KB-758D

FIX7 Recheck-9 V3 — Manifest Laundering Prevention Report (2026-06-10)

Revision 1

FIX7 Recheck-9 V3 — Manifest Laundering Prevention Report (R9-B6.4)

  • Date: 2026-06-10 · Verdict: PROVEN — --emit cannot convert fail-open behavior into a valid manifest

1. How --emit obtains evidence (V3)

cmd_emit → build_manifest → compute_authority now EXECUTES the real CLI six times per emission and observes exits:

  1. selftest CLI (no args): observed exit must equal oracle 0 and stdout must contain ALL PASS: True;
  2. produce CLI over the pinned 10-doc corpus: observed exit must equal oracle 0, stdout must contain corpus_ok: True, must NOT contain the suppression marker, and must contain the recomputed membership digest;
  3.–6. the four negative corpus cases (missing 05 / extra / invalid / absent dir) via run_negative_tests: each observed exit must equal oracle 4 with suppression markers, zero aggregate-digest leak, no output artifact, and fail-closed in-process state.

2. How the oracle is checked

The expected side is CLI_ORACLE, a STATIC constant of manifest_tool.py derived from the SSOT contract text, not from any run of the system under test (SUT). Regenerating expected outputs, manifest, or HASH_MANIFEST with packet tools cannot alter it; altering manifest_tool.py itself changes a hash-pinned, KB-published, scan-scoped file that Codex independently fetches and reads (backstop documented in README §5e).

3. What happens when SUT behavior violates the oracle

Any violation RAISES SystemExit("ORACLE_VIOLATION …") inside compute_authority, which is reached by BOTH --emit and --verify:

  • --emit aborts BEFORE writing manifest.json (build happens before dump) → observed: exit 1, manifest file unchanged;
  • --verify catches the raise and fails closed → MANIFEST_VERIFY: FAIL (authority recomputation impossible), exit 1.

4. Proof bad behavior cannot be emitted as a valid manifest (observed, raw logs)

  • Fail-open mutation + expected-output regeneration on a V3 copy → manifest_tool.py --emit exit 1 with ORACLE_VIOLATION … cli_exit_observed: 0, cli_exit_expected: 4 (/private/tmp/r9-repro/v3-failopen-emit.log; also M3 of failopen_regression.py, run live in RERUN gate 8).
  • --emit-hash-manifest alone still succeeds by DESIGN — HASH_MANIFEST pins transport bytes and is never a behavior claim; with a relaundered HASH the full RERUN still fails at gate 6 (V3_BYPASS_RERUN_EXIT=1) because the gates execute behavior, not hashes.
  • Hand-editing manifest.json to fake observed exits fails --verify deep-diff (recomputed-vs-disk on every authority field; adversarial T1/T3/T4/T12) and the recomputed invariants (cli_exit_observed==4 / ==0 checked on the FRESH recompute, independent of disk); writing the V2 inferred field cli_exit_contract anywhere in manifest.json is itself a hard RERUN gate-11 failure and a --verify failure.
  • Residual honest limit: an attacker who rewrites the verifier code (manifest_tool/RERUN/suites) AND republishes everything self-consistently is outside any packet's self-defense; mitigations: all tool bytes hash-pinned in authority artifacts + HASH_MANIFEST, KB packet root is the single authority surface, and the Codex rerun is itself a fresh-fetch independent execution. This is recorded in README_FOR_CODEX §5(e), not hidden.
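
The mechanism of sections 1 through 4, as an added example that is not the packet's manifest_tool.py: a stdlib-only Python model in which compute_authority executes stub CLIs (constructed here with sys.executable -c in place of the real selftest/produce CLIs), compares observed exits and stdout markers against a static CLI_ORACLE, and raises ORACLE_VIOLATION on any mismatch; cmd_emit builds before it writes, and cmd_verify rejects a forbidden cli_exit_contract field, an impossible recomputation, and any recomputed-vs-disk deep-diff. The function and constant names follow the report; the oracle table entries, the SUPPRESSION marker, the "aggregate_digest" leak string and the four-case negative layout are assumptions, and the membership-digest check of the real produce case is omitted. run_scenarios replays the fail-open, hand-edit and V2-field laundering attempts against this model.

```python
# Added example, not the packet's manifest_tool.py: a minimal model of the --emit/--verify
# path. Names follow the report; the bodies, oracle table and stub CLIs are assumptions.
import json
import subprocess
import sys
import tempfile
from pathlib import Path

SUPPRESSION = "SUPPRESSED"  # hypothetical suppression marker
FORBIDDEN_FIELDS = {"cli_exit_contract"}  # V2 inferred field: presence anywhere is a failure
# STATIC expectation, written from the contract text, never derived from a SUT run.
NEGATIVE = {"exit": 4, "contains": SUPPRESSION, "excludes": "aggregate_digest"}
CLI_ORACLE = {
    "selftest": {"exit": 0, "contains": "ALL PASS: True", "excludes": None},
    "produce": {"exit": 0, "contains": "corpus_ok: True", "excludes": SUPPRESSION},
    **{case: NEGATIVE for case in ("neg_missing", "neg_extra", "neg_invalid", "neg_absent")},
}

def stub_cli(exit_code, marker):
    """Constructed stand-in for a real CLI: prints marker, then exits with exit_code."""
    return [sys.executable, "-c", f"import sys; print({marker!r}); sys.exit({exit_code})"]

def compute_authority(commands):
    """Execute every oracle case and record observed exits; any mismatch raises SystemExit."""
    authority = {}
    for case, exp in CLI_ORACLE.items():
        proc = subprocess.run(commands[case], capture_output=True, text=True)
        if proc.returncode != exp["exit"]:
            raise SystemExit(f"ORACLE_VIOLATION {case} cli_exit_observed: {proc.returncode}, "
                             f"cli_exit_expected: {exp['exit']}")
        if exp["contains"] not in proc.stdout:
            raise SystemExit(f"ORACLE_VIOLATION {case} missing marker {exp['contains']!r}")
        if exp["excludes"] and exp["excludes"] in proc.stdout:
            raise SystemExit(f"ORACLE_VIOLATION {case} leaked {exp['excludes']!r}")
        authority[case] = {"cli_exit_observed": proc.returncode, "cli_exit_expected": exp["exit"]}
    return authority

def cmd_emit(commands, manifest):
    """Build before dump: a violation returns 1 and leaves any existing manifest untouched."""
    try:
        authority = compute_authority(commands)
    except SystemExit as err:
        print(err)
        return 1
    manifest.write_text(json.dumps({"authority": authority}, indent=2, sort_keys=True))
    return 0

def forbidden_paths(obj, path="$"):
    """Walk the whole document and report every forbidden key, however deeply nested."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            if key in FORBIDDEN_FIELDS:
                hits.append(f"{path}.{key}")
            hits += forbidden_paths(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits += forbidden_paths(val, f"{path}[{i}]")
    return hits

def cmd_verify(commands, manifest):
    """Fail closed: forbidden field, impossible recomputation, or any deep-diff gives exit 1."""
    on_disk = json.loads(manifest.read_text())
    hits = forbidden_paths(on_disk)
    if hits:
        return 1, f"MANIFEST_VERIFY: FAIL forbidden field(s) {hits}"
    try:
        fresh = compute_authority(commands)  # recomputed now, independent of what disk says
    except SystemExit as err:
        return 1, f"MANIFEST_VERIFY: FAIL authority recomputation impossible ({err})"
    disk = on_disk.get("authority", {})
    diffs = sorted(k for k in set(fresh) | set(disk) if fresh.get(k) != disk.get(k))
    return (1, f"MANIFEST_VERIFY: FAIL deep-diff on {diffs}") if diffs else (0, "MANIFEST_VERIFY: PASS")

def honest_commands():
    """Stub SUT that honours the contract (negative cases fail closed with exit 4)."""
    neg = stub_cli(4, SUPPRESSION)
    return {"selftest": stub_cli(0, "ALL PASS: True"), "produce": stub_cli(0, "corpus_ok: True"),
            "neg_missing": neg, "neg_extra": neg, "neg_invalid": neg, "neg_absent": neg}

def run_scenarios():
    """Outcomes of the laundering attempts from section 4, replayed against this model."""
    fail_open = honest_commands()  # mutated SUT: missing-05 now 'succeeds' and leaks a digest
    fail_open["neg_missing"] = stub_cli(0, "aggregate_digest: 00ff")
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        manifest = Path(tmp) / "manifest.json"
        out["honest_emit"] = cmd_emit(honest_commands(), manifest)
        out["honest_verify"] = cmd_verify(honest_commands(), manifest)[0]
        good = manifest.read_bytes()
        out["failopen_emit"] = cmd_emit(fail_open, manifest)
        out["failopen_manifest_unchanged"] = manifest.read_bytes() == good
        out["failopen_verify"] = cmd_verify(fail_open, manifest)[0]
        doc = json.loads(good)
        doc["authority"]["neg_missing"]["cli_exit_observed"] = 0  # hand-edit a fake exit
        manifest.write_text(json.dumps(doc))
        out["hand_edit_verify"] = cmd_verify(honest_commands(), manifest)[0]
        doc = json.loads(good)
        doc["authority"]["selftest"]["cli_exit_contract"] = 0  # inject the V2 inferred field
        manifest.write_text(json.dumps(doc))
        out["v2_field_verify"] = cmd_verify(honest_commands(), manifest)[0]
    return out
```

Running run_scenarios() gives exit 0 for the honest emit and verify, and exit 1 for every laundering attempt: the fail-open emit aborts before the dump (the manifest bytes are unchanged), the hand-edited exit is caught by the recomputed-vs-disk diff even though the on-disk value looks well-formed, and the V2 field is rejected before any recomputation happens. The order of checks in cmd_verify matters: the forbidden-field scan runs over the raw document first, so an attacker cannot make the verifier spend its recomputation budget on a manifest that is already structurally disqualified.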
knowledge/dev/laws/tool-kiem-thu/reports/fix7-recheck9-v3-manifest-laundering-prevention-report-2026-06-10.md