Incomex AI Portal
KB-172C

FIX7 Authority-Seal Test Vectors Report (2026-06-10)

4 min read Revision 1
tool-kiem-thufix7authority-sealtest-vectorsas-p52026-06-10

FIX7 Authority-Seal Test Vectors Report (AS-P5)

  • Date: 2026-06-10 · Host: T1 · Codex consulted: NO
  • Command: python3 authority_seal_encoder.py --selftest → exit 0; --emit-fixture for digests.
  • Encoder sha256 47200442f176b1c534f000c4079632f6388b17dd1763bdbac2cbb725a452b5bb.

1. Selftest output (verbatim, 22/22 PASS, exit 0)

  [PASS] DAG acyclic (N7,N8,P7)
  [PASS] injected N7->N8 edge detected as cycle
  [PASS] N7 encodes to 64-hex
  [PASS] N7 deterministic
  [PASS] N8 encodes (binds N7) to 64-hex
  [PASS] N8 deterministic
  [PASS] P7 seals (binds N7,N8) to 64-hex
  [PASS] P7 deterministic
  [PASS] missing field -> SEAL_INPUT_MISSING
  [PASS] extra field -> SEAL_INPUT_EXTRA
  [PASS] wrong order -> SEAL_FIELD_ORDER_MISMATCH
  [PASS] wrong domain tag -> SEAL_DOMAIN_TAG_MISMATCH
  [PASS] wrong dependency (N3 into N8) -> SEAL_INPUT_EXTRA
  [PASS] N7 binds N8 -> SEAL_HASH_GRAPH_CYCLE
  [PASS] N7 binds P7 -> SEAL_HASH_GRAPH_CYCLE
  [PASS] N8 missing N7 -> SEAL_INPUT_MISSING
  [PASS] N8 binds P7 -> SEAL_HASH_GRAPH_CYCLE
  [PASS] P7 prose-only -> SEAL_PROSE_ONLY_PIN_REJECTED
  [PASS] mutated canonicalizer hash -> P7 verify FAIL
  [PASS] mutated Packet V3 tree -> P7 verify FAIL
  [PASS] tampered scope constant -> SEAL_CONSTANT_FIELD_MISMATCH
  [PASS] forbidden byte in field -> SEAL_FIELD_FORBIDDEN_BYTE
AUTHORITY-SEAL-ENCODER SELFTEST: 22/22 PASS

2. Macro AS-P5 checklist → vector

AS-P5 required vector Vector Status raised Result
valid N7 vector positive N7 digest 64-hex PASS
missing field N7 minus last field SEAL_INPUT_MISSING PASS
extra field N7 + rogue_field SEAL_INPUT_EXTRA PASS
wrong order N7 fields 3↔4 swapped SEAL_FIELD_ORDER_MISMATCH PASS
wrong domain tag N7 claimed_tag=WRONG_TAG_V1 SEAL_DOMAIN_TAG_MISMATCH PASS
wrong dependency N3 fed into N8 SEAL_INPUT_EXTRA PASS
N7 tries to bind N8 → cycle N7 + detached_seal_sha256 SEAL_HASH_GRAPH_CYCLE PASS
N8 missing N7 → fail N8 minus envelope_manifest_sha256 SEAL_INPUT_MISSING PASS
P7 prose-only → fail seal_p7(prose_only=True) SEAL_PROSE_ONLY_PIN_REJECTED PASS
mutated canonicalizer hash → fail P7 pinned_canonicalizer_sha256→0×64 verify_pin FALSE PASS
mutated Packet V3 tree → fail P7 pinned_packet_v3_tree_sha256→0×64 verify_pin FALSE PASS

Extra hardening vectors (beyond the macro list): N7-binds-P7 cycle, N8-binds-P7 cycle, tampered scope constant (SEAL_CONSTANT_FIELD_MISMATCH), forbidden byte in field (SEAL_FIELD_FORBIDDEN_BYTE).

3. Fixture digests (NOT a seal)

FIXTURE authority inputs (clearly-labelled; real A1–A5 + Codex signer are owner/Codex-only):

N7 envelope_manifest_sha256 : 6225f265155942c1d32ce3ed2d491b4c3b7b0109a3b4b6fde9a37f434b459bfd
N8 detached_seal_sha256     : b1f001b64da50748823259593393b6e2d050c8c55c56918c99386984d075aa73
P7 authority_seal_pin_sha256: 3599f6635be42a695991f66f561642e26718403f4e14ad220480480a8da7d541
DAG acyclic                 : True

These prove the encoder RUNS and is DETERMINISTIC (re-running yields identical values). They are not authority seals — the engineering sub-digests N3/N4/N5/N6 used here are deterministic FIXTURE placeholders (3×64, 4×64, …) and the approval/signer fields are FIXTURE-…. N2 (49c386a9…) and membership (f2bda8…fe251) are the real published engineering constants.

4. Grammar equivalence proof (no new encoding)

Cross-checked against the canonicalizer's own rec/digest/FORBIDDEN_BYTES:

rec bytes identical: True
digest identical    : True
multifield rec identical: True
FORBIDDEN identical : True
EDGES engineering subset identical: True

Therefore an N7/N8/P7 digest computed by this encoder is in the SAME byte grammar as every other FIX7 seal digest. Codex needs no new encoding.

Back to Knowledge Hub knowledge/dev/laws/tool-kiem-thu/reports/fix7-authority-seal-test-vectors-report-2026-06-10.md