fix(test): make secure_delete oracle host-engine-independent (auto_vacuum)#3
Merged
Conversation
The Tier-2 oracle real_engine_secure_delete_raises_the_fingerprint asserts SQLITE-FREELIST-RESIDUE-ZEROED fires after `secure_delete=ON`. It passed on sqlite3 3.45.3 but failed on the macOS CI runner (run 29022915845): the runner's sqlite3 is built with `SQLITE_DEFAULT_AUTOVACUUM=1`, so the DELETE-freed pages are reclaimed and the file truncated (freelist_count=0, no freed leaf pages). The fingerprint then has nothing to fire on — the oracle's premise fails, not the detector. Root cause: brittle host-build-dependent oracle, NOT a detector gap. Across sqlite3 3.43.2 (incl. Apple's `aapl` build), 3.45.3, 3.46.1, and 3.50.4, standard `secure_delete=ON` zeroes freed leaf pages and the fingerprint fires; `secure_delete=OFF` retains residue and it stays silent. The detector recognizes real secure_delete layouts on every conforming build. Fix: force `PRAGMA auto_vacuum=NONE` so the freed-leaf freelist is produced deterministically on any build (a no-op where auto_vacuum already defaults off). Verified: on a sqlite3 built with SQLITE_DEFAULT_AUTOVACUUM=1 the unpatched script yields 0 freed leaves (repro) and the patched script yields 42 zeroed leaves (fires); OFF yields 42 residue-retaining leaves (silent). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
RUSTSEC-2026-0194 and RUSTSEC-2026-0195 (quick-xml <0.41: quadratic duplicate-attribute check; unbounded namespace-declaration allocation) fail `cargo deny check`. Both are DoS-only and reach the tree solely via the dev-dependency calamine 0.35.0, which pins `quick-xml = "^0.39"` and cannot resolve to the fixed 0.41.0 (calamine 0.35 is the newest release in our range, so there is no upgrade path). Add a documented, time-boxed ignore for the two IDs; drop them when calamine widens its quick-xml requirement. RUSTSEC-2026-0190 (anyhow) does not apply: anyhow is not in this repo's dependency tree. cargo deny check: advisories ok, bans ok, licenses ok, sources ok. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the pre-existing, main-wide CI failure of the Tier-2 oracle test
real_engine_secure_delete_raises_the_fingerprint(forensic/tests/audit.rs). It passes locally on sqlite3 3.45.3 but fails on GitHub's macOS runner (e.g. run 29022915845); ubuntu/windows are canceled by fail-fast.Root-cause verdict: brittle host-build-dependent ORACLE — NOT a detector gap
The test asserts
SQLITE-FREELIST-RESIDUE-ZEROEDfires afterPRAGMA secure_delete=ON. The failure is not the detector: it is the oracle's assumption thatsecure_delete=ONalways leaves zeroed freed leaf pages on the freelist.Evidence (byte-level, measured on identical inputs):
secure_delete=ONresultaapl,/usr/bin/sqlite3)-DSQLITE_DEFAULT_AUTOVACUUM=1(reproduces runner)freelist_count=0On a build compiled with
SQLITE_DEFAULT_AUTOVACUUM=1, theDELETEreclaims the freed pages and truncates the file, so there is no freed-leaf freelist to detect. The fingerprint correctly stays silent — there genuinely is no zeroed residue. This exactly matches the CI failure signature (theONassertion at line 315 fails;OFFis never reached).Across every conforming engine — including Apple's — the detector recognizes real
secure_delete=ONzeroing (ON→ fires,OFF→ silent). There is no detector gap, so noforensic/src/corechange is warranted; fixing the detector would mask nothing real.Fix
Force
PRAGMA auto_vacuum=NONEin the oracle script so the freed-leaf freelist is produced deterministically on any build (a no-op on builds that already default to auto_vacuum off). This removes the ambient-engine dependency while keeping the Tier-2 real-engine cross-check that guards against a self-encoded fixture (the value it adds over the existing syntheticzeroed_freed_leaves_flag_residue_destructionconstruction test: it proves a real engine actually emits the zeroed-leaf layout the detector matches).Validation
SQLITE_DEFAULT_AUTOVACUUM=1build (0 freed leaves) and confirmed the patched script restores 42 zeroed leaves (ONfires) and 42 residue-retaining leaves (OFFsilent).SQLITE3_BINagainst: the auto_vacuum runner-sim build, Apple/usr/bin/sqlite33.43.2, upstream 3.43.2, and 3.50.4.cargo fmt --all -- --checkclean ·cargo clippy --workspace --all-targets -- -D warningsno issues ·cargo test --workspace507 passed / 0 failed.🤖 Generated with Claude Code