From 7c64910c90d4af7a56c65e5c02d8fbbdf3a8fc44 Mon Sep 17 00:00:00 2001 From: mwiegand Date: Fri, 15 May 2026 14:39:11 +0200 Subject: [PATCH] spec(hardening-refactor): resolve emitter open items Verified during plan execution that the ckn-bw systemd-bundle emitter handles tuples and empty values as expected. SocketBindAllow port range hard-coded since systemd directive variable substitution is not universal. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../2026-05-15-hardening-refactor-design.md | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/docs/superpowers/specs/2026-05-15-hardening-refactor-design.md b/docs/superpowers/specs/2026-05-15-hardening-refactor-design.md index c4ae441..619cf5d 100644 --- a/docs/superpowers/specs/2026-05-15-hardening-refactor-design.md +++ b/docs/superpowers/specs/2026-05-15-hardening-refactor-design.md 
@@ -202,13 +202,25 @@ reference unit points readers at the reactor. scope. - **Pushing the branch** — operator decides when. -## Open items resolved in implementation, not design +## Implementation notes (resolved during plan execution) -- Does the systemd-bundle emitter handle `('a', 'b')` tuples as - repeated `Key=` lines, and `''` as `Key=` empty value? Verify as the - first step of the plan; fallback strategies if not. -- `SocketBindAllow=` value: hard-coded range vs. variable - substitution. Determined during emitter verification. +- The ckn-bw systemd-bundle emitter renders Python tuples as repeated + `Key=Value` lines and renders empty strings as `Key=` with no value. + Both behaviors confirmed by reading the Mako template in + `libs/systemd.py:17-23`. Tuple branch: `isinstance(value, + (list, set, tuple))` iterates and emits `${option}=${item}` per + element, preserving insertion order (sets are sorted; lists and + tuples are not). Empty-string branch: falls through to `else: + ${option}=${str(value)}`, which emits `Key=` with nothing after `=`. + `None` suppresses the key entirely (distinct from empty string — + important). The `protection()` helper at `libs/systemd.py:94` already + uses `'CapabilityBoundingSet': ''` as a live in-repo example. Tuple + precedent in the left4me bundle: `EnvironmentFile` at + `bundles/left4me/metadata.py:201-204`. Verified 2026-05-15. +- `SocketBindAllow=` value: hard-coded port range `27000-27999` for + both `udp:` and `tcp:` lines (matches the `LEFT4ME_PORT_RANGE_*` + metadata values). Variable substitution in systemd directives is not + universally supported; hard-coded range avoids the hazard. ## Pointers
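Review bot: in the `SocketBindAllow=` bullet, hard-coding `27000-27999` duplicates the `LEFT4ME_PORT_RANGE_*` metadata values, so a later change to the metadata leaves the socket-bind allow-list silently out of step with the ports the service actually uses. The stated hazard concerns variable substitution inside systemd directives. The first bullet says the emitter renders Python values through a Mako template, so the note should either explain why the range cannot be formatted from the metadata at render time, or require a check that the emitted `udp:` and `tcp:` ranges equal the metadata values. In the first bullet, the references `libs/systemd.py:17-23`, `libs/systemd.py:94` and `bundles/left4me/metadata.py:201-204` will drift as those files change; pin them to a commit or name the template branch and helper instead of line numbers. The `None` versus `''` distinction is flagged as "important" without saying why; add one sentence on the consequence for a hardening key such as `CapabilityBoundingSet` (key omitted versus key emitted empty) so a reader knows which value to pick.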