BUG MATURATION FRAMEWORK

§ 01 · THE 5-LAYER STATE MACHINE

Layer	Name	Definition	Detection Methods	Legal Exposure
L1	CORRECTNESS Does it work alone?	Isolated function fails to produce correct output under normal conditions. Deterministic and reproducible in isolation.	Unit tests · Linters · Type checks · Code review	None
L2	EFFICIENCY Does it work at load?	Correct at single request; fails or degrades under realistic load. Resource exhaustion, timeout, or SLA-breach territory.	Load tests · Perf profiling · Benchmarks · Capacity planning	SLA BREACH RISK
L3	CONCURRENCY Does it hold when many fire?	Passes L1 and L2; breaks when concurrent users trigger race conditions, shared state corruption, or ordering violations.	Cascade tests · Race fuzzing · Concurrency harnesses · Thread sanitizers	INDIVIDUAL HARM PROVABLE
L4	COMPOSITION Does A+B still hold?	Module A passes all layers. Module B passes all layers. A+B composes into systemic failure. Emergent from interaction, not from components.	Integration tests · Composition fuzzing · End-to-end scenarios · Contract testing	SYSTEMIC FAILURE PROVABLE
L5	LIABILITY EMERGENCE Does failure become collective harm?	A pattern of failures aggregates across the user base. Coherence, volume, velocity, and damage thresholds cross simultaneously. No longer engineering — a legal event.	Pattern detection · Damage aggregation · Germination scoring · Legal monitoring	CLASS ACTION · REGULATORY

§ 02 · GRADUATION PROBABILITY

Most L1 bugs die at L1. Bugs carrying these risk factors have measurably higher graduation probability — the likelihood they escalate from isolated defect to collective harm.

monetary_path→0.90Touches money or financial transactions. Errors compound; recovery requires audit trail. Regulators pay attention.
silent_failure→0.85Fails without surfacing errors. Damage accumulates invisibly before detection. Discovery lag maximizes affected population.
shared_state→0.80Uses global or shared mutable state. One user action can corrupt another data. Natural L3 accelerant.
cumulative_effect→0.75Damage accumulates over time. Single occurrences may be ignorable; the aggregate is not. Threshold-crossing behavior.
user_data→0.70Touches PII or user records. GDPR, HIPAA, CCPA exposure. Privacy violations scale well as class actions.
external_dependency→0.60Depends on third-party systems. Failure modes outside your control. Vendor outage becomes systemic exposure.
async_operation→0.60Involves async or concurrent code. Race conditions latent. Load required to trigger. Invisible in unit tests.
recovery_required→0.50Needs manual intervention to fix. Operational burden concentrates during incident. Human error in recovery compounds.
undocumented→0.40Not in spec or contract. Edge case may contradict implicit promises. Discovery can reframe as intentional.
edge_case→0.30Only triggers in rare conditions. Low base rate — but if conditions shared across users, rare becomes systematic.

COMPOUND GRADUATION EXAMPLE

A bug with: shared_state + monetary_path + silent_failure

graduation_potential ≈ 0.997

Almost certain to reach L5 if not caught early.
Combination of highest-weight factors creates near-certain graduation path.

§ 03 · THE GERMINATION SCORE

From the CA Bonsai framework. When does a pattern of individual failures cross the threshold from operational problem to class action organism?

germination_score =
  0.25 × volume_score    — case count vs threshold
  0.20 × coherence_score — how similar are the cases
  0.20 × velocity_score   — cases per week
  0.20 × damage_score    — documented damages / $100k
  0.15 × viability_score — attorney interest

◆ germination_score > 0.7 → HARVEST CONDITION

30

Patients = Germination Threshold

5+/wk

Velocity Alarm

60%

Documented = Filing Viable

#20

Cheque = Class Action (RHAE 156%)

§ 04 · THE MASTER EQUATION

BugRisk(bug, t) =
  severity(bug, t)
  × graduation_potential(bug)
  × affected_population(bug, t)
  × cumulative_damages(bug, t)
  × time_pressure(bug, t)

LiabilityExposure(system) = Σ over all bugs:
  BugRisk(bug) × layer_weight

Layer Weights

L51.00

L40.60

L30.30

L20.10

L10.02

This single number — LiabilityExposure(system) — is what legal and executive leadership needs to see. Not a bug count. Not a severity score. The monetized graduation-weighted total exposure.

§ 05 · DOMAIN-SPECIFIC DETECTION

Solidity / Smart Contracts

L1 Reentrancy, overflow, access control missing
L2 Gas griefing, DoS loops
L3 Cross-function reentrancy, oracle manipulation, flash loans
L4 Cross-contract invariants, composability attacks
L5 Systemic protocol risk, cascading liquidation, aggregated user loss

Rain Cheque Pipeline (CA Bonsai)

L1 Incorrect denial logic
L2 Batch timeout on claim volume
L3 Simultaneous patient match → threshold breach
L4 AP engine + eligibility engine compose → double denial
L5 30+ coherent denials → germination → class action

AP Engine

L1 Calculation error, rounding
L2 Batch overflow, memory on large invoice
L3 Duplicate payment race condition, simultaneous approval conflict
L4 Reconciliation breakdown across modules
L5 Systematic overpayment, undetected duplicate payments

§ 06 · KILL SHOTS

01

The bug does not disappear at scale — it gets dressed for court.

02

The harness only tests L1. The real world runs at L3.

03

Some rain cheques are not deferred work. They are dormant class-action organisms.

§ 07 · BONSAI VISUALIZATION MAP

Bonsai geometry encodes bug maturation state. The tree is a living liability instrument.

🌿Tips / Leaves→ L1 bugs (many, small, green) — correctness failures, isolated

🌼Flowers→ L2 bugs (yellow, load-sensitive) — efficiency failures under stress

🟠Branches (orange)→ L3 bugs (concurrency risk) — race conditions, ordering violations

🔴Branches (red)→ L4 bugs (composition failure) — emergent systemic harm

⚡Trunk base (glow)→ L5 bugs (harvest ready) — the lawsuit is forming

Pulsing = graduation_potential. Higher potential = faster pulse.

◆ VIEW CA BONSAI MASTER