FIX7 Recheck-9 Packet V2 — manifest generator/verifier (full authority recompute, R9-B1)
#!/usr/bin/env python3
"""
============================================================================
FIX7 Recheck-9 packet manifest generator/verifier — V3 (R9-B6 closed).

V3 SUT/ORACLE/VERIFIER SEPARATION (Codex R9-V2-B6 fix):
  SUT      = the actual canonicalizer CLI file executed as main
             (runpy harness: real argv, real module run, OBSERVED SystemExit
             code, captured stdout/stderr). NOT canon.produce() in-process
             state. The synthesized "cli_exit_contract" field is REMOVED.
  ORACLE   = CLI_ORACLE below: STATIC, spec-derived from the SSOT contract
             text ("exit 0 ONLY iff corpus_ok AND membership_frozen_ok;
             exit 4 otherwise"). It is a constant of THIS verifier and is
             NEVER generated from SUT output. A mutated fail-open SUT cannot
             rewrite the oracle by re-running the packet's own tools. (Caveat:
             the SUT is executed in THIS interpreter by run_cli, not in a child
             process, so a script that deliberately patches this module's
             globals is outside that guarantee; RERUN.sh gate 6's OS-process
             observation is the isolation boundary for that case.)
  VERIFIER = run_negative_tests / compute_authority compare OBSERVED CLI
             behavior against the oracle and RAISE (fail-closed) on any
             violation — so BOTH --emit and --verify die on a fail-open SUT.
             --emit therefore CANNOT launder broken behavior into a fresh
             self-consistent manifest (the Codex V2 attack class).

manifest.json has exactly TWO sections:
  "authority"   — EVERY field is load-bearing and EVERY field is RECOMPUTED
                  from bytes on disk + real executions (produce run, selftest
                  run, forbidden-scope scan, negative-test executions) at
                  --verify time. The verifier deep-diffs the ENTIRE recomputed
                  authority object against the on-disk one and exits 1 on ANY
                  difference, missing key, or extra key. There is NO unverified
                  load-bearing literal: tampering ANY authority field fails.
  "explanatory" — NON_AUTHORITY explanation (ids, prose, historical constants,
                  KB-binding claims verified by KB fetch, remaining blockers).
                  Excluded from PASS logic by construction; carries no
                  load-bearing claim. Schema-checked for its marker only.

Modes:
  --emit                (re)write manifest.json from full recomputation
  --verify              recompute EVERYTHING, deep-diff vs disk, exit 1 on ANY
                        mismatch (fail-closed) — includes rerunning selftest,
                        produce, forbidden scan, and all negative tests
  --scan                forbidden-scope scan only; exit 1 if any hit
  --complete            packet completeness: required files present + HASH_MANIFEST
                        bidirectional coverage + hash equality; exit 1 on any gap
  --emit-hash-manifest  (re)write HASH_MANIFEST.txt over the tracked tree

SAFE/OFFLINE: stdlib only; reads packet files; writes only manifest.json
(--emit) / HASH_MANIFEST.txt (--emit-hash-manifest) / OS temp dirs (negative
tests). No network, no DB, no production surface.
============================================================================
"""
import contextlib
import hashlib
import importlib.util
import io
import json
import os
import re as _re
import runpy
import shutil
import sys
import tempfile
# This tool executes packet code in-process (runpy / importlib below); never
# leave .pyc artifacts behind in the hash-tracked packet tree.
sys.dont_write_bytecode = True
# Schema pin: cmd_verify compares manifest.json's "manifest_format" to this verbatim.
MANIFEST_FORMAT: str = "FIX7-R9-MANIFEST-V3"
# ---------------------------------------------------------------------------
# STATIC CLI ORACLE (R9-B6.1) — spec-derived; NEVER computed from SUT output.
# Source: SSOT contract text (canonicalizer-fix7-canon-v1-ssot.md, --produce
# contract: "exit 0 ONLY iff corpus_ok AND membership_frozen_ok; exit 4
# otherwise"; --selftest contract: "exit 0 iff every embedded vector passes").
# These literals are the EXPECTED side of every black-box comparison below;
# the OBSERVED side always comes from executing the real CLI file as main.
#
# NOTE(review): "cannot rewrite the oracle" holds against re-running the packet's
# own tools. The SUT runs in THIS interpreter (run_cli uses runpy, not a child
# process), so a script that deliberately patches sys.modules["__main__"] is
# outside this guarantee; RERUN.sh gate 6's OS-process observation covers that.
# ---------------------------------------------------------------------------
CLI_ORACLE = {
    "oracle_source": "STATIC_SPEC_PIN (SSOT contract text; not generated from SUT output)",
    "produce_ok_exit": 0,
    "produce_corpus_error_exit": 4,
    "selftest_pass_exit": 0,
    "selftest_fail_exit": 1,
    "suppression_marker": "ALL CANDIDATE DIGESTS SUPPRESSED",
    "suppressed_token": "SUPPRESSED_CORPUS_NOT_OK",
}
# Packet-relative path of the SUT: the canonicalizer CLI file executed as __main__.
CANON_CLI_REL = "evidence/canonicalizer-fix7-canon-v1-ssot.py"
# The 8 aggregate-digest stdout labels that MUST NOT leak a hex digest when
# the corpus is not OK (per-doc N1 hashes of present docs are allowed).
# agg_digest_leak matches these with startswith, so "canonicalizer_sha256_cand"
# is presumably a deliberate prefix of the longer produce key
# "canonicalizer_sha256_candidate" — confirm against the CLI's stdout format.
AGG_DIGEST_LABELS = [
    "membership_sha256",
    "active_corpus_sha256",
    "marker_fence_registry_sha256",
    "superseded_boundary_sha256",
    "guard_set_sha256",
    "canonicalizer_sha256_cand",
    "envelope_manifest_sha256",
    "detached_seal_sha256",
]
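def run_cli(py_path, argv):
    """Execute the REAL CLI file as ``__main__`` and return ``(observed_exit, stdout+stderr)``.

    Black-box w.r.t. the SUT: fresh module namespace via runpy, real ``sys.argv``,
    and the OBSERVED ``SystemExit`` code mapped with OS-process semantics:
    no exit -> 0, ``sys.exit(None)`` -> 0, ``sys.exit(<int>)`` -> that int (a bool
    is normalised to 0/1 as a real process would report it), ``sys.exit(<other>)``
    -> payload written to the captured stream and status 1, unhandled exception
    -> 1.  No child process is spawned, so the forbidden-scope policy stays
    intact; RERUN.sh gate 6 additionally observes the same exits at true
    OS-process level from bash.

    Isolation caveat (security): the SUT runs in THIS interpreter.  runpy gives it
    a fresh namespace, but nothing stops a hostile script from reaching into
    ``sys.modules["__main__"]`` (this verifier) or ``sys.modules`` generally and
    altering globals such as ``CLI_ORACLE`` for the rest of the run.  Treat the
    in-process oracle comparison as tamper-evident against re-running the packet's
    tools, not as a sandbox; the OS-process gates in RERUN.sh are the containment
    boundary.

    Args:
        py_path: filesystem path of the script to execute as ``__main__``.
        argv: the script's CLI arguments (becomes ``sys.argv[1:]`` for it).

    Returns:
        ``(code, text)``: ``code`` is the observed exit status (``int``); ``text``
        is everything the script wrote to stdout and stderr, in order, plus any
        exit-message / unhandled-exception note appended by this wrapper.
    """
    saved_argv = sys.argv
    captured = io.StringIO()
    try:
        sys.argv = [py_path] + list(argv)
        with contextlib.redirect_stdout(captured), contextlib.redirect_stderr(captured):
            try:
                runpy.run_path(py_path, run_name="__main__")
                code = 0  # fell off the end without sys.exit -> status 0
            except SystemExit as e:
                if e.code is None:
                    code = 0
                elif isinstance(e.code, int):
                    # bool is an int subclass: sys.exit(True) is status 1 at OS level
                    code = int(e.code)
                else:
                    # process semantics: a non-int payload goes to stderr, status 1
                    captured.write(str(e.code) + "\n")
                    code = 1
            except BaseException as e:  # any other escape == a crashed process
                captured.write(f"\n[run_cli] unhandled {type(e).__name__}: {e}\n")
                code = 1
    finally:
        sys.argv = saved_argv
    return code, captured.getvalue()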
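def agg_digest_leak(stdout_text, labels=None):
    """Return True iff an aggregate-digest stdout line leaks a 64-hex digest.

    When the corpus is not OK every aggregate line must carry the SUPPRESSED token
    instead of a digest value.  A line leaks when, after stripping, it starts with
    one of *labels* and the text after the ``:`` separator begins with a
    64-character hex string.  The hex match is case-insensitive on purpose: a
    mutated SUT must not evade the detector merely by printing uppercase hex.

    Args:
        stdout_text: captured CLI output (stdout+stderr) to inspect.
        labels: line prefixes treated as aggregate-digest labels; defaults to the
            module constant ``AGG_DIGEST_LABELS``.

    Returns:
        True on the first leaking line, False if no line leaks (including empty input).
    """
    if labels is None:
        labels = AGG_DIGEST_LABELS
    prefixes = tuple(labels)
    hex64 = _re.compile(r":\s*[0-9a-fA-F]{64}\b")
    for line in stdout_text.splitlines():
        if line.strip().startswith(prefixes) and hex64.search(line):
            return True
    return False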
def snapshot_tree(d):
    """Return the sorted relative paths of every file under *d* (recursively).

    An absent or non-directory *d* yields ``[]``.  The negative tests compare a
    snapshot taken before and after a CLI run to prove no output artifact was
    created.
    """
    if not os.path.isdir(d):
        return []
    rel_paths = [
        os.path.relpath(os.path.join(dirpath, fname), d)
        for dirpath, _dirs, fnames in os.walk(d)
        for fname in fnames
    ]
    return sorted(rel_paths)
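def packet_root():
    """Return the directory containing this tool.

    Used as the packet root for every mode when ``main`` is not given an
    explicit root; ``__file__`` is resolved to an absolute path first so the
    result does not depend on the current working directory.
    """
    return os.path.dirname(os.path.abspath(__file__))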
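# The 10 active-authority docs (pinned order; also the keys of the per-doc hashes).
DOC_NAMES = [
    "00-readme-first.md",
    "01-live-existing-system-inventory.md",
    "02-design-to-live-mapping.md",
    "03-gap-classification.md",
    "04-dependency-safe-construction-order.md",
    "05-rollback-blueprint.md",
    "06-test-guard-blueprint.md",
    "07-implementation-package-split.md",
    "08-hard-blocks-do-not-touch-list.md",
    "12-final-verdict.md",
]
# The 8 logs RERUN.sh produces under logs/.
LOG_NAMES = [
    "materialized-selftest.log",
    "extended-selftest.log",
    "produce.log",
    "forbidden-scope.log",
    "manifest-verify.log",
    "adversarial-suite.log",
    "blackbox-negative-suite.log",
    "failopen-regression.log",
]
# Required at packet root for completeness (R9-B4); HASH_MANIFEST covers all of
# these except itself; manifest authority covers all except itself + HASH_MANIFEST.
# The three lists are concatenated (a list cannot be subtracted from a list).
REQUIRED_FILES = (
    [
        "README_FOR_CODEX.md",
        "RERUN.sh",
        "HASH_MANIFEST.txt",
        "manifest.json",
        "manifest_tool.py",
        "adversarial_suite.py",
        "kb_fetch_reconstruct.py",
        "blackbox_negative_suite.py",
        "failopen_regression.py",
        "evidence/canonicalizer-fix7-canon-v1-ssot.md",
        "evidence/canonicalizer-fix7-canon-v1-ssot.py",
        "evidence/fix7_canon_v1_ssot_extended.py",
        "evidence/materialize_canonicalizer.py",
        "evidence/selftest-expected-output.txt",
        "evidence/produce-expected-output.txt",
    ]
    + [f"docs/{d}" for d in DOC_NAMES]
    + [f"logs/{log}" for log in LOG_NAMES]
)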
# Logs generated AFTER manifest emission (verify/suite runs copy or reference
# the emitted manifest itself) — pinning them inside manifest.json would be
# circular, so they are pinned by HASH_MANIFEST.txt + required-file
# completeness instead, and re-generated live by RERUN.sh into rerun-out/.
POST_EMIT_LOGS = {
    "logs/manifest-verify.log",
    "logs/adversarial-suite.log",
    "logs/blackbox-negative-suite.log",
    "logs/failopen-regression.log",
}
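def authority_artifact_paths(required=None, post_emit=None):
    """Files whose sha256 is pinned INSIDE manifest.json authority.

    Everything in *required* except the circular entries — manifest.json itself,
    HASH_MANIFEST.txt, and the post-emit logs — which are pinned by
    HASH_MANIFEST.txt + --complete instead.  Order follows *required*.

    Args:
        required: ordered packet-relative required files; defaults to ``REQUIRED_FILES``.
        post_emit: set of logs written after emission; defaults to ``POST_EMIT_LOGS``.

    Returns:
        list of packet-relative paths to hash into the authority "artifacts" map.
    """
    required = REQUIRED_FILES if required is None else required
    post_emit = POST_EMIT_LOGS if post_emit is None else post_emit
    circular = {"manifest.json", "HASH_MANIFEST.txt"}
    return [p for p in required if p not in circular and p not in post_emit]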
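# Directories never walked / files never hashed by tracked_tree (HASH_MANIFEST
# scope). rerun-out/ is regenerated live by RERUN.sh; __pycache__ and *.pyc are
# bytecode artifacts (this tool also sets sys.dont_write_bytecode).
EXCLUDE_DIRS = {"rerun-out", "__pycache__"}
EXCLUDE_FILES = {".DS_Store"}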
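def sha_file(p):
    """Return the lowercase hex sha256 of the file at *p*.

    The file is streamed in 1 MiB chunks (large artifacts are never read into
    memory whole) and the handle is closed deterministically.  A missing file
    raises ``FileNotFoundError`` — callers never receive a digest for bytes that
    are not on disk (fail-closed).
    """
    digest = hashlib.sha256()
    with open(p, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()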
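def tracked_tree(root, exclude_dirs=None, exclude_files=None):
    """All packet files subject to HASH_MANIFEST, as sorted packet-relative paths.

    Walks *root* (directory symlinks are not descended — os.walk default), prunes
    *exclude_dirs* at any depth, drops *exclude_files* and ``*.pyc``, and omits
    ``HASH_MANIFEST.txt`` at the root only (it cannot cover itself).

    Args:
        root: directory to walk.
        exclude_dirs: directory names to prune; defaults to ``EXCLUDE_DIRS``.
        exclude_files: file names to drop; defaults to ``EXCLUDE_FILES``.
    """
    exclude_dirs = EXCLUDE_DIRS if exclude_dirs is None else exclude_dirs
    exclude_files = EXCLUDE_FILES if exclude_files is None else exclude_files
    tracked = []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune in place so os.walk never descends into excluded directories
        dirnames[:] = sorted(d for d in dirnames if d not in exclude_dirs)
        for fname in sorted(filenames):
            if fname in exclude_files or fname.endswith(".pyc"):
                continue
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            if rel == "HASH_MANIFEST.txt":
                continue
            tracked.append(rel)
    return sorted(tracked)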
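# ---------------------------------------------------------------------------
# canonicalizer loading (materialize from the SSOT .md if the .py is absent)
# ---------------------------------------------------------------------------
def materialize(root, dst=None):
    """Extract the first ```python fenced block of the SSOT .md into a .py file.

    Args:
        root: packet root containing evidence/canonicalizer-fix7-canon-v1-ssot.md.
        dst: output path; defaults to evidence/canonicalizer-fix7-canon-v1-ssot.py
            under *root*.

    Returns:
        The path written.

    Raises:
        SystemExit: when the .md holds no python fence.  Fail-closed with a
            readable message instead of the AttributeError ``None.group`` would
            raise; nothing is written in that case.
    """
    import re
    md_path = os.path.join(root, "evidence/canonicalizer-fix7-canon-v1-ssot.md")
    with open(md_path, encoding="utf-8") as fh:
        md = fh.read()
    fence = re.search(r"```python\n(.*?)\n```", md, re.S)
    if fence is None:
        raise SystemExit(f"FATAL: no ```python fence found in {md_path} (cannot materialize canonicalizer)")
    code = fence.group(1) + "\n"
    dst = dst or os.path.join(root, "evidence/canonicalizer-fix7-canon-v1-ssot.py")
    with open(dst, "w", encoding="utf-8") as fh:
        fh.write(code)
    return dst


def load_canon(root):
    """Import the packet's canonicalizer module and return the module object.

    If evidence/canonicalizer-fix7-canon-v1-ssot.py is absent it is first
    materialized from the SSOT .md.

    Security note: this EXECUTES the canonicalizer's module body in this
    interpreter.  compute_authority calls it before any hash is compared, so the
    ssot/artifact pins in the manifest detect a tampered SUT after the fact — they
    do not prevent it from running.  That is inherent to a verifier that executes
    its SUT; RERUN.sh's OS-process gates are the containment boundary.

    Raises:
        SystemExit: if no import spec can be built for the .py (fail-closed).
    """
    py = os.path.join(root, "evidence/canonicalizer-fix7-canon-v1-ssot.py")
    if not os.path.exists(py):
        materialize(root)
    spec = importlib.util.spec_from_file_location("fix7canon", py)
    if spec is None or spec.loader is None:
        raise SystemExit(f"FATAL: cannot build an import spec for {py} (fail-closed)")
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module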
# ---------------------------------------------------------------------------
# forbidden-scope scan (R9 doctrine: count is COMPUTED, never hand-authored)
# ---------------------------------------------------------------------------
# Scan scope: the seal-path code (canonicalizer .py/.md fence, materializer,
# manifest tool, RERUN.sh). adversarial_suite.py is EXCLUDED BY DESIGN: it
# embeds forbidden tokens as TEST VECTORS to prove this scanner fails closed;
# it is hash-pinned in authority instead.  Note that this tool itself
# ("manifest_tool.py") is in scope, which is why its pattern table below sits
# between sentinel markers.
SCAN_FILES = [
    "evidence/canonicalizer-fix7-canon-v1-ssot.py",
    "evidence/fix7_canon_v1_ssot_extended.py",
    "evidence/canonicalizer-fix7-canon-v1-ssot.md",
    "evidence/materialize_canonicalizer.py",
    "manifest_tool.py",
    "RERUN.sh",
    "blackbox_negative_suite.py",
    "failopen_regression.py",
]
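# SCAN_PATTERNS_BEGIN (this sentinel block is skipped when scanning THIS file)
# Per-line regexes; a match anywhere in a scanned line is a hit. Groups:
#   network / DB client imports, process spawning, dynamic code execution,
#   production-mutation tokens, and SQL DML/DDL verbs.  Metacharacters are
#   escaped so "os.system" / "eval(" match the literal call text, not any
#   string that happens to contain the word.
SCAN_PATTERNS = [
    r"\bimport\s+(socket|requests|urllib|httpx|psycopg2?|asyncpg|pymysql|paramiko)\b",
    r"\bfrom\s+(socket|requests|urllib|psycopg2?|asyncpg)\b",
    r"\bsubprocess\b",
    r"os\.system",
    r"\bos\.popen\b",
    r"(?<![\w.])eval\(",
    r"(?<![\w.])exec\(",
    r"\bQT001\b",
    r"\bREAL_RUN\b",
    r"\bbackfill_permit\b",
    r"\brepoint\b",
    r"\bcutover\b",
    r"\bdirectus_(create|update|delete)\b",
    r"\bsystem_issues\b",
    r"\b(INSERT|UPDATE|DELETE|DROP|TRUNCATE|ALTER)\s+(INTO|FROM|TABLE)\b",
]
# SCAN_PATTERNS_END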
def forbidden_scan(root): hits=[] for rel in SCAN_FILES: p=os.path.join(root,rel) if not os.path.exists(p): hits.append({"file":rel,"line":0,"pattern":"FILE_MISSING_FROM_SCAN_SCOPE"}); continue in_sentinel=False for i,line in enumerate(open(p,encoding="utf-8",errors="replace"),start=1): if "SCAN_PATTERNS_BEGIN" in line: in_sentinel=True if "SCAN_PATTERNS_END" in line: in_sentinel=False; continue if in_sentinel: continue for pat in SCAN_PATTERNS: if _re.search(pat,line): hits.append({"file":rel,"line":i,"pattern":pat}) return hits
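# ---------------------------------------------------------------------------
# negative tests (R9-B6 acceptance: the REAL CLI is EXECUTED for every case;
# observed exit/stdout are compared against the STATIC oracle; results are
# recomputed at every --emit AND --verify; any oracle violation RAISES, so a
# fail-open SUT can be neither emitted nor verified — no manifest laundering)
# ---------------------------------------------------------------------------
def run_negative_tests(root, canon):
    """Execute the negative-test suite and return its evidence records.

    Four corpus-level cases (missing member, extra member, invalid member, docs
    dir absent) run the REAL canonicalizer CLI on a scratch copy of docs/ and
    compare the OBSERVED exit and stdout to the static CLI_ORACLE; the first
    violation raises SystemExit (fail-closed).  The remaining records are pure
    computations against *canon* (listing-duplicate validator, 9-doc membership
    digest, tamper-changes-hash, absent-file raises).  Scratch files are written
    through ``with`` so they are flushed and closed before the CLI reads them.

    Args:
        root: packet root (docs/ and evidence/ live under it).
        canon: the loaded canonicalizer module (see load_canon).

    Returns:
        dict of evidence records keyed by case name; stored verbatim in authority.

    Raises:
        SystemExit: on any oracle violation, so neither --emit nor --verify can
            proceed with a fail-open SUT.

    NOTE(review): ``duplicate_member_on_disk`` is a hand-authored N/A record whose
    rationale (case-insensitive filesystem) is never checked; on a case-sensitive
    filesystem such as Linux CI the on-disk duplicate case IS constructible and the
    rationale does not hold.  Probing the filesystem and executing the case where
    possible would bring this record under the "nothing hand-authored" doctrine.
    """
    docs = os.path.join(root, "docs")
    cli = os.path.join(root, CANON_CLI_REL)
    ssot = os.path.join(root, "evidence/canonicalizer-fix7-canon-v1-ssot.md")
    error_exit = CLI_ORACLE["produce_corpus_error_exit"]
    results = {}

    def cli_case(tmpdocs):
        """Black-box: run the ACTUAL canonicalizer CLI on tmpdocs and compare
        OBSERVED behavior to the static oracle.  In-process produce() state is
        recorded alongside as secondary state evidence, never as the exit proof."""
        before = snapshot_tree(tmpdocs)
        rc, out_text = run_cli(cli, ["--produce", tmpdocs, ssot])
        after = snapshot_tree(tmpdocs)
        state = canon.produce(tmpdocs, ssot)
        rec = {
            "evidence_class": "EXECUTED_CLI_BLACKBOX",
            "cli_exit_observed": rc,
            "cli_exit_expected": error_exit,
            "cli_exit_matches_oracle": rc == error_exit,
            "stdout_corpus_ok_false": "corpus_ok: False" in out_text,
            "stdout_membership_frozen_ok_false": "membership_frozen_ok: False" in out_text,
            "stdout_suppression_marker_present": CLI_ORACLE["suppression_marker"] in out_text,
            "stdout_no_aggregate_digest_leak": not agg_digest_leak(out_text),
            "no_output_artifact_created": before == after,
            "state_corpus_ok": bool(state["corpus_ok"]),
            "state_membership_frozen_ok": bool(state["membership_frozen_ok"]),
            "state_all_candidates_suppressed": all(
                state.get(k) == canon.SUPPRESSED for k in canon.SUPPRESSIBLE_DIGEST_KEYS
            ),
        }
        # The two membership_frozen_ok flags are recorded as evidence only; they
        # are not part of the enforced condition below.
        oracle_ok = (
            rec["cli_exit_matches_oracle"]
            and rec["stdout_corpus_ok_false"]
            and rec["stdout_suppression_marker_present"]
            and rec["stdout_no_aggregate_digest_leak"]
            and rec["no_output_artifact_created"]
            and not rec["state_corpus_ok"]
            and rec["state_all_candidates_suppressed"]
        )
        if not oracle_ok:
            raise SystemExit(
                "ORACLE_VIOLATION (fail-closed; no emit/verify may proceed): "
                f"negative CLI case violated the static oracle: {rec}"
            )
        return rec

    base = tempfile.mkdtemp(prefix="fix7negv3-")
    try:
        # NEG-1 missing active member (the decisive Codex case: doc 05)
        scratch = os.path.join(base, "missing")
        shutil.copytree(docs, scratch)
        os.remove(os.path.join(scratch, "05-rollback-blueprint.md"))
        results["produce_missing_member"] = cli_case(scratch)

        # NEG-2 extra member
        scratch = os.path.join(base, "extra")
        shutil.copytree(docs, scratch)
        with open(os.path.join(scratch, "99-extra-doc.md"), "w") as fh:
            fh.write("<!-- DOC_STATUS: ACTIVE_AUTHORITY -->\nx\n")
        results["produce_extra_member"] = cli_case(scratch)

        # NEG-3 invalid member (unbalanced fence in doc 03)
        scratch = os.path.join(base, "invalid")
        shutil.copytree(docs, scratch)
        with open(os.path.join(scratch, "03-gap-classification.md"), "w") as fh:
            fh.write("<!-- DOC_STATUS: ACTIVE_AUTHORITY -->\n<!-- SUPERSEDED_NON_AUTHORITY BEGIN -->\nbroken\n")
        results["produce_invalid_member"] = cli_case(scratch)

        # NEG-4 docs dir absent
        results["produce_docs_dir_missing"] = cli_case(os.path.join(base, "nonexistent"))

        # NEG-9 duplicate active doc ON DISK: recorded N/A (see NOTE in docstring);
        # the adjacent equivalent below (NEG-5) exercises the listing validator.
        results["duplicate_member_on_disk"] = {
            "evidence_class": "NA_WITH_RATIONALE",
            "na_rationale": "case-insensitive filesystem cannot host two casefold-equal "
                            "filenames; duplicate detection is proven by NEG-5 "
                            "(listing_duplicate_detected) and SSOT selftest fixtures",
            "adjacent_equivalent": "listing_duplicate_detected",
        }

        # NEG-5 duplicate listing detected (pure; the listing validator is
        # exercised directly with a case-variant of doc 05)
        dup = canon.validate_corpus_listing(list(canon.DOCS) + ["05-Rollback-Blueprint.md"])
        results["listing_duplicate_detected"] = {
            "ok_flag_false": not dup["ok"],
            "n_duplicates": len(dup["duplicate"]),
        }

        # NEG-6 wrong membership (9 docs) differs from the frozen pin
        nine = sorted(canon.PREFIX + d for d in canon.DOCS if d != "05-rollback-blueprint.md")
        nine_digest = canon.digest("FIX7_ACTIVE_AUTHORITY_MEMBERSHIP_V1", [canon.rec(i) for i in nine])
        results["wrong_membership_9doc_differs"] = {"differs_from_frozen": nine_digest != canon.MEMBERSHIP_EXPECT}

        # NEG-7 doc tamper changes the input hash (detected by manifest/HASH_MANIFEST)
        with open(os.path.join(docs, "03-gap-classification.md"), "rb") as fh:
            doc03 = fh.read()
        results["tamper_doc03_changes_hash"] = {
            "differs": hashlib.sha256(doc03 + b"TAMPER\n").hexdigest() != hashlib.sha256(doc03).hexdigest()
        }

        # NEG-8 the original recheck-8 defect class: absent .py fails closed
        try:
            with open(os.path.join(root, "evidence/this-file-does-not-exist.py"), "rb"):
                absent_ok = False
        except FileNotFoundError:
            absent_ok = True
        results["absent_py_fails_closed"] = {"filenotfound_raised": absent_ok}
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return results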
# ---------------------------------------------------------------------------
# authority computation (EVERYTHING here is recomputed, nothing hand-authored)
# ---------------------------------------------------------------------------
# Digest classes a manifest may claim. cmd_verify rejects any class outside this
# list, and additionally any listed class whose name contains "SEAL" other than
# BLOCKED_NEEDS_SEALED_INPUTS, so a manifest cannot claim sealed values this
# offline tool never produced.
CLASS_ALLOWLIST = [
    "FROZEN_REPRODUCED",
    "REAL_CANDIDATE",
    "REHEARSAL",
    "CANDIDATE_OVER_PATCHED_KB_BYTES",
    "BLOCKED_NEEDS_SEALED_INPUTS",
    "CODEX_ONLY",
]
def compute_authority(root):
    """Recompute the ENTIRE authority object from bytes on disk plus real executions.

    Execution order (each step is fail-closed and raises SystemExit on a
    violation, so neither --emit nor --verify can proceed on a broken SUT):
      1. load the canonicalizer (this executes the SUT module body; see load_canon);
      2. in-process selftest, then the REAL CLI selftest run compared to the
         static oracle (positive control);
      3. in-process produce over the pinned docs, then the REAL CLI produce run
         compared to the static oracle (positive control);
      4. sha256 of the materialized/extended canonicalizer, the forbidden-scope
         scan, and the negative-test suite (four more REAL CLI executions).
    Every value in the returned dict comes from one of those steps, from file
    hashes, or from the static CLI_ORACLE pin; nothing is hand-authored.

    Returns:
        The authority dict; cmd_verify deep-diffs this against manifest.json.
    """
    canon = load_canon(root)
    cli = os.path.join(root, CANON_CLI_REL)
    ssot = os.path.join(root, "evidence/canonicalizer-fix7-canon-v1-ssot.md")
    docs = os.path.join(root, "docs")

    # selftest (real run, in-process for the per-check lines)
    st_ok, st_lines = canon.selftest()
    st_passed = sum("[PASS]" in line for line in st_lines)
    # selftest POSITIVE CONTROL via the REAL CLI (observed exit vs static oracle)
    st_rc, st_out = run_cli(cli, [])
    if st_rc != CLI_ORACLE["selftest_pass_exit"] or "ALL PASS: True" not in st_out:
        raise SystemExit(
            "ORACLE_VIOLATION (fail-closed): selftest CLI observed exit "
            f"{st_rc} != {CLI_ORACLE['selftest_pass_exit']} or ALL PASS marker absent"
        )

    # produce (real run over the pinned docs, in-process for digest values)
    res = canon.produce(docs, ssot)
    if not (res["corpus_ok"] and res["membership_frozen_ok"]):
        raise SystemExit("FATAL: pinned packet corpus does not produce cleanly (fail-closed)")
    # produce POSITIVE CONTROL via the REAL CLI (observed exit vs static oracle)
    pr_rc, pr_out = run_cli(cli, ["--produce", docs, ssot])
    if (
        pr_rc != CLI_ORACLE["produce_ok_exit"]
        or "corpus_ok: True" not in pr_out
        or CLI_ORACLE["suppression_marker"] in pr_out
        or res["membership_sha256"] not in pr_out
    ):
        raise SystemExit(
            "ORACLE_VIOLATION (fail-closed): produce CLI on the pinned "
            f"corpus observed exit {pr_rc} != {CLI_ORACLE['produce_ok_exit']} "
            "or stdout markers wrong"
        )

    mat = sha_file(os.path.join(root, "evidence/canonicalizer-fix7-canon-v1-ssot.py"))
    ext = sha_file(os.path.join(root, "evidence/fix7_canon_v1_ssot_extended.py"))
    scan = forbidden_scan(root)
    neg = run_negative_tests(root, canon)

    classes = {
        "membership_sha256": "FROZEN_REPRODUCED",
        "normalized_active_content_sha256_x10": "REAL_CANDIDATE",
        "marker_fence_registry_sha256": "REAL_CANDIDATE",
        "superseded_boundary_sha256": "REAL_CANDIDATE",
        "guard_set_sha256": "REAL_CANDIDATE",
        "active_corpus_sha256": "REHEARSAL",
        "canonicalizer_sha256": "CANDIDATE_OVER_PATCHED_KB_BYTES",
        "envelope_manifest_sha256": "BLOCKED_NEEDS_SEALED_INPUTS",
        "detached_seal_sha256": "CODEX_ONLY",
    }
    computable_classes = ("FROZEN_REPRODUCED", "REAL_CANDIDATE", "REHEARSAL", "CANDIDATE_OVER_PATCHED_KB_BYTES")
    computable = sum(1 for c in classes.values() if c in computable_classes)

    return {
        "manifest_format_pin": MANIFEST_FORMAT,
        "algorithm": "sha256 lowercase hex",
        "cli_oracle": dict(CLI_ORACLE),
        "frozen_membership_pin": canon.MEMBERSHIP_EXPECT,
        "membership_reproduced": canon.membership() == canon.MEMBERSHIP_EXPECT,
        "produce": {
            # both guaranteed truthy by the raise above; recorded from state, not as literals
            "corpus_ok": bool(res["corpus_ok"]),
            "membership_frozen_ok": bool(res["membership_frozen_ok"]),
            "cli_exit_observed": pr_rc,
            "cli_exit_expected": CLI_ORACLE["produce_ok_exit"],
            "cli_evidence_class": "EXECUTED_CLI_BLACKBOX",
            "membership_sha256": res["membership_sha256"],
            "active_corpus_sha256": res["active_corpus_sha256"],
            "marker_fence_registry_sha256": res["marker_fence_registry_sha256"],
            "superseded_boundary_sha256": res["superseded_boundary_sha256"],
            "guard_set_sha256": res["guard_set_sha256"],
            "canonicalizer_sha256_candidate": res["canonicalizer_sha256_candidate"],
            "envelope_manifest_sha256": res["envelope_manifest_sha256"],
            "detached_seal_sha256": res["detached_seal_sha256"],
        },
        "per_doc_normalized_active_content_sha256": {
            d: res["per_doc"][d]["normalized_active_content_sha256"] for d in DOC_NAMES
        },
        "digest_classes": classes,
        "digest_class_allowlist": CLASS_ALLOWLIST,
        "computable_now": computable,
        "seal_or_codex_dependent": len(classes) - computable,
        "codex_sealed_values_present": False,
        "selftest": {
            "all_pass": bool(st_ok),
            "checks_passed": st_passed,
            "checks_total": len(st_lines),
            "cli_exit_observed": st_rc,
            "cli_exit_expected": CLI_ORACLE["selftest_pass_exit"],
            "cli_evidence_class": "EXECUTED_CLI_BLACKBOX",
        },
        "ssot": {
            "ssot_md_sha256": sha_file(ssot),
            "materialized_py_sha256": mat,
            "extended_py_sha256": ext,
            "materialized_equals_extended": mat == ext,
        },
        "p_ext_2_applied": (mat == ext) and st_ok,
        "artifacts": {p: sha_file(os.path.join(root, p)) for p in authority_artifact_paths()},
        "forbidden_scope": {
            "scanned_files": SCAN_FILES,
            "scan_excluded_with_reason": {
                "adversarial_suite.py": "embeds forbidden tokens as TEST VECTORS (proves the scanner fails closed); hash-pinned in artifacts",
                "kb_fetch_reconstruct.py": "READ-ONLY KB fresh-fetch reconstruction tooling (R9-B4); uses HTTPS to the governed MCP endpoint (get_document_for_rewrite only, zero writes); not part of the offline seal path; hash-pinned in artifacts",
            },
            "forbidden_operations_found": len(scan),
            "hits": scan,
            "stdlib_offline_only": len(scan) == 0,
        },
        "negative_tests": neg,
    }
# NON-AUTHORITY explanatory section. Only its "authority_status" marker is
# schema-checked by cmd_verify; no value here participates in PASS logic.
EXPLANATORY = {
    "authority_status": "NON_AUTHORITY_EXPLANATORY — excluded from --verify PASS logic by construction; carries no load-bearing claim; the load-bearing truth is ONLY the authority section, every field of which is recomputed fail-closed",
    "packet_id": "FIX7-CODEX-RECHECK-9-PACKET-V3",
    "object_id": "TKT-OBJ-050",
    "date": "2026-06-10",
    "author": "T1/Claude-Code/Mythos (Tool-Kiem-Thu support macro; R9-B6 black-box CLI oracle lane)",
    "authority": "provisional-non-authority; evidence-only; decision_effect=NONE; may_gate=false",
    "codex_consulted": False,
    "production_mutation": False,
    "real_run_qt001_permit_activation_repoint": False,
    "target": "T1 FIX7 Existing-System Refactor Execution Blueprint canonicalizer SSOT (Codex Recheck-9 V2 NEEDS_T1_FIX -> R9-B6 black-box CLI oracle packet v3)",
    "expected_output_pins_classification": "evidence/selftest-expected-output.txt and evidence/produce-expected-output.txt are SUT-derived VALUE-CONSISTENCY regression pins (candidate digest values), NOT behavioral oracles; the behavioral oracle is authority.cli_oracle (static spec pin) checked against EXECUTED CLI runs",
    "ssot_old_sha256_historical": {
        "rev1_pre_p_ext_1": "8f80f9f02cec29824a11d2507baaf0558419aecfdb5cf36eafe1336ec16a1f12",
        "rev2_post_p_ext_1": "144eb3d9f44bc69b0955c387b7f6c3cf5e306a41e9e2716d42ddf2412f87412a",
        "note": "RECORDED HISTORICAL constants (superseded SSOT revisions; bytes no longer on disk; NOT recomputed; NEVER used in PASS/seal logic)",
    },
    "kb_binding": {
        "verification": "VERIFIED_BY_KB_FETCH_ONLY — not offline-recomputable; see fix7-recheck9-current-kb-byte-hash-proof-2026-06-10.md; excluded from offline --verify PASS",
        "ssot_document_id": "knowledge/dev/reports/architecture/t1-fix7-existing-system-refactor-execution-blueprint-2026-06-08/canonicalizer-fix7-canon-v1-ssot.md",
        "packet_root": "knowledge/dev/laws/tool-kiem-thu/packets/fix7-codex-recheck-9-2026-06-10/",
    },
    "remaining_blockers": [
        "N7 needs sealed approval-event inputs (Codex/owner)",
        "N8 Codex-authored detached seal",
        "P7 Codex re-seal",
        "owner standing do-not-approve",
        "R9-B5 residual: no server-side governed byte-export/digest endpoint (MCP fetch-level hash proof provided instead)",
    ],
    "rerun": "bash RERUN.sh — strict mode; every step exit checked; reruns hash manifest, forbidden scan, selftest, produce, LIVE black-box negative CLI gates (OS-process observed exits), black-box suite, fail-open regression, manifest verify, and the full adversarial suite",
}
def build_manifest(root):
    """Assemble the full manifest document: the format pin, the freshly
    recomputed authority section, and the static non-authority explanatory
    section.  compute_authority raises (fail-closed) before anything is returned
    if the SUT violates the oracle."""
    authority = compute_authority(root)
    return {
        "manifest_format": MANIFEST_FORMAT,
        "authority": authority,
        "explanatory": EXPLANATORY,
    }
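# ---------------------------------------------------------------------------
# deep diff (canonical, path-labelled)
# ---------------------------------------------------------------------------
def deep_diff(want, got, path=""):
    """Return human-readable differences between *want* (recomputed) and *got*
    (read from manifest.json); an empty list means equal.

    Dicts are compared key-wise in both directions (a key missing from or extra in
    *got* is a difference); lists are compared by their canonical JSON; every other
    value must be equal AND of the same type.  JSON ``true`` vs ``1`` and ``1.0``
    vs ``1`` are differences here even though ``==`` in Python accepts them — a
    fail-closed verifier must not let a manifest substitute a loosely-equal value.

    Args:
        want: the recomputed (authoritative) value.
        got: the on-disk value.
        path: dotted prefix used to label each difference.
    """
    diffs = []
    if isinstance(want, dict) and isinstance(got, dict):
        for key in sorted(set(want) | set(got)):
            sub = f"{path}.{key}"
            if key not in got:
                diffs.append(f"{sub}: MISSING in manifest")
            elif key not in want:
                diffs.append(f"{sub}: EXTRA key in manifest (not recomputable -> not allowed in authority)")
            else:
                diffs.extend(deep_diff(want[key], got[key], sub))
    elif isinstance(want, list) and isinstance(got, list):
        if json.dumps(want, sort_keys=True) != json.dumps(got, sort_keys=True):
            diffs.append(f"{path}: list differs: manifest={json.dumps(got)[:120]} recomputed={json.dumps(want)[:120]}")
    elif type(want) is not type(got) or want != got:
        diffs.append(f"{path}: manifest={got!r} != recomputed={want!r}")
    return diffs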
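# ---------------------------------------------------------------------------
# modes
# ---------------------------------------------------------------------------
def cmd_emit(root):
    """--emit: recompute the whole manifest and (re)write manifest.json.

    compute_authority raises on any oracle violation before anything is written,
    so a fail-open SUT cannot be laundered into a fresh manifest.  The document is
    written to a sibling temp file and moved into place with ``os.replace`` so a
    crash mid-write never leaves a truncated manifest.json behind (a leftover
    ``.tmp`` is surfaced by --complete as an uncovered file).

    Returns:
        0 (process exit status).
    """
    manifest = build_manifest(root)
    target = os.path.join(root, "manifest.json")
    tmp = target + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(manifest, fh, indent=2)
        fh.write("\n")
    os.replace(tmp, target)
    print("MANIFEST_EMIT: wrote manifest.json (every authority field recomputed; none hand-authored)")
    print(" authority fields:", len(manifest["authority"]))
    print(" ssot_md_sha256 :", manifest["authority"]["ssot"]["ssot_md_sha256"])
    print(" membership :", manifest["authority"]["produce"]["membership_sha256"])
    return 0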
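def cmd_verify(root):
    """--verify: recompute EVERYTHING and compare against manifest.json; fail-closed.

    Steps:
      1. structural schema of the on-disk document: exactly the three top-level
         keys, the format pin, and the explanatory section's non-authority marker;
      2. full recomputation of the authority object (selftest, produce, forbidden
         scan, every negative test — all real executions) and a deep diff against
         the on-disk authority: any difference, missing key or extra key fails;
      3. hard invariants on the RECOMPUTED state regardless of disk (zero forbidden
         hits, only non-sealed digest classes, static oracle unchanged, every
         observed CLI exit equal to the oracle) plus a few on the on-disk document
         (no sealed-values claim, no unknown digest class, no inferred
         ``cli_exit_contract`` field anywhere in the file).
    A recomputation that raises (e.g. an ORACLE_VIOLATION from a fail-open SUT) is
    reported and counts as a verification failure.  A manifest whose top level or
    authority section is not a JSON object is rejected instead of crashing.

    Returns:
        0 on success, 1 on any failure (process exit status).
    """
    manifest_path = os.path.join(root, "manifest.json")
    if not os.path.exists(manifest_path):
        print("MANIFEST_VERIFY: FAIL (manifest.json absent)")
        return 1
    with open(manifest_path) as fh:
        disk = json.load(fh)
    if not isinstance(disk, dict):
        print("MANIFEST_VERIFY: FAIL (manifest.json is not a JSON object)")
        return 1
    bad = []

    # 1) structural schema
    if sorted(disk.keys()) != sorted(["manifest_format", "authority", "explanatory"]):
        bad.append(f"top-level keys {sorted(disk.keys())} != [authority, explanatory, manifest_format]")
    if disk.get("manifest_format") != MANIFEST_FORMAT:
        bad.append(f"manifest_format {disk.get('manifest_format')!r} != {MANIFEST_FORMAT!r}")
    expl = disk.get("explanatory", {})
    if not (isinstance(expl, dict) and str(expl.get("authority_status", "")).startswith("NON_AUTHORITY_EXPLANATORY")):
        bad.append("explanatory.authority_status marker missing — explanatory section must declare itself non-authority")
    disk_auth = disk.get("authority", {})
    if not isinstance(disk_auth, dict):
        bad.append(f"authority section is {type(disk_auth).__name__}, not an object")
        disk_auth = {}

    # 2) FULL recomputation of the authority object + deep diff (fail-closed)
    try:
        fresh = compute_authority(root)
    except BaseException as e:
        print(f"MANIFEST_VERIFY: FAIL (authority recomputation impossible — fail-closed): {type(e).__name__}: {e}")
        return 1
    bad += deep_diff(fresh, disk_auth, "authority")

    # 3) hard invariants (checked on the RECOMPUTED state, independent of disk)
    if fresh["forbidden_scope"]["forbidden_operations_found"] != 0:
        bad.append(f"forbidden scan found {fresh['forbidden_scope']['forbidden_operations_found']} hits: {fresh['forbidden_scope']['hits']}")
    for k, v in fresh["digest_classes"].items():
        # the replace() exempts BLOCKED_NEEDS_SEALED_INPUTS; any other class whose
        # name contains SEAL is rejected even if someone adds it to the allowlist
        if v not in CLASS_ALLOWLIST or "SEAL" in v.upper().replace("SEALED_INPUTS", ""):
            bad.append(f"digest class {k}={v} outside non-sealed allowlist")
    if disk_auth.get("codex_sealed_values_present") is not False:
        bad.append("authority.codex_sealed_values_present must be false")
    disk_classes = disk_auth.get("digest_classes", {})
    if not isinstance(disk_classes, dict):
        bad.append("manifest authority.digest_classes is not an object")
        disk_classes = {}
    for k, v in disk_classes.items():
        if v not in CLASS_ALLOWLIST:
            bad.append(f"manifest digest class {k}={v!r} not in allowlist {CLASS_ALLOWLIST} (claiming a sealed/unknown class fails closed)")

    # R9-B6 hard invariants: the OBSERVED CLI behavior (recomputed above by
    # executing the real CLI) must satisfy the static oracle, and the manifest
    # on disk must claim EXECUTED evidence (never an inferred contract).
    if fresh["cli_oracle"] != CLI_ORACLE:
        bad.append("cli_oracle drifted from the static spec pin")
    negatives = fresh["negative_tests"]
    for name in ["produce_missing_member", "produce_extra_member", "produce_invalid_member", "produce_docs_dir_missing"]:
        c = negatives[name]
        if (
            c["cli_exit_observed"] != CLI_ORACLE["produce_corpus_error_exit"]
            or not c["cli_exit_matches_oracle"]
            or c["state_corpus_ok"]
            or not c["stdout_suppression_marker_present"]
            or not c["stdout_no_aggregate_digest_leak"]
            or not c["state_all_candidates_suppressed"]
            or c["evidence_class"] != "EXECUTED_CLI_BLACKBOX"
        ):
            bad.append(f"negative test {name}: observed CLI behavior violates oracle: {c}")
    if fresh["produce"]["cli_exit_observed"] != CLI_ORACLE["produce_ok_exit"]:
        bad.append(f"produce CLI observed exit {fresh['produce']['cli_exit_observed']} != oracle 0")
    if fresh["selftest"]["cli_exit_observed"] != CLI_ORACLE["selftest_pass_exit"]:
        bad.append(f"selftest CLI observed exit {fresh['selftest']['cli_exit_observed']} != oracle 0")
    if "cli_exit_contract" in json.dumps(disk):
        bad.append("manifest contains an inferred 'cli_exit_contract' field — inferred negative "
                   "evidence is forbidden in V3 (R9-B6); only observed CLI exits are admissible")

    if bad:
        print("MANIFEST_VERIFY: FAIL (authority != full recomputation, or invariant violated)")
        for item in bad:
            print(" -", item)
        return 1
    n_cli = 4 + 2  # 4 negative corpus cases + produce/selftest positive controls
    print(
        f"MANIFEST_VERIFY: OK — ENTIRE authority section ({len(fresh)} top fields, {len(fresh['artifacts'])} artifact hashes, "
        f"selftest {fresh['selftest']['checks_passed']}/{fresh['selftest']['checks_total']}, "
        f"forbidden hits {fresh['forbidden_scope']['forbidden_operations_found']}, "
        f"{len(fresh['negative_tests'])} negative tests) recomputed and equal; "
        f"{n_cli} REAL CLI executions observed against the static oracle "
        f"(exits {CLI_ORACLE['produce_corpus_error_exit']}/{CLI_ORACLE['produce_ok_exit']} as spec'd); "
        "explanatory is declared non-authority"
    )
    return 0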
def cmd_scan(root):
    """--scan: forbidden-scope scan only. Prints the file count and every hit;
    returns 1 if there is any hit, else 0 (process exit status)."""
    found = forbidden_scan(root)
    print(f"FORBIDDEN_SCAN: files={len(SCAN_FILES)} hits={len(found)}")
    for hit in found:
        print(" -", hit)
    return 1 if found else 0
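def cmd_complete(root):
    """--complete: packet completeness gate.

    Checks (all are reported; any one fails the gate with exit 1):
      * every REQUIRED_FILES entry exists;
      * if HASH_MANIFEST.txt exists: every file in the tracked tree has an entry,
        every entry names a file on disk inside the packet root, no path is listed
        twice, and each file's sha256 equals its entry (bidirectional coverage +
        hash equality).
    HASH_MANIFEST.txt lines are ``<sha256> <relpath>``; blank lines and ``#``
    comments are ignored; only the first space separates the fields, so a relpath
    may itself contain spaces.  A missing HASH_MANIFEST.txt is reported by the
    required-files check and the hash comparison is skipped.  Entries that are
    absolute or escape the root via ``..`` are rejected rather than resolved.

    Returns:
        0 on success, 1 on any gap (process exit status).
    """
    problems = []
    for rel in REQUIRED_FILES:
        if not os.path.exists(os.path.join(root, rel)):
            problems.append(f"required file MISSING: {rel}")
    hm = os.path.join(root, "HASH_MANIFEST.txt")
    if os.path.exists(hm):
        entries = {}
        with open(hm) as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                digest, _, rel = line.partition(" ")
                if os.path.isabs(rel) or os.path.normpath(rel).split(os.sep)[0] == "..":
                    problems.append(f"HASH_MANIFEST entry escapes the packet root: {rel}")
                    continue
                if rel in entries:
                    problems.append(f"duplicate HASH_MANIFEST entry: {rel}")
                entries[rel] = digest
        for rel in tracked_tree(root):
            if rel not in entries:
                problems.append(f"file on disk NOT covered by HASH_MANIFEST: {rel}")
        for rel, digest in entries.items():
            path = os.path.join(root, rel)
            if not os.path.exists(path):
                problems.append(f"HASH_MANIFEST entry has no file on disk: {rel}")
            elif sha_file(path) != digest:
                problems.append(f"hash mismatch vs HASH_MANIFEST: {rel}")
    if problems:
        print("PACKET_COMPLETENESS: FAIL")
        for item in problems:
            print(" -", item)
        return 1
    print(f"PACKET_COMPLETENESS: OK ({len(REQUIRED_FILES)} required files present; HASH_MANIFEST covers the tracked tree bidirectionally; all hashes match)")
    return 0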
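def cmd_emit_hash_manifest(root):
    """--emit-hash-manifest: (re)write HASH_MANIFEST.txt over the tracked tree.

    One ``<sha256> <relpath>`` line per file from tracked_tree (sorted, so the
    output is deterministic); HASH_MANIFEST.txt never lists itself.  The tree is
    enumerated before the temp file is created, and the result is moved into
    place with ``os.replace`` so a crash cannot leave a truncated manifest.

    Returns:
        0 (process exit status).
    """
    lines = [f"{sha_file(os.path.join(root, rel))} {rel}" for rel in tracked_tree(root)]
    target = os.path.join(root, "HASH_MANIFEST.txt")
    tmp = target + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.replace(tmp, target)
    print(f"HASH_MANIFEST_EMIT: {len(lines)} entries")
    return 0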
def main(argv=None, root=None):
    """Dispatch on the first CLI argument and return the process exit status.

    Args:
        argv: argument list without the program name; defaults to ``sys.argv[1:]``.
            The first element selects the mode; no arguments means ``--verify``.
        root: packet root; defaults to the directory containing this tool.

    Returns:
        the selected command's exit status, or 2 (after printing usage) for an
        unknown mode.
    """
    args = sys.argv[1:] if argv is None else argv
    base = root or packet_root()
    mode = args[0] if args else "--verify"
    handlers = {
        "--emit": cmd_emit,
        "--verify": cmd_verify,
        "--scan": cmd_scan,
        "--complete": cmd_complete,
        "--emit-hash-manifest": cmd_emit_hash_manifest,
    }
    handler = handlers.get(mode)
    if handler is None:
        print("usage: manifest_tool.py --emit|--verify|--scan|--complete|--emit-hash-manifest")
        return 2
    return handler(base)
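# Script entry: the dunder guard keeps import-by-suite (adversarial/black-box
# runners) side-effect free; only a direct run dispatches and exits.
if __name__ == "__main__":
    sys.exit(main())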