09 — C1 Bad-Input & Fail-Closed Results (2026-06-22)
LABELS: LOCAL_DISPOSABLE_SANDBOX_DOT_EMULATOR · NOT_GOVERNED_RUNTIME · NOT_PRODUCTION · NOT_DIRECTUS_GOVERNED_WRITE · NOT_A_SUBSTITUTE_FOR_DOT_C1_REGISTRATION
19 bad-input cases executed via c1.run_case(...). Every row: fail_closed=t, has_seal=f. Aggregate: total=19, not_fail_closed=0, any_bad_input_emitted_seal=f.
| case | outcome | reject_code | has_seal | fail_closed |
|---|---|---|---|---|
| bad_mode | REJECT | REJECT_BAD_MODE | f | t |
| wrong_carrier | REJECT | REJECT_WRONG_CARRIER | f | t |
| c2_cross_mutation | REJECT | REJECT_C2_CROSS_MUTATION | f | t |
| production_target | REJECT | REJECT_PRODUCTION_TARGET | f | t |
| missing_plan | REJECT | REJECT_MISSING_PLAN | f | t |
| bad_version | REJECT | REJECT_BAD_PROTOCOL_VERSION | f | t |
| injected_ops | REJECT | REJECT_NON_GOVERNED_VALUE_INJECTION | f | t |
| wrong_hash | REJECT | REJECT_MANIFEST_HASH_MISMATCH | f | t |
| no_authorization | REJECT | REJECT_AUTH_MISSING | f | t |
| auth_not_found | REJECT | REJECT_AUTH_NOT_FOUND | f | t |
| generic_auth | REJECT | REJECT_AUTH_GENERIC_SCOPE | f | t |
| grant_wrong_carrier | REJECT | REJECT_AUTH_WRONG_CARRIER | f | t |
| grant_wrong_plan | REJECT | REJECT_AUTH_WRONG_PLAN | f | t |
| grant_hash_mismatch | REJECT | REJECT_AUTH_MANIFEST_MISMATCH | f | t |
| loose_superset | REJECT | REJECT_AUTH_LOOSE_SUPERSET | f | t |
| expired_auth | REJECT | REJECT_AUTH_EXPIRED | f | t |
| revoked_auth | REJECT | REJECT_AUTH_REVOKED | f | t |
| reused_consumed_auth | REJECT | REJECT_AUTH_ALREADY_CONSUMED | f | t |
| attempted_real_run | RAISED | C1_PROD_REAL_RUN_BLOCKED (exception) | f | t |
Coverage vs the required bad-input list (§3.8)
- missing manifest/wrong hash → wrong_hash + grant_hash_mismatch ✔
- extra/duplicate value → injected_ops + PK on-conflict (file 10) ✔
- wrong version → bad_version ✔
- semantic rewrite → injected_ops + write-once (file 10) ✔
- wrong carrier → wrong_carrier ✔
- wrong lane/production target → production_target ✔
- wrong plan → grant_wrong_plan ✔
- no/generic/expired/revoked/reused auth → 6 cases ✔
- loose action superset → loose_superset ✔
- attempted real-run → attempted_real_run (RAISE) ✔
- attempted production target → production_target ✔
- attempted C2 mutation → c2_cross_mutation ✔
Fail-open assertion
No invalid input produced a PASS/digest/seal. has_seal excludes the dry-run sentinel WITHHELD_DRY_RUN; no case emitted a real seal. No C1_DRYRUN_REJECT_BAD_INPUT_FAIL_OPEN condition exists.