10 — Intentional-Mistake Test Matrix (P9)
No destructive prod tests were run (forbidden). This is the proof design: each row states the attack, the detector/guard that catches it, and the expected outcome. Tests marked rollback-only are safe to run by an operator inside a transaction that is rolled back; tests marked detector are pure read-only SELECTs once P1/P2/P5 are applied.
| # | Intentional mistake | Detected/blocked by | Expected outcome | Test type |
|---|---|---|---|---|
| 1 | File DOT under /opt/incomex/dot/bin without registry row | P2 v_dot_fs_reconciliation FILE_NO_REGISTRY; P6 blocks | DETECTED → preflight BLOCK | detector (after snapshot) |
| 2 | Registry row (dot_tools) without birth | P1 v_birth_orphan; P6 birth_orphan_critical_active | DETECTED → BLOCK | detector |
| 3 | Governed table row without birth (e.g. new pivot) | P1 v_birth_orphan (pivot_row) | DETECTED (unborn) | detector |
| 4 | Pivot row without birth | P1 v_birth_orphan (26 baseline) | DETECTED | detector |
| 5 | DISABLE TRIGGER attempt on dot_tools birth gate | Owner = directus can do it (G7). Mitigation: birth_gate_policy.bypass_allowed=false makes GUC-bypass ineffective; full prevention needs reassigning table ownership away from directus. | PARTIALLY blocked → documented residual risk | rollback-only / design |
| 6 | NULL code insert to skip gate | Original gate skips null code. Hardened gate (P3) blocks null code for blocking+no-bypass criticals; else still skips (legacy-safe), but fn_pre_birth_check check-3 would fail when code is present | DETECTED at Stage-2; legacy-safe at Stage-1 | rollback-only |
| 7 | Duplicate birth mapping | fn_pre_birth_check check-5 (code dup) + helper v_birth_dup (GROUP BY ... HAVING count(*) > 1) | DETECTED | detector |
| 8 | Registry exists but file missing | P2 v_dot_registry_no_file | DETECTED | detector (after snapshot) |
| 9 | File hash drift | Gap: no baseline hash column today. Outcome until baseline added: NOT detected; documented, not silently passed. Follow-up: add dot_tools.baseline_sha256 | NOT-YET (documented) | design |
| 10 | Direct manual DML into birth_registry to fake coverage | App role owns table → possible (G7). Detector side: v_birth_phantom catches fake births whose entity is absent; phantom_class flags non-organic origins | DETECTED downstream (phantom) | detector |
| 11 | Bypass GUC app.bypass_birth_gate='true' on a critical collection | Hardened gate (P3) ignores GUC when bypass_allowed=false | BLOCKED (Stage-1 hardened) | rollback-only |
| 12 | Use dot-pivot-update for RP cleanup | P6 preflight + classification NOT_VALID_DOT; macro forbidden-rule | BLOCKED | policy + detector |
No silent pass: every row resolves to DETECTED, BLOCKED, QUARANTINED, or an explicitly documented NOT-YET (rows 5, 9) with the exact follow-up. The two residual risks (table ownership = directus; missing baseline hash) are named, not hidden.
Suggested rollback-only proof harness (operator)
Open a transaction; apply P1/P2/P3/P6 from sql/; attempt mistakes 5/6/11 as DML; assert the expected RAISE/row; roll the whole transaction back. Prod stays byte-identical. (Not executed here — no DDL/DML channel.)
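The harness sketched above, written out as a psql script (an added illustration, not one of the project's sql/ artefacts). Assumed, and not taken from the matrix: the P1/P2/P3/P6 files are named sql/p1.sql .. sql/p6.sql, the birth-gate trigger on dot_tools is called trg_birth_gate, dot_tools has columns (code, path), and dot_tools is a blocking, no-bypass critical collection.

```sql
-- Rollback-only proof harness for mistakes 5, 6 and 11. Every statement,
-- views included, is discarded by the final ROLLBACK; prod stays byte-identical.
\set ON_ERROR_STOP on
BEGIN;
\i sql/p1.sql
\i sql/p2.sql
\i sql/p3.sql
\i sql/p6.sql

-- Mistake 11: the GUC bypass must be ignored while bypass_allowed = false.
SET LOCAL app.bypass_birth_gate = 'true';
DO $$
DECLARE blocked boolean := false;
BEGIN
  BEGIN
    INSERT INTO dot_tools (code, path)            -- column names are an assumption
      VALUES ('harness-m11', '/opt/incomex/dot/bin/harness-m11');
  EXCEPTION WHEN OTHERS THEN
    blocked := true; RAISE NOTICE 'M11 blocked as expected: %', SQLERRM;
  END;
  IF NOT blocked THEN
    RAISE EXCEPTION 'M11 FAIL: GUC bypass honoured on a critical collection';
  END IF;
END $$;
RESET app.bypass_birth_gate;   -- later checks must not depend on the GUC

-- Mistake 6: a NULL code must no longer slip past the hardened gate.
DO $$
DECLARE blocked boolean := false;
BEGIN
  BEGIN
    INSERT INTO dot_tools (code, path) VALUES (NULL, '/opt/incomex/dot/bin/harness-m6');
  EXCEPTION WHEN OTHERS THEN
    blocked := true; RAISE NOTICE 'M6 blocked as expected: %', SQLERRM;
  END;
  IF NOT blocked THEN RAISE EXCEPTION 'M6 FAIL: NULL code skipped the gate'; END IF;
END $$;

-- Mistake 5: DISABLE TRIGGER is only a permission question (residual risk G7),
-- so the harness records the outcome for the current role instead of asserting it.
DO $$
BEGIN
  ALTER TABLE dot_tools DISABLE TRIGGER trg_birth_gate;   -- trigger name is a placeholder
  RAISE NOTICE 'M5 residual risk confirmed: current role can disable the gate';
EXCEPTION
  WHEN insufficient_privilege THEN RAISE NOTICE 'M5 blocked for this role: %', SQLERRM;
  WHEN undefined_object       THEN RAISE NOTICE 'M5 skipped: adjust trigger name';
END $$;

ROLLBACK;
```

With ON_ERROR_STOP set, a FAIL aborts the script and the open transaction is rolled back on disconnect, so a failed assertion still leaves nothing behind.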