05 — Negative / Forgery / Fail-Closed Test Matrix (consolidated)
Package: one-roof-auth-axis-bootstrap-ratification-rehearsal-go-nogo-2026-06-02
Mode: live BEGIN..ROLLBACK; each negative caught in a PL/pgSQL subtransaction (savepoint) so the outer txn proceeds; zero COMMIT. This doc consolidates every fail-closed proof from docs 03/04 into one auditable matrix.
5.1 The single property under test
A forged, expired, consumed, revoked, under-quorum, or unsigned-sovereign authorization, and any self-granted authorization, must be inert — the COMMIT verifier must DENY, and the substrate's own constraints must reject malformed rows. The design's load-bearing claim is that validity is recomputed from backing evidence and never trusted from a stored status (INV-6/INV-10).
5.2 Authorization fail-closed matrix (the 7 required modes)
| # | Mode | Grant shape | v_build_auth_valid? | fn_build_commit_allowed | Invariant |
|---|---|---|---|---|---|
| 1 | Forged / no backing | status='active', commit_allowed=true, request_ref='APR-FORGED-NOEXIST' | absent (JOIN fails) | DENY | INV-6 |
| 2 | Insufficient quorum | backed by real approved APR-0234 (0 votes) | absent (quorum_passed=false) | DENY | INV-6 |
| 3 | Expired | valid backing, now() > expires_at | absent (TTL) | DENY | INV-11 |
| 4 | Consumed | valid backing, consumed_at set | absent | DENY | INV-9 |
| 5 | Revoked | valid backing, revoked_at set | absent | DENY | INV-12 |
| 6 | Sovereign w/o e-sign | valid backing, requires_sovereign_esign=true, ref → non-existent e-sign | absent (valid_sovereign_esign=false, os_proposal_approvals=0) | DENY | INV-7 |
| 7 | Self-grant | fully valid grant (in view), but granted_by = consuming agent | present | DENY | INV-5 |
Modes 1–6 are killed by the view (recomputed validity). Mode 7 is the decisive one: the grant is valid (it appears in v_build_auth_valid), yet the verifier still DENYs because granted_by = agent. Authorization to COMMIT requires a grant someone else issued.
Keystone evidence (R6): of 8 seeded grants, 6 carry raw status='active'; the recomputed view returns only 2 (BA-VALID, BA-SELF). The four active-but-invalid forgeries vanish.
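The recompute-not-trust keystone and the self-grant rule, as an added PostgreSQL example that is not the package's own schema: the auth_request table, the exact column set and the seed grant ids are assumptions chosen to mirror the matrix, and the sovereign e-sign join (mode 6) is omitted. Modes 3 to 5 are enforced by the view's expiry/consumed/revoked predicates; the seeds exercise modes 1, 2 and 7 plus the positive control.

```sql
-- Assumed minimal schema (not the project's own): one request table, one grant table.
CREATE TABLE auth_request (
  request_ref   text PRIMARY KEY,
  quorum_passed boolean NOT NULL DEFAULT false
);
CREATE TABLE build_auth_grant (
  grant_id       text PRIMARY KEY,
  request_ref    text NOT NULL,   -- no FK on purpose: a forged ref must be inert, not merely unstorable
  granted_by     text NOT NULL,
  status         text NOT NULL CHECK (status IN ('active', 'consumed', 'revoked')),
  commit_allowed boolean NOT NULL DEFAULT false,  -- stored flag, deliberately NOT trusted
  granted_at     timestamptz NOT NULL DEFAULT now(),
  expires_at     timestamptz NOT NULL,
  consumed_at    timestamptz,
  consumed_by    text,
  revoked_at     timestamptz,
  CONSTRAINT chk_expiry        CHECK (expires_at > granted_at),
  CONSTRAINT chk_consumed_pair CHECK ((consumed_at IS NULL) = (consumed_by IS NULL))
);

-- Validity is recomputed from backing evidence; status and commit_allowed are never consulted.
CREATE VIEW v_build_auth_valid AS
SELECT g.grant_id, g.granted_by
  FROM build_auth_grant g
  JOIN auth_request r ON r.request_ref = g.request_ref   -- mode 1: forged ref, JOIN fails
 WHERE r.quorum_passed                                   -- mode 2
   AND now() < g.expires_at                              -- mode 3
   AND g.consumed_at IS NULL                             -- mode 4
   AND g.revoked_at IS NULL;                             -- mode 5

-- Verifier: DENY unless the grant is in the recomputed view AND was issued by someone else (mode 7).
CREATE FUNCTION fn_build_commit_allowed(p_grant text, p_agent text) RETURNS boolean
LANGUAGE sql STABLE AS $$
  SELECT EXISTS (SELECT 1 FROM v_build_auth_valid v
                  WHERE v.grant_id = p_grant AND v.granted_by <> p_agent);
$$;

-- Constructed seeds: every grant carries raw status='active' and commit_allowed=true.
INSERT INTO auth_request VALUES ('APR-0234', false), ('APR-0300', true);
INSERT INTO build_auth_grant (grant_id, request_ref, granted_by, status, commit_allowed, expires_at) VALUES
  ('BA-FORGED',   'APR-FORGED-NOEXIST', 'alice', 'active', true, now() + interval '1 day'),
  ('BA-NOQUORUM', 'APR-0234',           'alice', 'active', true, now() + interval '1 day'),
  ('BA-SELF',     'APR-0300',           'bob',   'active', true, now() + interval '1 day'),
  ('BA-VALID',    'APR-0300',           'alice', 'active', true, now() + interval '1 day');

-- Only BA-SELF and BA-VALID survive recomputation; for consuming agent 'bob'
-- only BA-VALID is allowed, since BA-SELF was granted by 'bob' himself.
SELECT grant_id, fn_build_commit_allowed(grant_id, 'bob') AS allowed
  FROM build_auth_grant ORDER BY grant_id;
```

The three CHECK constraints on build_auth_grant reproduce the chk_expiry, chk_consumed_pair and status-enum rows of §5.3; inserting the malformed inputs listed there raises SQLSTATE 23514 (check_violation), which is what a savepoint-wrapped negative harness catches.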
5.3 SB-0 substrate CHECK negatives (R7b)
| Constraint | Malformed input | Result (SQLSTATE) |
|---|---|---|
| chk_expiry | expires_at <= granted_at | REJECTED (23514) |
| chk_sov_esign | requires_sovereign_esign=true, ref NULL | REJECTED (23514) |
| status enum | status='bogus' | REJECTED (23514) |
| chk_consumed_pair | consumed_at set, consumed_by NULL | REJECTED (23514) |
| uq_one_active_grant_per_step | 2nd active grant for step axis_registry | REJECTED (23505) |
5.4 Axis substrate negatives (R9 / A1–A7)
| Test | Malformed / boundary input | Result (SQLSTATE) |
|---|---|---|
| A2 | candidate, provenance=NULL | REJECTED chk_provenance_or_quarantine (23514) |
| A4 | axis_code not in registry | REJECTED FK (23503) |
| A5 | 2nd approved node, single-cardinality entity | REJECTED uq_axis_single_approved (23505) |
| A6 | duplicate active (axis/collection/entity/node) | REJECTED uq_axis_assignment_active (23505) |
| A7 | zone='bogus_zone' | REJECTED zone enum (23514) |
| A1 | candidate + provenance | ALLOWED (positive control) |
| A3 | quarantine + NULL provenance | ALLOWED (safe sink) |
5.5 Verdict
All 7 authorization fail-closed modes DENY; all 5 SB-0 CHECK negatives reject; all 5 axis negatives reject; both positive controls accept. No forged/invalid authorization can authorize a COMMIT; no malformed grant or assignment can be stored. The recompute-not-trust keystone is demonstrated live. Fail-closed is the default everywhere (default DENY, default candidate/quarantine).
5.6 Cross-links
- evidence from [[03-sb0-authorization-rehearsal-results]] §3.4–3.6 and [[04-axis-registry-assignment-rehearsal-results]] §4.4.
- proves the hardened invariants of [[one-roof-axis-auth-proposal-operational-hardening-build-ready-design-2026-06-02]] docs 02/03/05.