{ "fixture_id": "task-2553+34.allow-vs-forbid-conflict", "task": "task-2553+34", "track": "C2", "lv": "Lv.3 independent adversarial verification", "adversarial_class": "allow_vs_forbid_precedence_conflict", "phase": "A=engine-independent design (now) / B=engine-consuming assertion (pending C1)", "threat_model": "The single most dangerous adversarial case: the SAME action/target is simultaneously in the profile's allowed_actions AND forbidden by the boundary (forbidden_actions and/or scope_invariants.forbidden_paths_regex). A precedence bug that lets ALLOW win over an explicit FORBID is a privilege-escalation primitive. This fixture pins the fail-closed precedence invariant: FORBID strictly dominates ALLOW; equality/overlap resolves to HOLD.", "structural_reference": { "boundary_validator_ref": "anu_v3/goal_boundary_validator.py (rule (b): planned ∩ forbidden_actions == ∅; rule (d): forbidden_write_targets ∩ effective_diff == ∅)", "profile_schema": "schemas/policy_profiles/test_only_hardening_pr_merge_v1.schema.json (read-only ref)" }, "input": { "goal_request": { "goal_id": "g-2553p34-conflict", "goal_statement": "Merge the PR — profile explicitly allows merge_pr.", "boundary": ["no production diff"], "policy_profile": { "name": "test_only_hardening_pr_merge_v1" } }, "planned_effective_actions": ["merge_pr"], "effective_diff_files": ["anu_v3/parallel_batch_coordinator.py"] }, "profile_registry_state": { "resolved_profile_body": { "profile_id": "test_only_hardening_pr_merge_v1", "version": "v1", "stale_detected": false, "allowed_actions": ["merge_pr", "edit_file", "commit"], "forbidden_actions": ["merge_pr"], "scope_invariants": {"forbidden_paths_regex": ["anu_v3/.*coordinator"]}, "note": "INJECTED CONFLICT: 'merge_pr' is in BOTH allowed_actions and forbidden_actions; effective_diff also matches a forbidden_paths_regex. ALLOW and FORBID collide on the same action and target." } }, "injection": "Same token 'merge_pr' appears in allowed_actions and forbidden_actions; the diff target matches both an allow-implied write and an explicit forbidden_paths_regex.", "expected_engine_behavior": { "gate": "HOLD", "decision_status": "HOLD", "hold_reason_class": "allow_vs_forbid_conflict", "precedence_rule_applied": "FORBID_DOMINATES_ALLOW", "effective_allowed_after_resolution": [], "allowed_actions_expansion": [], "forbidden_enforced": true, "must_not": [ "MUST NOT let allowed_actions membership override an explicit forbidden_actions membership", "MUST NOT resolve the conflict by 'last wins' / 'allow wins' / ordering luck", "MUST NOT pass gate on an action that is forbidden, regardless of it also being allowed", "MUST NOT silently drop the conflict without recording it as the hold cause" ] }, "phase_b_assertions": [ {"predicate": "engine.decision.status == 'HOLD'", "rationale": "conflict resolves fail-closed"}, {"predicate": "'merge_pr' NOT in engine.decision.effective_allowed_actions", "rationale": "forbid dominates allow for the colliding token"}, {"predicate": "'allow_vs_forbid_conflict' in engine.decision.hold_reasons", "rationale": "the conflict itself is the recorded cause, not a downstream symptom"}, {"predicate": "engine.decision.precedence_rule == 'FORBID_DOMINATES_ALLOW' (or equivalent fail-closed marker)", "rationale": "precedence is explicit and deterministic, not order-dependent"} ], "false_positive_guard": "An engine that HOLDs only because of the forbidden_paths_regex diff match (rule d) but still reports merge_pr as allowed would pass a naive status check; the assertion separately requires 'merge_pr' absent from effective_allowed_actions so the precedence bug cannot hide behind the path check.", "criticality": "This is the highest-severity fixture in the suite (adversarial precedence). A Phase-B failure here is a §8 candidate: 'C1 engine 이 adversarial 에서 구조적 결함 노출(보고 필요)'." }