When code consumes security-critical data—either to perform privileged state changes at runtime or to download/execute external artifacts—it must validate integrity/invariants before proceeding.
Apply these checks:
Example (runtime invariant + safe skip):
    // Pseudocode for a FORCE-like path
    if (force_enabled) {
        if (!stream_entry_exists(stream_id)) {
            // Prevent phantom state creation
            return OK_WITHOUT_MUTATION; // or skip this ID
        }
        create_pel_entry(...); // only after invariant holds
    }
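The runtime-invariant pattern above as a compilable toy model, added here as an illustration and not taken from the original page or any project's code. Only `stream_entry_exists`, `force_enabled` and `OK_WITHOUT_MUTATION` come from the pseudocode; `stream_t`, `claim_id`, `pel_is_consistent`, `contains`, `MAX_IDS`, `CLAIMED`, `ERR_FULL` and the sample IDs are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model (constructed for this example): a stream of entry IDs plus a
 * pending-entries list (PEL) that must only reference existing entries. */
#define MAX_IDS 16
typedef struct {
    uint64_t entries[MAX_IDS]; size_t n_entries;
    uint64_t pel[MAX_IDS];     size_t n_pel;
} stream_t;
typedef enum { CLAIMED, OK_WITHOUT_MUTATION, ERR_FULL } claim_result;

static bool contains(const uint64_t *ids, size_t n, uint64_t id) {
    for (size_t i = 0; i < n; i++)
        if (ids[i] == id) return true;
    return false;
}

bool stream_entry_exists(const stream_t *s, uint64_t id) {
    return contains(s->entries, s->n_entries, id);
}

/* FORCE-like claim: may create a PEL entry for an ID that is not pending,
 * but only after confirming the ID refers to a real stream entry. */
claim_result claim_id(stream_t *s, uint64_t id, bool force_enabled) {
    if (contains(s->pel, s->n_pel, id)) return CLAIMED;  /* already pending */
    if (!force_enabled) return OK_WITHOUT_MUTATION;      /* nothing to create */
    if (!stream_entry_exists(s, id)) return OK_WITHOUT_MUTATION; /* no phantom */
    if (s->n_pel == MAX_IDS) return ERR_FULL;            /* fail closed */
    s->pel[s->n_pel++] = id;                             /* invariant holds */
    return CLAIMED;
}

/* Invariant check for tests or debug builds: every PEL ID exists in the stream. */
bool pel_is_consistent(const stream_t *s) {
    for (size_t i = 0; i < s->n_pel; i++)
        if (!stream_entry_exists(s, s->pel[i])) return false;
    return true;
}

int main(void) {
    stream_t s = { .entries = {10, 20, 30}, .n_entries = 3 };
    uint64_t ids[] = {20, 99, 30};   /* 99 is constructed: not in the stream */
    for (size_t i = 0; i < 3; i++) (void)claim_id(&s, ids[i], true);
    printf("pel=%zu consistent=%d\n", s.n_pel, pel_is_consistent(&s));
    return 0;
}
```

Running `pel_is_consistent` after every mutating path in tests catches any new code path that creates PEL entries without the existence check.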
Example (build checksum verification):
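    RUST_VERSION=1.94.0
    # Ensure checksum matches the exact downloaded artifact
    RUST_SHA256='9a358120ce1491a4d5b7f71a41e4e97b380b5db5d4ec31f7110f5b3090bd3d55'
    # $URL must already be set and must point to the same tarball as the checksum
    curl -fsSLO "$URL"   # -f: fail on HTTP errors instead of saving an error page
    # Two spaces between hash and filename: the checksum-line format sha256sum -c reads
    echo "$RUST_SHA256  $(basename "$URL")" | sha256sum -c -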