FIX7 Authority-Seal Anti-Hardcode / Anti-Laundering Report (2026-06-10)
FIX7 Authority-Seal — Anti-Hardcode / Anti-Laundering Report (Workstream F)
- Date: 2026-06-10 · Host: T1 · Codex consulted: NO · Production mutation: NO
- Harness:
authority_seal_antihardcode.py→ 9/9 PASS, exit 0. - Claim under test: the encoder computes its digests over inputs (it does not return a laundered/hardcoded constant), and the published fixture digests are either reproduced exactly or flagged as drift — never trusted blindly.
1. Tests and results
| Test | What it proves | Result |
|---|---|---|
| T1 mutate engineering input (N2, 1 hex char) | N7 digest changes → output depends on input | 6225f26515… → 6d498cb6b9… ✓ |
| T2 mutate approval input (A1) | N7 digest changes → not a constant | 6225f26515… → cf2d800953… ✓ |
| T3 mutate expected P7 digest | verify_pin against a wrong expected returns False |
✓ |
| T4a physically broken encoder selftest | still exits 0 — selftest has no hex oracle | rc=0 ✓ (documented limitation) |
| T4b broken encoder vs spec.json fixture oracle | published N7 6225f265… ≠ broken 0acd178d… → drift flagged |
✓ |
| T4c real drift-checker on broken encoder | exits nonzero (rc=1) | ✓ |
| T5a change placeholder sub-digest (N3) | N7 changes → fixture-specific, not universal | ✓ |
| T5b fixture inputs are FIXTURE-marked | ≥3 explicit FIXTURE-/*_OPTION_* markers |
✓ |
| T5c spec.json labels digests NOT_A_SEAL | fixture_digests_NOT_A_SEAL key present |
✓ |
2. The key anti-laundering finding (T4)
A laundered/hardcoded encoder would return a fixed digest regardless of inputs. We disprove that two ways:
- Mutating any input changes the output (T1/T2/T5) — the digest is a genuine function of the inputs.
- A physically broken encoder is caught (T4): we wrote
_broken_encoder.pywith the N7 domain tag mutated, imported it, and observed:- its own
--selfteststill prints 22/22 PASS exit 0 — because the selftest only asserts determinism/fail-closed, it has no expected-hex oracle; - but the drift checker (which pins fixture digests to
spec.json) fails and exits nonzero.
- its own
Conclusion: "selftest 22/22" alone is NOT sufficient integrity evidence — it cannot detect a contract mutation that changes digests. The drift checker is the oracle that binds the published digests to the live code. This is precisely why the macro forbids "repeat 22/22" as completion, and why the drift + anti-hardcode layer is load-bearing in this packet. (The broken encoder file was deleted after the test; it is not part of the packet tree.)
3. Fixture vs real-seal distinction
The rehearsal digests (6225f265…, b1f001b6…, 3599f663…) are fixture-specific: they depend on the FIXTURE- approval values and the 3×64…6×64 placeholder engineering sub-digests. A real seal uses real A1–A5 + real N3–N6 + Codex signer/timestamp, all of which differ, so the real digests will differ. The fixture digests are labelled NOT_A_SEAL in spec.json, every rehearsal artifact, and the README.
4. Verdict
ANTI-HARDCODE / ANTI-LAUNDERING PASS (9/9). Digests are computed, not stored; published values are pinned to the live code by the drift oracle; fixtures are distinguishable from and cannot impersonate real seals.