# Runbook: From Exploit to Regression Test Exploits arrive from four sources: adversarial self-play (Milestone #5), human red-team review, incidents in *other* governance systems (news, DAO post-mortems, history), and — worst case — incidents in our own. The pipeline is the same for all four. The goal is that no exploit is ever fixed without becoming permanent memory. ## Step 0 — Triage (same day) If the exploit is live against the project's own funding pool: invoke the kernel's incident procedure first (freeze the affected proposal class via `kernel.A5` with the shortest lawful sunset). The runbook continues in parallel, not instead. Classify severity: - **critical** — constitutional capture, irreversible loss, or empathy floor < 0.3; - **high** — extraction or suppression bounded by exit rights; - **medium** — degraded fairness/availability, recoverable; - **low** — theoretical, requires implausible coordination. ## Step 1 — Reproduce as moves Express the exploit as a concrete move sequence in the DSL (`docs/dsl-spec.md`). It must run: `fabletest run --file drafts/exploit.yaml` should show the attack **succeeding** against the current text. If you cannot express it in moves, either the DSL needs a new action (open a DSL change PR — those are reviewed strictly, the action vocabulary is the engine's attack surface) or the exploit isn't constitutional and belongs elsewhere. ## Step 2 — Minimize Delete moves until removing any one move makes the attack stop working. Minimal scenarios localize blame: the failing rule is adjacent to the last deletable move. Record the unminimized original in the PR description for the historical record. ## Step 3 — Classify Assign exactly one taxonomy family (`docs/attack-taxonomy.md`) by **mechanism**, take the next free id in that family's sequence, and add cross-cutting `tags`. If the exploit genuinely fits no family, that is a taxonomy amendment — a separate PR that adds the family with at least three scenarios, because a family of one is a tag. ## Step 4 — Write the expectation - `expected.verdict` is what the constitution **should** do, not what it currently does. - `blocked_by` names the rule that *ought* to stop it. If no existing rule ought to — the exploit revealed a hole — write the scenario against the rule the companion amendment will introduce, and ship scenario + amendment in the same PR. - Set `worst_off_floor` from the calibration table in `docs/empathy-metric.md`. Justify the number in `empathy.rationale`. Floors below 0.5 need explicit reviewer sign-off. ## Step 5 — Document the precedent Every scenario carries its receipt: the historical event, game-theoretic result, or incident report it encodes, with dates and enough specificity that a stranger can check it. "This could happen" is not a precedent; "this happened, here, then" or "this is dominant-strategy under these payoffs" is. Synthetic baselines say so explicitly. ## Step 6 — Add the legitimacy control Ask: what *healthy* behavior looks most like this attack? If the fix could plausibly block it, add a control scenario (`expected.verdict: succeeds`) in the same PR. Every tightening of the rules pays for itself in a demonstrated preserved freedom. ## Step 7 — Open the PR One PR contains: the scenario(s), the companion amendment if a rule change is needed, and the precedent documentation. CI will show the scenario failing against current text (expected, if there's a hole) and passing with the amendment applied. The amendment then goes through the Milestone #2 ratification gate like any other — the test suite has no power to change the constitution, only to block changes that regress it. ## Step 8 — After merge - Update the corpus counts in `docs/attack-taxonomy.md` if a family grew. - If the exploit was found in self-play, link the self-play episode id. - If it was live, write the post-mortem and link it from the scenario's `precedent` — we are our own incumbent benchmark now. ## Removing or weakening a scenario Almost never. A scenario may be weakened only when the kernel feature it tests was itself lawfully removed by ratified amendment, and even then the scenario is rewritten to assert the new intended behavior, not deleted. Floors may be raised freely; lowering a floor is a `critical`-severity review.