KB-55D9 rev 2

FIX7 Authority Closure — N8 Detached Seal Request (rev2, executable contract)

  • Date: 2026-06-10 · Lane: FIX7 authority-seal contract executable macro · rev2 closes Codex AS-P3.
  • Authority of THIS doc: request only. T1 CANNOT author N8. The detached seal is a Codex-only act: the signer identity, timestamp, parent checkpoint, and report documents are authority inputs only Codex supplies. Any N8-shaped value produced by T1 would be a fabricated seal and is prohibited.
  • Executable contract (new in rev2): N8's domain tag, fixed roster, order, and byte encoding are defined in authority-seal-encoder-spec.md §4 and implemented in authority_seal_encoder.py (encode_node("N8", …), sha256 47200442…a452b5bb). Codex authors N8 by filling the Codex-only fields and running the encoder — it invents no protocol.

1. N8 fixed roster (AS-P3)

Domain tag FIX7_CODEX_DETACHED_SEAL_V1; output detached_seal_sha256; fields in this exact order:

#  | field                                                | source                                                                             | actor
1  | schema_version (FIX7-AUTHORITY-SEAL-V1)              | const                                                                              | contract
2  | node_id (N8)                                         | const                                                                              | contract
3  | canonicalizer_sha256                                 | N2 = 49c386a9…b734d0                                                               | engineering
4  | guard_set_sha256                                     | N5                                                                                 | engineering
5  | active_corpus_sha256                                 | N6                                                                                 | engineering
6  | envelope_manifest_sha256                             | N7 (from the N7 envelope)                                                          | from N7
7  | sealed_by                                            | signer/authority identity                                                          | Codex
8  | sealed_at                                            | timestamp                                                                          | Codex
9  | parent_checkpoint                                    | checkpoint document_id@revision                                                    | Codex
10 | report_documents_digest                              | sub-digest, tag FIX7_CODEX_SEAL_REPORTS_V1 over sorted rec(document_id, revision)  | Codex
11 | seal_scope (BLUEPRINT_SEAL_ONLY_NO_IMPLEMENTATION)   | const                                                                              | contract

  • Dependency direction (acyclic): N8 binds N7 (N8 → N2, N5, N6, N7). N8 does NOT bind P7; supplying authority_seal_pin_sha256 to N8 is rejected with SEAL_HASH_GRAPH_CYCLE. Omitting N7 is rejected with SEAL_INPUT_MISSING. This is the corrected, acyclic version of the prior packet (in which N7 bound N8).
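
Added example, not the project's authority_seal_encoder.py: a pre-flight check of an N8 input mapping against the roster and dependency rules above. It computes no seal value. The SEAL_PREFLIGHT_* codes, the lowercase-hex digest check, and returning SEAL_INPUT_MISSING for any absent roster field (the page states it only for N7) are assumptions.

```python
import re

# Fixed N8 roster, in the order given in section 1 of this page.
N8_ROSTER = (
    "schema_version", "node_id", "canonicalizer_sha256", "guard_set_sha256",
    "active_corpus_sha256", "envelope_manifest_sha256", "sealed_by",
    "sealed_at", "parent_checkpoint", "report_documents_digest", "seal_scope",
)
CONSTANTS = {
    "schema_version": "FIX7-AUTHORITY-SEAL-V1",
    "node_id": "N8",
    "seal_scope": "BLUEPRINT_SEAL_ONLY_NO_IMPLEMENTATION",
}
DIGEST_FIELDS = tuple(n for n in N8_ROSTER if n.endswith("_sha256"))
HEX64 = re.compile(r"[0-9a-f]{64}")  # assumption: lowercase hex SHA-256


def preflight_n8(fields):
    """Return a rejection code for an N8 input mapping, or None if well-formed.

    SEAL_HASH_GRAPH_CYCLE and SEAL_INPUT_MISSING are the page's codes; the
    SEAL_PREFLIGHT_* codes are hypothetical names used only in this example.
    """
    # N8 must not bind P7: the pin would close a cycle in the hash graph.
    if "authority_seal_pin_sha256" in fields:
        return "SEAL_HASH_GRAPH_CYCLE"
    # N7 (and, by assumption, every other roster field) must be present.
    if any(name not in fields for name in N8_ROSTER):
        return "SEAL_INPUT_MISSING"
    # Nothing outside the roster, and the key order must match it exactly.
    if tuple(fields) != N8_ROSTER:
        return "SEAL_PREFLIGHT_ROSTER_MISMATCH"
    if any(fields[k] != v for k, v in CONSTANTS.items()):
        return "SEAL_PREFLIGHT_CONST_MISMATCH"
    if not all(isinstance(fields[k], str) and HEX64.fullmatch(fields[k])
               for k in DIGEST_FIELDS):
        return "SEAL_PREFLIGHT_BAD_DIGEST"
    return None


def sample_fields():
    """Constructed sample: placeholder digests, not values from the packet."""
    sample = dict.fromkeys(N8_ROSTER, "CONSTRUCTED-PLACEHOLDER")
    sample.update(CONSTANTS)
    sample.update({name: "ab" * 32 for name in DIGEST_FIELDS})
    return sample
```
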

2. What must be sealed

The N8 seal binds, at minimum:

  1. Packet V3 tree b95df0a5…ca6d and canonicalizer rev3 49c386a9…b734d0 (revision 3, 38756 bytes) — via N6/N2 and the P7 pin.
  2. N7 envelope manifest once Codex computes it from the authorized approval event (n7-approval-event-input-envelope.md).
  3. The Codex signer identity, seal timestamp, parent checkpoint, and report-document set.

3. Why engineering is ready

Codex Recheck-9 V3: engineering PASS, Article 13/14 PASS, no hardcode defect, fresh-fetch reconstruction + 13-gate RERUN exit 0, V2 laundering attack replay rejected fail-closed, rev3 byte identity independently verified. Codex V3 §8: "Engineering evidence is sufficient for this hash/revision to move to the authorized Codex/owner seal step."

4. Explicit statement

T1 cannot author this seal. This request supplies the byte-exact contract + candidate engineering inputs only. Codex authors the final N8 value by running encode_node("N8", …) with its signer/timestamp/parent/report fields. Until then every N8 field remains CODEX_ONLY, codex_sealed_values_present:false, no sealed value claimed.

knowledge/dev/laws/tool-kiem-thu/packets/fix7-authority-closure-2026-06-10/n8-detached-seal-request.md