fix(spec-003 v0.8.3): admit-tokenless on duplicate during settling window

[Augustas11]

Summary

Replaces v0.8.2's hard-TOFU reject with admit-tokenless when a tokenless connect arrives for a provider_id that already has an unrevoked token row.

The DB partial unique index (v0.8.2) is the canonical "at most one valid bearer per provider_id" enforcement. The wire-level close was redundant and structurally incompatible with the settling-window deploy plan that PRs #44 + Entries 60-62 designed against.

Why now

Discovered during the 2026-06-12 v1.3.1 deploy attempt to Pearl (DECISION_CRITERIA Entry 66). Cascading failure:

1. 13:55Z — Coordinator v1.3.1 deployed; restart kicked existing pool.
2. Within 5 min — air5 + air8gb (both on v1.2.5 binaries) reconnected tokenless. Coordinator self-minted tokens for each, returned in hello_ack. v1.2.5 silently dropped the unknown assigned_provider_token field (Swift JSON decoder behavior).
3. 22:47Z — air8gb disconnected (NAT blip), reconnected tokenless, hit v0.8.2's hard-TOFU gate: HasActiveTokenForProvider == true → CloseInvalidToken / "invalid_token". Permanently rejected.
4. 22:49Z — Coordinator rolled back to v1.3.0-24-g87b3a6b via coordinator.prev swap. Both providers recovered on next reconnect.

The structural defect: PR #44's three-auditor pass + the focused security re-audit evaluated the security model (TOFU does prevent credential capture — correct) but did not audit the deployment plan against the "existing tokenless providers cannot persist tokens" constraint. The settling window cannot work if the wire-level reject bricks the old-binary cohort on first reconnect.

What changes

phase4-coordinator/internal/ws/server.go

• resolveProvisionalToken maps ErrActiveTokenAlreadyExists to provisionalTokenSkip (admit without ack token) instead of provisionalTokenRejectTOFU (close).
• Pre-INSERT HasActiveTokenForProvider SELECT call removed — it was a TOCTOU-racy belt for the unique-index suspenders, and the suspenders are the only canonical enforcement.
• provisionalTokenRejectTOFU enum value + the v1/v2 ack-write close-on-reject branches deleted.

phase4-coordinator/internal/ws/provider_token_self_serve_test.go

Renamed + rewrote the TOFU regression test:

• Old: TestSelfServeProvisionalTokenRejectedWhenActiveTokenExists (asserted CloseInvalidToken)
• New: TestSelfServeProvisionalTokenAdmitsTokenlessWhenActiveTokenExists

Asserts:

• hello_ack received (not close frame)
• assigned_provider_token == "" in the ack (loser is bearer-less)
• Exactly one active row in DB (DB constraint prevented duplicate mint)

specs/SPEC-003-open-onboarding.md

Bumped v0.8.2 → v0.8.3:

• FR-C9.1 rewritten: coordinator MUST attempt the mint on every tokenless provisional admission; on ErrActiveTokenAlreadyExists, admit tokenless without ack token.
• FR-C9.4 rewritten: the partial unique index is the canonical "at most one valid bearer per provider_id" enforcement (not a wire-level reject). Settling-window contract = admit-tokenless. Post-flip contract = validateProviderToken upgrade-gate reject. Operator runbook now mandates coordinator-cli list-tokens audit + revoke-and-coordinate at flag-flip.

beta/DECISION_CRITERIA.md

Entry 66 — full deploy postmortem + the methodology lesson: deployment plans for security-sensitive contract changes need an adversarial review against "what existing field consumers in the wild do," not just "what the spec says they should do."

Security property preserved

The credential-capture attack the codex security audit on PR #44 (MAJOR-1) closed remains closed. An attacker still cannot mint a parallel bearer for someone else's provider_id — the INSERT fails on the unique constraint. The only thing that changes is what happens to the losing connection on the wire: admit-bearer-less instead of close-with-reject.

After flag-flip (RequireProviderTokens=true), tokenless connects are still rejected at the WS upgrade layer by validateProviderToken BEFORE reaching admission. The DB constraint at that layer becomes defense in depth.

Operator runbook update at flag-flip

Pre-flip checklist (now normative in FR-C9.4):

1. coordinator-cli list-tokens — audit for duplicate or unexpected active rows
2. coordinator-cli revoke-token --token-prefix <prefix> on any rows belonging to the wrong party
3. Coordinate with the legitimate party so they can mint cleanly on their next reconnect (revoke + restart, OR ensure they're on a binary that can persist assigned_provider_token)
4. Only THEN flip auth.require_provider_tokens=true + SIGHUP

Test plan

• go test ./... full coordinator suite green
• New test TestSelfServeProvisionalTokenAdmitsTokenlessWhenActiveTokenExists passes
• All existing token tests still pass (no regressions on the v0.8.2 TOCTOU-safety properties)
• Pre-fix test name (...RejectedWhen...) no longer exists; renamed + rewrote

Not in this PR (carried separately)

• PR release: conditional Developer ID signing + notarization (unblocks macOS 26.3.1 launchd) #62 — release-pipeline Developer ID signing + notarization (gates the next deploy on macOS 26.3.1+).
• Revoke the two orphan tokens before any future v1.3.1+ coordinator deploy. Prefixes: 372c3372023e (air5), d630849e8acb (air8gb).
• Fix nginx duplicate-zone source-of-truth in phase4-coordinator/dist/nginx-coordinator.streamvc.live.conf:18-19 — operator hot-patched the live conf; source still has the bug.

🤖 Generated with Claude Code

[Augustas11]

fix-pass-3 (commit 1619f97) — three-auditor pass + structural fix

Three codex auditors (code-reviewer, security-reviewer, architect) ran in parallel on the v0.8.3 commit 1fc7eaa:

Auditor	Verdict	CRITICAL / MAJOR / MINOR / NIT
code-reviewer	REQUEST CHANGES	0 / 2 / 3 / 0
security-reviewer	BLOCK MERGE	0 / 2 / 0 / 1
architect	refactor-needed	0 / 3 / 3 / 0

Convergent MAJOR (security + architect)

v0.8.3's admit-tokenless removed the wire-level close, but the v1/v2 paths still called registerProviderSession, which keys by provider_id and last-writer-wins-evicts the existing session (pool/provider.go:191-224). Attacker:

• Doesn't get a bearer (DB unique index prevents that ✓)
• Gets the pool slot (eviction defense missing ✗)
• Receives buyer traffic ✗
• Accrues billing identity under the victim's provider_id ✗

That re-opened M1-1 / XSEC-1 (provider impersonation) in a different shape.

Fix

Added pool.AuthState as a first-class enum + field on pool.Provider:

• AuthBearerValidated
• AuthSelfMinted
• AuthBearerlessDuplicate

resolveProvisionalToken now returns (outcome, token, authState). v1/v2 ack sites set entry.AuthState before registerProviderSession.

Three concurrent gates on AuthBearerlessDuplicate:

1. pool.Registry.Register returns (oldConn, registered bool); refuses to evict an existing session in favor of a bearer-less duplicate. WS handler closes the duplicate with CloseInvalidToken / "invalid_token".
2. pool.Provider.RoutingEligible() returns false — excluded from buyer routing AND billing identity (billing is keyed on routed providers).
3. Surfaced in /poolz JSON via auth_state field (omitempty, so default-value entries don't change pre-v0.8.3 output).

Convergent MAJOR-2 (security + architect): flag-flip runbook ungrounded

Old runbook: "audit list-tokens for duplicate or unexpected rows." But duplicates are prevented by the unique index (so "duplicate" is unobservable) and "unexpected" was undefined.

New runbook (FR-C9.4(e)): gate flag flip on last_used_at freshness within 24h. A row with last_used_at IS NULL proves no binary has ever successfully authenticated with that token — could be the legitimate provider whose binary can't persist tokens OR an attacker who never had a usable binary. Either way: revoke + reconnect (race for fresh mint) OR coordinate out-of-band via coordinator-cli issue-token for a pinned-tier token.

Other findings (mechanical)

• Code MAJOR-1 + architect MAJOR-3: Stale "TOFU close path" / "MUST treat as TOFU rejection" comments cleaned up across tokens.go, server.go, messages.go.
• Code MAJOR-2 + architect MINOR-3: Added v2 auth_response duplicate-admit-tokenless test.
• Code MINOR-3 + architect MINOR-1: HasActiveTokenForProvider removed from TokenIssuer interface. Retained on *auth.Store for operator tooling with explicit doc-comment warning against re-introducing it as a pre-flight gate (would reintroduce the TOCTOU window v0.8.2 closed).
• Entry 63 → Entry 66 references corrected throughout SPEC-003 + test file.
• NIT-1: Stale comments cleaned up.

New regression tests

Test	What it locks	Fails on
TestSelfServeProvisionalTokenEvictionDefenseProtectsRoutableSession	Bearer-less duplicate cannot evict a routable session	Pre-fix code (v0.8.3 1fc7eaa)
TestSelfServeProvisionalTokenAdmitsTokenlessOnAuthResponseV2WhenActiveTokenExists	v2 admit-tokenless symmetric with v1	Pre-fix (v2 untested)
(extended) TestSelfServeProvisionalTokenAdmitsTokenlessWhenActiveTokenExists	Now also asserts AuthBearerlessDuplicate marking + RoutingEligible()==false	Pre-fix-pass-3

SPEC-003 FR-C9.4 rewritten as layered normative contract

• (a) Storage invariant (unchanged from v0.8.2)
• (b) Settling-window wire contract (5-step MUST list, including AuthBearerlessDuplicate marking)
• (c) NEW: Routing + billing + registry consequences — codifies the eviction defense + routing exclusion + /poolz visibility
• (d) Post-flip wire contract (DB constraint as defense in depth)
• (e) NEW: Operator flag-flip runbook with last_used_at freshness gate

DECISION_CRITERIA

Entry 67 records the postmortem + the methodology lesson:

Any change to admission semantics requires explicit re-evaluation of pool-registration, routing, and billing consequences, not just wire-frame behavior.

Tests

Full Go suite green. 9 self-serve tests pass in WS package.

🤖 Generated with Claude Code

[antfleet-ops]

fix-pass-4 pushed in 51c1a18. Architectural changes:

• Routing/capacity sites (handleModels, chat-completions, hard-pin) delegate to p.RoutingEligible()
• Observability sites (Tier-2 metadata, hash verification) renamed to hasAvailableSlot with explicit AuthBearerlessDuplicate exclusion (preserves HashStatus branching needed for operator visibility)
• pool.Provider.RoutingEligible() scope corrected — HashStatus filtering removed (was overaggressive when Tier-2 hash enforcement is operator-disabled). Predicate now exclusively concerns credential trust (AuthState) + slot availability. Tier-2 hash filtering stays in config-aware buyer code.

Three buyer regression tests added:

• TestChatCompletionsExcludesAuthBearerlessDuplicate (503, no upstream invocation, no provider header)
• TestChatCompletionsPinnedHeaderRejectsAuthBearerlessDuplicate (hard-pin path)
• TestModelsExcludesAuthBearerlessDuplicateFromCapacity (capacity exclusion)

Code MINOR-1 / MINOR-2 / NIT addressed:

• Eviction-defense test: positive AuthBearerValidated assertion (no more silent empty-state regression)
• v2 retention-cleanup variant: SPEC-010 catalog fields force retainSpec010=true, verifies R-7.9.7 defer on duplicate-admit
• Entry 67 reformatted; Entry 68 added documenting fix-pass-4

Architect's larger items deferred to tracking issue #82 (Phase 5 gateway aggregation, AuthMintFailed enum, coordinator-cli pre-flip-audit command, explorer auth_state) — kept out of this PR to maintain reviewability and atomicity.

Full phase4-coordinator test suite green.

[antfleet-ops]

fix-pass-5 pushed in 9c78355. Composed v0.8.4 merge with three-codex-auditor closure.

Convergent A-E (doc/test cleanup):

• SPEC-003 §FR-C9.4(b) rewrite + changelog Entry 68 → 71 cross-ref fix
• TokenIssuer interface doc-comment refresh
• Eviction-defense test renamed to reflect actual fired branch under composition (strict-reject path); added two direct registry-level tests in internal/pool for the actual Register-layer defenses

Code MAJOR-1 (F): atomic ValidateAndMarkTokenUsed.
Closes the TOCTOU window between ValidateToken at WS upgrade and MarkTokenUsed in prepareProviderAdmission where a concurrent tokenless self-heal could revoke the legitimate provider's still-NULL row and mint a fresh bearer for an attacker. Single UPDATE-RETURNING in auth.Store.ValidateAndMarkTokenUsed; called at upgrade time. prepareProviderAdmission MarkTokenUsed call removed (with explanatory comment).

Security MAJOR-1 (G): AuthMintFailed enum + fail-closed.
pool.AuthState gains AuthMintFailed (4th value). Transient IssueToken DB errors now return provisionalTokenRejectTOFU + AuthMintFailed instead of Skip + "". Closes the DoS-amplification vector where empty AuthState was treated as routable.

Security MAJOR-2 + Architect Steelman (H): extended Register eviction defense.
pool.Registry.Register now refuses non-Bearer-validated replacement of an existing routable Bearer-validated session. Bearer-validated reconnects always succeed (proof-of-bearer is independently strong).

Test coverage:

• internal/auth/pool/ws/buyer: all green under -count=1
• Race detector clean on auth/pool/ws/buyer
• 2 new direct registry tests: TestRegistryRefusesBearerlessDuplicateReplacement + TestRegistryRefusesNonBearerReplacementOfRoutableBearerValidated
• 1 new fail-closed test: TestSelfServeProvisionalTokenMintFailureFailsClosed (replaces the pre-fix-pass-5 tolerated variant)
• Renamed: TestSelfServeProvisionalTokenStrictRejectPreservesRoutableSession

Deferred to tracking issue #82:

• Phase 5 gateway /poolz aggregation decode + auth_state exclusion (architect MAJOR-2)
• v2 strict-reject mirror test (code MINOR-2)
• coordinator-cli pre-flip-audit CLI (architect Followup 3)
• explorer auth_state exposure (architect Followup 5)

PR state: GitHub now shows CONFLICTING because more PRs landed on main during fix-pass-5 (M3 batch). Files touched on both sides: DECISION_CRITERIA, auth/tokens.go, buyer/server.go, pool/provider.go, ws/server.go, SPEC-003. Another merge resolution will be needed before merge.