FIX7 Recheck-9 Manifest Verifier Completeness Report — R9-B1 (2026-06-10)
- Date: 2026-06-10 · Authority: provisional-non-authority, evidence-only. Codex consulted: NO · Production mutation: NO.
- Subject: `manifest_tool.py` V2 + `manifest.json` format `FIX7-R9-MANIFEST-V2` in packet `knowledge/dev/laws/tool-kiem-thu/packets/fix7-codex-recheck-9-2026-06-10/`.
1. The V1 defect (Codex evidence, reproduced first-hand)
V1 --verify diffed only flatten_hashes() — 33 selected hash literals + 2 special fields. Tampering forbidden_scope.forbidden_operations_found to 999 yielded verify exit 0 AND full RERUN_RESULT: PASS (reproduced this session before fixing). Load-bearing literals (forbidden scope, negative-test statuses, counts, classes, p_ext flags) were hand-authored in build_manifest() and never checked.
2. The V2 design — authority vs explanatory
manifest.json now has exactly three top-level keys (schema-enforced): manifest_format, authority, explanatory.
authority — every field recomputed at --verify, none hand-authored:
| field group | how recomputed at every --verify |
|---|---|
| frozen_membership_pin, membership_reproduced | canon.membership() re-executed; equality with the frozen pin recomputed |
| produce.* (8 digests + corpus_ok + membership_frozen_ok + exit contract) | full --produce re-executed over docs/ (fails closed if the pinned corpus no longer produces cleanly) |
| per_doc_normalized_active_content_sha256 ×10 | from the same live produce run |
| selftest.* (all_pass, passed, total, exit contract) | canon.selftest() re-executed in-process |
| ssot.* (md/py/extended hashes, materialized_equals_extended) | files re-hashed from disk |
| p_ext_2_applied | derived live: fence==extended AND selftest all-pass |
| artifacts (24 file hashes: code, SSOT, docs ×10, pre-emit logs, expected outputs, README, RERUN.sh, suite, fetch tool) | every file re-hashed from disk |
| forbidden_scope.* (count, hits, scope, exclusions) | scanner re-executed over the 6 seal-path files |
| negative_tests.* (8 tests) | RE-EXECUTED live in OS temp dirs: produce on missing/extra/invalid/absent-dir corpora; duplicate-listing detection; 9-doc wrong-membership; doc-03 tamper hash divergence; absent-py fail-closed |
| digest_classes, allowlist, counts, codex_sealed_values_present | derived from code constants + invariant-checked (see §3) |
explanatory — declared non-authority (authority_status marker schema-checked): ids, prose, the two labelled historical SSOT hashes (rev1 8f80f9f0…, rev2 144eb3d9…), KB-binding claims (verified by KB fetch, not offline), remaining blockers. Excluded from PASS logic by construction; tampering it cannot create a false PASS because nothing reads it for PASS.
Circularity handling (documented, not silent): manifest.json and HASH_MANIFEST.txt cannot pin themselves; HASH_MANIFEST.txt pins manifest.json + the two post-emit logs (manifest-verify.log, adversarial-suite.log); --complete enforces bidirectional coverage of the whole tracked tree.
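The `--complete` coverage rule above (every tracked file pinned, every pin naming a present file, the pin file itself excluded on both sides because it cannot pin its own hash), as an added example that is not the packet's own tool. It assumes `sha256sum`-style pin lines (`<hex>  <relative path>`) and reuses the file names from this report; the sample tree is constructed in a temp dir.

```python
"""Added example, not the packet's manifest_tool.py --complete: bidirectional
coverage between HASH_MANIFEST.txt and the tracked tree, over a constructed
tree. Assumes sha256sum-style pin lines ("<hex>  <relative path>").
HASH_MANIFEST.txt is excluded on both sides: it cannot pin its own hash."""
import hashlib
import os
import tempfile

PIN_FILE = "HASH_MANIFEST.txt"

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def parse_pins(text):
    """Map path -> hex from pin lines; malformed or self-pinning lines are findings."""
    pins, bad = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split(None, 1)
        if not parts:
            continue
        if len(parts) != 2 or len(parts[0]) != 64:
            bad.append(f"malformed pin line {n}")
        elif parts[1] == PIN_FILE:
            bad.append(f"self-pin on line {n} (circular, cannot be checked)")
        else:
            pins[parts[1]] = parts[0].lower()
    return pins, bad

def tracked_files(root):
    """Every file under root as a relative POSIX path, minus the pin file."""
    out = set()
    for d, _, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/")
            if rel != PIN_FILE:
                out.add(rel)
    return out

def complete(root):
    """Return (exit_code, findings): 0 only if every tracked file is pinned,
    every pin names a present file, every hash matches and no line is malformed."""
    with open(os.path.join(root, PIN_FILE), "r") as f:
        pins, findings = parse_pins(f.read())
    on_disk, pinned = tracked_files(root), set(pins)
    findings += [f"on disk but unpinned: {p}" for p in sorted(on_disk - pinned)]
    findings += [f"pinned but absent: {p}" for p in sorted(pinned - on_disk)]
    findings += [f"hash mismatch: {p}" for p in sorted(on_disk & pinned)
                 if sha256_file(os.path.join(root, p)) != pins[p]]
    return (1 if findings else 0), findings

def build_tree(extra_unpinned=False, drop_log=False, edit_after_pin=False):
    """Constructed sample tree: manifest.json plus the two post-emit logs, pinned."""
    root = tempfile.mkdtemp()
    files = {"manifest.json": "{}\n",
             "logs/manifest-verify.log": "MANIFEST_VERIFY: PASS\n",
             "logs/adversarial-suite.log": "C1..C4 green\n"}
    lines = []
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
        lines.append(f"{sha256_file(path)}  {rel}")
    with open(os.path.join(root, PIN_FILE), "w") as f:
        f.write("\n".join(lines) + "\n")
    # Three tamper shapes, each applied after the pins were written.
    if extra_unpinned:
        with open(os.path.join(root, "smuggled.txt"), "w") as f:
            f.write("unpinned\n")
    if drop_log:
        os.remove(os.path.join(root, "logs", "adversarial-suite.log"))
    if edit_after_pin:
        with open(os.path.join(root, "manifest.json"), "a") as f:
            f.write("tampered\n")
    return root
```

The two set differences are the bidirectional part: a file that exists but has no pin is as much a finding as a pin whose file is gone, so an artifact cannot be smuggled into the tree or dropped from it without `complete` exiting 1.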
3. Verification algorithm (fail-closed)
- Structural schema: top-level keys exact; format string exact; explanatory marker present.
- `compute_authority()` re-executes EVERYTHING (§2); any exception (e.g. deleted artifact) → `MANIFEST_VERIFY: FAIL (authority recomputation impossible — fail-closed)`, exit 1.
- Recursive deep-diff of fresh vs on-disk authority: any changed value, missing key, or EXTRA key → exit 1 (an unverifiable field structurally cannot live in authority).
- Hard invariants checked on the RECOMPUTED state regardless of the disk manifest: forbidden hits must be 0; digest classes ⊆ non-sealed allowlist [FROZEN_REPRODUCED, REAL_CANDIDATE, REHEARSAL, CANDIDATE_OVER_PATCHED_KB_BYTES, BLOCKED_NEEDS_SEALED_INPUTS, CODEX_ONLY]; `codex_sealed_values_present` must be `false`; all 4 produce negative tests must fail closed.
4. Tamper-class evidence (all executed; from logs/adversarial-suite.log)
| tamper class | test | result |
|---|---|---|
| current-PASS literal (Codex's decisive probe) | T1 forbidden_operations_found=999 | verify exit 1; full RERUN exit 1 |
| PASS-count literal | T3 selftest.checks_passed=999 | verify exit 1 |
| hash literal | T4 ssot_md_sha256=0…0 | verify exit 1 |
| artifact removal | T5 logs/produce.log deleted | verify exit 1 (fail-closed recomputation) + complete exit 1 |
| sealed-class claim | T10 class→CODEX_SEALED; T11 codex_sealed_values_present=true | verify exit 1 (allowlist + diff) |
| smuggled unverified field | T12 extra key in authority | verify exit 1 (schema) |
| corpus tamper | T2 / T8 | verify exit 1 + produce exit 4 + complete exit 1 |
| forbidden op | T9 token in seal-path file | scan exit 1 + verify exit 1 |
Positive controls C1–C4 green on the untampered packet (rules out "fails only because the environment is broken").
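The §3 algorithm and the §4 tamper classes, as an added example that is not the packet's `manifest_tool.py`: a fail-closed verifier over a constructed two-file packet, with `tamper()`, `write_artifact()` and `delete_artifact()` standing in for the adversarial suite. The key names inside `authority`, the forbidden-token list and the two sample files are assumptions for illustration.

```python
"""Added example, not the packet's manifest_tool.py: a minimal fail-closed
--verify of the §3 shape over a constructed packet. Authority is recomputed
from disk and deep-diffed against the on-disk manifest; the explanatory block
is never read for PASS. Key names, FORBIDDEN_TOKENS and sample files are assumptions."""
import copy
import hashlib
import os
import tempfile

FORMAT = "FIX7-R9-MANIFEST-V2"
TOP_LEVEL_KEYS = {"manifest_format", "authority", "explanatory"}
ALLOWLIST = {"FROZEN_REPRODUCED", "REAL_CANDIDATE", "REHEARSAL",
             "CANDIDATE_OVER_PATCHED_KB_BYTES",
             "BLOCKED_NEEDS_SEALED_INPUTS", "CODEX_ONLY"}
FORBIDDEN_TOKENS = (b"rm -rf", b"git push --force")  # constructed scanner tokens

def compute_authority(root, tracked):
    """Recompute every authority field from disk. A missing artifact raises
    and the caller turns that into FAIL; nothing here can yield exit 0."""
    artifacts, hits = {}, []
    for name in tracked:
        with open(os.path.join(root, name), "rb") as f:
            data = f.read()
        artifacts[name] = hashlib.sha256(data).hexdigest()
        hits += [f"{name}:{t.decode()}" for t in FORBIDDEN_TOKENS if t in data]
    return {
        "artifacts": artifacts,
        "forbidden_scope": {"forbidden_operations_found": len(hits), "hits": hits},
        "digest_classes": ["FROZEN_REPRODUCED"],
        "codex_sealed_values_present": False,
    }

def deep_diff(fresh, disk, path=""):
    """(path, kind) for every changed value, missing key or EXTRA key; an extra
    key in the disk authority was never recomputed, so it is unverifiable."""
    diffs = []
    if isinstance(fresh, dict) and isinstance(disk, dict):
        for k in sorted(set(fresh) | set(disk)):
            p = f"{path}/{k}"
            if k not in disk:
                diffs.append((p, "missing"))
            elif k not in fresh:
                diffs.append((p, "extra"))
            else:
                diffs += deep_diff(fresh[k], disk[k], p)
    elif fresh != disk:
        diffs.append((path, "changed"))
    return diffs

def verify(manifest, root, tracked):
    """Return (exit_code, reasons): 0 only if schema, deep-diff and the hard
    invariants on the RECOMPUTED state all hold."""
    if (set(manifest) != TOP_LEVEL_KEYS or manifest.get("manifest_format") != FORMAT
            or manifest.get("explanatory", {}).get("authority_status") != "non-authority"):
        return 1, ["schema: top-level keys, format string or explanatory marker wrong"]
    try:
        fresh = compute_authority(root, tracked)
    except Exception as exc:  # deleted or unreadable artifact: fail closed
        return 1, [f"authority recomputation impossible: {exc!r}"]
    reasons = [f"diff {p}: {k}" for p, k in deep_diff(fresh, manifest["authority"])]
    # Invariants run on the fresh state, whatever the disk manifest claims.
    if fresh["forbidden_scope"]["forbidden_operations_found"] != 0:
        reasons.append("invariant: forbidden hits must be 0")
    if not set(fresh["digest_classes"]) <= ALLOWLIST:
        reasons.append("invariant: digest class outside non-sealed allowlist")
    if fresh["codex_sealed_values_present"] is not False:
        reasons.append("invariant: codex_sealed_values_present must be false")
    return (1 if reasons else 0), reasons

def write_artifact(root, name, body):
    with open(os.path.join(root, name), "w") as f:
        f.write(body)

def delete_artifact(root, name):
    os.remove(os.path.join(root, name))

def build_packet():
    """Constructed sample packet in a temp dir -> (root, tracked, manifest)."""
    root = tempfile.mkdtemp()
    tracked = ["doc-01.md", "RERUN.sh"]
    write_artifact(root, "doc-01.md", "# doc 01\n")
    write_artifact(root, "RERUN.sh", "#!/bin/sh\necho ok\n")
    manifest = {"manifest_format": FORMAT,
                "authority": compute_authority(root, tracked),
                "explanatory": {"authority_status": "non-authority", "note": "prose"}}
    return root, tracked, manifest

def tamper(manifest, dotted, value):
    """Deep copy of manifest with the dotted key path set to value."""
    m = copy.deepcopy(manifest)
    *parents, last = dotted.split(".")
    node = m
    for p in parents:
        node = node[p]
    node[last] = value
    return m
```

The V1 defect cannot recur in this shape: `forbidden_operations_found` is not a literal the verifier trusts but a value it recomputes, so the T1 probe fails at the deep-diff even before the invariant runs, while an edit to `explanatory` leaves the exit code at 0 because no PASS logic reads that block.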
5. Verdict
R9-B1 CLOSED. There is no load-bearing manifest field that is not recomputed-and-deep-diffed or structurally excluded from authority; Codex's exact V1 probe now fails at both the verifier and the full-RERUN level.