KB-3931
FIX7 Recheck-9 Codex-Adversarial Selfcheck Report (2026-06-10)
FIX7 Recheck-9 — Codex-Adversarial Selfcheck Report
- Date: 2026-06-10 · Authority: provisional-non-authority, evidence-only. Codex consulted: NO · Production mutation: NO.
- Tool: adversarial_suite.py (KB packet root, rev 1; raw output pinned at logs/adversarial-suite.log). Each test copies the canonical packet to an OS temp dir, applies ONE tamper, and asserts the toolchain FAILS CLOSED; an expected-fail test that unexpectedly passes fails the suite. The canonical packet is never mutated.
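
A minimal harness in the shape described above, as an added example that is not the packet's adversarial_suite.py. The packet layout, manifest.json, verify() and the tamper names are assumptions constructed for illustration.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256(p):
    return hashlib.sha256(p.read_bytes()).hexdigest()

def build_packet(root):
    # Constructed sample packet: two docs plus a manifest pinning their hashes.
    (root / "docs").mkdir(parents=True)
    for name in ("01.md", "02.md"):
        (root / "docs" / name).write_text("content of " + name + "\n")
    pins = {p.relative_to(root).as_posix(): sha256(p) for p in root.rglob("*.md")}
    (root / "manifest.json").write_text(json.dumps({"pins": pins}))

def verify(root):
    # Hypothetical verifier: 0 only if pins and files agree in both directions.
    try:
        pins = json.loads((root / "manifest.json").read_text())["pins"]
        on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*.md")}
        ok = on_disk == set(pins) and all(sha256(root / n) == h for n, h in pins.items())
        return 0 if ok else 1
    except Exception:
        return 1  # fail closed: any error is a failure

def edit_manifest(root, fn):
    path = root / "manifest.json"
    m = json.loads(path.read_text())
    fn(m["pins"])
    path.write_text(json.dumps(m))

# name -> (tamper or None for a positive control, expect_fail)
CASES = {
    "control": (None, False),
    "zero_hash": (lambda r: edit_manifest(r, lambda p: p.update({"docs/01.md": "0" * 64})), True),
    "remove_doc": (lambda r: (r / "docs/02.md").unlink(), True),
    "drop_pin": (lambda r: edit_manifest(r, lambda p: p.pop("docs/02.md")), True),
    "unpinned_file": (lambda r: (r / "docs/99.md").write_text("x"), True),
}

def run_suite(canonical, cases=CASES):
    results = {}
    for name, (tamper, expect_fail) in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            copy = Path(tmp) / "packet"
            shutil.copytree(canonical, copy)  # canonical packet is never touched
            if tamper:
                tamper(copy)                  # exactly one tamper per copy
            results[name] = (verify(copy) != 0) == expect_fail
    return results, (0 if all(results.values()) else 1)
```

A case marked expect_fail whose tampered copy still verifies is recorded as False and makes the suite exit code 1.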
1. Result: 22/22 expectations met, exit 0 — and rerun INSIDE every bash RERUN.sh (gate 9)
Positive controls (exclude "fails because the environment is broken")
| control | result |
|---|---|
| C1 untampered --verify == 0 | OK |
| C2 untampered --complete == 0 | OK |
| C3 untampered --scan == 0 | OK |
| C4 untampered produce corpus_ok + frozen_ok | OK |
Tamper classes (macro-required list → executed test → observed)
| macro requirement | test | observed |
|---|---|---|
| tamper forbidden_scope.forbidden_operations_found → must fail | T1 (=999) | verify exit 1 ✓ (Codex's V1 probe: was exit 0); ALSO full-RERUN level: exit 1 |
| remove active doc 05 → must fail nonzero | T2a/T2b/T2c | produce fail-closed (suppression + exit-4 contract) ✓; verify exit 1 ✓; complete exit 1 ✓; full RERUN exit 1 |
| tamper any load-bearing manifest PASS field → must fail | T3 (selftest.checks_passed=999) | verify exit 1 ✓ |
| tamper any hash → must fail | T4 (ssot_md_sha256=0…0) | verify exit 1 ✓ |
| remove raw log → must fail | T5 (logs/produce.log) | verify exit 1 + complete exit 1 ✓ |
| remove HASH_MANIFEST entry → must fail | T6 (drop docs/03 line) | complete exit 1 ✓ (bidirectional coverage) |
| remove RERUN.sh from packet → must fail completeness | T7 | complete exit 1 ✓; KB-side: fetching a missing packet doc returns 404 → kb_fetch_reconstruct.py raises FETCH_FAILED (demonstrated live) |
| mismatch KB vs local packet hash tree → must fail | T8a/T8b/T8c | complete exit 1 + verify exit 1 + tree-hash divergence detected ✓; reconstruction tool fails closed on any fetched-vs-pinned mismatch |
| attempt forbidden operation marker → must fail | T9 (import subprocess into seal-path file) | scan exit 1 (hit reported with file+line) + verify exit 1 ✓ |
| candidate/rehearsal digest claimed as sealed → must fail | T10 (class→CODEX_SEALED) + T11 (codex_sealed_values_present=true) | verify exit 1 ✓ (allowlist + deep diff + invariant) |
| (stronger) smuggle an unverified field into authority | T12 (extra key) | verify exit 1 ✓ (schema-closed authority) |
2. Relation to Codex's Recheck-9 method
Codex's two decisive probes (§3.5 literal tamper, §3.6 missing doc) are now PERMANENT executable packet tests (T1, T2) that run on every bash RERUN.sh. The remaining classes extend coverage beyond what Codex ran (log removal, HM-entry removal, packet-file removal, tree divergence, forbidden-token injection, sealed-claim injection, authority-schema smuggling).
3. Design notes (honest disclosures)
- adversarial_suite.py is excluded from the forbidden-scope scan BY DESIGN: it embeds forbidden tokens as TEST VECTORS (T9). It is hash-pinned in manifest authority + HASH_MANIFEST instead; the exclusion and its reason are themselves part of the verified authority object.
- Suite tests run in OS temp dirs; the pinned logs/adversarial-suite.log contains absolute temp paths from the sealing run (raw evidence, not diffed by RERUN; gate 9 enforces the suite's EXIT, and the log is hash-pinned).
4. Verdict
SELF-CODEX ADVERSARIAL SUITE: PASS (22/22). Every Codex Recheck-9 adversarial failure plus eight stronger classes is caught fail-closed by executable tests embedded in the packet and enforced on every rerun.