gate: reject -dirty binaries in BINARY_MATCH (close residual contamination)

SonicField · SonicField · commit ab803601b8a9 · 2026-04-21T18:09:55.000-07:00
Push 39's e808676 + 0a5f096 added BINARY_MATCH on both arches. The grep is bare-hash: 'grep "$COMMIT_HASH" "$LONG_VERSION"'. That matches both clean ':<hash>,' AND '-dirty:<hash>' suffix — the exact contamination class that bit catch python#4 (binary built from a dirty working tree masquerades as a clean build). Pre-push-39, 'cp || true' accidentally protected against this by falling back to a stale-clean python_gate when local build was dirty. Push 39 removed the fallback. Without -dirty rejection, the next contaminated build IS the binary the gate tests, while BINARY_MATCH still passes. Fix: tighten the check to reject any version string containing '-dirty'. Mirror on ARM64 path (mirrors 0a5f096 symmetry). Output now distinguishes BINARY_MISMATCH (wrong hash) from BINARY_DIRTY (right hash, dirty build). Adds catches python#5 (push-39 in-flight commit race) and python#6 (this fix) to docs/wiring_catches.md. Per supervisor 2026-04-22 01:08:18Z + theologian 01:08:00Z (defense-in-depth: when a single incident exposes N adjacent gaps, fixing 1 leaves N-1 unprotected).
diff --git a/docs/wiring_catches.md b/docs/wiring_catches.md
@@ -17,6 +17,8 @@ caught it> <root cause class> <test-bug | emit-bug | gate-script bug>`.
 | 2 | 2026-04-21 | 15feea07c9   | ARM64 gate (push 36 stash bracket)     | `git stash push -u` captured SCP'd bundle inside cpython tree → fetch failed silently               | gate-script bug  |
 | 3 | 2026-04-21 | 91d5b60f5d   | ARM64 commit-match check               | `grep -oP 'ARM64_COMMIT=\K\S+'` matched heredoc body literal `$(git rev-parse...)` not runtime echo | gate-script bug  |
 | 4 | 2026-04-22 | 79890e7b73   | testkeeper G1.6 prep investigation     | `cp "$PYTHON" "${PYTHON}_gate" \|\| true` silently tolerated 'Text file busy' → gate ran against stale `python_gate` (8382896c85) for pushes 36/37/38; masked emitGetIter validation AND latent LOAD_ATTR_SLOT segfault in generalist's in-flight stash | gate-script bug  |
+| 5 | 2026-04-22 | f3271f58a5   | gate's own commit-match check          | self-induced race: testkeeper committed e8086760e3 + 0a5f096d6f WHILE the gate at f3271f58a5 was running; gate locks COMMIT_HASH at start but `git bundle create` reads HEAD at Step 7 — bundle captured later commits, ARM64 fetched e8086760e3, x86_64 reported f3271f58a5, mismatch flagged | gate-script bug + coordination-discipline gap |
+| 6 | 2026-04-22 | 0a5f096d6f   | supervisor / gatekeeper post-push-39 review | bare-hash `grep "$COMMIT_HASH"` matches both clean `':<hash>,'` AND `-dirty:<hash>` build strings → the SAME contamination class that bit catch #4 (binary built from dirty tree masquerades as clean) was still tolerated by the new BINARY_MATCH check; closed by tightening grep to reject `-dirty` suffix | gate-script bug  |
 
 ## Meta-observation (supervisor 2026-04-22 00:17:13Z)
 
diff --git a/scripts/gate_phoenix.sh b/scripts/gate_phoenix.sh
@@ -98,13 +98,25 @@ echo "$GATE_BINARY_VERSION" | tee -a "$RESULTS_FILE"
 # the commit hash; --version only carries '3.12.13'. Use sys.version.
 GATE_BINARY_LONG_VERSION=$("$PYTHON" -c 'import sys; print(sys.version)' 2>&1)
 echo "$GATE_BINARY_LONG_VERSION" | tee -a "$RESULTS_FILE"
-if echo "$GATE_BINARY_LONG_VERSION" | grep -q "$COMMIT_HASH"; then
-    echo "BINARY_MATCH: gate binary reports $COMMIT_HASH ✓" | tee -a "$RESULTS_FILE"
-else
+if ! echo "$GATE_BINARY_LONG_VERSION" | grep -q "$COMMIT_HASH"; then
     echo "BINARY_MISMATCH: gate binary does not contain HEAD hash $COMMIT_HASH" | tee -a "$RESULTS_FILE"
     echo "GATE FAIL — gate binary identity does not match HEAD" | tee -a "$RESULTS_FILE"
     exit 1
 fi
+# Reject '-dirty' suffix: per supervisor 2026-04-22 01:08:18Z, the prior
+# 'cp || true' (removed in f3271f58a5) was accidentally protecting the
+# gate by falling back to a stale-clean binary when the local build was
+# dirty. With cp now strict, a -dirty build IS the binary the gate
+# tests. The original 79890e7b73-dirty contamination (catch #4) would
+# match 'BINARY_MATCH 79890e7b73 ✓' under the bare-hash grep — close
+# the loophole.
+if echo "$GATE_BINARY_LONG_VERSION" | grep -q -- "-dirty"; then
+    echo "BINARY_DIRTY: gate binary built with uncommitted working-tree changes" | tee -a "$RESULTS_FILE"
+    echo "  $GATE_BINARY_LONG_VERSION" | tee -a "$RESULTS_FILE"
+    echo "GATE FAIL — gate binary built from a dirty working tree (commit 'git stash' or 'git status --short' before re-running)" | tee -a "$RESULTS_FILE"
+    exit 1
+fi
+echo "BINARY_MATCH: gate binary reports $COMMIT_HASH (clean) ✓" | tee -a "$RESULTS_FILE"
 
 # Step 1b: _reg usage policy gate (no-FS DeoptBase factories banned in simplify_c.c)
 echo "" | tee -a "$RESULTS_FILE"
@@ -536,13 +548,17 @@ if [ "$ARM64" -eq 1 ]; then
         chmod +x python;
         ARM64_BINARY_LONG_VERSION=\$(./python -c 'import sys; print(sys.version)' 2>&1);
         echo ARM64_BINARY_LONG_VERSION=\$ARM64_BINARY_LONG_VERSION;
-        if echo \"\$ARM64_BINARY_LONG_VERSION\" | grep -q \"\$ARM64_COMMIT\"; then
-            echo \"ARM64_BINARY_MATCH: ./python reports \$ARM64_COMMIT ✓\";
-        else
+        if ! echo \"\$ARM64_BINARY_LONG_VERSION\" | grep -q \"\$ARM64_COMMIT\"; then
             echo \"ARM64_BINARY_MISMATCH: ./python does not contain \$ARM64_COMMIT\";
             echo \"GATE FAIL — ARM64 gate binary identity does not match HEAD\";
             exit 99;
         fi;
+        if echo \"\$ARM64_BINARY_LONG_VERSION\" | grep -q -- '-dirty'; then
+            echo \"ARM64_BINARY_DIRTY: ./python built with uncommitted working-tree changes\";
+            echo \"GATE FAIL — ARM64 gate binary built from a dirty working tree\";
+            exit 99;
+        fi;
+        echo \"ARM64_BINARY_MATCH: ./python reports \$ARM64_COMMIT (clean) ✓\";
         JIT_ENABLE=1 ./python -m test test_phoenix_jit_arithmetic test_phoenix_jit_autocompile test_phoenix_jit_comparisons test_phoenix_jit_containers test_phoenix_jit_controlflow test_phoenix_jit_coverage test_phoenix_jit_functions test_phoenix_jit_generators test_phoenix_jit_loadattr_golden test_phoenix_float test_phoenix_hir_type test_phoenix_benchmark_correctness test_phoenix_deferred_compile test_phoenix_profiling_hooks test_phoenix_usetype_float 2>&1 | tail -10;
         echo ARM64_EXIT=\$?;
         echo STASH_POP_BEGIN;
