# Trinity Break-Glass Outage Test Checklist

## Goal
Prove Trinity can recover Mr Anderson with bounded operator access and no general shell access.

## Pre-checks
- `trinity-operator` account exists
- Trinity public key is installed with forced-command restrictions
- `/usr/local/bin/mr-anderson-recovery` is installed and executable
- `/usr/local/bin/mr-anderson-recovery-root` is installed and executable
- sudoers snippet is installed via `visudo`
- Source network path is restricted to Trinity over Tailscale
- Audit log destination exists and is writable by root

## Test 1: `status` works
Expected:
- Returns service status for `openclaw-gateway.service`
- Returns `systemctl --user is-active` output
- Returns `openclaw gateway status`

## Test 2: `logs` works
Expected:
- Returns only recent gateway-related logs
- Does not expose arbitrary files or workspace contents

## Test 3: Unsupported command is rejected
Examples:
- `shell`
- `cat MEMORY.md`
- `status extra`

Expected:
- Hard failure
- No shell execution
- Audit trail shows rejection where applicable

## Test 4: `restart` works
During a safe window:
- Invoke `restart`

Expected:
- Service restarts cleanly
- Post-restart status is `active`
- Gateway status responds successfully

## Test 5: `verify` works
Expected:
- Returns `service_state=active`
- Gateway status succeeds
- No extra privileges granted

## Test 6: Controlled outage simulation
Suggested sequence:
1. Induce a safe, reversible outage for the gateway service
2. Trinity runs `status`
3. Trinity runs `logs`
4. Trinity runs `restart`
5. Trinity runs `verify`

Expected:
- Recovery completes without shell access
- Audit log captures all actions
- Adner receives a concise summary after the test

## Exit criteria
The design is ready for production only if:
- all four allowed verbs work
- all unsupported actions fail cleanly
- no workspace/private context can be read through this path
- audit logging is complete and readable
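
As an added example (not the project's own `mr-anderson-recovery` script), a POSIX sh forced-command dispatcher that enforces the exact-match verb allowlist Test 3 and the exit criteria require: the whole `SSH_ORIGINAL_COMMAND` must equal one of the four verbs, every decision is audited, and only `restart` reaches root via the sudoers helper. The `journalctl` invocation, the audit log path and the `--user` unit name are assumptions.

```sh
#!/bin/sh
# Forced-command dispatcher (added example, not the project's own
# /usr/local/bin/mr-anderson-recovery). Assumed: the four checklist verbs,
# the sudoers-approved root helper, and a hypothetical AUDIT_LOG path.
UNIT="openclaw-gateway.service"
ROOT_HELPER="/usr/local/bin/mr-anderson-recovery-root"
AUDIT_LOG="${AUDIT_LOG:-/var/log/mr-anderson-recovery.log}"   # hypothetical

# Accept only when the entire command string equals one verb: "shell",
# "cat MEMORY.md" and "status extra" all hit the reject branch. Pure function.
check_verb() {
    case "$1" in
        status|logs|restart|verify) return 0 ;;
        *) return 1 ;;
    esac
}

# One audit line per decision: UTC time, sshd peer address, verdict, verbatim command.
audit() {
    peer="${SSH_CONNECTION:-unknown}"; peer="${peer%% *}"
    printf '%s peer=%s verdict=%s cmd="%s"\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$peer" "$1" "$2" >> "$AUDIT_LOG"
}

# Run an already-validated verb. Only restart reaches root, and only through
# the helper named in sudoers; user input is never handed to a shell.
run_verb() {
    case "$1" in
        status)  systemctl status "$UNIT" --no-pager
                 systemctl --user is-active "$UNIT"      # assumed user unit name
                 openclaw gateway status ;;
        logs)    journalctl -u "$UNIT" -n 200 --no-pager ;;
        restart) sudo -n "$ROOT_HELPER" restart ;;
        verify)  printf 'service_state=%s\n' "$(systemctl is-active "$UNIT")"
                 openclaw gateway status ;;
    esac
}

main() {
    cmd="${SSH_ORIGINAL_COMMAND-}"   # empty when the client asked for a plain shell
    if check_verb "$cmd"; then
        audit allow "$cmd"; run_verb "$cmd"
    else
        audit reject "$cmd"; echo "unsupported command" >&2; exit 2
    fi
}

# Dispatch only when executed under the installed name; sourced under any
# other name, the functions are merely defined so the allowlist can be tested.
case "$0" in */mr-anderson-recovery) main ;; esac
```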
