PUBLIC_FAILURE_MODEL.json
{
"version": "0.2.0",
"reviewed_at": "2026-03-28",
"principles": [
"Public boundaries should reject malformed input before trusted state changes.",
"Negative paths should stay typed and bounded rather than surfacing as unhandled failures.",
"Trust-sensitive portability workflows should fail closed when evidence is incomplete.",
"Published contract artifacts should be blocked when reference integrity or completeness breaks."
],
"failure_classes": [
{
"id": "integrity-seal-rejection",
"summary": "Capsules that are structurally plausible but cryptographically wrong must fail at the final trust gate.",
"strongest_surfaces": [
"examples/example-validator-invalid-g16.capsule.json",
"examples/api/validate-response.fail.json",
"docs/examples.md"
],
"verify_commands": [
"npm run check:examples",
"npm run check:api-examples",
"npm run check:failure-model"
]
},
{
"id": "validator-input-rejection",
"summary": "Malformed validator route input should return bounded 4xx-style errors before any trusted mutation.",
"strongest_surfaces": [
"docs/api-envelopes.md",
"examples/api/error-response.sample.json",
"examples/api/unauthorized-response.sample.json",
"examples/api/forbidden-response.sample.json",
"examples/api/conflict-response.sample.json"
],
"verify_commands": [
"npm run check:api-examples",
"npm run check:api-schemas",
"npm run check:failure-model"
]
},
{
"id": "support-route-failure",
"summary": "Support-route failures should remain bounded typed envelopes instead of surfacing as opaque 500 behavior.",
"strongest_surfaces": [
"docs/api-envelopes.md",
"examples/api/stats-error-response.sample.json",
"docs/failure-model.md"
],
"verify_commands": [
"npm run check:api-examples",
"npm run check:api-schemas",
"npm run check:failure-model"
]
},
{
"id": "portability-trust-block",
"summary": "Archive replay should stop when checksum, scope, or policy evidence is missing.",
"strongest_surfaces": [
"docs/portability.md",
"docs/archive-bundles.md",
"PUBLIC_PORTABILITY_PROFILE.json"
],
"verify_commands": [
"npm run check:portability",
"npm run check:failure-model"
]
},
{
"id": "artifact-publication-block",
"summary": "OpenAPI or route-family artifacts with missing required paths or broken references should be rejected instead of published.",
"strongest_surfaces": [
"docs/openapi.md",
"openapi/validate.openapi.json",
"docs/failure-model.md"
],
"verify_commands": [
"npm run check:docs",
"npm run check:failure-model"
]
}
],
"non_claims": [
"This file does not enumerate every private runtime failure case.",
"This file does not replace the stronger example, OpenAPI, or portability surfaces it references."
],
"review_commands": [
"npm run check:failure-model",
"npm run verify:repo"
]
}