An audit-ready verification surface for the six Protective Computing principles. This page turns the normative spec into concrete test catalogs, traceable evidence requirements, and a final checklist suitable for release reviews, external audits, and hostile-environment validation.
Normative source: Protective Computing Specification v1.0. Defensibility ledger: MUST Justifications Annex.
| Requirement | How to test |
|---|---|
| **Reversibility** User actions and system changes must be recoverable within documented boundaries; failures must not become permanent harm. | Run destructive-action regression, recovery-window disclosure checks, crash-recovery tests, and adversarial deletion attempts. Verify undo paths, delay windows, and documented irreversibility boundaries. |
| **Exposure Minimization** Collect only essential data, defend it cryptographically, and enforce automatic retention limits. | Audit field justification, storage encryption, TLS posture, retention expiry, logs, and data egress. Confirm every field has a purpose and every disclosure path is bounded. |
| **Local Authority** Essential work must remain possible without continuous server reachability or live re-authentication. | Execute full essential workflows in airplane mode, under expired tokens, and across interrupted sync. Validate local cache integrity, non-blocking sync, and published offline/online parity. |
| **Coercion Resistance** Users must retain confidentiality and integrity under physical, legal, and administrative pressure. | Perform server-side decrypt-failure checks, KDF and passphrase validation, threat-model review, forced-disclosure tabletop exercises, and backdoor hunts. |
| **Degraded Functionality** Core utility must survive constrained bandwidth, power, compute, and input conditions. | Throttle to 2G, constrain memory and CPU, audit keyboard-only flows, test non-essential feature shedding, confirm no media autoload, and run WCAG AA checks. |
| **Essential Utility** Features must serve survival and autonomy, not engagement, extraction, or coercive monetization. | Run feature-justification review, subtraction drills, dark-pattern probes, metric audits, and paywall checks. Confirm essential workflows stay free of manipulative friction. |
Full reference: Reversibility
Accidental deletion, coerced action, panic clicks, crash-driven loss, or misleading flows turn routine mistakes into irreversible harm.
Destructive actions can be undone, recovery windows are visible, permanent deletion is delayed, and the system clearly documents what cannot be recovered.
| Test | Preconditions | Steps | Expected outcome | Evidence to capture | MUST coverage |
|---|---|---|---|---|---|
| REV-A1 (Automated) Destructive action undo regression | Seeded account or fixture data; destructive flows available; online and offline test modes. | Run integration tests for delete, modify, and publish actions. Trigger action, invoke undo, then confirm original state is restored within the documented recovery window. | Every destructive action exposes a working undo path or restore flow; no state corruption or hidden residual damage remains. | CI logs, before/after snapshots, restored record IDs, recovery-window timestamps. | NORM-001, NORM-003 |
| REV-A2 (Automated) Crash and restart recovery | Draft/edit flow available; app restart or browser reload scriptable; optional offline mode. | Begin editing an essential record, interrupt with crash/reload/power-loss simulation, relaunch, then check draft presence and recovery affordance. | Essential work survives interruption or is recoverable through an explicit restoration flow; no silent data discard occurs. | Crash logs, local storage snapshot, relaunch video, recovered draft state. | NORM-001 |
| REV-M1 (Manual) Recovery-window disclosure walkthrough | Device build with production UI; destructive actions reachable from normal navigation. | Walk every delete/archive/reset path. Record the exact warning text, recovery window wording, and whether the time boundary is visible before execution. | Every destructive flow clearly shows the recovery window duration and the consequence of expiry before the action completes. | Screenshots of warnings, screen recording of the flow, UI text inventory. | NORM-004, NORM-005 |
| REV-M2 (Manual) Reversibility boundary review | Published docs or internal transition inventory available; access to all user-triggerable state transitions. | Enumerate create, edit, delete, export, sync, reset, migration, and expiry actions. Mark each as reversible or irreversible, then verify runtime matches the label. | No state transition lacks a reversibility label, and no transition behaves differently from its published classification. | Action inventory, screenshots, before/after state captures, documentation diff. | NORM-006 |
| REV-U1 (Abuse) Coerced rapid-delete attempt | Attacker has brief unlocked-device access; user regains access within recovery window. | Attempt immediate deletion of sensitive records, force close the app, then return to the user account and attempt restoration from local UI or documented recovery path. | Deletion cannot become instantly irreversible; confirmation and delay controls leave the user a realistic recovery path. | Screen recording of attack and restore attempt, deletion timestamps, restore confirmation. | NORM-005, NORM-001 |
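The following is an added example, not code from the Protective Computing spec or any product it covers. It models the store semantics REV-A1, REV-M1 and REV-U1 are checking: a delete is only a tombstone that returns the disclosed recovery deadline, restore works until that deadline and refuses afterwards, and a separate purge sweep is the only path that destroys data. The 30-day default and the timestamps in the two scenario functions are constructed assumptions; the `now` parameter is passed explicitly so the window can be exercised deterministically in CI.

```python
"""Recovery-window model for destructive actions (REV-A1 / REV-M1 / REV-U1).

Added illustration, not the spec's or any project's code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_WINDOW_SECONDS = 30 * 24 * 3600  # assumed 30-day window; must equal the wording the UI discloses


@dataclass
class Record:
    rid: str
    body: str
    deleted_at: Optional[int] = None  # None = live; otherwise tombstoned at this timestamp


class RecoverableStore:
    """delete() tombstones with a disclosed deadline; only purge_expired() destroys data."""

    def __init__(self, window_seconds: int = DEFAULT_WINDOW_SECONDS):
        self.window = window_seconds
        self._records: Dict[str, Record] = {}

    def put(self, rid: str, body: str) -> None:
        self._records[rid] = Record(rid, body)

    def get(self, rid: str) -> Optional[str]:
        rec = self._records.get(rid)
        return rec.body if rec and rec.deleted_at is None else None

    def delete(self, rid: str, now: int) -> int:
        rec = self._records[rid]
        if rec.deleted_at is None:
            rec.deleted_at = now
        # The deadline the UI must show before the action completes (REV-M1).
        return rec.deleted_at + self.window

    def restore(self, rid: str, now: int) -> bool:
        rec = self._records.get(rid)
        if rec is None or rec.deleted_at is None or now > rec.deleted_at + self.window:
            return False  # unknown, not deleted, or past the documented irreversibility boundary
        rec.deleted_at = None
        return True

    def purge_expired(self, now: int) -> List[str]:
        """The only irreversible step; returns the ids it removed for the audit log."""
        expired = [r.rid for r in self._records.values()
                   if r.deleted_at is not None and now > r.deleted_at + self.window]
        for rid in expired:
            del self._records[rid]
        return expired


def undo_regression() -> dict:
    """REV-A1: delete, then restore inside the window, must bring back the original body."""
    s = RecoverableStore(window_seconds=60)
    s.put("r1", "sensitive note")
    deadline = s.delete("r1", now=1000)
    hidden = s.get("r1") is None
    restored = s.restore("r1", now=1030)
    return {"deadline": deadline, "hidden_after_delete": hidden,
            "restored": restored, "body": s.get("r1")}


def coerced_rapid_delete() -> dict:
    """REV-U1: a delete at t=0 and a purge sweep at t=45 must leave a restore path;
    after the deadline, restore fails and purge reports the removal."""
    s = RecoverableStore(window_seconds=60)
    s.put("r1", "x")
    s.delete("r1", now=0)
    early_purge = s.purge_expired(now=45)          # before deadline: nothing removed
    restored_in_window = s.restore("r1", now=45)
    s.delete("r1", now=100)
    restored_after_deadline = s.restore("r1", now=200)
    late_purge = s.purge_expired(now=200)
    return {"early_purge": early_purge, "restored_in_window": restored_in_window,
            "restored_after_deadline": restored_after_deadline, "late_purge": late_purge}
```

The design point is that nothing in the user-facing delete path can reach the destructive branch; purge runs only on tombstones older than the published window, so the runtime classification of each transition (REV-M2) follows directly from whether it goes through `purge_expired`.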
Full reference: Exposure Minimization
Over-collection, plaintext storage, long retention, and undisclosed sharing make breach, subpoena, coercion, and analytics leakage materially worse.
Every field is justified, sensitive values are encrypted, transport is hardened, retention is explicit and automatic, and no third-party disclosure occurs without informed opt-in consent.
| Test | Preconditions | Steps | Expected outcome | Evidence to capture | MUST coverage |
|---|---|---|---|---|---|
| EXP-A1 (Automated) Field-justification ledger gate | Schema definition and versioned field inventory available in repo. | Diff the current schema against the field-justification ledger. Fail CI if any new or existing stored field lacks necessity, sensitivity class, and retention bound. | No persisted field exists without explicit justification and retention metadata. | CI artifact showing schema diff, justification ledger, failing/passing rows. | NORM-007, NORM-010 |
| EXP-A2 (Automated) At-rest encryption and log scan | Access to local storage, database export, and application logs in a test profile containing sensitive data. | Seed sensitive records, export local storage and logs, then search for plaintext values and keys. Validate encryption algorithm and key-handling metadata. | No sensitive values are readable without decryption material; logs do not contain payload data or secrets. | Storage export, grep output, encryption config summary, redacted logs. | NORM-007, NORM-011 |
| EXP-A3 (Automated) TLS and outbound egress audit | Network inspector or proxy capture; endpoint inventory; consent toggles if present. | Run essential workflows, capture outbound requests, scan endpoints for TLS posture, and compare observed egress against documented processor list and consent state. | All traffic is TLS-protected, no plaintext endpoint exists, and no data leaves the system outside declared and consented channels. | Packet capture, TLS scan reports, endpoint list, consent-state matrix. | NORM-012, NORM-014 |
| EXP-M1 (Manual) Retention expiry walkthrough | Test configuration with short retention window; ability to inspect data before and after expiry. | Create records, wait past the configured retention boundary, then verify UI access, search, export, and recovery paths after expiry. | Expired data no longer appears in the UI, exports, or app-level searches, and the retention behavior matches published policy. | Screenshots before and after expiry, retention settings, export attempt results. | NORM-013 |
| EXP-U1 (Abuse) Compromised-device extraction attempt | Attacker has filesystem access to a seized device or backup image. | Attempt to recover records through local DB dumps, crash logs, cached previews, and third-party SDK artifacts without valid user credentials. | Only ciphertext or bounded metadata is accessible; no plaintext payload leakage appears through side channels. | Filesystem snapshot, extracted files, plaintext scan output, screenshots of failed recovery. | NORM-007, NORM-011, NORM-013, NORM-014 |
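The plaintext search in EXP-A2 (and the side-channel sweep in EXP-U1) is easy to get wrong with a bare `grep`: a value that leaks URL-encoded into a crash log, base64 in an SDK cache, or hex in a debug dump will not match its plain form. The scanner below is an added example, not the spec's tooling, that seeds known values into a test profile and checks each exported artifact for every encoding of each value. The seeded values and the four artifact blobs are constructed for the example.

```python
"""EXP-A2 / EXP-U1 style plaintext scan over storage exports and logs.

Added example, not the spec's or any project's code. All fixtures are constructed.
"""
import base64
import urllib.parse
from typing import Dict, List, Tuple

# Constructed values the test profile was seeded with (never real data).
SEEDED_SECRETS: Dict[str, str] = {
    "phone": "+15555550123",
    "note": "meeting at the shelter on friday",
    "api_key": "sk_test_EXAMPLE_KEY_NOT_REAL",
}

# Constructed artifacts standing in for a local DB dump, app log, crash log and SDK cache.
CONSTRUCTED_ARTIFACTS: Dict[str, str] = {
    "local.db.dump": "id=7 body=enc:v1:3b1a9d4c0e (ciphertext only, constructed)",
    "app.log": 'INFO save ok payload={"note": "Meeting at the shelter on Friday"}',
    "crash.log": "GET /sync?phone=" + urllib.parse.quote("+15555550123", safe=""),
    "sdk_cache.bin": "k=" + "sk_test_EXAMPLE_KEY_NOT_REAL".encode().hex(),
}


def encodings(value: str) -> Dict[str, str]:
    """Alternate representations a naive grep for the plain value would miss."""
    raw = value.encode()
    return {
        "base64": base64.b64encode(raw).decode(),
        "urlencoded": urllib.parse.quote(value, safe=""),
        "hex": raw.hex(),
    }


def scan_blob(name: str, blob: str, secrets: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, field, encoding) for every seeded value found in the blob."""
    hits: List[Tuple[str, str, str]] = []
    lowered = blob.lower()
    for field, value in secrets.items():
        if value.lower() in lowered:            # plain form, case-insensitive
            hits.append((name, field, "plain"))
        for enc_name, enc_value in encodings(value).items():
            if enc_value != value and enc_value in blob:  # skip encodings identical to plain
                hits.append((name, field, enc_name))
    return hits


def scan_artifacts(artifacts: Dict[str, str],
                   secrets: Dict[str, str] = SEEDED_SECRETS) -> List[Tuple[str, str, str]]:
    findings: List[Tuple[str, str, str]] = []
    for name, blob in artifacts.items():
        findings.extend(scan_blob(name, blob, secrets))
    return findings


def ci_gate(artifacts: Dict[str, str]) -> bool:
    """True only when no artifact exposes any seeded value in any encoding."""
    return not scan_artifacts(artifacts)
```

Run against the constructed artifacts, the DB dump passes (ciphertext only) while the log, crash log and SDK cache each fail on a different encoding, which is exactly the kind of side-channel finding EXP-U1 is looking for. In a real run, the artifacts dict is populated from the storage export and log files of the test profile.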
Full reference: Local Authority
Users are locked out by outages, account throttling, censorship, captive portals, or server-side policy decisions exactly when they most need the system.
Essential workflows run offline, essential data remains cached locally, sync is asynchronous and non-blocking, offline access does not require live auth, and parity/sync behavior is documented.
| Test | Preconditions | Steps | Expected outcome | Evidence to capture | MUST coverage |
|---|---|---|---|---|---|
| LOC-A1 (Automated) Airplane-mode essential workflow suite | Seeded local dataset; network disabled at OS level; network inspector enabled. | Execute essential create, read, update, and delete flows in airplane mode, including app restart between operations. | All essential workflows complete without server reachability and without emitting outbound traffic or blocking prompts. | CI or device logs, network trace showing zero outbound requests, state snapshots after restart. | NORM-015, NORM-017 |
| LOC-A2 (Automated) Local cache persistence and reload test | Previously synced records on device; ability to force reload while offline. | Disconnect network, edit a record, reload the app, then inspect whether cached records and recent local edits are still accessible. | The user retains a readable, internally consistent local copy with no silent rollback. | Storage snapshot, screenshots before/after reload, offline render proof. | NORM-018 |
| LOC-A3 (Automated) Asynchronous sync under packet loss | Sync-enabled build; simulated latency >= 2000ms and packet loss >= 30%. | Perform several writes while the network is unstable, then reconnect and inspect queue replay, conflict handling, and UI responsiveness. | Writes persist locally immediately, UI remains usable, and reconciliation occurs without duplication, corruption, or lockup. | Queue logs, network trace, conflict-resolution output, before/after record counts. | NORM-019 |
| LOC-M1 (Manual) Offline access without live re-authentication | Cached data on device; server tokens expired or revoked; network disabled. | Close the app, expire credentials, relaunch offline, and attempt access to essential cached records. | Essential cached content remains accessible without requiring live auth or support intervention. | Video walkthrough, expired-token proof, screenshots of accessible cached content. | NORM-020 |
| LOC-M2 (Manual) Parity and sync documentation review | Published offline/online feature matrix and sync documentation available. | Compare the published parity matrix against observed behavior across offline, intermittent, and online states, including conflict resolution. | Feature parity and sync semantics are accurately documented, with no undocumented exposure or behavior differences. | Documentation snapshot, comparison notes, screenshots of each mode. | NORM-021 |
| LOC-U1 (Abuse) Account lockout or censorship scenario | User account is throttled, region-blocked, or identity provider is unavailable; device remains in user possession. | Simulate server-side lockout, then attempt essential local operations and data access entirely offline. | Server-side denial does not remove the user's local authority over essential data and workflows. | Lockout logs, offline screenshots, attempted server calls, local export artifacts. | NORM-015, NORM-017, NORM-020 |
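LOC-A3's "no duplication" condition is the one most often missed: under packet loss the server may apply a write and then lose the acknowledgement, so a client that simply retries will create duplicates unless each queued write carries an idempotency key. The model below is an added example, not the spec's or any project's sync code. Writes land in the local store before any network activity (LOC-A1/LOC-A2), go into an outbox, and are replayed with retries against a simulated server that drops acknowledgements on chosen call numbers; the `FlakyServer` class and the drop pattern are constructed for the example.

```python
"""LOC-A3 style local-first outbox with idempotent replay under lost acknowledgements.

Added example, not the spec's or any project's code.
"""
import uuid
from typing import Dict, List, Set, Tuple


class FlakyServer:
    """Constructed remote: applies writes, but raises (ack lost) on the call numbers in drop_acks."""

    def __init__(self, drop_acks: Set[int]):
        self.drop_acks = set(drop_acks)
        self.calls = 0
        self.applied: Dict[str, str] = {}   # idempotency key -> body actually applied
        self.records: Dict[str, str] = {}   # server-side record state

    def write(self, key: str, rid: str, body: str) -> str:
        self.calls += 1
        if key not in self.applied:         # a retried key is never applied twice
            self.applied[key] = body
            self.records[rid] = body
        if self.calls in self.drop_acks:
            raise ConnectionError("ack lost")  # server applied it; client never learns
        return "ok"


class LocalFirstClient:
    def __init__(self) -> None:
        self.local: Dict[str, str] = {}
        self.outbox: List[Tuple[str, str, str]] = []  # (idempotency_key, rid, body)

    def write(self, rid: str, body: str) -> None:
        # Local authority: the local copy is committed before any network activity.
        self.local[rid] = body
        self.outbox.append((str(uuid.uuid4()), rid, body))

    def sync(self, server: FlakyServer, max_attempts: int = 5) -> bool:
        """Replay the outbox in order; keep it intact if a write keeps failing."""
        while self.outbox:
            key, rid, body = self.outbox[0]
            for _ in range(max_attempts):
                try:
                    server.write(key, rid, body)
                    break
                except ConnectionError:
                    continue
            else:
                return False  # still unreachable; outbox and local state are untouched
            self.outbox.pop(0)
        return True


def packet_loss_scenario() -> dict:
    """Three local writes, then a sync where acks for calls 1, 2 and 4 are lost."""
    client = LocalFirstClient()
    server = FlakyServer(drop_acks={1, 2, 4})
    client.write("r1", "v1")
    client.write("r1", "v2")        # second edit of the same record
    client.write("r2", "hello")
    local_before = dict(client.local)
    synced = client.sync(server)
    return {
        "synced": synced,
        "local_unchanged": client.local == local_before,
        "server_records": dict(server.records),
        "server_applied_count": len(server.applied),
        "network_calls": server.calls,
        "outbox_empty": not client.outbox,
    }
```

In the scenario the server sees six calls for three writes, but applies each exactly once and ends with the same state the client holds locally; the idempotency key, not retry discipline, is what makes that true. Removing the `key not in self.applied` check reproduces the duplication failure LOC-A3 is designed to catch.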
Full reference: Coercion Resistance
Forced unlock, legal compulsion, device seizure, insider access, or master-key architectures convert a protective system into a disclosure mechanism.
Server operators cannot decrypt user content, user-held secrets remain required, passphrases are strong, KDFs are slow, no administrative backdoor exists, and the threat model says what the system cannot protect.
| Test | Preconditions | Steps | Expected outcome | Evidence to capture | MUST coverage |
|---|---|---|---|---|---|
| COE-A1 (Automated) Server-side decrypt failure | Encrypted data on server or backup; admin credentials only; no user secret material. | Attempt to decrypt or export readable user content from server-side storage using operator privileges alone. | Only ciphertext or bounded metadata is obtainable; plaintext remains inaccessible without user-held secrets. | Server export artifact, failed decrypt logs, ciphertext samples, admin-only access transcript. | NORM-022, NORM-023 |
| COE-A2 (Automated) Passphrase policy and cracking resistance | Credential policy visible in code or runtime; test ciphertext or backup available. | Validate passphrase rules, generate policy-minimum examples, and run controlled cracking attempts against encrypted fixtures. | Weak passphrases are rejected or flagged; minimum accepted passphrases remain infeasible to recover in controlled attack windows. | Policy screenshots, cracking benchmark output, accepted/rejected credential logs. | NORM-024 |
| COE-A3 (Automated) KDF and backdoor regression | Source or binary inspection access; key derivation configuration; recovery flows accessible. | Search for hard-coded keys, master secrets, legacy KDFs, privileged decryption endpoints, and recovery flows that bypass user-bound secrets. | No administrative backdoor or master key exists; only approved slow KDFs are allowed in build or runtime configuration. | Static scan report, config dump, API inventory, failed privileged decryption attempts. | NORM-025, NORM-026 |
| COE-M1 (Manual) Threat-model disclosure review | Public threat model, privacy claims, or product security documentation available. | Read the declared coercion boundary, then compare it against storage, export, cache, and support behavior observed in the product. | The product does not over-claim. Documentation clearly states what an attacker can and cannot extract. | Threat-model excerpt, screenshots of claims, observed behavior notes. | NORM-027 |
| COE-U1 (Abuse) Forced-unlock tabletop | Attacker gains temporary physical control of an unlocked device; user cannot refuse interaction. | Walk through shoulder-surf, forced export, and forced navigation to sensitive history while capturing what the UI, exports, and cached views reveal. | The system's protective boundary is explicit, bounded, and consistent with documented coercion claims; no surprise disclosure channels appear. | Screen recording, exported files, cached preview inspection, disclosure matrix. | NORM-022, NORM-027 |
| COE-U2 (Abuse) Compelled operator disclosure attempt | Operator has DB access, admin console access, and legal demand scenario assumptions. | Attempt to satisfy a disclosure request using operator access only, including backups, support tooling, and admin exports. | Operator can provide only the limited data classes explicitly allowed by architecture, never hidden plaintext or universal decrypt capability. | Support export screenshots, admin console output, backup sample, disclosure classification notes. | NORM-023, NORM-026 |
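The configuration half of COE-A3, together with the policy half of COE-A2, can be expressed as a CI gate. The script below is an added example, not the spec's or any project's code: it checks a build's key-derivation configuration against an allow-list of slow KDFs with minimum parameters, flags any operator-held key material present in the config (which by definition is not a user-held secret), and applies a minimum passphrase policy. The approved KDF set, the parameter floors, the denylist and the three sample configs are constructed assumptions; a real gate pins the floors to the project's own threat model.

```python
"""COE-A2 / COE-A3 style KDF configuration and passphrase policy gate.

Added example, not the spec's or any project's code. Floors and fixtures are constructed.
"""
from typing import Dict, List

# Assumed minimum parameters per approved slow KDF (constructed for the example).
APPROVED_KDFS: Dict[str, Dict[str, int]] = {
    "argon2id": {"memory_kib": 64 * 1024, "iterations": 3, "parallelism": 1},
    "scrypt": {"n": 2 ** 17, "r": 8, "p": 1},
    "pbkdf2-sha256": {"iterations": 600_000},
}
# Fast hashes sometimes found in legacy configs; these are not KDFs at all.
DISALLOWED_KDFS = {"md5", "sha1", "sha256", "pbkdf1", "none"}
# Any key living in the config is operator-held and therefore a decryption path without the user.
OPERATOR_KEY_FIELDS = ("master_key", "recovery_key", "escrow_key")
# Constructed stand-in for a real breached-password denylist.
COMMON_PASSPHRASES = {"password1234", "letmein12345", "123456789012"}


def check_kdf_config(cfg: Dict) -> List[str]:
    """Return findings; an empty list means the configuration passes."""
    findings: List[str] = []
    kdf = str(cfg.get("kdf", "none")).lower()
    if kdf in DISALLOWED_KDFS or kdf not in APPROVED_KDFS:
        findings.append(f"kdf '{kdf}' is not an approved slow KDF")
        return findings  # parameters are meaningless for a disallowed KDF
    for param, floor in APPROVED_KDFS[kdf].items():
        actual = cfg.get(param)
        if actual is None:
            findings.append(f"{kdf}: missing parameter '{param}'")
        elif actual < floor:
            findings.append(f"{kdf}: {param}={actual} below floor {floor}")
    if cfg.get("salt_bytes", 0) < 16:
        findings.append("salt shorter than 16 bytes")
    for field in OPERATOR_KEY_FIELDS:
        if field in cfg:
            findings.append(f"config contains operator-held secret '{field}'")
    return findings


def check_passphrase(pw: str, min_len: int = 12) -> List[str]:
    """Policy-minimum check for COE-A2; returns findings, empty when accepted."""
    findings: List[str] = []
    if len(pw) < min_len:
        findings.append(f"length {len(pw)} below minimum {min_len}")
    if pw.lower() in COMMON_PASSPHRASES:
        findings.append("passphrase is on the common-password denylist")
    if len(set(pw)) < 4:
        findings.append("too few distinct characters")
    return findings


# Constructed sample configurations.
GOOD_CONFIG = {"kdf": "argon2id", "memory_kib": 65536, "iterations": 3,
               "parallelism": 1, "salt_bytes": 16}
WEAK_CONFIG = {"kdf": "PBKDF2-SHA256", "iterations": 10_000, "salt_bytes": 8,
               "master_key": "PLACEHOLDER-NOT-A-REAL-KEY"}
LEGACY_CONFIG = {"kdf": "sha256", "iterations": 1}
```

`WEAK_CONFIG` produces three findings (iteration floor, short salt, operator-held key) and `LEGACY_CONFIG` one; the presence of `master_key` is the finding that maps to NORM-025/026, since a key the operator holds is a decrypt capability that does not depend on the user.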
Full reference: Degraded Functionality
Critical workflows fail on weak links, old devices, keyboard-only input, screen readers, or battery-constrained conditions, effectively excluding vulnerable users.
The baseline path works on 2G, low-memory devices, and keyboard-only or assistive contexts; non-essential features degrade first; media never autoloads.
| Test | Preconditions | Steps | Expected outcome | Evidence to capture | MUST coverage |
|---|---|---|---|---|---|
| DEG-A1 (Automated) Constrained-resource regression suite | Browser/device emulation with CPU throttling, latency, and reduced-memory profiles. | Run the essential workflow suite under constrained network, CPU, and memory settings, confirming non-critical features degrade first. | Essential workflows remain usable without sync-required prompts or hard failures; feature shedding is predictable and documented. | CI performance logs, throttling profiles, workflow completion output, degraded-mode screenshots. | NORM-028, NORM-032 |
| DEG-A2 (Automated) 2G payload budget check | Performance harness able to measure initial HTML and first interaction on simulated 2G. | Throttle to 2G, load the baseline path, record initial HTML size and first usable interaction time, and fail the build if the declared budget is exceeded. | The baseline path stays within the initial payload budget and remains functionally usable on 2G. | HAR file, payload report, Lighthouse or equivalent budget artifact. | NORM-029 |
| DEG-A3 (Automated) No media autoload trace | Network inspector enabled; pages containing media or attachments reachable. | Load the app and navigate baseline flows without explicitly requesting media. Inspect network traffic for image, audio, or video fetches. | No media is requested until explicit user action occurs. | HAR trace, network waterfall, UI recording of no-click navigation. | NORM-033 |
| DEG-M1 (Manual) Low-memory device walkthrough | Older or emulated device with less than 512MB RAM target profile. | Complete the baseline critical workflow while monitoring crashes, jank, and memory pressure behavior. | Core tasks finish without crashes or unusable slowdown on the target RAM floor. | Device profile, screen recording, memory graph, crash logs. | NORM-030 |
| DEG-M2 (Manual) Keyboard-only workflow walkthrough | No mouse or touch input; focus indicators visible; critical flows identified. | Navigate all critical flows using keyboard only, including complex widgets such as date pickers, charts, modals, and exports. | Every interactive control is reachable and usable without a pointer; focus order remains logical throughout. | Screen recording with keypress overlay, focus-order notes, blocked-control screenshots. | NORM-031 |
| DEG-M3 (Manual) WCAG AA and screen reader audit | Assistive tech enabled; contrast tooling available; essential flows defined. | Run contrast, semantics, ARIA, labels, announcements, and screen-reader walkthroughs across all essential workflows. | Critical workflows satisfy WCAG 2.1 AA requirements and remain understandable and operable with assistive technology. | Accessibility audit report, screen-reader transcript, contrast screenshots, remediation notes. | NORM-034 |
| DEG-U1 (Abuse) Resource-shock and hostile-network test | High latency, CPU throttling, low battery mode, and intermittent connectivity active. | Force the system into constrained conditions mid-workflow and observe whether it drops non-essential features first or collapses the essential path. | The product degrades gracefully, preserving the critical path rather than failing wholesale. | Video, performance timeline, network trace, degraded-mode state comparison. | NORM-028, NORM-032 |
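Both DEG-A2 and DEG-A3 list a HAR file as evidence, and both checks can run on that one capture. The audit below is an added example, not the spec's tooling: it reads a HAR document (the standard `log.entries` layout with `startedDateTime`, `request.url` and `response.content.mimeType`/`size`), reports any image, audio or video response fetched before the first recorded user interaction, and measures the initial HTML document against a declared budget. The four-entry HAR, the first-interaction timestamp and the 14 KiB budget figure are constructed assumptions; a real run substitutes the project's own budget and a timestamp taken from the test driver.

```python
"""DEG-A2 / DEG-A3 style HAR audit: initial payload budget and no-autoload of media.

Added example, not the spec's or any project's code. The HAR below is constructed.
"""
import json
from datetime import datetime
from typing import List, Optional

MEDIA_PREFIXES = ("image/", "audio/", "video/")
INITIAL_HTML_BUDGET_BYTES = 14 * 1024  # assumed budget; use the project's declared figure

CONSTRUCTED_HAR = json.dumps({"log": {"entries": [
    {"startedDateTime": "2024-01-01T00:00:00.000Z",
     "request": {"url": "https://app.example/", "method": "GET"},
     "response": {"status": 200, "content": {"size": 9800, "mimeType": "text/html"}}},
    {"startedDateTime": "2024-01-01T00:00:00.200Z",
     "request": {"url": "https://app.example/app.css", "method": "GET"},
     "response": {"status": 200, "content": {"size": 3000, "mimeType": "text/css"}}},
    {"startedDateTime": "2024-01-01T00:00:00.400Z",
     "request": {"url": "https://app.example/hero.jpg", "method": "GET"},
     "response": {"status": 200, "content": {"size": 240000, "mimeType": "image/jpeg"}}},
    {"startedDateTime": "2024-01-01T00:00:05.000Z",
     "request": {"url": "https://app.example/attachment.mp4", "method": "GET"},
     "response": {"status": 200, "content": {"size": 5_000_000, "mimeType": "video/mp4"}}},
]}})


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")


def autoloaded_media(har_text: str, first_interaction: str) -> List[str]:
    """URLs of media responses that started before the first user interaction (DEG-A3)."""
    t0 = parse_time(first_interaction)
    entries = json.loads(har_text)["log"]["entries"]
    return [e["request"]["url"] for e in entries
            if e["response"]["content"].get("mimeType", "").startswith(MEDIA_PREFIXES)
            and parse_time(e["startedDateTime"]) < t0]


def initial_document_size(har_text: str) -> Optional[int]:
    """Content size of the earliest text/html response, the 'initial HTML' of DEG-A2."""
    entries = json.loads(har_text)["log"]["entries"]
    for e in sorted(entries, key=lambda e: parse_time(e["startedDateTime"])):
        if e["response"]["content"].get("mimeType", "").startswith("text/html"):
            return e["response"]["content"]["size"]
    return None


def audit(har_text: str, first_interaction: str,
          budget: int = INITIAL_HTML_BUDGET_BYTES) -> dict:
    media = autoloaded_media(har_text, first_interaction)
    html = initial_document_size(har_text)
    within = html is not None and html <= budget
    return {"autoloaded_media": media, "initial_html_bytes": html,
            "within_budget": within, "passed": within and not media}
```

With the constructed capture and a first interaction at two seconds, the HTML passes its budget but the hero image is flagged because it was fetched at 0.4 s without any user action; the video at 5 s is not flagged because it follows the interaction. A build gate would fail on `passed` being false and attach the returned dict to the audit packet.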
Full reference: Essential Utility
Engagement, monetization, and product-growth incentives displace survival-critical outcomes, creating manipulative friction and paywalled safety.
Every feature is tied to an essential use case or protective need, dark patterns are absent, addictive mechanics are excluded, success metrics follow user outcomes, and essential features are never paywalled.
| Test | Preconditions | Steps | Expected outcome | Evidence to capture | MUST coverage |
|---|---|---|---|---|---|
| ESS-A1 (Automated) Feature-justification ledger gate | Versioned feature inventory and essential workflow ledger available. | Diff the current feature inventory against the justification ledger and fail if any feature lacks linkage to an essential workflow, protective requirement, or accessibility/safety obligation. | No shipped feature exists without an explicit reason tied to user survival, autonomy, or accessibility. | CI diff artifact, feature matrix, missing-link report. | NORM-035, NORM-037 |
| ESS-A2 (Automated) Gamification and addictive mechanic scan | UI copy inventory, notification catalog, analytics config, feature flags. | Search runtime copy, config, and notification templates for streaks, variable rewards, leaderboards, FOMO nudges, and manipulative retention prompts. | No addictive mechanic or engagement-maximizing loop appears in the shipped product, nor in dormant feature flags that target essential flows. | Static scan output, copy inventory, notification diff, feature-flag report. | NORM-039 |
| ESS-A3 (Automated) Metric inventory and decision-basis review | Access to product metrics, analytics dashboards, roadmap or PRD artifacts from recent releases. | Classify all primary and secondary metrics as outcome, engagement, or mixed; verify essential workflows have outcome metrics and roadmap decisions are justified by those outcomes. | Primary success metrics are outcome-based; engagement metrics are secondary and not used to justify essential-path changes. | Metric inventory, dashboard screenshots, PRD excerpts, decision trace notes. | NORM-040 |
| ESS-M1 (Manual) Feature subtraction walkthrough | Feature flags or disable paths available; essential workflows enumerated. | Disable or hide the top non-essential candidate features, then re-run essential workflows to confirm utility and integrity remain intact. | Removing non-essential features does not harm the essential path, proving the product surface is utility-first rather than feature-accumulative. | Before/after screenshots, workflow results, disabled-feature list, subtraction notes. | NORM-035, NORM-037 |
| ESS-M2 (Manual) Essential free-tier paywall check | Fresh free-tier account or unpaid user state; essential workflow list defined. | Complete every essential workflow as an unpaid user and attempt deep links directly into critical routes to detect hidden gating. | No essential feature is paywalled, rate-limited to unusability, or blocked by entitlement checks. | Screen recording, entitlement matrix, API responses, blocked-route screenshots if any. | NORM-041 |
| ESS-U1 (Abuse) Dark-pattern adversarial probe | Attacker/product-growth perspective; access to onboarding, cancellation, export, deletion, and notification flows. | Attempt to coerce the user into continuing, sharing, paying, or disclosing more through deceptive defaults, misleading confirmation copy, or manipulative urgency. | No deceptive friction, bait notifications, misleading confirmations, or forced-continuity tactics appear in essential workflows. | Screenshots of every prompt, notification samples, flow notes, UX review log. | NORM-038 |
This matrix is the cross-check that each normative MUST or MUST NOT in the v1.0 spec maps to at least one concrete test on this page.
| Spec MUST IDs | Mapped tests | Coverage note |
|---|---|---|
| NORM-001, NORM-003, NORM-004, NORM-005, NORM-006 | REV-A1, REV-A2, REV-M1, REV-M2, REV-U1 | Reversibility coverage includes undo paths, recovery windows, delayed deletion, and published reversibility boundaries. |
| NORM-007, NORM-010, NORM-011, NORM-012, NORM-013, NORM-014 | EXP-A1, EXP-A2, EXP-A3, EXP-M1, EXP-U1 | Exposure coverage includes field necessity, crypto at rest, TLS in transit, retention expiry, and undisclosed sharing checks. |
| NORM-015, NORM-017, NORM-018, NORM-019, NORM-020, NORM-021 | LOC-A1, LOC-A2, LOC-A3, LOC-M1, LOC-M2, LOC-U1 | Local-authority coverage includes offline operation, local cache integrity, async sync, offline access without auth, and documented parity. |
| NORM-022, NORM-023, NORM-024, NORM-025, NORM-026, NORM-027 | COE-A1, COE-A2, COE-A3, COE-M1, COE-U1, COE-U2 | Coercion coverage includes zero-knowledge boundaries, passphrase and KDF quality, no backdoors, and truthful threat-model disclosure. |
| NORM-028, NORM-029, NORM-030, NORM-031, NORM-032, NORM-033, NORM-034 | DEG-A1, DEG-A2, DEG-A3, DEG-M1, DEG-M2, DEG-M3, DEG-U1 | Degraded-mode coverage includes constrained networks, low memory, keyboard-only operation, media loading, and WCAG AA accessibility. |
| NORM-035, NORM-037, NORM-038, NORM-039, NORM-040, NORM-041 | ESS-A1, ESS-A2, ESS-A3, ESS-M1, ESS-M2, ESS-U1 | Essential-utility coverage includes feature justification, anti-dark-pattern review, anti-addiction review, metric discipline, and paywall checks. |
| NORM-042 | GOV-01 | Global compliance declaration is verified in the final audit-ready checklist below. |
Use this section as the final release or independent-review signoff sheet. Mark each item only when the evidence artifact exists and is attached to the audit packet.
| Test | Preconditions | Steps | Expected outcome | Evidence to capture | MUST coverage |
|---|---|---|---|---|---|
| GOV-01 (Manual) Compliance declaration review | Published compliance claim or release notes available; per-principle levels documented. | Verify the system declares a level for each principle and that overall compliance resolves to the weakest principle rather than an average or marketing summary. | Claims are explicit, complete, and do not conceal the weakest principle. | Compliance matrix screenshot, release note excerpt, final audit summary. | NORM-042 |