#!/usr/bin/env python3

-- coding: ascii --

"""Exercise the canonical hardened rollback validator against THIS lane's surrogate rehearsal evidence.

Four proofs, all required for PASS:

1. BYTE-EXACT: the local hardened_dryrun_validator.py is byte-identical to the canonical pin e6547e69..956c47.
2. SELFTEST: the validator's own selftest passes (real frozen T1 evidence passes; a fabricated no-mutation rollback fails closed).
3. REHEARSAL: check_rollback_proof() returns NO fail codes on this lane's surrogate rollback evidence (rollback-evidence.json).
4. NEGATIVE CONTROL: a fabricated after_apply_hash == before_hash entry fails closed (ROLLBACK_APPLY_DID_NOT_MUTATE).

Emits hardened-validator-result.json. Exit 0 only if all hold. No production contact; pure local static evaluation of frozen JSON. """ import sys sys.dont_write_bytecode = True # keep packet dir free of pycache import copy import hashlib import json import os

HERE = os.path.dirname(os.path.abspath(file)) sys.path.insert(0, HERE) import hardened_dryrun_validator as V # noqa: E402

CANON_SHA = "e6547e6935cb01aae5feb405899c97107f1990ff3e2f7e6b9157828a90956c47"

result = {"doc": "fix7-p0-final-pre-real-data-hardened-validator-result", "date": "2026-06-12", "scope": "LOCAL_STATIC_NO_PRODUCTION_CONTACT", "rehearsal_target": "GENERATED_SURROGATE_NOT_REAL_PRODUCTION_DUMP"}

with open(os.path.join(HERE, "hardened_dryrun_validator.py"), "rb") as fh: actual_sha = hashlib.sha256(fh.read()).hexdigest() result["validator_local_copy_sha256"] = actual_sha result["canonical_hardened_validator_sha256"] = CANON_SHA result["validator_is_canonical_byte_exact"] = (actual_sha == CANON_SHA)

selftest_ok = V.selftest(HERE) result["selftest_pass"] = bool(selftest_ok)

with open(os.path.join(HERE, "rollback-evidence.json"), encoding="utf-8") as fh: rb = json.load(fh) rehearsal_fails = V.check_rollback_proof(rb) result["rehearsal_check_rollback_proof_fails"] = rehearsal_fails result["rehearsal_pass"] = (len(rehearsal_fails) == 0) print("[%s] surrogate rollback evidence passes hardened gate%s" % ("PASS" if result["rehearsal_pass"] else "FAIL", "" if result["rehearsal_pass"] else " -> " + "; ".join(rehearsal_fails)))

fake = copy.deepcopy(rb) e0 = fake["entries"][0] e0["after_apply_hash"] = e0["before_hash"] # claim mutation, nothing changed e0["after_rollback_hash"] = e0["before_hash"] fake["entries"] = [e0] neg_fails = V.check_rollback_proof(fake) neg_closed = any(f.startswith("ROLLBACK_APPLY_DID_NOT_MUTATE") for f in neg_fails) result["negative_control_fail_codes"] = neg_fails result["negative_control_fails_closed"] = bool(neg_closed) print("[%s] fabricated no-mutation surrogate entry fails closed%s" % ("PASS" if neg_closed else "FAIL", " (" + "; ".join(neg_fails) + ")" if neg_fails else " (FAIL-OPEN!)"))

result["after_apply_differs_from_before"] = all( e["after_apply_hash"] != e["before_hash"] for e in rb["entries"]) result["after_rollback_restores_before"] = all( e["after_rollback_hash"] == e["before_hash"] for e in rb["entries"]) result["production_rollback_status"] = rb.get("production_rollback_status")

overall = (result["validator_is_canonical_byte_exact"] and result["selftest_pass"] and result["rehearsal_pass"] and result["negative_control_fails_closed"] and result["after_apply_differs_from_before"] and result["after_rollback_restores_before"] and result["production_rollback_status"] == "NOT_APPLICABLE") result["overall"] = "PASS" if overall else "FAIL"

with open(os.path.join(HERE, "hardened-validator-result.json"), "w", encoding="ascii") as fh: json.dump(result, fh, indent=2, sort_keys=True, ensure_ascii=True) fh.write("\n")

print("HARDENED_VALIDATOR_OVERALL:", result["overall"]) sys.exit(0 if overall else 1)