FIX7 Authority-Seal rehearsal evidence orchestrator (commands.sh)
#!/usr/bin/env bash
# ============================================================================
# FIX7 AUTHORITY-SEAL -- governed rehearsal evidence orchestrator
# Runs the full self-Codex dry-run sequentially (selftest -> rehearsal ->
# red-team -> drift -> anti-hardcode -> Codex direct probes), captures stdout,
# stderr and exit codes into governed evidence files, then builds a reproducible
# HASH_MANIFEST.txt and a single packet_tree.sha256 over the deterministic
# packet fileset. Produces NO real seal.
# cwd contract: run from the PACKET ROOT (parent of rehearsal/):
#   cd <packet>; bash rehearsal/commands.sh
# ============================================================================
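# Unset variables are errors. -e is intentionally NOT set: each governed step's
# exit status is captured by run() into CODES/exit_codes.json, so a failing
# step must not abort the orchestrator.
set -u

# Packet root = parent of the directory holding this script. Every evidence
# path is derived from it, so the cwd contract is enforced here rather than
# trusted: a failed resolution or cd would otherwise scatter evidence into
# whatever directory the caller happened to be in.
PKT="$(cd "$(dirname "$0")/.." && pwd)" || {
  printf 'cannot resolve packet root from %s\n' "$0" >&2
  exit 1
}
REH="$PKT/rehearsal"
cd "$PKT" || {
  printf 'cannot cd to packet root %s\n' "$PKT" >&2
  exit 1
}

# Governed evidence files; the logs are truncated at the start of every run.
STDOUT="$REH/stdout.log"
STDERR="$REH/stderr.log"
EXITS="$REH/exit_codes.json"
: > "$STDOUT"
: > "$STDERR"

# Interpreter used for every step, and the parallel step-name / exit-code
# arrays that run() appends to.
PY=python3
declare -a NAMES=()
declare -a CODES=()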
run() { # run <name> <cmd...> local name="$1"; shift { echo "==================================================================" echo "STEP: $name" echo "CMD : $* (cwd=$PKT)" echo "------------------------------------------------------------------" } | tee -a "$STDOUT" >> /dev/null echo "### $name :: $" >> "$STDOUT" echo "### $name :: $" >> "$STDERR" "$@" >> "$STDOUT" 2>> "$STDERR" local rc=$? echo "EXIT($name)=$rc" >> "$STDOUT" NAMES+=("$name"); CODES+=("$rc") echo "[$name] exit=$rc" }
#######################################
# The governed dry-run, in its load-bearing order. Steps run strictly one
# after another: the red-team step consumes the JSON the rehearsal step writes.
# Globals:   PY, REH (read); run() appends to NAMES/CODES
# $PY is left unquoted exactly as in the original invocation (word-splitting
# applies to it).
#######################################
run_dry_run_sequence() {
  # 1. encoder selftest
  run selftest $PY authority_seal_encoder.py --selftest

  # 2. end-to-end rehearsal (writes rehearsal/*.json) -- MUST precede red-team
  run rehearsal $PY authority_seal_rehearsal.py "$REH"

  # 3. red-team only AFTER the rehearsal artifacts exist (sequential, not parallel)
  run redteam $PY authority_seal_redteam.py "$REH"

  # 4. spec/code/json/doc drift
  run drift $PY authority_seal_drift_check.py .

  # 5. anti-hardcode / anti-laundering
  run antihardcode $PY authority_seal_antihardcode.py

  # 6. Codex direct adversarial probes (every probe must be REJECTED / fail-closed)
  run codex_probes $PY codex_probes.py --json "$REH/codex-probes-results.json"
}

run_dry_run_sequence
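# ---- exit_codes.json ----
#######################################
# Emit exit_codes.json: the ordered step/exit-code list plus an "all_zero"
# flag. Written with printf so the double quotes survive (the echo-built
# version lost them and did not produce parseable JSON).
# Globals:   NAMES, CODES (read)
# Outputs:   JSON document on stdout
# Returns:   0
#######################################
write_exit_codes() {
  local i name
  local n=${#NAMES[@]}
  local all_zero=true

  printf '{\n  "sequence": [\n'
  for (( i = 0; i < n; i++ )); do
    # JSON-escape backslash and double quote in the step name. Names are fixed
    # identifiers today; escaping keeps the file parseable if that changes.
    name=${NAMES[$i]//\\/\\\\}
    name=${name//\"/\\\"}
    printf '    {"step": "%s", "exit_code": %s}' "$name" "${CODES[$i]}"
    if [ $(( i + 1 )) -lt "$n" ]; then
      printf ','
    fi
    printf '\n'
    if [ "${CODES[$i]}" -ne 0 ]; then
      all_zero=false
    fi
  done
  printf '  ],\n  "all_zero": %s\n}\n' "$all_zero"
}

write_exit_codes > "$EXITS"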
---- HASH_MANIFEST.txt over the deterministic packet fileset ----
exclude volatile run-evidence + manifests themselves + pycache
( cd "$PKT" && find . -type f
! -name 'HASH_MANIFEST.txt'
! -name 'packet_tree.sha256'
! -name 'stdout.log'
! -name 'stderr.log'
! -name 'exit_codes.json'
! -name 'codex-probes-results.json'
! -path '/pycache/'
! -name '_broken_encoder.py'
| sed 's|^./||' | LC_ALL=C sort
| while read -r f; do
h=$(shasum -a 256 "$f" | awk '{print $1}')
printf '%s %s\n' "$h" "$f"
done ) > "$REH/HASH_MANIFEST.txt"
---- packet_tree.sha256 = single tree hash over the manifest ----
shasum -a 256 "$REH/HASH_MANIFEST.txt" | awk '{print $1}' > "$REH/packet_tree.sha256"
echo "----------------------------------------------------------------" echo "packet_tree.sha256: $(cat "$REH/packet_tree.sha256")" echo "exit_codes: $(cat "$EXITS" | tr -d '\n' | sed 's/ */ /g')"
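# ---- overall rc: 0 only if every governed step exited 0 ----
#######################################
# Returns 0 when every recorded step exit code is zero, 1 otherwise.
# Globals:   CODES (read)
#######################################
all_steps_succeeded() {
  local c
  # The ${CODES[@]+...} form keeps the expansion legal under "set -u" on
  # bash < 4.4, where an empty array would otherwise trip the unset check.
  for c in ${CODES[@]+"${CODES[@]}"}; do
    if [ "$c" -ne 0 ]; then
      return 1
    fi
  done
  return 0
}

if all_steps_succeeded; then
  exit 0
else
  exit 1
fi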