Skip to content

findings: F41-F43 Cobrust corroboration (source-surface-leak + device-name-redact + SPOF-build)#2

Draft
Hakureirm wants to merge 2 commits into
mainfrom
adsd-cobrust-f41-f43
Draft

findings: F41-F43 Cobrust corroboration (source-surface-leak + device-name-redact + SPOF-build)#2
Hakureirm wants to merge 2 commits into
mainfrom
adsd-cobrust-f41-f43

Conversation

@Hakureirm
Copy link
Copy Markdown
Member

@Hakureirm Hakureirm commented May 21, 2026

Summary

3 new failure-mode findings (F41-F43) empirically corroborated by Cobrust Phase G/J
sprints (2026-05-19/20). Follow-up to PR #1 (cobrust-f31-f39, F31-F40 batch, open).

  • F41 — Source-surface leakage of codegen-internal primitive (Cobrust local F38)
  • F42 — Device-identifying names leaked into public artifacts via sub-agent memory read-through (Cobrust local F39)
  • F43 — Single-point-of-failure heavy-build host (Cobrust local F40)

Empirical anchors

Finding Cobrust local Incident date Ratified SHA Resolution
F41 F38 2026-05-19/20 46c0946 ADR-0064 print-monomorphization + CI lint
F42 F39 2026-05-19 d012df9 git filter-repo Option-A force-rewrite + opsec-lint CI gate
F43 F40 2026-05-19/20 9cb84b5 DG abandonment — GH Actions CI as sole heavy-gate verifier

All three SHAs are reachable on Cobrust-lang/Cobrust main branch.

Pattern families

  • F41 extends the LLM-first design principle (CLAUDE.md §2.5) as a new sub-form:
    "type-suffix source-face names violate training-data-overlap rule." New family: design-surface contamination.
  • F42 extends F1-Sediment as a new sub-form: "opsec-boundary: agent memory read-through
    propagates private literals to publishable artifacts without enforcement gate."
  • F43 introduces infrastructure-resilience (SPOF sub-form): SSH-gated single host
    as sole verification path; adjacent to F29 (runner-pool) but at the sprint-verification layer.

Slot rationale

PR #1 claims upstream F31-F40 for different patterns (Cobrust local F27-F34 + stream-watchdog).
Upstream catalogue currently ends at F30 (on main). F41-F43 are the next free slots.

Files

plugins/adsd/skills/agent-driven-development/reference/cobrust-f41-f43/
  README.md                                           (batch index, ~60 lines)
  F41-source-surface-leakage-codegen-primitive.md    (~155 lines)
  F42-device-name-leakage-public-artifacts.md         (~150 lines)
  F43-spof-heavy-build-host.md                       (~145 lines)

Checklist

  • 3 finding files match upstream catalogue shape (frontmatter + Pattern + Root cause + Empirical + Detection rule + Resolution path + Related findings)
  • All Cobrust SHAs verified reachable on main
  • No impl/test/ADR changes — outreach finding files only
  • F43 SHA corrected to 9cb84b5 (DG abandonment doc commit, distinct from d012df9 F42 CI-rename)
  • No opsec-sensitive strings embedded (device names use neutral placeholders per F42 going-forward rule)

Drafted as DRAFT — user action required to gh pr create or promote to ready-for-review.

吴冰晶 added 2 commits May 21, 2026 11:19
findings: F41-F43 Cobrust empirical corroboration (source-leak + devi…
f817625 
…ce-name-redact + SPOF-build)

F41 (Cobrust F38): source-surface leakage of codegen-internal primitive
  - print_int/str/bool/float leaked into source-face PRELUDE; 333 LOC cleanup
  - Ratified Cobrust@46c0946 (ADR-0064); violates LLM-first §2.5 training-data-overlap rule

F42 (Cobrust F39): device-identifying names in git history via sub-agent memory read-through
  - 31 commit messages + 18 repo files; filter-repo Option-A force-rewrite
  - Ratified Cobrust@d012df9; adds opsec-boundary sub-form to F1-Sediment family

F43 (Cobrust F40): single-point-of-failure heavy-build host (DG abandonment)
  - SSH-gated workstation died; 8+ hr sprint blocked; sub-agents retried silently
  - Ratified Cobrust@d012df9; resolution = GH Actions as sole authoritative heavy-gate verifier
fix(f43): correct Cobrust SHA to 9cb84b5 (DG abandonment doc commit)
4ba9801
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Hakureirm