines_cache entries.
A component importing `[resource-rep]X` from interface I_x AND defining
its own `[resource-rep]X` in unrelated interface I_y lost the
(comp, I_y, X) definer entry.

LS-A-17b — resource_graph.rs terminal-exporter pass (lines 242-264).
`to_also_imports_resource` checked any iface, mis-classifying a
definer as a re-exporter when the consumer imported any unrelated
resource interface (e.g. wasi:io/poll).

LS-A-18 — resource_graph.rs first pass (~lines 124-172) only stripped
`[resource-rep]` and `[resource-new]` prefixes. A re-exporter that
imports `[resource-drop]Y` for a foreign resource Y never registered
Y in the graph; the drop call then routed to the first matching
handle-table fallback (LS-A-15 family), invoking a foreign dtor on a
foreign rep.

LS-A-19 — merger.rs::add_unresolved_imports dedup-skip path used
`imp.name.ends_with(rn)`. Two distinct resources sharing a suffix
(`float` / `bigfloat`) collided into the same tracking entry.

Fixes:
- definer purge: filter by (idx == from_comp && iface == ri && r == rn)
- terminal exporter: scope to_also_imports check to the iface under
  attribution (and [export]-prefixed variants)
- first-pass: extracted ResourcePrefixKind enum; handle Drop arm as
  ImportsFrom edge (matches second pass)
- merger dedup: exact-match against format!("[resource-{rep,new}]{rn}")

Tests (3 new):
- ls_a_17_definer_survives_unrelated_import_with_same_resource_name
- ls_a_17_terminal_definer_with_unrelated_resource_import
- ls_a_18_drop_on_foreign_resource_registers_node_for_reexporter

LS-A-17/18/19 added to safety/stpa/loss-scenarios.yaml. Discovered by
the post-v0.8.0 Mythos delta-pass sweep on resource_graph.rs and
merger.rs.

Refs: LS-A-17, LS-A-18 (UCA-F-2, H-1, H-3), LS-A-19 (UCA-M-9, H-1, H-10)

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: avrabe

CHANGELOG.md

@@ -6,6 +6,28 @@ All notable changes to this project will be documented in this file.
 
 ### Fixed
 
+- **Resource graph + merger key-matching bugs** (LS-A-17, LS-A-18, LS-A-19;
+  UCA-F-2 / UCA-M-9). Four sites in `meld-core` either dropped the
+  interface dimension of `(component, interface, resource_name)` tuples
+  or used substring/suffix matching where exact match was required:
+  - `resource_graph.rs` definer purge ignored the iface when removing
+    defines_cache entries, purging legitimate definers when an
+    unrelated component imported a resource sharing the name.
+  - `resource_graph.rs` terminal-exporter pass used over-broad
+    `to_also_imports_resource` check that classified a component as a
+    re-exporter if any of its imports carried any resource interface.
+  - `resource_graph.rs` only registered resource nodes for
+    `[resource-drop]X` imports on pure-consumer components; re-exporters
+    that dropped a foreign resource had their drop calls invisible to
+    the graph.
+  - `merger.rs::add_unresolved_imports` dedup-skip path matched
+    `imp.name.ends_with(rn)`, so two resources sharing a suffix (e.g.
+    `float` / `bigfloat`) collided into the same tracking entry.
+  All four led to silent cross-resource confusion or wrong-handle-table
+  routing with no host trap. Fixes scope each comparison to the full
+  `(comp, iface, rn)` tuple or use exact-match against the full
+  `[resource-{rep,new,drop}]<name>` import string.
+
 - **HashMap iteration non-determinism in resource / realloc fallbacks**
   (LS-A-15, UCA-M-10, H-7 / H-3 / H-4.3). Three sites resolved
   cross-component routing via `HashMap::iter().find(...)`, which picks

meld-core/src/merger.rs

@@ -2144,26 +2144,36 @@ impl Merger {
                         // Still record per-component resource tracking: find the
                         // func index already assigned to this resource name.
                         let eff_field = &dedup_key.1;
+                        // Exact-match the full `[resource-{rep,new}]<name>`
+                        // import name. The prior `ends_with(rn)` matched any
+                        // resource whose name had `rn` as a suffix (e.g.
+                        // `rn = "float"` collided with both
+                        // `[resource-rep]float` and `[resource-rep]bigfloat`),
+                        // letting `resource_rep_by_component` track the
+                        // wrong import for the wrong-suffix collision — silent
+                        // cross-resource confusion (LS-A-19).
                         if let Some(rn) = eff_field.strip_prefix("[resource-rep]") {
+                            let expected = format!("[resource-rep]{rn}");
                             if let Some(&idx) =
                                 merged.resource_rep_by_component.values().find(|&&idx| {
-                                    merged.imports.get(idx as usize).is_some_and(|imp| {
-                                        imp.name.starts_with("[resource-rep]")
-                                            && imp.name.ends_with(rn)
-                                    })
+                                    merged
+                                        .imports
+                                        .get(idx as usize)
+                                        .is_some_and(|imp| imp.name == expected)
                                 })
                             {
                                 merged
                                     .resource_rep_by_component
                                     .insert((unresolved.component_idx, rn.to_string()), idx);
                             }
                         } else if let Some(rn) = eff_field.strip_prefix("[resource-new]") {
+                            let expected = format!("[resource-new]{rn}");
                             if let Some(&idx) =
                                 merged.resource_new_by_component.values().find(|&&idx| {
-                                    merged.imports.get(idx as usize).is_some_and(|imp| {
-                                        imp.name.starts_with("[resource-new]")
-                                            && imp.name.ends_with(rn)
-                                    })
+                                    merged
+                                        .imports
+                                        .get(idx as usize)
+                                        .is_some_and(|imp| imp.name == expected)
                                 })
                             {
                                 merged