KB-3F5E

Manifest File-Presence Policy

Revision 1
<!-- DOC_STATUS: ACTIVE_NON_AUTHORITY -->

Checker Policy — Manifest File-Presence (L0)

Generalizes: v0.2 report-vs-file audit §8 (the file-existence check that closed the blind spot that let 6 load-bearing files go missing). Level: 0.

The rule (three-way, not two-way)

A manifest check MUST verify three things. The original v0.2 audit verified only the first two and shipped a packet with six absent files:

  1. Tree pin: sha256(HASH_MANIFEST.txt) == packet_tree.sha256.
  2. Hash recompute (forward-hash): for every line sha256␠␠relpath, recompute sha256(file) and assert == declared.
  3. File presence (forward-existence): for every line, assert the file actually exists at relpath. This is the check that was missing. A manifest line that names a file that is not there is impossible to detect if you only hash the manifest text.

Plus the backward direction:

  1. No unlisted file (backward) — every governed file under the packet root appears in the manifest, except (a) declared by-reference modules and (b) intentionally-ungoverned raw evidence (which the no-vector policy covers via hash+pointer instead).

Why hashing the manifest is not enough

The original audit recomputed sha256(HASH_MANIFEST.txt) and fetched the manifest back, but never asserted each manifest-listed file exists at its packet path. Six files were in fact absent.

packet_tree.sha256 pins the text of the manifest, not the existence of the files it names. A complete manifest text can name files that were never published. File-presence is therefore an independent, mandatory check.

Procedure

# tree pin
test "$(shasum -a 256 HASH_MANIFEST.txt | awk '{print $1}')" = "$(cat packet_tree.sha256)"

# forward: present AND hash-match (this is the load-bearing addition)
shasum -a 256 -c HASH_MANIFEST.txt        # fails if any file missing OR hash wrong

# backward: no unlisted governed file
comm -23 \
  <(find . -type f ! -name HASH_MANIFEST.txt ! -name packet_tree.sha256 | sed 's#^\./##' | sort) \
  <(cut -c67- HASH_MANIFEST.txt | sort)   # relpath starts after 64 hex chars + 2 separator chars, so paths with spaces stay intact
# ^ output must contain only declared by-reference / ungoverned-raw paths

When reconstructing from a remote store (KB), fetch each file at its declared path and hash it; do not trust that "the manifest fetched OK" implies the files exist. Run the forward check against the freshly-fetched tree.

Fail-closed contract

  • Any missing file → FAIL (nonzero), level_reached capped below L0.
  • Any hash mismatch → FAIL.
  • Tree-pin mismatch → FAIL.
  • The check NEVER emits PASS while any listed file is absent.
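
The four checks and the fail-closed contract combined into one shell function, as an added example (not the checker's own code). The exit codes 1-4, the optional allowlist file and the constructed two-file packet are assumptions of this example.

```shell
#!/bin/sh
# Added example. Exit codes 1-4 and the ALLOWLIST argument are this example's own conventions.

sha256_of() {   # hex digest of one file, using whichever tool is installed
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi < "$1" | cut -c1-64
}

# check_packet ROOT [ALLOWLIST]: ALLOWLIST is an absolute path, one exempt relpath per line
# (by-reference modules, ungoverned raw evidence). Returns 0 only when every check holds.
check_packet() (
    allow=${2:-/dev/null}
    cd "$1" || exit 1
    # 1. tree pin: packet_tree.sha256 pins the manifest text only
    [ "$(sha256_of HASH_MANIFEST.txt)" = "$(cut -c1-64 packet_tree.sha256)" ] || { echo "FAIL tree-pin"; exit 1; }
    # 2+3. forward: test presence before hashing so the two failures stay distinct
    while IFS= read -r line; do
        want=$(printf '%s\n' "$line" | cut -c1-64)
        rel=$(printf '%s\n' "$line" | cut -c67-)     # 64 hex chars + 2 separator chars
        [ -f "$rel" ] || { echo "FAIL missing: $rel"; exit 2; }
        [ "$(sha256_of "$rel")" = "$want" ] || { echo "FAIL hash: $rel"; exit 3; }
    done < HASH_MANIFEST.txt
    # 4. backward: every file on disk is listed in the manifest or explicitly exempt
    find . -type f ! -name HASH_MANIFEST.txt ! -name packet_tree.sha256 | sed 's#^\./##' |
    while IFS= read -r f; do
        cut -c67- HASH_MANIFEST.txt | cat - "$allow" | grep -Fxq -- "$f" || { echo "FAIL unlisted: $f"; exit 4; }
    done || exit 4
    echo "PASS"
)

# Constructed sample packet: two governed files, a manifest, and the tree pin.
make_demo_packet() {
    mkdir -p "$1/docs" && printf 'alpha\n' > "$1/a.txt" && printf 'beta\n' > "$1/docs/b.txt"
    for f in a.txt docs/b.txt; do printf '%s  %s\n' "$(sha256_of "$1/$f")" "$f"; done > "$1/HASH_MANIFEST.txt"
    sha256_of "$1/HASH_MANIFEST.txt" > "$1/packet_tree.sha256"
}

# Demo: after a listed file disappears the tree pin still matches; only the forward check notices.
d=$(mktemp -d) && make_demo_packet "$d" && check_packet "$d" && rm "$d/a.txt"
check_packet "$d" || echo "exit=$?"
rm -rf "$d"
```
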