FIX7 Final Authority-Seal Fail-Open + Provenance Patch — Master Report (2026-06-11)
FIX7 Final Authority-Seal — Fail-Open + Provenance Patch — Master Report
- Date: 2026-06-11 Asia/Ho_Chi_Minh · Host: T1 / Claude Code / Mythos
- Lane:
FIX7_FINAL_AUTHORITY_SEAL_FAILOPEN_AND_PROVENANCE_PATCH_MACRO_2026_06_11 - Final status:
FIX7_FINAL_AUTHORITY_SEAL_SELF_CODEX_READY_AFTER_FAILOPEN_PATCH - Standing authority blocker (Status-B condition, prominently surfaced):
FINAL-AS-N6-PROVENANCE=SEAL_REAL_N6_NOT_AVAILABLE— no real non-rehearsal N1..N6 chain exists in this lane; creating/sealing it is a Codex/owner authority act, not done here. - Production mutation: NO · Codex consulted: NO · Real N7/N8/P7 authored: NO / NO / NO · Real seal claimed: NO
0. What Codex rejected and what this lane did
Codex returned CODEX_FIX7_FINAL_AUTHORITY_SEAL_REJECT on two independent grounds, proved by 8 direct adversarial probes:
- Fail-open encoder —
NOT_A_SHA, empty IDs/signers,not-an-intrevisions,-1byte counts, empty + duplicate report sets all produced a 64-hex digest. - Provenance-blind N7 — the proposed N6
active_corpus_sha256is classifiedREHEARSAL, yet nothing stopped it laundering into a real N7. - Governed-KB evidence missing — 7 required rehearsal files returned
404(prose-only embedding instead of the actual files).
This lane reproduced the 8 probes as ACCEPTED on the pre-fix encoder, patched the encoder/spec/harnesses to fail closed, added a provenance class system, published the 7 governed-KB evidence files, extended the red-team to include every Codex probe class, and ran a full fresh self-Codex dry-run. It does not author any real seal and does not implement FIX7.
1. Before/after of Codex's 8 direct probes (full table in the probes report)
| # | Probe | Before (pre-fix) | After (patched) |
|---|---|---|---|
| 1 | N7 canonicalizer_sha256="NOT_A_SHA" |
ACCEPTED a38c6b2b… |
REJECTED SEAL_FIELD_NOT_HEX |
| 2 | N7 approval_event_id="" |
ACCEPTED dc2edfb4… |
REJECTED SEAL_FIELD_EMPTY |
| 3 | N8 sealed_by="" |
ACCEPTED f0d22aba… |
REJECTED SEAL_FIELD_EMPTY |
| 4 | N8 report_documents_digest="NOT_A_SHA" |
ACCEPTED d12bd027… |
REJECTED SEAL_FIELD_NOT_HEX |
| 5 | P7 pinned_canonicalizer_revision="not-an-int" |
ACCEPTED 113481ef… |
REJECTED SEAL_FIELD_BAD_INT |
| 6 | P7 pinned_canonicalizer_utf8_bytes="-1" |
ACCEPTED 079af996… |
REJECTED SEAL_FIELD_BAD_INT |
| 7 | report_documents_digest([]) |
ACCEPTED a1b0e446… |
REJECTED SEAL_REPORT_SET_EMPTY |
| 8 | duplicate report-document records | ACCEPTED 256351be… |
REJECTED SEAL_REPORT_SET_DUPLICATE |
Pre-fix: CODEX-PROBES: 0/19 REJECTED (accepted/fail-open=19). Post-fix: 19/19 REJECTED (accepted/fail-open=0). Notably the pre-fix provenance probes (CP17/18/19) produced the published fixture N7 digest 6225f265…, demonstrating the laundering risk concretely.
2. Blocker closure ledger (Codex final-seal blockers)
| Codex blocker | Required correction | Status | Evidence |
|---|---|---|---|
FINAL-AS-VALUE-GRAMMAR |
per-field non-empty/type/grammar/range; reject bad hashes/IDs/revisions/byte-counts/signers/timestamps | CLOSED | value-grammar report; selftest 48/48; probes CP1–CP6/CP9–CP14 REJECTED |
FINAL-AS-REPORT-SET |
reject empty/duplicate/invalid report sets; deterministic sort | CLOSED | report-set report; probes CP7/CP8/CP15/CP16 REJECTED |
FINAL-AS-PROVENANCE |
provenance classes; reject REHEARSAL/missing/forbidden into real N7 | CLOSED (engineering) | provenance report; probes CP17/CP18/CP19 REJECTED |
FINAL-AS-KB-PACKET |
publish actual governed rehearsal files; prove manifest/tree | CLOSED | governed-KB evidence report; 7 files now present (404→present) |
FINAL-AS-N6-PROVENANCE (surfaced by the gate) |
supply a real non-rehearsal ENGINEERING_VERIFIED_CANDIDATE N1..N6 chain, then seal | TRUE BLOCKER (owner/operator + Codex) | SEAL_REAL_N6_NOT_AVAILABLE; not faked |
IMPL-OWNER-AUTHORIZATION |
separate implementation macro after seal | OPEN (owner) | precondition checklist |
3. Self-Codex dry-run (fresh, sequential, exit 0) — bash rehearsal/commands.sh → rc 0
| Step | Result | Exit |
|---|---|---|
authority_seal_encoder.py --selftest |
48/48 PASS | 0 |
authority_seal_rehearsal.py (N7→N8→P7, deterministic, rehearsal→real BLOCKED) |
REHEARSAL OK | 0 |
authority_seal_redteam.py (sequential, after rehearsal) |
39/39 caught (incl. all Codex probe classes) | 0 |
authority_seal_drift_check.py . |
41/41 agree, drift 0 | 0 |
authority_seal_antihardcode.py |
13/13 PASS (incl. provenance-laundering T6) | 0 |
codex_probes.py (direct probes) |
19/19 REJECTED (fail-closed) | 0 |
Artifacts: packet_tree.sha256 = ac3f56f917f760760a71000b0c7a43c65cc40a5ceb0c468dd947dd6a579477dc (reproducible — identical across two consecutive full runs). Encoder sha256 = 13344f92cafcaf0d07dcb21700bdb642f38b89351702e08080eacb0e957144b8. cwd /tmp/fix7-failopen/packet.
4. Pins preserved (no engineering contradiction)
Fixture digests are byte-identical to the reviewed values after the patch: N7 6225f265…459bfd, N8 b1f001b6…75aa73, P7 3599f663…a7d541. Engineering pins unchanged: canonicalizer rev3 49c386a9…b734d0 (rev 3, 38756 B), Packet V3 tree b95df0a5…ca6d, membership f2bda8…fe251. The patch adds validation that runs before encoding; valid fixtures encode identically ⇒ no Packet V3 engineering contradiction.
5. Governed-KB evidence (FINAL-AS-KB-PACKET)
The 7 files Codex flagged 404 are now governed and re-fetched present (each content_length > 0): rehearsal/commands.sh, HASH_MANIFEST.txt, packet_tree.sha256, rehearsal-summary.json, exit_codes.json, stdout.log, stderr.log. Reconstruction model: fetch the byte-exact source files (encoder verified 13344f92…, round-trip content_length=35135 match) → run commands.sh → it regenerates the artifacts + manifest + tree deterministically (ac3f56f9…). See the governed-KB evidence report.
6. Honest scope / non-overclaim
- No real N7/N8/P7 was authored; the only digests produced are FIXTURE/NOT-A-SEAL.
- The provenance gate is engineering-complete, but the real N6 chain is not materialized or sealed here — that is
SEAL_REAL_N6_NOT_AVAILABLE, a genuine owner/operator + Codex authority action. It was not faked. - KB-stored generated artifacts are regenerated by
commands.sh; the byte-exact reproducible inputs are the source files (whose hashes are listed inHASH_MANIFEST.txt). A fresh KB-fetch-and-rerun is the Codex-side verification step. - No production / PG / Directus / registry / system_issues mutation; no REAL_RUN / QT001 / permit / activation / repoint / cutover; no registries-pivot; no auto-birth repair.
7. Deliverables (this lane)
Reports: master (this), codex-probes-before-after, value-grammar-validation, provenance-validation, report-set-validation, governed-kb-evidence-packet, redteam-expanded-codex-probes, self-codex-dry-run-after-patch. Updated files: encoder/spec.md/spec.json/redteam/drift/antihardcode/rehearsal + codex_probes.py + n7(md/json)/n8/p7 + checklist + 7 rehearsal evidence files + artifacts. Ledger rev7; checkpoint; current-state; object registry + 00-index governance.
8. Minimal safe next step
Route the patched closure packet to Codex for a fresh final-seal review (Codex re-runs §3 from governed KB; all probes now fail closed). The seal itself remains blocked on SEAL_REAL_N6_NOT_AVAILABLE (owner/operator + Codex must supply and seal a real ENGINEERING_VERIFIED_CANDIDATE N6 chain) and on owner implementation authorization. No implementation until both close.