FIX7 Final Authority-Seal — Value Grammar Validation Report (2026-06-11)
FIX7 Final Authority-Seal — Value Grammar Validation Report (FINAL-AS-VALUE-GRAMMAR)
- Date: 2026-06-11 · Host: T1 · Codex: NO · Prod mutation: NO · Encoder 13344f92…957144b8
1. Mechanism
Every roster field is bound to exactly one grammar kind via FIELD_KIND (28 fields). In encode_node, after structural checks (cycle/missing/extra/dup/order/const) and the forbidden-byte gate, validate_value(field, v) runs for every field before any record is emitted. An invalid value raises a specific SEAL_FIELD_* and no digest is produced (fail-closed). field_kinds is mirrored in authority-seal-encoder-spec.json and drift-checked field-by-field against the encoder.
2. Grammar table (anchored regex; deterministic)
| kind | rule | reject status | applies to |
|---|---|---|---|
| hex | `^[0-9a-f]{64}$` | SEAL_FIELD_NOT_HEX | all *_sha256, report_documents_digest, pinned hashes/tree |
| id | `^[A-Za-z0-9][A-Za-z0-9._:@+/-]{0,199}$` | SEAL_FIELD_BAD_ID | approval_event_id |
| identity | non-empty printable ASCII 0x20–0x7E, not all-whitespace | SEAL_FIELD_BAD_IDENTITY | approver_identity, sealed_by |
| timestamp | `^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,9})?Z$` | SEAL_FIELD_BAD_TIMESTAMP | approval_event_timestamp, sealed_at |
| decision | `^[A-Z0-9][A-Z0-9_]{0,127}$` | SEAL_FIELD_BAD_ENUM | owner_blueprint_decision |
| posint | `^[1-9][0-9]{0,17}$` (rejects -1, 0, not-an-int) | SEAL_FIELD_BAD_INT | pinned_canonicalizer_revision, pinned_canonicalizer_utf8_bytes |
| path | `^[A-Za-z0-9][A-Za-z0-9._/@:+-]{0,399}$` | SEAL_FIELD_BAD_PATH | doc-id/path/checkpoint fields |
| const | fixed contract value | SEAL_CONSTANT_FIELD_MISMATCH | schema_version, node_id, scopes |
| (any non-const) "" | empty pre-check | SEAL_FIELD_EMPTY | all non-const fields |

NUL/TAB/LF/CR/backslash remain forbidden by the canonicalizer-identical _check_field (status SEAL_FIELD_FORBIDDEN_BYTE), which runs before grammar so injection attempts keep that precise status (red-team A7/A8).
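The gate ordering described above (forbidden-byte check, then empty pre-check, then anchored grammar) is sketched below as an added example; it is not the project's encoder. Assumptions: values arrive as `str`, `SealError` and `status_of` are hypothetical names, only fields the report names explicitly are mapped, and the `path` and `const` kinds are left out.

```python
import re

# Sketch only: kinds, patterns and statuses are taken from the grammar table.
# fullmatch + re.ASCII is used so "$" cannot accept a trailing newline and
# \d cannot match non-ASCII digits (a choice of this example).
GRAMMAR = {
    "hex": (r"[0-9a-f]{64}", "SEAL_FIELD_NOT_HEX"),
    "id": (r"[A-Za-z0-9][A-Za-z0-9._:@+/-]{0,199}", "SEAL_FIELD_BAD_ID"),
    "identity": (r"(?=.*[^ ])[\x20-\x7e]+", "SEAL_FIELD_BAD_IDENTITY"),
    "timestamp": (r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,9})?Z",
                  "SEAL_FIELD_BAD_TIMESTAMP"),
    "decision": (r"[A-Z0-9][A-Z0-9_]{0,127}", "SEAL_FIELD_BAD_ENUM"),
    "posint": (r"[1-9][0-9]{0,17}", "SEAL_FIELD_BAD_INT"),
}
# Subset of the 28-field roster: only fields the report names explicitly.
FIELD_KIND = {
    "report_documents_digest": "hex",
    "approval_event_id": "id",
    "approver_identity": "identity",
    "sealed_by": "identity",
    "approval_event_timestamp": "timestamp",
    "sealed_at": "timestamp",
    "owner_blueprint_decision": "decision",
    "pinned_canonicalizer_revision": "posint",
    "pinned_canonicalizer_utf8_bytes": "posint",
}
FORBIDDEN = set("\x00\t\n\r\\")  # NUL/TAB/LF/CR/backslash

class SealError(ValueError):  # hypothetical exception type
    def __init__(self, status, field):
        super().__init__(f"{status}: {field}")
        self.status = status

def validate_value(field, v):
    """Raise SealError on the first failing gate; v is assumed to be a str."""
    pattern, status = GRAMMAR[FIELD_KIND[field]]  # unknown field: KeyError
    if any(c in FORBIDDEN for c in v):            # gate 1: before grammar
        raise SealError("SEAL_FIELD_FORBIDDEN_BYTE", field)
    if v == "":                                   # gate 2: empty pre-check
        raise SealError("SEAL_FIELD_EMPTY", field)
    if not re.fullmatch(pattern, v, re.ASCII):    # gate 3: anchored grammar
        raise SealError(status, field)

def status_of(field, v):
    """Return the reject status for a value, or "OK" if it passes."""
    try:
        validate_value(field, v)
    except SealError as e:
        return e.status
    return "OK"
```

A caller that computes a digest only after `validate_value` has returned for every field gets the fail-closed behaviour from section 1: any exception aborts before a record is emitted.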
3. Evidence (selftest negatives, all PASS)
--selftest 48/48 includes: NOT_A_SHA→NOT_HEX, uppercase-hex→NOT_HEX, 63-hex→NOT_HEX, empty id/identity→EMPTY, bad timestamp→BAD_TIMESTAMP, lowercase decision→BAD_ENUM, revision not-an-int→BAD_INT, byte-count -1/0→BAD_INT, empty path→EMPTY, plus N8 sealed_by=""→EMPTY and report_documents_digest not-hex→NOT_HEX. Codex probes CP1–CP6, CP9–CP14 all REJECTED; red-team A21–A26, A33–A35.
4. Pin preservation
The valid fixtures satisfy every grammar (all *_sha256 are 64 lowercase hex; approval_event_timestamp/sealed_at are RFC3339; revision 3/bytes 38756 are posint; ids/identities/paths valid) so the fixture digests are unchanged (6225f265…, b1f001b6…, 3599f663…). Adding grammar therefore introduced zero change to any computed digest — confirmed by drift fixture-digest checks (3/3) and --emit-fixture.