KB-4DA5
03 — Authority Regression & Fail-Closed Proof
Revision 1
Supertrack C — Authority Regression & Fail-Closed Proof
Live teeth (rehearsed in BEGIN…ROLLBACK, zero live mutation)
Eight modeled paths were executed against the live triggers, all inside one BEGIN … ROLLBACK so that nothing persisted. Bad paths must FAIL (the trigger rejects the write); positive controls must PASS, proving the guard is not trivially always-failing. All 8 behaved as required; the rows created during the rehearsal (ids 1,210,783 to 1,210,800) were rolled back (sequence values consumed in a rolled-back transaction are not reclaimed, so the id gap is expected and not a leaked row).
| # | test | type | result |
|---|---|---|---|
| T1 | action='add' INSERT stays pending (no auto-approve) | containment | PASS |
| T2 | pending→approved, 0 votes, high risk | bad-path blocked | PASS |
| T3 | AI-only (2 ai_council, 0 president), high risk → "AI cannot approve" | bad-path blocked | PASS |
| T4 | proposer self-approve excluded from the count | bad-path blocked | PASS |
| T5 | any reject blocks approval | bad-path blocked | PASS |
| T6 | medium + 1 valid president approve → APPROVED | positive control | PASS |
| T7 | high quorum met → approved; then approved→applied with unimplemented handler blocked | positive + bad-path | PASS |
| T8 | terminal immutability (rejected→approved blocked) | bad-path blocked | PASS |
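The rehearsal pattern above, as an added example (not the KB's own schema, triggers or test code): a minimal proposal/vote schema, a BEFORE UPDATE trigger implementing the T2–T5 and T8 rules, and a harness that treats a bad path as passing only when the guard raises, and a positive control as passing only when the write goes through. The table and column names, the function names quorum_gate() and expect_block(), the SQLSTATE 'P0403' used to tag guard rejections, and the "high risk needs a second non-proposer approval" quorum are all assumptions. The whole script runs inside one transaction that is rolled back.

```sql
-- Added example: rehearsal harness for the pending -> approved quorum gate.
-- All names, the P0403 SQLSTATE and the high-risk quorum rule are assumptions.
BEGIN;

CREATE TABLE proposal (
    id       serial PRIMARY KEY,
    proposer text NOT NULL,
    risk     text NOT NULL CHECK (risk IN ('low', 'medium', 'high')),
    status   text NOT NULL DEFAULT 'pending'
             CHECK (status IN ('pending', 'approved', 'applied', 'rejected'))
);

CREATE TABLE vote (
    proposal_id int  NOT NULL REFERENCES proposal(id),
    voter       text NOT NULL,
    role        text NOT NULL CHECK (role IN ('ai_council', 'president')),
    decision    text NOT NULL CHECK (decision IN ('approve', 'reject')),
    PRIMARY KEY (proposal_id, voter)
);

CREATE FUNCTION quorum_gate() RETURNS trigger LANGUAGE plpgsql AS $fn$
DECLARE
    n_reject int;
    n_pres   int;
    n_any    int;
BEGIN
    -- T8: terminal states never move again.
    IF OLD.status IN ('applied', 'rejected') AND NEW.status <> OLD.status THEN
        RAISE EXCEPTION 'terminal state % is immutable', OLD.status USING ERRCODE = 'P0403';
    END IF;
    -- Everything below gates only the pending -> approved edge.
    IF NOT (OLD.status = 'pending' AND NEW.status = 'approved') THEN
        RETURN NEW;
    END IF;
    -- T4: the proposer's own vote is excluded before anything is counted.
    SELECT count(*) FILTER (WHERE decision = 'reject'),
           count(*) FILTER (WHERE decision = 'approve' AND role = 'president'),
           count(*) FILTER (WHERE decision = 'approve')
      INTO n_reject, n_pres, n_any
      FROM vote
     WHERE proposal_id = OLD.id AND voter <> OLD.proposer;
    IF n_reject > 0 THEN                                    -- T5
        RAISE EXCEPTION 'reject vote present' USING ERRCODE = 'P0403';
    END IF;
    IF OLD.risk IN ('medium', 'high') AND n_pres = 0 THEN   -- T2, T3
        RAISE EXCEPTION 'no non-proposer president approval for % risk', OLD.risk USING ERRCODE = 'P0403';
    END IF;
    IF OLD.risk = 'high' AND n_any < 2 THEN                 -- assumed high quorum
        RAISE EXCEPTION 'high-risk quorum not met' USING ERRCODE = 'P0403';
    END IF;
    RETURN NEW;
END $fn$;

CREATE TRIGGER proposal_quorum_gate BEFORE UPDATE OF status ON proposal
    FOR EACH ROW EXECUTE FUNCTION quorum_gate();

-- Harness: a bad path passes only if the guard raises P0403. A silently
-- successful write raises a plain exception, which aborts the whole rehearsal.
CREATE FUNCTION expect_block(test text, stmt text) RETURNS void LANGUAGE plpgsql AS $fn$
BEGIN
    EXECUTE stmt;
    RAISE EXCEPTION '% FAIL: bad path was not blocked', test;
EXCEPTION WHEN SQLSTATE 'P0403' THEN
    RAISE NOTICE '% PASS (blocked: %)', test, SQLERRM;
END $fn$;

DO $do$
DECLARE
    p_ai   int;
    p_med  int;
    p_term int;
BEGIN
    -- T3: two AI approvals on a high-risk proposal, no president.
    INSERT INTO proposal (proposer, risk) VALUES ('alice', 'high') RETURNING id INTO p_ai;
    INSERT INTO vote VALUES (p_ai, 'ai-1', 'ai_council', 'approve'),
                            (p_ai, 'ai-2', 'ai_council', 'approve');
    PERFORM expect_block('T3', format('UPDATE proposal SET status = %L WHERE id = %s', 'approved', p_ai));

    -- T4: the proposer's own president approval does not count.
    INSERT INTO proposal (proposer, risk) VALUES ('bob', 'medium') RETURNING id INTO p_med;
    INSERT INTO vote VALUES (p_med, 'bob', 'president', 'approve');
    PERFORM expect_block('T4', format('UPDATE proposal SET status = %L WHERE id = %s', 'approved', p_med));

    -- T5: a valid president approval plus one reject is still blocked.
    INSERT INTO vote VALUES (p_med, 'carol', 'president', 'approve'),
                            (p_med, 'ai-1', 'ai_council', 'reject');
    PERFORM expect_block('T5', format('UPDATE proposal SET status = %L WHERE id = %s', 'approved', p_med));

    -- T6 positive control: remove the reject; medium + one valid president must pass.
    DELETE FROM vote WHERE proposal_id = p_med AND decision = 'reject';
    UPDATE proposal SET status = 'approved' WHERE id = p_med;
    RAISE NOTICE 'T6 PASS (approved)';

    -- T8: a rejected row cannot be resurrected.
    INSERT INTO proposal (proposer, risk, status) VALUES ('dan', 'high', 'rejected') RETURNING id INTO p_term;
    PERFORM expect_block('T8', format('UPDATE proposal SET status = %L WHERE id = %s', 'approved', p_term));
END $do$;

ROLLBACK;  -- zero live mutation: tables, trigger and rows all vanish
```

Run it with psql against a scratch database (or, as the KB did, against the live one: the ROLLBACK leaves no rows behind, only consumed sequence values). The point of expect_block() is that the harness is itself fail-closed: it only accepts the specific guard error, so a bad path that fails for an unrelated reason (a typo in the statement, a missing table) does not masquerade as a PASS, and a bad path that succeeds aborts the transaction. The same gate function can be attached to the approved→applied edge to give the independent quorum re-proof the P1 gaps below ask for.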
Machine-visible guards
v_authority_quorum_regression_guard and v_authority_lifecycle_failclosed_guard introspect the live function and trigger definitions in the catalog (not a copy in the repo) and emit one row per assertion with pass/severity/blocking columns, so a later edit that weakens a guard shows up as a failed assertion rather than a silent behaviour change.
- Quorum guard: 6 blocking P0 assertions all PASS (ai_cannot_approve_high_alone, president_required_medium_high, reject_blocks_approval, self_approve_prohibited, insert_add_cannot_autoapprove, quorum_trigger_fires_pending_to_approved).
- Lifecycle guard: 5 blocking P0 assertions all PASS (pending/approved transitions restricted, terminal immutability, apply blocks unimplemented handler, enacted-nrm-must-have-approval).
- Blocking verdict: all blocking assertions pass = TRUE.
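One way to build such a machine-visible guard, as an added example and not the KB's own view: a view that reads the live trigger and function text from pg_catalog, evaluates one regression assertion per row with pass/severity/blocking columns, and a query that folds the blocking rows into a single verdict. The view name, the guarded function quorum_gate() and trigger proposal_quorum_gate, the assertion names and the regex patterns are assumptions; on a database that lacks those objects every row reports pass = false, which is the fail-closed direction.

```sql
-- Added example: catalog-introspecting regression guard. Object names and
-- patterns are assumptions; absent objects yield pass = false, never NULL.
CREATE OR REPLACE VIEW v_quorum_regression_guard_example AS
WITH src AS (
    -- Live body of the gate function, as the server currently holds it.
    SELECT pg_get_functiondef(p.oid) AS body
      FROM pg_proc p
      JOIN pg_namespace n ON n.oid = p.pronamespace
     WHERE n.nspname = 'public' AND p.proname = 'quorum_gate'
),
trg AS (
    -- The trigger must actually be attached, or the function is dead code.
    SELECT count(*) > 0 AS fires
      FROM pg_trigger
     WHERE tgname = 'proposal_quorum_gate' AND NOT tgisinternal
)
SELECT a.assertion, a.pass, a.severity, a.blocking
FROM (
    SELECT 'quorum_trigger_fires_pending_to_approved' AS assertion,
           coalesce((SELECT fires FROM trg), false)   AS pass,
           'P0' AS severity, true AS blocking
    UNION ALL
    SELECT 'self_approve_prohibited',
           coalesce((SELECT body ~ 'voter\s*<>\s*OLD\.proposer' FROM src), false), 'P0', true
    UNION ALL
    SELECT 'reject_blocks_approval',
           coalesce((SELECT body ~ 'n_reject\s*>\s*0' FROM src), false), 'P0', true
    UNION ALL
    SELECT 'president_required_medium_high',
           coalesce((SELECT body ~ 'n_pres\s*=\s*0' FROM src), false), 'P0', true
    UNION ALL
    -- Non-blocking P1: an independent re-check on the approved -> applied edge.
    SELECT 'apply_quorum_reproof_present',
           coalesce((SELECT body ~ 'approved.*applied' FROM src), false), 'P1', false
) a;

-- Blocking verdict: TRUE only when every blocking assertion passes.
SELECT bool_and(pass) FILTER (WHERE blocking) AS all_blocking_pass
  FROM v_quorum_regression_guard_example;
```

A text-pattern guard like this catches a definition being edited, dropped or detached; it does not prove the semantics of what remains, which is why the behavioural BEGIN…ROLLBACK rehearsal above is the primary evidence and this view is the cheap, continuously queryable tripwire beside it.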
Honest open gaps (non-blocking P1, surfaced not hidden)
| assertion | pass | meaning |
|---|---|---|
| scanner_autoapply_quorum_gated | false | auto_apply_approval() applies scanner rows with no vote/quorum check |
| apply_quorum_reproof_present | false | no independent quorum re-check at approved→applied (relies on the pending→approved gate) |
These are the routed next-step hardening items (doc 09). They do not weaken the P0 containment above, which covers the pending→approved edge; they add a second, independent check on paths that today rely on the first gate alone (scanner auto-apply and approved→applied), i.e. defense in depth.