chore(workspace): clear pre-push hygiene RED (spec LOC, doc link, error-voice)

ThibautMelen · nikadotsh · ThibautMelen · commit 1944737f4c99 · 2026-06-14T05:18:08.000+02:00
Three hygiene vectors blocked the push:
- crate-spec-metrics: nika-exec-runner.md IMPL LOC anchor stale (~938 -&gt; ~1412,
  33% drift); refreshed both occurrences.
- doc-private-items: nika-schema lints/mod.rs intra-doc link to `arg_injection`
  was ambiguous (fn vs mod under --document-private-items); disambiguated to
  `arg_injection()`.
- error-one-voice: allowlist two boundary-wrapped error enums that carry their
  code at the crate boundary (not their own registry range), matching the
  established ExprError/ExtractError pattern: CelErrorKind (nika-cel, spec-plane,
  NIKA-VAR-001/005/006 via nika_pack) and CommandSandboxError (nika-kernel-core,
  flattened onto ShellError::Blocked). Audit-table rows added to match.

Co-Authored-By: Nika 🦋 &lt;nika@supernovae.studio&gt;
diff --git a/crates/nika-schema/src/lints/mod.rs b/crates/nika-schema/src/lints/mod.rs
@@ -10,7 +10,7 @@
 //!
 //! v0.1 ships TWO rule sets · [`one_obvious_way`] — the control-flow
 //! preference rules the spec marks « normative for linters » — and
-//! [`arg_injection`] — argument-injection advisories for the array command
+//! [`arg_injection()`] — argument-injection advisories for the array command
 //! form (spec `02-verbs.md` §exec Security · the differentiator).
 
 mod arg_injection;
diff --git a/docs/architecture/error-trait-completeness-2026-06-10.md b/docs/architecture/error-trait-completeness-2026-06-10.md
@@ -71,6 +71,8 @@ timeout boundary (spec 03 · catchable · never retryable).
 | `ToolErrorPolicy` · `OnError` · `ErrorCategory` | NOT error types (policy/config enums matching the `*Error` name pattern) |
 | `TestError`/`OtherError` (traits.rs tests) | test fixtures |
 | `ExtractError` (nika-extract) | pure L1.5 transformation error · its only consumer (`nika-builtin` fetch) flattens every variant onto the spec-form `NIKA-BUILTIN-FETCH-001` string at the dispatcher boundary (crate spec) · the builtin plane carries the code |
+| `CelErrorKind` (nika-cel) §cel-subset | **spec-plane** carrier · the `cel-subset/0.1` failure class carries SPEC wire codes (`NIKA-VAR-001`/`005`/`006` · resolvable via `nika_pack::error_codes()`) NOT a `nika_error` registry range — same plane as the runtime's `NIKA-TIMEOUT-001`. The host maps it to `RuntimeError::{CelEval,UnresolvedTemplate,WhenUnsupported}` which carries the registry code (NIKA-1702/1703) at the runtime boundary. The struct `CelError` wraps it for Display; neither is an engine-internal enum owing a registry code |
+| `CommandSandboxError` (nika-kernel-core) §cmd-sandbox | **wrapped-intermediate** · OS command-confinement seam error (ADR-095 Layer 6 · `io/command_sandbox.rs`). Its ONLY consumer (`nika-exec-runner` `map_sandbox_error`) flattens both variants (`Unavailable`/`Profile`) onto `ShellError::Blocked` at the runner boundary · the Shell range 050-099 wrapper carries the code |
 
 ## Open follow-ups (deferred-with-trigger)
 
diff --git a/docs/crate-specs/nika-exec-runner.md b/docs/crate-specs/nika-exec-runner.md
@@ -6,7 +6,7 @@
 | Layer | L1 — effect crate · the only production site spawning subprocesses (`tokio::process`) |
 | Design | `TokioShell` impl of the L0.5 `nika_kernel::process` traits (`ShellRun` + `ShellCancel`) via the `*Dyn` (`Send`) companions · SECURITY-SENSITIVE (command blocklist + injection defense) |
 | LOC budget | well under the ≤1500/file + ≤15k/crate caps (enforced live by vectors 12+24) · live count · `scripts/crate-metrics.sh nika-exec-runner` |
-| LOC (live) | ~938 LOC src (live · `scripts/crate-metrics.sh nika-exec-runner`) |
+| LOC (live) | ~1412 LOC src (live · `scripts/crate-metrics.sh nika-exec-runner`) |
 | Function cap | ≤100 lines each |
 | Crate version | tracks workspace (`0.80.0`) |
 | License | `AGPL-3.0-or-later` |
@@ -138,7 +138,7 @@ AND stderr) is therefore capped at **64 MiB** (`MAX_OUTPUT_BYTES`):
 |---|---|---|
 | 1 SPEC | ✅ | this file |
 | 2 TDD | ✅ | `tests/exec_contract.rs` (14 subprocess contract) + blocklist/lib unit (25) authored first · RED → GREEN |
-| 3 IMPL | ✅ | ~938 LOC src (live · `scripts/crate-metrics.sh`) · zero unwrap/expect in src |
+| 3 IMPL | ✅ | ~1412 LOC src (live · `scripts/crate-metrics.sh`) · zero unwrap/expect in src |
 | 4 CLIPPY 0 | ✅ | `cargo clippy --workspace --all-targets -- -D warnings` GREEN |
 | 5 MUTATION ≥90% | ✅ | `cargo mutants -p nika-exec-runner` · 28 mutants · **23 caught / 25 viable = 92%** (3 unviable). 2 documented survivors, both non-security: (a) the `basename_normalized` OR-branch — an EQUIVALENT mutant (for the current patterns `basename(s).contains(p) ⇒ lower.contains(p)`, so it never uniquely matches · pure defense-in-depth redundancy that would only bite a future mid-path pattern); (b) the `-1` exit sentinel for signal-death (`status.code()==None`) — cosmetic, no control-flow/security impact. The killers added: dequoted-sole-matcher (`/d'e'v/tcp/`) + quote-bypass-via-dequoting + basename helper + shell-expansion regression set. |
 | 6 PROPERTY | ✅ | security unit-battery: each normalization layer (NFKC/zero-width/quote/basename) blocked · shell-expansion bypasses ($IFS/$VAR/$()/backtick/fullwidth-$) refused · safe commands + plain pipes allowed |
diff --git a/scripts/ci/error-one-voice-allowlist.tsv b/scripts/ci/error-one-voice-allowlist.tsv
@@ -24,3 +24,5 @@ ExprError	nika-schema	wrapped-intermediate	internal CEL-subset parser error · w
 GoDurationError	nika-schema	wrapped-intermediate	internal Go-duration parse error · wrapped into SchemaError before crossing the crate boundary · the wrapper carries the code (audit table §50)
 InferLocalError	nika-infer-local	deferred-with-trigger	WIP sidecar crate (ADR-091) pre-gate-pass · Pattern A NikaErrorCode impl lands at its 12-gate admission · push-train unblock 2026-06-11
 ExtractError	nika-extract	wrapped-intermediate	pure L1.5 transformation error · its ONLY consumer (nika-builtin fetch) flattens every variant onto the spec-form NIKA-BUILTIN-FETCH-001 string at the dispatcher boundary (crate spec §header) · the builtin plane carries the code (audit table)
+CelErrorKind	nika-cel	spec-plane	the cel-subset/0.1 conformance failure class · carries SPEC wire codes (NIKA-VAR-001/005/006 · resolvable via nika_pack::error_codes()) NOT a nika_error registry range · same plane as the runtime NIKA-TIMEOUT-001 · the host maps it to RuntimeError::{CelEval,UnresolvedTemplate,WhenUnsupported} which carries the registry code at the boundary (audit table §cel-subset)
+CommandSandboxError	nika-kernel-core	wrapped-intermediate	OS command-confinement seam error (ADR-095 Layer 6) · its ONLY consumer (nika-exec-runner map_sandbox_error) flattens both variants onto ShellError::Blocked at the runner boundary · the Shell range 050-099 wrapper carries the code (audit table §cmd-sandbox)
