KB-168A

T1-Max Review - Test / Guard

Revision 1
Tags: fix7, architecture, max-review, test-guard

08 - SUPERTRACK H: Test / Guard Review (30 guards)

Checks

| Check | Result |
|---|---|
| guard count consistent across docs | PASS - 30 rows in doc 06; "Total guards: 30"; doc 12 + both checkpoints = 30 |
| every guard has input, expected output, fail meaning | PASS - all 30 rows complete |
| guard failure blocks the correct package | PASS - "when run" column maps each guard to its S-step/package |
| G-LEGACY-FROZEN and G-DOT-NOOVERWRITE fully defined | PASS - G-LEGACY-FROZEN defined (XHI-02); G-DOT-NOOVERWRITE re-grounded PG-native (MC-01) |
| guard does not pass on an empty set unless the empty set is itself verified | PASS-after-fix (MH-01) - new rule 1: "=0"/empty/both-EXCEPT guards must prove the underlying set/closure is non-vacuous |
| guard does not rely on bool_and NULL-ignore | PASS-after-fix (MH-01) - new rule 2: NULL-strict count-match required |
| guard does not rely on function/view existence | PASS - rule 4 reaffirms; guards test behavior/sets/recomputed values |
| guard does not rely on source-text as final authority | PASS-after-fix (MH-01/MC-01) - new rule 3: source-text diagnostic only; final authority PG-native |
| guard failure cannot be hidden by Directus-editable data | PASS - guards read pg_catalog (ownership/ACL) + owner-isolated qt001_cp sealed manifests; qt001_cp is never Directus-owned (created owner-isolated at S01), so no Directus row edit can flip a guard |
| guard proves blocked-now for routed-later risks | PASS - G-17 + apply/permit/REAL_RUN/2.6B blocked across all steps |

Finding

MH-01 (P2) - guard-quality rules missing (anti-false-green)

The 30 guards were individually adequate, but three cross-cutting disciplines - exactly the ones FIX5/FIX6 were burned by - were not stated as binding rules, so a future implementer could re-introduce a vacuous or NULL-ignoring guard.

  • Fix (doc 06, new "Guard-quality rules" section):
    1. No vacuous pass. Any "=0"/empty/both-EXCEPT guard (G-NOLEGACY, G-EXACTSET-20, G-UNKNOWN-ZERO, G-AUTH-27/G-RUNTIME-NONAUTH diffs) must also assert the input set/closure is non-vacuous and well-formed (expected set populated; closure traversed from present roots). G-NOLEGACY's row now carries this non-vacuity clause explicitly.
    2. NULL-strict aggregates. No bool_and/bool_or over a nullable column that NULL-ignores; use NULL-strict count-match so a NULL component fails closed.
    3. Source-text diagnostic only. Guards reading pg_get_functiondef/viewdef/DOT bodies use text to flag candidates; final authority is catalog/ACL, pg_constraint/pg_index, pg_depend closure, sealed rows, or a recomputed hash; missing text fails closed.
    4. No existence-only proof. A guard never passes merely because a function or view exists; it tests behavior, sets, or recomputed values.
  • These align with the governing law §5 (no_fake_PASS, evidence_first) and the negative-test rule (§2.5) already present ("no negative test may be a literal PASS row").
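The following is an added illustration of rules 1, 2 and 4 in PostgreSQL, not a guard from doc 06: it uses a constructed expected set (the names fn_a, fn_b, fn_old_a, fn_old_b, app_owner are placeholders) and shows the NULL-ignoring bool_and form beside the NULL-strict count-match with a non-vacuity clause, reading ownership from pg_catalog rather than only testing existence.

```sql
-- Constructed expected set: which functions must be owned by which role.
-- (Names are placeholders, not the project's real guard inputs.)
WITH expected(proname, expected_owner) AS (
    VALUES ('fn_a'::name, 'app_owner'::name),
           ('fn_b'::name, 'app_owner'::name)
),
observed AS (
    -- LEFT JOIN keeps an expected function that is missing from the catalog
    -- as a row with actual_owner = NULL, so absence is visible to the guard.
    SELECT e.proname, e.expected_owner, r.rolname AS actual_owner
    FROM expected e
    LEFT JOIN pg_catalog.pg_proc  p ON p.proname = e.proname
                                   AND p.pronamespace = 'public'::regnamespace
    LEFT JOIN pg_catalog.pg_roles r ON r.oid = p.proowner
)
SELECT
    -- Forbidden form (rule 2): bool_and() skips NULL inputs and returns NULL
    -- over an empty set, so a missing function never yields FALSE here.
    bool_and(actual_owner = expected_owner)                       AS weak_pass,
    -- Required form (rules 1 + 2): every expected row must match, and there
    -- must be at least one row, so both a NULL and an empty set fail closed.
    count(*) > 0
      AND count(*) = count(*) FILTER (WHERE actual_owner = expected_owner)
                                                                  AS strict_pass
FROM observed;

-- Rule 1 applied to an "=0" guard (G-NOLEGACY shape): "no legacy function
-- remains" is only meaningful if the captured legacy roster is non-empty.
WITH legacy(proname) AS (
    VALUES ('fn_old_a'::name), ('fn_old_b'::name)   -- constructed roster
),
remaining AS (
    SELECT l.proname
    FROM legacy l
    JOIN pg_catalog.pg_proc p ON p.proname = l.proname
                             AND p.pronamespace = 'public'::regnamespace
)
SELECT (SELECT count(*) FROM legacy)    > 0   -- non-vacuity clause
   AND (SELECT count(*) FROM remaining) = 0   -- the "=0" assertion itself
       AS nolegacy_pass;
```

On a database where fn_b is absent, weak_pass is TRUE while strict_pass is FALSE; with an empty roster the second query returns FALSE instead of a vacuous PASS.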

Independent guard spot-checks

  • G-NOLEGACY: now structural #11 closure + ACL over the complete captured legacy set + the non-vacuity clause - the strongest form (FIX5 lesson fully internalized).
  • G-DOT-NOOVERWRITE: PG-native owner-isolation as final authority (MC-01).
  • G-HASHDET: two independent recomputes under CP-06 encoding - defends the FIX..FIX6 divergence loop. Adequate.
  • 30 guards unchanged - the Max pass tightened wording and added rules; it added/removed no guard.

Verdict

TEST_GUARD_PASS_AFTER_FIX - 30 PG-native guards, every macro family covered, with the anti-false-green disciplines (non-vacuity, NULL-strict, source-text-diagnostic) now binding rules, and the two highest-risk guards (G-NOLEGACY, G-DOT-NOOVERWRITE) hardened.

Source: knowledge/dev/reports/architecture/t1-max-fix7-refactor-blueprint-review-2026-06-08/08-test-guard-review.md