M4: VSLSEC (security/authz S5) + VSLLOG (audit sink S3) #6
Merged
Bind the security and audit seams in v-stdlib, dual-engine GREEN 11/11 (vehu YDB + foia-t12 IRIS); full suite 33/33, no regression. VSLSEC — the VistA authorization decision (authz-only). Grounded that no portable Kernel generic-hash entry point exists ($$SHAHASH^XUSHSH absent on vehu; classic ^XUSHSH returns a constant on both engines), so portable crypto stays in STDCRYPTO and VSLSEC binds none (architecture 3.4). $$hasKey over ^XUSEC (Supported reference, notional ICR; a DENY is a normal 0, not an error), $$duz (#200 IEN principal), $$user (#200 NAME via VSLFS reuse, v->v). Loud ,U-VSL-SEC-ARG, on a malformed call (empty key). VSLLOG — the first v->v composition: the audit sink reuses VSLFS (no FileMan DBS re-bind), files a $$now^STDDATE() (v->m) timestamped line as .01, and maps a VSLFS ,U-VSL-FS-DIERR, to ,U-VSL-LOG-WRITE,. No @iCr (no direct L4 call). Lane A no-op: no MSL seam change, so m-stdlib is untouched, no v0.10.0 tag, and the pin stays v0.9.0. Gates green: check-icr 9, check-citations 9 (new XU/krn_8_0_dg_security_keys_ug#key-lookup verified vs gold), check-namespaces 5, check-seams 0, check-msl-pin v0.9.0; make check-fast clean. Fixtures are existing low-risk entries probed read-only (a real ^XUSEC(key,duz) pair; #200 IEN 1; a #8989.51 ZZ throwaway audit record). Deferred (non-gating): the optional MailMan alert and context-option authz ($$inContext via CRCONTXT^XWBSEC). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
VSL/MSL M4 — the security (S5) + audit (S3) seams
Binds the security and audit seams in v-stdlib. Dual-engine GREEN 11/11
(vehu YDB + foia-t12 IRIS) over the driver stack; full v-stdlib suite 33/33,
no regression. m-stdlib untouched.
VSLSEC — the VistA authorization decision (authz-only)
Grounded by probing both live engines that no portable Kernel generic-hash entry point exists ($$SHAHASH^XUSHSH absent on vehu/older-FOIA; classic top-level ^XUSHSH returns a constant on both engines), so portable crypto stays in STDCRYPTO and VSLSEC binds none (architecture §3.4).
- $$hasKey(key,duz) = ''$D(^XUSEC(key,duz)) — the security-key decision (a DENY is a normal 0, not an error).
- $$duz() = +$G(DUZ) — the ambient principal (the #200 IEN binding).
- $$user(duz) = #200 NAME via VSLFS reuse (v→v; no DBS re-bind).
- ,U-VSL-SEC-ARG, on a malformed call (empty key).
- ^XUSEC is the documented Supported reference (no numeric DBIA) → notional @icr (a $D read, not a set/kill — no-direct-global rule satisfied).
VSLLOG — the first v→v composition (audit sink)
Reuses VSLFS (no FileMan DBS re-bind), composing a $$now^STDDATE() (v→m) timestamped line filed as .01; $$read reads it back; a VSLFS ,U-VSL-FS-DIERR, is caught and re-raised as ,U-VSL-LOG-WRITE,. No @icr (no direct L4 call — DIQ/DIE live in VSLFS; STDDATE is m-layer).
Lane A no-op
M4 needed no MSL seam change → m-stdlib untouched, no v0.10.0 tag, pin stays v0.9.0.
Gates (all green)
check-icr 9 · check-citations 9 (new XU/krn_8_0_dg_security_keys_ug#key-lookup verified vs gold) · check-namespaces 5 · check-seams 0 · check-msl-pin v0.9.0; make check-fast clean.
Fixtures
Existing low-risk entries probed read-only: a real ^XUSEC(key,duz) pair, #200 IEN 1, and a #8989.51 ZZ throwaway audit record. No keys granted/revoked.
Deferred (non-gating)
Optional MailMan alert (SETUP^XQALERT/EN^XMB — a real side effect) and context-option authz $$inContext via CRCONTXT^XWBSEC (ICR 4053; needs the encrypted option name + sets context — too fragile for a safe read-only probe).
🤖 Generated with Claude Code