« All posts

A Green Test Suite Isn't Proof: Authority Gaps Slipped Past 16/16

A 16/16 passing test suite hid three critical gaps in an authority model. Why a green scoreboard alone was never sufficient proof.

An engineer describes how a memory-verification gate passed 16 out of 16 frozen test cases, with an independent checker reproducing the exact same result from raw fixtures — yet the article still got blocked before publication. The issue wasn't a fake run; it was that the test suite was answering the wrong question. The system was being graded against an answer key, but the answer key itself was incomplete.

Three loopholes survived: an owner-consent record could pass without any real external authority behind it; a blanket standing rule could silently rebuild the exact ambient power the design was meant to eliminate; and a consent granted to one reviewer could be borrowed by a different, unauthorized requester. The fix moved relation-checking away from persuasive prose and toward write-time authority facts — who requested the change, who owns the target record, and whether the invoking grant was actually live.

The sharpest finding concerned 'external' channels: a component could impersonate a trusted authority source simply by relabeling its own fields, and the gate accepted it. The real fix requires defining externality by capability, not description — the relation-minting component must have zero write path to the authority channel, enforced at the infrastructure level, below the application being tested. The engineering lesson: independent verification catches reproducibility failures, but a checker that only reruns your published tests can't tell you if you never tested the most dangerous case.