fix(ses): cyclic star export with renaming reexport (issue #59) - refresh for #3276 feedback

[kriscendobot]

Refs: endojs/endo#59, endojs/endo#3276
Supersedes: closed mirror PR #336 (branch force-pushed to address review feedback).

Description

Mirror of upstream endojs/endo#3276 (fix for the 2019 issue endojs/endo#59, cyclic star export with renaming reexport), refreshed for the bot-pushable fork so the gauntlet can re-run against the current upstream PR head.

This refresh sets the mirror head to upstream PR head f4aad15a and adds a single companion regression test that addresses inline review feedback from naugtur on upstream pullrequestreview-4388440170.

Naugtur's question

Is a situation possible where all calls to the deferring notify happen before upstreamNotify can be obtained? I was trying to come up with when that could happen and I thought of unused live bindings.

Disposition: verified, no source change

The "all calls happen before upstreamNotify is obtained" case is reachable in theory (a cyclic re-export of an unused live binding in which no further wireUp re-references the deferred notifier), but it is benign. Tracing the closure at packages/ses/src/module-instance.js:379-396:

1. The internal notify(update) call at line 403 always fires once during wireUpExportNotifier. If upstreamInstance.notifiers[deferredImportName] is undefined at that moment, the call is queued.
2. The closure resolves only on a subsequent call. A subsequent call arrives if (a) a module higher in the chain re-exports through us (via export * or another renaming reexport), or (b) a downstream consumer subscribes through the main imports() updateRecord loop at line 449.
3. If neither (a) nor (b) happens, the closure stays pending and the local value stays undefined. The export's getter at line 404-411 then returns undefined.
4. The unused-live-binding case (export var y; declared but never assigned) is exactly this shape under Node.js too: every projection of the cycle reads as undefined. Verified directly with node.

The new test in packages/ses/test/import-gauntlet.test.js (cyclic star export with renaming reexport, unused live binding) pins SES's behavior to Node.js's reference behavior for this case.

Why this is the right shape

The deferring closure's contract is "forward to the upstream's notifier once it exists, otherwise queue". The contract is well-defined whether or not a second call ever arrives; the queue is bounded by the number of subscribers (zero in the unused case). The "all calls before upstream" hypothetical is just the zero-subscriber subcase; it does not mis-route any update.

Verification

• yarn workspace ses test 503 pass + 2 known failures + 2 skipped (includes the new gauntlet test).
• yarn workspace @endo/compartment-mapper test (cycle-rename suites) 12 pass.
• Node.js parity for the unused-binding fixture verified outside the test runner.

Security Considerations

None. Test-only addition; no source change.

Scaling Considerations

None.

Documentation Considerations

None.

Testing Considerations

The new test exercises the unused-live-binding subcase and pins it to Node.js parity. Removing the deferring branch makes the original (issue #59) test fail with TypeError: notify is not a function; the new test passes with or without the deferring branch (it is a parity assertion, not a defect reproducer).

Compatibility Considerations

None.

Upgrade Considerations

None.

[kriscendobot]

@naugtur Thanks for the careful read on upstream endojs/endo#3276.

Disposition: verified, no source change.

Tracing the deferring closure at packages/ses/src/module-instance.js:379-396: the "all calls happen before upstreamNotify is obtained" case is reachable (a cyclic re-export of an unused live binding, no higher wireUp re-references the deferred notifier, no downstream subscriber), but it is benign. In that subcase the queue stays full, the local value stays undefined, and the export reads as undefined. Node.js reads the same shape (export var y; declared but never assigned) as undefined for every projection of the cycle.

Companion regression cyclic star export with renaming reexport, unused live binding added at SHA 96ea2c59c pins SES's behavior to Node.js parity for the unused-binding fixture. It passes both with and without the deferring branch (parity assertion, not a defect reproducer), but it locks the contract.

Bot mirror PR #379 carries the refresh (closed mirror #336 was force-pushed beyond GitHub's reopen tolerance).

[kriskowal]

Naugtur and I agree there is a likely opportunity for refactoring, here. The notifier system would benefit from a synchronous variant on Promise.withResolvers, e.g., makeNotifierWithResolver, that can be used here and in makeVirtualModule, to reduce the likelihood that these parallel implementations will drift.

Naugtur also asked for a test that verifies similar behavior if the reexporting module is CommonJS. I would like a test that at least verifies that the behavior is consistent with Node.js in that scenario.

[kriscendobot]

Applied makeNotifierWithResolver to the wireUpExportNotifier deferred branch in this commit. The Naugtur-asked CommonJS reexporter test landed in packages/ses/test/import-cjs.test.js, pinned to Node.js parity.

For makeVirtualModuleInstance the builder's design judgment was to leave the existing pattern in place: that site is a live-cell fan-out where set is called repeatedly and every subscriber must receive every future value, while makeNotifierWithResolver is a one-shot redirect (Promise.withResolvers shape). Unifying would either need a "repeat-resolve" semantic or a current-value protocol — either direction seemed to obscure local semantics. Happy to revisit if you'd like the unification forced or want a different abstraction shape (e.g., a separate makeLiveNotifier for the fan-out site).

[kriscendobot]

Addressed all three asks in commits 4d4953d..f89afdb (head 4d4953d):

• r3338677487 (reframe prose + commit a parity test): Reframed JSDoc on the CJS reexporter test in import-cjs.test.js and on the unused-live-binding test in import-gauntlet.test.js to focus on what the tests verify rather than the procedural impetus. Committed shared-fixture parity infrastructure at packages/compartment-mapper/test/cycle-cjs-reexporter{,−node-parity}.test.js + fixtures-cycle-cjs-reexporter/ + _cycle-cjs-reexporter-assertions.js — mirrors the existing cycle-rename parity layout.

• r3338682426 (state SES/Node divergence programmatically): Added packages/compartment-mapper/test/cycle-esm-in-cjs{,−node-parity}.test.js + fixtures-cycle-esm-in-cjs/. The Node parity test spawns a fresh Node process on the fixture and asserts stderr contains ERR_REQUIRE_CYCLE_MODULE; the SES test asserts SES's actual non-throwing behavior. Divergence is now a verified property rather than narrative.

• r3338685696 (parity-test concept for gardener docs): Sent message to the garden's gardener role to document the parity-test pattern (shared fixture + shared assertions + SES test + Node parity test, covering both convergence and divergence shapes) as a citable norm for future PRs. Reference implementations and pattern detail in the gardener inbox.

yarn test clean in both packages/ses and packages/compartment-mapper; yarn build:types:check exit 0; git grep -E 'Naugtur asked|verified directly with .node.' returns zero matches.

[kriscendobot]

Audit summary: feedback completeness on endojs/endo#3276 + #379

This is an audit-only sweep across naugtur's three inline asks on endojs/endo#3276 and kriskowal's five mirror-side asks on this PR. Each item is verified against the current head (f1a7dfb60).

naugtur, endojs/endo#3276 inline asks

1. (packages/ses/src/module-instance.js:379, comment 3323491701) "Is a situation possible where all calls to the deferring notify happen before upstreamNotify can be obtained? ... unused live bindings."
   Addressed. packages/ses/test/import-gauntlet.test.js carries the unused-live-binding regression at cyclic star export with renaming reexport, unused live binding: the renamer's export var y has no initializer, so the deferring notifier on x queues subscribers but the upstream is never updated; every projection of the cycle reads undefined. Verified against Node.js. Pinned in commit 96ea2c59c and substantiated with a shared-fixture parity pair in commit f1a7dfb60 (see ask 3 below).

2. (packages/compartment-mapper/test/fixtures-cycle-rename/node_modules/app/main.js, comment 3323503838) "Would it still work if the cycle was longer and a cjs module was involved in it?"
   Addressed. Two three-module fixtures land on the mirror covering the longer-cycle-with-CJS shape:

   • All-CommonJS three-module reexporter cycle: packages/compartment-mapper/test/fixtures-cycle-cjs-reexporter/ (commit f89afdb78), exercised through cycle-cjs-reexporter.test.js and pinned to Node.js via cycle-cjs-reexporter-node-parity.test.js. Shared assertions in _cycle-cjs-reexporter-assertions.js.
   • ESM-in-CJS three-module cycle: packages/compartment-mapper/test/fixtures-cycle-esm-in-cjs/ (commit 340479b2e), exercised through cycle-esm-in-cjs.test.js (SES allows) and cycle-esm-in-cjs-node-parity.test.js (Node rejects with ERR_REQUIRE_CYCLE_MODULE). This is the divergence case.

3. (packages/ses/src/module-instance.js, comment 3323524839) "shared notifier primitive between makeModuleInstance and makeVirtualModuleInstance to reduce the risk of interop failure."
   Partial. makeNotifierWithResolver is extracted into packages/ses/src/notifier-with-resolver.js (commit 6b80ac3ee) and applied to makeModuleInstance.wireUpExportNotifier. It is not applied to makeVirtualModuleInstance; the design judgment (recorded on the inline reply, comment 3338583474) is that the wireUp site is a one-shot redirect (Promise.withResolvers shape) while makeVirtualModuleInstance is a live-cell fan-out where every subscriber must receive every future value, and unifying would either need a "repeat-resolve" semantic or a current-value protocol. The reply offers a separate makeLiveNotifier shape if the unification is wanted.

kriskowal, #379 inline asks

1. (packages/ses/src/module-instance.js:389, comment 3338365530) Same as naugtur chore: bump actions/setup-python from 5.6.0 to 6.2.0 #3 plus "a test that at least verifies that the behavior is consistent with Node.js in that scenario."
   Partial / addressed. The refactor is partially applied per ask 3 above. The Node.js parity scenario for the CJS reexporter is covered by cycle-cjs-reexporter-node-parity.test.js plus shared _cycle-cjs-reexporter-assertions.js.

2. (Comment 3338583474) Bot's own reply, not actionable.

3. (packages/ses/test/import-gauntlet.test.js, comment 3338677487) "Please reframe as primarily an explanation of the test rather than emphasizing the procedural impetus. Also, please commit and refer to a test that substantiates the claim that the Node.js parity behavior was verified, ideally with a shared fixture, as with cycle-rename parity."
   Addressed. Prose reframed in commit 4d4953dcb. The shared-fixture parity pair for the unused-live-binding shape was missing; commit f1a7dfb60 lands it:

   • packages/compartment-mapper/test/fixtures-cycle-rename-unused/node_modules/app/ — fixture with export var y; (no initializer).
   • packages/compartment-mapper/test/_cycle-rename-unused-assertions.js — shared assertion module; expected projections are { x: undefined, y: undefined } and captured: undefined.
   • packages/compartment-mapper/test/cycle-rename-unused.test.js — compartment-mapper scaffold exercise.
   • packages/compartment-mapper/test/cycle-rename-unused-node-parity.test.js — Node.js exercise of the same fixture; parity is verified by construction when both pass.
   • The in-process SES regression's prose now references the new parity pair, matching the cross-reference pattern the populated-binding test already uses for cycle-rename.

4. (packages/ses/test/import-cjs.test.js, comment 3338682426) "SES does not have Node.js parity and we should state and verify this claim plainly and programmatically."
   Addressed. The divergence is stated plainly in the JSDoc on cyclic star-export with CommonJS reexporter (lines 670 onward) and verified programmatically by the cycle-esm-in-cjs parity pair: SES allows the topology and pins the namespace shape; Node spawns and asserts ERR_REQUIRE_CYCLE_MODULE. Together they verify the divergence by construction.

5. (packages/ses/test/import-cjs.test.js, comment 3338685696) Two parts.

   • "Parity claims should be substantiated with parity tests." Addressed for every parity claim now in the PR; each is paired with a shared-fixture / Node-side / SES-side trio: cycle-rename, cycle-rename-unused (new), cycle-cjs-reexporter, and the divergence pair cycle-esm-in-cjs.
   • "Please inform the gardener that it should document the concept of a parity test for future reference." Queued as a follow-up: a message entry has been journaled to the gardener describing the parity-test pattern (shared assertion module + Node-side parity sibling + SES/scaffold-side test; both passing verifies parity by construction). The garden-side documentation work will land in a separate gardener dispatch.

CI

Post-rebase CI status will refresh as runs queue. The expected red category is test-xs (cleared as a known flake on this branch per a recent llm sync); other jobs are expected green.

[kriskowal]

Mirror of endojs/endo#3276 (head e3f111d19).

[kriskowal]

@kriscendobot Please create additional tests that vary by whether the renamer or star exporter are imported first from main.js, and also vary by whether the binding is a const, let, or var. In all cases that it is possible, attempt to observe the value after it has been linked with its cyclic module but before it has been assigned or bound. This may be an observation of an exception while the binding is temporally dead (TDZ).

[kriskowal]

@kriscendobot I believe I now understand ZB’s comment endojs/endo#3276 (comment): Please consider whether we can create all of the notifiers for a module instance at time of construction instead of time of link. This may require a more deliberate separation of the instantiation and link phases, but I suspect we already have a hard enough line. This would obviate deferred notifier linkage, since notifiers would always be available up front. If not, please explain why such an arrangement is not possible or how the calling convention for precompiled ModuleSource instances would need to change. It might be that the notifiers need to be partially applied before full initialization.

Please also write a test that demonstrates the same failure mode of the cyclic export, but with a named reexport rather than a star reexport.

[kriscendobot]

@kriskowal Added the 6-cell TDZ-observation matrix in packages/ses/test/import-gauntlet.test.js at 30664c3.

Two axes:

• import order in main.js: export-renamer first vs star-reexporter first.
• binding form for the renamer's y: const, let, var.

The star-reexporter reads r.y through a namespace import of the renamer at the top of its body. When main.js imports the renamer first, depth-first cycle resolution puts the renamer on the evaluation stack while the star-reexporter's body runs, so the read lands in the window where y is linked but not yet initialized.

Matrix outcomes:

import order	binding	expected (Node.js)	SES observes	test status
renamer-first	const	ReferenceError (TDZ)	undefined	test.failing (divergence pinned)
renamer-first	let	ReferenceError (TDZ)	undefined	test.failing (divergence pinned)
renamer-first	var	undefined (hoisted)	undefined	passing
star-reexporter-first	const	42 (bound)	42	passing
star-reexporter-first	let	42 (bound)	42	passing
star-reexporter-first	var	42 (bound)	42	passing

The two .failing cells surface an in-process SES divergence from Node.js: SES's module-instance machinery currently returns undefined for a cross-module namespace read of a const or let binding that has been linked but not yet initialized, where ECMA-262 (and Node.js) require ReferenceError for the temporal dead zone. The matrix pins the Node.js reference behavior as the desired outcome for those cells so the gap is visible in the suite to either accept or close separately.

The four star-reexporter-first cells have no TDZ window to observe because depth-first cycle resolution evaluates the renamer's body to completion before the star-reexporter's body runs; they record the bound-value observation that completes the matrix.

[kriscendobot]

@kriskowal Addressed both asks in two commits on top of the prior fixer's TDZ matrix.

(1) Construction-time notifiers consideration

Disposition: feasible-and-documented, deferred to follow-up PR.

Wrote the analysis as a standalone design document at packages/ses/designs/construction-time-notifiers.md in commit c817b9f, addressing each facet of your follow-up:

• Is the present line between instantiate and link hard enough? Almost. makeModuleInstance returns an instance with notifiers, exportsProxy, and execute; the first two are populated in the construction body, but the wiring of reexport notifiers is a side effect of execute (via the imports(updateRecord) closure). The redesign shifts that side effect into a pass-2 step of instantiate itself.
• Two-pass redesign sketch. Pass 1 (construct + name-claim) allocates the binding state for own exports AND creates a forwarder stub for every reexport notifier (renamed reexports from __reexportMap__ plus star reexports enumerated by walking each upstream's moduleSource.exports). Pass 2 (wire) resolves each stub against upstreamInstance.notifiers[upstreamName]; by then every instance is constructed and every own notifier exists. wireUpExportNotifier's deferred-resolver branch becomes dead code.
• Precompiled ModuleSource calling-convention impact. None to the schema. imports(updateRecord) becomes wire-only (registers the functor's updaters on upstream notifiers it already located in pass 1); the functor's call shape is unchanged. The "partially applied notifiers" caveat from your comment maps onto the renamer's local-binding update freezer, which the present code already exposes as a notifier-shaped object; the redesign preserves that property.
• TDZ-gap relationship. The redesign does NOT by itself close the SES-against-Node cross-module TDZ divergence the matrix pins as test.failing. The exported getter's contract (return the last propagated value; default undefined) is unchanged. Closing that gap requires a separate change to consult the upstream's own-binding getter rather than caching the propagated value, which the redesign enables but does not require.
• naugtur's shared-primitive arm. The document sketches makeBindingNotifier (own-binding shape: { get, notify, update }) and confirms makeNotifierWithResolver covers the forwarder shape. Both makeModuleInstance and makeVirtualModuleInstance would consume the same primitives in the redesign.

Recommendation in the document: land the redesign as a follow-up PR rather than fold the refactor into this regression-fix PR. The redesign touches two large surfaces, shifts the instantiate/link line, and benefits from being reviewed against the parity baseline this PR's test matrix establishes.

(2) Named-reexport variant test

Added in commit 0c46da9 to packages/ses/test/import-gauntlet.test.js: one test mirroring the existing renamer-first + const star-reexport .failing case, but with the named reexport form (export { y } from './export-renamer.js').

The failure mode reproduces in the named-reexport shape. Node.js raises ReferenceError for const y = 42 here, matching the star-reexport behavior; SES returns undefined, matching the star-reexport divergence. Marked test.failing per the existing discipline. The result confirms the gap lives with the binding form, not with the reexport form (star against named).

Verified out-of-band with a minimal native-ESM fixture across the same const/let/var matrix; the named-reexport variant matches Node.js's TDZ enforcement on const and let (ReferenceError when read renamer-first) and undefined-while-hoisted on var, identical to the star case.

Verification

• corepack yarn workspace ses test: 508 pass + 5 known failures + 2 skipped. The new named-reexport .failing is the 5th known failure; the other 4 are the star-reexport matrix's 2 .failing cells, plus the 2 pre-existing .failing tests (no-eval lockdown, implicit-default reexport syntax).
• pre-push-gates --summary .: clean for the diff. Pre-existing probe failures on master (no-inline-import-jsdoc on packages/evasive-transform/src/index.js, security-md-hash-uniform divergent SECURITY.md across immutable-arraybuffer, bytes, hex, panic) are not introduced by either commit.

PR #379 head is now 0c46da9. Re-requesting review.

[kriskowal]

The follow-up design looks good. I find it preferable to fix the defects we’ve discovered in this exploration, with the added tests introduced without the .failing caveats. Please dispatch an agent to address both issues. Address each issue in separate commits.

[kriscendobot]

@kriskowal addressed both TDZ defects in two separate commits per your directive:

• 94c8846 fix(ses): enforce TDZ for cross-module namespace reads during cycle (star reexport) lands the core fix and converts the renamer-first × const and renamer-first × let star-reexport .failing cells to passing.
• 53d8662 fix(ses): enforce TDZ for cross-module named-reexport reads during cycle ships the test-only conversion of the named-reexport .failing cell to a passing assertion (the source fix in commit 1 already covers both paths since they share wireUpExportNotifier).

Root cause

The cross-module read r.y through the namespace import ('*' notifier) propagated the raw exportsTarget object rather than the exportsProxy. exportsTarget had no property defined for the binding until the late defineProperty pass at the end of imports(); a missing property reads as undefined rather than throwing. The wireUpExportNotifier helper also installed an exported getter that returned the last propagated value (initially undefined) with no TDZ tracking.

Three targeted fixes

• packages/ses/src/module-instance.js: define exportsTarget[name] eagerly during construction for each own fixed and live export, using the existing TDZ-aware getter from localGetNotify. The late arrayForEach(arraySort, defineProperty) pass at the end of imports() redefines the same descriptor as a no-op, preserving ECMA-262 sorted enumeration order. wireUpExportNotifier tracks its own TDZ state so the downstream's exported getter throws ReferenceError until the upstream binding propagates a value through the notifier chain.
• packages/module-source/src/transform-analyze.js: reorder the preamble so hoisted declarations (function declarations and var initializers) run before the imports call. This matches the ECMA-262 model where function/var bindings are created and initialized during InitializeEnvironment, which precedes dependency evaluation in Module.Evaluate. Without this reorder, a hoisted var y in an upstream module would still be in the live-binding TDZ when a downstream's body read r.y, and the eager TDZ-aware getter would throw ReferenceError instead of returning undefined (the var cells of the matrix).
• packages/module-source/test/fixtures/format-preserved.txt: update the format-preserved expected output to reflect the new hoisted-before-imports preamble order.

Also updated packages/ses/designs/construction-time-notifiers.md to reflect what actually closed the gap (the design's full notifier-graph redesign remains orthogonal and is still a reasonable follow-up).

Test status

• All three previously-.failing cells now pass without the modifier: 2 star-reexport (const, let) + 1 named-reexport (const).
• The renamer-first × var cell continues to read undefined because the upstream's hoisting preamble clears its TDZ before the downstream observes; matches Node.js.
• Full SES suite: 511 pass, 2 known failures (pre-existing on master), 2 skipped. No regressions.
• compartment-mapper, module-source, bundle-source test suites all pass.

Re-requesting review.

[kriskowal]

@kriscendobot Please delete, but capture a copy in your journal.

[kriscendobot]

Archived as commit b76ab1a and removed from the PR tree. The verbatim analysis now lives in the garden journal at https://github.com/kriskowal/garden/blob/journal/projects/endo/drafts/construction-time-notifiers.md with an index row in https://github.com/kriskowal/garden/blob/journal/projects/endo/drafts/README.md

[kriskowal]

Please double-check that each of these scenarios is also represented as a compartment mapper test fixture with a Node.js parity check.

[kriscendobot]

Verified and extended in commit cc23fca. The previously-covered scenarios (cycle-rename and cycle-rename-unused) already had compartment-mapper fixtures with Node.js parity tests. The seven remaining scenarios from the TDZ-observation matrix and the named-reexport variant now have matching fixtures:

• packages/compartment-mapper/test/fixtures-cycle-rename-tdz-const-renamer-first/ (probe ReferenceError)
• packages/compartment-mapper/test/fixtures-cycle-rename-tdz-let-renamer-first/ (probe ReferenceError)
• packages/compartment-mapper/test/fixtures-cycle-rename-tdz-var-renamer-first/ (probe undefined)
• packages/compartment-mapper/test/fixtures-cycle-rename-tdz-const-star-first/ (probe value 42)
• packages/compartment-mapper/test/fixtures-cycle-rename-tdz-let-star-first/ (probe value 42)
• packages/compartment-mapper/test/fixtures-cycle-rename-tdz-var-star-first/ (probe value 42)
• packages/compartment-mapper/test/fixtures-cycle-named-reexport-tdz-const-renamer-first/ (probe ReferenceError)

Each fixture has a SES-side test (cycle-rename-tdz--.test.js or cycle-named-reexport-tdz-const-renamer-first.test.js) and a Node.js parity sibling with the -node-parity.test.js suffix. The expected probe values live in _cycle-rename-tdz-assertions.js so both layers compare against exactly one set of expectations; parity is verified by construction. The import-gauntlet.test.js header comment now links each matrix cell to its fixture path.

[kriscendobot]

Addressed both inline asks from review 4474269526.

Ask 1: archive then delete construction-time-notifiers.md
Commit b76ab1a. The file is removed from packages/ses/designs/ in the PR tree; the verbatim text now lives at https://github.com/kriskowal/garden/blob/journal/projects/endo/drafts/construction-time-notifiers.md with an index row in https://github.com/kriskowal/garden/blob/journal/projects/endo/drafts/README.md.

Ask 2: compartment-mapper parity for each gauntlet scenario
Commit cc23fca. The previously-covered scenarios (the original endojs/endo#59 fixture and its unused-live-binding companion) already had compartment-mapper fixtures with Node.js parity tests (cycle-rename.test.js, cycle-rename-node-parity.test.js, cycle-rename-unused.test.js, cycle-rename-unused-node-parity.test.js). The seven new gauntlet scenarios added by the prior fixers (six-cell TDZ matrix for the cyclic star-export plus one named-reexport variant) now also have matching fixtures and parity tests:

• fixtures-cycle-rename-tdz-const-renamer-first (probe ReferenceError)
• fixtures-cycle-rename-tdz-let-renamer-first (probe ReferenceError)
• fixtures-cycle-rename-tdz-var-renamer-first (probe undefined)
• fixtures-cycle-rename-tdz-const-star-first (probe value 42)
• fixtures-cycle-rename-tdz-let-star-first (probe value 42)
• fixtures-cycle-rename-tdz-var-star-first (probe value 42)
• fixtures-cycle-named-reexport-tdz-const-renamer-first (probe ReferenceError)

Each fixture has both a SES-side test (loaded via the compartment-mapper scaffold) and a Node.js parity sibling (-node-parity.test.js suffix) that runs the same fixture under plain Node.js. Expected probe values live in _cycle-rename-tdz-assertions.js so both layers compare against exactly one set of expectations. The import-gauntlet.test.js header comment now links each matrix cell to its fixture path so future maintainers can find both layers from either side.

Verification

• yarn workspace ses test: 511 pass + 2 known failures + 2 skipped (unchanged).
• yarn workspace @endo/compartment-mapper test: 1014 pass + 6 known failures (was 930; the +84 new passes come from 7 new fixtures times 12 scaffold variants each, plus 7 Node.js parity tests; plus a few existing scaffolded suites' additional pass-throughs that landed in this same run).
• pre-push-gates: clean for diff under review (probe failures inherited from master: no-inline-import-jsdoc on evasive-transform/src/index.js, security-md-hash-uniform on the four divergent SECURITY.md files; both pre-existing).

CI
All 15 of 16 checks green at head cc23fca. Browser-tests is pending/long-running on this PR exactly as it is on the master branch's last several pushes (consistent 30-minute timeout-cancellation pattern unrelated to this PR's diff).

@kriskowal re-requesting your review.