ALEF-PAT-017
tier-permission-mask-mismatch
authorize × permission-tier-not-enforced · severity 8 · confidence 0.90
A tier-restricted resource (e.g., browser tier="read") accepts operations beyond its tier because the permission check is made on the action name, not on the action's effect.
observable signature
{
  "behavior": "API returns ok; observable side-channel shows zero traffic to target"
}
fix archetypes
- tier-state-in-status · cost: small
connector status struct includes effective tier; "connected" alone is insufficient
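
The name-based check described above next to an effect-based one, together with the tier-state-in-status fix, as an added example (not ALEF's or any connector's own code). The action names, effect labels and every function name are assumptions made for illustration.

```javascript
// Added example: every identifier here is hypothetical, not from a real connector.
// Effects each tier is allowed to cause on the target.
const TIER_EFFECTS = new Map([
  ["read", new Set(["read"])],
  ["write", new Set(["read", "write"])],
]);

// Each action declares what it can do to the target, whatever it is called.
const ACTIONS = new Map([
  ["get_text", ["read"]],
  ["screenshot", ["read"]],
  ["evaluate", ["read", "write"]], // read-sounding name, but can mutate the page
  ["click", ["write"]],
]);

// Flawed check (the pattern): decides from the action name alone.
const READ_LOOKING = /^(get_|screenshot$|evaluate$)/;
function authorizeByName(tier, action) {
  return tier === "write" || READ_LOOKING.test(action);
}

// Effect-based check: every declared effect must be permitted by the tier.
// Unknown tiers and unknown actions are denied.
function authorizeByEffect(tier, action) {
  const allowed = TIER_EFFECTS.get(tier);
  const effects = ACTIONS.get(action);
  if (!allowed || !effects) return false;
  return effects.every((e) => allowed.has(e));
}

// Fix archetype tier-state-in-status: report the effective tier, not only "connected".
function connectorStatus(connected, tier) {
  return { connected, effectiveTier: connected ? tier : null };
}

// Audit helper: actions on which the two checks disagree for a given tier.
function mismatches(tier) {
  return [...ACTIONS.keys()].filter(
    (a) => authorizeByName(tier, a) !== authorizeByEffect(tier, a)
  );
}

console.log(mismatches("read"), connectorStatus(true, "read"));
```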
cite as
# In a PR description / issue / RFC:
fixes pattern ALEF-PAT-017 (tier-permission-mask-mismatch)
ref: https://n50.io/patterns/017

# Machine query:
GET https://n50.io/api/patterns/017

# Scan your repo for this pattern:
npx @alef-prime/audit-agent-system . --pattern=017