Problem
#6665 restores compatible-endpoint credential reuse during an authoritative rebuild by allowing a preflighted, matching pending session to recover its recorded provider. The current handoff is a narrowly validated boolean capability. It should become an explicit, one-shot authorization receipt bound to the exact rebuild target.
The recovery authorization recheck also needs direct concurrency coverage for the TOCTOU cases previously identified in #6634.
Acceptance criteria
- Mint a provider-recovery authorization receipt only after locked rebuild preflight validates the sandbox, session, gateway, provider, model, and route.
- Bind and validate the receipt at provider selection and again inside the sandbox and gateway mutation locks.
- Reject replay, cross-sandbox use, session mismatch, expired or malformed receipts, and foreign or ownerless reservations.
- Add a concurrent same-sandbox recovery test proving only the reservation owner succeeds.
- Add a registry-mutation race test proving a foreign reservation introduced after initial selection is rejected inside the mutation locks.
- Remove the authoritative incomplete-session boolean exception and its temporary lifecycle comment once the receipt is in use.
Context
Follow-up to #6634 and #6665. This issue tracks the durable replacement; #6665 keeps the current exception fail-closed with matching identity, reservation rechecks, and exact-head E2E coverage.
Problem
#6665 restores compatible-endpoint credential reuse during an authoritative rebuild by allowing a preflighted, matching pending session to recover its recorded provider. The current handoff is a narrowly validated boolean capability. It should become an explicit, one-shot authorization receipt bound to the exact rebuild target.
The recovery authorization recheck also needs direct concurrency coverage for the TOCTOU cases previously identified in #6634.
Acceptance criteria
Context
Follow-up to #6634 and #6665. This issue tracks the durable replacement; #6665 keeps the current exception fail-closed with matching identity, reservation rechecks, and exact-head E2E coverage.