Incomex AI Portal
KB-12AD

FIX7 Authority-Seal End-to-End Rehearsal Driver (NOT A SEAL)

6 min read Revision 1
tool-kiem-thufix7authority-sealrehearsal-driverharnessnot-a-seal2026-06-10

#!/usr/bin/env python3

============================================================================

FIX7 AUTHORITY-SEAL -- END-TO-END DRESS REHEARSAL DRIVER (NOT A SEAL)

Imports the byte-exact authority_seal_encoder and drives the acyclic

N7 -> N8 -> P7 sequence with CLEARLY-LABELLED FIXTURE authority inputs.

Emits, for each node: ordered input pairs, the exact canonical record bytes,

the digest preimage (tag line + records), its sha256, and the node digest.

THIS PRODUCES NO REAL SEAL. Every authority input below is a FIXTURE value.

Real A1/A2/A3/A5 (owner+Codex approval-event) and the Codex signer/timestamp/

parent/report fields are owner/Codex-only and are NOT present here.

============================================================================

import json, os, sys, hashlib import authority_seal_encoder as E

OUT = sys.argv[1] if len(sys.argv) > 1 else "../rehearsal" os.makedirs(OUT, exist_ok=True)

NOT_A_SEAL = { "ARTIFACT_CLASS": "REHEARSAL_ONLY_NOT_A_SEAL", "is_real_n7": False, "is_real_n8": False, "is_real_p7": False, "is_owner_final_seal": False, "is_codex_seal": False, "note": "Deterministic rehearsal with FIXTURE authority inputs. " "Digests below prove the encoder RUNS end-to-end and is DETERMINISTIC. " "They are NOT authority seals and carry NO approval.", }

def preimage(tag, pairs): """Reconstruct the exact bytes the encoder hashes: (tag+\n) + records.""" records = [E.rec(n, v) for n, v in pairs] pre = (tag + "\n").encode() + b"".join(records) return records, pre

def node_artifact(node_id, pairs): tag = E.TAGS[node_id] records, pre = preimage(tag, pairs) digest = E.encode_node(node_id, pairs) assert digest == E.sha(pre), "driver preimage != encoder digest" # cross-check return { "NOT_A_SEAL": NOT_A_SEAL, "node_id": node_id, "domain_tag": tag, "roster": E.ROSTERS[node_id], "output_field": E.OUTPUT_FIELD[node_id], "input_pairs": [[n, v] for n, v in pairs], "canonical_records_text": [r.decode("utf-8") for r in records], "preimage_total_bytes": len(pre), "preimage_sha256": E.sha(pre), "digest": digest, "digest_field": {E.OUTPUT_FIELD[node_id]: digest}, }

def main(): # acyclic order: N7 -> N8 -> P7 n7_pairs = E.fixture_n7_pairs() n7 = E.encode_node("N7", n7_pairs) n8_pairs = E.fixture_n8_pairs(n7) n8 = E.encode_node("N8", n8_pairs) p7_pairs = E.fixture_p7_pairs(n7, n8) p7 = E.seal_p7(p7_pairs)

# fixture-inputs.json (the labelled authority inputs that fed the rehearsal)
fixture_inputs = {
    "NOT_A_SEAL": NOT_A_SEAL,
    "dag_acyclic": not E.has_cycle(E.EDGES),
    "edges": E.EDGES,
    "engineering_constants_real_published": {
        "canonicalizer_sha256_N2": E.N2_REV3,
        "membership_sha256": E.MEMBERSHIP,
        "packet_v3_tree_sha256": E.PACKET_V3_TREE,
        "ssot_document_id": E.SSOT_DOC,
    },
    "fixture_engineering_subdigests_PLACEHOLDER": E.FX,
    "fixture_authority_inputs": {
        "N7": {k: v for k, v in n7_pairs if k in (
            "approval_event_id", "approver_identity",
            "approval_event_timestamp", "owner_blueprint_decision")},
        "N8": {k: v for k, v in n8_pairs if k in (
            "sealed_by", "sealed_at", "parent_checkpoint",
            "report_documents_digest")},
        "P7": {k: v for k, v in p7_pairs if k in (
            "codex_report_document", "codex_checkpoint_document",
            "approval_event_id")},
    },
    "fixture_input_marker": "all approval/signer/timestamp values prefixed FIXTURE- "
                            "or *_OPTION_* are placeholders, NOT owner/Codex inputs",
}
write(os.path.join(OUT, "fixture-inputs.json"), fixture_inputs)

a7 = node_artifact("N7", n7_pairs)
a8 = node_artifact("N8", n8_pairs)
a7p = node_artifact("P7", p7_pairs)
write(os.path.join(OUT, "n7-rehearsal-artifact.json"), a7)
write(os.path.join(OUT, "n8-rehearsal-artifact.json"), a8)
write(os.path.join(OUT, "p7-rehearsal-artifact.json"), a7p)

# determinism re-run (second pass must equal first)
n7_2 = E.encode_node("N7", E.fixture_n7_pairs())
n8_2 = E.encode_node("N8", E.fixture_n8_pairs(n7_2))
p7_2 = E.seal_p7(E.fixture_p7_pairs(n7_2, n8_2))
deterministic = (n7, n8, p7) == (n7_2, n8_2, p7_2)

summary = {
    "NOT_A_SEAL": NOT_A_SEAL,
    "sequence": ["N7", "N8", "P7"],
    "dag_acyclic": not E.has_cycle(E.EDGES),
    "n7_envelope_manifest_sha256": n7,
    "n8_detached_seal_sha256": n8,
    "p7_authority_seal_pin_sha256": p7,
    "deterministic_second_pass_identical": deterministic,
    "encoder_sha256": hashlib.sha256(
        open("authority_seal_encoder.py", "rb").read()).hexdigest(),
}
write(os.path.join(OUT, "rehearsal-summary.json"), summary)

print("END-TO-END REHEARSAL (NOT A SEAL):")
print("  N7:", n7)
print("  N8:", n8, "(binds N7)")
print("  P7:", p7, "(binds N7,N8)")
print("  DAG acyclic:", not E.has_cycle(E.EDGES))
print("  deterministic 2nd pass:", deterministic)
if not deterministic:
    print("REHEARSAL FAIL: non-deterministic")
    return 1
print("REHEARSAL OK")
return 0

def write(path, obj): with open(path, "w") as f: json.dump(obj, f, indent=2, sort_keys=False) f.write("\n")

if name == "main": sys.exit(main())

Back to Knowledge Hub knowledge/dev/laws/tool-kiem-thu/packets/fix7-authority-closure-2026-06-10/authority_seal_rehearsal.py