Incomex AI Portal
KB-1C2D

FIX7 P0 Shaped-Clone CI-Gate — run_hardened_validator.py

3 min read Revision 1
tool-kiem-thufix7p0production-shaped-cloneci-gate-packet2026-06-12

#!/usr/bin/env python3

-- coding: utf-8 --

""" Run the canonical hardened validator's --selftest and record the result.

In THIS macro there is NO operator-provided production-shaped clone, so the clone-rehearsal leg is NOT_APPLIED. What CAN be proven without a clone is that the mandatory hardened validator is present, byte-exact to canonical (e6547e69..956c47), that its selftest PASSes, and that a fabricated no-mutation rollback fails closed. That is what this script records. """ import hashlib import json import os import subprocess import sys

HERE = os.path.dirname(os.path.abspath(file)) VALIDATOR = os.path.join(HERE, "hardened_dryrun_validator.py") CANON_SHA = "e6547e6935cb01aae5feb405899c97107f1990ff3e2f7e6b9157828a90956c47" OUT = os.path.join(HERE, "hardened-validator-result.json")

def main(): with open(VALIDATOR, "rb") as fh: actual_sha = hashlib.sha256(fh.read()).hexdigest() byte_exact = (actual_sha == CANON_SHA)

proc = subprocess.run([sys.executable, VALIDATOR, "--selftest"],
                      capture_output=True, text=True, cwd=HERE)
selftest_pass = (proc.returncode == 0)
out = proc.stdout
negative_control_fails_closed = "fabricated no-mutation rollback fails closed" in out and \
    "ROLLBACK_APPLY_DID_NOT_MUTATE" in out

result = {
    "doc": "fix7-p0-shaped-clone-hardened-validator-result",
    "date": "2026-06-12",
    "validator_path": "hardened_dryrun_validator.py",
    "validator_sha256": actual_sha,
    "validator_is_canonical_byte_exact": byte_exact,
    "canonical_sha256_expected": CANON_SHA,
    "selftest_pass": selftest_pass,
    "negative_control_fails_closed": negative_control_fails_closed,
    "clone_rehearsal_leg": "NOT_APPLIED_NO_PRODUCTION_SHAPED_CLONE",
    "rehearsal_pass": None,
    "selftest_stdout": out.strip().splitlines(),
    "overall": ("PASS_VALIDATOR_READY_REHEARSAL_NOT_APPLIED"
                if (byte_exact and selftest_pass and negative_control_fails_closed)
                else "FAIL"),
    "production_contact": False,
}
with open(OUT, "w", encoding="utf-8") as fh:
    json.dump(result, fh, indent=2, sort_keys=True, ensure_ascii=True)
    fh.write("\n")
print("HARDENED_VALIDATOR: byte_exact=%s selftest=%s neg_control=%s"
      % (byte_exact, selftest_pass, negative_control_fails_closed))
ok = byte_exact and selftest_pass and negative_control_fails_closed
print("RUN_HARDENED_VALIDATOR_RESULT: %s" % ("PASS" if ok else "FAIL"))
sys.exit(0 if ok else 1)

if name == "main": main()

Back to Knowledge Hub knowledge/dev/reports/architecture/fix7-p0-production-shaped-clone-rehearsal-ci-gate-packet-2026-06-12/run_hardened_validator.py