FIX7 Final Authority-Seal — Expanded Red-Team (Codex probe classes) Report (2026-06-11)
FIX7 Final Authority-Seal — Expanded Red-Team Adversarial Report
- Date: 2026-06-11 · Host: T1 · Codex: NO · Prod mutation: NO
- Suite: authority_seal_redteam.py → 39/39 caught, 0 escaped, exit 0 (sequential, after rehearsal artifacts exist).
1. What changed vs the prior 20/20 suite
The prior suite (20 attacks) did not cover Codex's fail-open classes. This suite adds attacks A21–A39 (Codex probe classes + provenance) and upgrades A8: previously the wrong-but-clean timestamp was declared OUT_OF_CONTRACT_SCOPE (tamper-evident only); it is now semantically validated → SEAL_FIELD_BAD_TIMESTAMP.
2. Attack coverage (mechanism → status)
- A1–A20 (retained): structural (missing/extra/order/tag/cycle/const/forbidden-byte), verify-mismatch (mutated canonicalizer/tree, manifest tamper), drift (spec.json/spec.md/encoder), governance guards (fixture-claims-real, checklist gate), cycle detection.
- A21 invalid hash → SEAL_FIELD_NOT_HEX
- A22 empty approval_event_id → SEAL_FIELD_EMPTY
- A23 empty signer → SEAL_FIELD_EMPTY
- A24 invalid report digest → SEAL_FIELD_NOT_HEX
- A25 invalid revision → SEAL_FIELD_BAD_INT
- A26 negative byte count → SEAL_FIELD_BAD_INT
- A27 empty report set → SEAL_REPORT_SET_EMPTY
- A28 duplicate report records → SEAL_REPORT_SET_DUPLICATE
- A29 REHEARSAL N6 into real N7 → SEAL_PROVENANCE_REHEARSAL_BLOCKED
- A30 fixture-as-real (missing provenance) → SEAL_PROVENANCE_MISSING
- A31 forbidden provenance class → SEAL_PROVENANCE_FORBIDDEN_CLASS
- A32 unknown provenance class → SEAL_PROVENANCE_UNKNOWN_CLASS
- A33 invalid timestamp → SEAL_FIELD_BAD_TIMESTAMP
- A34 invalid ID grammar → SEAL_FIELD_BAD_ID
- A35 invalid path grammar → SEAL_FIELD_BAD_PATH
- A36 empty report doc id → SEAL_REPORT_DOC_ID_INVALID
- A37 invalid report revision → SEAL_REPORT_REVISION_INVALID
- A38 duplicate report document id → SEAL_REPORT_SET_DUPLICATE
- A39 valid provenance but no real N6 → SEAL_REAL_N6_NOT_AVAILABLE
3. Macro item-E mapping (every named probe class present)
invalid hash (A21/A24) · empty approval_event_id (A22) · empty signer (A23) · invalid report_documents_digest (A24) · invalid revision (A25) · negative byte count (A26) · empty report set (A27) · duplicate report records (A28/A38) · REHEARSAL N6 into real N7 (A29) · fixture labelled as real seal (A16/A30) · missing provenance (A30) · forbidden provenance class (A31) · invalid timestamp (A33) · invalid ID grammar (A34) · invalid path grammar (A35). All caught.
4. New-probe-during-own-red-team check
No new escape surfaced during authoring: the parallel-vs-sequential race Codex noted (red-team before rehearsal artifacts exist) is structurally avoided — commands.sh runs red-team after the rehearsal step, and red-team reads the artifacts it needs. Output redteam-results.json records all 39 verdicts + the canonical fixture chain.