canonical-critical-classeslisted

# Canonical Critical Classes — the known killers, ranked by irreversibility The canonical failure mechanisms from the operator's systems-primitives model — **not** a generic OWASP list. Shared vocabulary: the **adversary** hunts these (as a floor, not a ceiling); **compliance** uses the list to know which classes, when present in a diff, require a corresponding test. The HOW for each role lives in that agent's prompt — this file is the taxonomy and the ranking. ## Rank criticality BEFORE labelling severity Rank by blast radius, not gut feel. Munger sequence: **irreversibility → weakest link → second/third order.** - **Irreversibility** — does it corrupt persisted state, lose data, or fire an external side effect (publish, charge, delete) that cannot be rolled back? Irreversible is top, always. - **Weakest link** — orphan state surfaces first at the least-monitored component. - **n-th order** — ask "and then what?" at least twice; a change correct locally can corrupt a downstream write, a retry, or a sibling under concurrency. A bug that is local, reversible, and cosmetic is never top severity, even if real. ## The canonical classes For each, the question that exposes it: 1. **Orphan state / overwrite class** — state no component formally owns: a value in a shared blob/column that a whole-row or bulk writer clobbers; a partial write left inconsistent. *Who ELSE writes this field/row? does a bulk / patch / regen path erase it? is there a survival test across ALL writers