left4me/docs/superpowers/specs/2026-05-15-session-handoff.md

# Session handoff — hardening refactor landed

The hardening refactor planned at
`docs/superpowers/plans/2026-05-15-hardening-refactor.md` is deployed
to `left4.me` and verified. This session executed all 12 tasks
subagent-driven; no follow-up implementation work is queued.

## What landed

**left4me commits** (this session, in order; all on `master`, pushed):
- `7c64910` — `spec(hardening-refactor): resolve emitter open items`
  (verified ckn-bw systemd-bundle emitter handles tuples + empty values)
- `8e678b6` — `deploy/files: annotate reference units with per-directive hardening comments`
- `37309ba` — `spec(hardening-test-plan): fix four bugs surfaced by executor`
- `f615d0d` — `spec(user-uid-split): mark superseded by the hardening refactor`

**ckn-bw commits** (this session, in order; all on `master`, pushed):
- `85b9af0` — `bundles/left4me: add HARDENING_{COMMON,SERVER,WEB} constants`
- `640461c` — `bundles/left4me: spread HARDENING_SERVER into left4me-server@.service`
- `c6721e7` — `bundles/left4me: spread HARDENING_WEB into left4me-web.service`
- `130b0b1` — `bundles/left4me: ship kernel.yama.ptrace_scope=2 sysctl drop-in`

**Deploy:** `bw apply ovh.left4me` ran clean in 10 s (194 OK, 4 fixed,
0 failed). `left4me-web.service` restarted automatically by `bw`;
`left4me-server@1` and `@2` restarted manually post-apply.

## What's live on `left4.me`

| Unit | systemd-analyze score | State |
|---|---|---|
| `left4me-server@1.service` | **1.3 OK** (was 7.5 baseline) | active since 13:13:39 UTC |
| `left4me-server@2.service` | 1.3 OK | active since 13:14:40 UTC |
| `left4me-web.service` | **4.1 OK** (was 8.7 baseline) | active since 13:01:06 UTC |

Sysctl: `kernel.yama.ptrace_scope = 2` (managed by ckn-bw bundle now,
not hand-applied).

Composition matches Test 7 of the test plan with two amendments
(`SystemCallArchitectures=native x86`, `PrivatePIDs=true`) and one
addition (`SocketBindAllow=udp:27000-27999 tcp:27000-27999`).
`MemoryDenyWriteExecute=true` permanently excluded.

## Attack vectors blocked (Test 8 subset rerun post-deploy)

- **D1.a — srcds reads DB**: `cat /var/lib/left4me/left4me.db` from
  inside the unit's mount namespace → `No such file or directory`
- **D1.b — srcds reads web.env**: `cat /etc/left4me/web.env` →
  `No such file or directory`
- **D1.c — srcds sees /opt**: empty listing
- **D2.b — srcds sees gunicorn PID via /proc**: `cannot access /proc/<pid>`
  (PrivatePIDs in effect; PID doesn't exist in the namespace)
- **D5 — cross-instance ptrace**: `cannot access /proc/<peer-srcds-pid>`
  (cross-instance PID isolation)
- **Syscall filter compiled correctly**: `ptrace` and `process_vm_*`
  not in the compiled allow list (verified via
  `systemd-analyze syscall-filter`)

## Known acceptable noise

- **One SECCOMP audit line per gameserver restart** (`type=1326`,
  i386 syscall 26 = `ptrace`, sig=31 SIGSYS, code=0x80000000
  SECCOMP_RET_KILL_PROCESS). Source: srcds's Breakpad crash-reporter
  init forks a child that attempts `ptrace`; we block it by design.
  The child gets killed; the main srcds process is unaffected. Net
  effect: Valve doesn't get crash minidumps from this host.
  Acceptable trade-off given the threat model. If the audit-log noise
  becomes a problem, switch the SECCOMP filter's action from
  `KILL_PROCESS` to `EPERM` via `SystemCallErrorNumber=EPERM` (would
  let breakpad fail cleanly instead of getting killed; same security
  outcome).

## Host cleanup done

`gdb`, `libseccomp-dev`, `seccomp` removed via `apt remove --purge`.
Test tooling was installed during the test-plan execution session
(commit `461b8d0`); not needed in steady state. ~13 MB freed.

## What's next

No queued follow-up from this work. Adjacent open work:

- **`build-overlay-unit` refactor**
  (`docs/superpowers/specs/2026-05-15-build-overlay-unit-design.md`).
  Will reuse `HARDENING_COMMON` (or a sandbox-class variant) when it
  lands. Sequenced after this; not blocked.
- **Broader configmgmt-responsibility reshape** — hardening as drop-in
  files living in left4me with ckn-bw as a thin file-shipper. Real
  direction, deliberately deferred to a dedicated session in this
  refactor's design doc.
- **Stale RCON port app bug** flagged in the prior executor's handoff.
  Not a hardening issue; separate scope.

## Open items the operator should sanity-check manually

I executed everything programmatically that I could. The following
need an eyeballed check via the web UI from your laptop:

1. Login to the web UI; confirm session works (would catch a SECRET_KEY
   regression or session-cookie issue).
2. Start/stop a server from the UI (exercises the sudo path on the web
   unit; if the SystemCallFilter or any other web hardening broke
   sudo, this would fail).
3. View live logs for a server (uses `sudo left4me-journalctl`).
4. Trigger an overlay rebuild for a script overlay (exercises the
   sandbox; unchanged by this refactor, but a smoke against the
   full chain).

If any of those break, the most likely cause is the web unit's
`SystemCallFilter`. Drop-in override at
`/etc/systemd/system/left4me-web.service.d/00-debug.conf` with
`SystemCallLog=...` instead of `SystemCallFilter` to identify the
offending syscall, then narrow the filter.

## Pointers

- Threat model: `docs/superpowers/specs/2026-05-15-hardening-threat-model.md`
- Defenses survey: `docs/superpowers/specs/2026-05-15-hardening-defenses-survey.md`
- Test plan (with executor results + this session's bug fixes):
  `docs/superpowers/specs/2026-05-15-hardening-test-plan.md`
- Design doc: `docs/superpowers/specs/2026-05-15-hardening-refactor-design.md`
- Implementation plan: `docs/superpowers/plans/2026-05-15-hardening-refactor.md`
- uid-split spec (marked superseded): `docs/superpowers/specs/2026-05-15-user-uid-split-design.md`
- Live unit emission: `~/Projekte/ckn-bw/bundles/left4me/metadata.py`
  (`HARDENING_COMMON` etc. near top; spreads at the
  `left4me-server@.service` and `left4me-web.service` entries)
- Reference units (annotated): `deploy/files/usr/local/lib/systemd/system/`