FIX7 authority-input packet — RERUN.sh
#!/usr/bin/env bash
# ============================================================================
# FIX7 N7/N8/P7 AUTHORITY-INPUT packet -- STRICT reproducible rerun.
# set -euo pipefail + ERR trap: any nonzero / diff / hash mismatch aborts before
# the final PASS line. "RERUN_RESULT: PASS" prints ONLY after every gate below
# ran and succeeded in THIS invocation (no pinned log is trusted).
# Gates:
#   1 HASH_MANIFEST cross-tool re-hash (shasum -c)
#   2 packet_tree.sha256 == sha256(HASH_MANIFEST.txt)
#   3 canonical command sequence (commands.sh) -> OVERALL: PASS
#   4 bad-input probes -> 10/10 fail-closed
# Fresh-from-KB reconstruction is performed by the operator via governed MCP
# (get_document_for_rewrite per file) into a clean dir, then this RERUN.sh runs
# there; see logs/kb-reconstruct.log for that round-trip evidence.
# SAFE/OFFLINE: no network, no DB, no production.
# ============================================================================
set -euo pipefail
trap 'echo "RERUN_RESULT: FAIL (line $LINENO)"; exit 1' ERR
cd "$(dirname "$0")"
export PYTHONDONTWRITEBYTECODE=1

echo "### 1. HASH_MANIFEST cross-tool re-hash (shasum -c)"
shasum -a 256 -c HASH_MANIFEST.txt > /tmp/authinput-rerun-hashcheck.log
echo "shasum -c: $(grep -c OK /tmp/authinput-rerun-hashcheck.log) entries OK"

echo "### 2. packet_tree.sha256 == sha256(HASH_MANIFEST.txt)"
T=$(shasum -a 256 HASH_MANIFEST.txt | awk '{print $1}')
P=$(awk '{print $1}' packet_tree.sha256)
[ "$T" = "$P" ] && echo "packet_tree OK ($T)" || { echo "packet_tree MISMATCH"; exit 1; }

echo "### 3. canonical command sequence (commands.sh)"
PK=. bash commands.sh

echo "### 4. bad-input probes (10/10 fail-closed)"
python3 bad_input_probes.py .

echo "RERUN_RESULT: PASS (all gates enforced this run)"