07 — C1 Authorization Verifier & Grant Proof (2026-06-22)
LABELS: LOCAL_DISPOSABLE_SANDBOX_DOT_EMULATOR · NOT_GOVERNED_RUNTIME · NOT_PRODUCTION · NOT_DIRECTUS_GOVERNED_WRITE · NOT_A_SUBSTITUTE_FOR_DOT_C1_REGISTRATION
c1.verify_authorization(auth_code, carrier, plan_ref, manifest_hash, action_set) mirrors the production governance_build_authorization model (22 cols: scope jsonb, expires_at NOT NULL, consumed/revoked, rollback_plan_ref NOT NULL). All grants below are non-production sandbox fixtures (granted_by='SANDBOX_FIXTURE').
Verifier guarantees (each → distinct reject code)
| Property required | Reject code on violation |
|---|---|
| auth_code present | REJECT_AUTH_MISSING |
| exactly one row | REJECT_AUTH_NOT_FOUND / REJECT_AUTH_AMBIGUOUS |
| not revoked | REJECT_AUTH_REVOKED |
| not consumed (single-use) | REJECT_AUTH_ALREADY_CONSUMED |
| status='active' | REJECT_AUTH_NOT_ACTIVE |
| not expired | REJECT_AUTH_EXPIRED |
| C1-only, not generic | REJECT_AUTH_GENERIC_SCOPE (carrier */null) |
| correct carrier | REJECT_AUTH_WRONG_CARRIER |
| plan-bound | REJECT_AUTH_WRONG_PLAN |
| manifest-bound | REJECT_AUTH_MANIFEST_MISMATCH |
| exact action set (no loose superset) | REJECT_AUTH_LOOSE_SUPERSET |
Grant fixtures exercised (9)
| auth_code | scope intent | verifier outcome |
|---|---|---|
| G_VALID | carrier=C1, plan=LEGO1-C1-PLAN, manifest_hash=computed, action_set=exact | OK (consumed on apply) |
| G_GENERIC | carrier=* | REJECT_AUTH_GENERIC_SCOPE |
| G_WRONGCARRIER | carrier=C2 | REJECT_AUTH_WRONG_CARRIER |
| G_WRONGPLAN | plan=OTHER-PLAN | REJECT_AUTH_WRONG_PLAN |
| G_WRONGHASH | manifest_hash=deadbeef | REJECT_AUTH_MANIFEST_MISMATCH |
| G_SUPERSET | action_set + c1.op.SMUGGLED | REJECT_AUTH_LOOSE_SUPERSET |
| G_EXPIRED | expires_at = now-1h | REJECT_AUTH_EXPIRED |
| G_REVOKED | revoked_at set | REJECT_AUTH_REVOKED |
| G_CONSUMED | consumed_at set | REJECT_AUTH_ALREADY_CONSUMED |
Single-use (CAS consume)
On valid SANDBOX_APPLY the grant is consumed via UPDATE … WHERE status='active' AND consumed_at IS NULL AND revoked_at IS NULL. Re-use of the same grant → REJECT_AUTH_ALREADY_CONSUMED, 0 new rows (file 10).
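As an added illustration of the guarantees table and the CAS consume above (not the emulator's own c1.verify_authorization nor the production table), a Python/sqlite stand-in that runs the checks in table order and returns the reject code of the first violated property; the reduced column set, the action name c1.op.BUILD and the manifest hash cafe01 are constructed placeholders.

```python
import json, sqlite3
from datetime import datetime, timedelta, timezone
NOW = datetime(2026, 6, 22, tzinfo=timezone.utc)   # constructed clock for the fixtures
HOUR = timedelta(hours=1)
COLS = "auth_code, status, revoked_at, consumed_at, expires_at, scope"

def sandbox_db(fixtures):   # constructed in-memory stand-in holding only the verifier-relevant columns
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE governance_build_authorization ({COLS})")
    db.executemany(f"INSERT INTO governance_build_authorization ({COLS}) VALUES (?,?,?,?,?,?)",
                   [(c, s, r, u, e.isoformat(), json.dumps(sc)) for c, s, r, u, e, sc in fixtures])
    return db

def verify_authorization(db, auth_code, carrier, plan_ref, manifest_hash, action_set, now=NOW):
    """Checks run in the order of the guarantees table; the first violated property yields its code."""
    if not auth_code:
        return "REJECT_AUTH_MISSING"
    rows = db.execute(f"SELECT {COLS} FROM governance_build_authorization WHERE auth_code=?",
                      (auth_code,)).fetchall()
    if not rows:
        return "REJECT_AUTH_NOT_FOUND"
    if len(rows) > 1:
        return "REJECT_AUTH_AMBIGUOUS"
    _, status, revoked_at, consumed_at, expires_at, scope_json = rows[0]
    if revoked_at is not None:
        return "REJECT_AUTH_REVOKED"
    if consumed_at is not None:
        return "REJECT_AUTH_ALREADY_CONSUMED"
    if status != "active":
        return "REJECT_AUTH_NOT_ACTIVE"
    if datetime.fromisoformat(expires_at) <= now:
        return "REJECT_AUTH_EXPIRED"
    scope = json.loads(scope_json)
    if scope.get("carrier") in (None, "*"):             # generic token (carrier */null)
        return "REJECT_AUTH_GENERIC_SCOPE"
    if scope["carrier"] != carrier:
        return "REJECT_AUTH_WRONG_CARRIER"
    if scope.get("plan_ref") != plan_ref:
        return "REJECT_AUTH_WRONG_PLAN"
    if scope.get("manifest_hash") != manifest_hash:
        return "REJECT_AUTH_MANIFEST_MISMATCH"
    if set(scope.get("action_set", ())) != set(action_set):  # exact set, no loose superset
        return "REJECT_AUTH_LOOSE_SUPERSET"
    return "OK"

def consume(db, auth_code, now=NOW):   # CAS single-use consume; rowcount 0 == grant already spent/revoked
    cur = db.execute("UPDATE governance_build_authorization SET consumed_at=? WHERE auth_code=? "
                     "AND status='active' AND consumed_at IS NULL AND revoked_at IS NULL",
                     (now.isoformat(), auth_code))
    return cur.rowcount
```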
Properties proven
C1-only ✔ · test/sandbox-only ✔ · plan-bound ✔ · manifest-bound ✔ · expiry ✔ · revocation ✔ · single-use lease ✔ · no generic token ✔ · no loose superset ✔ · no stale/reused grant ✔.
Scope note
Production governance_build_authorization has 0 grants (active=0). No production sovereign grant exists; the sandbox grant is a clearly marked non-production fixture. A governed C1 grant remains part of the operator action (file 13).