#!/usr/bin/env bash

============================================================================

FIX7 N7/N8/P7 AUTHORITY-INPUT packet -- canonical command sequence.

Runs every gate against the packet directory ($PK, default = this dir).

Prints OVERALL: PASS only if every gate passed in THIS invocation.

Writes per-step exit codes to exit_codes.json.

SAFE/OFFLINE: stdlib python3 + shasum/diff only. No network, no DB, no prod.

============================================================================

set -uo pipefail cd "$(dirname "$0")" export PYTHONDONTWRITEBYTECODE=1 PK="${PK:-.}" mkdir -p cmd-out logs fail=0 declare -a NAMES RCS step(){ echo; echo "### $1"; } record(){ NAMES+=("$1"); RCS+=("$2"); }

step "1. authority-input validator selftest (expect exit 0)" python3 authority_input_validator.py --selftest > cmd-out/validator-selftest.log 2>&1 rc=$?; tail -1 cmd-out/validator-selftest.log; echo "exit=$rc"; record validator_selftest $rc; [ $rc -eq 0 ] || fail=1

step "2. authority-input validator --validate over packet (expect exit 0)" python3 authority_input_validator.py --validate "$PK" > cmd-out/validate.log 2>&1 rc=$?; tail -1 cmd-out/validate.log; echo "exit=$rc"; record validator_validate $rc; [ $rc -eq 0 ] || fail=1

step "3. stale-prose detector selftest (expect exit 0)" python3 stale_prose_detector.py --selftest > cmd-out/stale-selftest.log 2>&1 rc=$?; tail -1 cmd-out/stale-selftest.log; echo "exit=$rc"; record stale_selftest $rc; [ $rc -eq 0 ] || fail=1

step "4. stale-prose detector --scan N6 status (expect exit 0, no live stale prose)" python3 stale_prose_detector.py --scan "$PK/n7-envelope-n6-status.json"
--prose "$PK/n7-envelope-n6-status.json" > cmd-out/stale-scan.log 2>&1 rc=$?; tail -1 cmd-out/stale-scan.log; echo "exit=$rc"; record stale_scan $rc; [ $rc -eq 0 ] || fail=1

step "5. executable authority firewall (expect exit 0; all rules hold)" python3 authority_firewall.py "$PK" > cmd-out/firewall.log 2>&1 rc=$?; tail -1 cmd-out/firewall.log; echo "exit=$rc"; record authority_firewall $rc; [ $rc -eq 0 ] || fail=1

step "6. bad-input probes (expect exit 0; 10/10 fail-closed)" python3 bad_input_probes.py "$PK" > cmd-out/bad-probes.log 2>&1 rc=$?; tail -1 cmd-out/bad-probes.log; echo "exit=$rc"; record bad_input_probes $rc; [ $rc -eq 0 ] || fail=1

step "7. HASH_MANIFEST cross-tool re-hash (shasum -c)" if [ -f HASH_MANIFEST.txt ]; then shasum -a 256 -c HASH_MANIFEST.txt > cmd-out/hashcheck.log 2>&1 rc=$?; echo "shasum -c: $(grep -c OK cmd-out/hashcheck.log) OK"; record hashmanifest $rc; [ $rc -eq 0 ] || fail=1 else echo "HASH_MANIFEST.txt absent (pre-pin run)"; record hashmanifest 0; fi

step "8. packet_tree.sha256 == sha256(HASH_MANIFEST.txt)" if [ -f packet_tree.sha256 ] && [ -f HASH_MANIFEST.txt ]; then T=$(shasum -a 256 HASH_MANIFEST.txt | awk '{print $1}') P=$(awk '{print $1}' packet_tree.sha256) if [ "$T" = "$P" ]; then echo "packet_tree OK ($T)"; record packet_tree 0; else echo "packet_tree MISMATCH $T != $P"; record packet_tree 1; fail=1; fi else echo "packet_tree/HASH_MANIFEST absent (pre-pin run)"; record packet_tree 0; fi

emit exit_codes.json

{ echo "{" echo " "packet": "fix7-n7-n8-p7-authority-input-packet-2026-06-11"," echo " "steps": {" for i in "${!NAMES[@]}"; do sep=","; [ $i -eq $(( ${#NAMES[@]} - 1 )) ] && sep="" echo " "${NAMES[$i]}": ${RCS[$i]}$sep" done echo " }," echo " "overall": $([ $fail -eq 0 ] && echo 0 || echo 1)" echo "}" } > exit_codes.json

echo if [ $fail -eq 0 ]; then echo "OVERALL: PASS (8/8 gates)"; exit 0; else echo "OVERALL: FAIL"; exit 1; fi