FIX7 Authority-Seal Red-Team Adversarial Report (2026-06-10)
FIX7 Authority-Seal — Red-Team Adversarial Report (Workstream D)
- Date: 2026-06-10 · Host: T1 · Codex consulted: NO · Production mutation: NO
- Harness:
authority_seal_redteam.py rehearsal→ 20/20 attacks caught, 0 escaped, exit 0. - Rule applied: if ANY required attack had NOT been caught, that is a contract defect and the lane would report
…CONTRACT_DEFECT_FOUNDinstead of CODEX_READY. None escaped.
1. Attack matrix (all 20 macro-required)
| # | Attack | Mechanism | Caught status/result |
|---|---|---|---|
| 1 | delete N7 required field | ENCODE_FAIL_CLOSED | SEAL_INPUT_MISSING ✓ |
| 2 | add extra N7 field | ENCODE_FAIL_CLOSED | SEAL_INPUT_EXTRA ✓ |
| 3 | reorder N7 field | ENCODE_FAIL_CLOSED | SEAL_FIELD_ORDER_MISMATCH ✓ |
| 4 | wrong N7 domain tag | ENCODE_FAIL_CLOSED | SEAL_DOMAIN_TAG_MISMATCH ✓ |
| 5 | N7 tries to bind N8 (cycle) | ENCODE_FAIL_CLOSED | SEAL_HASH_GRAPH_CYCLE ✓ |
| 6 | N8 missing N7 | ENCODE_FAIL_CLOSED | SEAL_INPUT_MISSING ✓ |
| 7 | N8 wrong signer representation | ENCODE_FAIL_CLOSED + VERIFY_MISMATCH | injection→SEAL_FIELD_FORBIDDEN_BYTE; byte-clean→digest≠canonical ✓ |
| 8 | N8 wrong timestamp format | ENCODE_FAIL_CLOSED + VERIFY_MISMATCH | injection→SEAL_FIELD_FORBIDDEN_BYTE; byte-clean→digest≠canonical ✓ (see §2) |
| 9 | P7 missing canonicalizer hash | ENCODE_FAIL_CLOSED | SEAL_INPUT_MISSING ✓ |
| 10 | P7 mutated canonicalizer hash | VERIFY_MISMATCH | verify_pin False ✓ |
| 11 | P7 mutated Packet V3 tree | VERIFY_MISMATCH | verify_pin False ✓ |
| 12 | prose-only P7 pin | ENCODE_FAIL_CLOSED | SEAL_PROSE_ONLY_PIN_REJECTED ✓ |
| 13 | spec.json drift from encoder | DRIFT_DETECTED | tampered roster ≠ encoder ✓ |
| 14 | spec.md claims a field not in encoder | DRIFT_DETECTED | +ghost_field ≠ encoder roster ✓ |
| 15 | encoder extra authority field not in spec | DRIFT_DETECTED | extra-field roster ≠ spec.json ✓ |
| 16 | fixture labelled as real seal | GUARD_REJECT | SEAL_FIXTURE_CLAIMS_REAL ✓ |
| 17 | owner authorization expanded to implementation | ENCODE_FAIL_CLOSED | SEAL_CONSTANT_FIELD_MISMATCH ✓ |
| 18 | production gate removed from checklist | GUARD_REJECT | SEAL_PRODUCTION_GATE_MISSING ✓ |
| 19 | unknown dependency edge added | CYCLE_DETECTED | injected N7→N8 → has_cycle True ✓ |
| 20 | hash manifest tamper | VERIFY_MISMATCH | recompute ≠ tampered line ✓ |
Output footer: RED-TEAM: 20/20 attacks caught; escaped=0. Full machine record: rehearsal/redteam-results.json.
2. Honest scope note (attacks 7 & 8)
The contract guarantees a fixed roster/order/tag, forbidden-byte rejection, constant enforcement, and tamper-evidence. It does not semantically validate free-text authority fields (signer identity string, timestamp format). Two complementary defenses cover the attack:
- Structural injection (a TAB/backslash/separator inside the signer/timestamp) → fail-closed
SEAL_FIELD_FORBIDDEN_BYTE. - Byte-clean but wrong value → a different digest than the canonical seal, so it cannot forge the expected pin (
verifymismatch).
Supplying the correct signer/timestamp is Codex's authority responsibility. This is a documented design boundary (OUT_OF_CONTRACT_SCOPE), not an escaped attack — the forger cannot produce the canonical seal in either case.
3. Verdict
RED-TEAM PASS — no contract defect. Every required attack is caught by a concrete mechanism (fail-closed, verify-mismatch, drift-detected, guard-reject, or cycle-detected). The protocol cannot be tricked into a forged seal, a silent drift, a cycle, a fixture-as-real claim, an implementation-scope expansion, a removed production gate, or a manifest tamper.