Status: B7_ACCEPTANCE_MATRIX_DEFINED_PARTIALLY_EXECUTED · Date: 2026-06-10
Bound to real evidence where executed (2026-06-10). Enforcement layers: GW = native query_pg/context_pack_readonly gateway (live-proven) · CAT = named-query catalog · VAL = packet validation harness b7_validate.py (ran) · CON = MVP consumption contract (Phase-2 MVP behavior) · DEF = deferred to a future contract.
Extends rev4 acceptance matrix L5 (export-step) + #31/#32 into a standalone, runnable matrix for the export-packet pipeline. "EXECUTED" rows have real evidence today; "DESIGN" rows are specified and bound to a layer but await the promoted catalog / automated service.
A. Gateway / side-effect-SQL prevention (EXECUTED 2026-06-10, real probes, no mutation)
| # | Test | Layer | Expected | Result |
|---|---|---|---|---|
| B-01 | raw INSERT submitted | GW | rejected pre-exec | PASS — [DENIED] only SELECT queries allowed, got Insert |
| B-02 | CREATE (DDL) submitted | GW | rejected pre-exec | PASS — [DENIED] … got Create |
| B-03 | multi-statement `SELECT 1; SELECT 2` | GW | rejected | PASS — [DENIED] exactly one statement required, got 2 |
| B-04 | restricted `current_setting()` | GW | rejected | PASS — [DENIED] current_setting() only allowed for a safe parameter list |
| B-05 | function executes inside SELECT (`pg_backend_pid()`) | GW | executes ⇒ proves allowlist needed | PASS — returned 514845; rationale for CAT allowlist (#B-08) |
| B-06 | read-only role attributes | GW | all false | PASS — context_pack_readonly rolsuper/createrole/createdb/bypassrls=false |
| B-07 | DB allowlist (postgres denied) | GW | denied | bound (cited §9.1; {directus,incomex_metadata,workflow} only) — DESIGN |
B. Named-query catalog (mixed)
| # | Test | Layer | Expected | Result |
|---|---|---|---|---|
| B-08 | side-effect function query (#32) | CAT | rejected: no function_allowlist entry (empty today) | DESIGN (D9 boundary; rationale proven by B-05) |
| B-09 | unknown / non-catalog query ID | CAT | rejected, no execution | DESIGN |
| B-10 | raw SQL accepted from caller | CAT+GW | rejected (IDs only) | PASS (GW half proven B-01..B-03; catalog stores SQL) |
| B-11 | dynamic / parameter-built SQL | CAT | dynamic_sql=false ⇒ rejected | DESIGN |
| B-12 | catalog entry approved without live-run evidence | CAT | rejected (§10 evidence required) | DESIGN |
| B-13 | TAC⋈IU joined query in catalog | CAT | prohibited (Domain H) | DESIGN |
| B-14 | detector/engine call in catalog | CAT | prohibited (Domain G) | DESIGN |
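Added illustration (not the gateway's or catalog's own code): a stdlib-only Python sketch of the three guard layers the A and B rows exercise, so the split between what the GW rejects (B-01..B-04), what it lets through (B-05) and what only the CAT allowlist and ID-only contract catch (B-08..B-10) is visible in one place. The safe parameter list, the catalog entry and the tokenizer are constructed assumptions; the real gateway parses SQL properly, this sketch does not handle comments or CTEs.

```python
import re

# Constructed guard settings modelled on matrix rows B-01..B-05 and B-08..B-10.
# The real gateway's parser and its safe parameter list are not on this page.
SAFE_SETTINGS = {"server_version", "timezone"}   # assumed safe current_setting() names
FUNCTION_ALLOWLIST: set = set()                   # catalog function_allowlist (empty today)
CATALOG = {                                       # constructed named-query catalog
    "q_count_by_surface": "SELECT surface, denominator, as_of_export FROM export_counts",
}

_STRING = re.compile(r"'(?:[^']|'')*'")
_CALL = re.compile(r"\b([a-z_][a-z0-9_]*)\s*\(", re.I)
_SETTING = re.compile(r"\bcurrent_setting\s*\(\s*'([^']*)'", re.I)


def gateway_check(sql: str) -> str:
    """GW layer: 'OK' or a '[DENIED] ...' reason (rows B-01..B-04).
    String literals are blanked before counting statements; comments and
    WITH-queries are not handled in this simplified sketch."""
    body = _STRING.sub("''", sql)
    stmts = [s for s in body.split(";") if s.strip()]
    if len(stmts) != 1:
        return f"[DENIED] exactly one statement required, got {len(stmts)}"
    kind = stmts[0].split()[0].capitalize()
    if kind != "Select":
        return f"[DENIED] only SELECT queries allowed, got {kind}"
    for name in _SETTING.findall(sql):
        if name not in SAFE_SETTINGS:
            return "[DENIED] current_setting() only allowed for a safe parameter list"
    return "OK"  # pg_backend_pid() passes here (B-05): that is why CAT needs an allowlist


def catalog_admit(sql: str) -> str:
    """CAT layer: an entry must pass the gateway AND call only allowlisted
    functions (B-08); current_setting() is already governed by the gateway."""
    verdict = gateway_check(sql)
    if verdict != "OK":
        return verdict
    for fn in _CALL.findall(_STRING.sub("''", sql)):
        if fn.lower() != "current_setting" and fn.lower() not in FUNCTION_ALLOWLIST:
            return f"[DENIED] no function_allowlist entry for {fn}"
    return "OK"


def resolve_named_query(request: str) -> tuple:
    """Callers send catalog IDs only: raw SQL (B-10) and unknown IDs (B-09)
    are refused before anything could execute."""
    if not re.fullmatch(r"[a-z][a-z0-9_]*", request):
        return ("DENIED", "raw SQL not accepted; pass a named_query_id")
    if request not in CATALOG:
        return ("DENIED", f"unknown named_query_id {request}")
    return ("OK", CATALOG[request])
```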
C. Packet schema / provenance (EXECUTED 2026-06-10 via b7_validate.py, real packet)
| # | Test | Layer | Expected | Result |
|---|---|---|---|---|
| B-15 | valid governed packet accepted | VAL | V01–V10 pass | PASS (10/10) |
| B-16 | missing provenance | VAL | NOT_EVIDENCED (V05 FAIL) | PASS (N2) |
| B-17 | tampered payload | VAL | content_hash mismatch (V08) | PASS (N1) |
| B-18 | tampered manifest_hash | VAL | V07 mismatch | PASS (N4) |
| B-19 | local-first source | VAL | FLAG_LOCAL_FIRST_AUTHORITY (V06) | PASS (N3) |
| B-20 | diagnostic mislabeled canonical | VAL | V09 FAIL (Domain D) | PASS (N5) |
| B-21 | raw SQL leaked to consumer | VAL | V10 FAIL | PASS (N6) |
| B-22 | freshness present for staleness gate | VAL | AS_OF_EXPORT present | PASS (N7) |
| B-23 | collapsed denominator (single canonical DOT #) | VAL/CAT | rejected as disguised hardcode | DESIGN (each count carries surface+denominator+ts) |
D. MVP consumption boundary (bound to Phase-2 evidence)
| # | Test | Layer | Expected | Result |
|---|---|---|---|---|
| B-24 | packet trying to claim proof-of-run | CON | held; no run evidence accepted (Call Contract deferred) | bound to Phase-3 pilot (proves_execution=false) — PASS |
| B-25 | packet trying to claim global absence | CON | scoped to NOT_EVIDENCED_IN_ALLOWED_SURFACES | bound to Phase-3 pilot (proves_global_absence=false) — PASS |
| B-26 | report remains non-gating | CON | decision_effect=NONE, may_gate=false | bound to Phase-2 run — PASS |
| B-27 | stale packet | CON | BLOCKED_BY_UNVERIFIED_SOURCE | DESIGN (consumer max-age gate) |
| B-28 | MVP executes a named_query_id | CON | impossible (no driver) | bound to B4′ (no network/driver) — PASS |
E. Deferred (correctly NOT closed here)
- D9 — automated export service + network-policy enforcement (B-07/B-08/B-11 live-enforced end-to-end).
- D10 — path-scoped server-enforced KB writer (no reusable surface; PROHIBITED to build in this macro).
- D11 — downstream gate-consumer (PROHIBITED to build in this macro).
- Catalog promotion to governed authority (B7-EXP-1, owner/Codex).
Net
EXECUTED today: A (6/7), C (8/8, negatives included) and the bound D rows are real PASS. DESIGN rows are specified and layer-bound but await the promoted catalog, the automated service or the owner-Codex seal. No row is fake-green; deferred rows are named, not hidden.