#!/usr/bin/env bash

TKT Base Pack — RERUN: reconstruct into a clean mktemp dir and reverify.

Proves L1: the pack's verdict is independent of the working directory.

NON_AUTHORITY.

set -uo pipefail SRC="$(cd "$(dirname "$0")" && pwd)" TMP="$(mktemp -d)" trap 'rm -rf "$TMP"' EXIT

cp -R "$SRC"/. "$TMP"/ cd "$TMP" rm -rf ./evidence

L0 — tree pin + forward manifest

test "$(shasum -a 256 HASH_MANIFEST.txt | awk '{print $1}')" = "$(cat packet_tree.sha256)"
|| { echo "RERUN_RESULT: FAIL (tree pin)"; exit 1; } shasum -a 256 -c HASH_MANIFEST.txt >/dev/null
|| { echo "RERUN_RESULT: FAIL (manifest)"; exit 1; }

L1 — gates pass in the clean dir

bash commands.sh >/dev/null 2>&1
|| { echo "RERUN_RESULT: FAIL (commands.sh)"; exit 1; }

exit_codes.json determinism: it must still match the pinned hash after rerun

(regenerated all-pass content is byte-identical to the committed anchor).

shasum -a 256 -c HASH_MANIFEST.txt >/dev/null
|| { echo "RERUN_RESULT: FAIL (exit_codes drift after rerun)"; exit 1; }

L2 — harness fail-closed in the clean dir

python3 harness/tkt_base_harness.py >/dev/null 2>&1
|| { echo "RERUN_RESULT: FAIL (harness)"; exit 1; }

echo "RERUN_RESULT: PASS"