PR 4a: Vocabulary<S>::is_fdr_dissem trait method (006 T111)

[bashandbone]

Summary

First piece of Phase 8 (User Story 6, lattice projection laws) of the 006-engine-rule-refactor. Adds one trait method to Vocabulary<S> so PR 4b's per-category Lattice impls can ask "is this token part of the §B.3.a FD&R chain?" through the scheme surface instead of each consumer re-implementing the closed-CVE membership check.

Spec ref	What it does
T111	fn is_fdr_dissem(&self, token: &S::Token) -> bool with default false; CapcoScheme override iterates FDR_DOMINATORS

PR 4 has been split into 4a / 4b / 4c sub-PRs after preflight discovery. This is 4a (small, foundational).

• 4a (this PR): is_fdr_dissem trait surface + tests.
• 4b (queued): per-category Lattice impls + AEA §-amendment to 2026-05-01-lattice-design.md + CapcoMarking::join PageContext delegation deleted + property/cross-axis tests (T112–T117a).
• 4c (queued): tests/corpus/lattice/ regression fixtures + tests/corpus/prose-positive/ + Predicate coverage catalog: 39 CAPCO declarative constraints / canonicalizations surfaced from PR #303 #307 Groups B/C/E predicate catalog (T118–T119c) — this is where the SCI per-system Custom-row → proper Constraint::Requires conversion lands.

T119b (Group A required-pair fixes) was rolled into PR 4c after the preflight survey found that all five Group A predicates are already encoded:

• HCS-O via the SCI per-system catalog walker bridge (scheme.rs:6541-6601)
• EXDIS + NODIS via the E038 Custom fold (scheme.rs:2502-2520)
• SBU-NF + LES-NF via Pattern A PageRewrites (scheme.rs:1658-1751)

#307 Group A's "HCS-O survives as a gap" framing is stale relative to PR 3b.E (#326) and PR 3c.B Commit 7.4 — those landed the proper coverage in transitional Constraint::Custom shape. PR 4c retires the transitional shape uniformly as part of Groups B + E.

Implementation notes worth a reviewer's attention

Delegation strategy — FDR_DOMINATORS direct, not is_fdr_dominator. During implementation the value-pin test caught a load-bearing semantic difference between is_fdr_dissem (this PR's new predicate, "is this token an FD&R member") and is_fdr_dominator (existing, "is this token an FD&R dominator OVER RELIDO" — RELIDO-vs-RELIDO is a tautology in its RELIDO-conflict-family role). RELIDO IS unambiguously FD&R per §B.3.a p19, so the override iterates FDR_DOMINATORS directly. A regression test (is_fdr_dissem_admits_canonical_dominators's TOK_RELIDO arm) pins this and explains why a future "delegate to is_fdr_dominator" refactor would silently under-fire.

Bidirectional pin. mod fdr_dissem_pin in crates/capco/src/vocabulary.rs walks FDR_DOMINATORS forward (every Token entry → is_fdr_dissem returns true) and a representative non-FD&R sentinel set backward (ORCON / IMCON / FOUO / …). A future FDR_DOMINATORS extension that doesn't update the override will fail the test.

pub(crate) visibility uplift on FDR_DOMINATORS and capco_token_category. Per project memory pub_doc_hidden_is_still_public_api: prefer pub(crate) + unit tests over #[doc(hidden)] pub. No crate-boundary leak — both stay private to marque-capco.

Default impl is false with explicit footgun documentation. A scheme that has an FD&R-style family but forgets to override silently returns false for every dominator, which would produce wrong banner roll-ups in PR 4b. The doc comment names this in MUST-language, mirroring MarkingScheme::iter_present_tokens' existing override-or-broken contract.

Citation discipline

Per Constitution VIII, every §-citation in this PR has been verified against crates/capco/docs/CAPCO-2016.md at the point of implementation. Two iterations:

1. Initial draft cited §B.3 Table 2 p21 for the FD&R-set definition.
2. capco-dissem-validator review identified this as the scenario-summary table, not the canonical enumeration. The definitional passage is §B.3.a p19 ("NOFORN, REL TO, RELIDO, or DISPLAY ONLY"). All 11 PR-introduced sites corrected to §B.3.a p19.

Two test-label page-number defects also corrected (caught by the same review): NODIS §H.9 p172 → p174, RESTRICTED §H.1 p51 → §H.3 p56 (TOK_RESTRICTED's consumer is the §H.3 p56 JOINT-conflicts-RESTRICTED rule, not a §H.1 entry — §H.1 has no standalone "RESTRICTED").

Reviewer chain (before opening)

1. system-architect preflight — flagged the stale-Predicate coverage catalog: 39 CAPCO declarative constraints / canonicalizations surfaced from PR #303 #307-Group-A status; recommended scope reduction to T111 only.
2. rust-reviewer preflight — recommended Path A (delegation through is_fdr_dominator), default false, #[inline] on the override, bidirectional value-pin test.
3. gan-generator implementation — caught the is_fdr_dominator-vs-is_fdr_dissem semantic divergence at value-pin time and switched delegation strategy mid-implementation. Documented the regression-pin rationale.
4. rust-reviewer review (post-implementation) — APPROVE; 2 MEDIUM (REL TO test could also exercise TOK_REL_TO; FDR_DOMINATORS comment phrasing) + 3 LOW.
5. code-reviewer review — REQUEST CHANGES (1 HIGH: stale comment in mod fdr_dissem_pin header described the override as delegating to is_fdr_dominator after the implementation switched to iterating FDR_DOMINATORS directly). Fixed.
6. capco-dissem-validator review — CITATION DEFECTS FOUND (3 defects: §B.3 Table 2 p21 → §B.3.a p19, NODIS §H.9 p172 → p174, RESTRICTED §H.1 p51 → §H.3 p56). All fixed.

Test plan

• cargo build --workspace — clean
• cargo test --workspace --no-fail-fast — 0 failures across all suites (capco / scheme / engine / wasm / server / cli)
• cargo +stable clippy --workspace --all-targets -- -D warnings — clean
• cargo fmt --check — clean
• New tests: 6 total (4 public-API integration + 2 in-crate unit + 1 default-impl stub) — all pass
• CI green on the PR

Refs

• Spec: specs/006-engine-rule-refactor/tasks.md T111
• Constitution: III (WASM safety — vocabulary surface is WASM-safe), V (audit content-ignorance — predicate is a non-content boolean), VIII (citation fidelity — all §-citations verified at point of implementation)
• Related: Predicate coverage catalog: 39 CAPCO declarative constraints / canonicalizations surfaced from PR #303 #307 (Group A discovery context), PR 3b.E refactor-006 PR 3b.E: declarative SCI per-system catalog walker (T026e) #326 (SCI per-system walker landing), PR 3c.B (walker retirement)

🤖 Generated with Claude Code

[github-actions]

🤖 Hi @bashandbone, I've received your request, and I'm working on it now! You can track my progress in the logs.

[github-actions]

🤖 I'm sorry @bashandbone, but I was unable to process your request. Please see the logs for more details.

[Copilot]

Pull request overview

Adds the Vocabulary<S>::is_fdr_dissem predicate surface so CAPCO and future lattice/closure consumers can identify FD&R dissemination-family membership through the scheme vocabulary API.

Changes:

• Adds a default Vocabulary::is_fdr_dissem implementation returning false.
• Implements the CAPCO override by walking FDR_DOMINATORS.
• Adds default-impl, public CAPCO behavior, and in-crate source-of-truth pin tests.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
crates/scheme/src/vocabulary.rs	Adds the new trait method and contract documentation.
crates/scheme/tests/vocabulary_default_is_fdr_dissem.rs	Pins the default constant-false implementation.
crates/capco/src/scheme.rs	Exposes capco_token_category and FDR_DOMINATORS within the crate for the override/tests.
crates/capco/src/vocabulary.rs	Implements CAPCO FD&R membership and adds in-crate pin tests.
crates/capco/tests/fdr_dissem_predicate.rs	Adds public API integration tests for accepted and rejected CAPCO tokens.

Comments suppressed due to low confidence (1)

crates/capco/src/vocabulary.rs:1035

• This RELIDO rationale uses the same stale §B.3 Table 2 citation even though the canonical FD&R membership citation is §B.3.a p19. Please align this with the corrected citation used later in the comment block.

    /// `is_fdr_dissem(TOK_RELIDO)`. RELIDO is unambiguously an FD&R
    /// member per §B.3 Table 2, so this method iterates over the
    /// full `FDR_DOMINATORS` slice directly.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[bashandbone]

Addressed in 6ba9138. Both line 1018 and line 1033 (now 1034) corrected to cite §B.3.a p19 as the canonical FD&R-set definition, with §B.3 Table 2 pp 21-22 acknowledged as the scenario-summary table per the same correction.

[bashandbone]

Addressed in 6ba9138. Test assertion message corrected to cite §B.3.a p19.

[bashandbone]

Addressed in 6ba9138. Reworded the maintenance note to make the distinction explicit: FDR_DOMINATORS enumerates FD&R set membership per §B.3.a p19; is_fdr_dominator enumerates dominators over RELIDO (deliberately excluding RELIDO itself for the conflict-family role). Added a pointer to the relido_admits_despite_is_fdr_dominator_excluding_it regression pin.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

[bashandbone]

Addressed in f4ddca4. Updated the FDR_DOMINATORS header comment block above to cite §B.3.a p19 as the authoritative enumeration, with §B.3 Table 2 pp 21-22 acknowledged as the derivative scenario-summary table. The file no longer contradicts itself between the header and the new maintenance contract.

[bashandbone]

Addressed in f4ddca4. Rewrote the trait-doc bullet to make the distinction explicit: is_fdr_dissem is the FD&R-set-membership accessor (admits RELIDO per §B.3.a p19); is_fdr_dominator answers "dominator over RELIDO" for the conflict-family role (excludes RELIDO). Added the same do-not-delegate guidance the in-tree maintenance contract carries.

[bashandbone]

Addressed in f4ddca4. Reworded with the explicit two-path dual-update rule: TokenRef::Token entries automatically update this method (the iteration walks every entry); TokenRef::AnyInCategory(CAT_X) entries only admit tokens that capco_token_category routes to Some(CAT_X), so adding a new AnyInCategory entry requires a matching capco_token_category arm. The maintenance contract on FDR_DOMINATORS now carries the explicit dual-update rule too.