ALEF-PAT-017

tier-permission-mask-mismatch

authorize × permission-tier-not-enforced · severity 8 · confidence 0.90

A tier-restricted resource (e.g., a browser with tier="read") accepts operations beyond its tier because the permission check is made on the action's name, not on the action's effect.

observable signature

{
  "behavior": "API returns ok; observable side-channel shows zero traffic to target"
}

fix archetypes

  • tier-state-in-status · cost: small

    connector status struct includes effective tier; "connected" alone is insufficient
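
The name-keyed check next to an effect-keyed one, plus a status that carries the effective tier, as an added JavaScript example (not ALEF's code). The tier ranks, the action catalogue and all function names are assumptions made for illustration.

```javascript
// Added illustration. Every name here is hypothetical, not ALEF's API.
const TIER_RANK = { read: 0, write: 1, admin: 2 };

// Constructed action catalogue: each action declares the strongest effect it can have.
const ACTIONS = {
  get_page: { effect: "read" },
  screenshot: { effect: "read" },
  get_by_script: { effect: "write" }, // runs script in the page, so it can change state
  click: { effect: "write" },
};

// Weak form: the decision is keyed on what the action is called.
function authorizeByName(connector, action) {
  if (connector.tier !== "read") return true;
  return /^(get|list|screenshot)/.test(action); // "get_by_script" passes on its prefix
}

// Corrected form: the decision is keyed on the declared effect, failing closed.
function authorizeByEffect(connector, action) {
  const spec = ACTIONS[action];
  if (!spec) return false; // unknown action: deny
  const granted = TIER_RANK[connector.tier];
  if (granted === undefined) return false; // unknown tier: deny
  return TIER_RANK[spec.effect] <= granted;
}

// Fix archetype tier-state-in-status: report the effective tier, not only "connected".
function connectorStatus(connector) {
  return { connected: connector.connected, effectiveTier: connector.tier };
}

// Constructed sample: a browser connector restricted to the read tier.
const browser = { name: "browser", tier: "read", connected: true };
for (const action of Object.keys(ACTIONS)) {
  console.log(action, authorizeByName(browser, action), authorizeByEffect(browser, action));
}
console.log(connectorStatus(browser));
```

A regression test for this pattern asserts on the effect-keyed decision and on `effectiveTier` in the status, since `connected: true` is identical for every tier.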

cite as

# In a PR description / issue / RFC:
fixes pattern ALEF-PAT-017 (tier-permission-mask-mismatch)
ref: https://n50.io/patterns/017

# Machine query:
GET https://n50.io/api/patterns/017

# Scan your repo for this pattern:
npx @alef-prime/audit-agent-system . --pattern=017