| FP_001 |
Duplicate Execution After Retry Timeout |
State Consistency |
Retry Idempotence Window |
FP |
FM_001 · GR_001 · PM_001 · FP_002 · FP_003 |
At-least-once retry after lease timeout can apply one logical effect more than once unless a durable idempotency boundary exists. |
| FM_001 |
Duplicate execution caused by retry after timeout |
State Consistency |
Retry Idempotence Window |
FM |
FP_001 · GR_001 · PM_001 · FP_002 · GR_002 · PM_002 · FP_003 · GR_003 · PM_003 |
Systems with at-least-once delivery can legitimately retry work after a timeout. If commit semantics are not idempotent at the logical job boundary, retries can amplify side effects. |
| GR_001 |
Idempotent Commit Boundary |
State Consistency |
Retry Idempotence Window |
GR |
FP_001 · FM_001 · PM_001 |
Introduce a durable single-commit boundary (COMMITTED) per logical job. Only the first execution may cross this boundary; subsequent retries no-op. |
| PM_001 |
PM_001 — Duplicate execution after retry timeout |
State Consistency |
Retry Idempotence Window |
PM |
FP_001 · FM_001 · GR_001 · FM_002 |
FM001 was triggered when a lease expired and the same job was retried by a second worker while the first worker was still completing work. Without an explicit idempotent commit boundary, both attempts could apply logical effects. |
| FP_002 |
Extension Authority Persistence |
Policy Enforcement |
Extension Authority Lifecycle |
FP |
FP_001 · FM_001 · GR_002 · PM_002 · FP_003 |
Authority granted to an extension persists beyond the extension lifecycle, creating stale privilege scope. |
| FM_002 |
Unbounded pagination cookie state under repeated discover requests |
Resource Exhaustion |
Server-side Cursor Growth |
FM |
FP_005 · GR_005 · PM_005 |
Server-side pagination that persists cookies/cursors per request can become a remote memory amplification vector when cookie state has no enforced bound. |
| GR_002 |
Lifecycle-Bound Authority Registry |
Policy Enforcement |
Extension Authority Lifecycle |
GR |
FM_001 · FP_002 · PM_002 · FP_003 |
Authority entries are derived views of active components, not independent mutable state. |
| PM_002 |
PM_002 — Extension authority persists after uninstall |
Policy Enforcement |
Extension Authority Lifecycle |
PM |
FM_001 · FP_002 · GR_002 |
Credential mappings registered by an extension were not revoked on uninstall/deactivate, so HTTP credential injection authority could outlive the extension until process restart. This incident seeded FP002. |
| FP_003 |
Read-only Enforcement Gap |
Policy Enforcement |
Read/Write Boundary Drift |
FP |
FP_001 · FM_001 · FP_002 · GR_003 · PM_003 |
Declared read-only policy is not enforced at capability exposure boundaries. |
| FM_003 |
Per-peer reservation quota off-by-one at boundary |
Policy Enforcement |
Quota Boundary Math |
FM |
FP_006 · GR_006 · PM_006 |
Per-peer quota enforcement can fail at the exact limit if the admission guard uses strict-greater () instead of greater-or-equal (=), allowing one extra allocation beyond policy. |
| GR_003 |
Capability Surface Reduction at Startup |
Policy Enforcement |
Read/Write Boundary Drift |
GR |
FM_001 · FP_002 · FP_003 · PM_003 |
Project policy mode into the runtime capability surface during registration, not at invocation hints. |
| PM_003 |
PM_003 — Read-only intent not enforced in MCP server |
Policy Enforcement |
Read/Write Boundary Drift |
PM |
FM_001 · FP_003 · GR_003 |
The filesystem MCP server exposed destructive tools even when launched with read-only intent, relying on advisory hints instead of runtime enforcement. This incident seeded FP003. |
| FP_004 |
Anthropomorphic Misinterpretation |
Human Interpretation |
Anthropomorphic Projection |
FP |
FM_001 · FP_003 · GR_004 |
Statistical model errors are misclassified as strategic deception due to anthropomorphic interpretation. |
| FM_004 |
Participant identity map bijection not enforced |
Identity Integrity |
Identity Registry Collisions |
FM |
FP_007 · GR_007 · PM_007 |
Startup builds a tlskey → participantid registry using overwrite semantics. If two participants share the same TLS key (or duplicate IDs), the later insert replaces the earlier mapping. Runtime attribution becomes ambiguous. |
| GR_004 |
Failure-Domain Disambiguation Before Mitigation |
Model Behavior |
Anthropomorphic Projection |
GR |
FP_004 |
Require domain-disambiguation checks before assigning intent-bearing labels (e.g., "deception") to model failures. |
| FP_005 |
Unbounded Pagination Cookie State Amplification |
Resource Exhaustion |
Server-side Cursor Growth |
FP |
FM_002 · GR_005 · PM_005 · FP_006 |
Unauthenticated pagination requests create server-side cursor state without a global bound, allowing remote peers to amplify memory usage until exhaustion. |
| GR_005 |
Bounded Pagination State Registry |
Resource Exhaustion |
Server-side Cursor Growth |
GR |
FM_002 · FP_005 · PM_005 |
Project pagination into a deterministic bounded state budget. Every new cookie allocation must pass through capacity enforcement with explicit overflow behavior (evict/reject/expire). |
| PM_005 |
PM_005 — Unbounded pagination cookie state growth |
Resource Exhaustion |
Server-side Cursor Growth |
PM |
FM_002 · FP_005 · GR_005 |
Repeated DISCOVER-style requests caused the server to allocate a new pagination cookie per call without any bound or eviction. A single remote peer could grow the cookie registry until memory pressure/OOM. This was the field incident that m |
| FP_006 |
Quota Boundary Off-by-One Admission |
Policy Enforcement |
Quota Boundary Math |
FP |
FM_003 · FP_005 · GR_006 · PM_006 |
Resource admission logic uses an exclusive boundary check where an inclusive limit is required, allowing one extra allocation beyond configured quota. |
| GR_006 |
Inclusive Quota Boundary Admission Checks |
Policy Enforcement |
Quota Boundary Math |
GR |
FM_003 · FP_006 · PM_006 |
Quota admission checks must reject at the exact configured boundary by using an inclusive predicate (current = max) before allocation is admitted. |
| PM_006 |
PM_006 — Quota boundary off-by-one admission |
Policy Enforcement |
Quota Boundary Math |
PM |
FM_003 · FP_006 · GR_006 |
Per-peer reservation admission used a strict-greater () comparator. When a peer reached the configured max and sent one more request, the check passed and admitted a max + 1 reservation. This field bug motivated FM003/FP006. |
| FP_007 |
Identity Map Bijection Break |
Identity Integrity |
Identity Registry Collisions |
FP |
FP_001 · FM_004 · GR_007 · PM_007 |
Participant identity registry allows duplicate credentials or IDs to overwrite existing entries, breaking the required bijection between participant IDs and TLS keys. |
| GR_007 |
Identity Bijection Startup Validation |
Identity Integrity |
Identity Registry Collisions |
GR |
FM_004 · FP_007 · PM_007 |
Validate participant configuration at startup before any listeners are opened: - compute uniqueness of participant IDs and credentials (TLS keys) - if counts differ, fail fast with diagnostics listing conflicts - prohibit silent overwrite; |
| PM_007 |
PM_007 — Participant identity ↔ TLS key bijection not enforced |
Identity Integrity |
Identity Registry Collisions |
PM |
FM_004 · FP_007 · GR_007 |
During TLS key rotation/scale-out, two participants shared the same TLS key. The identity map used HashMap::insert, so the later insert overwrote the earlier one. Runtime attribution could map authenticated traffic to the wrong participant, |
| FP_008 |
Tool Authority Escalation via Prompt Injection |
Agent Runtime |
Tool Authorization Conflation |
FP |
FP_002 · FP_003 · FM_008 · GR_008 · PM_008 |
If tool authority is delegated to model reasoning, prompt framing can steer agents into invoking sensitive tools outside intended user authority. |
| FM_008 |
Tool authority escalation via prompt injection |
Tool / Agent Interfaces |
Tool Authorization Conflation |
FM |
FP_008 · GR_008 · PM_008 |
An LLM agent with access to both public and sensitive tools can be manipulated by user prompt framing ("inspect internal config first") to invoke a sensitive tool that should not be available for standard user requests. |
| GR_008 |
Explicit Tool Authorization Boundary |
Tool / Agent Interfaces |
Tool Authorization Conflation |
GR |
FP_008 · FM_008 · PM_008 |
Real failure → Minimal reproduction → Mechanism → Guardrail → Atlas update. |
| PM_008 |
PM_008 — Tool Authority Escalation via Prompt Injection |
Tool / Agent Interfaces |
Tool Authorization Conflation |
PM |
FP_008 · FM_008 · GR_008 |
In FM008, a tool-using LLM agent was configured with: |