Macro-3 Bad-Input Fail-Open Risk Map (2026-06-19)
Date: 2026-06-19 · Workstream: R2-B2-MACRO-3-OPTION-D-OWNER-DELEGATE-DECISION-PACKAGE-2026-06-19 (Deliverable 38 of 60) · Editorial revision: rev1
Class: bad-input fail-open risk map · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · proof NOT run · NO write performed.
Metadata convention. Editorial revision (rev1) only. Storage revision / content_length authoritative at read time.
Bad-input-not-run lock. This maps fail-open risks conceptually; it runs no bad-input test. Running one would require a producer + staging = forbidden here.
0. Status and non-authorization
STATUS: PASS — engineering / decision-prep. Conceptual fail-open risk map for the eventual B2 producer. Engineering PASS ≠ authority PASS. Default: HOLD.
1. Purpose
Record the fail-open failure modes so any future producer is designed fail-closed.
2. Sources / evidence read
Macro-2 bad-input proof not-run register; inspect-producer TD-prep BI-1…12. Main process, no reader-agents.
3. Accepted baseline (carried)
Fail-open (stamping on bad/ambiguous input) is a reject condition; the producer must fail closed (no stamp → audit queue).
4. Evidence / analysis — fail-open risks (conceptual)
| # | Bad input | Fail-open danger | Required behavior |
|---|---|---|---|
| BI-FO-1 | missing/unresolved Đ0-G rule | stamping without authority | fail-closed, no stamp (BI-5) |
| BI-FO-2 | out-of-order stage (GATE before PEN) | inconsistent stamps | reject, strict PEN→STAMP→GATE |
| BI-FO-3 | malformed birth row | partial stamp | reject whole row |
| BI-FO-4 | duplicate/idempotency breach | double stamp | idempotent no-op |
| BI-FO-5 | source unreadable | guessing a default | reject, audit |
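As an added illustration of the fail-closed contract in the table above, not the B2 producer and not an oracle run: the row layout, the KNOWN_RULES set and the per-row stage ledger are constructed assumptions; the BI-FO codes and the PEN→STAMP→GATE order follow the map.

```python
# Added sketch of the fail-closed contract (not the B2 producer). Row layout, KNOWN_RULES
# and the ledger are constructed assumptions; stage names and BI-FO codes follow the map.
from dataclasses import dataclass, field

STAGE_ORDER = ("PEN", "STAMP", "GATE")        # strict order (BI-FO-2)
KNOWN_RULES = {"rule-A"}                      # stands in for the resolvable rule set (BI-FO-1)
REQUIRED_FIELDS = ("id", "rule", "payload")   # constructed row layout (BI-FO-3)


@dataclass
class FailClosedProducer:
    ledger: dict = field(default_factory=dict)       # row id -> last completed stage (BI-FO-4)
    audit_queue: list = field(default_factory=list)  # every reject lands here, nothing is written

    def _reject(self, row_id, code, reason):
        # Fail-closed path: no stamp, the row is queued for a human.
        self.audit_queue.append({"id": row_id, "code": code, "reason": reason})
        return None

    def apply(self, row, stage):
        """Apply `stage` to `row`; return a result dict, or None when the row is rejected."""
        if row is None:                                               # BI-FO-5: unreadable source
            return self._reject(None, "BI-FO-5", "source unreadable; no default guessed")
        if not isinstance(row, dict) or any(k not in row for k in REQUIRED_FIELDS):
            rid = row.get("id") if isinstance(row, dict) else None
            return self._reject(rid, "BI-FO-3", "malformed row; whole row rejected")
        rid = row["id"]
        if stage not in STAGE_ORDER:
            return self._reject(rid, "BI-FO-2", f"unknown stage {stage!r}")
        last = self.ledger.get(rid)
        if last == stage:                                             # BI-FO-4: replay is a no-op
            return {"id": rid, "stage": stage, "noop": True}
        nxt = 0 if last is None else STAGE_ORDER.index(last) + 1
        if nxt >= len(STAGE_ORDER) or STAGE_ORDER[nxt] != stage:     # BI-FO-2: out-of-order stage
            return self._reject(rid, "BI-FO-2", f"stage {stage} requested after {last}")
        if stage == "STAMP" and row["rule"] not in KNOWN_RULES:       # BI-FO-1: no authority, no stamp
            return self._reject(rid, "BI-FO-1", "rule unresolved; stamping refused")
        self.ledger[rid] = stage
        return {"id": rid, "stage": stage, "noop": False}


def run_demo():
    """Walk constructed rows through the producer; returns (results, audit_queue)."""
    p = FailClosedProducer()
    good = {"id": "r1", "rule": "rule-A", "payload": "x"}
    results = [
        p.apply(good, "PEN"), p.apply(good, "STAMP"), p.apply(good, "STAMP"),  # ok, ok, no-op
        p.apply({"id": "r2", "rule": "rule-A", "payload": "y"}, "GATE"),        # GATE before PEN
        p.apply({"id": "r3", "rule": "rule-?", "payload": "z"}, "PEN"),         # ok
        p.apply({"id": "r3", "rule": "rule-?", "payload": "z"}, "STAMP"),       # unresolved rule
        p.apply({"id": "r4"}, "PEN"),                                           # malformed row
        p.apply(None, "PEN"),                                                   # unreadable source
    ]
    return results, p.audit_queue
```

Every bad input ends as None plus an audit entry; the only non-reject outcome for ambiguous input is the idempotent no-op on a replayed stage.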
5. Recommendation / matrix / result
Every BI-FO-* must resolve to fail-closed in the actual B2 TD. No test run here. A fail-open oracle result would be a reject signal, not a pass.
6. Owner-gated future work
Running the bad-input oracle requires a staging producer; Owner-gated; forbidden now.
7. What remains unresolved
No oracle run; behavior is specified, not proven.
8. Ready for GPT/Codex review
Yes — Codex should add any fail-open mode omitted and confirm all map to fail-closed.