Summary

PR-8 hardens the AWS IoT provisioning surface: pins the Amazon Root CA1 SHA-256, replaces the wildcard iot:Receive/Subscribe resources in both robot and operator policies with per-Thing scoped resources, validates Thing names against a strict alphanumeric subset before any AWS or filesystem call, and adds a per-socket-timed CA download path that avoids socket.setdefaulttimeout global mutation. The CameraOffloader default presigned-URL TTL drops from 3600s to 60s with a 1-hour cap.

The security story is mostly solid and well-tested (CA pin verification, on-disk re-use raw-checks the pin even under break-glass, O_NOFOLLOW on both read paths, scoped Receive policy regression-pinned). However, two of the four bullets in the PR description do not match what the diff actually does, which is the dominant reviewable concern.

What's good

• CA pinning with break-glass-doesn't-apply-to-on-disk semantics is the right design and is regression-tested.
• _THING_NAME_RE rationale (strict subset of AWS's charset due to NTFS / classic Mac : semantics) is well-documented in both the regex comment and the user-facing provision_robot docstring.
• Scoped-Receive replacement is regression-pinned in test_iot_policy_scope.py so a future refactor that re-introduces topic/strands/* fails loudly.
• _download_with_per_socket_timeout correctly avoids socket.setdefaulttimeout global mutation — a non-obvious but correct improvement.
• 64 KiB body cap on the CA download defeats captive-portal-returns-multi-MB-HTML DoS.
• Symlink-refusal on verify_ca_pin closes the asymmetric gap with _ensure_ca.

Concerns

• PR description claims do not match the diff. Two bullets in the description are unsupported by code in this branch:
  1. "camera_offload.py — privacy kill-switch (STRANDS_MESH_CAMERA_OFFLOAD_DISABLE)" — no code in strands_robots/ reads STRANDS_MESH_CAMERA_OFFLOAD_DISABLE or STRANDS_MESH_CAMERA_DISABLED. The kill-switch tests pass for incidental reasons (see inline). If the kill-switch lands in a sibling PR, say so; otherwise this needs adding.
  2. "ACL on S3 PutObject path" — s3.put_object(...) in camera_offload.py:131-136 is unchanged and passes no ACL= kwarg. If bucket policy / ownership controls satisfy the threat model, drop the bullet; if PutObject ACL was intended, it's missing.
• Reformat noise in __init__.py. Lines 5-7 / 23 / 30 collapse aligned columns to single-spaced text — unrelated to the PR's stated scope. Either keep the original alignment or call it out as deliberate cleanup; right now it just adds diff noise.
• CA pin rotation operationally fragile. The pin tuple is hard-coded with one entry; the comment says rotation "ships as a code change" plus optional STRANDS_MESH_CA_PINS env var. Worth a follow-up issue to either auto-fetch from a signed manifest or document the runbook so on-call doesn't have to re-derive the recompute command at 3 AM.

Verification suggestions

# Confirm no production reader for the advertised kill-switch env var
rg -n 'STRANDS_MESH_CAMERA_(OFFLOAD_)?DISABLED' strands_robots/

# Confirm scoped-Receive really replaces the wildcard everywhere
python -c 'from strands_robots.mesh.iot.provision import _ROBOT_POLICY_DOC, _OPERATOR_POLICY_DOC; import json; print(json.dumps([_ROBOT_POLICY_DOC, _OPERATOR_POLICY_DOC], indent=2))' | rg ':topic/strands/\*'

# Round-trip the CA pin against the canonical URL
python -c "import hashlib, urllib.request as u; print(hashlib.sha256(u.urlopen('https://www.amazontrust.com/repository/AmazonRootCA1.pem').read()).hexdigest())"
# Should match strands_robots.mesh.iot.provision._AMAZON_ROOT_CA1_PINS[0]

hatch run test tests/mesh/test_iot_ca_pin.py tests/mesh/test_iot_policy_scope.py tests/mesh/test_iot_provision.py -v

Summary

This slice tightens the IoT path along the four advertised axes — Amazon Root CA1 SHA-256 pinning (with a per-socket-timeout download path that avoids socket.setdefaulttimeout mutation), a strict ^[a-zA-Z0-9_-]{1,128}$ thing-name regex, removal of iot:Receive wildcards from both robot and operator policies, and a 60s default presigned-URL TTL with a 1-hour ceiling and an explicit-0 regression guard. Implementation matches the description, the R2 scope correction is honest about what was deferred to #249, and the CA-pin / policy-scope logic is well-commented.

The blocker I want to flag is on the camera_offload.py change: the diff replaces transport.put(...) with mesh.publish(...), but Mesh has no publish method (grep -n 'def publish' strands_robots/mesh/core.py returns only publish_step). At runtime this will raise AttributeError, which the surrounding except Exception swallows to a logger.debug, so /ref publishing silently no-ops in production. The test suite passes because every test backs mesh with a MagicMock, and MagicMock().publish(...) works by construction — exactly the false-reassurance pattern the AGENTS.md > Review Learnings (#85) > 'Test import paths must match production' / 'Round-trip tests' rules are designed to surface. That is the one finding that I think must land before merge.

The other inline notes are smaller (asymmetric teardown_thing validation, partial-read in the on-disk CA hash check, and stale comment leftovers) and can be folded into the same fix-up commit.

What's good

• CA pinning design is solid: TUPLE of accepted pins so a rotation can ship in two steps, additive STRANDS_MESH_CA_PINS env var with a _PIN_RE allowlist, body-size cap before hashing, O_NOFOLLOW on the on-disk re-use path, asymmetric break-glass that only applies to download (not on-disk re-use). The verify_ca_pin public helper deliberately ignoring STRANDS_MESH_DISABLE_CA_PIN is the right call for forensic scripts.
• The per-socket-timeout opener (_TimedHTTPSHandler) is a clean alternative to socket.setdefaulttimeout and the comment block explains exactly why the global mutation was wrong.
• IoT policy scope tightening: AllowReceiveScoped enumerates only the topics the robot actually subscribes to (own /cmd, own /response/*, broadcast, safety/estop, +/presence) and OperatorObserveFleet drops the strands/* wildcard. The new test_iot_policy_scope.py also pins regression-style assertions for both.
• The presign-TTL R1 fix (presign_ttl=0 no longer falsy-collapses to env default) has a dedicated 6-case pin test (test_presign_ttl_none_vs_zero.py).
• The R2 changelog is unusually candid about what was promised vs. delivered, including the call-out that the prior kill-switch tests passed for incidental reasons. That's exactly the discipline AGENTS.md asks for.

Concerns

• Test-vs-production drift on the cameras path (see inline). MagicMock masks a missing method on a real Mesh. A proper integration-style test should construct a real Mesh (or a thin protocol-typed fake) and assert that enable_for_mesh does not silently regress /ref publishing.
• teardown_thing is unvalidated (see inline). The new _validate_thing_name is applied to provision_robot and provision_operator but not to the public teardown_thing, which still calls DEFAULT_CERT_DIR / f"{thing_name}.cert.pem". Asymmetric defence.
• Hunk volume vs. PR title. The slice advertises four security fixes but the diff also lands a non-trivial unicode-cleanup pass (… → ..., → → ->, ≤ → <=) in docstrings across provision.py, shadow.py, and __init__.py. Per AGENTS.md these are consistent with the no-emojis-in-user-facing-strings rule, but they obscure the security-critical hunks during review. Consider splitting cosmetic-only hunks into their own PR in the future.
• Stale leftovers in tests/mesh/test_iot_ca_pin.py — the strings "the prior fix-2" (line 153) and "_ensure_ca's the prior fix defence was the actual gap" (line 137) read like editor leftovers from a prior round; they make it harder to grep the test file for the actual concerns being pinned.

Verification suggestions

# Confirm the cameras-path bug. Spin up a tiny smoke that uses a real
# Mesh (no MagicMock) and asserts the /ref publish path actually fires:
python -c '
from unittest.mock import MagicMock, patch
from strands_robots.mesh import Mesh
m = Mesh.__new__(Mesh)
m.peer_id = "smoke"
print("has publish?", hasattr(m, "publish"))
'

# Confirm teardown path traversal:
python -c '
from strands_robots.mesh.iot.provision import _validate_thing_name, teardown_thing
import inspect
src = inspect.getsource(teardown_thing)
print("validates?", "_validate_thing_name" in src)
'

# Confirm CA download size-cap is enforced even with the break-glass set:
STRANDS_MESH_DISABLE_CA_PIN=true pytest tests/mesh/test_iot_ca_pin.py -k oversized -v

Summary

PR #228 hardens the AWS IoT provisioning surface: pins the Amazon Root CA1 SHA-256 (with optional additive operator pins via STRANDS_MESH_CA_PINS), narrows the IoT policies' Receive scope away from strands/* wildcards, adds a strict subset thing-name regex (^[a-zA-Z0-9_-]{1,128}$) applied symmetrically to provision_robot / provision_operator / teardown_thing, replaces the process-global socket.setdefaulttimeout with a per-socket HTTPSHandler, caps the CA download body size, and shortens the camera presigned-URL TTL from 1 hour to 60 s with a fixed presign_ttl=0 falsy bug. The diff also reverts an erroneous mesh.publish(...) call back to transport.put(...) and adds round-trip pin tests for each fix.

The scope discipline is good — the kill-switch and S3 ACL items the original description claimed but didn't implement were correctly demoted to follow-up #249 in R2 rather than rushed in.

What's good

• Pin-test discipline. Every reviewed fix has a dedicated regression test (test_iot_ca_pin.py, test_presign_ttl_none_vs_zero.py, test_teardown_thing_validation.py, test_iot_policy_scope.py). Per AGENTS.md > Review Learnings (#85) > "Pin regression tests for reviewed fixes".
• CA-pin posture is layered correctly. verify_ca_pin deliberately ignores STRANDS_MESH_DISABLE_CA_PIN while _verify_ca_bytes honours it on the download path; symlink rejection (O_NOFOLLOW + explicit is_symlink()) closes the TOCTOU window, and the on-disk re-use path always raw-checks regardless of break-glass.
• Per-socket timeout via custom HTTPSHandler instead of socket.setdefaulttimeout avoids the documented process-global mutation hazard.
• Policy scope tests pin against regression to strands/* wildcard — a future re-broaden will fail the test loudly rather than silently re-leak fleet traffic.
• presign_ttl=0 vs None semantics fixed and pinned with the canonical 6-case test matrix.

Concerns

• teardown_thing cert-file cleanup is bound to DEFAULT_CERT_DIR while provision_robot / provision_operator accept a cert_dir= kwarg — see inline. Users who provisioned with a custom cert_dir will silently leak .cert.pem / .private.key files on teardown. The whole point of adding _validate_thing_name to teardown_thing (R3) was filesystem safety in the cert-cleanup paths, but the symmetry with provision is incomplete.
• Misleading comment on the IoT-side /ref publish (camera_offload.py:271) references a "Zenoh ACL" gate, but this code path runs only when the backend is iot or bridge — the actual gate is the IoT Policy's AllowOwnTopics scope. Per AGENTS.md > Review Learnings (#86) > "Match docstrings to semantics".
• _AMAZON_ROOT_CA1_PINS rotation story is documented but not test-covered. A change adding a second pin while keeping the first one is the canonical CA-rotation rollout; there's no test asserting that two pinned hashes both verify. Consider a regression test that adds a fake second pin via monkeypatch and confirms both hashes pass _hash_matches_pin.
• R4 short-read asymmetry deferred to #251 is acceptable per the round-budget rationale, but the comment block on _ensure_ca (lines 690-697) doesn't reference #251 — a future maintainer touching the single os.read will not know there's an open issue tracking the loop fix. Consider a one-line # tracked: #251 (chunked-read parity with verify_ca_pin).
• Test-side numpy import at module top in test_iot_camera_offload.py (added in this diff) is now unconditional even though the previous file structure imported numpy only inside the test that needed it. If a CI config runs this file without numpy installed, it'll skip the whole module via collection error rather than the targeted tests. Low priority; flagging because the rest of the test surface is careful.

Verification suggestions

# Reproduce the cert_dir orphan: provision with custom dir, teardown, list orphans.
mkdir -p /tmp/strands-orphan-test
python -c "from strands_robots.mesh.iot import provision_robot, teardown_thing; \
provision_robot('test-robot-orphan', cert_dir='/tmp/strands-orphan-test'); \
teardown_thing('test-robot-orphan'); \
import os; print('orphans:', os.listdir('/tmp/strands-orphan-test'))"
# expected (after fix): [] or just AmazonRootCA1.pem; current behaviour: cert + key files remain.

# Confirm the per-socket timeout doesn't leak to the process default.
python -c "import socket; from strands_robots.mesh.iot.provision import _download_with_per_socket_timeout; \
print('before:', socket.getdefaulttimeout()); \
try: _download_with_per_socket_timeout('https://example.com', 1.0, 1024) \
except Exception: pass; \
print('after :', socket.getdefaulttimeout())"

# Spot-check that the operator policy genuinely cannot Receive on /cmd of another thing:
python -m pytest tests/mesh/test_iot_policy_scope.py -v

Summary

This PR closes four real cloud-side gaps in the IoT transport: SHA-256 pinning of AmazonRootCA1.pem (defeats CA-substitution MITM at the canonical URL), an anchored strict-subset thing-name regex applied symmetrically to provision_robot / provision_operator / teardown_thing (defeats path traversal into cert_dir / f"{thing_name}.pem"), per-Resource scope tightening on the robot and operator IoT policies (no more strands/* wildcard iot:Receive), and a 60s default presigned-URL TTL with a 1h ceiling and an explicit-zero fix. The supporting test surface (~850 LOC across 6 files) is generally well-targeted and the §13 changelog is unusually clear about what was deferred and why.

What's good

• Symmetric validation. _validate_thing_name is called as the first line of all three public entry points (provision_robot, provision_operator, teardown_thing); the regex ^[a-zA-Z0-9_-]{1,128}$ is a deliberate strict-subset of AWS's charset (rejects :) and the trade-off is documented in both the docstring and the module-level comment.
• Pin set is a tuple[str, ...]. Designed for rotation: the new pin can land in advance and the old one can be retired in a follow-up. The STRANDS_MESH_CA_PINS env-var supplement is additive (does not replace the built-in tuple), which is the right default. TestMultiPinRotation pins this contract per AGENTS.md > Review Learnings (#85) > "Pin regression tests for reviewed fixes".
• verify_ca_pin is honest about the break-glass. It explicitly does NOT honour STRANDS_MESH_DISABLE_CA_PIN and uses O_NOFOLLOW to defeat symlink-swap TOCTOU. The asymmetric comment block makes the intent clear.
• Per-socket timeout. _download_with_per_socket_timeout correctly avoids socket.setdefaulttimeout() (which is process-global and observable to other threads). The custom HTTPSHandler is the right approach.
• Scope discipline. The R2 changelog calls out that the camera-side privacy kill-switch and S3 PutObject ACL hardening were not actually implemented and were defenestrated to #249 rather than rushed; the bucket-ownership threat model is now documented in the module docstring as the operator's contract. This matches AGENTS.md > Review Learnings (#86) > "Reject silently-dropped kwargs" / no-silent-drops posture.

Concerns

• Deferred-issue load. Five follow-up issues (#249, #251, #252, #253) and the R5b note describe behaviour the reviewer flagged but the author chose not to land in this slice, citing a self-imposed AGENTS.md round-budget ceiling of 3 (R3). The deferrals are clearly tracked, but a couple of them — the cert_dir= kwarg parity in teardown_thing (#252), and the bare except Exception clauses in the same function — are behaviour-of-this-PR concerns the reviewer can land in five lines, not architectural follow-ups. See inline comment on provision.py:503.
• Rotation operationally still needs a release. Pinning the CA hash is the right call, but every fielded copy of strands-robots will fail-closed the day AWS rotates AmazonRootCA1.pem until a new release ships. Worth a single line in the README / CHANGELOG describing the manual STRANDS_MESH_CA_PINS=<new-sha> break-glass operators can use to keep things working pre-release; today this is documented only as a comment in the module.
• CA-fixture autouse breadth. tests/mesh/test_iot_provision.py installs _bypass_ca_for_tests as autouse=True, replacing _ensure_ca with a no-op for every test in the module. Pin coverage lives in a separate file. See inline comment.

Verification suggestions

# Targeted: the new test files.
hatch run test -- \
  tests/mesh/test_iot_ca_pin.py \
  tests/mesh/test_iot_policy_scope.py \
  tests/mesh/test_camera_acl.py \
  tests/mesh/test_presign_ttl_none_vs_zero.py \
  tests/mesh/test_teardown_thing_validation.py

# Sanity-check the pin against the live AWS endpoint (network required):
python -c "import hashlib, urllib.request as u; \
  print(hashlib.sha256(u.urlopen('https://www.amazontrust.com/repository/AmazonRootCA1.pem').read()).hexdigest())"
# Expect: 2c43952ee9e000ff2acc4e2ed0897c0a72ad5fa72c3d934e81741cbd54f05bd1

# Sanity-check that the TTL env var actually clamps (not just the kwarg):
STRANDS_MESH_CAMERA_PRESIGN_TTL=86400 python -c \
  "from strands_robots.mesh.iot.camera_offload import CameraOffloader as C; print(C(bucket='b').presign_ttl)"
# Expect: 3600 + a WARNING.

Summary

This PR hardens the IoT provisioning path with three substantive changes: (1) SHA-256 pinning of the bundled Amazon Root CA1 with a tuple for rotation, (2) a strict thing-name regex applied symmetrically across provision_robot / provision_operator / teardown_thing, and (3) tightening of iot:Receive from a wildcard strands/* to per-thing topic prefixes plus broadcast/safety. Plus operational hygiene: short presigned-URL TTL (60s default, 1h cap), per-socket download timeout, env-var ValueError guard, custom cert_dir parity in teardown_thing, README env-var rows, and an opt-in CA-bypass test fixture so non-provision tests don't silently no-op the pin check.

The scope discipline through R1-R6 is good: kill-switch and S3 ACL hardening were correctly deferred to #249 once it became clear the kill-switch tests passed for incidental reasons (R2). The R5 multi-pin rotation regression test and the # tracked: #251 in-code anchor are both the right shape -- they pin a contract and surface a deferred follow-up at the call site.

What's good

• Pin-rotation contract is regression-tested (TestMultiPinRotation::test_tuple_supports_multiple_pins), so a future "simplify back to str" silently breaks loud.
• _validate_thing_name is applied symmetrically (provision/operator/teardown) -- the R3 fix closing the path-traversal hole on teardown_thing is the right call.
• _ensure_ca honours STRANDS_MESH_DISABLE_CA_PIN only on the download path; on-disk re-use always raw-checks the pin. Documented loudly.
• verify_ca_pin deliberately does NOT honour the break-glass and uses O_NOFOLLOW -- correct asymmetric posture for a forensic helper.
• _download_with_per_socket_timeout replaces the previous socket.setdefaulttimeout (process-global) approach with a per-socket handler. Good thread-safety thinking (AGENTS.md > Review Learnings (#85) > "Lock ALL model/data mutations" / per-socket-not-process-global).
• R6 bypass_ca fixture migration from autouse=True to opt-in via pytestmark on the three classes that exercise provision orchestration is exactly right -- a future refactor that drops _ensure_ca from provision_robot will surface in production-shaped tests instead of being masked by a silent no-op.
• Test surface is substantive: ~850 LOC across 6 files including pin-mismatch, oversized-body, symlink, env-var malformed, none-vs-zero, and policy-scope assertions.

Concerns

• README/code drift on STRANDS_MESH_DISABLE_CA_PIN (see inline) -- the README advertises three values that the code does not accept. The fix is a one-liner.
• OperatorPublishToFleet still uses a * wildcard for the target robot (topic/strands/*/cmd). The PR description's reviewer-focus bullet says "explicit per-thing prefix in Resource, never *" but the operator publish scope was not tightened. Any operator credential can publish a command to any robot; robots have no way to tell operators apart. This is the symmetric companion to the AllowResponseToAnyOperator wildcard in the robot policy. Worth either pinning the design choice in a comment with the threat model (compromised-operator scope is the same as compromised-fleet scope by design) or scoping this to e.g. an operator-scoped sub-topic. Not blocking for this PR but the description claim is inaccurate as it stands.
• teardown_thing(cert_dir=...) does not validate cert_dir. thing_name is regex-validated, but the operator-supplied cert_dir is Path()-coerced and unlinked under without any check that it lives under a sane root. In practice this is a privileged-API kwarg so the threat surface is small, but for symmetry with _validate_thing_name it's worth a one-line Path(cert_dir).resolve() + a sanity check, or at least a docstring note that the caller is trusted.
• _ensure_ca short-read parity with verify_ca_pin (R4 / #251) -- correctly deferred and anchored in-code; mentioning here only because it's the kind of "comes back to bite us" item that an autonomous-agent review checklist should not let drift past two more rounds. The existing #251 carries the suggested code; please make sure it lands before the next deferred slice (#249) absorbs round budget.
• Scope creep into unrelated em-dash / dot-leader cleanup. The non-iot files touched (shadow.py, iot/__init__.py, README's stage 1 wording, several test docstrings) replace … and en-dashes with ASCII. Independently fine and consistent with "no emojis in user-facing strings" (AGENTS.md), but tangling it into a security-hardening PR makes git-blame less useful for the security reviewer two years from now. Future hardening PRs: keep the wire-format / policy diffs in their own commit and the docstring sweep in a separate one.

Verification suggestions

Beyond hatch run test / ruff check:

# Verify the env-var docs match the code accept-set.
grep -nP 'STRANDS_MESH_DISABLE_CA_PIN' README.md strands_robots/mesh/iot/provision.py

# Confirm OperatorPublishToFleet scope intentionally uses the * wildcard.
python -c "from strands_robots.mesh.iot.provision import _OPERATOR_POLICY_DOC; \
import json; print(json.dumps([s for s in _OPERATOR_POLICY_DOC['Statement'] \
if s['Sid']=='OperatorPublishToFleet'], indent=2))"

# Smoke-test the per-socket timeout path doesn't mutate process default.
python -c "import socket; print('default:', socket.getdefaulttimeout()); \
from strands_robots.mesh.iot.provision import _download_with_per_socket_timeout; \
try: _download_with_per_socket_timeout('https://10.255.255.1/', 1.0, 1024)\
except Exception: pass\
print('after:', socket.getdefaulttimeout())"

# Confirm teardown_thing under custom cert_dir actually exercises the new path.
pytest tests/mesh/test_teardown_thing_validation.py::TestTeardownThingCertDirParity -v

Summary

The security-relevant content of this PR is solid: CA pinning with a break-glass that only weakens the download path (on-disk re-use always raw-checks), strict thing-name regex applied symmetrically across provision_robot / provision_operator / teardown_thing, IoT policy scope tightening (no iot:Receive on strands/* for either role), per-socket recv timeout via a one-shot HTTPSHandler (no process-global setdefaulttimeout mutation), short-by-default presigned URL TTL with kwarg-vs-env precedence correctly handling explicit presign_ttl=0. The R7-fix even pinned its own R7 docstring regression with a unit test — that is exactly the AGENTS.md "pin every reviewed fix with a regression test" discipline working as intended.

What's good

• Symmetric _validate_thing_name coverage — teardown_thing now validates before any FS operation (R3), closing the path-traversal-into-cert_dir vector. Pin tests live in test_teardown_thing_validation.py.
• verify_ca_pin has the chunked-read loop that _ensure_ca's re-use path lacks, and refuses symlinks via O_NOFOLLOW + an explicit is_symlink() pre-check. The asymmetry between _verify_ca_bytes (honours break-glass) and verify_ca_pin (does not) is the right call for forensic ground-truth.
• OperatorPublishToFleet wildcard is now annotated as deliberate with both a comment block and a regression test pinning it (R7). A future agent removing the wildcard will fail the pin and have to read the threat-model rationale before proceeding.
• _publish_cameras_once_with_offload widened catches are accurate — separate ImportError for cv2, distinct # noqa: BLE001 justifications per call site (boto3 ClientError vs LeRobot vs numpy/cv2/transport). No bare-except Exception slips.
• Round-budget discipline is loud — R2 and R5 each explicitly defer items rather than rush half-implementations, and the deferred items are filed as issues with reviewer-suggested code already pasted in. R7-fix folding inline (rather than spawning R8) for a same-PR regression is the correct call.

Concerns

• Test surface for the camera-offload /ref consumer side is absent. This PR ships the producer (transport.put(strands/<peer>/camera/<cam>/ref)) and the IoT policy that scopes its writes, but the subscriber contract (who is allowed to read these refs, what happens if the peer_id field disagrees with the topic prefix, what happens on an expired presigned URL) is not exercised here. That is upstream-dependent and #249 captures the kill-switch piece, but a verification test that an unauthorised principal cannot subscribe to camera/+/ref would tighten the slice.
• Round-budget overrun is acknowledged at R6 ("Round budget exceeded, but each fix is mechanical"). That is honest, and the R6 fixes are indeed mechanical — but R7 then introduced a docstring regression that R7-fix had to repair, and the docstring repair is itself incomplete (see inline on provision.py:515). This is the failure mode AGENTS.md round-budget guidance exists to prevent. Worth surfacing as a process-level note for the next slice.
• Three deferred issues against this slice (#249 ACL hardening / kill-switch, #251 short-read parity, #253 subscribe/receive asymmetry doc) all carry security-relevant follow-up work. None individually is blocking, but the cumulative deferral surface is large enough that the project board should treat them as unblocked-on-merge rather than long-tail.

Verification suggestions

# 1. Confirm the docstring really is malformed (Sphinx will complain):
python -c 'from strands_robots.mesh.iot.provision import teardown_thing; help(teardown_thing)'

# 2. Smoke-test the break-glass on the download path with garbage bytes:
STRANDS_MESH_DISABLE_CA_PIN=true python -c '
from unittest.mock import patch
from strands_robots.mesh.iot import provision
from pathlib import Path
import tempfile, os
with tempfile.TemporaryDirectory() as d:
    with patch("strands_robots.mesh.iot.provision._download_with_per_socket_timeout", return_value=b"completely-not-a-cert"):
        provision._ensure_ca(Path(d) / "ca.pem")
        print("WROTE:", (Path(d) / "ca.pem").read_bytes()[:32])
'
# Expect: "WROTE: b'completely-not-a-cert'" -- demonstrating the break-glass writes ANY bytes <=64KB.

# 3. Run the new pin tests in isolation:
pytest tests/mesh/test_iot_ca_pin.py tests/mesh/test_teardown_thing_validation.py tests/mesh/test_iot_policy_scope.py tests/mesh/test_presign_ttl_none_vs_zero.py -q

Summary

Part 8/9 of the #195 split. Tightens the AWS IoT provisioning surface against the cloud-side threat model: SHA-256 pinning for the Amazon Root CA1 download (defeats DNS / BGP / captive-portal CA substitution), a strict ^[a-zA-Z0-9_-]{1,128}$ thing-name regex applied symmetrically across provision_robot / provision_operator / teardown_thing (closes path-traversal via cert filenames), per-socket recv timeout that avoids the process-global socket.setdefaulttimeout mutation, scope-tightening of iot:Receive on the robot policy (no more strands/* wildcard), and a default presigned-URL TTL drop from 3600s to 60s.

The scope is coherent and the security posture genuinely improves. The R2 decision to drop the unimplemented camera kill-switch and S3 ACL bullets rather than rush them is the right call; deferring them to #249 with explicit acceptance criteria preserves the value of the implemented pieces. The R7-fix-2 incident (a pin test that asserted only on substring presence and missed an indentation regression in the same docstring) is exactly the AGENTS.md > Review Learnings (#85) > 'Pin regression tests for reviewed fixes' pattern -- the structural pin in test_cleandoc_renders_consistent_indentation is the right repair.

What's good

• Symmetric _validate_thing_name across all three public entry points (provision_robot, provision_operator, teardown_thing) -- closes the path-traversal vector.
• _AMAZON_ROOT_CA1_PINS is a tuple, not a string, so a CA rotation can ship as a code-only change that adds the new pin alongside the old one. The STRANDS_MESH_CA_PINS env-var lets fleet operators stage a new pin ahead of the next release, with regex-validated 64-char lowercase hex.
• _download_with_per_socket_timeout avoids socket.setdefaulttimeout (process-global) and instead bakes the timeout into a one-shot HTTPSHandler -- correct fix for the threading concern.
• verify_ca_pin uses O_NOFOLLOW and chunked reads; _ensure_ca re-use path uses O_NOFOLLOW -- TOCTOU symlink swap closed.
• STRANDS_MESH_DISABLE_CA_PIN is download-only; the on-disk re-use path always raw-checks the pin. This is the right asymmetry.
• _AMAZON_ROOT_CA1_SHA256 legacy alias is removed (not just deprecated). Good follow-through on CodeQL #229.
• OperatorPublishToFleet */cmd wildcard is documented as deliberate AND pinned by test_publish_to_fleet_wildcard_is_deliberate. A future 'finish the wildcard removal' agent will trip the test.
• Camera presigned-URL TTL is properly bracketed (< 1 floor, > 3600 cap, env-var fallback only when kwarg is None).
• Multi-pin rotation contract is pinned (test_tuple_supports_multiple_pins) so collapsing the tuple back to str won't pass review silently.

Concerns

• Round budget pressure is visible. The PR is at 8 review rounds (R7-fix-2 inline). The R7-fix introduced a docstring artefact, the R7-fix-2 caught it but the original R7-fix pin missed it, and the structural pin had to be added. The pattern is consistent with an over-folded late-stack diff. Consider whether #259/#260/#251 actually need to be follow-ups and whether deferring would have been cleaner during R5.
• Asymmetric exception-hygiene treatment. teardown_thing's three best-effort except clauses got # noqa: BLE001 annotations in R6, but the parallel _cleanup_stale_certs clauses (which do the same operations) did not. See inline.
• Subscribe/Receive asymmetry on robot policy. AllowOwnSubscriptions covers ${ThingName}/* but AllowReceiveScoped covers only ${ThingName}/cmd and ${ThingName}/response/*. Topics like ${ThingName}/health or ${ThingName}/state will subscribe but silently drop on receive. Tracked in #253 but worth a one-line comment in the policy doc now -- the next maintainer reading the dict will wonder.

Verification suggestions

# Pin-rotation regression -- catches a future tuple->str collapse
hatch run pytest tests/mesh/test_iot_ca_pin.py::TestMultiPinRotation -v

# Docstring structural pin -- catches the cleandoc indentation regression
hatch run pytest tests/mesh/test_teardown_thing_validation.py::TestTeardownThingDocstringShape -v

# All new policy-scope pins
hatch run pytest tests/mesh/test_iot_policy_scope.py tests/mesh/test_iot_ca_pin.py tests/mesh/test_camera_acl.py tests/mesh/test_presign_ttl_none_vs_zero.py tests/mesh/test_teardown_thing_validation.py -v

# Operator should still be able to publish to any robot's cmd (deliberate wildcard)
python -c "import json; from strands_robots.mesh.iot.provision import _OPERATOR_POLICY_DOC; print(json.dumps(_OPERATOR_POLICY_DOC, indent=2))" | grep -A2 OperatorPublishToFleet

As the description notes, full CI on this branch in isolation is expected red until #223 / #221 land.