FIX7 P0 - CI Seal-vs-Bytes Gate :: OFF-PRODUCTION ADOPTION PACKET (2026-06-12)

Macro: FIX7_P0_FINAL_PRE_REAL_DATA_READINESS_LANE_MACRO_2026_06_12 Scope: LOCAL / OFF-PRODUCTION ONLY. No CI was triggered. No production was contacted. No secrets were read or changed. Production CI adoption remains an owner/operator-only action (blocker FIX7-P0-PROD-CI-SCOPE-1).

What this packet is

The prior shaped-clone lane DESIGNED the CI seal-vs-bytes gate (ci-seal-vs-bytes-gate-design.md + reference checker, packet tree 2fa3d54e..b53c46da). This packet closes the remaining ENGINEERING gap by making the gate adoption-ready off-production:

1. Reference checker - ci_seal_vs_bytes_gate.py, byte-exact to the canonical designed checker (sha256 09c4b8c843d13f545212dfee2b47def64eda1e76 28066c4d86a403cb2184937a, 8089 bytes). Hashes RAW on-disk bytes; compares BOTH sha256 AND exact byte length; no normalization knob exists; fails closed (exit nonzero, no PASS token) on any mismatch or missing file.
2. Expected config - sample-sealed-manifest.json (machine-readable description) + sample-seal-manifest.sha256 (the gate-native format: <sha256> <byte_len> <relpath> per line). The sample seals the gate's own canonical bytes and verifies PASS locally.
3. Workflow stub - sample-workflow-stub.yml. SAMPLE ONLY / NOT WIRED: workflow_dispatch trigger only, branch-guarded to a throwaway wiring-test branch, no deploy step, no secrets.
4. Byte-drift test cases - byte-drift-test-cases/case-01..09.json. Pure-ASCII specs (payloads base64-encoded so this packet itself cannot byte-drift in KB) covering: edited content, Unicode em-dash drift, JSON ensure_ascii re-encode drift, BOM, CRLF, missing file, byte-length mismatch, and same-length hash mismatch, plus the byte-identical control.
5. Test driver - run_byte_drift_tests.py materializes each case in a throwaway temp dir and runs the gate as a subprocess. Result: 9/9 behaved as expected (8/8 drift cases FAIL CLOSED with the expected failure codes and no PASS token; control PASSes) - see ci-gate-test-results.json. The gate's own --selftest also passes (7/7 fail-closed; ci-seal-vs-bytes-gate-selftest-result.json).

What this packet is NOT

• It does NOT wire any CI. Nothing here runs automatically.
• It does NOT touch production, secrets, or deploy surfaces.
• It does NOT close FIX7-P0-PROD-CI-SCOPE-1: production adoption requires (a) the owner deciding to adopt the gate and (b) the operator wiring the stub in a throwaway non-production branch and reviewing it there first.

Rerun

bash commands.sh   # gate selftest + sample-seal verify + 9 byte-drift tests
bash RERUN.sh      # same, from a fresh shell, with hash re-verification

Both must end with OVERALL PASS / RERUN_RESULT PASS and exit 0.