#!/usr/bin/env bash

TKT Base — packet RERUN.sh TEMPLATE (reconstruct + reverify)

Copies the packet into a clean mktemp dir, rebuilds nothing, and re-verifies

the manifest + tree pin + gates there, proving the verdict is independent of

the working dir. Replace <…> as needed. NON_AUTHORITY.

set -uo pipefail SRC="$(cd "$(dirname "$0")" && pwd)" TMP="$(mktemp -d)" trap 'rm -rf "$TMP"' EXIT

1. reconstruct into a clean dir

cp -R "$SRC"/. "$TMP"/ cd "$TMP" rm -rf ./evidence # drop prior run logs; they are regenerated

2. L0 — manifest forward (present + hash) + tree pin

test "$(shasum -a 256 HASH_MANIFEST.txt | awk '{print $1}')" = "$(cat packet_tree.sha256)"
|| { echo "RERUN_RESULT: FAIL (tree pin)"; exit 1; } shasum -a 256 -c HASH_MANIFEST.txt >/dev/null
|| { echo "RERUN_RESULT: FAIL (manifest)"; exit 1; }

3. L1 — re-run the gates in the clean dir

bash commands.sh >/dev/null 2>&1
|| { echo "RERUN_RESULT: FAIL (commands.sh)"; exit 1; }

4. byte-exact anchor: exit_codes.json determinism (if class declared byte-exact)

(uncomment + pin EXPECT when the packet declares exit_codes.json byte-exact)

EXPECT="<64hex>"

test "$(shasum -a 256 exit_codes.json | awk '{print $1}')" = "$EXPECT" \

|| { echo "RERUN_RESULT: FAIL (exit_codes drift)"; exit 1; }

echo "RERUN_RESULT: PASS"