Parameter Enforcement
This page defines the bounded-parameter rules required to satisfy INV-2.
Spec Drift Warning
Changes to implementation that violate invariant mappings invalidate compliance with v1.0. Implementations MUST preserve invariant-to-component, invariant-to-artifact, and invariant-to-verification-step mapping.
Compliance Assertion
- • Satisfies INV-2 by binding execution to approved bounds.
- • Prohibits silent truncation and unapproved parameter expansion.
Non-Compliance Results In
- • Bounds exceedance causes denial.
- • Unverifiable narrowing causes denial.
- • Executed parameters that diverge from approved parameters are non-compliant.
Parameter Bounds Validation
Invariant Mapping: INV-2
- • Every execution request MUST be evaluated against the bounded parameters in the approval envelope.
- • The bounded parameters MUST be deterministic and serializable.
- • Requests exceeding approved bounds MUST be denied. Silent truncation is prohibited.
Allowed Transformations
Invariant Mapping: INV-2
Parameter narrowing is permitted only when it is explicitly configured, deterministic, and semantically safe.
- • A narrowing rule MUST be declared in policy before use.
- • A narrowing rule MUST preserve semantic meaning of the approved operation.
- • If safe narrowing cannot be proven, execution SHALL be denied.
Rejection Conditions
Invariant Mapping: INV-2
- • Gate MUST deny requests containing additional parameters not present in the approval envelope.
- • Gate MUST deny requests whose serialized parameters do not match the bounded patterns.
- • Execution Layer MUST deny any request where executed parameters differ from approved parameters without an allowed narrowing rule.
Compliance Evidence
- • Test case showing denial for bounds exceedance.
- • Trace showing executed parameters equal approved parameters or approved narrowed parameters.
- • Audit record capturing DENIED_BOUNDS_EXCEEDED.
Verification Linkage
INV-2
Artifact: approval-001.json
Check: Approved bounds exist and are deterministic
Verification step: verification walkthrough: Step 4
INV-2
Artifact: audit-chain-001.json
Check: Executed parameters match approved parameters
Verification step: verify.sh: INV-2