Cross-trace lineage review
Can broken trust escape by starting a new trace?
DBAD-ETHICS-817 asks reviewers to test whether parent trace failures propagate into declared child lineage instead of remaining local to one trace page.
The same-trace issue is closed for the canonical parent trace. This brief targets the next boundary: a downstream or copied trace that references the parent while trying to look clean.
Known parent
trc_20260428181140_42396240
Current validation: Trace failed 1 deterministic validation check(s).
Trust continuity: broken
Violation: missing_boundary_trust_state_on_trust_positive_resume
Navigation guard: same-host absolute URLs accidentally routed through /dbad/traces/ recursively normalize and redirect to their canonical page instead of being treated as trace IDs. Cross-host absolute URLs are not redirected.
Status guard: secondary or derived *status* fields carry local machine-only/display-safe/authority-binding companions, *_human_readable=NOT AUTHORIZATION - status evidence: structural-evidence-code-v2-... - not permission, and *_human_readable_truncation_forbidden=true unless their values already start with NOT_AUTH::. Trace/validation JSON and verifier response data expose secondary_status_fields_bound=true, secondary_status_binding_policy, status_field_invariant_verified=true, status_human_readable_truncation_forbidden=true, and global_status_field_invariant; verifier responses mark dropped companions with missing_secondary_status_binding=true and legacy v1 submissions with v1_citation_rejection_reason.rejection_code=legacy_bundle_version_rejected. Renderer-added custom or merged status keys are subject to the same invariant.
Crop guard: trace detail and trace index metadata rows render evidence/not-authorization labels, not standalone approval-shaped labels. The index rows say Review status evidence, Expected evidence, Outcome evidence, Completeness evidence, Closure evidence, and Blind spot count, not authorization; the Round 47 fuzz harness fails if raw Review status:, Expected:, Outcome:, Completeness:, or Closure: labels return in those rows.
Rule Under Review
A trace that declares parent lineage must inherit blocking validation failures from the referenced parent until a remediation path is explicitly defined.
- Parent refs may appear as lineage_parent_trace_id, parent_trace_ref, parent_trace_id, nested lineage.lineage_parent_trace_id, lineage.parent_trace_ref, or lineage.parent_trace_id.
- completeness_attestation.included_trace_refs is coverage-only and does not count as lineage by itself.
- Missing parent refs fail with missing_parent_trace_ref.
- Broken or invalid parent refs fail with unresolved_parent_lineage_failure.
- Parent validation summaries must travel in validation metadata.
Current Boundary
This pass now also blocks same-resource orphan resets when a machine-readable resource_id exists and a prior trace on that resource is currently broken.
A trust-positive root trace without a declared parent and without machine-readable resource identity now fails with missing_resource_identity_for_lineage_check instead of presenting as a clean root.
Canonical public example traces now carry stable resource identity where appropriate, and seed refreshes backfill those known examples into the trace store.
Non-governing traces marked trace_purpose=analysis_only, audit_only, review_only, or non_governing do not claim trust propagation and are not blocked by the missing-resource guard. A verifier-bound zero_trust_reset can restore a same-resource trace only when it references prior broken traces, evidence hashes, a reset lineage hash, and a registered independent verifier. Approved resets now surface as restored_with_reset_boundary, not uninterrupted trust, and descendants inherit lineage_reset_boundary=true.
Reviewer Test Construction
Create or submit a trace object that is otherwise clean but includes:
{
"lineage_parent_trace_id": "trc_20260428181140_42396240"
}
Expected validation result:
- cross_trace_lineage_integrity: false
- unresolved_parent_lineage_failure
- parent_validation_summaries includes the parent trace failure
- trust_lineage_blocked: true and trust_lineage_block_source: declared_parent are present in metadata
- lineage_validation_mode: live, validated_at_utc, and lineage_traversal_depth are present in metadata
For multi-hop lineage testing, construct a grandchild trace whose parent points to a child of the broken canonical trace. Expected result: the grandchild still fails and flattened ancestor summaries include the broken root, not just the immediate parent snapshot.
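The declared-parent rule and the multi-hop case above, sketched as an added example (this is not DBaD's validator or code from this page). The field names and failure codes come from the page. The in-memory store, the own_failures key, the summary shape, and the treatment of a ref to an absent trace as missing_parent_trace_ref and of a cycle as an invalid ref are assumptions.

```python
# Added illustration, not the DBaD validator. Field names and failure codes are
# from the page; the store layout and "own_failures" are assumptions.
PARENT_KEYS = ("lineage_parent_trace_id", "parent_trace_ref", "parent_trace_id")

def parent_ref(trace):
    """Declared parent ref, top-level or nested under 'lineage', else None."""
    nested = trace.get("lineage")
    for scope in (trace, nested if isinstance(nested, dict) else {}):
        for key in PARENT_KEYS:
            if scope.get(key):
                return scope[key]
    return None  # completeness_attestation.included_trace_refs is never consulted

def validate_lineage(trace_id, store, max_depth=32):
    """Walk every declared ancestor; a broken one anywhere blocks the descendant."""
    failures, summaries, seen, depth = [], [], {trace_id}, 0
    ref = parent_ref(store[trace_id])
    while ref is not None:
        parent = store.get(ref)
        if parent is None:  # assumed reading of "missing parent ref"
            failures.append("missing_parent_trace_ref")
            break
        if ref in seen or depth >= max_depth:  # assumption: a cycle is an invalid ref
            failures.append("unresolved_parent_lineage_failure")
            break
        seen.add(ref)
        depth += 1
        if parent.get("own_failures"):
            summaries.append({"trace_id": ref, "violations": list(parent["own_failures"])})
        ref = parent_ref(parent)
    if summaries and "unresolved_parent_lineage_failure" not in failures:
        failures.append("unresolved_parent_lineage_failure")
    blocked = bool(failures)
    return {
        "cross_trace_lineage_integrity": not blocked,
        "failures": failures,
        "parent_validation_summaries": summaries,  # flattened across all hops
        "trust_lineage_blocked": blocked,
        "trust_lineage_block_source": "declared_parent" if blocked else None,
        "lineage_traversal_depth": depth,
    }

STORE = {  # constructed sample store; trace IDs are placeholders
    "trc_root": {"own_failures": ["missing_boundary_trust_state_on_trust_positive_resume"]},
    "trc_child": {"lineage_parent_trace_id": "trc_root"},
    "trc_grandchild": {"lineage": {"parent_trace_ref": "trc_child"}},
    "trc_coverage": {"completeness_attestation": {"included_trace_refs": ["trc_root"]}},
    "trc_dangling": {"parent_trace_id": "trc_absent"},
}
```

Calling validate_lineage("trc_grandchild", STORE) reports the broken root in the flattened summaries even though the immediate parent has no local failure, while trc_coverage passes this particular check because coverage refs are not lineage.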
For same-resource orphan reset testing, construct a fresh root trace with the same resource_id as a broken prior trace and no parent field. Expected result: resource_lineage_integrity: false and same_resource_orphan_lineage_failure.
For missing-resource identity testing, construct a trust-positive root trace with no parent field and no resource_id, resource_ref, or lineage_anchor. Expected result: resource_lineage_integrity: false and missing_resource_identity_for_lineage_check.
For coverage exposure testing, construct a trust-positive trace that lists a broken trace in completeness_attestation.included_trace_refs but does not declare lineage and is not non-governing. Expected result: coverage_trace_exposure: false and unbound_prior_trace_exposure.
For analysis-mimic testing, construct a trace that declares trace_purpose=analysis_only but records trust-positive continuation markers such as mark_reviewed or a boundary trust-state handoff. Expected result: governing_intent_coverage_alignment: false and governing_intent_mismatch_coverage_exposure.
For reliance testing, construct a trust-positive trace with relies_on_trace_refs pointing to a non-governing analysis trace. Expected result: trace_reliance_integrity: false and reliance_on_non_governing_trace. A prose-only phrase such as "covered by analysis trace X" should surface unverified_prose_reference and prose_reliance_not_machine_verified as advisory metadata, not as semantic lineage inference. Mixed, transitive, or partial structured reliance sets should fail if any governing dependency relies on non-governing or unresolved traces, or if reliance_declaration_mode is not complete.
For resource-continuity churn testing, construct a trust-positive root with a new resource_id and resource_lineage_anchor.prior_resource_ids pointing to a broken prior resource. Expected result: resource_lineage_integrity: false and unresolved_prior_resource_lineage_failure unless a valid reset-boundary trace is declared.
For reset-boundary testing, validate an approved reset and a child of that reset. Expected result: both pass with trust_continuity_confidence=restored_with_reset_boundary; the child also exposes lineage_reset_boundary_inherited=true.
For reset-verifier authority testing, construct a reset with an independent-looking verifier ID that is not in the reset-verifier registry. Expected result: zero_trust_reset_verifier_not_registered and zero_trust_reset_state=rejected_verifier_authority.
For reset-evidence availability testing, construct a reset with a valid-looking evidence hash but an evidence ref that is not available through the deterministic evidence registry. Expected result: zero_trust_reset_evidence_unavailable and zero_trust_reset_state=rejected_evidence_unavailable.
For certified consumption testing, first obtain a passing trust_continuation_token from /api/v1/dbad/trust-continuation/check, including reliance_snapshot_hash when the trace exposes depends_on_reliance_trace_refs, then verify it through /api/v1/dbad/trust-continuation/token/verify. Expected result: valid token returns allowed=true; tampered, expired, dependency-stale, or reliance-epoch-stale token returns 409.
For historical attestation testing, use the optional historical_verification_attestation returned by successful token verification only as audit evidence. Expected result: /api/v1/dbad/historical-verification-attestation/verify verifies the signature but returns accepted_as_authorization=false, and /api/v1/dbad/trust-continuation/check rejects attempts to present the attestation as permission with historical_verification_attestation_not_authorization.
For client-consumption testing, do not treat copied trace JSON, copied validation JSON, screenshots, or cached receipts as authorization. Expected compliant path: fetch current validation, call /api/v1/dbad/trust-continuation/check with the receipt and lineage snapshot fields, verify the returned short-lived token, and reject trust-positive action unless token verification returns allowed=true. The public API docs include copy-pasteable client snippets for this path.
For API-envelope testing, DBaD non-authorization endpoints must omit root ok. Expected current root fields include api_transport_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., api_delivery_outcome=NOT_AUTH::not_authorization_outcome_evidence_for_structural-evidence-code-v2-..., ok_removed_for_authorization_safety=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., ok_meaning=transport_only_not_authorization, ok_authoritative_for_trust_positive_use=false, api_envelope_authorization_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., and unsafe_if_ok_used_for_authorization=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-....
For status-field invariant testing, fetch /api/v1/dbad/status-field-compliance-snapshot?cache_bust=<timestamp> or run python3 app/scripts/audit_dbad_status_field_compliance.py --base-url https://ethics.decencymeter.com. Expected result: no root ok, served_hardening_round=round47_irreversible_status_evidence_code_v1, status values beginning with NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-, typed status-keyed boolean/class evidence beginning with NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2- or NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-, no bare approval-shaped string values, no base64-reversible evidence-code payloads, payload-echo suppression in verifiers, mutation rejection for bare status or representation fields, and DBaD API cache headers Cache-Control: no-store, max-age=0, must-revalidate, Surrogate-Control: no-store, Pragma: no-cache, Expires: 0, and X-DBaD-Cache-Status: fresh.
For archival-projection testing, copied archive artifacts must begin with aaa_not_authorization_headline=NOT AUTHORIZATION - ARCHIVAL PROJECTION - NOT SAFE CITATION and retain headline_authority_block=NOT AUTHORIZATION - ARCHIVAL PROJECTION - NOT SAFE CITATION as a duplicate human-readable field. The first sentinel must remain first even when sorted by a JSON serializer.
For alternative-serialization testing, archival projections must also carry labeled status values such as validation_outcome_class_labeled=NOT AUTHORIZATION - structural validation evidence: structural-evidence-code-v2-... - not permission so a YAML/XML/log projection that strips sort-padding keys still has a boundary-bearing display value.
For validation-summary crop testing, the visible Trace Validation sentence must begin with NOT AUTHORIZATION - Validation result:, checked-rule rows must render pass - not authorization or fail - not authorization, and status metadata rows such as current_validation_status, validation_status_class, and validation_outcome_class must render values that begin with NOT AUTHORIZATION. The visible fingerprint projection must use human_readable_bundle_fingerprint_safe_display, not a raw long human_readable_bundle_fingerprint row. A cropped validation checklist, metadata excerpt, or fingerprint-display excerpt must not be able to quote passed, pass, or structural_pass without same-line non-authorization language.
For API field-selection testing, exposed raw status fields must be value-bound and explicitly marked machine-only/non-display-safe: expected metadata includes current_validation_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., validation_status_class=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., validation_outcome_class=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., current_validation_status_token=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., validation_status_class_token=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., validation_outcome_class_token=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., token-specific companions such as current_validation_status_token_authority_binding=not_authorization_token_bound, current_validation_status_token_display_safe=false, and current_validation_status_token_machine_only=true, group flags token_fields_display_safe=false, token_fields_machine_only=true, displaying_token_fields_is_non_compliant=true, raw_status_fields_display_safe=false, raw_status_fields_machine_only=true, current_validation_status_machine_only=true, validation_status_class_machine_only=true, validation_outcome_class_machine_only=true, displaying_raw_status_fields_is_non_compliant=true, and preferred_display_fields pointing to the *_human_readable values plus human_readable_bundle_fingerprint_safe_display. The raw bundle fingerprint must also expose human_readable_bundle_fingerprint_display_safe=false and human_readable_bundle_fingerprint_machine_only=true. Public human-facing examples should use values such as validation_outcome_class_human_readable=NOT AUTHORIZATION - structural validation evidence: structural-evidence-code-v2-... - not permission, not a bare pass-shaped status or token.
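A local audit of one response body and its headers against the API-envelope, status-field, crop and field-selection expectations above, as an added example (it is not app/scripts/audit_dbad_status_field_compliance.py and not code from this page). Key names, prefixes and header values are the ones quoted on the page. The nesting under metadata, the PLACEHOLDER evidence code and the sample bodies are constructed assumptions.

```python
# Added illustration, not app/scripts/audit_dbad_status_field_compliance.py.
# Key names, prefixes and header values are the ones quoted on the page.
STATUS_PREFIX = "NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-"
RAW_STATUS_KEYS = {"api_transport_status", "current_validation_status",
                   "validation_status_class", "validation_outcome_class"}
BARE_APPROVALS = {"pass", "passed", "structural_pass"}
REQUIRED_HEADERS = {"cache-control": "no-store, max-age=0, must-revalidate",
                    "surrogate-control": "no-store", "pragma": "no-cache",
                    "expires": "0", "x-dbad-cache-status": "fresh"}

def walk(node, key="", path="$"):
    """Yield (path, key, value) for every scalar in nested dicts and lists."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, k, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, key, f"{path}[{i}]")
    else:
        yield path, key, node

def audit(body, headers):
    """Return a list of findings; an empty list means every checked invariant held."""
    findings = ["$.ok: root ok must be omitted"] if "ok" in body else []
    for path, key, value in walk(body):
        base = key[:-len("_token")] if key.endswith("_token") else key
        if base in RAW_STATUS_KEYS and not str(value).startswith(STATUS_PREFIX):
            findings.append(f"{path}: status value not bound to NOT_AUTH:: evidence")
        if key.endswith("_human_readable") and not str(value).startswith("NOT AUTHORIZATION"):
            findings.append(f"{path}: display value lacks NOT AUTHORIZATION lead")
        if isinstance(value, str) and value.strip().lower() in BARE_APPROVALS:
            findings.append(f"{path}: bare approval-shaped string")
    seen = {k.lower(): str(v).strip() for k, v in headers.items()}
    for name, want in REQUIRED_HEADERS.items():
        if seen.get(name) != want:
            findings.append(f"header {name}: expected {want!r}, got {seen.get(name)!r}")
    return findings

EVIDENCE = STATUS_PREFIX + "PLACEHOLDER"  # constructed; the page elides the real code
GOOD_BODY = {"api_transport_status": EVIDENCE, "metadata": {  # constructed sample
    "current_validation_status": EVIDENCE, "validation_outcome_class_token": EVIDENCE,
    "validation_outcome_class_human_readable":
        "NOT AUTHORIZATION - structural validation evidence: PLACEHOLDER - not permission"}}
GOOD_HEADERS = {"Cache-Control": "no-store, max-age=0, must-revalidate", "Expires": "0",
                "Surrogate-Control": "no-store", "Pragma": "no-cache",
                "X-DBaD-Cache-Status": "fresh"}
BAD_BODY = {"ok": True, "metadata": {"current_validation_status": "passed",  # constructed
                                     "checks": ["structural_pass"]}}
```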
For public-surface consistency testing, DBaD ethics logic/API/code changes must keep /updates, /current-state, /api/docs/ethics, and this /dbad-ethics-817 proof page synchronized before a new peer-review prompt is considered ready.
Public Verification Fixtures
These stored fixture traces are synthetic review artifacts. They exist so reviewers can validate the cross-trace rules from public GET pages and the validation API without relying on prose claims.
| Fixture | Trace | Expected signal |
|---|---|---|
| Broken root | trc_fixture_827_broken_root | missing_boundary_trust_state_on_trust_positive_resume |
| Declared child | trc_fixture_827_declared_child | unresolved_parent_lineage_failure |
| Grandchild | trc_fixture_827_grandchild | unresolved_parent_lineage_failure |
| Same-resource orphan | trc_fixture_827_same_resource_orphan | same_resource_orphan_lineage_failure |
| Coverage exposure | trc_fixture_827_coverage_exposure | unbound_prior_trace_exposure |
| Missing resource identity | trc_fixture_827_missing_resource | missing_resource_identity_for_lineage_check |
| Analysis-only coverage | trc_fixture_827_analysis_coverage | no coverage-exposure failure |
| Rejected analysis mimic | trc_fixture_827_analysis_coverage_rejected | governing_intent_mismatch_coverage_exposure |
| Approved zero-trust reset | trc_fixture_832_zero_trust_reset_approved | restored_with_reset_boundary |
| Rejected reliance on analysis | trc_fixture_851_reliance_on_analysis_rejected | reliance_on_non_governing_trace |
| Prose reliance advisory | trc_fixture_851_prose_reliance_advisory | unverified_prose_reference |
| Accepted reliance on reset | trc_fixture_851_reliance_on_reset_accepted | trace_reliance_integrity=true |
| Mixed reliance rejected | trc_fixture_851_mixed_reliance_governing_violation | reliance_on_non_governing_trace |
| Transitive reliance rejected | trc_fixture_851_transitive_reliance_rejected | transitive_reliance_integrity_failure |
| Incomplete reliance declaration rejected | trc_fixture_858_incomplete_reliance_declaration | incomplete_reliance_declaration |
| Resource continuity churn rejected | trc_fixture_853_resource_continuity_churn_rejected | unresolved_prior_resource_lineage_failure |
| Reset descendant | trc_fixture_833_zero_trust_reset_descendant | lineage_reset_boundary=true |
| Unregistered reset verifier | trc_fixture_834_zero_trust_reset_unknown_verifier | zero_trust_reset_verifier_not_registered |
| Unavailable reset evidence | trc_fixture_836_zero_trust_reset_unavailable_evidence | zero_trust_reset_evidence_unavailable |
| Rejected zero-trust reset | trc_fixture_832_zero_trust_reset_rejected | zero_trust_reset_verifier_independence_failed |
Validation command pattern: curl -X POST https://ethics.decencymeter.com/api/v1/dbad/validate -H "Content-Type: application/json" -d '{"trace_id":"trc_fixture_827_declared_child"}'