FIX7 Real-N6 packet — commands.sh
#!/usr/bin/env bash
# ============================================================================
# FIX7 REAL-N6 provenance packet -- canonical command sequence (TKT v0.2 style).
# Runs the four gates against a reconstructed governed-evidence tree ($RECON).
# Prints OVERALL: PASS only if every gate passed in THIS invocation.
# RECON env (default _recon) must be a tree produced by kb_fetch_reconstruct.py.
# Exit codes per step are recorded in exit_codes.json.
# SAFE/OFFLINE: stdlib python3 + diff only; no network, no DB, no production.
# ============================================================================
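# Shell options: unset variables are errors and a pipeline fails if any stage
# fails. `-e` is not enabled; each gate below captures its own exit status in
# `rc` and folds it into `fail`, so later gates still run after a failure.
set -uo pipefail

# Every path below (verifier scripts, pinned certificate, cmd-out/) is
# relative, so the gates are only meaningful when run from the packet
# directory. Abort if the directory change fails: continuing would resolve
# those relative paths against whatever directory the caller happened to be
# in, including the Python scripts that get executed.
cd "$(dirname "$0")" || {
  printf '%s\n' "FATAL: cannot change to packet directory" >&2
  exit 1
}

# Keep python3 from writing .pyc files into the packet directory.
export PYTHONDONTWRITEBYTECODE=1

# Reconstructed governed-evidence tree; caller may override via the environment.
RECON="${RECON:-_recon}"

# All gate logs and the regenerated certificate are written here. Without it
# every redirection below fails, so stop early with a clear message.
mkdir -p cmd-out || {
  printf '%s\n' "FATAL: cannot create cmd-out" >&2
  exit 1
}

# Sticky failure flag: set to 1 by any gate that does not exit 0, never reset.
fail=0

# Print a blank line followed by a "### <title>" banner for gate $1.
step() {
  echo
  echo "### $1"
}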
# Gate 1: run the verifier's built-in selftest. Full output goes to the log;
# only its last line and the exit status are echoed. A non-zero status marks
# the run as failed but does not stop the remaining gates.
step "1. real-N6 verifier selftest (expect exit 0)"
python3 real_n6_provenance_verifier.py --selftest \
  > cmd-out/verifier-selftest.log 2>&1
rc=$?
tail -n 1 cmd-out/verifier-selftest.log
echo "exit=$rc"
if ! [ "$rc" -eq 0 ]; then
  fail=1
fi
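# Gate 2: verify the corpus under $RECON and emit a fresh certificate to
# cmd-out/regenerated-cert.json. Verifier output goes to cmd-out/verify.log;
# only its last line and the exit status are echoed.
step "2. verify REAL N6 from governed corpus + emit certificate (expect exit 0)"

# Drop any certificate left behind by an earlier run so that the comparison in
# step 2b can only see a file written during this invocation. Whether the
# verifier always rewrites the file on exit 0 is not visible from this script,
# so a stale file is removed rather than trusted. Failure to remove it is
# itself treated as a gate failure.
rm -f -- cmd-out/regenerated-cert.json || fail=1

# The option lines are continuations of one python3 command; each needs its
# trailing backslash or it would be executed as a separate command.
python3 real_n6_provenance_verifier.py --verify \
  --corpus "$RECON/docs" \
  --canonicalizer "$RECON/evidence/fix7_canon_v1_ssot_extended.py" \
  --ssot "$RECON/evidence/canonicalizer-fix7-canon-v1-ssot.md" \
  --hash-manifest "$RECON/HASH_MANIFEST.txt" \
  --provenance ENGINEERING_VERIFIED_CANDIDATE --source GOVERNED_KB \
  --emit-cert cmd-out/regenerated-cert.json > cmd-out/verify.log 2>&1
rc=$?
tail -n 1 cmd-out/verify.log
echo "exit=$rc"
[ "$rc" -eq 0 ] || fail=1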
# Gate 2b: the certificate regenerated in step 2 must match the pinned
# certificate exactly. diff's output (differences or its own error text, e.g.
# a missing file) is captured in cmd-out/cert.diff and shown on mismatch.
# Any non-zero diff status counts as drift.
step "2b. regenerated certificate == pinned certificate (deterministic, byte-identical)"
if diff cmd-out/regenerated-cert.json real-n6-provenance-certificate.json \
  > cmd-out/cert.diff 2>&1
then
  echo "regenerated cert == pinned cert"
else
  echo "CERT DRIFT"
  cat cmd-out/cert.diff
  fail=1
fi
# Gate 3: run the adversarial probe script against the $RECON tree. What the
# probes cover is defined in n6_adversarial_probes.py, not here; this gate
# only requires that the script exits 0. The last two log lines are echoed.
step "3. Codex-style adversarial probes (expect exit 0; all fail-closed)"
python3 n6_adversarial_probes.py "$RECON" \
  > cmd-out/probes.log 2>&1
rc=$?
tail -n 2 cmd-out/probes.log
echo "exit=$rc"
if ! [ "$rc" -eq 0 ]; then
  fail=1
fi
# Gate 4: run the authority firewall script against the $RECON tree. The rules
# themselves live in authority_firewall.py; this gate only requires exit 0.
# Full output goes to the log; its last line and the exit status are echoed.
step "4. executable authority firewall (expect exit 0; all rules hold)"
python3 authority_firewall.py "$RECON" \
  > cmd-out/firewall.log 2>&1
rc=$?
tail -n 1 cmd-out/firewall.log
echo "exit=$rc"
if ! [ "$rc" -eq 0 ]; then
  fail=1
fi
# Gate 5: load the pinned certificate and ask the verifier module to check its
# binding via verify_certificate(). The inline Python exits 0 only when that
# call returns a truthy value.
#
# Notes for reviewers:
#  - The module is imported from the current directory (sys.path gets "."
#    prepended), so this gate checks whatever real_n6_provenance_verifier.py
#    sits in the working directory.
#  - "$RECON" is passed as an argument but the inline script never reads
#    sys.argv.
#  - The heredoc delimiter is quoted ('PY'), so the shell performs no
#    expansion inside the Python source.
step "5. certificate binding self-check (recompute binding digest)"
python3 - "$RECON" <<'PY' > cmd-out/cert-binding.log 2>&1
import json,sys
sys.path.insert(0,".")
import real_n6_provenance_verifier as V
cert=json.load(open("real-n6-provenance-certificate.json"))
ok=V.verify_certificate(cert)
print("certificate binding intact:", ok, "| n6=", cert["n6_active_corpus_sha256"], "| authority=", cert["authority"])
sys.exit(0 if ok else 1)
PY
rc=$?
cat cmd-out/cert-binding.log
echo "exit=$rc"
if ! [ "$rc" -eq 0 ]; then
  fail=1
fi
# Final verdict. PASS is reported only when `fail` is exactly 0; any other
# value, including one that makes the numeric test itself error out, falls
# through to FAIL, so the verdict stays fail-closed.
# NOTE(review): the message says 5/5 gates, while step 2b's certificate
# comparison also feeds `fail` -- confirm the intended gate count.
echo
if [ "$fail" -eq 0 ]; then
  echo "OVERALL: PASS (5/5 gates)"
  exit 0
fi
echo "OVERALL: FAIL"
exit 1