SafeGate v6.2 / Edge Case Test Plan

Test the failure paths before claiming working proof.

v6.2 defines how SafeGate should test invalid, duplicate, delayed, ambiguous, rate-limited, and unsafe verification scenarios.

A trust layer is not serious because the happy path works. It becomes serious when unsafe states fail securely and leave a clean audit trace.

30-Second v6.2 Summary

SafeGate must prove that receipt verification behaves safely when something goes wrong: bad input → no unlock, duplicate attempt → logged, ambiguous payment → fail secure, internal error → no secret leak.

1. Edge Case Test Matrix

Case	Expected Code	Safe Behavior	Audit Event
Missing or malformed receipt ID	400 INVALID_RECEIPT_ID	No unlock. No internal detail.	VERIFY_REJECTED_INVALID_INPUT
Receipt ID not found	404 RECEIPT_NOT_FOUND	No unlock. No ID enumeration hints.	VERIFY_RECEIPT_NOT_FOUND
Wrong amount or mismatched order	409 PAYMENT_MISMATCH	No unlock. Record mismatch.	VERIFY_PAYMENT_MISMATCH
Duplicate verification / replay-like attempt	409 DUPLICATE_OR_REPLAY_ATTEMPT	No new unlock. Existing state preserved.	VERIFY_REPLAY_ATTEMPT
Delayed callback / unsettled state	202 VERIFICATION_PENDING or 503 VERIFICATION_AMBIGUOUS	No unlock until safe confirmation.	VERIFY_PENDING_OR_AMBIGUOUS
Verification API timeout	503 VERIFICATION_AMBIGUOUS	Fail secure. Retry allowed with limits.	VERIFY_TIMEOUT_FAIL_SECURE
Rate limit exceeded	429 RATE_LIMITED	Throttle request. No unlock.	VERIFY_RATE_LIMITED
Unauthorized merchant / future API consumer	401 UNAUTHORIZED_MERCHANT	No record access. No key detail leak.	VERIFY_UNAUTHORIZED
Internal server error	500 INTERNAL_ERROR_SAFE	No stack trace. No secret leak. No unlock.	VERIFY_INTERNAL_ERROR_SAFE

2. Detailed Test Cases

Input validation

INVALID_RECEIPT_ID

Test missing, empty, too short, too long, or malformed receipt IDs.

{
  "input": "",
  "expectedStatus": 400,
  "expectedCode": "INVALID_RECEIPT_ID",
  "safeBehavior": "NO_UNLOCK"
}

Lookup

RECEIPT_NOT_FOUND

Test unknown but well-formed receipt IDs.

{
  "input": "SG-RCPT-UNKNOWN-001",
  "expectedStatus": 404,
  "expectedCode": "RECEIPT_NOT_FOUND",
  "safeBehavior": "NO_UNLOCK"
}

Payment integrity

PAYMENT_MISMATCH

Test wrong amount, wrong order, wrong merchant, or mismatched product context.

{
  "expectedStatus": 409,
  "expectedCode": "PAYMENT_MISMATCH",
  "safeBehavior": "BLOCK_UNLOCK_AND_LOG"
}

Replay protection

DUPLICATE_OR_REPLAY_ATTEMPT

Test repeated verify calls, duplicate payment reference, or suspicious repeated unlock attempts.

{
  "expectedStatus": 409,
  "expectedCode": "DUPLICATE_OR_REPLAY_ATTEMPT",
  "safeBehavior": "PRESERVE_EXISTING_STATE_AND_LOG"
}

Async risk

CALLBACK_DELAYED

Test delayed payment confirmation where receipt exists but final state is not safely confirmed yet.

{
  "expectedStatus": 202,
  "expectedCode": "VERIFICATION_PENDING",
  "safeBehavior": "NO_UNLOCK_UNTIL_FINAL"
}

Fail secure

VERIFICATION_AMBIGUOUS

Test API timeout, ambiguous provider state, or inconsistent backend result.

{
  "expectedStatus": 503,
  "expectedCode": "VERIFICATION_AMBIGUOUS",
  "safeBehavior": "FAIL_SECURE"
}

Abuse control

RATE_LIMITED

Test too many verification attempts from a merchant/API consumer or repeated public abuse pattern.

{
  "expectedStatus": 429,
  "expectedCode": "RATE_LIMITED",
  "safeBehavior": "THROTTLE_AND_LOG"
}

Error safety

INTERNAL_ERROR_SAFE

Test generic safe error response without stack trace, service role, token, database URL, or config leakage.

{
  "expectedStatus": 500,
  "expectedCode": "INTERNAL_ERROR_SAFE",
  "safeBehavior": "NO_SECRET_LEAK_NO_UNLOCK"
}

3. Required Audit Event Envelope

{
  "eventId": "SG-AUDIT-EDGE-MOCK-001",
  "eventType": "VERIFY_REPLAY_ATTEMPT",
  "receiptId": "SG-RCPT-1781465776152",
  "orderId": "TP-DEMO-273551",
  "actorType": "merchant_or_api_consumer",
  "result": "BLOCKED",
  "safeBehavior": "PRESERVE_EXISTING_STATE_AND_LOG",
  "httpStatus": 409,
  "responseCode": "DUPLICATE_OR_REPLAY_ATTEMPT",
  "createdAt": "mock_timestamp",
  "boundaries": {
    "productionPublicApiClaim": false,
    "productionApiKeyIssued": false,
    "backendSecretExposed": false,
    "piMainnetSettlementClaim": false
  }
}

4. Test Acceptance Criteria

Every unsafe or unclear state must avoid access unlock.
Every rejected verification must produce a bounded public-safe response.
Every verification attempt should be represented by a minimal audit event.
Internal implementation details must never leak into public responses.
Duplicate/replay-like behavior must preserve existing state and create an audit-relevant event.
Rate limits must be merchant/API-consumer scoped in future production design, not only IP-based.
Ambiguous payment state must fail secure instead of guessing success.

5. What This Does Not Claim

This is an edge-case test plan, not a completed production security audit. It does not claim that all cases are implemented in production today.

Its purpose is to define what must be tested before SafeGate can make stronger working-proof or production-readiness claims.

6. V6 Progression

v6.0 Audit Trail Planning

Defines the evidence event chain.

Open v6.0 →

v6.1 Endpoint Direction

Defines the first backend-supported receipt verify direction.

Open v6.1 →

v6.2 Edge Case Plan

Defines failure, abuse, replay, ambiguous, and safe error behavior.

v6.3 Evidence Timeline

Next: minimal event/time/result viewer.

7. Public Boundary

SafeGate v6.2 is a public test-plan page. It does not claim a production public API, does not issue real API keys, does not create production merchant accounts, does not expose backend secrets, and does not claim Pi Mainnet settlement proof.

Current evidence remains Pi Testnet controlled post-payment trust flow.