ci: Fix CodeQL build failure caused by ASan conflict#8
Merged
Conversation
Debug build enables ASan (-fsanitize=address), which crashes when protoc runs during protobuf code generation — ASan runtime conflicts with CodeQL's own instrumentation. Switch to Release since CodeQL does its own analysis and doesn't need sanitizers. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
scc-tw added a commit that referenced this pull request on Apr 19, 2026:
Lands the capability/evidence/appraisal surface doc 14 defines and
wires it into vm_stub_entry so registry entries with a non-zero
provider_requirement_hash now run the full evaluate_policy_requirement
gate instead of the interim zero-hash short-circuit installed during
Stage 8.
Provider surface (runtime/include/provider.hpp)
- TrustProvider abstract interface with get_capabilities() /
attest_runtime() / bind_artifact() entry points per doc 14 §3.
- CapabilityStatement, ProviderEvidence, PolicyRequirement,
ProviderResult, VerifiedArtifactContext structs carry exactly the
fields doc 14 §4–§7 pin; no "tier" / "provider-class string"
leaks into the public surface.
- ProviderError enum is limited to the 5 public codes doc 14 §9.1
authorises so tier / family / provider identity cannot reach
unauthenticated callers.
Baseline provider (runtime/src/provider/local_embedded.cpp)
- LocalEmbeddedProvider declares ProviderClass::LocalEmbedded,
hardware_bound=false, non_exportable_key=false, freshness=None,
attestation=None, recovery=self-service, supported_policy_floors=
{Debug, Standard}. Producers that require highsec / hardware /
remote-attestation are rejected by evaluate_policy_requirement()
before any evidence exchange.
- appraise() implements doc 14 §11's evidence-binding rule:
evidence.package_binding_record_hash /
resolved_profile_table_hash / policy_requirement_hash must match
the VerifiedArtifactContext the gate verified independently.
Evidence claiming a provider class different from the
capability's class is rejected so a local_embedded instance
cannot masquerade as local_tpm (doc 10 §4).
- PolicyRequirement canonicalises to a fixed little-endian layout
and hashes under VMPilot::DomainLabels::Hash::PolicyRequirement.
The hash is what
RuntimeSpecializationRegistry.entries[].provider_requirement_hash
commits to, so the runtime reconstructs the requirement from UBR +
registry context at dispatch time and rejects any divergence from
the registry-committed hash.
vm_stub_entry integration
- non-zero provider_requirement_hash now:
· derives PolicyRequirement from UBR.requested_policy_id +
family_id,
· checks derived hash == entry.provider_requirement_hash (any
drift = fail_closed()),
· builds VerifiedArtifactContext from the already-verified PBR
canonical bytes + resolved_profile_table_hash,
· calls evaluate_policy_requirement on the installed provider,
· accepts only ProviderStatus::Satisfied; any other status or
any evidence binding failure collapses to fail_closed().
- Default installation uses the built-in LocalEmbeddedProvider;
install_provider_for_testing() lets tests inject alternates
without touching the singleton getter.
Tests (runtime/test/integration/test_provider_local.cpp)
- 11 cases exercising doc 14 §10's required behaviours:
capability shape, highsec rejection (#1), minimal satisfaction
path (#2), cloud-evidence-as-local rejection / provider_class
claim mismatch (#3), evidence bound to mismatched package hash
(#8), disallowed provider class in allowed_provider_classes, and
provider-swap-does-not-change-UBR-verification (#5).
- policy_requirement_hash determinism + domain-separation test
locks the canonical serializer in place so registry producers
and the runtime agree bit-for-bit on requirement commitments.
All 87 previously-green runtime integration tests remain green.
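As an added illustration of the dispatch gate the commit message above describes (this is not the project's code: the struct fields, the "VMPilot/Hash/PolicyRequirement" label string, the FNV-1a stand-in for the project's hash, and the enum values are all assumptions made for the sketch), the following C++ canonicalises a requirement to a fixed little-endian layout, hashes it under a domain label, and runs the checks in the order the message lists: the derived hash must equal the registry-committed hash, the capability must support the requested floor, and the evidence must bind to the independently verified context and claim the capability's own provider class. Any miss returns false, which stands for the fail_closed() path.

```cpp
// Added example, not project code. Field names, layout, label string and the
// FNV-1a hash are assumptions standing in for the real provider surface.
#include <cstdint>
#include <string>
#include <vector>

enum class PolicyFloor : uint8_t { Debug = 0, Standard = 1, HighSec = 2 };
enum class ProviderClass : uint8_t { LocalEmbedded = 0, LocalTpm = 1, Cloud = 2 };
enum class ProviderStatus { Satisfied, Unsupported, BindingMismatch };

// Requirement reconstructed from UBR.requested_policy_id + family_id (assumed shape).
struct PolicyRequirement {
    uint32_t policy_id;
    uint32_t family_id;
    PolicyFloor floor;
    bool require_hardware_bound;
};

struct CapabilityStatement {
    ProviderClass provider_class;
    bool hardware_bound;
    std::vector<PolicyFloor> supported_policy_floors;
};

// Context the gate verified on its own before talking to the provider.
struct VerifiedArtifactContext {
    uint64_t package_binding_record_hash;
    uint64_t resolved_profile_table_hash;
    uint64_t policy_requirement_hash;
};

// Evidence the provider returns; it must bind to the context above.
struct ProviderEvidence {
    ProviderClass claimed_class;
    uint64_t package_binding_record_hash;
    uint64_t resolved_profile_table_hash;
    uint64_t policy_requirement_hash;
};

// Fixed little-endian layout (4 + 4 + 1 + 1 bytes): no padding, no host-endian leak,
// so a producer and the runtime agree bit-for-bit on what gets hashed.
std::vector<uint8_t> canonical_bytes(const PolicyRequirement& r) {
    std::vector<uint8_t> out;
    auto put_le32 = [&](uint32_t v) {
        for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(v >> (8 * i)));
    };
    put_le32(r.policy_id);
    put_le32(r.family_id);
    out.push_back(static_cast<uint8_t>(r.floor));
    out.push_back(r.require_hardware_bound ? 1 : 0);
    return out;
}

// Domain-separated hash: FNV-1a over label || 0x00 || bytes. A toy stand-in only;
// the separator keeps label and payload from sliding into each other.
uint64_t domain_hash(const std::string& label, const std::vector<uint8_t>& bytes) {
    uint64_t h = 1469598103934665603ULL;
    auto mix = [&](uint8_t b) { h ^= b; h *= 1099511628211ULL; };
    for (unsigned char c : label) mix(c);
    mix(0);
    for (uint8_t b : bytes) mix(b);
    return h;
}

uint64_t policy_requirement_hash(const PolicyRequirement& r) {
    return domain_hash("VMPilot/Hash/PolicyRequirement", canonical_bytes(r));  // label assumed
}

// Capability check runs before any evidence exchange: a provider that cannot meet
// the floor (e.g. highsec on local_embedded) is rejected without being consulted.
ProviderStatus evaluate_policy_requirement(const CapabilityStatement& cap, const PolicyRequirement& r) {
    if (r.require_hardware_bound && !cap.hardware_bound) return ProviderStatus::Unsupported;
    for (PolicyFloor f : cap.supported_policy_floors)
        if (f == r.floor) return ProviderStatus::Satisfied;
    return ProviderStatus::Unsupported;
}

// Evidence-binding rule: every binding hash must match the verified context, and the
// claimed class must be the capability's own so one class cannot masquerade as another.
ProviderStatus appraise(const CapabilityStatement& cap, const ProviderEvidence& ev,
                        const VerifiedArtifactContext& ctx) {
    if (ev.claimed_class != cap.provider_class) return ProviderStatus::BindingMismatch;
    if (ev.package_binding_record_hash != ctx.package_binding_record_hash ||
        ev.resolved_profile_table_hash != ctx.resolved_profile_table_hash ||
        ev.policy_requirement_hash != ctx.policy_requirement_hash)
        return ProviderStatus::BindingMismatch;
    return ProviderStatus::Satisfied;
}

// The gate for an entry with a non-zero provider_requirement_hash. true = Satisfied;
// false = fail closed. Nothing else is reported to the caller.
bool gate_dispatch(const PolicyRequirement& derived, uint64_t registry_hash,
                   const CapabilityStatement& cap, const ProviderEvidence& ev,
                   const VerifiedArtifactContext& ctx) {
    const uint64_t h = policy_requirement_hash(derived);
    if (h != registry_hash) return false;                // drift from registry commitment
    if (ctx.policy_requirement_hash != h) return false;  // context must carry the same commitment
    if (evaluate_policy_requirement(cap, derived) != ProviderStatus::Satisfied) return false;
    if (appraise(cap, ev, ctx) != ProviderStatus::Satisfied) return false;
    return true;
}

// Baseline capability as the commit message lists it for LocalEmbeddedProvider.
CapabilityStatement local_embedded_capability() {
    return {ProviderClass::LocalEmbedded, false, {PolicyFloor::Debug, PolicyFloor::Standard}};
}
```

Two design points worth noting: the gate compares the reconstructed hash against both the registry entry and the verified context, so a tampered registry entry and a tampered context are each caught independently; and the public result is a single bool, mirroring the message's point that tier, family and provider identity never reach unauthenticated callers.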
Summary
- CodeQL builds in Debug, which enables ASan (-fsanitize=address)
- When protoc executes to generate .pb.cc files, the ASan runtime conflicts with CodeQL's instrumentation, crashing the build
- Switch to Release — CodeQL has its own analysis and doesn't need sanitizers
Test plan
🤖 Generated with Claude Code