RS5A-PATCH1-06 — Negative-Test Oracle Corrections — 2026-06-21
Macro: RS5A-PATCH1 · Objective E + R5 · Deliverable: 06 of 10.
Supersedes: the expected-reject codes for RS5A-09 cases D07, H03, H07, I03, G02, G08 only. The other 78 cases stand; no renumbering. Suite remains DEFINED_NOT_EXECUTED.
Reason (Codex §9): the listed codes are not sufficiently discriminating to serve as an executable acceptance oracle.
1. Authoritative oracle-correction table
| case | scenario | RS5A-09 code (withdrawn) | corrected oracle | why |
|---|---|---|---|---|
| D07 | register_dot authored with risk tier weaker than high | QUORUM_NOT_SATISFIED | REGISTER_DOT_RISK_TIER_MISMATCH (alias REGISTER_DOT_ACTION_CONTRACT_VIOLATION) | a weaker tier can pass its own quorum; the violation is contract-level, not quorum shortfall |
| H03 | registration writes out-of-vocabulary status (live: published×16) | STATUS_POLICY_UNDECLARED | STATUS_VALUE_OUT_OF_VOCABULARY | a status policy may exist; the fault is the value, not a missing policy |
| H07 | success-audit row emitted on registration | FAILURE_AUDIT_POLICY_UNDECLARED | SUCCESS_AUDIT_FORBIDDEN_BY_PHASE4_CONTRACT (alias SUCCESS_AUDIT_NOT_PART_OF_REGISTER_DOT_CONTRACT) | PATCH2-04: no success audit; this is a forbidden-side-effect, not a missing failure sink |
| I03 | draft write fires activation notify | STATUS_POLICY_UNDECLARED | DRAFT_WRITE_EMITTED_ACTIVATION_NOTIFY (alias ACTIVATION_SIDE_EFFECT_ON_INERT_WRITE) | the fault is an activation side-effect on an inert write, not a missing status policy |
2. Replay / idempotency distinction (G02, G08)
RS5A-09 conflated "nonce reuse" with "exact retry". Corrected:
| case | precise scenario | corrected outcome | class |
|---|---|---|---|
| G02a | same effect + same nonce, already committed | idempotent retrieval of the prior durable decision (no new write, no reject) | IDEMPOTENCY_BEHAVIOR_CASE |
| G02b | same nonce + changed request/effect | NONCE_REUSE_DIFFERENT_EFFECT | rejection |
| G02c | same nonce + changed authorization envelope | NONCE_REUSE_AUTHORIZATION_MISMATCH | rejection |
| G08 | exact retry: same effect / same nonce / same envelope | returns the prior durable decision; NOT a rejection | IDEMPOTENCY_BEHAVIOR_CASE |
So G02 splits into one idempotency case (G02a) and two rejection cases (G02b, G02c); G08 is explicitly an idempotency behavior, not a reject. (This aligns with RS5A-09 I05's existing "revision = new effect, admit not reject" behavioral framing.)
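The G02a/G02b/G02c/G08 split above, written as an executable oracle. This is an added illustration, not part of RS5A-09 or of this patch's own artifacts. The `NonceLedger` class, its status strings, the request field names, and the choice to test the effect before the envelope when both differ are assumptions; the two reject codes are the ones in the table.

```python
import hashlib
import json

def digest(obj) -> str:
    """Canonical SHA-256 of a JSON-serialisable request part."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

class NonceLedger:
    """Hypothetical durable-decision store keyed by nonce (in-memory here)."""

    def __init__(self):
        self._committed = {}   # nonce -> (effect digest, envelope digest, decision)
        self.writes = 0        # durable-write counter, to prove "no new write"

    def submit(self, nonce, effect, envelope):
        eff, env = digest(effect), digest(envelope)
        prior = self._committed.get(nonce)
        if prior is None:
            # First sight of this nonce: commit a new durable decision.
            self.writes += 1
            decision = {"decision_id": self.writes, "outcome": "ADMITTED"}
            self._committed[nonce] = (eff, env, decision)
            return "COMMITTED", decision
        prior_eff, prior_env, decision = prior
        if prior_eff != eff:
            # G02b: the nonce is already bound to a different request/effect.
            return "REJECTED", "NONCE_REUSE_DIFFERENT_EFFECT"
        if prior_env != env:
            # G02c: same effect, but the authorization envelope changed.
            return "REJECTED", "NONCE_REUSE_AUTHORIZATION_MISMATCH"
        # G02a / G08: exact retry returns the prior decision; no write, no reject.
        return "IDEMPOTENT_RETRIEVAL", decision

# Constructed sample request (field names and values are illustrative only).
EFFECT = {"action": "register_dot", "target": "dot-example", "status": "draft"}
ENVELOPE = {"risk_tier": "high", "approvers": ["a1", "a2"]}

def run_cases():
    ledger = NonceLedger()
    first = ledger.submit("n-001", EFFECT, ENVELOPE)
    g08 = ledger.submit("n-001", dict(EFFECT), dict(ENVELOPE))
    g02b = ledger.submit("n-001", {**EFFECT, "target": "dot-other"}, ENVELOPE)
    g02c = ledger.submit("n-001", EFFECT, {**ENVELOPE, "approvers": ["a1"]})
    return first, g08, g02b, g02c, ledger.writes

if __name__ == "__main__":
    print(run_cases())
```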
3. Dependent coverage-text correction
RS5A-09 §"Coverage check" mapped quorum-true-semantics ✔(F05/F10) and nonce-issuer ✔(G01) etc. Corrected coverage notes:
- "wrong risk tier" now maps to D07 → REGISTER_DOT_RISK_TIER_MISMATCH (no longer a quorum case).
- "status policy missing" (H01) is unchanged; H03 is now a distinct value-vocabulary case, not a policy-undeclared duplicate.
- "audit policy missing" (H06) is unchanged; H07 is now a forbidden-success-audit case, not a missing-sink duplicate.
- "notify on draft" (I03) is now an activation-side-effect case, distinct from status policy (H01/H02).
- Replay coverage now reads: G02a/G08 idempotency + G02b/G02c nonce-reuse rejections + G01/G03–G07 authority/window.
Net case count: still 84 enumerated (G02 internally clarified as a/b/c sub-outcomes of one numbered case; no renumber). All mandatory fail-open classes remain covered.
4. Status
R5 CLOSED — six oracle defects corrected; replay vs idempotency made explicit; coverage text reconciled. Tests remain defined-not-executed; TEST_ORACLE_INSUFFICIENT HOLD does not apply.