KB-7092
FIX7 Recheck-9 V3 — Adjacent Self-Referential Proof Scan (2026-06-10)
Revision 1
FIX7 Recheck-9 V3 — Adjacent Self-Referential Proof Scan (R9-B6.6)
- Date: 2026-06-10 · Verdict: 9 surfaces inspected; 4 same-lane defects FIXED in this macro; 4 documented-by-design; 1 honest structural limit (no blocker hidden)
| # | surface | finding | disposition |
|---|---|---|---|
| 1 | authority.selftest.exit_code_contract | SAME LANE as R9-B6: synthesized `0 if st_ok else 1`, never observed | FIXED: replaced by cli_exit_observed from a REAL selftest CLI run (runpy, observed SystemExit) + cli_evidence_class=EXECUTED_CLI_BLACKBOX; oracle-checked at emit AND verify |
| 2 | authority.produce.exit_code_contract | SAME LANE: synthesized constant 0 | FIXED: replaced by observed produce-CLI exit on the pinned corpus, plus stdout-marker and membership-digest-presence checks |
| 3 | adversarial_suite.py T2 | counted produce() state without running the target CLI | FIXED: T2d executes the REAL CLI and asserts observed exit 4 + marker + zero leak; T13a/T13b added (fail-open SUT must defeat emit AND verify) |
| 4 | manifest_tool.py own CLI exit path (`sys.exit(main())`) | verdict functions return ints; nothing observed the actual verifier CLI exit (a mutated `__main__` could exit 0 while printing FAIL) | FIXED: blackbox N6/N7/N8 execute the REAL manifest_tool.py CLI on tampered copies and observe exit 1; RERUN gate 11 additionally greps `MANIFEST_VERIFY: OK` so exit AND marker must both hold |
| 5 | evidence/selftest-expected-output.txt, evidence/produce-expected-output.txt | SUT-generated files used as RERUN diff targets — an oracle-laundering surface if treated as behavior proof | RECLASSIFIED, documented: explicitly VALUE-CONSISTENCY regression pins (candidate digest values), NOT behavioral oracles — recorded in manifest.json explanatory.expected_output_pins_classification + README §1; behavior is proven only by the static-oracle executed gates |
| 6 | HASH_MANIFEST.txt / --emit-hash-manifest | proves byte consistency, not behavior; regenerable by an attacker | BY DESIGN, documented: transport-integrity only (README §3 step 2); behavior gates (6/7/8/11) fire regardless of HASH relaundering — proven in the V3 attack replay |
| 7 | RERUN checking logs instead of executing | audited every gate: all 13 gates execute commands live in the same invocation; greps run only against rerun-out/ outputs produced by THIS invocation, never against pinned logs/; pinned logs/ are publication-time evidence re-generated live into rerun-out/ each rerun | CLEAN (no change needed beyond the new gates) |
| 8 | candidate/rehearsal seal flags toggle + re-emit | could a toggled flag survive re-emission? | COVERED, observed: --emit recomputes codex_sealed_values_present=false and classes from the allowlist; hand-edit caught by deep-diff + allowlist invariant (T10/T11) and now ALSO by the observed manifest_tool.py --verify CLI exit (blackbox N8) |
| 9 | verifier self-integrity (manifest_tool/RERUN/suites mutated wholesale) | a packet cannot prove its own verifier unmutated — the V2 attack generalizes to tool rewrites | HONEST STRUCTURAL LIMIT, declared: README §5(e); mitigation = all tool bytes hash-pinned + KB packet root as single authority surface + Codex's independent fresh-fetch rerun is the backstop. NOT claimed solved; NOT a hidden PASS |
Also checked: kb_fetch_reconstruct.py (read-only fetch + bidirectional HASH check; makes no behavior claim — clean); materialize_canonicalizer.py (deterministic extraction, gate 2 cmp against two independently pinned byte targets — clean); membership gate 9 (cross-tool hashlib AND shasum against the frozen pin, not SUT-derived — clean).
No safe same-lane defect remains unfixed; no unsafe fix was attempted; no new blocker beyond the declared structural limit and the existing authority blockers.
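
Added example, not part of the packet or its tooling: the surface-4 defect class in miniature, showing a verdict function that still returns 1 while the CLI exit path reports 0, and a gate that requires observed exit and marker to agree. `HONEST`, `MUTATED`, `synthesized_exit`, `observed_cli` and `gate` are hypothetical names over a constructed stand-in script; only the `MANIFEST_VERIFY: OK` marker and the runpy/SystemExit approach come from the table above.

```python
import contextlib, io, os, runpy, sys, tempfile
MARKER_OK = "MANIFEST_VERIFY: OK"  # marker string quoted on the page
# Constructed stand-in for a verifier CLI; NOT the real manifest_tool.py.
HONEST = '''
import sys
def main():
    ok = sys.argv[1] == "good"
    print("MANIFEST_VERIFY: OK" if ok else "MANIFEST_VERIFY: FAIL")
    return 0 if ok else 1
if __name__ == "__main__":
    sys.exit(main())
'''
# Constructed mutation: main() is untouched, only the exit path is forced to 0.
MUTATED = HONEST.replace("sys.exit(main())", "main(); sys.exit(0)")

@contextlib.contextmanager
def _cli_env(arg):
    """Give the tool an argv and capture its stdout, restoring both afterwards."""
    saved, buf = sys.argv, io.StringIO()
    sys.argv = ["tool.py", arg]
    try:
        with contextlib.redirect_stdout(buf):
            yield buf
    finally:
        sys.argv = saved

def synthesized_exit(source, arg):
    """The defect: derive the exit code from main()'s return value, never run the CLI."""
    ns = {"__name__": "tool_under_test"}
    with _cli_env(arg):
        exec(compile(source, "tool.py", "exec"), ns)
        return ns["main"]()

def observed_cli(source, arg):
    """The fix: execute the file as __main__ and record the SystemExit it raises."""
    with tempfile.TemporaryDirectory() as d, _cli_env(arg) as buf:
        path = os.path.join(d, "tool.py")
        with open(path, "w") as fh:
            fh.write(source)
        try:
            runpy.run_path(path, run_name="__main__")
            code = 0  # fell off the end without sys.exit: process exit would be 0
        except SystemExit as exc:
            code = exc.code if isinstance(exc.code, int) else int(exc.code is not None)
    return code, buf.getvalue()

def gate(source, arg, want_exit):
    """Pass only when the observed exit AND the stdout marker both agree."""
    code, out = observed_cli(source, arg)
    return code == want_exit and (MARKER_OK in out) == (want_exit == 0)
```

On the tampered input the synthesized contract reports 1 for `MUTATED` while the observed exit is 0, so only the observed gate catches the fail-open exit path.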