All 48 scenarios.

Required minimum fields for a usable audit trail:
timestamp, tenant, actor_uid, tool, decision.
Missing any of these makes later reconstruction impossible.

An attempted policy violation creates an audit entry. Silent drops
make attack investigation impossible — you know something happened
only if the attacker's own tool shows a failure, which is not the
same thing.

A denial row with no reason is a mystery. Runners must populate the
reason field with at least a short category (e.g. scope_missing,
tool_not_allowed, rate_limited). We assert presence, not text.

PreToolUse + PostToolUse audit entries for the same underlying tool
invocation must share a trace_id so operators can correlate intent
with outcome. Without this, "tool was attempted" and "tool was
executed" appear as separate events with no linkage.

A common audit failure mode: runtime errors during governance skip
the audit write. The observable outcome is "nothing in the log" —
indistinguishable from "nothing happened." Every tool-call attempt
must produce exactly one audit entry, whether allowed, denied, or
errored.

The runner must complete setup / actions / teardown without internal
errors. A governance product that throws uncaught exceptions under
normal load has deeper reliability issues.

Tenant A sets a restrictive policy on read_file. Tenant B has no
such policy. Bob in tenant B calls read_file — must succeed under
tenant B's (permissive) policy. Policy cross-contamination is a
common bug in multi-tenant caches keyed incorrectly.

Both tenants make calls. Audit entries must be per-tenant with
correct tenant attribution. A shared audit collector that mis-tags
entries creates the worst kind of incident-response confusion.

Alice is a user in tenant A. She sends a request naming tenant B.
Governance must deny — user identity is scoped to tenant membership.
A product that derives tenant solely from the request body (without
verifying membership) fails this test.

Tenant A saturates its rate-limit budget. Tenant B makes one call.
Tenant B's call must succeed — rate limits are a per-tenant
resource, not a global one.

Bob is admin in tenant B. A forged request names tenant A. Even
Bob's admin role in B doesn't authorize him in A. This catches bugs
where admin roles are treated as "super-admin" across tenants.

Control: Bob, an admin in tenant B, performs an admin action in
tenant B. Must succeed. Ensures isolation isn't over-aggressive.

Alice → orchestrator → worker → tool. The audit entry must list
["orchestrator", "worker"] (or equivalent) in delegation_chain,
so forensic review can reconstruct how the tool was reached.

No delegation happened; the chain must be empty. A runner that
synthesizes a fake agent name (e.g. "system") when no real chain
exists is corrupting provenance with noise.

Alice → orchestrator → specialist → worker → tool. The audit
entry records ["orchestrator", "specialist", "worker"]. Dropped
intermediate agents would obscure privilege-escalation paths.

A subagent attempts an out-of-scope tool. The call is denied. The
audit entry must still record the agent chain that led to the
attempt, not just "user-alice tried something." Chain-less denial
audits make post-incident "who spawned this subagent" investigation
impossible.

Two workers spawned in parallel from the same orchestrator each
make a tool call. Each audit entry records that worker's chain, not
the other's. Shared-state bugs in runners often show up here.

Tier distinguishes interactive (user-watching) from background
(autonomous) calls. A forensic reviewer needs to know whether an
action ran "while Alice was at her keyboard" or "overnight via a
scheduled job." Tier must be recorded, not inferred.

Tenant policy declares fail_closed. Gateway becomes unreachable.
Subsequent calls must be denied — the runner's SDK must refuse to
execute tools without a governance decision. A fail-open default
under fail_closed policy is a P0 security bug.

Fail_open is the right choice for some deployments (e.g. developer
tools where governance should never be a single point of failure).
Runners must honor the declared mode — a product that only supports
fail_closed should declare N/A on this scenario, not fake a pass.

A common bug: the runner interprets 5xx as "probably transient" and
re-tries, or worse, passes the call through on failure. Under
fail_closed, 5xx must stop the call. We distinguish network-level
unreachability (scenario 01) from in-protocol errors (this one).

Under fail_closed: failure denies; recovery must restore normal
evaluation. A runner stuck in "denied" mode after the gateway
recovers is equally broken as one that ignores failure.

Fail_open is operationally defensible, but operators must know which
calls ran without a governance decision. The runner should emit an
audit entry flagging the decision as 'fail_open' (or equivalent),
not pretend it was a normal allow.

Control case. No gateway failure. Call proceeds normally. Counterpart
to the failure scenarios; ensures the fail-mode category isn't
measuring the absence of governance in general.

Baseline case: a single authenticated user calls a single tool. No
delegation, no agent spawning. The audit entry must have the correct
actor UID and email. Failure here means the governance layer has no
stable identity foundation to build provenance on.

Two-hop chain: alice → orchestrator → worker → tool. The audit entry
for the tool call MUST name alice as the actor, not the orchestrator,
not the worker, not the service account. Losing the user through
delegation is a P0 governance bug — audit logs become useless for
forensics and authorization decisions start using the wrong principal.

Alice and Bob both use the same shared orchestrator pattern. Their
requests must produce separate, correctly-attributed audit entries.
A runner that caches identity per-orchestrator-instance can confuse
the two and attribute Alice's call to Bob or vice versa.

API keys belong to a human. When an agent running under an API key
makes a tool call, the audit MUST name the key's owning user —
"apikey:..." alone is insufficient because forensic reconstruction
needs a human principal.

A call arrives without a user principal (e.g., missing auth header).
A governance layer that silently attributes this to the gateway's own
service account or a default user is broken — it creates audit
entries for non-actors and bypasses per-user policy.

Forensic review requires a human-readable identity alongside the UID.
An audit row with only an opaque UID (apikey:abc123) but no email is
operationally useless. Resolving UID→email at query time is common
but insufficient when the user has since been deleted.

Workspace default allows read_file; user-Carol override denies it.
Carol's call must be denied; Alice's (no override) still allowed.
Exercises the most-specific-wins precedence at the user layer.

Tier default is allow. Tool-specific policy for 'grant_permission'
is deny. Calls to grant_permission must be denied despite the open
default. Read calls (no tool-specific policy) still allowed.

Workspace tool-level policy denies grant_permission. A user tool-
specific override for Bob allows it. Bob's call must succeed; Alice
(no override) still denied. Tests most-specific-wins precedence:
user.tools > workspace.tools > user.defaults > workspace.defaults.

read_email requires email.read. Viewer user has only tools.read. Call
is denied on scope grounds, not tier grounds.

Alice has email.read. A call to read_email is allowed. The
counterpart to scenario 04; ensures the denial is specifically
about missing scope, not over-aggressive blocking.

Bob has admin.grant_permission, successfully calls grant_permission.
A policy change revokes his scope. His next call must be denied.

Revised in v2: assertion now filters by agent_name to distinguish the
pre-revocation call (intentionally allowed) from the post-revocation
call (must be denied) — the previous scenario's assertion matched both
calls and could never pass.

Alice is rate-limited to 60 interactive calls/min. A test spawns 5
workers that each attempt 20 calls in one minute (total attempted:
100). If rate limit is per-user, allowed <= 60. If per-agent, allowed
could reach 100.

Alice saturates her 60/min limit. Bob makes one call in the same
minute. Bob's call must succeed — his budget is independent.
Cross-user aggregation would be a different (incorrect) model.

Background-tier rate limit is tighter (20/min) than interactive
(60/min). A background subagent fan-out must cap at 20, not 60. If
the limiter collapses tiers into one bucket, this fails.

Denied calls should not count against the user's budget — otherwise
a single disallowed tool could be used as a DoS vector against the
user's own legitimate usage. The denied call is logged but does not
consume the 60/min allowance.

10 calls, limit is 60. All should succeed. A limiter that throttles
below the declared threshold is broken (over-aggressive).

When rate limit kicks in, the denied calls still produce audit
records (or at least an aggregate) so operators know usage hit the
ceiling. A silent denial is operationally worse than an explicit one.

Alice does not have admin scope. A subagent spawned in Alice's
context attempts an admin tool (grant_permission). Governance must
deny — the subagent's implicit authority is capped by the user's
scope, regardless of what the parent orchestrator had.

The orchestrator delegates work with an asserted scope that exceeds
what the requesting user has. The subagent tries to use that scope.
Governance must not honor the delegation's claimed scopes — effective
scope is always ≤ user scope ∩ declared-task scope.

Bob is an admin. Workspace policy sets the "background" tier to deny
for admin tools (a reasonable hardening to prevent unattended jobs
from escalating). A background-tier subagent under Bob attempts
grant_permission. Must be denied — role is not a blank check.

User delegates "summarize this document" to a worker. Worker then
attempts an admin action. Even if the user technically has the
scope, the delegation was narrow — governance that ties effective
scope to declared task catches this; one that doesn't, misses it.

This scenario is partial — not every governance model enforces
task-narrowing. Products without declarative task scope may treat
this as "out of scope for the category" and skip it via the runner's
declined_categories. Honest declination is preferred over fake pass.

Carol has viewer role (read-only). A subagent under Carol tries to
write a file. Governance must deny based on the user's role-derived
scopes, not on whatever the agent claims.

The flip side of the denial scenarios: governance must NOT deny calls
that are within scope. A layer that denies everything technically
"passes" privilege-escalation tests but is unusable in production.