v0.2 dev repro packet — src/tkt_v02_oracle.py
#!/usr/bin/env python3
============================================================================
tkt_v02_oracle.py -- Tool-Kiem-Thu v0.2-hardening
Generic black-box ORACLE + SUT execution harness.
Generalizes the Codex-accepted FIX7 Recheck-9 V3 proof model
(packets/fix7-codex-recheck-9-2026-06-10) into a SUT/ORACLE/VERIFIER
framework with NO FIX7-specific authority:
SUT = a real executable/CLI, run as an OS subprocess. Its OBSERVED
exit code + stdout/stderr are the only behavioural evidence.
We NEVER read in-process state or trust an inferred contract.
ORACLE = CLI_ORACLE below: a STATIC, spec-derived constant of THIS
verifier. It is NEVER regenerated from SUT output. A mutated
fail-open SUT cannot rewrite the oracle by re-running our tools.
VERIFIER= tkt_v02_verify.py / tkt_v02_blackbox_suite.py /
tkt_v02_failopen_regression.py compare OBSERVED behaviour against
this oracle and FAIL CLOSED (raise) on any violation.
Authority: NON_AUTHORITY, NOT_PROMOTED, NOT_USED_FOR_FIX7_SEAL,
may_gate=false, decision_effect=NONE. Dev evidence only.
Safe/offline: stdlib only; no network, no DB, no production surface.
============================================================================
import hashlib import os import subprocess import sys
--- The static behavioural oracle (spec pin, NOT derived from SUT output) ---
Spec contract of the generic demo SUT (sut_demo.py), mirrors the FIX7 CLI
contract shape: "exit 0 ONLY iff corpus_ok AND membership_frozen_ok;
exit 4 otherwise; selftest exit 0 iff all checks pass else 1".
CLI_ORACLE = { "oracle_source": "STATIC_SPEC_PIN (sut_demo.py contract text; not generated from SUT output)", "produce_ok_exit": 0, "produce_corpus_error_exit": 4, "selftest_pass_exit": 0, "selftest_fail_exit": 1, "suppression_marker": "ALL CANDIDATE DIGESTS SUPPRESSED", "suppressed_token": "SUPPRESSED_CORPUS_NOT_OK", "ok_marker": "corpus_ok: True", "evidence_class": "EXECUTED_CLI_BLACKBOX", }
Field that, if it ever appears in a manifest authority block, means a tool
synthesized a CLI exit instead of observing one (the Codex V2 attack class).
The verifier hard-fails if it reappears.
BANNED_LAUNDERING_FIELDS = ("cli_exit_contract", "cli_exit_inferred", "cli_exit_synthesized")
class OracleViolation(Exception): """Raised when OBSERVED SUT behaviour contradicts the static oracle."""
def sha256_bytes(b: bytes) -> str: return hashlib.sha256(b).hexdigest()
def sha256_file(path: str) -> str: with open(path, "rb") as f: return sha256_bytes(f.read())
def run_cli(sut_path, argv, cwd=None, timeout=60): """Black-box SUT execution: real OS subprocess, OBSERVED exit + streams.
Returns dict(exit, stdout, stderr). No in-process state is consulted.
"""
proc = subprocess.run(
[sys.executable, sut_path, *[str(a) for a in argv]],
cwd=cwd,
capture_output=True,
text=True,
timeout=timeout,
)
return {
"exit": proc.returncode,
"stdout": proc.stdout,
"stderr": proc.stderr,
"evidence_class": CLI_ORACLE["evidence_class"],
}
def assert_produce_ok(observed): """Positive control: SUT produce on a valid corpus MUST exit 0 + ok marker.""" if observed["exit"] != CLI_ORACLE["produce_ok_exit"]: raise OracleViolation( f"produce positive control: OBSERVED exit {observed['exit']} " f"!= {CLI_ORACLE['produce_ok_exit']} (oracle)" ) if CLI_ORACLE["ok_marker"] not in observed["stdout"]: raise OracleViolation("produce positive control: missing ok marker in stdout") return True
def assert_produce_corpus_error(observed): """Negative case: SUT produce on a broken corpus MUST exit 4, suppress all candidate digests, leak no aggregate hex, and create no output artifact. A fail-open SUT (exit 0 here) raises OracleViolation -> verifier fails closed. """ if observed["exit"] != CLI_ORACLE["produce_corpus_error_exit"]: raise OracleViolation( f"negative corpus case: OBSERVED exit {observed['exit']} " f"!= {CLI_ORACLE['produce_corpus_error_exit']} (oracle) -- FAIL-OPEN SUT" ) out = observed["stdout"] if CLI_ORACLE["suppression_marker"] not in out: raise OracleViolation("negative corpus case: suppression marker absent") if CLI_ORACLE["suppressed_token"] not in out: raise OracleViolation("negative corpus case: suppressed token absent") return True
if name == "main": # Self-describe (no side effects) -- handy for the rerun template. import json print(json.dumps({"CLI_ORACLE": CLI_ORACLE, "banned_laundering_fields": list(BANNED_LAUNDERING_FIELDS)}, indent=2))