Tool-Kiem-Thu Governance Update — FIX7 Final Authority-Seal Fail-Open + Provenance Patch New Objects (TKT-OBJ-182..200, 2026-06-11)
- Date: 2026-06-11 · Macro: FIX7_FINAL_AUTHORITY_SEAL_FAILOPEN_AND_PROVENANCE_PATCH_MACRO_2026_06_11
- Authority of THIS doc: KB-level governance record (design/governance authority), NOT a production registry insertion. No PG/Directus/birth_registry row created.
- Pattern: same standalone governance-update precedent as TKT-OBJ-137..147 / 172..181. These rows are the canonical KB-level governance records for this macro's new objects → no orphan. Continues object registry md/json (latest TKT-OBJ-181).
1. Birth rows (TKT-OBJ-182..200)
| TKT-OBJ | Object | Type/species | Location | Owner-class | Authority class | Lifecycle | Allowed / Prohibited | Retention |
|---|---|---|---|---|---|---|---|---|
| 182 | codex_probes.py | harness (probe-reproduction) | …/fix7-authority-closure-2026-06-10/ | T1/engineering | evidence-only | active | run read-only; MUST NOT author a seal | KB-permanent |
| 183 | rehearsal/commands.sh | orchestrator | …/rehearsal/ | T1/engineering | evidence-only | active | run-from-packet-root; no mutation | KB-permanent |
| 184 | rehearsal/HASH_MANIFEST.txt | run artifact | …/rehearsal/ | T1 | evidence-only | active | integrity reference | KB-permanent |
| 185 | rehearsal/packet_tree.sha256 | run artifact | …/rehearsal/ | T1 | evidence-only | active | tree integrity | KB-permanent |
| 186 | rehearsal/exit_codes.json | run artifact | …/rehearsal/ | T1 | evidence-only | active | run evidence | KB-permanent |
| 187 | rehearsal/stdout.log | run artifact | …/rehearsal/ | T1 | evidence-only | active | run evidence | KB-permanent |
| 188 | rehearsal/stderr.log | run artifact | …/rehearsal/ | T1 | evidence-only | active | run evidence | KB-permanent |
| 189 | master report | report | …/reports/ | T1 | evidence-only | active | — | KB-permanent |
| 190 | codex-probes before/after report | report | …/reports/ | T1 | evidence-only | active | — | KB-permanent |
| 191 | value-grammar validation report | report | …/reports/ | T1 | evidence-only | active | — | KB-permanent |
| 192 | provenance validation report | report | …/reports/ | T1 | evidence-only | active | — | KB-permanent |
| 193 | report-set validation report | report | …/reports/ | T1 | evidence-only | active | — | KB-permanent |
| 194 | governed-kb-evidence-packet report | report | …/reports/ | T1 | evidence-only | active | — | KB-permanent |
| 195 | redteam-expanded-codex-probes report | report | …/reports/ | T1 | evidence-only | active | — | KB-permanent |
| 196 | self-codex-dry-run-after-patch report | report | …/reports/ | T1 | evidence-only | active | — | KB-permanent |
| 197 | checkpoint (failopen+provenance ready) | checkpoint | …/checkpoints/ | T1 | evidence-only | active | — | KB-permanent |
| 198 | current-state (failopen+provenance ready) | current-state | knowledge/current-state/reports/ | T1 | evidence-only | active | — | KB-permanent |
| 199 | this governance update | governance record | …/governance/ | T1 | design/governance | active | KB-level only; NOT production registry | KB-permanent |
| 200 | blocker-class/status FINAL-AS-N6-PROVENANCE = SEAL_REAL_N6_NOT_AVAILABLE + 18 new SEAL_* fail-closed statuses + 6 provenance classes + 8 value-grammar kinds | vocabulary/status-class | encoder + spec.json + spec.md | T1 | design/governance | active provisional | naming only; not authority | KB-permanent |
2. Updated (rev-bumped) existing objects — NOT new births
authority_seal_encoder.py (rev2, sha 13344f92… was 47200442…), authority-seal-encoder-spec.md (rev2), authority-seal-encoder-spec.json (rev2), authority_seal_redteam.py (rev2, 39 attacks), authority_seal_drift_check.py (rev2), authority_seal_antihardcode.py (rev2), authority_seal_rehearsal.py (rev2), n7-approval-event-input-envelope.{md,json} (rev3), n8-detached-seal-request.md (rev3), p7-codex-reseal-request.md (rev3), fix7-implementation-precondition-checklist.md (rev2), codex-final-seal-review-packet.md (rev2), rehearsal artifacts (rev2/3), blocker ledger TKT-OBJ-066 (rev7). These are existing governed objects; no new ID.
3. /tmp accessories (retention/cleanup)
Working dir /tmp/fix7-failopen/ (baseline pre-fix encoder + packet + codex_probes) is local-only ephemeral evidence; the governed copies live in KB. Cleanup rule: /tmp/fix7-failopen/ may be deleted at session end (its authoritative bytes are in KB). No retention obligation beyond the session.
4. No-orphan attestation
Every object/accessory this macro created or rev-bumped is either (a) born+governed here (TKT-OBJ-182..200), or (b) a rev-bump of an already-governed object (§2). No production registry insertion was performed (that is an AUTHORITY action → out of scope). KB-level birth ≠ production registry (per Phase-3.5 rule); production insertion remains an owner/operator action recorded as a standing residual (not introduced by this macro).