cronekorkn/left4me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

spec(hardening-refactor): resolve emitter open items

Browse source 
Verified during plan execution that the ckn-bw systemd-bundle emitter
handles tuples and empty values as expected. SocketBindAllow port
range hard-coded since systemd directive variable substitution is not
universal.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
mwiegand 2026-05-15 14:39:11 +02:00
parent b1293f9952
commit 7c64910c90
No known key found for this signature in database
1 changed files with 18 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
docs/superpowers/specs/2026-05-15-hardening-refactor-design.md
View file

@ -202,13 +202,25 @@ reference unit points readers at the reactor.
scope. scope.
- **Pushing the branch** — operator decides when. - **Pushing the branch** — operator decides when.
## Open items resolved in implementation, not design ## Implementation notes (resolved during plan execution)
- Does the systemd-bundle emitter handle `('a', 'b')` tuples as - The ckn-bw systemd-bundle emitter renders Python tuples as repeated
repeated `Key=` lines, and `''` as `Key=` empty value? Verify as the `Key=Value` lines and renders empty strings as `Key=` with no value.
first step of the plan; fallback strategies if not. Both behaviors confirmed by reading the Mako template in
- `SocketBindAllow=` value: hard-coded range vs. variable `libs/systemd.py:17-23`. Tuple branch: `isinstance(value,
substitution. Determined during emitter verification. (list, set, tuple))` iterates and emits `${option}=${item}` per
element, preserving insertion order (sets are sorted; lists and
tuples are not). Empty-string branch: falls through to `else:
${option}=${str(value)}`, which emits `Key=` with nothing after `=`.
`None` suppresses the key entirely (distinct from empty string —
important). The `protection()` helper at `libs/systemd.py:94` already
uses `'CapabilityBoundingSet': ''` as a live in-repo example. Tuple
precedent in the left4me bundle: `EnvironmentFile` at
`bundles/left4me/metadata.py:201-204`. Verified 2026-05-15.
- `SocketBindAllow=` value: hard-coded port range `27000-27999` for
both `udp:` and `tcp:` lines (matches the `LEFT4ME_PORT_RANGE_*`
metadata values). Variable substitution in systemd directives is not
universally supported; hard-coded range avoids the hazard.
## Pointers ## Pointers