Align CORPIFORM runtime authority enforcement and ledger fixtures

execution/gate.sh

@@ -5,24 +5,27 @@ set -euo pipefail
 # Central enforcement gate. No execution may proceed past this point
 # without satisfying all authority and policy checks.
 
-# Required environment variables
 : "${AUTHORITY_SEAL_PATH:?REFUSE: AUTHORITY_SEAL_PATH not set}"
 : "${EXECUTION_COMMAND_PATH:?REFUSE: EXECUTION_COMMAND_PATH not set}"
 : "${EXECUTION_CUSTODIAN:?REFUSE: EXECUTION_CUSTODIAN not set}"
 
-# Authority presence
-seals/require_auctoriseal.sh
+run_or_reject() {
+  local script="$1"
+  local reason="$2"
 
-# Authority verification
-seals/verify_seal.sh
-seals/verify_scope.sh
-seals/verify_time_window.sh
-seals/verify_custody.sh
+  if ! "$script"; then
+    seals/reject_invalid.sh "$reason"
+  fi
+}
+
+run_or_reject seals/require_auctoriseal.sh MISSING_AUTHORITY_SEAL
+run_or_reject seals/verify_seal.sh INVALID_AUTHORITY_SEAL
+run_or_reject seals/verify_scope.sh AUTHORITY_SCOPE_VIOLATION
+run_or_reject seals/verify_time_window.sh AUTHORITY_TIME_WINDOW_VIOLATION
+run_or_reject seals/verify_custody.sh AUTHORITY_CUSTODY_VIOLATION
+run_or_reject seals/verify_revocation.sh AUTHORITY_REVOKED
 
-# Acquire execute-once lock
 execution/state_lock/acquire_lock.sh
 
-# Execution permitted beyond this point
 echo "EXECUTION GATE PASSED"
-
 exit 0

fixtures/expired_authority/command.json

@@ -0,0 +1,13 @@
+{
+  "command_id": "cmd-expired-001",
+  "body": "mail",
+  "action": "MAIL_DISPATCH",
+  "adapter": "smtp",
+  "parameters": {
+    "to": "recipient@example.test",
+    "from": "sender@example.test",
+    "subject": "Expired Authority Test",
+    "body": "This execution must be refused because the authority is expired."
+  },
+  "authority_seal_id": "seal-expired-001"
+}

fixtures/expired_authority/seal.json

@@ -0,0 +1,14 @@
+{
+  "issuer": "root.primary",
+  "authority_seal_id": "seal-expired-001",
+  "custodian": "test-custodian",
+  "scope": {
+    "body": "mail",
+    "action": "MAIL_DISPATCH",
+    "adapter": "smtp"
+  },
+  "valid_from": "2015-01-01T00:00:00Z",
+  "valid_until": "2020-01-01T00:00:00Z",
+  "single_use": true,
+  "signature": "TEST_SIGNATURE_EXPIRED_AUTHORITY"
+}

fixtures/invalid_authority/command.json

@@ -0,0 +1,13 @@
+{
+  "command_id": "cmd-invalid-001",
+  "body": "mail",
+  "action": "MAIL_DISPATCH",
+  "adapter": "smtp",
+  "parameters": {
+    "to": "recipient@example.test",
+    "from": "sender@example.test",
+    "subject": "Invalid Authority Test",
+    "body": "This execution must be refused due to invalid authority."
+  },
+  "authority_seal_id": "seal-invalid-missing-signature"
+}

fixtures/invalid_authority/seal.json

@@ -0,0 +1,13 @@
+{
+  "issuer": "root.primary",
+  "authority_seal_id": "seal-invalid-missing-signature",
+  "custodian": "test-custodian",
+  "scope": {
+    "body": "mail",
+    "action": "MAIL_DISPATCH",
+    "adapter": "smtp"
+  },
+  "valid_from": "2025-01-01T00:00:00Z",
+  "valid_until": "2030-01-01T00:00:00Z",
+  "single_use": true
+}

fixtures/keys/denial.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAreBOCtBzzkl6y0C41lURMsOjXiZSpWPaJYpPj4O4Cb/GrvJe
+LUdj6yrd+NYz76W8Qhfluj5Yw5X9qMKye6gWP/l924kgSdF2AN3NpUPmThsj2RIv
+UNHarT/aSrwTpHWfpNc16swFMVm6xviNYx0aFQHGNkkC3cGNjlvw01izpIoQuBav
+Wwcuz42RB0VmjqTjutTukxUCAKqaWjeAahwlAy9KhdieLQe3tROkRaqzunnVrIAP
+IN/wmzw88AUrUVyeLwwWtmaU738UwMAmuvXZgqer4K/OX5Eg4xAqUEHg53dyLYlE
+xiCAYzN5Yf/h6ocmr3qwIQtwuVITGQyFfFOIRwIDAQABAoIBAAUL03gA4LuF6mhn
+snWV9m/QubcLya4/HZ+lSfXSTs8Jn8yIAC+0OLQkhFiqbstvtez9II+tK4pRmhEB
+xYhNMogcx4hNjIBX8eLIjSVUuSRfKUUtf+4KiRwqFD3DA5bsSvvPuyLbVPM/tWn8
+4K2VtKITcRs2Nz0UVvVgubaIhn4p711xJHxIV/opWrSaMWduYyBm375vasmwhf3/
+z09rjrTIyAAQL3IRKQSj2INv9cCcdUr2N1za3iv08Ev2/nge1YVB5NWiLun56MNM
+df9eZ3B6gmK4eyQipMElMk+2oL1zK7M75hR6ea0wqZQ5drfOxrbAWGmYuiQC9mX1
+U/BGxPECgYEA2koUb3hveDff9A9xTFVjxb7S8309YIuSzXIkpra3f6Vc+iW3P2Wj
+6BAvSgIF5UmW+cuaf6etMGAwI+5CyV/lq4pVMOneGVKMrbbt59JGkJ0IEACTkWi1
+sVo2zbGLLxbk6VyJpTkTn7yGd7vHxogTQRc4LLGxq06p0X8K1WwYpGsCgYEAy+oJ
+hwdcL+3ot+SYV2FkTlUcEpkNCPJb8srCL60VwZXh0kfg1KZ3lcuKBMIZeZGy9Lja
+et7r0M84v8iEaQ+1LdpctN6zesi2z9wp08tJ9d4X0hYZ1YMiYdWTLR64yX42UQoe
+8RCcEOGVNtRhKo6rArscq41YutGb0X6WBobZApUCgYBdYpXNfmOJtbWsjrK0qk8t
+uM48dpa8Z9mc5LkDTWXBSPg2183GZHAzhkEE00q8ZbgeE1l8RTqVWIEfzf1qcwkp
+UtvROivW/3bJllm+9DlWAqgBWI3JBle8kNCjPNJDifLSVtFYCsv3aUrJjF8R8wLx
+tMJGdJqCo/uIcWYsGbuNEwKBgFuluVh931oPVGvqCuoi9KEcMXzOWwRtYRQTOwmQ
+glm6Un9fHNaWZuLlUwfmcOqpqEPDHTbiIBx+NiREK/bIP4b3QHluKj6CHV/4tLfj
+Az/E7PHYSw4iXP6Zrgc2apjs596ubM+txmbz7EtzUqR88LFOhYk5AuscMCsM+MLA
+MqKtAoGATeFtkKz/sBI9D5hP44hVVBKGjihcfdNID/SisHgKXu/RT0ksgMuvADUP
+L6ueP4to7ToxijAs66YymgI/yDC0scEjdCwQcueCPhKobWWTga8qwvtWNp0U80RZ
+SdRfSrjp5fhpGfRb6jJlciuJPictJ9hZwQU+7PPNikWAxLVK9yM=
+-----END RSA PRIVATE KEY-----

fixtures/keys/receipt.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA1FShs0OaJRZIzzjrytumnEFaqIf/SPYMThlpwJpDvF/nVxlZ
+46Yl9GnKvgU4brllPkwjM1HFMosyVzWEchQPqCXLptIIDoGE9VWsMcRikDwzl5cy
+LoTB5gj6WKex/9vRt8nNk4+yPJ3oRSz4URfbFS0SKotM9l6/ctyLYugUl0qx6hP3
+JMU0zYCel1p2uGhoIJwkJahtPD8DCkL6JdaR62dUK0392yKzM2b8zv69PvjFqCvb
+azaRgMOLauQER0zmnR75fzgwO83mfWTnf/0DRcRC8PJCgklI5b1VM8hnbzA/+4f/
+9R8oIK6AlAY2kj7T+oIW7w/56Vl0POKluRO49wIDAQABAoIBAQCXkSo0Sud33eZv
+ddRrZEwUclqCv0GuFWVHQsDIqdX8XAFJnWEbLfkd9X6yEgvsjg8FX1gpRA+eOtre
+gedff46FmyU6mecCY9ZDQrq+c89f4nl5loZNypqW2IXMTziyyXl01msXEJZMyvOI
+ncdMK9lJzniPQgzYOV40YdZl7gD01SDYlqZO9dYcadP9Lb+II002qd2GsLB4JyEx
+1CATTC4iy0DEdclyKfkN2J+7ihuXFnDcYlDjEMOLkByiMDgXSV4rN0JUI6RJoJPV
+JwRxMwBqMxU+pUbzJlpvcfqROF+v5OxsIq01SBPfQ6RDc80R/y8ZvuxS0hkilzLY
+a1PSqwmxAoGBAP9yzTc3fuHaFO++ofVo4e92H8pJ5W/xGF4g75cWZQ/ur2wByiz+
+Fq+7P5F0y8ZZ1QffALKHit+39L+XGJ7IZG76SXDnNO7XVWRZKPLxkq85hsH4KO4+
+Py0tiyXvC1XaHlSf6U7Y106qZNhhr5SFtp/d5tXoOya7s8UMrIGV36BLAoGBANTJ
+/ysmrVwIiF2zDTXywZMV/Iqfoc+HzpFABRdk37LqB1rDKPeS8hn+bq417iajjL30
+11c4ZJ5KabwWcO2+ukvEjo/PN2GVeZV4he46saIQUHZmqkg8Tj1D4HwaObWSSWql
+bDsbv5BQPJ0ooWFYzVJ/y5WB/HRrCEvZKLBu/RaFAoGAYh5hjuUFGpFe21u47/+y
+UP1pZpUNyPqtZnJ2NO2IMh93SCBD3RZX9nYRC7j2EKEuv5A7v1dq01Xgb7sE3PCS
+C0Kd9P0KCvexOBM7NF3v/tg018qPRjuonpzQxuhTzU0zu0OVJRELWo7+n1KeU4ks
+xalBYkaKee09NuIQXNIJjJMCgYEAkhAeIcao1TXeNUNE3DVIfuhms9kjv0rfloC1
+fft2Ol++sKSqKFcr7H/kBZ1rXgaCA5pffrVtC+LUdZGJ7wgu5PeFTF3XDBsInHtg
+o8iSSkaclMmgNXl/0zoWi9mMp4BE+PmYM3K2qh8JnG9ZZ3MHbYvfeT8Cxf76cOYd
+sg5dl+kCgYB0Tso0i4uTBDzn617dEmXGoJSc4pCaq0r504U05/b5tPIu6wlYn9m5
+ZS1027NENgKChXFTcmPwAbGF5o9xaSqpnJbybJf1vPQAlgoBBPGGgvXrTDKVj6U6
+ourNqwRRA47juGeutLuElZ6TrOAVPlUO1pfyxQ8dtLjqU4pFqTGMiw==
+-----END RSA PRIVATE KEY-----

fixtures/replay_attempt/command.json

@@ -0,0 +1,13 @@
+{
+  "command_id": "cmd-replay-001",
+  "body": "mail",
+  "action": "MAIL_DISPATCH",
+  "adapter": "smtp",
+  "parameters": {
+    "to": "recipient@example.test",
+    "from": "sender@example.test",
+    "subject": "Replay Attempt Test",
+    "body": "This command must execute once and be refused on replay."
+  },
+  "authority_seal_id": "seal-replay-001"
+}

fixtures/replay_attempt/seal.json

@@ -0,0 +1,14 @@
+{
+  "issuer": "root.primary",
+  "authority_seal_id": "seal-replay-001",
+  "custodian": "test-custodian",
+  "scope": {
+    "body": "mail",
+    "action": "MAIL_DISPATCH",
+    "adapter": "smtp"
+  },
+  "valid_from": "2025-01-01T00:00:00Z",
+  "valid_until": "2030-01-01T00:00:00Z",
+  "single_use": true,
+  "signature": "TEST_SIGNATURE_SINGLE_USE"
+}

fixtures/revoked_authority/command.json

@@ -0,0 +1,13 @@
+{
+  "command_id": "cmd-revoked-001",
+  "body": "mail",
+  "action": "MAIL_DISPATCH",
+  "adapter": "smtp",
+  "parameters": {
+    "to": "recipient@example.test",
+    "from": "sender@example.test",
+    "subject": "Revoked Authority Test",
+    "body": "This execution must be refused because the authority is revoked."
+  },
+  "authority_seal_id": "seal-revoked-001"
+}

fixtures/revoked_authority/revocation.record.json

@@ -1,5 +1,5 @@
 {
-  "issuer": "auctoriseal:test-root",
+  "issuer": "root.primary",
   "revocation_id": "revocation-001",
   "authority_seal_id": "seal-revoked-001",
   "reason": "TEST_REVOCATION",

fixtures/revoked_authority/seal.json

@@ -0,0 +1,14 @@
+{
+  "issuer": "root.primary",
+  "authority_seal_id": "seal-revoked-001",
+  "custodian": "test-custodian",
+  "scope": {
+    "body": "mail",
+    "action": "MAIL_DISPATCH",
+    "adapter": "smtp"
+  },
+  "valid_from": "2024-01-01T00:00:00Z",
+  "valid_until": "2030-01-01T00:00:00Z",
+  "single_use": true,
+  "signature": "TEST_SIGNATURE_REVOKED_AUTHORITY"
+}

fixtures/time_violation/command.json

@@ -0,0 +1,13 @@
+{
+  "command_id": "cmd-time-violation-001",
+  "body": "mail",
+  "action": "MAIL_DISPATCH",
+  "adapter": "smtp",
+  "parameters": {
+    "to": "recipient@example.test",
+    "from": "sender@example.test",
+    "subject": "Time Violation Test",
+    "body": "This execution must be refused because authority time window is invalid."
+  },
+  "authority_seal_id": "seal-time-past-001"
+}

fixtures/time_violation/seal.json

@@ -0,0 +1,14 @@
+{
+  "issuer": "root.primary",
+  "authority_seal_id": "seal-time-past-001",
+  "custodian": "test-custodian",
+  "scope": {
+    "body": "mail",
+    "action": "MAIL_DISPATCH",
+    "adapter": "smtp"
+  },
+  "valid_from": "2010-01-01T00:00:00Z",
+  "valid_until": "2015-01-01T00:00:00Z",
+  "single_use": true,
+  "signature": "TEST_SIGNATURE_PAST_VALID_UNTIL"
+}

fixtures/valid_authority/command.json

@@ -0,0 +1,13 @@
+{
+  "command_id": "cmd-valid-001",
+  "body": "mail",
+  "action": "MAIL_DISPATCH",
+  "adapter": "smtp",
+  "parameters": {
+    "to": "recipient@example.test",
+    "from": "sender@example.test",
+    "subject": "Test Message",
+    "body": "This is a test email dispatched under valid authority."
+  },
+  "authority_seal_id": "seal-valid-001"
+}

fixtures/valid_authority/seal.json

@@ -0,0 +1,14 @@
+{
+  "issuer": "root.primary",
+  "authority_seal_id": "seal-valid-001",
+  "custodian": "test-custodian",
+  "scope": {
+    "body": "mail",
+    "action": "MAIL_DISPATCH",
+    "adapter": "smtp"
+  },
+  "valid_from": "2025-01-01T00:00:00Z",
+  "valid_until": "2030-01-01T00:00:00Z",
+  "single_use": true,
+  "signature": "TEST_SIGNATURE_NOT_CRYPTOGRAPHICALLY_VALID"
+}

runtime/runner/run.sh

@@ -15,23 +15,42 @@ set -euo pipefail
 # Canonical denial emission hook
 export DENIAL_EMIT_SCRIPT="${DENIAL_EMIT_SCRIPT:-denials/emit.sh}"
 
-# Ensure system is not dead or frozen
-if grep -q "DEAD" STATUS.md; then
-  echo "REFUSE: system is dead"
-  if [[ -x "$DENIAL_EMIT_SCRIPT" ]]; then
-    "$DENIAL_EMIT_SCRIPT" "SYSTEM_DEAD" || true
-  fi
-  exit 1
-fi
+CURRENT_STATE="$(
+  python3 - <<'PY'
+from pathlib import Path
+
+for line in Path("STATUS.md").read_text().splitlines():
+    if line.startswith("**CURRENT STATE:**"):
+        print(line.split(":", 1)[1].replace(chr(96), "").strip())
+        break
+PY
+)"
 
-if grep -q "FROZEN" STATUS.md; then
-  echo "REFUSE: system is frozen"
+if [[ -z "${CURRENT_STATE:-}" ]]; then
+  echo "REFUSE: current state unresolved"
   if [[ -x "$DENIAL_EMIT_SCRIPT" ]]; then
-    "$DENIAL_EMIT_SCRIPT" "SYSTEM_FROZEN" || true
+    "$DENIAL_EMIT_SCRIPT" "STATUS_STATE_UNRESOLVED" || true
   fi
   exit 1
 fi
 
+case "$CURRENT_STATE" in
+  DEAD)
+    echo "REFUSE: system is dead"
+    if [[ -x "$DENIAL_EMIT_SCRIPT" ]]; then
+      "$DENIAL_EMIT_SCRIPT" "SYSTEM_DEAD" || true
+    fi
+    exit 1
+    ;;
+  FROZEN)
+    echo "REFUSE: system is frozen"
+    if [[ -x "$DENIAL_EMIT_SCRIPT" ]]; then
+      "$DENIAL_EMIT_SCRIPT" "SYSTEM_FROZEN" || true
+    fi
+    exit 1
+    ;;
+esac
+
 # Authority + policy gate
 execution/gate.sh
 

seals/verify_revocation.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# VERIFY REVOCATION
+# Refuses execution if authority seal is revoked.
+
+SEAL_FILE="${AUTHORITY_SEAL_PATH:-}"
+
+if [[ -z "$SEAL_FILE" ]]; then
+  echo "REFUSE: no authority seal path provided"
+  exit 1
+fi
+
+if [[ ! -f "$SEAL_FILE" ]]; then
+  echo "REFUSE: authority seal file not found"
+  exit 1
+fi
+
+REVOKED=$(jq -r ".revoked // false" "$SEAL_FILE")
+
+if [[ "$REVOKED" == "true" ]]; then
+  echo "REFUSE: authority revoked"
+  exit 1
+fi
+
+echo "AUTHORITY NOT REVOKED"
+exit 0