#!/usr/bin/env python3

============================================================================

FIX7 REAL-N6 -- EXECUTABLE AUTHORITY FIREWALL (fail-closed)

Enforces, as runnable assertions, the boundary between an ENGINEERING N6

candidate and any AUTHORITY act. exit 0 iff EVERY rule holds. A single broken

rule -> nonzero. This firewall does not seal, approve, or promote anything.

Usage: python3 authority_firewall.py <recon_dir>

============================================================================

import os, sys, importlib.util

HERE = os.path.dirname(os.path.abspath(file)) sys.path.insert(0, HERE) import real_n6_provenance_verifier as V

RECON = sys.argv[1] if len(sys.argv) > 1 else "_recon" DOCS = os.path.join(RECON, "docs") CANON = os.path.join(RECON, "evidence", "fix7_canon_v1_ssot_extended.py") SSOT = os.path.join(RECON, "evidence", "canonicalizer-fix7-canon-v1-ssot.md") HM = os.path.join(RECON, "HASH_MANIFEST.txt") ENC_PATH = os.path.join(RECON, "authority", "authority_seal_encoder.py") _spec = importlib.util.spec_from_file_location("authority_seal_encoder", ENC_PATH) E = importlib.util.module_from_spec(_spec); _spec.loader.exec_module(E)

rules = [] def rule(name, ok, note=""): rules.append((name, bool(ok), note))

def main(): cert = V.verify_real_n6(DOCS, CANON, SSOT, HM) # the genuine engineering candidate

# F1: real N6 engineering candidate is NOT an official seal
rule("F1 N6 candidate is NOT a seal",
     cert["authority"] == "NOT_A_SEAL" and cert["is_official_pin"] is False)

# F2: N6 engineering candidate does NOT create N7/N8/P7
rule("F2 N6 candidate does not create N7/N8/P7",
     cert["creates_n7_n8_p7"] is False)

# F3: N7/N8/P7 remain BLOCKED without owner/Codex authority. Feed the genuine
#     candidate provenance + (would-be) authority classes but DO NOT assert a
#     real upstream -> the encoder must still refuse.
blocked_n7 = False
good = {f: "ENGINEERING_VERIFIED_CANDIDATE" for f in
        ("active_corpus_sha256", "membership_sha256", "canonicalizer_sha256",
         "marker_fence_registry_sha256", "superseded_boundary_sha256", "guard_set_sha256")}
for f in ("approval_event_id", "approver_identity", "approval_event_timestamp", "owner_blueprint_decision"):
    good[f] = "AUTHORITY_INPUT"
try:
    E.encode_real_n7(E.fixture_n7_pairs(), good)   # real_n6_available defaults False
except E.Reject as e:
    blocked_n7 = (e.status == "SEAL_REAL_N6_NOT_AVAILABLE")
rule("F3 N7 blocked without owner/Codex authority (no real-upstream assertion)", blocked_n7, "SEAL_REAL_N6_NOT_AVAILABLE")

# F4: rehearsal cannot become authority
blocked_reh = False
try:
    E.encode_real_n7(E.fixture_n7_pairs(), E.fixture_rehearsal_provenance())
except E.Reject as e:
    blocked_reh = (e.status == "SEAL_PROVENANCE_REHEARSAL_BLOCKED")
rule("F4 rehearsal cannot become authority", blocked_reh)

# F5: candidate cannot become OFFICIAL_PIN without authority
blocked_pin = False
try:
    V.verify_real_n6(DOCS, CANON, SSOT, HM, provenance_class="OFFICIAL_PIN")
except V.N6Reject as e:
    blocked_pin = (e.status == "N6_OFFICIAL_PIN_WITHOUT_AUTHORITY")
rule("F5 candidate cannot self-promote to OFFICIAL_PIN", blocked_pin)

# F6: local-only evidence cannot become authority
blocked_local = False
try:
    V.verify_real_n6(DOCS, CANON, SSOT, HM, source_kind="LOCAL_ONLY")
except V.N6Reject as e:
    blocked_local = (e.status == "N6_SOURCE_NOT_GOVERNED")
rule("F6 local-only evidence cannot become authority", blocked_local)

# F7: T2 v0.2 dev proof cannot become owner/Codex seal. The candidate cert is
#     explicitly engineering; promotion is gated to owner/Codex. Assert the
#     cert says so and the seal layer never auto-promotes a dev/engineering class.
rule("F7 dev/engineering proof != owner/Codex seal",
     cert["owner_codex_required_for_promotion"] is True and
     cert["n_number_table"] == "ENGINEERING_CONVENTION_ONLY_NOT_RATIFIED")

# F8: Stage 2.6B / permit / REAL_RUN / QT001 remain blocked (out-of-lane guard)
def out_of_lane(op):
    raise V.N6Reject("OUT_OF_LANE_OPERATION_BLOCKED", op)
all_blocked = True
for op in ("STAGE_2_6B", "permit", "REAL_RUN", "QT001", "activation", "repoint", "cutover"):
    try:
        out_of_lane(op); all_blocked = False
    except V.N6Reject:
        pass
rule("F8 Stage2.6B/permit/REAL_RUN/QT001 remain blocked", all_blocked)

npass = sum(1 for _, ok, _ in rules if ok)
for name, ok, note in rules:
    print(f"  [{'PASS' if ok else 'FAIL'}] {name}" + (f"  ({note})" if note else ""))
print(f"AUTHORITY-FIREWALL: {npass}/{len(rules)} rules hold")
return all(ok for _, ok, _ in rules)

if name == "main": sys.exit(0 if main() else 1)