KB-3248
READY-TO-ASSEMBLE-LEGO1 07 — C1 Check/Test & Adversarial Matrix — 2026-06-22
8 min read Revision 1
ready-to-assemble-lego1test-matrixadversarialc1-canonical-operation-vocabularybad-inputsregistration-hold2026-06-22
READY-TO-ASSEMBLE-LEGO1 07 — C1 Check/Test & Adversarial Matrix — 2026-06-22
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations.
Status of all tests: DEFINED_NOT_EXECUTED (design fixtures; caveat C3). Write status of every row: NOT_EXECUTED.
Controlling property: no invalid/adversarial input may produce PASS / digest / seal / ready. If any could, this package would stop at READY_TO_ASSEMBLE_LEGO1_HOLD_TEST_MATRIX_INCOMPLETE.
1. Valid-input tests
| Test | Purpose | Input | Expected output | Command/check | PASS | FAIL |
|---|---|---|---|---|---|---|
| V1 | vocabulary present | populated table | VOCAB_PRESENT |
query_pg count>0 (DRY_RUN) |
count>0 | count=0 |
| V2 | value lookup ok | active value+act_type | VOCAB_LOOKUP_OK |
lookup fixture | resolves | not found |
| V3 | versioned supersession resolvable | superseded value, historical effect | old value still resolvable | lookup under old protocol_version |
resolves | dangling |
| V4 | register_dot is one value | register_dot for dot_registration only |
accepted as one value, not default | admission fixture | accepted-as-one | defaulted |
2. Invalid-input tests (must reject; no PASS)
| Test | Input | Expected rejection | Evidence |
|---|---|---|---|
| I1 | resolve against absent table | CANONICAL_OPERATION_VOCABULARY_REQUIRED_NOT_PRESENT |
closeout C1; file 02 §4 |
| I2 | lookup absent value | CANONICAL_OPERATION_VALUE_ABSENT |
file 04 §2.2 |
| I3 | new use of retired value, no successor | CANONICAL_OPERATION_RETIRED_FOR_NEW_USE (I6) |
file 05 §6 |
| I4 | founding/scope act → register_dot |
WRONG_CANONICAL_OPERATION_FOR_EFFECT |
RS5B-PATCH2 R1 |
| I5 | create runtime rows w/o separate authorization | VOCABULARY_RUNTIME_OVERCLAIM |
R5 |
| I6 | admit an authority-named value as an operation | WRONG_CANONICAL_OPERATION_FOR_EFFECT |
file 03 §7 |
3. Adversarial tests (beyond happy path — required bad inputs §3.7)
Each maps an attack to a single reject code; none can reach PASS/digest/seal.
| # | Adversarial input | Expected rejection | Can PASS? |
|---|---|---|---|
| AD1 missing plan | build attempted with no LEGO1-C1-… plan object |
ROLLBACK_PLAN_ABSENT (RBP-1) / INDEPENDENT_REVIEW_NOT_OBTAINED |
No |
| AD2 wrong carrier ID | Chairman token/plan names a different carrier | CHAIRMAN_AUTHORIZATION_SCOPE_MISMATCH (XBI-24) |
No |
| AD3 wrong version | value admitted under a stale/forged protocol_version |
ROLLBACK_CHANGES_HISTORICAL_SEMANTICS (RBP-5) if it re-means history; else admission rejected |
No |
| AD4 deleted referenced identity | drop a value referenced by a historical effect | ROLLBACK_DELETES_REFERENCED_IDENTITY (RBP-2) — XBI-11 |
No |
| AD5 orphan edge | retire value so a live C2 ref cannot resolve | ROLLBACK_ORPHANS_DEPENDENCY (RBP-3) |
No |
| AD6 erased history | erase the value's prior audit/value record | ROLLBACK_ERASES_HISTORY (RBP-4) |
No |
| AD7 semantic mutation | re-mean an existing value in place | ROLLBACK_CHANGES_HISTORICAL_SEMANTICS (RBP-5) |
No |
| AD8 authority weakening | drop governing_authority_ref / make it optional |
ROLLBACK_WEAKENS_AUTHORITY (RBP-6) |
No |
| AD9 successor exists but retired value still admissible | retire value, leave it usable for new acts | ROLLBACK_FORWARD_FAIL_CLOSED_VIOLATED (RBP-8) — XBI-26 |
No |
| AD10 non-local rollback | C1 rollback only works by editing C2 | ROLLBACK_NOT_LOCAL (RBP-10) — XBI-19A |
No |
| AD11 generic Chairman token | token present but not scoped to this plan | CHAIRMAN_AUTHORIZATION_SCOPE_MISMATCH (XBI-24) |
No |
| AD12 no Chairman token | plan reviewed, no token | G2_EXECUTION_REQUIRES_SEPARATE_AUTHORIZATION (XBI-23) |
No |
| AD13 Gate A treated as P2 open | use Gate A accept to create the table now | BASELINE_ACCEPTANCE_NOT_P2_OPEN_AUTHORIZATION (XBI-22) |
No |
| AD14 attempted runtime write (this macro) | any DDL/DML during prep/review | RUNTIME_MUTATION_REJECTED (RBP-0) — XBI-10 |
No |
| AD15 attempted rollback execution (this macro) | execute a retire now | RUNTIME_MUTATION_REJECTED (RBP-0); I10 contract-validity ≠ execution |
No |
| AD16 invalid input still emits PASS/digest/seal | any of AD1–AD15 produces a seal | fail-open ⇒ HOLD/REJECT; by construction none does (see §6) | No |
| AD17 successor-rule absent | retire value with no successor mapping at all | ROLLBACK_SUCCESSOR_RULE_ABSENT (RBP-7) — XBI-17 |
No |
| AD18 audit absent | rollback without rollback_ref/audit |
ROLLBACK_AUDIT_TRAIL_ABSENT (RBP-9) — XBI-18 |
No |
| AD19 mega-registry coupling | C1 merged with C2/owner into one table/lifecycle | LEGO_BOUNDARY_INSUFFICIENT (XBI-6) |
No |
| AD20 overload existing vocab | reuse apr_action_types/dot_operations as the C1 carrier |
scope drift (file 03 §7); rejected at plan review | No |
4. Regression tests (existing surfaces unaffected)
| Test | Purpose | Check (read-only) | PASS |
|---|---|---|---|
| R1 ownership untouched | C1 build mints no owner | count(governance_object_ownership) == 0 before/after |
unchanged at 0 |
| R2 approval untouched | C1 build creates no approval | count(approval_requests) unchanged |
unchanged (230) |
| R3 no register_dot | C1 introduces no register_dot path | apr_action_types/dot_operations unchanged; no register_dot value |
unchanged |
| R4 guard views | existing guard views still pass | read v_authority_quorum_regression_guard, v_birth_register_* read-only |
no new violation |
| R5 build-authorization integrity | exactly one token consumed | governance_build_authorization shows 1 consumed row for this plan |
exactly 1 |
5. Preflight / post-assembly / rollback / evidence / authority-boundary tests
| Class | Test | Expected |
|---|---|---|
| Preflight | P-PRE: file 09 checks all PASS at build time | PASS or STOP |
| Post-assembly | P-POST: table exists, values governed, diff matches file 06 §6 shape | matches |
| Rollback | P-RB: retire-with-successor is local, resolvable, audited, forward-fail-closed | RBP-PASS for the rollback plan; reject otherwise |
| Evidence | P-EV: before/after snapshots + hashes + readback present (file 10) | all artifacts present |
| Authority boundary | P-AUTH: no authority inherited; Chairman token scoped+consumed; HOLD retained | no inheritance; HOLD intact |
6. Why no invalid input can produce PASS/digest/seal
- The rollback validity oracle PASS is the full conjunction
¬RBP0 ∧ … ∧ ¬RBP10; every adversarial rollback above matches at least one RBP-k, falsifying its¬RBPk⇒ PASS impossible (closeout file 02 proof; precedence emits the earliest match). - The admission/check rejects (
…_REQUIRED_NOT_PRESENT,…_VALUE_ABSENT,…_RETIRED_FOR_NEW_USE,WRONG_CANONICAL_OPERATION_FOR_EFFECT,VOCABULARY_RUNTIME_OVERCLAIM) are fail-closed and emit a single code; none returns a seal. - The gate/authority rejects (XBI-22/23/24/10/6) are fail-closed; a baseline/seal/digest is never emitted on the reject path.
- ⇒ The matrix is complete and fail-closed; no
READY_TO_ASSEMBLE_LEGO1_HOLD_TEST_MATRIX_INCOMPLETE.
7. Boundary attestation
This file defines tests at design level (DEFINED_NOT_EXECUTED). It creates no carrier, runs no runtime test, writes no row, opens no P2/lane, and clears no blocker. REGISTRATION_HOLD retained; REGISTRATION_CAN_PROCEED = NO; 0 runtime mutations; I1–I10 not weakened.