KB-28F1

06 — C1 Manifest / Hash / Resolver Proof (2026-06-22)

3 min read Revision 1

06 — C1 Manifest / Hash / Resolver Proof — 2026-06-22

LABELS: LOCAL_DISPOSABLE_SANDBOX_DOT_EMULATOR · NOT_GOVERNED_RUNTIME · NOT_PRODUCTION · NOT_DIRECTUS_GOVERNED_WRITE · NOT_A_SUBSTITUTE_FOR_DOT_C1_REGISTRATION

Resolver R_C1 (deterministic, governed-values-only)

c1.resolve() maps the frozen authority fixture → canonical_operation candidates: 'c1.op.'||action_code, risk_level, handler_ref, source_action_code for status='active', ordered by operation_code → 14 operations (matches prod apr_action_types 14 active rows). Values come ONLY from the resolver; caller cannot inject (injected_operations → REJECT, see file 09).

Manifest (cser-v1)

{ carrier:"C1", protocol_version:1, serialization:"cser-v1",
  authority_source:"apr_action_types_fixture",
  authority_fixture_hash:"3b3c2ff96c24c78df9f1923f21c5b998360ba964c7dac38deb9b1e9a73f315f4",
  operations:[ {operation_code, risk_level, handler_ref, source_action_code} × 14 ] }

cser-v1 = keys sorted (C collation / bytewise), explicit nulls, UTF-8 NFC-normalized strings, JSON-escaped. Implemented in c1.cser(jsonb) (recursive, immutable).
Canonical byte length = 2123.

Hash

c1.manifest_hash(m) = encode(sha256(convert_to(c1.cser(m),'UTF8')),'hex').
C1 manifest hash = c9286d3acf8223d77207de69c79b2333c949c996c33843c5c42866a628d7ec00.

Recompute proof (recomputable by an INDEPENDENT tool)

Method	Result
`manifest_hash(build_manifest(1))` call #1	`c9286d3a…ec00`
`manifest_hash(build_manifest(1))` call #2	`c9286d3a…ec00` (deterministic)
external `shasum -a 256` over exported cser bytes	`c9286d3a…ec00` — MATCH
Recompute command: `psql … \copy (select c1.cser(c1.build_manifest(1))) to manifest.cser` then `perl -0777 -pe 's/\n\z//' manifest.cser	shasum -a 256`.

Negative cases

Caller-supplied expected_manifest_hash='deadbeef' ≠ computed → REJECT_MANIFEST_HASH_MISMATCH (file 09 wrong_hash).
Tampering authority fixture changes authority_fixture_hash → changes manifest hash (binding holds).
injected_operations in payload → REJECT_NON_GOVERNED_VALUE_INJECTION (manifest never built from caller values).

Scope note

This proves manifest/hash recompute logic. The governed runtime would compute the same hash over the live (not frozen) apr_action_types; that governed computation is not demonstrated here (no governed C1 surface exists).