FIX7 Final Authority-Seal — Provenance Validation Report (FINAL-AS-PROVENANCE)

• Date: 2026-06-11 · Host: T1 · Codex: NO · Prod mutation: NO

1. Provenance class system

Six explicit classes: ENGINEERING_VERIFIED_CANDIDATE, REHEARSAL, AUTHORITY_INPUT, CODEX_AUTHORED, OFFICIAL_PIN, FORBIDDEN_FOR_REAL_SEAL. Two real-seal allow-lists:

• corpus (N6 etc.): {ENGINEERING_VERIFIED_CANDIDATE, OFFICIAL_PIN}
• authority/signer: {AUTHORITY_INPUT, CODEX_AUTHORED, OFFICIAL_PIN}

The classes + both allow-lists are mirrored in spec.json and drift-checked against the encoder (provenance classes/allowed_real_corpus/allowed_real_authority — 3/3 PASS).

2. Two-path design (the rehearsal can never become a seal)

• Rehearsal/generic path encode_node — provenance-agnostic; validates structure + value grammar; used by --selftest and the rehearsal driver. It is never a real seal and is clearly so labelled.
• Real path encode_real_n7 / encode_real_n8 / encode_real_p7 — requires a provenance class for every input. assert_provenance rejects: missing→SEAL_PROVENANCE_MISSING, unknown→SEAL_PROVENANCE_UNKNOWN_CLASS, REHEARSAL→SEAL_PROVENANCE_REHEARSAL_BLOCKED, disallowed→SEAL_PROVENANCE_FORBIDDEN_CLASS.

The rehearsal corpus is classed REHEARSAL; feeding it to encode_real_n7 is blocked. The rehearsal driver itself asserts this each run (rehearsal_corpus_into_real_n7_status = SEAL_PROVENANCE_REHEARSAL_BLOCKED) and fails if it is ever not blocked.

3. Standing true blocker — SEAL_REAL_N6_NOT_AVAILABLE

Even with valid ENGINEERING_VERIFIED_CANDIDATE (corpus) + AUTHORITY_INPUT (authority) classes, the real path stays BLOCKED by SEAL_REAL_N6_NOT_AVAILABLE until a real non-rehearsal N1..N6 chain is supplied (real_n6_available=True with first-hand evidence). This lane uses rehearsal placeholders for N3/N4/N5/N6 (3/4/5/6×64) and does not materialize or seal a real N6 chain — that is a Codex/owner/operator authority act and was not faked.

encode_real_n7(…, good_provenance, real_n6_available=True) is proven live (it returns the same N7 digest), so the path is not dead code — it is gated, not broken. The gate, not a missing feature, is what stands.

4. Evidence

selftest provenance negatives (5) + the live-path positive: REHEARSAL→blocked, missing→missing, forbidden→forbidden, unknown→unknown, valid-no-N6→SEAL_REAL_N6_NOT_AVAILABLE, valid+real_n6_available→digest. Red-team A29–A32, A39. Codex probes CP17–19. Anti-hardcode T6 (a–d) proves the very corpus that reproduces the published fixture 6225f265… cannot be laundered into a real seal.

5. Blocker disposition

Blocker ID	Class	Actor	Blocks seal?	Blocks impl?	Blocks prod?	Next action
FINAL-AS-PROVENANCE (gate)	ENGINEERING	T1 (closed)	—	—	—	CLOSED
FINAL-AS-N6-PROVENANCE (SEAL_REAL_N6_NOT_AVAILABLE)	AUTHORITY	owner/operator + Codex	YES	YES	YES	produce + seal a real ENGINEERING_VERIFIED_CANDIDATE N1..N6 chain

Verdict: provenance engineering CLOSED; N6-provenance is a genuine standing true blocker (Status-B condition), not faked.