Codex-Owned Adversarial Probes

Verdict

FAIL-OPEN FOUND — final review must reject.

Probe	Expected	Actual exit/result	PASS emitted	Digest/seal-like emitted	Verdict
Duplicate declared corpus member	N6_CORPUS_DUPLICATE	accepted; certificate-like dict returned	NO	certificate YES	FAIL-OPEN
Duplicate manifest member record	duplicate-manifest reject	accepted; certificate-like dict returned	NO	certificate YES	FAIL-OPEN
Tampered N6 certificate digest	verify_certificate=False	False	NO	NO	PASS
Rehearsal N6 as real	N6_PROVENANCE_REHEARSAL_BLOCKED	same	NO	NO	PASS
Local-only N6	N6_SOURCE_NOT_GOVERNED	same	NO	NO	PASS
OFFICIAL_PIN without owner/Codex	N6_OFFICIAL_PIN_WITHOUT_AUTHORITY	same	NO	NO	PASS
N7 without authority inputs	SEAL_PROVENANCE_MISSING	same	NO	NO	PASS
N8 without signer/report inputs	SEAL_PROVENANCE_MISSING	same	NO	NO	PASS
P7 without pin authority inputs	SEAL_PROVENANCE_MISSING	same	NO	NO	PASS

Aggregate: 7/9; process exit 1.

Root cause

verify_corpus_membership() converts declared members to a set without first rejecting duplicates. parse_hash_manifest() stores records in a dictionary and silently overwrites duplicate paths. Both ambiguous inputs can therefore pass all later gates and receive a candidate certificate.

This directly contradicts the stated C8 criterion and T1 report claim that duplicate members are not accepted. The existing T1 duplicate probe only tests a case-variant duplicate in the filesystem listing; it does not test duplicates in the declared roster or manifest records.

Required closure

• Reject duplicate declared member IDs before any set conversion.
• Reject duplicate HASH_MANIFEST paths before dictionary insertion.
• Reject malformed manifest lines and non-64-lowercase-hex hashes.
• Add direct regression probes proving invalid duplicates emit no certificate/digest/seal-like output.