4 changes: 2 additions & 2 deletions docs/analysis/chain-reference-table.md
Expand Up @@ -37,7 +37,7 @@ public-artifact-to-credential-replay path stacked on top is hypothesis.
| **H** — SPCS over-broad EAI egress | `MODELED`[^h1] | `spcs_egress_probe.py`, `spcs_base_image_probe.py` | `snowflake_spcs_eai_overbroad.yml` (9f4b2a6e) → `snowflake_spcs_eai_overbroad_trail.yml` (9d1e3f50), `spcs_image_unpinned_or_external.yml` (6c8a2d4f) | No public Snowflake-attributed incident; egress-policy-misconfiguration class is empirical at the network-policy layer. Lab-validated against SPCS service + EAI specs. | PHI in SPCS containers (clinical analytics, federated learning) → uncontrolled egress. |
| **I** — MCP tool poisoning vs. Cortex Agents | `MODELED`[^i1] | `cortex_search_poisoning.py`, `cortex_agent_mcp_bench.py`, `cortex_agent_planner_steer.py` | `cortex_agent_directive_followup.yml` (12c8b3a4) → `cortex_agent_directive_followup_trail.yml` (0e2f4051), `cortex_agent_followup_without_user_intent.yml` (5c8e3f1a), `cortex_agent_sql_from_tool_output.yml` (9b2c4e7a), `cortex_search_rank_anomaly.yml` (c9a4d2c1) | IPI class documented in industry corpus (EchoLeak CVE-2025-32711, ShareLeak CVE-2026-21520, AgentForce PipeLeak); no public Cortex-specific incident as of 2026-05. Lab-validated against deterministic 5-family planner mock. | Patient-record lookup via agent steered to over-fetch beyond minimum-necessary. |
| **J** — Partner-integration token replay | `EMPIRICAL` | `partner_integration_audit.py` | `partner_integration_credential_replay.yml` (2c4d6e8f) → `partner_integration_credential_replay_trail.yml` (1f30516e) | 2026 analytics-SaaS-token incident (no public CVE); UNC5537 (2024) is the developer-endpoint analog. | Partner-held PHI scope (claims clearinghouses, BAA partners with Snowflake access). |
| **K** — Polaris / Iceberg catalog abuse | `MODELED`[^k1] | `iceberg_catalog_pivot.py` | `iceberg_table_outside_catalog_base.yml` (3b6c8d1e) | No public Snowflake-attributed incident. Iceberg-spec attack-surface class documented at the catalog-trust layer. Lab-validated against Polaris REST catalog spec as of 2026-05. | Iceberg-warehoused PHI tables (de-identified extracts, research cohorts) potentially re-identified via pointer poisoning. |
| **K** — Polaris / Iceberg catalog abuse | `HYPOTHESIS`[^k1] | `iceberg_catalog_pivot.py` | `iceberg_table_outside_catalog_base.yml` (3b6c8d1e) | No public Snowflake-attributed incident. Iceberg-spec attack-surface class documented at the catalog-trust layer. Mock Polaris endpoint and tenant staging SQL not yet present; tool cannot run end-to-end. | Iceberg-warehoused PHI tables (de-identified extracts, research cohorts) potentially re-identified via pointer poisoning. |
| **L** — External OAuth scope drift | `MODELED` | `oauth_scope_audit.py` | `oauth_integration_scope_drift.yml` (2d4e6f80) | No public Snowflake-attributed incident. OAuth consent-attack class is empirical at the IdP layer (illicit-consent grant campaigns against Entra/Okta tenants). Lab-validated against INTEGRATIONS + IdP consent-snapshot diff. | Role mapping drift → broader PHI access by federated user than intended. |
| **M** — UDF EAI breakout | `MODELED` | `udf_eai_egress.py` | `udf_with_eai_invocation.yml` (4f7a9c2d) | No public Snowflake-attributed incident. UDF EAI breakout shape is documented in Snowflake's own EAI guidance as the per-row exfil primitive. Lab-validated against FUNCTIONS + INTEGRATIONS join. | Per-row PHI sent to attacker endpoint via UDF invoked over patient table. |
| Chain H ext. — SPCS base-image supply chain | `MODELED` | `spcs_base_image_probe.py` | `spcs_image_unpinned_or_external.yml` (6c8a2d4f) | Container-image supply-chain class is empirical in the broader ecosystem (npm Shai-Hulud, PyPI typosquats, Docker Hub backdoors); no Snowflake-specific incident. | Same surface as Chain H; the failure happens at build time rather than at egress time. |
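
Review bot: In the Chain K row, the evidence cell now says the tool cannot run end-to-end, but the detection-rule cell still lists `iceberg_table_outside_catalog_base.yml` (3b6c8d1e) with no qualifier, so a reader scanning the table cannot tell whether that rule has been exercised against any lab telemetry. Suggest stating the rule's validation status in that cell, or pointing to [^k1] from it. The new cell also drops the "as of 2026-05" spec date that the old row carried; keeping it records which Polaris REST catalog revision the threat model was written against.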
Expand All @@ -48,7 +48,7 @@ public-artifact-to-credential-replay path stacked on top is hypothesis.

[^i1]: **Chain I caveat.** The lab planner is a deterministic recogniser for five payload families (directive, semantic_inject, authority_spoof, multi_turn_setup, multi_turn_payoff). Production Cortex Agent planner robustness against the same families requires tenant-side measurement before claiming the attack works at scale — the lab mock is a simplification, not a stand-in for the production model.

[^k1]: **Chain K caveat.** Modelled against the Polaris REST catalog spec as of 2026-05. Snowflake's Open Catalog API is still evolving (Polaris graduated from Apache incubation late 2025); operators should validate the tool against their deployment's actual Polaris version before relying on the tool's enumeration semantics. The `iceberg_table_outside_catalog_base.yml` rule is keyed on the catalog-base prefix and is robust across spec revisions; the tool's REST enumeration paths are not.
[^k1]: **Chain K caveat.** Downgraded from `MODELED` to `HYPOTHESIS` (reconciliation audit 2026-06). Three gaps block end-to-end validation: (1) no mock Polaris/Iceberg endpoint exists (`/api/v2/iceberg-catalogs` and port-9610 catalog service absent from `infra/lab/`); (2) the tool had a containment guard bug passing a full URL to `assert_loopback()` (fixed — now extracts hostname via `urlparse`); (3) no tenant staging SQL in `lab-validation/`. The threat model and detection rule (`iceberg_table_outside_catalog_base.yml`) remain valid; the badge will advance to `MODELED` once the mock Polaris service and staging SQL are added.

## Residual-risk profile
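
Review bot: The [^k1] footnote says three gaps block end-to-end validation, but item (2), the `assert_loopback()` containment-guard bug, is described as already fixed, which leaves (1) and (3) as the open blockers. Suggest listing only the two open gaps as blockers and recording the guard fix separately with a reference to the commit that made it, since that fix is not among the hunks shown here. The replaced footnote also carried operator guidance that still applies under `HYPOTHESIS` (validate against the deployment's actual Polaris version; the rule is keyed on the catalog-base prefix while the tool's REST enumeration paths are spec-dependent) and is worth keeping alongside the downgrade rationale.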

2 changes: 1 addition & 1 deletion docs/analysis/snowflake-platform-attack-surface-2026.md
Expand Up @@ -948,7 +948,7 @@ emits a remediation-prioritized report. Lab validation in
[`tools/cloud-identity/snowflake/lab-validation/partner_integration_baseline.sql`](../../tools/cloud-identity/snowflake/lab-validation/partner_integration_baseline.sql)
captures the baseline source-IP profile per partner user.

### Chain K — Polaris / Iceberg Catalog Abuse `[MODELED]`
### Chain K — Polaris / Iceberg Catalog Abuse `[HYPOTHESIS]`

Snowflake's Open Catalog (Polaris) and the broader Iceberg REST
catalog ecosystem expand the platform's attack surface in directions
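
Review bot: Changing the badge in the `### Chain K` heading from `[MODELED]` to `[HYPOTHESIS]` also changes the heading's auto-generated anchor, because the badge text is part of the heading, so any link that targets the old anchor will stop resolving. Suggest searching the docs for references to this section's anchor and updating them in the same change. It is also worth confirming that the section body below the heading no longer describes Chain K as lab-validated, and linking the heading or its first paragraph to the [^k1] caveat in `chain-reference-table.md` so the reason for the downgrade is reachable from here.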