RS5A-09 — Negative Authority Test Suite (84 cases) — 2026-06-21
Macro: RS5A · Objective H · Deliverable: 09 of 15.
Class: DEFINED_NOT_EXECUTED — these are acceptance criteria for a future governed registrar. No test was run; no runtime was driven; no mutation occurred.
Layers: V = validator (pure/shape), R = registrar admission guard, A = authority/quorum, F = future-surface (fails closed until the surface exists). V is defined for completeness; every case below is assigned R, A or F. Group A rows additionally name the fail-open each case must defeat; the coverage check at the end maps the mandatory fail-open list onto cases. Reject codes are defined in [[rs5a-06]].
Count: 84 cases (≥80 required): A 12 · B 10 · C 8 · D 10 · E 10 · F 10 · G 8 · H 8 · I 8.
Group A — Owner identity spoofing (A01–A12)
| ID | input / state | expected reject | layer | fail-open guarded |
|---|---|---|---|---|
| A01 | request payload says "I am owner" | CALLER_SELF_ASSERTED_OWNER_REJECTED | R | caller = authority |
| A02 | dot_tools.owner='system' cited as owner | FREE_TEXT_OWNER_REJECTED | R | free-text owner |
| A03 | dot_tools.owner='claude_ai' cited | FREE_TEXT_OWNER_REJECTED | R | free-text owner |
| A04 | dot_tools.owner=NULL treated as ownerless-OK | OWNER_OF_RECORD_ABSENT | R | null = permissive |
| A05 | Directus Administrator cited as owner | DIRECTUS_ROLE_NOT_GOVERNANCE_OWNER | R | RBAC = governance |
| A06 | Directus user (1 of 13) cited as owner | DIRECTUS_ROLE_NOT_GOVERNANCE_OWNER | R | user = head |
| A07 | tac-admin role cited | DIRECTUS_ROLE_NOT_GOVERNANCE_OWNER | R | admin = owner |
| A08 | operator/registrar runtime cited as owner | OPERATOR_NOT_OWNER | R | operator = authority |
| A09 | APR proposer cited as owner | REQUESTER_NOT_OWNER/CALLER_SELF_ASSERTED_OWNER_REJECTED | A | proposer = authority |
| A10 | reviewed_by free text cited as owner | FREE_TEXT_OWNER_REJECTED | R | reviewer text = head |
| A11 | vote approver='president-bot' (substring) treated as president authority head | QUORUM_APPROVER_IDENTITY_UNVERIFIED | A | ILIKE '%president%' text match |
| A12 | approver_type='ai_council' self-declared without head binding | QUORUM_APPROVER_IDENTITY_UNVERIFIED | A | type text = identity |
Group B — Owner binding & lifecycle (B01–B10)
| ID | input / state | expected reject | layer |
|---|---|---|---|
| B01 | governance_object_ownership = 0 rows | OWNER_OF_RECORD_ABSENT | R |
| B02 | ownership row exists but owner_kind='supporting' (no accountable) | ACCOUNTABLE_HEAD_UNRESOLVED | R |
| B03 | ownership row owner_kind='delegated', effective_to past | AUTHORIZATION_WINDOW_EXPIRED | A |
| B04 | ownership row lifecycle_status='superseded' | ACCOUNTABLE_HEAD_UNRESOLVED | R |
| B05 | ownership row lifecycle_status='revoked' | AUTHORITY_BINDING_UNRESOLVED | R |
| B06 | ownership row lifecycle_status='expired' | AUTHORIZATION_WINDOW_EXPIRED | A |
| B07 | two active accountable rows for same (object,scope) | (blocked by uq_gov_obj_accountable) ACCOUNTABLE_HEAD_UNRESOLVED | F |
| B08 | accountable head = GOV-MOIT (draft governance object) | AUTHORITY_BINDING_UNRESOLVED | R |
| B09 | owner_gov_code not in governance_registry | (FK reject) AUTHORITY_BINDING_UNRESOLVED | F |
| B10 | delegated head with effective_to=NULL | (blocked by chk_delegated_ttl) AUTHORIZATION_WINDOW_EXPIRED | F |
Group C — Scope (C01–C08)
| ID | input / state | expected reject | layer |
|---|---|---|---|
| C01 | no DOT_REGISTRATION_AUTHORITY scope in governance_responsibility_scope | OWNER_SCOPE_MISMATCH/scope REQUIRED_NOT_PRESENT | F |
| C02 | head owns execution scope, used to admit registration | OWNER_SCOPE_MISMATCH | R |
| C03 | head owns render/policy scope, used for admission | OWNER_SCOPE_MISMATCH | R |
| C04 | registration authority used to activate | WRONG_ACTION_FOR_EFFECT | R |
| C05 | registration authority implicitly grants DOT_ARTIFACT_ADMISSION | OWNER_SCOPE_MISMATCH (no implicit inherit) | R |
| C06 | registration authority implicitly grants DOT_AUDIT_SINK | OWNER_SCOPE_MISMATCH | R |
| C07 | one mega-owner row claims all 9 scopes | allowed only if explicitly bound per scope; else OWNER_SCOPE_MISMATCH | R |
| C08 | scope present but no active accountable head bound | OWNER_OF_RECORD_ABSENT | R |
Group D — Action presence & family (D01–D10)
| ID | input / state | expected reject | layer |
|---|---|---|---|
| D01 | register_dot absent from apr_action_types | REGISTER_DOT_ACTION_REQUIRED_NOT_PRESENT | F |
| D02 | register_axis reused to register a DOT | WRONG_ACTION_FOR_EFFECT | R |
| D03 | register_topic_node reused to register a DOT | WRONG_ACTION_FOR_EFFECT | R |
| D04 | activate_dot used to perform registration | WRONG_ACTION_FOR_EFFECT | R |
| D05 | dry_run_scan result treated as a registration | WRONG_ACTION_FOR_EFFECT | R |
| D06 | register_dot authored with handler_ref='unimplemented', APR → applied | HANDLER_UNIMPLEMENTED_RESERVE_ONLY (live guard) | A |
| D07 | register_dot with risk_level other than high | quorum tier too weak → QUORUM_NOT_SATISFIED | A |
| D08 | assign_governance_owner APR → applied to mint owner (unimplemented) | HANDLER_UNIMPLEMENTED_RESERVE_ONLY (live guard) | A |
| D09 | APR with proposed_action_code=NULL for a DOT registration | quorum false on NULL action → QUORUM_NOT_SATISFIED | A |
| D10 | register_dot auto-activates on admission | WRONG_ACTION_FOR_EFFECT (activation is a separate action) | R |
Group E — APR / effect binding (E01–E10)
| ID | input / state | expected reject | layer |
|---|---|---|---|
| E01 | APR approved but not bound to effect_identity | APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY | A |
| E02 | APR bound to request_proposed hash, not attested artifact | APPROVAL_BOUND_TO_REQUEST_PROPOSED_HASH | A |
| E03 | APR bound to (target_collection,target_entity_code) only (no artifact) | APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY | R |
| E04 | approval for effect X replayed to admit effect Y | APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY | A |
| E05 | APR exists, quorum missing | QUORUM_NOT_SATISFIED | A |
| E06 | approval after canonical_artifact_hash drift | APPROVAL_AFTER_ARTIFACT_HASH_DRIFT | A |
| E07 | approval fresh but same effect already registered | AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE | R |
| E08 | only authority changed, same business effect | AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE | R |
| E09 | approval points to superseded artifact | APPROVAL_AFTER_ARTIFACT_HASH_DRIFT | A |
| E10 | authorization_binding_digest missing on attempt | AUTHORITY_BINDING_UNRESOLVED | R |
Group F — Quorum (F01–F10)
| ID | input / state | expected reject | layer |
|---|---|---|---|
| F01 | high-risk, president=0 | QUORUM_NOT_SATISFIED | A |
| F02 | high-risk, council=1 (<2) | QUORUM_NOT_SATISFIED | A |
| F03 | any reject vote present | QUORUM_NOT_SATISFIED | A |
| F04 | proposer self-approves | QUORUM_NOT_SATISFIED (self-exclusion: the proposer's vote is not counted) | A |
| F05 | quorum_passed=true but no effect binding | QUORUM_EFFECT_BINDING_MISSING | A |
| F06 | quorum votes counted before lock (race) | (row-lock present) QUORUM_NOT_SATISFIED | A |
| F07 | president via approver='vice-president' substring | QUORUM_APPROVER_IDENTITY_UNVERIFIED | A |
| F08 | duplicate approver name double-counted | (blocked by UNIQUE(apr_id,approver)) QUORUM_NOT_SATISFIED | A |
| F09 | quorum true at approve, votes withdrawn before apply | apply-time re-proof → QUORUM_NOT_SATISFIED | A |
| F10 | quorum_passed=true treated as sufficient for admission | QUORUM_EFFECT_BINDING_MISSING (quorum is necessary, not sufficient) | R |
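Added example for Group F (and the quorum-side cases A11, A12, D07, D09), not code from RS5A-09 or the registrar itself: a pure quorum evaluator that fails closed on each listed case. The record shapes (`Vote`, `Apr`), the `HEAD_REGISTRY` of exact approver identities, the `HIGH_RISK_TIER` thresholds and the `sample_apr` data are assumptions; the reject-code strings are the names the suite cites from [[rs5a-06]].

```python
# Added example for RS5A-09 Group F (plus A11/A12, D07, D09). Not the registrar's
# code: record shapes, HEAD_REGISTRY, HIGH_RISK_TIER and sample data are assumed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

QUORUM_NOT_SATISFIED = "QUORUM_NOT_SATISFIED"
QUORUM_APPROVER_IDENTITY_UNVERIFIED = "QUORUM_APPROVER_IDENTITY_UNVERIFIED"
QUORUM_EFFECT_BINDING_MISSING = "QUORUM_EFFECT_BINDING_MISSING"

# Assumed head registry: exact approver identity -> bound head type. Anything
# not listed ('president-bot', 'vice-president', a self-declared approver_type)
# resolves to nothing; there is no substring/ILIKE path (A11, A12, F07).
HEAD_REGISTRY: Dict[str, str] = {
    "president": "president",
    "council-01": "council",
    "council-02": "council",
    "council-03": "council",
}

# Assumed high-risk tier: >=1 president and >=2 council approvals (F01, F02).
HIGH_RISK_TIER: Dict[str, int] = {"president": 1, "council": 2}


@dataclass(frozen=True)
class Vote:
    approver: str
    decision: str                        # "approve" or "reject"
    approver_type: Optional[str] = None  # self-declared; deliberately ignored (A12)


@dataclass(frozen=True)
class Apr:
    apr_id: str
    proposer: str
    risk_level: str
    proposed_action_code: Optional[str]
    votes: Tuple[Vote, ...]
    effect_identity: Optional[str]       # attested artifact hash; None = unbound


def evaluate_quorum(apr: Apr,
                    registry: Dict[str, str] = HEAD_REGISTRY,
                    tier: Dict[str, int] = HIGH_RISK_TIER) -> Tuple[bool, Optional[str]]:
    """Return (passed, reject_code). Callers re-run this at apply time on the
    current votes (F09); a stored quorum_passed flag is never trusted."""
    if apr.proposed_action_code is None:             # D09: NULL action never passes
        return False, QUORUM_NOT_SATISFIED
    if apr.proposed_action_code == "register_dot" and apr.risk_level != "high":
        return False, QUORUM_NOT_SATISFIED           # D07: tier too weak for register_dot
    if any(v.decision == "reject" for v in apr.votes):
        return False, QUORUM_NOT_SATISFIED           # F03: any reject vote fails
    counted: Dict[str, str] = {}                     # approver -> head; the key dedups F08
    for v in apr.votes:
        if v.decision != "approve":
            return False, QUORUM_NOT_SATISFIED       # unknown decision vocabulary fails closed
        if v.approver == apr.proposer:
            continue                                 # F04: self-approval is excluded
        head = registry.get(v.approver)              # A11/F07: exact lookup only
        if head is None:
            return False, QUORUM_APPROVER_IDENTITY_UNVERIFIED
        counted[v.approver] = head
    tally: Dict[str, int] = {}
    for head in counted.values():
        tally[head] = tally.get(head, 0) + 1
    for head, needed in tier.items():
        if tally.get(head, 0) < needed:
            return False, QUORUM_NOT_SATISFIED       # F01/F02
    return True, None


def admit(apr: Apr) -> Optional[str]:
    """Admission decision: None = admit, otherwise the reject code. Quorum is
    necessary but not sufficient (F10); the approval must also be bound to an
    effect identity (F05)."""
    passed, code = evaluate_quorum(apr)
    if not passed:
        return code
    if apr.effect_identity is None:
        return QUORUM_EFFECT_BINDING_MISSING
    return None


def sample_apr(votes: List[Vote], **overrides) -> Apr:
    """Constructed sample APR (not real data); overrides break one property at a time."""
    fields = dict(apr_id="APR-0001", proposer="proposer-x", risk_level="high",
                  proposed_action_code="register_dot", votes=tuple(votes),
                  effect_identity="sha256:0000")
    fields.update(overrides)
    return Apr(**fields)


APPROVE_ALL = [Vote("president", "approve"), Vote("council-01", "approve"),
               Vote("council-02", "approve")]

if __name__ == "__main__":
    print(admit(sample_apr(APPROVE_ALL)))                        # None
    print(admit(sample_apr(APPROVE_ALL[1:])))                    # QUORUM_NOT_SATISFIED (F01)
    print(admit(sample_apr(APPROVE_ALL, effect_identity=None)))  # QUORUM_EFFECT_BINDING_MISSING (F10)
```

The design point is that `evaluate_quorum` never reads a stored `quorum_passed` flag and never consults a free-text approver type; identity comes only from an exact registry lookup, and admission still requires the separate effect-binding check.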
Group G — Nonce / window / replay (G01–G08)
| ID | input / state | expected reject / outcome | layer |
|---|---|---|---|
| G01 | nonce issued by non-authority | NONCE_ISSUER_NOT_AUTHORITY | A |
| G02 | nonce reused (replay) | replay surface → duplicate/AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE | F |
| G03 | authorization window expired at admission | AUTHORIZATION_WINDOW_EXPIRED | A |
| G04 | nonce bound to attempt_id used as effect key | (non-keying invariant) AUTHORITY_BINDING_UNRESOLVED | R |
| G05 | no nonce surface present | NONCE_ISSUER_NOT_AUTHORITY/REQUIRED_NOT_PRESENT | F |
| G06 | delegated authority acts after effective_to | AUTHORIZATION_WINDOW_EXPIRED | A |
| G07 | nonce issued for scope A used for scope B | OWNER_SCOPE_MISMATCH | R |
| G08 | exact retry of same nonce+effect | returns prior decision (no new write) | R |
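Added example for Groups E and G (and I05), not code from RS5A-09 or the registrar itself: an effect-binding and replay ledger keyed on the canonical artifact hash, never on attempt_id (G04). The record shapes (`Approval`, `Nonce`, `Attempt`), the assumed issuer of record `registrar-authority`, the rule that an approval is consumed by the effect it admitted, and the sample artifacts are assumptions; the reject-code strings are the names the suite cites from [[rs5a-06]].

```python
# Added example for RS5A-09 Groups E and G (plus I05). Not the registrar's code:
# record shapes, AUTHORITY_ISSUER, the consumed-approval rule and samples are assumed.
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY = "APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY"
APPROVAL_BOUND_TO_REQUEST_PROPOSED_HASH = "APPROVAL_BOUND_TO_REQUEST_PROPOSED_HASH"
APPROVAL_AFTER_ARTIFACT_HASH_DRIFT = "APPROVAL_AFTER_ARTIFACT_HASH_DRIFT"
AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE = "AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE"
AUTHORITY_BINDING_UNRESOLVED = "AUTHORITY_BINDING_UNRESOLVED"
AUTHORIZATION_WINDOW_EXPIRED = "AUTHORIZATION_WINDOW_EXPIRED"
NONCE_ISSUER_NOT_AUTHORITY = "NONCE_ISSUER_NOT_AUTHORITY"
OWNER_SCOPE_MISMATCH = "OWNER_SCOPE_MISMATCH"
ADMITTED = None                            # admission is the absence of a reject code

AUTHORITY_ISSUER = "registrar-authority"   # assumed nonce issuer of record (G01)


def effect_identity(artifact: bytes) -> str:
    """Canonical artifact hash: this, not request fields or attempt_id, is the effect key."""
    return "sha256:" + hashlib.sha256(artifact).hexdigest()


@dataclass(frozen=True)
class Approval:
    apr_id: str
    bound_kind: Optional[str]   # "artifact", "request_proposed", or None
    bound_hash: Optional[str]


@dataclass(frozen=True)
class Nonce:
    value: str
    issuer: str
    scope: str
    expires_at: int             # assumed epoch seconds


@dataclass(frozen=True)
class Attempt:
    attempt_id: str
    artifact: bytes
    approval: Approval
    nonce: Nonce
    authorization_binding_digest: Optional[str]
    scope: str = "DOT_REGISTRATION_AUTHORITY"


class EffectLedger:
    def __init__(self) -> None:
        self.registered: Dict[str, str] = {}                      # effect_id -> attempt_id
        self.consumed: Dict[str, str] = {}                        # apr_id -> effect_id it admitted
        self.by_nonce: Dict[str, Tuple[str, Optional[str]]] = {}  # nonce -> (effect_id, decision)

    def _finish(self, attempt: Attempt, eid: str, decision: Optional[str]) -> Optional[str]:
        self.by_nonce[attempt.nonce.value] = (eid, decision)      # remembered for G08 retries
        return decision

    def admit(self, attempt: Attempt, now: int) -> Optional[str]:
        eid = effect_identity(attempt.artifact)
        prior = self.by_nonce.get(attempt.nonce.value)
        if prior is not None:
            if prior[0] == eid:
                return prior[1]                                   # G08: exact retry, no new write
            return AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE    # G02: nonce replayed for another effect
        if attempt.nonce.issuer != AUTHORITY_ISSUER:
            return self._finish(attempt, eid, NONCE_ISSUER_NOT_AUTHORITY)    # G01
        if now > attempt.nonce.expires_at:
            return self._finish(attempt, eid, AUTHORIZATION_WINDOW_EXPIRED)  # G03
        if attempt.nonce.scope != attempt.scope:
            return self._finish(attempt, eid, OWNER_SCOPE_MISMATCH)          # G07
        if attempt.authorization_binding_digest is None:
            return self._finish(attempt, eid, AUTHORITY_BINDING_UNRESOLVED)  # E10
        ap = attempt.approval
        if ap.bound_kind == "request_proposed":
            return self._finish(attempt, eid, APPROVAL_BOUND_TO_REQUEST_PROPOSED_HASH)  # E02
        if ap.bound_kind != "artifact" or ap.bound_hash is None:
            return self._finish(attempt, eid, APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY)    # E01/E03
        if ap.apr_id in self.consumed and self.consumed[ap.apr_id] != eid:
            return self._finish(attempt, eid, APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY)    # E04: X replayed for Y
        if ap.bound_hash != eid:
            return self._finish(attempt, eid, APPROVAL_AFTER_ARTIFACT_HASH_DRIFT)       # E06/E09
        if eid in self.registered:
            return self._finish(attempt, eid, AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE)  # E07/E08
        self.registered[eid] = attempt.attempt_id   # I05: a new hash is a new effect, admitted as a revision
        self.consumed[ap.apr_id] = eid
        return self._finish(attempt, eid, ADMITTED)


ARTIFACT_V1 = b"dot:example/v1"   # constructed sample artifacts, not real data
ARTIFACT_V2 = b"dot:example/v2"


def sample_attempt(artifact: bytes, nonce_value: str, apr_id: str = "APR-1", **overrides) -> Attempt:
    """Constructed, well-formed attempt; overrides break one property at a time."""
    fields = dict(
        attempt_id="att-" + nonce_value, artifact=artifact,
        approval=Approval(apr_id, "artifact", effect_identity(artifact)),
        nonce=Nonce(nonce_value, AUTHORITY_ISSUER, "DOT_REGISTRATION_AUTHORITY", 2000),
        authorization_binding_digest="abd:" + nonce_value)
    fields.update(overrides)
    return Attempt(**fields)
```

Ordering matters: the nonce-replay check runs first so an exact retry returns the recorded decision without touching the ledger, and the duplicate-effect check runs last so a fresh approval or a changed authority cannot re-admit an effect that is already registered.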
Group H — Policy surfaces (H01–H08)
| ID | input / state | expected reject | layer |
|---|---|---|---|
| H01 | status_policy undeclared (no inert-state policy) | STATUS_POLICY_UNDECLARED | F |
| H02 | registration writes status='active' directly | STATUS_POLICY_UNDECLARED/WRONG_ACTION_FOR_EFFECT | R |
| H03 | writes out-of-vocab status='published' (live: 16 such rows) | STATUS_POLICY_UNDECLARED | R |
| H04 | U3 head policy undeclared | U3_HEAD_POLICY_UNDECLARED | F |
| H05 | second current_head for same code | U3_HEAD_POLICY_UNDECLARED (U3 unique) | F |
| H06 | audit_policy undeclared | FAILURE_AUDIT_POLICY_UNDECLARED | F |
| H07 | success-audit emitted (PATCH2: no success audit) | FAILURE_AUDIT_POLICY_UNDECLARED (success audit forbidden) | R |
| H08 | artifact_hash_ref carrier absent | ARTIFACT_HASH_CARRIER_UNPROVEN | F |
Group I — Activation non-inheritance & drift (I01–I08)
| ID | input / state | expected reject / outcome | layer |
|---|---|---|---|
| I01 | registration implicitly flips draft→active | WRONG_ACTION_FOR_EFFECT | R |
| I02 | activation performed under registration authority | OWNER_SCOPE_MISMATCH | R |
| I03 | notify fired on draft write | (PATCH1 inert=draft) STATUS_POLICY_UNDECLARED | R |
| I04 | supersede performed without DOT_HEAD_UNIQUENESS authority | OWNER_SCOPE_MISMATCH | R |
| I05 | revision (new hash) treated as duplicate | (new effect_identity) admit as revision, not reject | R |
| I06 | mega-owner used to bypass per-scope edges | OWNER_SCOPE_MISMATCH | R |
| I07 | rollback of one scope auto-rolls another | per-row rollback_ref isolation; else reject | R |
| I08 | activation authority used to register | WRONG_ACTION_FOR_EFFECT | R |
Coverage check vs mandatory fail-open list (Objective 1.8)
| mandatory fail-open | covered by |
|---|---|
| caller = owner | A01 |
| free-text owner | A02–A03 |
| Directus user has no ownership | A05–A07 |
| owner without accountable head | B02 |
| stale / superseded binding | B03–B06 |
| scope mismatch | C02 |
| action absent | D01 |
| wrong action | D02–D05 |
| APR not bound to effect | E01 |
| APR bound to request_proposed | E02 |
| quorum missing | E05 |
| quorum_passed=true treated as sufficient | F05/F10 |
| approval after drift | E06 |
| fresh approval, duplicate effect | E07 |
| nonce issuer not authority | G01 |
| window expired | G03 |
| status policy missing | H01 |
| U3 policy missing | H04 |
| audit policy missing | H06 |
All 19 mandatory fail-opens are covered.