09 — Red-Team v3: 64 Scenarios (48 rerun + 16 new) (Branch I) (2026-06-01)
09 — Red-Team v3: 64 Scenarios (Branch I)
Reruns all 48 Round-3 scenarios under the Round-4 hardened text + adds 16 new scenarios targeting the open-question/new-attack classes the mission named. Legend: ✅ caught and auto-remediable · 🟧 detected + gate-blocked (production protected) but auto-remediation pending a named substrate prerequisite (T1-6a/b, SB-3) · ❌ uncaught.
Result: 64/64 (100%) caught-or-classified · 58 ✅ (90.6%) auto-remediable · 6 🟧 (#13,#14,#36,#45,#51,#58) · 0 ❌. Meets all thresholds: 100% critical caught/blocked; ≥90% caught/classified; no uncaught local-governance island, no uncaught future-axis hardcode, no uncaught IU governance island.
9.1 Scenarios 1–48 (rerun — Round-3 doc 12, status under Round-4 text)
Part A (1–24, prior rerun): all ✅ except #13 🟧 (PROPOSE malformed APR — no action_code) and #14 🟧 (APPLY object-edge CHECK-blocked).
1 API route no owner ✅ · 2 pivot no approval ✅ · 3 personal pin→global ✅ · 4 local policy table ✅ · 5 Direct-PG "temporary" forever ✅ · 6 grouping invents classification ✅ · 7 two agencies claim a policy ✅ · 8 seam nobody owns ✅ · 9 DOT writes labels no approval ✅ · 10 mutating DOT no paired_dot ✅ · 11 scanner itself unowned (bootstrap) ✅ · 12 applier self-approves ✅ · 13 PROPOSE malformed APR 🟧 · 14 APPLY object-edge CHECK-blocked 🟧 · 15 UI hardcodes classification ✅ · 16 UI count not pivot-backed ✅ · 17 Nuxt computes governance state ✅ · 18 event before registration ✅ · 19 1M duplicate issues ✅ · 20 parent hides child policy ✅ · 21 source missing from L1 inventory ✅ · 22 owner flips draft, dependents rot ✅ · 23 RO adapter gains write endpoint ✅ · 24 object parked ignored to green-gate ✅
Part B (25–48, prior new): all ✅ except #36 🟧 (PROPOSE assign IU/axis owner — missing action-type) and #45 🟧 (APPLY object-grain owner for law-orphan IU/route/axis).
25 new IU axis no governance ✅ · 26 future pivot group-by column ✅ · 27 new unit_kind no vocab owner ✅ · 28 inherited IU container hides child split ✅ · 29 IU 54-cmd catalog ∥ dot_tools ✅ · 30 grouping policy island under IU ✅ · 31 vector exception never expires ✅ · 32 preview route promoted to prod ✅ · 33 Direct-PG bypass gains write ✅ · 34 personal pin→global (IU/RP) ✅ · 35 dormant event reuse (mother.governance.*) ✅ · 36 PROPOSE assign IU/axis owner 🟧 · 37 hardcoded axis list in RP UI ✅ · 38 new law no §0-GOV hook ✅ · 39 IU owner_agency=TBD (OP-B) ✅ · 40 two agencies claim IU policy ✅ · 41 10⁶ uncovered inheriting IU pieces ✅ · 42 IU reconstruction broken by a cut ✅ · 43 IU KG edge outside a DOT ✅ · 44 unknown future object type ✅ · 45 APPLY object-grain owner law-orphan 🟧 · 46 stale scan passes a gate ✅ · 47 suppression silences a class ✅ · 48 profile catalog weakened ✅
9.2 Scenarios 49–64 (NEW — Round-4 attack classes)
| # | Attack | Expected detection | Sev | Owner | Issue / event | Gate impact | Hardened text catches? | Fix if not |
|---|---|---|---|---|---|---|---|---|
| 49 | count>1 harmless: 2 personal browser prefs flagged as islands | Correctly NOT flagged — Class 0 (M-DEF-1/10); exclusion in COUNCIL list | info | COUNCIL (list) | none | none | ✅ (anti-over-governance: 0 issue) | — |
| 50 | count>1 governed: 2 prod routes, unowned | governed (SURFACE); route_orphan/OWNER_GAP |
high | MOUT/SIV | route_orphan / gov event |
G-PROD block | ✅ | — |
| 51 | future document axis: evidence_unit axis appears |
axis_unregistered; PROPOSE assign_axis_owner |
crit | per registry | axis_unregistered |
block | 🟧 detected+blocked; apply needs SB-1(action-type)+SB-2(edge) | C-2/C-1 |
| 52 | migrated law clause: clause moved Đ26→Đ37 drops its §0-GOV decl | governance_hook_missing on migrated objects |
high | NRM-SYS | governance_hook_missing |
review block | ✅ (§0-GOV required on any law edit) | — |
| 53 | specialized law ships without §0-GOV | governance_hook_missing at Đ20 review |
high | COUNCIL | issue + review fail | G-DESIGN block | ✅ | — |
| 54 | new object type, no registry: new PG table appears, not in any L1 inventory | inventory_gap → Class 12 FUTURE, owner-of-last-resort |
crit | SIV→COUNCIL | inventory_gap |
block | ✅ (inventory completeness) | — |
| 55 | island disguised as config: a dot_config row encodes an owner/approval policy |
island via owner-constant-in-data (PG) + CI (OQ-D3) | crit | SIV | LOCAL_GOVERNANCE_ISLAND |
block | ✅ (PG + CI dual channel) | — |
| 56 | AI agent creates pivot+label+DOT in one batch | each born (Đ0-G) → predicate-classified → owned; creator irrelevant | high | per class | coalesced gov issues | block per object | ✅ (1 coalesced issue, not spam) | — |
| 57 | coverage scanner self-approves its own APR | SoD block; os_proposal_approvals=0 ⇒ no self-sign-off |
crit | COUNCIL | apr_self_approval |
block | ✅ (applier≠approver; scanner is a governed object #11) | — |
| 58 | route registry absent / scan root misconfigured | route inventory UNVERIFIABLE=fail; depends on a defined scan root |
high | MOUT/SIV | route_unverifiable |
G-ROUTE block | 🟧 detected+failed-closed; completeness depends on OQ-G1 scan root | OQ-G1 (defined scan root) |
| 59 | event spam at 10⁸ objects: coverage scan over 100M inheriting objects | grain aggregation + coalesce + emit ceiling ⇒ ≤1 container issue | info | SIV | 1 coalesced summary | none (no flood) | ✅ (proven vs live template_gap 182k) |
— |
| 60 | inheritance hides child's own exception: covered parent; child route carries an un-ratified Direct-PG exception | own UNRATIFIED_EXCEPTION despite covered parent |
crit | SIV | unratified_exception |
block | ✅ (owner-link-only inheritance; risk links never inherit) | — |
| 61 | Direct-PG exception TTL expires unnoticed | issue_on_expiry fires; fingerprint invalidates; escalate critical |
crit | SIV | exception_expired |
block | ✅ (M-DEF-6 expiry+fingerprint) | — |
| 62 | personal pin exported/shared (OQ-A2) | crosses shared-truth boundary at share-time → governed; pin_policy_unowned if no global owner |
high | COUNCIL | pin_policy_unowned |
block | ✅ (A2 default: shareable⇒governed at share) | council ratify A2 |
| 63 | vector index drift: IU re-cut, Qdrant not reindexed | iu_vector_drift (content_digest≠indexed_digest); non-exemptable |
crit | KG-SYS/SIV | iu_vector_drift |
block | ✅ (vector-per-IU invariant; no waiver) | — |
| 64 | DOT IU island: new command added to dot_iu_command_catalog not dot_tools |
DOT_AUTHORITY_GAP (parallel catalog) |
high | DOT | dot_authority_gap |
block | ✅ (single Đ35 SSOT) | bind catalog (IU design) |
9.3 The 6 🟧 — all reduce to named prerequisites (no silent escape)
| 🟧 | Reduces to | Cleared by |
|---|---|---|
| #13, #36 | PROPOSE blocked — missing assign_governance_owner/assign_axis_owner action-type |
SB-1 / C-2 |
| #14, #45 | APPLY blocked — object/axis owner edge un-expressible (CHECK {law,agency}) | SB-2 / C-1 |
| #51 | future-axis APPLY — same action-type + edge prerequisites | SB-1 + SB-2 |
| #58 | route completeness depends on a defined scan root | OQ-G1 (defined scan root; fails-closed meanwhile) |
Every 🟧 is fully detected and gate-blocked (production protected); only auto-remediation waits. The IU axis envelope hardcode (SB-3) is surfaced by #51's substrate (a 4th axis needs DDL) and is tracked as a design prerequisite, not a red-team escape.
9.4 Threshold check & answer to Success-Target Q12
| Threshold (mission §13) | Result |
|---|---|
| 100% critical caught or explicitly blocked | ✅ (all crit ✅/🟧) |
| ≥90% total caught/classified | ✅ 100% |
| ≥90% auto-remediable | ✅ 90.6% (58/64) |
| no uncaught local-governance island | ✅ (#55) |
| no uncaught future-axis hardcode | ✅ (#51 detected+blocked; SB-3 named) |
| no uncaught IU governance island | ✅ (#29/#64) |
| 0 ❌ | ✅ |
Q12 ("detection → issue/event/notification without spam") → YES — #59 demonstrates 10⁸-object scan produces ≤1 coalesced issue, validated against the live 182,378-row template_gap flood the anti-spam machinery already survives.