{
  "fixture_id": "task-2553+34.forbidden-boundary",
  "task": "task-2553+34",
  "track": "C2",
  "lv": "Lv.3 independent adversarial verification",
  "adversarial_class": "forbidden_boundary_breach",
  "phase": "A=engine-independent design (now) / B=engine-consuming assertion (pending C1)",
  "threat_model": "The profile is identity-correct and fresh, but the planned effective actions and the effective_diff target forbidden write paths: the frozen anchor production file, the C1 engine core itself, and a frozen coordinator. A naive boundary resolver checks allowed_actions but never intersects effective_diff with forbidden_write_targets or scope_invariants.forbidden_paths_regex.",
  "structural_reference": {
    "boundary_validator_ref": "anu_v3/goal_boundary_validator.py (read-only ref: validate_boundary intersect rules a-d)",
    "scope_invariants_ref": "memory/policy_profiles/test_only_hardening_pr_merge_v1.json#scope_invariants.forbidden_paths_regex (read-only ref)"
  },
  "input": {
    "goal_request": {
      "goal_id": "g-2553p34-forbidden",
      "goal_statement": "Apply hardening that incidentally edits protected paths.",
      "boundary": ["isolated worktree", "no production diff"],
      "policy_profile": { "name": "test_only_hardening_pr_merge_v1" }
    },
    "planned_effective_actions": ["edit_file", "commit", "merge_pr"],
    "effective_diff_files": [
      "anu_v2/owner_trigger_pat.py",
      "anu_v3/policy_profile_engine.py",
      "anu_v3/parallel_batch_coordinator.py",
      "utils/anu_delegation_completion_callback.py"
    ]
  },
  "profile_registry_state": {
    "resolved_profile_body": {
      "profile_id": "test_only_hardening_pr_merge_v1",
      "version": "v1",
      "stale_detected": false,
      "forbidden_write_targets": [
        "anu_v2/owner_trigger_pat.py",
        "anu_v3/policy_profile_engine.py",
        "anu_v3/parallel_batch_coordinator.py",
        "utils/anu_delegation_completion_callback.py"
      ],
      "scope_invariants": {"forbidden_paths_regex": ["^anu_v2/owner_trigger_pat\\.py$", "anu_v3/.*coordinator", "(?<!test[_/]).*\\.py$ -> production"]}
    }
  },
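  "injection": "effective_diff intentionally includes a frozen production anchor, the C1 engine core (C2 must never write it), and a frozen coordinator. All four effective_diff_files entries also appear in forbidden_write_targets, so every one of them is expected to be reported as a violation.",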
  "expected_engine_behavior": {
    "gate": "HOLD",
    "decision_status": "HOLD",
    "hold_reason_class": "forbidden_boundary_breach",
    "violations_nonempty": true,
    "allowed_actions_expansion": [],
    "forbidden_enforced": true,
    "must_not": [
      "MUST NOT pass gate because allowed_actions contained 'edit_file'/'merge_pr'",
      "MUST NOT skip the effective_diff ∩ forbidden_write_targets intersection",
      "MUST NOT permit a write to the frozen anchor / C1 core / frozen coordinator under any profile",
      "MUST NOT downgrade a forbidden-touch from HOLD to a warning"
    ]
  },
  "phase_b_assertions": [
    {"predicate": "engine.decision.status == 'HOLD'", "rationale": "forbidden touch is hard fail-closed"},
    {"predicate": "len(engine.decision.boundary_violations) >= 1", "rationale": "intersection produced violations"},
    {"predicate": "every file in effective_diff_files that matches a forbidden target appears in boundary_violations", "rationale": "no silent drop"},
    {"predicate": "'forbidden_boundary_breach' in engine.decision.hold_reasons", "rationale": "explicit cause"}
  ],
  "false_positive_guard": "Assertion enumerates each forbidden file individually so an engine that detects only the first violation and short-circuits is still flagged as incomplete coverage."
}
