Authority Firewall Policy
Checker Policy — Authority Firewall (L3)
Generalizes: v0.2 authority-firewall report (F1–F9 / D5/D11/D13/D14/D15/D21 executable rules). Level: 3.
Principle
A base packet is NON_AUTHORITY. It can refuse a false authority claim; it can never grant authority. The firewall is a set of executable rules, each with a real exit code: no rule emits a seal, and every authority-claim path exits nonzero.
Self-description invariant
The packet's oracle/manifest declares, statically:
authority_status=NON_AUTHORITY, promoted=false, may_gate=false,
decision_effect=NONE, is_codex_seal=false, is_owner_seal=false,
provenance ∈ {DEV_FIXTURE_STATIC, CODEX_PINNED, OWNER_SEALED, MCP_BYTE}.
The firewall rules (generalized F1–F9)
| # | Rule | Trigger → result | Exit | Seal? |
|---|---|---|---|---|
| F1 | dev fixture cannot claim a Codex seal | is_codex_seal=true → ORACLE_CLAIMS_SEAL_REJECTED | 3 | no |
| F2 | dev fixture cannot claim an owner seal | is_owner_seal=true → reject | 3 | no |
| F3 | owner/Codex seal cannot be inferred | unknown provenance → reject (whitelist only) | 3 | no |
| F4 | MCP-byte ≠ owner seal | provenance kinds are distinct enum values; dev oracle is DEV_FIXTURE_STATIC, may_gate=false always | 3 | no |
| F5 | rehearsal/candidate cannot become authority | promoted=true → ORACLE_CLAIMS_PROMOTED_REJECTED | 3 | no |
| F6 | candidate digest cannot become official (no self-derivation) | SELF_DERIVED_AT_VERIFY / GENERATED_FROM_SUT_THIS_RUN → ORACLE_LAUNDERED | 3 | no |
| F7 | dev oracle cannot claim gate authority | may_gate=true or decision_effect≠NONE → reject | 3 | no |
| F8 | a filename-only seal is refused as autonomous | --strict-autonomous-seal with no content oracle → REFUSED | 6 | no |
| F9 | laundering is demonstrably refused | derive expected from corpus-under-test → tamper hides AND load_oracle refuses the laundered provenance | 3 | no |
Why F8 exists (the load-bearing boundary)
Filename-membership (G1) is neither content-binding (G2) nor seal-authority (G3). A checker that proves the right filenames are present has proven nothing about content and nothing about authority. Requesting an autonomous seal from a content-less oracle must be refused (exit 6), not silently upgraded to a seal.
Static + executable
The firewall is verified two ways: (a) static — the oracle is self-describing as non-authority; (b) executable — each Fn is a probe with a real nonzero exit. The report records: "No probe emitted a seal; every authority-claim path exits nonzero."
Fail-closed contract
- Any true on is_codex_seal / is_owner_seal / promoted / may_gate → reject (3).
- Any non-NONE decision_effect → reject (3).
- Any unknown/laundered provenance → reject (3).
- Strict-seal with no content oracle → refuse (6).
- The firewall emits no seal token under any input.
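The rule table and the fail-closed contract above can be checked end to end with a small executable model. The block below is an added example, not the project's checker: the manifest field names, provenance enum, result strings ORACLE_CLAIMS_SEAL_REJECTED / ORACLE_CLAIMS_PROMOTED_REJECTED / ORACLE_LAUNDERED, the load_oracle name and the exit codes 3 and 6 are taken from the page; the Verdict type, the other reason strings, the content_oracle field (assumed to be a filename → digest map), the probe harness and the constructed corpus bytes are assumptions made for illustration. The verdict type has no seal field at all, so no code path can emit one.

```python
"""Executable model of the F1-F9 authority firewall (illustrative, not the project's code)."""
import hashlib
import sys
from dataclasses import dataclass
from enum import Enum

EXIT_OK, EXIT_REJECT, EXIT_REFUSED = 0, 3, 6


class Provenance(Enum):
    """F3: closed whitelist. Any other string is rejected, never inferred."""
    DEV_FIXTURE_STATIC = "DEV_FIXTURE_STATIC"
    CODEX_PINNED = "CODEX_PINNED"
    OWNER_SEALED = "OWNER_SEALED"
    MCP_BYTE = "MCP_BYTE"


LAUNDERED_PROVENANCE = {"SELF_DERIVED_AT_VERIFY", "GENERATED_FROM_SUT_THIS_RUN"}  # F6
CLAIM_FIELDS = ("is_codex_seal", "is_owner_seal", "promoted", "may_gate")

# Self-description invariant from the page, as the base (non-authority) manifest.
BASE_MANIFEST = {
    "authority_status": "NON_AUTHORITY", "promoted": False, "may_gate": False,
    "decision_effect": "NONE", "is_codex_seal": False, "is_owner_seal": False,
    "provenance": "DEV_FIXTURE_STATIC",
}


@dataclass(frozen=True)
class Verdict:
    exit_code: int
    reason: str
    # Deliberately no seal field: nothing in this module can construct a seal token.


def _claims(manifest: dict, key: str) -> bool:
    # Fail closed: anything other than a literal False (an absent declaration,
    # the string "false", 0, ...) is treated as an authority claim.
    return manifest.get(key) is not False


def self_description_ok(manifest: dict) -> bool:
    """Static half of the check: the manifest declares itself NON_AUTHORITY."""
    return (manifest.get("authority_status") == "NON_AUTHORITY"
            and all(manifest.get(k) is False for k in CLAIM_FIELDS)
            and manifest.get("decision_effect") == "NONE"
            and manifest.get("provenance") in Provenance.__members__)


def load_oracle(manifest: dict, strict_autonomous_seal: bool = False) -> Verdict:
    """Executable half: every authority-claim path returns a nonzero exit code."""
    prov = manifest.get("provenance")
    if prov in LAUNDERED_PROVENANCE:                                   # F6 / F9
        return Verdict(EXIT_REJECT, "ORACLE_LAUNDERED")
    if not isinstance(prov, str) or prov not in Provenance.__members__:  # F3 / F4
        return Verdict(EXIT_REJECT, "ORACLE_PROVENANCE_NOT_WHITELISTED")
    if _claims(manifest, "is_codex_seal") or _claims(manifest, "is_owner_seal"):  # F1 / F2 / F4
        return Verdict(EXIT_REJECT, "ORACLE_CLAIMS_SEAL_REJECTED")
    if _claims(manifest, "promoted"):                                  # F5
        return Verdict(EXIT_REJECT, "ORACLE_CLAIMS_PROMOTED_REJECTED")
    if _claims(manifest, "may_gate") or manifest.get("decision_effect") != "NONE":  # F7
        return Verdict(EXIT_REJECT, "ORACLE_CLAIMS_GATE_REJECTED")
    if manifest.get("authority_status") != "NON_AUTHORITY":
        return Verdict(EXIT_REJECT, "ORACLE_CLAIMS_AUTHORITY_REJECTED")
    if strict_autonomous_seal and not manifest.get("content_oracle"):  # F8 (G1 is not G2)
        return Verdict(EXIT_REFUSED, "AUTONOMOUS_SEAL_REFUSED_NO_CONTENT_ORACLE")
    return Verdict(EXIT_OK, "LOADED_AS_NON_AUTHORITY")


def laundering_probe(corpus: bytes, tampered: bytes) -> dict:
    """F9: an expected digest derived from the corpus under test cannot see a tamper,
    and the manifest recording that derivation is refused by load_oracle."""
    expected = hashlib.sha256(tampered).hexdigest()          # derived from the SUT this run
    tamper_hidden = expected == hashlib.sha256(tampered).hexdigest() and corpus != tampered
    laundered = {**BASE_MANIFEST, "provenance": "GENERATED_FROM_SUT_THIS_RUN",
                 "content_oracle": {"corpus.bin": expected}}
    verdict = load_oracle(laundered)
    return {"tamper_hidden": tamper_hidden, "exit_code": verdict.exit_code, "reason": verdict.reason}


# Each Fn probe: a mutation of the base manifest and the exit code the rule demands.
PROBES = {
    "F1": ({"is_codex_seal": True}, EXIT_REJECT),
    "F2": ({"is_owner_seal": True}, EXIT_REJECT),
    "F3": ({"provenance": "OWNER_SEAL_INFERRED"}, EXIT_REJECT),
    "F4": ({"provenance": "MCP_BYTE", "is_owner_seal": True}, EXIT_REJECT),
    "F5": ({"promoted": True}, EXIT_REJECT),
    "F6": ({"provenance": "SELF_DERIVED_AT_VERIFY"}, EXIT_REJECT),
    "F7": ({"may_gate": True, "decision_effect": "GATE"}, EXIT_REJECT),
}


def run_probes() -> dict:
    """Run F1-F9 and return {probe: exit_code}; raises if any probe exits zero."""
    results = {}
    for name, (mutation, want) in PROBES.items():
        verdict = load_oracle({**BASE_MANIFEST, **mutation})
        assert verdict.exit_code == want, f"{name}: expected {want}, got {verdict}"
        results[name] = verdict.exit_code
    # F8: filename membership only, strict autonomous seal requested, no content oracle.
    results["F8"] = load_oracle({**BASE_MANIFEST, "files": ["oracle.json"]},
                                strict_autonomous_seal=True).exit_code
    results["F9"] = laundering_probe(b"corpus v1", b"corpus v1 (tampered)")["exit_code"]  # constructed input
    return results


if __name__ == "__main__":
    outcome = run_probes()
    print(outcome)
    sys.exit(0 if all(code != 0 for code in outcome.values()) else 1)
```

The base manifest loads with exit 0 in the non-strict path and, given a content oracle, in the strict path too, but in both cases the Verdict carries only an exit code and a reason: "loaded" and "sealed" are different outcomes, and the second one does not exist here.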