Incomex AI Portal
KB-55F3

FIX7 P0 Codex Review Evidence Bundle — RECONSTRUCTION_COMMANDS

4 min read Revision 1
tool-kiem-thufix7p0codex-review-evidence-bundlenon-authority2026-06-11
<!-- DOC_STATUS: ACTIVE_NON_AUTHORITY -->

Reconstruction Commands — FIX7 P0 Codex Review Evidence Bundle

  • Authority: EVIDENCE_BUNDLE_NON_AUTHORITY. Instructions only; authorizes nothing.
  • Date: 2026-06-11. Tooling: Incomex KB (batch_read / list_documents), POSIX shasum.

The block was an access failure, so reconstruction is designed to not depend on a pre-populated workspace: fetch each artifact fresh from KB, then verify by hash.

A. Verify this bundle (no network)

bash commands.sh        # recompute this bundle's packet_tree + shasum -c HASH_MANIFEST.txt

Expect OVERALL PASS (exit 0). packet_tree.sha256 here = sha256(HASH_MANIFEST.txt).

B. Fresh-from-KB reconstruct of the three external packets

For each packet, fetch HASH_MANIFEST.txt (full bytes) and recompute its tree:

# pseudo-procedure (agent/Codex runs the KB fetch, then shasum locally)
kb batch_read --full \
  knowledge/dev/reports/architecture/fix7-p0-dryrun-and-execution-readiness-packet-2026-06-11/HASH_MANIFEST.txt \
  > _external/dryrun_HASH_MANIFEST.txt
shasum -a 256 _external/dryrun_HASH_MANIFEST.txt
# expect: 02b200e5a3c7a21c2e620b293fbf28ccc81731a983430c3e5a202798c05e94e6

Repeat for:

  • planning: …/fix7-p0-implementation-planning-packet-2026-06-11/HASH_MANIFEST.txt → expect f470d0d019f9af63794ce943a64ea08ff31a17906a7857f4124d0b1e14a0fe8f
  • seal: …/codex-fix7-n7-n8-p7-authority-seal-reauthor-with-valid-a5-2026-06-11/HASH_MANIFEST.txt → expect 3890cd3467720b3f2c105625e2e1dc627fd2e7fdfb74d9059bad95bece12a234

Then run:

bash RERUN.sh           # checks _external/*_HASH_MANIFEST.txt against expected trees + self-check

C. Verify the authority chain digests

Fetch the three seal JSONs and read the pinned digests:

kb batch_read --full \
  .../n7-approval-event.json   # field: envelope_manifest_sha256 = efb0c574…1853d32  (N7)
  .../n8-detached-codex-seal.json # field: detached_seal_sha256 = daa70c39…6117e1a1  (N8)
  .../p7-authoritative-pin.json   # field: authority_seal_pin_sha256 = 9ddb27c3…034550 (P7)

Confirm implementation_authorized_by_p7_alone=false and implementation_boundary=IMPLEMENTATION_EXECUTION_REMAINS_BLOCKED; POST_SEAL_IMPLEMENTATION_PLANNING_ONLY_ALLOWED.

D. Re-run the packet's own validators (optional, staging-only)

Inside the dry-run packet, dryrun_validator.py (11 gates) and bad_input_probes.py (20/20 fail-closed) are executable and read-only; they touch no production. Inside the planning packet, planning_packet_validator.py and its bad_input_probes.py likewise. These re-derive the structural evidence behind the verdict.

E. Optional full byte-exact reconstruct

To reproduce a tree end-to-end, fetch every file in a packet (full bytes), write to a clean temp dir preserving relative paths (incl. logs/), then:

shasum -a 256 -c HASH_MANIFEST.txt           # all files OK
shasum -a 256 HASH_MANIFEST.txt              # == packet_tree.sha256

This is how each tree in EXPECTED_HASHES_AND_TREES.json was verified during this macro.

Boundary

No production mutation. No implementation execution. No REAL_RUN/QT001/apply/permit/activation/ repoint/cutover. Reconstruction is read-only against KB.

Back to Knowledge Hub knowledge/dev/reports/architecture/fix7-p0-codex-review-evidence-bundle-2026-06-11/RECONSTRUCTION_COMMANDS.md