KB-2224 rev 2
FIX7 Recheck-9 Packet V2 — Codex-adversarial selfcheck suite (12 tamper classes)
10 min read Revision 2
#!/usr/bin/env python3
============================================================================
FIX7 Recheck-9 packet — CODEX-ADVERSARIAL SELFCHECK SUITE (R9 hardening lane).
Re-runs, as EXECUTABLE tests, every adversarial probe Codex used in Recheck-9
plus stronger ones. Each test copies the canonical packet to an OS temp dir,
applies ONE tamper, and asserts that the packet toolchain FAILS CLOSED
(nonzero / FAIL). An expected-fail test that unexpectedly passes FAILS this
suite. The canonical packet is NEVER mutated.
This file is EXCLUDED from the forbidden-scope scan BY DESIGN: it embeds
forbidden tokens as TEST VECTORS (T9) to prove the scanner fails closed.
It is hash-pinned in manifest.json authority + HASH_MANIFEST.txt instead.
Exit: 0 iff every positive control passes AND every tamper is caught.
SAFE/OFFLINE: stdlib only; reads packet files; writes only OS temp dirs.
============================================================================
import os, sys, json, shutil, tempfile, hashlib
sys.dont_write_bytecode = True ROOT = os.path.dirname(os.path.abspath(file)) sys.path.insert(0, ROOT) import manifest_tool as MT
RESULTS=[] def report(label, ok, detail=""): RESULTS.append(ok) print(f" [{'OK' if ok else 'UNEXPECTED'}] {label}{(' — '+detail) if detail else ''}")
def fresh_copy(base): dst=os.path.join(base, f"copy{len(os.listdir(base))}") shutil.copytree(ROOT, dst, ignore=shutil.ignore_patterns( "rerun-out","pycache","*.pyc",".DS_Store")) return dst
def load_canon(root): return MT.load_canon(root)
def edit_manifest(root, fn): p=os.path.join(root,"manifest.json") m=json.load(open(p)); fn(m) json.dump(m,open(p,"w"),indent=2); open(p,"a").write("\n")
def tree_hash(root): h=hashlib.sha256() for rel in MT.tracked_tree(root): h.update(rel.encode()+b"\0"+open(os.path.join(root,rel),"rb").read()+b"\0") return h.hexdigest()
def main(): base=tempfile.mkdtemp(prefix="fix7adv-") try: # ---- positive controls (the environment itself must be green) ---- c0=fresh_copy(base) report("C1 positive control: untampered copy --verify == 0", MT.cmd_verify(c0)==0) report("C2 positive control: untampered copy --complete == 0", MT.cmd_complete(c0)==0) report("C3 positive control: untampered copy --scan == 0", MT.cmd_scan(c0)==0) canon=load_canon(c0) res=canon.produce(os.path.join(c0,"docs"), os.path.join(c0,"evidence/canonicalizer-fix7-canon-v1-ssot.md")) report("C4 positive control: produce corpus_ok+frozen_ok on untampered copy", res["corpus_ok"] and res["membership_frozen_ok"])
# ---- T1: the decisive Codex Recheck-9 tamper (R9-B1) ----
t=fresh_copy(base)
edit_manifest(t, lambda m: m["authority"]["forbidden_scope"].__setitem__("forbidden_operations_found",999))
report("T1 tamper authority.forbidden_scope.forbidden_operations_found=999 -> verify FAILS",
MT.cmd_verify(t)==1)
# ---- T2: missing active doc 05 (R9-B2, the second decisive Codex test) ----
t=fresh_copy(base)
os.remove(os.path.join(t,"docs/05-rollback-blueprint.md"))
canon_t=load_canon(t)
r=canon_t.produce(os.path.join(t,"docs"), os.path.join(t,"evidence/canonicalizer-fix7-canon-v1-ssot.md"))
report("T2a missing doc 05 -> produce fail-closed state (corpus_ok False, all digests suppressed)",
(not r["corpus_ok"]) and (not r["membership_frozen_ok"]) and
all(r.get(k)==canon_t.SUPPRESSED for k in canon_t.SUPPRESSIBLE_DIGEST_KEYS))
report("T2b missing doc 05 -> manifest --verify FAILS", MT.cmd_verify(t)==1)
report("T2c missing doc 05 -> packet --complete FAILS", MT.cmd_complete(t)==1)
# R9-B6: the REAL CLI is executed here; exit 4 is OBSERVED, never inferred
rc,out=MT.run_cli(os.path.join(t,"evidence/canonicalizer-fix7-canon-v1-ssot.py"),
["--produce",os.path.join(t,"docs"),
os.path.join(t,"evidence/canonicalizer-fix7-canon-v1-ssot.md")])
report("T2d missing doc 05 -> ACTUAL CLI exit OBSERVED == 4, suppression marker, no digest leak",
rc==MT.CLI_ORACLE["produce_corpus_error_exit"]
and MT.CLI_ORACLE["suppression_marker"] in out
and not MT.agg_digest_leak(out), f"observed_exit={rc}")
# ---- T3: tamper a load-bearing PASS literal (selftest count) ----
t=fresh_copy(base)
edit_manifest(t, lambda m: m["authority"]["selftest"].__setitem__("checks_passed",999))
report("T3 tamper authority.selftest.checks_passed=999 -> verify FAILS", MT.cmd_verify(t)==1)
# ---- T4: tamper a hash literal ----
t=fresh_copy(base)
edit_manifest(t, lambda m: m["authority"]["ssot"].__setitem__("ssot_md_sha256","0"*64))
report("T4 tamper authority.ssot.ssot_md_sha256 -> verify FAILS", MT.cmd_verify(t)==1)
# ---- T5: remove a raw log ----
t=fresh_copy(base)
os.remove(os.path.join(t,"logs/produce.log"))
report("T5a remove logs/produce.log -> verify FAILS (log is an authority artifact)", MT.cmd_verify(t)==1)
report("T5b remove logs/produce.log -> --complete FAILS", MT.cmd_complete(t)==1)
# ---- T6: remove a HASH_MANIFEST entry ----
t=fresh_copy(base)
hm=os.path.join(t,"HASH_MANIFEST.txt")
lines=[l for l in open(hm) if "docs/03-gap-classification.md" not in l]
open(hm,"w").writelines(lines)
report("T6 drop HASH_MANIFEST entry for docs/03 -> --complete FAILS (bidirectional coverage)",
MT.cmd_complete(t)==1)
# ---- T7: remove RERUN.sh ----
t=fresh_copy(base)
os.remove(os.path.join(t,"RERUN.sh"))
report("T7 remove RERUN.sh -> --complete FAILS (required packet file)", MT.cmd_complete(t)==1)
# ---- T8: byte-flip an input doc (hash-tree mismatch / KB-vs-local divergence class) ----
t=fresh_copy(base)
p=os.path.join(t,"docs/00-readme-first.md")
b=open(p,"rb").read()
open(p,"wb").write(b+b"X\n")
report("T8a byte-tamper docs/00 -> --complete FAILS (hash mismatch)", MT.cmd_complete(t)==1)
report("T8b byte-tamper docs/00 -> verify FAILS", MT.cmd_verify(t)==1)
report("T8c byte-tamper -> packet tree-hash diverges (KB-vs-local mismatch detector)",
tree_hash(t)!=tree_hash(c0))
# ---- T9: forbidden-operation marker inserted into seal-path code ----
t=fresh_copy(base)
p=os.path.join(t,"evidence/materialize_canonicalizer.py")
open(p,"a").write("\nimport subprocess # FORBIDDEN TEST VECTOR\n")
report("T9a forbidden token in seal-path code -> --scan FAILS", MT.cmd_scan(t)==1)
report("T9b forbidden token in seal-path code -> verify FAILS", MT.cmd_verify(t)==1)
# ---- T10: candidate digest class claimed as sealed ----
t=fresh_copy(base)
edit_manifest(t, lambda m: m["authority"]["digest_classes"].__setitem__("canonicalizer_sha256","CODEX_SEALED"))
report("T10 digest class -> CODEX_SEALED -> verify FAILS (allowlist + deep diff)", MT.cmd_verify(t)==1)
# ---- T11: codex_sealed_values_present flipped to true ----
t=fresh_copy(base)
edit_manifest(t, lambda m: m["authority"].__setitem__("codex_sealed_values_present",True))
report("T11 codex_sealed_values_present=true -> verify FAILS", MT.cmd_verify(t)==1)
# ---- T12: smuggle an EXTRA unverified field into authority ----
t=fresh_copy(base)
edit_manifest(t, lambda m: m["authority"].__setitem__("totally_real_seal","trust me"))
report("T12 extra hand-authored field in authority -> verify FAILS (schema: no unverified field may live in authority)",
MT.cmd_verify(t)==1)
# ---- T13: the Codex V2 fail-open attack (R9-V2-B6) — a SUT whose error
# ---- branch exits 0 must be caught even after full self-regeneration ----
t=fresh_copy(base)
for rel in ["evidence/canonicalizer-fix7-canon-v1-ssot.md",
"evidence/canonicalizer-fix7-canon-v1-ssot.py",
"evidence/fix7_canon_v1_ssot_extended.py"]:
p=os.path.join(t,rel); s=open(p,encoding="utf-8").read()
assert s.count("sys.exit(4)")==1, rel
open(p,"w",encoding="utf-8").write(s.replace("sys.exit(4)","sys.exit(0)"))
rc,out=MT.run_cli(os.path.join(t,"manifest_tool.py"),["--emit"])
report("T13a fail-open SUT (error exit 0) -> manifest --emit FAILS (no laundering)",
rc!=0 and "ORACLE_VIOLATION" in out, f"observed_exit={rc}")
rc,out=MT.run_cli(os.path.join(t,"manifest_tool.py"),["--verify"])
report("T13b fail-open SUT (error exit 0) -> manifest --verify FAILS", rc!=0,
f"observed_exit={rc}")
finally:
shutil.rmtree(base, ignore_errors=True)
total=len(RESULTS); good=sum(RESULTS)
print(f"ADVERSARIAL_SUITE: {'PASS' if good==total else 'FAIL'} ({good}/{total} expectations met; "
f"every tamper must be caught, every control must be green)")
return 0 if good==total else 1
if name=="main": sys.exit(main())