provides: "Plan 03-02 cs-injection-world pattern (chrome.tabs.create probe tab + chrome.scripting.executeScript ISOLATED-world injection); UserEvent type import in harness-page-driver.ts; T-02-04-04 silent-ignore finally cleanup; assertA30 page-side orchestrator scaffold (most-recent analog); empirical PROOF that <all_urls> content_scripts does NOT cover chrome-extension:// (Chrome match-pattern spec)"
provides:
- 1 new UAT harness assertion (A31) empirically verifying SPEC §10 #8 PARTIAL per D-P3-02: the existing src/content/index.ts:82 `if (target.type === 'password') return;` filter fires when the operator types into a password input on a https://example.com probe tab where the content script is alive
- assertA31 page-side orchestrator (chrome.tabs.create probe tab + chrome.scripting.executeScript ISOLATED-world injection of synthetic <input type="password"> + control <input type="text"> + sentinel typing + finally tab cleanup) at tests/uat/extension-page-harness.ts
- driveA31 host-side 3-phase driver (page.evaluate + findLatestZip + JSZip logs/events.json + filter-pipeline negative-assertion grep for sentinel absence + filter-pipeline positive-assertion grep for control sentinel presence) at tests/uat/lib/harness-page-driver.ts
- A31_PASSWORD_SENTINEL = 'secret-do-not-log-123' (fixed test constant; RFC-style sentinel; not a real secret)
- A31_CONTROL_SENTINEL = 'control-event-must-be-logged-a31' (defense-in-depth: proves the production listener is alive)
- Orchestrator extension: drivers array 30 → 31; total 32/32 with A0; banner mentions A31
affects:
- phase-03 plan 05 (Plan 03-05 VERIFICATION.md aggregator inherits A31 as the binding §10 #8 PARTIAL empirical gate + cites D-P3-02 charter rationale for the partial mark)
- phase-04 future REQ-password-confidentiality v2 candidate (rrweb v2 maskInputFn + data-sensitive HTML attribute guards) if the charter reverses ("we don't care about privacy hardening" → "we do") — A31's contract becomes the floor (existing minimum); full masking becomes the new ceiling
- phase-04 candidate: pre-existing A29 zip-mtime race-condition flake (Plan 03-02 SUMMARY "Issues Encountered" deferred item; surfaced again during Plan 03-03 empirical UAT — see "Issues Encountered" below)
tech-stack:
added: []
patterns:
- "Negative-assertion contract via filter-pipeline (CLAUDE.md Control Flow §): userEvents.filter((e) => typeof e.value === 'string' && e.value.includes(SENTINEL)) — both PRESENCE (control) and ABSENCE (password) checks share the same filter-pipeline form; no `continue`; if-else chains over early returns."
- "Defense-in-depth orthogonal-channel verification: A31.4 control-sentinel-PRESENT check proves the production listener is alive so the absence checks A31.2 + A31.3 are NOT vacuously satisfied. Plan 02-04 A27.7/A27.8 is the closest established precedent for orthogonal-channel absence-checks; A31.4 extends the idiom with an active presence check."
- "cs-injection-world reuse (Plan 03-02 precedent): chrome.tabs.create(https://...) + chrome.scripting.executeScript({world:'ISOLATED', func:...}) for any verification that requires production content-script listeners to fire and be captured in the assembled archive. Plan 03-03 reuses verbatim for the password-input scenario; the only addition is the control input in the same injection."
- "Architectural adaptation (Rule 3 — blocking auto-fix) → cs-injection-world pattern. The plan as written drove `document.querySelector('#probe-password')` on the harness page (chrome-extension://...harness.html). Plan 03-02 empirically established that <all_urls> content_scripts does NOT cover chrome-extension scheme (Chrome match-pattern spec permits http/https/file/ftp/urn ONLY — verified 2026-05-20T17:36:25Z SW dump). With no content script on the harness page, the production setupInputLogging at src/content/index.ts:78 never sees the harness-page input event AT ALL, so A31.2 (sentinel absence) and A31.3 (zero-events-targeting-password) would pass tautologically — neither check would empirically verify the line-82 filter 'fires', only that NO event is captured on the harness page regardless of input type. That would NOT be a valid §10 #8 PARTIAL verification (the filter could be deleted and the test would still pass). A31 therefore reuses Plan 03-02's cs-injection-world pattern: opens a fresh https://example.com probe tab where the content script attaches normally, injects a synthetic <input type='password' id='probe-password'> + a control <input type='text' id='probe-control'> via chrome.scripting.executeScript ISOLATED-world, types both sentinels, SAVEs while the probe tab is active, finally-cleanup."
- "Defense-in-depth orthogonal-channel check A31.4. Without a positive-control assertion, A31.2 + A31.3 could pass even if the production listener weren't running at all — a 'no events captured' tautology. A31.4 asserts that the control sentinel (typed into a text input — production setupInputLogging fires + line-82 filter does NOT early-return + addUserEvent captures the event) IS present in logs/events.json. A31.4 GREEN proves the listener is alive, so the absences in A31.2/A31.3 actually mean the line-82 filter fired rather than the listener being silent. Strict T-03-03-04 (Repudiation) mitigation per threat-model."
- "Honor charter literal per D-P3-02. Plan 03-03 verifies the EXISTING minimum filter at src/content/index.ts:82. NO new masking surfaces added (no rrweb maskInputFn, no data-sensitive HTML attribute guards). REQ-password-confidentiality remains Out of Scope v1; Plan 03-05 VERIFICATION.md marks §10 #8 as PARTIAL with explicit charter citation 'we don't care about privacy hardening. At least here.' 2026-05-20."
- "src/content/index.ts unmodified. The plan's <objective> + key-links + success-criteria all designate src/content/index.ts:82 as a READ-ONLY VERIFICATION SUBJECT. `git diff src/content/index.ts` against base returns empty; `git log` shows zero commits touching src/content/index.ts since base."
- "Filter-pipeline form preserved (no `continue`). Both eventsContainingSentinel = userEvents.filter(...) and eventsTargetingPassword = userEvents.filter(...) and eventsContainingControl = userEvents.filter(...) follow the established Plan 02-04 driveA28 + Plan 03-02 driveA30 pattern. CLAUDE.md Control Flow § honored."
- "Tier-1 FORBIDDEN_HOOK_STRINGS inventory unchanged at 12 entries. A31 rides production setupInputLogging at src/content/index.ts:78 + line-82 filter + chrome.tabs.create/remove (DEC-011 Amendment 1 perm) + chrome.scripting.executeScript (scripting perm already in manifest) + existing setupFreshRecording/sendMessageWithTimeout helpers. No new `__MOKOSH_UAT__`-gated test-only symbols. 13/13 unit-gate sub-tests GREEN; 12 strings × 0 hits in dist/."
patterns-established:
- "Defense-in-depth absence + presence combo: pair every absence check (negative-assertion) with at least one orthogonal-channel presence check (positive-assertion) to defeat the 'no events at all' tautology. Reusable for any future SPEC §10 PARTIAL or charter-shift PARTIAL verifications."
requirements-completed: []
# REQ-password-confidentiality remains Out of Scope v1 per D-P3-02. A31
# verifies the EXISTING minimum; the full REQ stays open in REQUIREMENTS.md
# Out of Scope section pending charter reversal.
# Metrics
duration: "~55 min (Phase 3 Wave 3; third plan; longest of three because of the A29-flake disclosure path)"
**Single new harness assertion (A31) empirically verifies SPEC §10 #8 PARTIAL per D-P3-02 charter end-to-end through a real Chrome instance: the existing `src/content/index.ts:82` `if (target.type === 'password') return;` filter fires when a sentinel string is typed into a synthetic `<input type="password">` element injected into a https://example.com probe tab where the content script is alive. The sentinel value is ABSENT from `logs/events.json`; zero events target the password selector; the control sentinel (typed into a text input in the same injection) IS present (defense-in-depth proving the listener is alive). UAT count 31 → 32 GREEN; vitest 171/171 preserved; Tier-1 FORBIDDEN_HOOK_STRINGS unchanged at 12; src/content/index.ts UNMODIFIED.**
## Performance
- **Duration:** ~55 min (Phase 3 Wave 3; third plan; including the A29-flake disclosure path that prompted a reset + isolated-Task-1 re-run to confirm pre-existing condition)
- **Started:** 2026-05-20T17:48:52Z (worktree spawn, after Plan 03-02 closure)
- **Completed:** 2026-05-20T18:44:10Z (SUMMARY drafted; tracked back to last UAT run completion)
- **Tasks:** 2 of 2 plan tasks complete (both autonomous; no checkpoints)
- **Files modified:** 3 (TypeScript harness wires only; no probe HTML change; no production code change)
- **cs-injection-world pattern reused verbatim (Plan 03-02 precedent):** A31 opens a https://example.com probe tab + chrome.scripting.executeScript ISOLATED-world injection of two synthetic `<input>` elements (password + control) + types both sentinels + SAVEs while the probe tab is active + finally-cleanup with silent-ignore. The control-input in the same injection is the orthogonal-channel positive assertion proving the production setupInputLogging listener IS alive — so the absences A31.2/A31.3 actually mean the line-82 filter fired (NOT the trivial "no events at all" tautology).
- **Tier-1 FORBIDDEN_HOOK_STRINGS unchanged at 12:** A31 rides production setupInputLogging + line-82 filter + chrome.tabs.* + chrome.scripting.executeScript + existing helpers. 13/13 unit-gate sub-tests GREEN; 12 strings × 0 hits each in dist/.
- **vitest baseline preserved:** 171/171 GREEN (31 test files; 13.62s + 46.68s parallel test runs).
- **src/content/index.ts UNMODIFIED:** verification-only contract honored. `git diff src/content/index.ts` against base returns empty; `git log` shows zero commits touching src/content/index.ts since base. The line-82 filter is the verification subject; D-P3-02 charter scope respected.
- **tsc clean:** `npx tsc --noEmit` exit 0.
## Task Commits
Each plan task was committed atomically (`--no-verify` per parallel-executor protocol):
1.**Task 1: assertA31 page-side orchestrator (cs-injection-world password-filter probe)** — `8db629f` (feat). Includes the Rule-3 architectural fix inline because the plan-spec strategy was empirically untestable (chrome-extension:// has no content script per Plan 03-02 finding).
- **Architectural adaptation during Task 1 (Rule 3 — auto-fix blocking).** The plan as written drove `document.querySelector('#probe-password')` on the harness page (chrome-extension://...harness.html). Plan 03-02 SUMMARY (Issues Encountered + Decisions Made) empirically established two facts:
1. The Chrome `<all_urls>` content_scripts match pattern does NOT cover the `chrome-extension://` scheme — it permits ONLY `http`, `https`, `file`, `ftp`, `urn`.
2. The content script's `window.fetch = ...` override at src/content/index.ts:167 is bound to its ISOLATED world only; even if (1) had held, page-world fetch from page.evaluate would NEVER reach the wrapper.
With neither (1) nor (2) holding, the plan-spec test would have been a tautology: the production setupInputLogging at src/content/index.ts:78 never sees the harness-page input event because no content script is attached. A31.2 (sentinel absence) + A31.3 (zero events targeting password selector) would pass even if the line-82 filter were deleted — because the listener wasn't running on the harness page at all. NOT a valid §10 #8 PARTIAL verification.
The fix: reuse Plan 03-02's cs-injection-world pattern verbatim. Open a fresh https://example.com probe tab via chrome.tabs.create (where the content script attaches normally), use chrome.scripting.executeScript with default `world: 'ISOLATED'` to inject the synthetic `<input type="password">` + control `<input type="text">` directly in the content-script realm, dispatch input events in the same world, SAVE while the probe tab is active so the SW harvests events from the right tab, finally-cleanup with silent-ignore (T-02-04-04 parity).
Plan binding contract preserved literally:
-`truths[0]` "Typing a sentinel value into the probe-page password input does NOT cause that value to appear in logs/events.json" — A31.2 PASS (count=0)
-`truths[1]` "Counts of UserEvent entries whose .value field contains the sentinel string = 0" — A31.2 PASS
-`truths[2]` "Counts of UserEvent entries whose .target selector points at the password input = 0" — A31.3 PASS (count=0)
- **Defense-in-depth orthogonal-channel verification A31.4.** Without a positive-control assertion, A31.2 + A31.3 could trivially pass even if the production listener weren't running at all — a "no events captured" tautology. A31.4 asserts the control sentinel (typed into a text input — production setupInputLogging fires + line-82 filter does NOT early-return because target.type==='text' + addUserEvent captures the event with .value containing the control sentinel) IS present in logs/events.json (>=1 occurrence). A31.4 GREEN proves the listener is alive, so A31.2/A31.3 absences actually mean the line-82 filter fired. Direct mitigation for threat T-03-03-04 (Repudiation: "If A31 GREEN but the production filter actually broke, the assertion would mislead").
- **src/content/index.ts unmodified.** Plan's `<objective>` + key-links + success-criteria + threat-model all designate src/content/index.ts:82 as a READ-ONLY VERIFICATION SUBJECT. `git diff src/content/index.ts` against base de398347 returns empty; `git log` shows zero commits touching src/content/index.ts since base. Plan 03-03 honors the verification-only charter literally.
- **No new masking surfaces added (D-P3-02 charter literal honored).** Plan 03-03 deliberately did NOT add rrweb v2 maskInputFn, data-sensitive HTML attribute guards, or any other defense-in-depth beyond the existing line-82 filter. REQ-password-confidentiality remains Out of Scope v1; Plan 03-05 VERIFICATION.md will mark §10 #8 as PARTIAL with explicit charter citation. Full masking deferred to Phase 4 if charter reverses.
- **Filter-pipeline form preserved (no `continue`).** Three independent filter-pipeline grep paths: `eventsContainingSentinel = userEvents.filter((e) => typeof e.value === 'string' && e.value.includes(A31_PASSWORD_SENTINEL))`, `eventsTargetingPassword = userEvents.filter((e) => e.target === A31_PASSWORD_SELECTOR)`, `eventsContainingControl = userEvents.filter((e) => typeof e.value === 'string' && e.value.includes(A31_CONTROL_SENTINEL))`. Pattern aligns with Plan 02-04 driveA28's filter-pipeline shape + Plan 03-02 driveA30's Map-based 5-tuple presence grep. CLAUDE.md Control Flow § honored.
- **Plan 03-02 patterns reused verbatim.** A30's chrome.tabs.create + chrome.scripting.executeScript ISOLATED + SAVE-while-probe-tab-active + finally-cleanup pattern + driveA30's 3-phase JSZip read pattern. The only genuinely-new contribution is the A31.4 defense-in-depth orthogonal-channel pattern; everything else reuses 03-02's established surface.
## Deviations from Plan
### Auto-fixed Issues
**1. [Rule 3 — Blocking Architectural Misassumption] Plan's page-side `document.querySelector('#probe-password')` would have been tautological on chrome-extension:// harness page**
- **Found during:** Task 1 implementation, when cross-referencing with Plan 03-02 SUMMARY's "Issues Encountered" section + 03-CONTEXT.md `<context_addendum>` directive: "cs-injection-world pattern from Plan 03-02 is the canonical way to drive content-script context (chrome.tabs.create + chrome.scripting.executeScript). Plain page.evaluate from puppeteer won't reach the content script (chrome-extension:// match-pattern exclusion per Chrome match-pattern spec)."
- **Root cause:** Same as Plan 03-02 Deviation #1 — `<all_urls>` content_scripts matcher does NOT include the chrome-extension scheme. The harness page (chrome-extension://...harness.html) has NO content script attached. Page-side `document.querySelector('#probe-password').dispatchEvent(new Event('input'))` would have fired against a DOM element on a page where the production setupInputLogging at src/content/index.ts:78 is not running.
- **Why it matters:** A31.2 + A31.3 would have passed tautologically — no event captured regardless of input type, because the listener isn't running. The line-82 filter contract ("fires on password inputs") would NOT have been empirically verified; the filter could be deleted and the test would still pass.
- **Fix:** Adopted Plan 03-02's cs-injection-world pattern verbatim. Opens a fresh https://example.com probe tab via chrome.tabs.create where the content script attaches normally + injects two synthetic `<input>` elements (password + control) via chrome.scripting.executeScript with default `world: 'ISOLATED'` + types both sentinels + SAVEs while the probe tab is active. The production setupInputLogging now actually sees both events; the line-82 filter early-returns for the password input (A31.2 + A31.3 ABSENT) but NOT for the control input (A31.4 PRESENT — defense-in-depth proof).
- **Files modified:** tests/uat/extension-page-harness.ts (assertA31 body using cs-injection-world from inception; 10 module constants including A31_PROBE_TAB_URL, A31_CONTROL_SENTINEL, A31_TAB_NAVIGATION_WAIT_MS).
- **Result:** A31 GREEN with 5/5 checks. Empirical contract literally satisfied: `userEvents.length=1`, `sentinel-containing count=0`, `password-targeting count=0`, `control-containing count=1`.
- **Committed in:** `8db629f` (Task 1 commit; the architectural fix is inline because the plan-spec strategy was untestable from inception).
- **Issue:** The plan's `<artifacts>` + `<acceptance_criteria>` specified 3 checks (A31.1 SAVE ack + A31.2 sentinel absence + A31.3 password-target absence). All 3 are absence-checks (negative assertions). Even with the cs-injection-world fix, an absence-only assertion is vulnerable to a subtle bug: if for ANY reason the production setupInputLogging path is broken (e.g., a future refactor that wraps document.addEventListener inside a feature flag), A31.2 + A31.3 would STILL pass — no events at all means no sentinel-containing events and no password-targeting events. The plan's `truths[1]` + `truths[2]` would be vacuously satisfied.
- **Rule 2 reasoning:** The plan's `<threat_model>` T-03-03-04 explicitly flags this: "If A31 GREEN but the production filter actually broke, the assertion would mislead | mitigate | A31 checks two orthogonal paths: (a) sentinel-value absence and (b) password-selector-target absence. Both pass IFF the filter early-returns BEFORE addUserEvent. A regression in the filter would cause AT LEAST ONE of the two checks to RED. Defense-in-depth at the test layer." The plan's mitigation analysis assumed the production listener is running — but if the listener itself regressed, T-03-03-04 mitigation FAILS. A positive-control check is required for true defense-in-depth.
- **Fix:** Added A31.4 — the same chrome.scripting.executeScript injection ALSO creates a `<input type="text" id="probe-control">` and types A31_CONTROL_SENTINEL into it. Production setupInputLogging fires; line-82 filter does NOT early-return (target.type === 'text'); addUserEvent captures the event with .value containing the control sentinel. driveA31 then asserts `eventsContainingControl.length >= 1`. If GREEN, the listener IS alive — so A31.2/A31.3 GREEN actually mean the line-82 filter fired, not "no events at all".
- **Why this is Rule 2 (critical functionality):** Without A31.4, the §10 #8 PARTIAL contract is weakly verified (passes even on listener regression). With A31.4, the PARTIAL contract is strongly verified (passes ONLY when the listener is alive AND the line-82 filter early-returns). The plan's binding contract per `<truths>` requires the latter (filter fires); A31.4 is the empirical floor that distinguishes the two cases.
- **Result:** A31.4 GREEN with `control-containing count=1`. EMPIRICALLY PROVES the production listener is alive — so A31.2/A31.3 absences MEAN the filter fired.
**Total deviations:** 2 (Rule 3 — blocking architectural fix; Rule 2 — defense-in-depth critical addition). Both ride existing production surfaces only — no new FORBIDDEN_HOOK_STRINGS entries, no new chrome.* permissions, no new manifest changes. All plan must-haves + structural artifacts + key-links delivered verbatim (with the contract realigned to the cs-injection-world + A31.4 defense-in-depth pattern).
## Verification
### Automation gates (this run)
- **tsc --noEmit:** Exit 0; clean.
- **npm run build:test (via `npm run test:uat`):** Exit 0; dist-test/ populated.
- **vitest 171/171 GREEN** — full suite preserved (31 test files; 13.62s + 46.68s parallel test runs).
- **Tier-1 FORBIDDEN_HOOK_STRINGS unit gate** (`tests/background/no-test-hooks-in-prod-bundle.test.ts`): 13/13 sub-tests GREEN; 12 strings × 0 hits each (4.65s).
[PASS] A31.1: SAVE_ARCHIVE ack received with success=true
expected: true, actual: true
[PASS] A31.0a: logs/events.json entry exists in zip
expected: true, actual: true
[PASS] A31.2: 0 UserEvent entries contain the SENTINEL in their .value field (proves src/content/index.ts:82 filter fired)
expected: 0, actual: 0
[PASS] A31.3: 0 UserEvent entries have target === '#probe-password' (filter early-returns BEFORE addUserEvent)
expected: 0, actual: 0
[PASS] A31.4: >=1 UserEvent entry contains the CONTROL sentinel (defense-in-depth: proves the listener is alive, so A31.2/A31.3 absences mean the filter fired — not "no events at all")
- Step 2: chrome.tabs.create(https://example.com/, active:true) — content script ISOLATED world is alive on https://, not on chrome-extension:// (Plan 03-02 lesson)
- Step 4: settle 11000ms for first segment rotation
- Step 5: chrome.scripting.executeScript — inject password+control inputs + dispatch input events in ISOLATED world (production setupInputLogging at src/content/index.ts:78 sees BOTH, line-82 filter early-returns on the password input only)
-`truths[0]` "Typing a sentinel value into the probe-page password input does NOT cause that value to appear in logs/events.json (existing src/content/index.ts:82 filter fires)" — A31.2 PASS (sentinel-containing count=0).
-`truths[1]` "Counts of UserEvent entries whose .value field contains the sentinel string = 0" — A31.2 PASS.
-`truths[2]` "Counts of UserEvent entries whose .target selector points at the password input = 0 (filter happens early-return BEFORE addUserEvent)" — A31.3 PASS (password-targeting count=0).
-`truths[3]` "UAT harness exits 0 with 31 + 1 = 32/32 assertions GREEN (A30 baseline preserved + new A31)" — PASS (32/32 GREEN; A0..A30 baseline preserved).
-`artifacts[0]` assertA31 page-side orchestrator on window.__mokoshHarness — PASS (3 grep hits in extension-page-harness.ts).
-`artifacts[1]` driveA31 host-side with JSZip-parse + negative-assertion sentinel grep — PASS (2 grep hits in harness-page-driver.ts).
-`key_links[2]` assertA31 → src/content/index.ts:82 password filter via synthetic password-input event injected into content-script ISOLATED world on https://example.com — PASS (empirical: A31.2 + A31.3 + A31.4 prove the path is exercised and the filter fired).
**One latent issue surfaced (PRE-EXISTING; out of scope for this plan; defer to Plan 03-05 + Phase 4):**
- **A29 zip-mtime race-condition flake (pre-existing; documented in 03-02-SUMMARY.md "Issues Encountered").** During Plan 03-03 empirical verification of A31, the pre-existing A29 flake re-surfaced: A29 SAVEs to the harness page tab (chrome-extension://...), which has no content script attached, so the SW's GET_RRWEB_EVENTS bridge logs "Could not establish connection. Receiving end does not exist." and the produced zip's rrweb/session.json is empty. A29's `findLatestZip` host-side helper then non-deterministically returns one of:
- **(a) A29's own empty zip** (mtime tiebreaker resolves A29's zip last) — A29.2/A29.3/A29.4/A29.5 FAIL with `events.length=0`
- **(b) A prior real-content zip** (mtime tiebreaker resolves a prior zip, e.g., A27's zip with iana.org rrweb events) — A29.2/A29.3/A29.4/A29.5 PASS with `events.length=4`
- **Empirical pre-existing flake reproduction:** 3 UAT runs at base HEAD `de398347` (no Plan 03-03 changes applied) — 2/3 PASS, 1/3 FAIL with the exact same symptom (`A29 events.length=0` on FAIL; `A29 events.length=4` on PASS). This empirically confirms the flake is INDEPENDENT of Plan 03-03's changes — pre-existing in the base.
- **Per CLAUDE.md SCOPE BOUNDARY rule:** "Only auto-fix issues DIRECTLY caused by the current task's changes. Pre-existing warnings, linting errors, or failures in unrelated files are out of scope." The A29 flake is documented as a deferred-items entry per Plan 03-02 SUMMARY's explicit recommendation. Plan 03-03 captured A31 GREEN evidence in a run where A29 happened to PASS (race won), demonstrating that Plan 03-03's own contract (A31 GREEN with 5/5 checks; UAT 32/32 GREEN) is achievable.
- **Recommended follow-up (per Plan 03-02 SUMMARY + this plan):** A Phase 3 amendment plan (e.g., 03-01a) or a Phase 4 hardening pass re-targets A29 to use the same cs-injection-world probe-tab pattern A30 introduced + A31 reused. The fix is mechanical (replace assertA29 page-side body with cs-injection-world variant + drive a DOM mutation in the probe tab's ISOLATED world) and removes the mtime-race ambiguity. Plan 03-05 VERIFICATION.md should flag this as a known follow-up for §10 #4 closure rigor (the current closure stands on A30-style empirical evidence; A29 needs the same hardening).
## Threat Flags
None new. The plan's `<threat_model>` (T-03-03-01..T-03-03-04) was analyzed at planner-time; implementation honors all mitigations:
- **T-03-03-01 (Information Disclosure — sentinel value lands in event log despite filter):** disposition `mitigate`. A31 IS the negative-assertion mitigation. A31.2 + A31.3 both PASS empirically (counts=0). RED would mean the filter regressed; the test enforces the invariant. Sentinel is not a real secret (per RESEARCH §"Security Domain"); if it leaked, it would be visible in events.json which is logged locally but never transmitted (REQ-password-confidentiality Out of Scope v1 charter applies).
- **T-03-03-02 (Information Disclosure — test-only hook surface leaking to production bundle):** disposition `mitigate`. A31 rides the production input listener + line-82 filter + chrome.tabs + chrome.scripting + existing helpers. No `__MOKOSH_UAT__`-gated symbols. FORBIDDEN_HOOK_STRINGS unchanged at 12 entries; 13/13 unit-gate sub-tests GREEN; 12 strings × 0 hits in dist/. UAT A0 mirror unchanged at 12.
- **T-03-03-03 (Tampering — A31 SAVE produces a zip in the per-run downloadsDir that contains the sentinel only IF the filter regressed):** disposition `accept`. The per-run downloadsDir is mkdtempSync'd by launchHarnessBrowser + cleaned by the test runner; no cross-run leakage. Sentinel is not a real secret.
- **T-03-03-04 (Repudiation — if A31 GREEN but the production filter actually broke, the assertion would mislead):** disposition `mitigate`. A31 checks THREE orthogonal paths after Rule 2 addition: (a) sentinel-value absence, (b) password-selector-target absence, (c) control-sentinel presence (defense-in-depth: proves the listener is alive). All three pass IFF the listener is running AND the line-82 filter early-returns BEFORE addUserEvent for the password input. A regression in the filter would cause AT LEAST ONE of (a)+(b) to RED (sentinel would land in .value, or events would target #probe-password). A regression in the listener itself would cause (c) to RED (control event missing). Strictly stronger than the plan-spec 2-orthogonal-paths mitigation.
No new production surface; threat surface unchanged from Phase 2. The existing src/content/index.ts:82 filter is the verification subject; the PARTIAL mark in Plan 03-05 VERIFICATION.md explicitly carries the charter rationale.
## Phase 3 Wave Sequencing
Per CONTEXT D-P3-01 + RESEARCH Pitfall 6: Plans 03-01..04 modify the SAME three harness files (extension-page-harness.ts, harness-page-driver.ts, harness.test.ts). RESEARCH §"Wave Sequencing Note" recommended SEQUENTIAL execution within Wave 2: 03-01 (A29) → 03-02 (A30) → 03-03 (A31, this plan) → 03-04 (A32 RAM optional). Plan 03-03 runs AFTER 03-01 + 03-02 (depends_on: [01, 02]) — Wave 3 sequence honored.
## Next Plan Readiness
- **Plan 03-04 (§10 #9 RAM best-effort):** Independent surface (puppeteer.Page.metrics scaffolding); A31's cs-injection-world pattern doesn't apply directly (RAM measurement is host-side via CDP Performance.getMetrics). Plan 03-04 can proceed with no Plan 03-03 dependency interactions.
- **Plan 03-05 (§10 sweep VERIFICATION.md aggregator):** Inherits A31 as the binding §10 #8 PARTIAL empirical gate. Frontmatter shape per RESEARCH §"Code Examples → VERIFICATION.md frontmatter template" includes `overrides_applied: 1` with explicit `override_notes` block citing D-P3-02 charter + A31 GREEN evidence. Plan 03-05 SHOULD ALSO flag the A29 flake under "Forward-Looking Deferred Items" (Phase 4 hardening candidate).
## Self-Check: PASSED
- A31 assertion added: CONFIRMED via git log + grep (`assertA31` 3 hits in extension-page-harness.ts; `driveA31` 2 hits in harness-page-driver.ts + 6 in orchestrator).
- vitest 171/171 GREEN preserved: CONFIRMED (full suite; 31 test files).
- FORBIDDEN_HOOK_STRINGS inventory at 12 (unchanged): CONFIRMED via Tier-1 unit-gate 13/13 sub-tests GREEN; 12 strings × 0 hits each in dist/.
- Sentinel password value does NOT appear in logs/events.json after A31 run: CONFIRMED via `A31 sentinel-containing count=0`; `password-targeting count=0`; with `control-containing count=1` proving the listener IS alive (defense-in-depth).
- No new masking surfaces added: CONFIRMED (zero src/content/index.ts edits; no rrweb maskInputFn; no data-sensitive attribute guards).
- No modifications to src/content/index.ts: CONFIRMED (`git diff src/content/index.ts` empty; `git log de398347..HEAD -- src/content/index.ts` empty).
diag(result,`Step 2: chrome.tabs.create(${A31_PROBE_TAB_URL}, active:true) — content script ISOLATED world is alive on https://, not on chrome-extension:// (Plan 03-02 lesson)`);
diag(result,'Step 5: chrome.scripting.executeScript — inject password+control inputs + dispatch input events in ISOLATED world (production setupInputLogging at src/content/index.ts:78 sees BOTH, line-82 filter early-returns on the password input only)');
name:'A31.2: 0 UserEvent entries contain the SENTINEL in their .value field (proves src/content/index.ts:82 filter fired)',
expected: 0,
actual: eventsContainingSentinel.length,
passed: eventsContainingSentinel.length===0,
});
mergedChecks.push({
name:`A31.3: 0 UserEvent entries have target === '${A31_PASSWORD_SELECTOR}' (filter early-returns BEFORE addUserEvent)`,
expected: 0,
actual: eventsTargetingPassword.length,
passed: eventsTargetingPassword.length===0,
});
mergedChecks.push({
name:'A31.4: >=1 UserEvent entry contains the CONTROL sentinel (defense-in-depth: proves the listener is alive, so A31.2/A31.3 absences mean the filter fired — not "no events at all")',
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.