lab: complete Step 6 — VerifyingSlotProvider, IDiagSink, scenario pump

[boggspa]

What

Step 6 of Milestone 1, per the lab README: the VerifyingSlotProvider invariant decorator, the IDiagSink port behind it, and the scenario pump. The Milestone 1 exit criteria are now executable checks — and they pass:

• ≥10⁶ cycles through controller → engine → Verifying(Fake) on the regular 512-frame schedule: zero invariant violations
• Adversarial schedules produce their expected counter signatures — a skipped callback surfaces as silence inside structurally valid packets (never corruption), sample-time jumps land in framesWithoutPacket / framesOutsidePacket

Suite: 17,440 checks, 0 failures (was 8,341). Dext target still compiles.

The instrument

Lab/VerifyingSlotProvider wraps any IAmdtpTxSlotProvider and asserts P1–P4 on every PublishSlot:

• P1 — tumbling 8000-packet window must hold exactly 6000 data packets; N,D,D,D run shape (≤3 consecutive data, isolated no-data); packet-index contiguity
• P2 — DBC continuity: every packet carries the running DBC, only data advances it, no-data carries it unchanged
• P3 — CIP bit-exactness re-parsed from the published wire image (Q0 sid/dbs/fn/qpc/sph/dbc, Q1 eoh/fmt/fdf/syt, 8-byte CIP-only no-data, byteCount vs frames×dbs×4), plus publish-without-acquire detection
• P4 — gapless frame tiling (firstAudioFrame/framesInPacket), zero frames on no-data

Design points (documented in the source):

• Observer, not gate — violating packets still forward; the decorator never alters behavior.
• Resync-after-violation — one injected fault increments exactly one counter; signatures stay readable.
• Checks wire facts, not implementation internals — structural constants (FMT, FDF, no-data rules) are asserted; stream constants (SID, frames-per-data) are learned from the first packet and held. The verifier shares no code with the packetizer it judges, and its self-tests use a hand-rolled golden driver for the same reason.
• RT-safe by construction — relaxed-atomic sticky counters, optional Ports::IDiagSink mirroring, no logging anywhere. Ready to run inside the lab dext at Milestone 3, and to wrap the real DMA ring at ASFW bring-up.

Self-tests

An asserting instrument that never fires is worse than none, so every violation kind has a corruption case proving it fires exactly once with no cross-talk (DBC jump on data, DBC advance on no-data, short/padded byte counts, wrong FDF, wrong DBS field, frame-tiling gap, frames-on-no-data, double no-data, index gap, unacquired publish, 5999/8000 window).

Seams touched (additive only, no behavior change)

• VirtualAudioDeviceController::BindLabSlotProvider() — interposes Verifying(Fake) between engine and ring (the seam the AudioIOPath comment anticipated for the Step 6 pump)
• DiceTxStreamEngine::PayloadWriterCounters() / controller PayloadCounters() — read-only access to the writer's miss buckets so scenarios can assert the expected signatures

Nothing else in Protocols/ was modified. README untouched — happy to tick the Step 6 / M1-exit boxes there too if you'd like it in this PR, or leave that to you.

Verification

xcodegen generate
xcodebuild -scheme ADKVirtualAudioLabTests  → BUILD SUCCEEDED (0 warnings)
./ADKVirtualAudioLabTests                   → 17440 checks, 0 failures (~5 s)
xcodebuild -scheme ADKVirtualAudioLab       → BUILD SUCCEEDED (dext, compile-only)

🤖 Generated with Claude Code