Mega Gate — Bad-Input Oracle / Harness Requirements (no test run)
Date: 2026-06-18 · Workstream: LEGO-PILOT-SLICE-0-B2-MEGA-GATE-BUNDLE-2026-06-18 (Deliverable 14 of 20) · Editorial revision: rev1
Class: design-only / oracle & harness requirements / verification requirement · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NOT remediation · NOT technical design · NOT implementation · NOT a runtime test · NO blocker resolved · NO runtime touched.
Metadata convention. Editorial revision (rev1) only. AgentData storage revision and content_length are authoritative in AgentData metadata at read time; not pinned in this body.
Oracle-requirements lock. This packet states what a future bad-input oracle/harness must check to verify B2 fails closed — as requirements, not a harness built or a test run. It executes no bad input, builds no harness, writes no test code/fixtures. The fail-closed question — would invalid input still create a stamp / certify / canonical / PASS? — is the oracle's, asked of a built producer; nothing is asked of runtime here.
0. Status and non-authorization
STATUS: PASS — engineering / design-only. This is a complete design-only oracle/harness requirements packet: the bad-input inventory the harness must cover (BAD-1…BAD-15), the fail-open conditions it must detect (F-OPEN-1…F-OPEN-10), the oracle's decision rule (fail-open ⇒ reject), the black-box / fail-open-regression / manifest-laundering-prevention properties the harness must have, and the tool-lock posture (v0.1-stable / FIX7 V3 baseline; v0.2-hardening not authority).
Engineering PASS ≠ authority PASS. A PASS means the oracle requirements are complete on paper. It is not an Owner authorization to build a harness, run a test, or build the producer. Default disposition: HOLD.
Pipeline position (downstream-only). Deliverable 14 of the Mega Gate Bundle; it deepens the verification plan (Deliverable D — BAD-1…15, F-OPEN-1…10, the Codex-style adversarial method) into oracle/harness requirements for a future pilot. It runs no test.
Non-authorization (explicit). As Deliverable 1 §0, and specifically: it executes no bad input; builds no harness/fixtures; writes no test code; builds no producer; runs no test. v0.1-stable / FIX7 V3 baseline not overwritten; v0.2-hardening not promoted / not used as authority.
Evidence basis — INHERITED_EVIDENCE. No runtime queried; the producer is MISSING, so every expected behavior is a conceptual obligation (BAD_INPUT_BEHAVIOR_UNCLEAR). AgentData metadata authoritative at read time. CAV-3/CAV-4/CAV-5 carried.
Reading discipline (Codex caveat, honored). All sources read directly from AgentData KB, bounded/sequential, by the main process — no parallel/background reader-agents, no sub-agents, no local-prose inference. /tmp = decode-scratch only, never SSOT.
1. Purpose
Answer the macro's bad-input question: what must the future bad-input oracle/harness require, so a built B2 is proven fail-closed (without running any test now)? The packet answers:
- What bad inputs must the harness cover? — §5 (BAD-1…15).
- What is the oracle's decision rule? — §5 (fail-open ⇒ reject).
- What fail-open conditions must it detect? — §5 (F-OPEN-1…10).
- What properties must the harness have? — §5 (black-box; fail-open regression; manifest-laundering prevention).
- What is the tool-lock posture? — §3.
The one rule, above all detail. The oracle asks one adversarial question of a built producer: would invalid input still create a stamp, a certify, a canonical write, or a PASS? If yes for any case → fail-open → REJECT. This packet states the oracle's requirements; it runs nothing and builds nothing.
2. Sources read
All 25 required sources read first-hand from AgentData KB, by the main process, sequentially; none SOURCE_NOT_READ (full list in Deliverable 20 §2). Used principally: the verification plan (Deliverable D — §3 adversarial method, §4 BAD-1…15, §5 expected rejection, §6 F-OPEN-1…10); the B2 TD-prep §8 (BI-1…12); the tool/packet lock (v0.1 baseline; v0.2 not authority; black-box oracle / fail-open regression / manifest-laundering lessons); operating-rules ("không chắc đúng = sai", i.e. uncertain = wrong; "PASS/FAIL không có số liệu", i.e. PASS/FAIL without figures).
3. Tool/packet lock (carried, no change)
| Item | Status |
|---|---|
| Tool/packet currently built by T1 = v0.1-stable / FIX7 V3 baseline | Carried. May continue to be used for FIX7 Recheck-9 / current Codex packet. Must not be overwritten. Use only as reproducibility / comparison / regression fixture. |
| Tool-Kiem-Thu v0.2-hardening | Carried. Separate development track on a separate dev surface. May inherit lessons from V3 (black-box oracle, fail-open regression, manifest-laundering prevention). Not authority for FIX7 until it passes regression and Owner/User promotes it. |
A v0.2-hardening result offered as authority for FIX7 is rejected until Owner/User promotion (mirrored as BAD-10 / BI-10 / B2-AC-11). The oracle lessons (black-box, fail-open regression, manifest-laundering prevention) are reusable as requirements below; reusing the lessons is not promoting v0.2.
4. Accepted baseline (carried, not re-derived)
- The fail-closed test (carried, Deliverable D §6): if invalid input would still stamp, certify, canonicalize, leak to production, survive delete-fast, act as approval, or produce a PASS, the contract is fail-open and must be rejected.
- BAD-1…BAD-15 (the ≥15 cases) and F-OPEN-1…F-OPEN-10 (the disqualifying outcomes) carried from Deliverable D.
- Producer MISSING → every expected behavior is a conceptual obligation (BAD_INPUT_BEHAVIOR_UNCLEAR); BAD-4 / BAD-5 / BAD-12 explicitly so.
- Blockers — all OPEN. Tool/packet lock carried (§3).
5. Bad-input oracle / harness requirements
5.1 Coverage requirement — the harness must exercise BAD-1…BAD-15 (carried)
| ID | Bad input / invalid state | Oracle's required pass-verdict (fail-closed) |
|---|---|---|
| BAD-1 | row missing entity_code | no inspect_pen; failure appended to audit evidence |
| BAD-2 | row missing collection_name | no inspect_pen; failure appended |
| BAD-3 | already certified=true | skip / no producer write |
| BAD-4 | partial inspect_* of unknown origin | mark ambiguous / Owner-gated review / never certify (BAD_INPUT_BEHAVIOR_UNCLEAR) |
| BAD-5 | Đ0-G rule-set unresolved | SOURCE_RECOVERY_REQUIRED; no stamp (depends on GATE-3) |
| BAD-6 | asked to set certified=true | reject (B2 never certifies) |
| BAD-7 | asked to set canonical_address | reject (canonical is at-promote) |
| BAD-8 | blanket inspect_*=now() | reject as the fused-shortcut |
| BAD-9 | channel not approved / owner missing | no-op / pending Owner |
| BAD-10 | v0.2-hardening offered as FIX7 authority | reject until Owner/User promotion |
| BAD-11 | out-of-order STAMP/GATE | reject (later stamp may not precede earlier) |
| BAD-12 | out-of-scope governance_role | skip / out of scope (BAD_INPUT_BEHAVIOR_UNCLEAR for observed) |
| BAD-13 | audit event used as approval | reject (S7 records, not approves) |
| BAD-14 | candidate result written to a production field | reject / impossible by separation (the load-bearing isolation test) |
| BAD-15 | delete-fast leaves a candidate behind | reject the staging design (disposal must be total) |
5.2 Detection requirement — the harness must detect F-OPEN-1…F-OPEN-10 (carried)
The oracle must flag, as disqualifying, any of: F-OPEN-1 phantom stamp · F-OPEN-2 unearned certify · F-OPEN-3 canonical leak · F-OPEN-4 fused shortcut · F-OPEN-5 ungoverned run · F-OPEN-6 authority confusion (v0.2-as-authority or audit-event-as-approval) · F-OPEN-7 order violation · F-OPEN-8 production leak · F-OPEN-9 disposal residue · F-OPEN-10 silent PASS.
5.3 Oracle decision rule
Fail-open ⇒ REJECT. For every BAD-n, the oracle asks: would the invalid input still produce a stamp / certify / canonical write / production leak / surviving residue / approval / a PASS? If yes for any case, the producer is fail-open and the pilot is rejected. The oracle defaults to REJECT on uncertainty ("không chắc đúng = sai": uncertain = wrong) and on any PASS reported without evidence (F-OPEN-10).
5.4 Harness properties the oracle must have (oracle lessons, reused as requirements — not v0.2 promotion)
| Property | Requirement on the future harness | Why |
|---|---|---|
| Black-box oracle | the oracle judges B2 by its observable outputs (the inspect_* columns set/unset, the audit append, the production snapshot) — not by trusting the producer's self-report | a producer that claims fail-closed must be proven by readback, not by its own log (operating-rules: judge by evidence, not feeling) |
| Fail-open regression | each BAD-n is a standing regression case: once a producer passes, a later change must not silently re-open a fail-open path | prevents a fix from regressing fail-closure |
| Manifest-laundering prevention | the oracle must not accept a "manifest" / summary that launders a fail-open result into a PASS; it checks the actual readback, not a curated manifest | prevents a fail-open from being hidden behind a clean-looking report (F-OPEN-10) |
| Evidence-backed verdict | every BAD-n verdict carries the readback evidence (the unset column, the audit record, the before/after production snapshot) — no silent PASS | AP-CLOSE; "PASS/FAIL không có số liệu" (PASS/FAIL without figures) anti-pattern |
| Adversarial construction | cases are constructed outside the happy path (missing identity, partial/ambiguous, fused, out-of-order, out-of-scope, leak-to-production, residue, authority confusion) | a happy-path harness would skip exactly the cases that matter |
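As an added illustration only (this packet writes no test code, and this is not the harness), a model of the §5.3 decision rule carrying the §5.4 properties: the verdict is computed from the harness's own black-box readback, anything unobserved counts as uncertain and rejects, the producer's self-reported PASS is never consulted, and a PASS with no readback evidence is rejected as F-OPEN-10. The field names and the sample readbacks are constructed assumptions of this example, not the packet's schema or any runtime observation.

```python
from dataclasses import dataclass
from typing import Optional

# Black-box readback for one BAD-n case: what the harness itself observed after the
# run (column values, audit append, production snapshot diff), never what the
# producer's log or manifest claims. None = not observed. Field names are assumed.
@dataclass
class Readback:
    case: str                                     # e.g. "BAD-6"
    stamp_written: Optional[bool] = None          # any inspect_* set       -> F-OPEN-1
    certified_set: Optional[bool] = None          # certified=true written  -> F-OPEN-2
    canonical_written: Optional[bool] = None      # canonical_address set   -> F-OPEN-3
    production_changed: Optional[bool] = None     # prod snapshot differs   -> F-OPEN-8
    residue_after_delete: Optional[bool] = None   # candidate survives      -> F-OPEN-9
    evidence: tuple = ()                          # readback artefacts backing the verdict
    producer_claims_pass: bool = False            # self-report; never consulted

FAIL_OPEN = {  # readback flag -> the disqualifying condition it evidences (§5.2)
    "stamp_written": "F-OPEN-1 phantom stamp",
    "certified_set": "F-OPEN-2 unearned certify",
    "canonical_written": "F-OPEN-3 canonical leak",
    "production_changed": "F-OPEN-8 production leak",
    "residue_after_delete": "F-OPEN-9 disposal residue",
}

def judge_case(rb: Readback):
    """§5.3 for one case: fail-open => REJECT; unobserved => REJECT; no evidence => REJECT."""
    reasons = []
    for flag, label in FAIL_OPEN.items():
        observed = getattr(rb, flag)
        if observed is None:
            reasons.append(f"{flag} unobserved (không chắc đúng = sai)")
        elif observed:
            reasons.append(label)
    if not reasons and not rb.evidence:
        reasons.append("F-OPEN-10 silent PASS (no readback evidence)")
    # rb.producer_claims_pass is deliberately ignored: manifest-laundering prevention.
    return ("REJECT" if reasons else "PASS", reasons)

def judge_pilot(readbacks):
    """Pilot verdict: any fail-open case rejects the whole pilot (§5.3)."""
    results = {rb.case: judge_case(rb) for rb in readbacks}
    return ("REJECT" if any(v == "REJECT" for v, _ in results.values()) else "PASS"), results

# Constructed sample readbacks (not observed from any runtime; the producer is MISSING).
SAMPLE = [
    Readback("BAD-6", False, False, False, False, False, ("row readback: certified=false",)),
    Readback("BAD-4", None, False, False, False, False, ("audit readback",)),  # stamp unobserved
    Readback("BAD-14", False, False, False, True, False, ("prod snapshot diff",), True),
]
```

Running judge_pilot(SAMPLE) rejects the pilot: BAD-4 is uncertain and BAD-14 shows a production leak, and the self-reported PASS on BAD-14 plays no part in that verdict.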
5.5 Verdict
The oracle/harness requirements are complete on paper; they are not met (no producer to test; INHERITED_EVIDENCE / BAD_INPUT_BEHAVIOR_UNCLEAR). A future pilot must build a harness with §5.4 properties, exercise BAD-1…15, detect F-OPEN-1…10, and apply the fail-open⇒reject rule. No bad input is executed; no harness is built; no test is run here.
6. Owner-gated future work
| Future work | Gate required | Forbidden now? |
|---|---|---|
| Build the B2 producer (so bad inputs can be tested) | Điều 32 + S2 + channel + staging | Yes |
| Build the bad-input harness/oracle (with §5.4 properties) | Điều 32 (within the governed pilot) | Yes |
| Execute BAD-1…BAD-15 against the built producer in staging | Điều 32 + built producer + built staging | Yes |
| Generate the evidence-backed verdicts | Điều 32 (within the governed pilot) | Yes |
| Promote v0.2-hardening to FIX7 authority | regression + Owner/User promotion (forbidden now) | Yes |
7. What remains unresolved
- No test is run; the producer is MISSING. Every BAD-n behavior is a conceptual obligation (BAD_INPUT_BEHAVIOR_UNCLEAR); BAD-4/BAD-5/BAD-12 explicitly so.
- BAD-5 depends on GATE-3 (Đ0-G authoritative; Deliverable 10).
- BAD-14 / BAD-15 are the load-bearing staging tests — production leak and disposal residue (cross Deliverables 12/13).
- Tool lock holds — v0.1-stable / FIX7 V3 not overwritten; v0.2-hardening not authority (BAD-10 rejects it as authority); the oracle lessons are reused as requirements, not a v0.2 promotion.
- Blockers — all OPEN, none resolved: CONS-002, CONS-003, CELL-003/004/007, HOLD-1, HOLD-2, RISK-BYPASS, GOV-016/017, GOV-REUSE-001, Điều 39 runtime-EMPTY, Điều 35 production-readiness FAIL.
- FUTURE_TECHNICAL_DESIGN_REQUIRED (NOT written here): the harness, fixtures, the producer, the staging surface, any test code or command sequence.
8. Ready for GPT/Codex review
Yes — as a design-only oracle/harness requirements packet, not a test.
Core rule, kept above all detail: the future oracle must cover BAD-1…15, detect F-OPEN-1…10, apply fail-open ⇒ reject, and be black-box / regression-guarded / manifest-laundering-proof / evidence-backed — asking of a built producer "would invalid input still stamp/certify/canonicalize/PASS?" No test is run; no harness is built; v0.2 is not promoted.
Default disposition: HOLD. Engineering PASS = a complete oracle-requirements set on paper; it is not an Owner authorization to build, harness, or test. No PASS authorizes writes. All blockers remain OPEN.