Lab Mode and Scope Bypass
How WitnessOps documents the exception path for lab execution, scope bypass, and non-production testing.
Lab mode and scope bypass define the explicit exception path when normal governance scope enforcement is intentionally suspended.
1. Problem this page solves
Normal governed execution assumes scope checks pass before execution.
Some lab/test scenarios require controlled exceptions, and those exceptions must be recorded without being confused for normal governed production evidence.
2. What you should understand after reading
After this page, you should understand:
- when lab mode is allowed
- what
--laband--no-scopemean operationally - what must be documented before and after exception use
- what a bypassed receipt can and cannot prove
3. Mechanism-first exception path
- Declare exception intent. Lab objective and reason scope enforcement is insufficient are documented.
- Constrain exception boundary. Target boundary, environment class, and stop condition are explicitly set.
- Authorize exception. Named approver accepts elevated risk posture.
- Execute with explicit markers.
--labmarks lab run;--no-scopebypasses scope enforcement when required. - Record exception evidence. Receipt/evidence chain must show lab status and bypass state unambiguously.
- Interpret trust posture correctly. Bypassed run is treated as exception evidence, not normal governed scope-compliant evidence.
See Commands for command reference details.
4. Required controls and evidence fields
Before running with lab mode or scope bypass, define:
- why normal scope enforcement is insufficient
- exact target boundary
- named approver for exception risk
- environment classification (lab/sandbox/demo/isolated test)
- stop condition for unintended scope/data impact
Evidence record must show:
- lab marker present
- bypass state present
- approver and reason present
- intended target boundary present
- sensitive-data handling state present
In the current receipt model, scope_validated: false means normal scope enforcement did not apply.
5. Observed vs inferred
| Layer | What is observed | What is inferred |
|---|---|---|
| Observed | explicit lab/bypass markers, approver record, exception rationale, run artifacts | none beyond recorded exception facts |
| Inferred | whether exception was appropriate for policy context | depends on external governance standards and reviewer judgment |
6. Trust assumptions and hard-fail boundaries
Lab mode is not a speed shortcut. It is an explicit trust-posture downgrade with stricter documentation requirements.
Hard-fail examples:
- bypass without named approver
- lab run claimed against production target without explicit written exception
- exception run later represented as normal governed scope-compliant evidence
- sensitive artifact collection without handling plan
A bypassed receipt can still prove that a run occurred and artifacts were linked.
It cannot prove that normal scope controls were satisfied.
7. Next-page handoff
Next, read Operations to see how governed workflows, runbooks, and operator controls handle these governance boundaries in execution practice.
Then use Authorization Model and Threat Model for authority and boundary depth.