KB-11A2
FIX7 Real-N6 — fix7-real-n6-authority-firewall-under-tkt-v02-2026-06-11.md
3 min read Revision 1
tool-kiem-thufix7n6real-n6tkt-v022026-06-11
FIX7 Real-N6 Authority Firewall — under TKT v0.2 (2026-06-11)
- Host: T1. Codex: NO. Owner: NO. Production mutation: NO.
- Executable:
authority_firewall.pyin packet…/fix7-real-n6-provenance-under-tkt-v02-2026-06-11/. - Result: 8/8 rules hold (exit 0), run against fresh-reconstructed governed evidence.
Firewall rules (each an executable assertion)
| rule | enforces | mechanism | result |
|---|---|---|---|
| F1 | real N6 candidate is NOT an official seal | cert authority=NOT_A_SEAL, is_official_pin=false |
PASS |
| F2 | N6 candidate does not create N7/N8/P7 | cert creates_n7_n8_p7=false |
PASS |
| F3 | N7/N8/P7 remain blocked without owner/Codex authority | encoder encode_real_n7(candidate+authority classes, no real-upstream) → SEAL_REAL_N6_NOT_AVAILABLE |
PASS |
| F4 | rehearsal cannot become authority | encoder rehearsal provenance → SEAL_PROVENANCE_REHEARSAL_BLOCKED |
PASS |
| F5 | candidate cannot self-promote to OFFICIAL_PIN | verifier OFFICIAL_PIN w/o authority → N6_OFFICIAL_PIN_WITHOUT_AUTHORITY |
PASS |
| F6 | local-only evidence cannot become authority | verifier source_kind=LOCAL_ONLY → N6_SOURCE_NOT_GOVERNED |
PASS |
| F7 | T2 v0.2 dev proof ≠ owner/Codex seal | cert owner_codex_required_for_promotion=true, n_number_table=ENGINEERING_CONVENTION_ONLY_NOT_RATIFIED |
PASS |
| F8 | Stage 2.6B / permit / REAL_RUN / QT001 remain blocked | out-of-lane guard refuses every op | PASS |
What the firewall guarantees about this macro
- A real engineering N6 candidate now exists and is verified — but it is firewalled from every authority act: it is not a seal (F1), creates nothing downstream (F2), and the seal layer stays blocked (F3) until owner/Codex supply authority inputs and ratify/promote.
- Rehearsal evidence (F4), local-only evidence (F6), and dev/engineering proof (F7) can never cross into authority. The candidate cannot promote itself (F5).
- The forbidden operational lanes (Stage 2.6B / permit / REAL_RUN / QT001 / activation / repoint / cutover) remain blocked (F8).
Firewall verdict
PASS — the engineering↔authority boundary holds under executable assertion. Closing the engineering
half of SEAL_REAL_N6_NOT_AVAILABLE does not weaken any authority gate.