CHAOS TRIAL HL7BOXY V13 · eose-dev k3s · 4-HOUR SCHEDULE
THE CHAOS TRIAL
IF YOUR STACK CAN'T SURVIVE THE SEGMENTS
IT CAN'T SURVIVE PROD
EVERY CHAOS TEST = A SEGMENT · VERDICT = ADMIT / DENY / WATCH
γ₁ = 14.134725141734693 · Chaos load ceiling: γ₁×6 = 84.8% WPA (BREAK threshold) · Day 97
THE CHAOS TRIAL DOCTRINE
A chaos trial IS a message. The message says: "here is what I threw at your stack, here is what happened."
COI minimum for chaos: MSH (trial identity) + PID (target) + AL1 (allergy limits — what chaos is NOT allowed to do) + DG1 (verdict). These 4 are required. Missing any = STUB trial, not executed.
AL1 is required, not optional. Chaos without boundaries is not a trial. It is sabotage. Every chaos trial must declare what it will NOT do before it runs.
The 4-hour schedule: this trial runs every 4 hours as part of the gate stack heartbeat. Results feed into container dashboard and security helix bonixer verdict.
THE 6 SEGMENTS — CHAOS TRIAL AS HL7 MESSAGE
MSH · TRIAL IDENTITY
REQUIRED · Message Header
Trial ID · Target: eose-dev k3s · Date + γ₁ timestamp · Authorized by (ARB/TRB ref) · Trial version · Gate stack version (v137+)
REQUIRED
PID · TARGET WORKLOAD
REQUIRED · Patient ID
Namespace · Pod selector · Gate being tested (G1..G6) · SOSTLE level of target · GID of workload · Expected blast radius
REQUIRED
OBX · CHAOS OBSERVATIONS
OPTIONAL · Observations
Load injected (req/sec) · Gate latency under load (ms) · Memory pressure (%) · CPU spike (%) · Pass/fail at each load level · Time to recovery
OPTIONAL (raises floor)
AL1 · TRIAL ALLERGIES
REQUIRED · What chaos will NOT do
No L4/L5 wall crossing · No production data access · No persistent volume damage · No cross-namespace escalation · No internet egress from chaos pods · Bounded blast radius (max N pods)
REQUIRED
IN1 · TRIAL LINEAGE
OPTIONAL · Signed Lineage
Authorized by: Kay (GID-FAM-001) · ARB reference · TRB reference · CLO sign-off if L3+ · git commit of chaos spec · Reproduced by (crew member)
OPTIONAL (required for L3+)
DG1 · VERDICT
REQUIRED · Diagnostic Verdict
Did the gate hold? ADMIT = gate survived chaos at ceiling. DENY = gate failed under load. WATCH = degraded but functional. STUB = chaos not executed (AL1 missing).
REQUIRED
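The COI minimum above can be enforced as a check on the trial message. The following is an added example, not code from this page or its project: it returns STUB when MSH, PID, AL1 or DG1 is missing, or when an L3+ target has no IN1. The pipe-delimited layout, the field positions, the sample values, and the treatment of an empty AL1 or unknown DG1 value as STUB are assumptions made for illustration.

```python
# Added example. Field positions are hypothetical: the page names only the segments.
REQUIRED = ("MSH", "PID", "AL1", "DG1")  # the page's COI minimum
VERDICTS = {"ADMIT", "DENY", "WATCH"}

# Constructed sample message; IDs and values are placeholders.
SAMPLE_OK = """\
MSH|trial-0001|eose-dev k3s|day-97|v13
PID|eose-dev|app=demo|G3|L2|GID-EXAMPLE|3
AL1|no-internet-egress|no-pv-damage|max-pods=5
DG1|ADMIT
"""
SAMPLE_NO_AL1 = SAMPLE_OK.replace("AL1|no-internet-egress|no-pv-damage|max-pods=5\n", "")
SAMPLE_L3_NO_IN1 = SAMPLE_OK.replace("|L2|", "|L3|")

def parse_segments(message):
    """Split an HL7-style message into {segment_id: [fields...]}."""
    segments = {}
    for line in message.strip().splitlines():
        fields = [f.strip() for f in line.split("|")]
        if fields[0]:
            segments[fields[0]] = fields[1:]
    return segments

def target_level(segments):
    """SOSTLE level from PID, assumed to sit in field 4 as 'L<n>'."""
    pid = segments.get("PID", [])
    if len(pid) >= 4 and pid[3][:1] == "L" and pid[3][1:].isdigit():
        return int(pid[3][1:])
    return None

def classify(message):
    """Return (verdict, reasons). STUB means the trial is not executed."""
    seg = parse_segments(message)
    reasons = [f"missing required segment {s}" for s in REQUIRED if s not in seg]
    if "AL1" in seg and not any(seg["AL1"]):  # assumption: empty AL1 counts as missing
        reasons.append("AL1 present but declares no limits")
    level = target_level(seg)
    if level is not None and level >= 3 and "IN1" not in seg:
        reasons.append("IN1 lineage required for L3+ target")
    if reasons:
        return "STUB", reasons
    verdict = seg["DG1"][0] if seg["DG1"] else ""
    if verdict not in VERDICTS:  # assumption: unknown verdicts are not trusted
        return "STUB", [f"DG1 verdict {verdict!r} is not ADMIT/DENY/WATCH"]
    return verdict, []

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_NO_AL1", "SAMPLE_L3_NO_IN1"):
        print(name, classify(globals()[name]))
```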
7 CHAOS TESTS — DAY 97 BASELINE VERDICTS
TEST | GATE TARGETED | EXPECTED | DAY 97 BASELINE | VERDICT
FLOOD ADMISSION · 100 pods/sec burst | G2 Gatekeeper · G4 Kyverno | gates hold <100ms | no constraints → gates pass all (no policy) | WATCH · constraints needed
INJECT BAD IMAGE · no digest, no registry | G1 Trivy · G4 Kyverno | Trivy flags CVE · Kyverno denies | Trivy scanning · Kyverno no verify policy yet | WATCH · need Kyverno image verify policy
VIOLATE NETPOL · 0.0.0.0/0 egress attempt | G3 Falco · G2 Gatekeeper | Falco alerts · Gatekeeper blocks if netpol constraint | Falco running · no netpol constraint deployed | WATCH · Falco detects, no block yet
SPIKE SYSCALLS · fork bomb pattern | G3 Falco | Falco rule fires immediately | Falco eBPF running · default rules loaded | ADMIT · Falco detects fork bomb by default
PRIVILEGE ESCALATE · root container attempt | G2 Gatekeeper · G4 Kyverno · G3 Falco | blocked at admission · Falco alerts runtime | no privileged=false constraint deployed yet | WATCH · Falco alerts but admission allows
UNSIGNED IMAGE · no cosign signature | G4 Kyverno · G5 MEROSTONE | Kyverno image verify denies · MEROSTONE EA-69 fires | no image verify policy deployed yet | WATCH · need Kyverno verify policy
WPA STRESS · γ₁×6 = 84.8% load | ALL GATES | all 6 gates respond within SLA under ceiling load | eose-dev node: 32GB RAM, 12 CPU, 8% used → headroom | ADMIT · substantial headroom on eose-dev
4-HOUR SCHEDULE — SET/SET-OPS GATE CHECK
EVERY 4 HOURS — AUTOMATED CHAOS GATE VERIFICATION
:00 · MSH: Build trial identity · γ₁ timestamp · gate stack version check
:01 · PID: Confirm eose-dev k3s targets · all 4 OSS gate pods running check
:02 · AL1: Verify allergy boundaries in place · eose-dev namespace isolation confirmed
:03-:07 · OBX: Run spike-syscalls + flood-admission + wpa-stress · record latency readings
:08 · IN1: Record lineage · git ref · crew authorization
:09 · DG1: Compile verdict · update container dashboard · alert Kay if any DENY
Ongoing · AKS no-limits container count check · FC flush check · GPU pool check (all per HEARTBEAT.md)
DAY 97 SUMMARY VERDICT
5 of 7 tests: WATCH · 2 of 7: ADMIT · 0 of 7: DENY
All 4 OSS gates running. No constraints deployed yet. Next sprint: KCF EA-64 + EA-67 + EA-68 + EA-69 constraint templates → 5 WATCH tests flip to ADMIT.