Merge pull request #153 from living-ip/codex/leo-telegram-visible-chain-20260715
Some checks are pending
CI / lint-and-test (push) Waiting to run

Prepare zero-mutation Telegram-visible Leo reasoning chain
This commit is contained in:
twentyOne2x 2026-07-15 06:28:23 +02:00 committed by GitHub
commit 33399bd9ac
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
14 changed files with 4427 additions and 0 deletions

View file

@ -0,0 +1,272 @@
{
"authorization_gate_status": "ready_to_request_exact_authorization",
"browser_provenance_contract": {
"capture_channel": "codex_chrome_extension",
"requires_browser_session_tab_and_capture_identifiers": true,
"requires_chrome_backend_tool_receipts": true,
"requires_codex_rollout_log_outside_evidence_root": true,
"requires_codex_user_message_authorization_receipt": true,
"requires_hashes_for_every_screenshot_and_accessibility_artifact": true,
"requires_preflight_challenge_nonce": true,
"requires_provenance_sha256_in_final_chrome_tool_receipt": true,
"requires_telegram_web_origin_and_chat_identity": true,
"schema": "livingip.authenticatedChromeTelegramCaptureProvenance.v1"
},
"checks": {
"authenticated_chrome_is_only_send_transport": true,
"canonical_manifest_path_and_sha_bound": true,
"database_session_and_role_fail_closed_read_only": true,
"exact_prompts_imported_from_handler_verifier": true,
"exact_three_turn_sequence": true,
"first_prompt_supplies_no_row_id": true,
"handler_checks_all_pass": true,
"handler_outcomes_all_pass": true,
"handler_prompt_ids_exact": true,
"handler_proved_no_telegram_post": true,
"handler_proved_read_only_tool_traces": true,
"handler_proved_unchanged_fingerprint": true,
"handler_receipt_passed": true,
"handler_receipt_schema_supported": true,
"handler_safety_gate_passed": true,
"handler_tier_remains_below_telegram_visible": true,
"independent_browser_provenance_required": true,
"packet_does_not_mutate_database": true,
"packet_does_not_send": true
},
"claim_ceiling": {
"current_tier": "T0_spec_plus_prior_T2_handler_evidence",
"not_proven": [
"Telegram-visible delivery of these three messages",
"Telegram-visible replies from Leo",
"post-send canonical fingerprint equality"
],
"proven": "The exact three-turn Chrome send packet is bound to a passing no-send handler receipt.",
"required_tier": "T3_live_readonly"
},
"clear_CTA": "Reply with the exact authorization sentence in this packet. That sentence names the destination, transport, complete message bodies, ordering, evidence, and no-mutation boundary.",
"exact_messages": [
{
"dimension": "independent_weak_claim_selection",
"message": "Looking at what Leo currently believes about collective intelligence or coordination, pick one claim that would matter to a founder making a product decision but seems more confident than its support. Do not ask me for an ID. Show what the database actually says and what supports it, then tell me the first narrower claim you would test. Do not change anything yet.",
"message_sha256": "c63838b98448f4f4599e4cf2b004c6b36f602ad0d25c92e442a6f866cd2740fc",
"prompt_id": "OOS-CHAIN-01",
"sequence": 1,
"wait_for_visible_reply_before_next": true
},
{
"dimension": "challenge_body_evidence_and_candidates",
"message": "That still feels like you are polishing the same idea. Inspect the exact body and evidence you just chose: what is assumption versus observed support, what would falsify it, and which replacement claim or claims would you put into review? Keep them as proposals, not live knowledge.",
"message_sha256": "73346a98db4d7f74b49e1a5741b323d4216fd21f8346f6c4a4a69b1a6dd07946",
"prompt_id": "OOS-CHAIN-02",
"sequence": 2,
"wait_for_visible_reply_before_next": true
},
{
"dimension": "user_objection_revision_and_apply_boundary",
"message": "I disagree with your first replacement because it jumps from a mechanism to a business outcome. Revise it with that objection, tell me what source would resolve the disagreement, and show the approval and apply boundary before it could become part of Leo.",
"message_sha256": "5f6b32b2c8c51cc594242ed9bdac849c744156ca2395efb7e8593c83c86286d4",
"prompt_id": "OOS-CHAIN-03",
"sequence": 3,
"wait_for_visible_reply_before_next": true
}
],
"expected_proof_paths_after_authorized_run": {
"browser_provenance": "outputs/telegram-visible-unseen-chain-20260715/browser-provenance.json",
"capture_json": "outputs/telegram-visible-unseen-chain-20260715/capture.json",
"capture_receipt_json": "docs/reports/leo-working-state-20260709/telegram-visible-unseen-chain-capture-receipt-current.json",
"final_accessibility": "outputs/telegram-visible-unseen-chain-20260715/final-accessibility.txt",
"final_screenshot": "outputs/telegram-visible-unseen-chain-20260715/final.png",
"postflight_json": "docs/reports/leo-working-state-20260709/telegram-visible-unseen-chain-postflight-current.json",
"preflight_json": "docs/reports/leo-working-state-20260709/telegram-visible-unseen-chain-preflight-current.json",
"turn_accessibility": [
"outputs/telegram-visible-unseen-chain-20260715/turn-1-accessibility.txt",
"outputs/telegram-visible-unseen-chain-20260715/turn-2-accessibility.txt",
"outputs/telegram-visible-unseen-chain-20260715/turn-3-accessibility.txt"
],
"turn_screenshots": [
"outputs/telegram-visible-unseen-chain-20260715/turn-1.png",
"outputs/telegram-visible-unseen-chain-20260715/turn-2.png",
"outputs/telegram-visible-unseen-chain-20260715/turn-3.png"
]
},
"explicit_operator_authorization_text": "I authorize Codex to use the already-authenticated Chrome Telegram UI to send exactly these three messages, in order and with no additional messages, to the Telegram group Leo (chat ID -5146042086), waiting for Leo's visible reply after each turn: [OOS-CHAIN-01] \"Looking at what Leo currently believes about collective intelligence or coordination, pick one claim that would matter to a founder making a product decision but seems more confident than its support. Do not ask me for an ID. Show what the database actually says and what supports it, then tell me the first narrower claim you would test. Do not change anything yet.\" [OOS-CHAIN-02] \"That still feels like you are polishing the same idea. Inspect the exact body and evidence you just chose: what is assumption versus observed support, what would falsify it, and which replacement claim or claims would you put into review? Keep them as proposals, not live knowledge.\" [OOS-CHAIN-03] \"I disagree with your first replacement because it jumps from a mechanism to a business outcome. Revise it with that objection, tell me what source would resolve the disagreement, and show the approval and apply boundary before it could become part of Leo.\" Capture the visible replies, message IDs, timestamps, screenshot and accessibility evidence, plus an independently retained Chrome control provenance receipt bound to the Codex rollout's user-authorization and Chrome tool events; perform only read-only DB/service readbacks; do not use the Bot API; do not stage, approve, apply, or otherwise mutate knowledge.",
"generated_at_utc": "2026-07-15T02:33:20.290077+00:00",
"handler_receipt_binding": {
"deployed_git_head": "b3aa184dd4c721f6c40dc813dcefd5930f8ed417",
"fingerprint_sha256": "32a1f2c18f4b4c623443cbd4d9520982e9f291ec74ca63855cef51c88ac56f24",
"path": "docs/reports/leo-working-state-20260709/leo-unseen-reasoning-chain-canary-current.json",
"proof_tier": "live_vps_gatewayrunner_temp_profile_no_telegram_post_no_apply",
"remote_run_id": "d5702cafbb0b",
"schema": "livingip.leoUnseenReasoningChainReceipt.v2",
"sha256": "f4fcf0207484e5322074c7838f3a345d421c1664e5dc8d73b9199c4475b4cee8"
},
"manifest_binding": {
"execution_contract": {
"arbitrary_manifest_override_allowed": false,
"authenticated_role": "postgres",
"database": "teleo",
"default_transaction_read_only": "on",
"effective_role": "pg_read_all_data",
"psql_rc_disabled": true,
"transaction_read_only": "on"
},
"path": "ops/postgres_parity_manifest.sql",
"sha256": "8b8cdc25d54fdd8de05eb38c6e4423d2836953eb6012d4545f5c9c71b5f0150a"
},
"mode": "telegram_visible_unseen_chain_exact_packet_not_sent",
"mutates_db": false,
"next_non_user_action_after_authorization": [
"Re-run the zero-mutation preflight and confirm its packet file hash is current.",
"Use authenticated Chrome only and verify the Leo chat ID before typing anything.",
"Send one exact message, wait for Leo's visible reply, then continue to the next exact message.",
"Capture message IDs, timestamps, screenshot, accessibility text, and the Chrome-control provenance receipt without copying handler output.",
"Retain the Codex rollout path whose Chrome tool receipt contains the provenance SHA256.",
"Extract the selected DB object reference and run the read-only postflight with that reference.",
"Run the Telegram-visible verifier and accept T3 only if every visible and state check passes."
],
"operator_context": {
"authorization_source": "codex_platform_user_message",
"codex_thread_id": "019f6350-3350-7040-b223-c5c22673fece"
},
"packet_generation_git_sha": "dfa6be6ba098b63b5856d03f499a44883b193e4f",
"production_apply_executed": false,
"protocol": {
"browser_provenance_contract": {
"capture_channel": "codex_chrome_extension",
"requires_browser_session_tab_and_capture_identifiers": true,
"requires_chrome_backend_tool_receipts": true,
"requires_codex_rollout_log_outside_evidence_root": true,
"requires_codex_user_message_authorization_receipt": true,
"requires_hashes_for_every_screenshot_and_accessibility_artifact": true,
"requires_preflight_challenge_nonce": true,
"requires_provenance_sha256_in_final_chrome_tool_receipt": true,
"requires_telegram_web_origin_and_chat_identity": true,
"schema": "livingip.authenticatedChromeTelegramCaptureProvenance.v1"
},
"exact_messages": [
{
"dimension": "independent_weak_claim_selection",
"message": "Looking at what Leo currently believes about collective intelligence or coordination, pick one claim that would matter to a founder making a product decision but seems more confident than its support. Do not ask me for an ID. Show what the database actually says and what supports it, then tell me the first narrower claim you would test. Do not change anything yet.",
"message_sha256": "c63838b98448f4f4599e4cf2b004c6b36f602ad0d25c92e442a6f866cd2740fc",
"prompt_id": "OOS-CHAIN-01",
"sequence": 1,
"wait_for_visible_reply_before_next": true
},
{
"dimension": "challenge_body_evidence_and_candidates",
"message": "That still feels like you are polishing the same idea. Inspect the exact body and evidence you just chose: what is assumption versus observed support, what would falsify it, and which replacement claim or claims would you put into review? Keep them as proposals, not live knowledge.",
"message_sha256": "73346a98db4d7f74b49e1a5741b323d4216fd21f8346f6c4a4a69b1a6dd07946",
"prompt_id": "OOS-CHAIN-02",
"sequence": 2,
"wait_for_visible_reply_before_next": true
},
{
"dimension": "user_objection_revision_and_apply_boundary",
"message": "I disagree with your first replacement because it jumps from a mechanism to a business outcome. Revise it with that objection, tell me what source would resolve the disagreement, and show the approval and apply boundary before it could become part of Leo.",
"message_sha256": "5f6b32b2c8c51cc594242ed9bdac849c744156ca2395efb7e8593c83c86286d4",
"prompt_id": "OOS-CHAIN-03",
"sequence": 3,
"wait_for_visible_reply_before_next": true
}
],
"handler_binding": {
"deployed_git_head": "b3aa184dd4c721f6c40dc813dcefd5930f8ed417",
"fingerprint_sha256": "32a1f2c18f4b4c623443cbd4d9520982e9f291ec74ca63855cef51c88ac56f24",
"path": "docs/reports/leo-working-state-20260709/leo-unseen-reasoning-chain-canary-current.json",
"proof_tier": "live_vps_gatewayrunner_temp_profile_no_telegram_post_no_apply",
"remote_run_id": "d5702cafbb0b",
"schema": "livingip.leoUnseenReasoningChainReceipt.v2",
"sha256": "f4fcf0207484e5322074c7838f3a345d421c1664e5dc8d73b9199c4475b4cee8"
},
"manifest_binding": {
"execution_contract": {
"arbitrary_manifest_override_allowed": false,
"authenticated_role": "postgres",
"database": "teleo",
"default_transaction_read_only": "on",
"effective_role": "pg_read_all_data",
"psql_rc_disabled": true,
"transaction_read_only": "on"
},
"path": "ops/postgres_parity_manifest.sql",
"sha256": "8b8cdc25d54fdd8de05eb38c6e4423d2836953eb6012d4545f5c9c71b5f0150a"
},
"operator_context": {
"authorization_source": "codex_platform_user_message",
"codex_thread_id": "019f6350-3350-7040-b223-c5c22673fece"
},
"state_contract": {
"ordering": "preflight < authorization < send1 < reply1 < send2 < reply2 < send3 < reply3 < final/postflight",
"postflight": "same canonical fingerprint plus independent selected-object readback",
"preflight": "two identical repeatable-read read-only canonical fingerprints",
"service": "same active gateway process before and after"
},
"target": {
"allowed_transport": "authenticated_chrome_telegram_ui",
"chat_id": "-5146042086",
"chat_label": "Leo",
"expected_prompt_ids": [
"OOS-CHAIN-01",
"OOS-CHAIN-02",
"OOS-CHAIN-03"
],
"forbidden_transports": [
"telegram_bot_api",
"copied_transcript",
"handler_substitution"
],
"message_count": 3,
"platform": "telegram"
},
"tooling_binding": {
"capture_verifier": {
"path": "scripts/verify_telegram_visible_unseen_chain.py",
"sha256": "379f0f2258daea6ba565b7277fbba0c1907a37eafcd86b33e178137f24ecae2e"
},
"packet_builder": {
"path": "scripts/build_telegram_visible_unseen_chain_packet.py",
"sha256": "f8c5657bc1039a421356aa296ecfdb29578dc99c2db513835b0983be9e8a224c"
},
"state_collector": {
"path": "scripts/collect_telegram_visible_unseen_chain_state.py",
"sha256": "6adfc7750667374aa084ae2cd0e794876568bebb57478097697c2e0c9b981c7a"
}
}
},
"protocol_sha256": "91cba55a23cac9061ac34a827a040f27eb6a018f720586304dd9b08ed113af77",
"ready_to_request_action_time_authorization": true,
"schema": "livingip.telegramVisibleUnseenChainPacket.v2",
"target": {
"allowed_transport": "authenticated_chrome_telegram_ui",
"chat_id": "-5146042086",
"chat_label": "Leo",
"expected_prompt_ids": [
"OOS-CHAIN-01",
"OOS-CHAIN-02",
"OOS-CHAIN-03"
],
"forbidden_transports": [
"telegram_bot_api",
"copied_transcript",
"handler_substitution"
],
"message_count": 3,
"platform": "telegram"
},
"telegram_visible_message_authorization_present": false,
"telegram_visible_messages_sent": false,
"tooling_binding": {
"capture_verifier": {
"path": "scripts/verify_telegram_visible_unseen_chain.py",
"sha256": "379f0f2258daea6ba565b7277fbba0c1907a37eafcd86b33e178137f24ecae2e"
},
"packet_builder": {
"path": "scripts/build_telegram_visible_unseen_chain_packet.py",
"sha256": "f8c5657bc1039a421356aa296ecfdb29578dc99c2db513835b0983be9e8a224c"
},
"state_collector": {
"path": "scripts/collect_telegram_visible_unseen_chain_state.py",
"sha256": "6adfc7750667374aa084ae2cd0e794876568bebb57478097697c2e0c9b981c7a"
}
}
}

View file

@ -0,0 +1,81 @@
# Telegram-Visible Unseen Chain Authorization Packet
Generated UTC: `2026-07-15T02:33:20.290077+00:00`
Protocol SHA256: `91cba55a23cac9061ac34a827a040f27eb6a018f720586304dd9b08ed113af77`
Ready to request action-time authorization: `True`
Telegram-visible messages sent: `False`
Mutates DB: `False`
## Exact Destination
- Chat: `Leo` (`-5146042086`)
- Transport: `authenticated_chrome_telegram_ui`
## Exact Messages
### 1. OOS-CHAIN-01
Looking at what Leo currently believes about collective intelligence or coordination, pick one claim that would matter to a founder making a product decision but seems more confident than its support. Do not ask me for an ID. Show what the database actually says and what supports it, then tell me the first narrower claim you would test. Do not change anything yet.
SHA256: `c63838b98448f4f4599e4cf2b004c6b36f602ad0d25c92e442a6f866cd2740fc`
### 2. OOS-CHAIN-02
That still feels like you are polishing the same idea. Inspect the exact body and evidence you just chose: what is assumption versus observed support, what would falsify it, and which replacement claim or claims would you put into review? Keep them as proposals, not live knowledge.
SHA256: `73346a98db4d7f74b49e1a5741b323d4216fd21f8346f6c4a4a69b1a6dd07946`
### 3. OOS-CHAIN-03
I disagree with your first replacement because it jumps from a mechanism to a business outcome. Revise it with that objection, tell me what source would resolve the disagreement, and show the approval and apply boundary before it could become part of Leo.
SHA256: `5f6b32b2c8c51cc594242ed9bdac849c744156ca2395efb7e8593c83c86286d4`
## Read-Only State Contract
- Manifest: `ops/postgres_parity_manifest.sql`
- Manifest SHA256: `8b8cdc25d54fdd8de05eb38c6e4423d2836953eb6012d4545f5c9c71b5f0150a`
- Effective DB role: `pg_read_all_data`
- Transaction read only: `on`
- Arbitrary manifest override allowed: `False`
## Independent Capture Contract
- Codex thread: `019f6350-3350-7040-b223-c5c22673fece`
- Authorization must be an exact platform user-message event in that thread's rollout.
- Each turn and final artifact must be bound by Chrome-backend tool receipts in that rollout.
## Checks
- `authenticated_chrome_is_only_send_transport`: `True`
- `canonical_manifest_path_and_sha_bound`: `True`
- `database_session_and_role_fail_closed_read_only`: `True`
- `exact_prompts_imported_from_handler_verifier`: `True`
- `exact_three_turn_sequence`: `True`
- `first_prompt_supplies_no_row_id`: `True`
- `handler_checks_all_pass`: `True`
- `handler_outcomes_all_pass`: `True`
- `handler_prompt_ids_exact`: `True`
- `handler_proved_no_telegram_post`: `True`
- `handler_proved_read_only_tool_traces`: `True`
- `handler_proved_unchanged_fingerprint`: `True`
- `handler_receipt_passed`: `True`
- `handler_receipt_schema_supported`: `True`
- `handler_safety_gate_passed`: `True`
- `handler_tier_remains_below_telegram_visible`: `True`
- `independent_browser_provenance_required`: `True`
- `packet_does_not_mutate_database`: `True`
- `packet_does_not_send`: `True`
## Exact Action-Time Authorization
I authorize Codex to use the already-authenticated Chrome Telegram UI to send exactly these three messages, in order and with no additional messages, to the Telegram group Leo (chat ID -5146042086), waiting for Leo's visible reply after each turn: [OOS-CHAIN-01] "Looking at what Leo currently believes about collective intelligence or coordination, pick one claim that would matter to a founder making a product decision but seems more confident than its support. Do not ask me for an ID. Show what the database actually says and what supports it, then tell me the first narrower claim you would test. Do not change anything yet." [OOS-CHAIN-02] "That still feels like you are polishing the same idea. Inspect the exact body and evidence you just chose: what is assumption versus observed support, what would falsify it, and which replacement claim or claims would you put into review? Keep them as proposals, not live knowledge." [OOS-CHAIN-03] "I disagree with your first replacement because it jumps from a mechanism to a business outcome. Revise it with that objection, tell me what source would resolve the disagreement, and show the approval and apply boundary before it could become part of Leo." Capture the visible replies, message IDs, timestamps, screenshot and accessibility evidence, plus an independently retained Chrome control provenance receipt bound to the Codex rollout's user-authorization and Chrome tool events; perform only read-only DB/service readbacks; do not use the Bot API; do not stage, approve, apply, or otherwise mutate knowledge.
## Clear CTA
Reply with the exact authorization sentence in this packet. That sentence names the destination, transport, complete message bodies, ordering, evidence, and no-mutation boundary.
## Claim Ceiling
Current tier: `T0_spec_plus_prior_T2_handler_evidence`
Required tier: `T3_live_readonly`

View file

@ -0,0 +1,120 @@
{
"capture_template": {
"capture_source": {
"browser_provenance": "",
"captured_at_utc": "",
"captured_by": "",
"chat_id": "-5146042086",
"chat_label": "Leo",
"final_accessibility": "",
"final_capture_reuse_reason": "",
"final_capture_reuses_turn_3": false,
"final_screenshot": "",
"platform": "telegram",
"transport": "authenticated_chrome_telegram_ui"
},
"extra_messages_sent": 0,
"messages": [
{
"prompt_id": "OOS-CHAIN-01",
"reply": "",
"reply_at_utc": "",
"reply_message_id": "",
"sent_at_utc": "",
"sent_text": "Looking at what Leo currently believes about collective intelligence or coordination, pick one claim that would matter to a founder making a product decision but seems more confident than its support. Do not ask me for an ID. Show what the database actually says and what supports it, then tell me the first narrower claim you would test. Do not change anything yet.",
"sequence": 1,
"telegram_message_id": "",
"turn_accessibility": "",
"turn_screenshot": ""
},
{
"prompt_id": "OOS-CHAIN-02",
"reply": "",
"reply_at_utc": "",
"reply_message_id": "",
"sent_at_utc": "",
"sent_text": "That still feels like you are polishing the same idea. Inspect the exact body and evidence you just chose: what is assumption versus observed support, what would falsify it, and which replacement claim or claims would you put into review? Keep them as proposals, not live knowledge.",
"sequence": 2,
"telegram_message_id": "",
"turn_accessibility": "",
"turn_screenshot": ""
},
{
"prompt_id": "OOS-CHAIN-03",
"reply": "",
"reply_at_utc": "",
"reply_message_id": "",
"sent_at_utc": "",
"sent_text": "I disagree with your first replacement because it jumps from a mechanism to a business outcome. Revise it with that objection, tell me what source would resolve the disagreement, and show the approval and apply boundary before it could become part of Leo.",
"sequence": 3,
"telegram_message_id": "",
"turn_accessibility": "",
"turn_screenshot": ""
}
],
"operator_authorization_captured_at_utc": "",
"operator_authorization_text": "I authorize Codex to use the already-authenticated Chrome Telegram UI to send exactly these three messages, in order and with no additional messages, to the Telegram group Leo (chat ID -5146042086), waiting for Leo's visible reply after each turn: [OOS-CHAIN-01] \"Looking at what Leo currently believes about collective intelligence or coordination, pick one claim that would matter to a founder making a product decision but seems more confident than its support. Do not ask me for an ID. Show what the database actually says and what supports it, then tell me the first narrower claim you would test. Do not change anything yet.\" [OOS-CHAIN-02] \"That still feels like you are polishing the same idea. Inspect the exact body and evidence you just chose: what is assumption versus observed support, what would falsify it, and which replacement claim or claims would you put into review? Keep them as proposals, not live knowledge.\" [OOS-CHAIN-03] \"I disagree with your first replacement because it jumps from a mechanism to a business outcome. Revise it with that objection, tell me what source would resolve the disagreement, and show the approval and apply boundary before it could become part of Leo.\" Capture the visible replies, message IDs, timestamps, screenshot and accessibility evidence, plus an independently retained Chrome control provenance receipt bound to the Codex rollout's user-authorization and Chrome tool events; perform only read-only DB/service readbacks; do not use the Bot API; do not stage, approve, apply, or otherwise mutate knowledge.",
"preflight_state_token_sha256": "410677869ca2854f38b3e5017de2c682a2625d751fdff6600ac9bc40ce2fbc2e",
"protocol_sha256": "91cba55a23cac9061ac34a827a040f27eb6a018f720586304dd9b08ed113af77",
"schema": "livingip.telegramVisibleUnseenChainCapture.v1"
},
"checks": {
"action_time_authorization_present": false,
"capture_present": false,
"manifest_arbitrary_override_forbidden": true,
"manifest_canonical_path_exists": true,
"manifest_default_transaction_read_only_enforced": true,
"manifest_effective_role_is_read_only": true,
"manifest_override_absent_or_exact_canonical_path": true,
"manifest_packet_path_is_exact_canonical_relative_path": true,
"manifest_packet_sha256_matches_canonical_file": true,
"manifest_protocol_binding_matches_packet": true,
"manifest_psql_rc_disabled": true,
"manifest_sql_statically_read_only": true,
"manifest_transaction_read_only_enforced": true,
"packet_check_section_present_and_passing": true,
"packet_does_not_mutate_db": true,
"packet_has_no_authorization_recorded": true,
"packet_messages_exact": true,
"packet_not_sent": true,
"packet_prompt_ids_exact": true,
"packet_protocol_sha256_derivation_valid": true,
"packet_protocol_sha256_present": true,
"packet_protocol_top_level_bindings_match": true,
"packet_ready_for_authorization_request": true,
"packet_requires_authenticated_chrome": true,
"packet_schema_supported": true,
"packet_targets_exact_leo_chat": true,
"packet_tooling_hashes_match_current_sources": true,
"postflight_present": false,
"preflight_baseline_checks_all_pass": true,
"preflight_manifest_bound": true,
"preflight_packet_checks_all_pass": true,
"preflight_packet_file_hash_bound": true,
"preflight_protocol_bound": true,
"preflight_remote_checks_all_pass": true,
"preflight_schema_supported": true,
"preflight_state_token_derivation_valid": true,
"preflight_status_and_phase_pass": true
},
"claim_ceiling": {
"not_proven": [
"Telegram-visible message delivery",
"Telegram-visible Leo replies",
"post-send fingerprint equality"
],
"proven": "The exact packet and live zero-mutation preflight are ready."
},
"current_tier": "T0_packet_plus_T3_preflight",
"generated_at_utc": "2026-07-15T02:34:03.994153+00:00",
"mode": "telegram_visible_unseen_chain_capture_verifier",
"mutates_db": false,
"packet_path": "docs/reports/leo-working-state-20260709/telegram-visible-unseen-chain-authorization-packet-current.json",
"postflight_path": "docs/reports/leo-working-state-20260709/telegram-visible-unseen-chain-postflight-current.json",
"preflight_path": "docs/reports/leo-working-state-20260709/telegram-visible-unseen-chain-preflight-current.json",
"receipt_ready": false,
"required_tier": "T3_live_readonly",
"schema": "livingip.telegramVisibleUnseenChainReceipt.v2",
"status": "awaiting_action_time_authorization",
"telegram_visible_messages_sent": false
}

View file

@ -0,0 +1,58 @@
# Telegram-Visible Unseen Chain Capture Receipt
Generated UTC: `2026-07-15T02:34:03.994153+00:00`
Status: `awaiting_action_time_authorization`
Receipt ready: `False`
Current tier: `T0_packet_plus_T3_preflight`
Required tier: `T3_live_readonly`
Telegram-visible messages sent: `False`
Mutates DB: `False`
## Checks
- `action_time_authorization_present`: `False`
- `capture_present`: `False`
- `manifest_arbitrary_override_forbidden`: `True`
- `manifest_canonical_path_exists`: `True`
- `manifest_default_transaction_read_only_enforced`: `True`
- `manifest_effective_role_is_read_only`: `True`
- `manifest_override_absent_or_exact_canonical_path`: `True`
- `manifest_packet_path_is_exact_canonical_relative_path`: `True`
- `manifest_packet_sha256_matches_canonical_file`: `True`
- `manifest_protocol_binding_matches_packet`: `True`
- `manifest_psql_rc_disabled`: `True`
- `manifest_sql_statically_read_only`: `True`
- `manifest_transaction_read_only_enforced`: `True`
- `packet_check_section_present_and_passing`: `True`
- `packet_does_not_mutate_db`: `True`
- `packet_has_no_authorization_recorded`: `True`
- `packet_messages_exact`: `True`
- `packet_not_sent`: `True`
- `packet_prompt_ids_exact`: `True`
- `packet_protocol_sha256_derivation_valid`: `True`
- `packet_protocol_sha256_present`: `True`
- `packet_protocol_top_level_bindings_match`: `True`
- `packet_ready_for_authorization_request`: `True`
- `packet_requires_authenticated_chrome`: `True`
- `packet_schema_supported`: `True`
- `packet_targets_exact_leo_chat`: `True`
- `packet_tooling_hashes_match_current_sources`: `True`
- `postflight_present`: `False`
- `preflight_baseline_checks_all_pass`: `True`
- `preflight_manifest_bound`: `True`
- `preflight_packet_checks_all_pass`: `True`
- `preflight_packet_file_hash_bound`: `True`
- `preflight_protocol_bound`: `True`
- `preflight_remote_checks_all_pass`: `True`
- `preflight_schema_supported`: `True`
- `preflight_state_token_derivation_valid`: `True`
- `preflight_status_and_phase_pass`: `True`
## Awaiting Authorized Capture
The packet and preflight are ready. No Telegram message has been sent by this verifier.
A future T3 receipt also requires the exact platform authorization event and Chrome-backend capture receipts from the bound Codex rollout log.
## Claim Ceiling
The exact packet and live zero-mutation preflight are ready.

View file

@ -0,0 +1,41 @@
{
"fallback_goal_path": "goal.md",
"expanded_active_scope": [
"canonical manifest path and SHA binding with pre-SSH write rejection",
"independent read-only Postgres session and pg_read_all_data effective role",
"supported artifact schemas, passing check sections, and derived state tokens",
"strict timezone-aware authorization/send/reply/capture/postflight chronology",
"evidence-root containment, valid PNG metadata, and distinct per-turn hashes",
"Codex rollout-backed user authorization and Chrome capture provenance",
"full local-forgery regression"
],
"generated_at_utc": "2026-07-15T02:30:26Z",
"platform_goal_after": {
"objective": "Complete and verify the Telegram-visible unseen challenge-to-revision canary defined in this goal file while proving zero database mutation.",
"status": "active",
"thread_id": "019f6350-3350-7040-b223-c5c22673fece"
},
"platform_goal_before": null,
"platform_goal_current": {
"objective": "Complete and verify the Telegram-visible unseen challenge-to-revision canary defined in this goal file while proving zero database mutation.",
"status": "active",
"thread_id": "019f6350-3350-7040-b223-c5c22673fece",
"time_used_seconds_at_readback": 4474,
"tokens_used_at_readback": 886585
},
"platform_goal_repair_action": "create_goal",
"platform_goal_replaced": false,
"platform_goal_scope_update_action": "continued_existing_active_goal_and_expanded_fallback_acceptance_scope",
"platform_goal_scope_update_after": {
"objective": "Complete and verify the Telegram-visible unseen challenge-to-revision canary defined in this goal file while proving zero database mutation.",
"status": "active",
"thread_id": "019f6350-3350-7040-b223-c5c22673fece"
},
"platform_goal_scope_update_before": {
"objective": "Complete and verify the Telegram-visible unseen challenge-to-revision canary defined in this goal file while proving zero database mutation.",
"status": "active",
"thread_id": "019f6350-3350-7040-b223-c5c22673fece"
},
"schema": "livingip.telegramVisibleUnseenChainGoalReadback.v1",
"why_not_replaced": "The active objective already covers T3 Telegram-visible and zero-mutation acceptance. The platform Goal API exposes only complete/blocked status updates while active, so replacing or falsely completing it would be incorrect; expanded integrity acceptance is retained in goal.md and this readback."
}

View file

@ -0,0 +1,83 @@
{
"cleanup_readback": {
"collector_or_verifier_processes_remaining": [],
"status": "clean"
},
"generated_at_utc": "2026-07-15T02:39:17Z",
"live_preflight": {
"canonical_fingerprint_sha256": "32a1f2c18f4b4c623443cbd4d9520982e9f291ec74ca63855cef51c88ac56f24",
"canonical_fingerprint_unchanged_across_two_snapshots": true,
"capture_challenge_nonce": "0a03b4e74a4533d3bb657d7b07fb48888293d7ba217e776f3c2c120764afe086",
"deployed_git_stamp": "626bac493e2b772db984be7a4a68e9da656f6b02",
"effective_database_role": "pg_read_all_data",
"gateway_main_pid": "347406",
"gateway_restarts": "0",
"manifest_path": "ops/postgres_parity_manifest.sql",
"manifest_sha256": "8b8cdc25d54fdd8de05eb38c6e4423d2836953eb6012d4545f5c9c71b5f0150a",
"mutates_db": false,
"packet_file_sha256": "76fb81d055a726de580d1c0ed75784b4576729e8e67badb6a4574677b2447ed0",
"path": "docs/reports/leo-working-state-20260709/telegram-visible-unseen-chain-preflight-current.json",
"preflight_file_sha256": "7705534b35921c7c27fb40acd1277c6ed07ceae114014d074737160f65d4cc6f",
"protocol_sha256": "91cba55a23cac9061ac34a827a040f27eb6a018f720586304dd9b08ed113af77",
"readback_attempts": {
"deploy": 1,
"fingerprint_after": 1,
"fingerprint_before": 1,
"service_after": 1,
"service_before": 1
},
"state_token_sha256": "410677869ca2854f38b3e5017de2c682a2625d751fdff6600ac9bc40ce2fbc2e",
"status": "pass",
"table_count": 39,
"tooling_hashes_match_current_sources": true,
"total_rows": 52167,
"transaction_read_only": "on",
"workspace_head_matches_deployed_stamp": true
},
"not_tested": [
"Telegram message delivery",
"Telegram-visible Leo replies",
"action-time authorization and authenticated-Chrome capture backed by the bound Codex rollout",
"post-send selected-object readback",
"post-send canonical fingerprint equality"
],
"proof_paths": [
"docs/reports/leo-working-state-20260709/telegram-visible-unseen-chain-authorization-packet-current.json",
"docs/reports/leo-working-state-20260709/telegram-visible-unseen-chain-preflight-current.json",
"docs/reports/leo-working-state-20260709/telegram-visible-unseen-chain-capture-receipt-current.json",
"docs/reports/leo-working-state-20260709/telegram-visible-unseen-chain-goal-readback-current.json"
],
"receipt_hashes": {
"authorization_packet_sha256": "76fb81d055a726de580d1c0ed75784b4576729e8e67badb6a4574677b2447ed0",
"capture_receipt_sha256": "0573aed8ceaf04c186afa68b5bf1c6687b76059b00725d33f87939f84b2e5401",
"preflight_sha256": "7705534b35921c7c27fb40acd1277c6ed07ceae114014d074737160f65d4cc6f"
},
"schema": "livingip.telegramVisibleUnseenChainNonsendProof.v1",
"send_boundary": {
"action_time_authorization_present": false,
"authenticated_chrome_used": false,
"telegram_visible_messages_sent": false
},
"tests": [
{
"command": "/Users/user/Documents/Codex/2026-07-09/019f34eb-d297-72d0-b7e2-b222d5515ab9-load/work/teleo-infra-main/.venv/bin/pytest -q tests/test_verify_leo_unseen_reasoning_chain.py tests/test_build_telegram_visible_unseen_chain_packet.py tests/test_collect_telegram_visible_unseen_chain_state.py tests/test_verify_telegram_visible_unseen_chain.py",
"result": "42 passed in 4.19s"
},
{
"command": "/Users/user/Documents/Codex/2026-07-09/019f34eb-d297-72d0-b7e2-b222d5515ab9-load/work/teleo-infra-main/.venv/bin/pytest -q",
"result": "1319 passed in 81.44s"
},
{
"command": "/Users/user/Documents/Codex/2026-07-09/019f34eb-d297-72d0-b7e2-b222d5515ab9-load/work/teleo-infra-main/.venv/bin/ruff check scripts/build_telegram_visible_unseen_chain_packet.py scripts/collect_telegram_visible_unseen_chain_state.py scripts/verify_telegram_visible_unseen_chain.py tests/test_build_telegram_visible_unseen_chain_packet.py tests/test_collect_telegram_visible_unseen_chain_state.py tests/test_verify_telegram_visible_unseen_chain.py",
"result": "All checks passed"
},
{
"command": "/Users/user/Documents/Codex/2026-07-09/019f34eb-d297-72d0-b7e2-b222d5515ab9-load/work/teleo-infra-main/.venv/bin/ruff format --check scripts/build_telegram_visible_unseen_chain_packet.py scripts/collect_telegram_visible_unseen_chain_state.py scripts/verify_telegram_visible_unseen_chain.py tests/test_build_telegram_visible_unseen_chain_packet.py tests/test_collect_telegram_visible_unseen_chain_state.py tests/test_verify_telegram_visible_unseen_chain.py",
"result": "6 files already formatted"
},
{
"command": "git diff --check",
"result": "pass"
}
]
}

View file

@ -0,0 +1,149 @@
{
"baseline_checks": {},
"baseline_path": "",
"baseline_state_token_sha256": "",
"blocker_readback": {
"attempted_routes": [
"local exact packet validation",
"SSH deploy stamp and gateway service readback",
"two canonical repeatable-read read-only Postgres parity manifests"
],
"clear_CTA": "Use the packet's exact authorization sentence only when ready to cross the send boundary.",
"current_canary": "Read-only pre-send readiness for the exact three-turn unseen Leo chain in Telegram",
"exact_gate": "",
"next_non_user_action": "Run the authenticated-Chrome three-turn flow only after exact authorization, then collect postflight."
},
"capture_challenge_nonce": "0a03b4e74a4533d3bb657d7b07fb48888293d7ba217e776f3c2c120764afe086",
"claim_ceiling": {
"current_tier": "T3_live_readonly",
"not_proven": [
"Telegram-visible delivery or reply behavior",
"authorization to send Telegram messages",
"canonical mutation"
],
"proven": "Two canonical read-only snapshots and the gateway process were unchanged during this probe."
},
"generated_at_utc": "2026-07-15T02:33:56.887524+00:00",
"manifest_binding": {
"execution_contract": {
"arbitrary_manifest_override_allowed": false,
"authenticated_role": "postgres",
"database": "teleo",
"default_transaction_read_only": "on",
"effective_role": "pg_read_all_data",
"psql_rc_disabled": true,
"transaction_read_only": "on"
},
"path": "ops/postgres_parity_manifest.sql",
"sha256": "8b8cdc25d54fdd8de05eb38c6e4423d2836953eb6012d4545f5c9c71b5f0150a"
},
"mode": "telegram_visible_unseen_chain_zero_mutation_state_readback",
"mutates_db": false,
"packet_checks": {
"manifest_arbitrary_override_forbidden": true,
"manifest_canonical_path_exists": true,
"manifest_default_transaction_read_only_enforced": true,
"manifest_effective_role_is_read_only": true,
"manifest_loaded_bytes_match_bound_sha256": true,
"manifest_loaded_bytes_revalidated_read_only": true,
"manifest_override_absent_or_exact_canonical_path": true,
"manifest_packet_path_is_exact_canonical_relative_path": true,
"manifest_packet_sha256_matches_canonical_file": true,
"manifest_protocol_binding_matches_packet": true,
"manifest_psql_rc_disabled": true,
"manifest_sql_statically_read_only": true,
"manifest_transaction_read_only_enforced": true,
"packet_check_section_present_and_passing": true,
"packet_does_not_mutate_db": true,
"packet_has_no_authorization_recorded": true,
"packet_messages_exact": true,
"packet_not_sent": true,
"packet_prompt_ids_exact": true,
"packet_protocol_sha256_derivation_valid": true,
"packet_protocol_sha256_present": true,
"packet_protocol_top_level_bindings_match": true,
"packet_ready_for_authorization_request": true,
"packet_requires_authenticated_chrome": true,
"packet_schema_supported": true,
"packet_targets_exact_leo_chat": true,
"packet_tooling_hashes_match_current_sources": true
},
"packet_file_sha256": "76fb81d055a726de580d1c0ed75784b4576729e8e67badb6a4574677b2447ed0",
"packet_path": "docs/reports/leo-working-state-20260709/telegram-visible-unseen-chain-authorization-packet-current.json",
"phase": "preflight",
"production_apply_executed": false,
"protocol_sha256": "91cba55a23cac9061ac34a827a040f27eb6a018f720586304dd9b08ed113af77",
"ready_for_action_time_authorization": true,
"ready_for_visible_capture_verification": false,
"remote": {
"deploy_head": "626bac493e2b772db984be7a4a68e9da656f6b02",
"deploy_stamp_ancestor": true,
"fingerprint_after": {
"current_user": "pg_read_all_data",
"fingerprint_sha256": "32a1f2c18f4b4c623443cbd4d9520982e9f291ec74ca63855cef51c88ac56f24",
"schema": "livingip.teleoCanonicalDatabaseFingerprint.v1",
"status": "ok",
"structure_sha256": "61bf482330a652ebdb419de3fb78196f2c7d25d1a482b100f385e8102c8e8d52",
"table_count": 39,
"table_rows_sha256": "f50d86fc3ce699f602bdc0029485bd901fd98bd8114eecd5dcc4346a0f52112a",
"total_rows": 52167,
"transaction_read_only": "on"
},
"fingerprint_before": {
"current_user": "pg_read_all_data",
"fingerprint_sha256": "32a1f2c18f4b4c623443cbd4d9520982e9f291ec74ca63855cef51c88ac56f24",
"schema": "livingip.teleoCanonicalDatabaseFingerprint.v1",
"status": "ok",
"structure_sha256": "61bf482330a652ebdb419de3fb78196f2c7d25d1a482b100f385e8102c8e8d52",
"table_count": 39,
"table_rows_sha256": "f50d86fc3ce699f602bdc0029485bd901fd98bd8114eecd5dcc4346a0f52112a",
"total_rows": 52167,
"transaction_read_only": "on"
},
"last_deploy_sha": "626bac493e2b772db984be7a4a68e9da656f6b02",
"readback_attempts": {
"deploy": 1,
"fingerprint_after": 1,
"fingerprint_before": 1,
"service_after": 1,
"service_before": 1
},
"service_after": {
"ActiveState": "active",
"ExecMainStartTimestamp": "Tue 2026-07-14 22:59:43 UTC",
"MainPID": "347406",
"NRestarts": "0",
"SubState": "running"
},
"service_before": {
"ActiveState": "active",
"ExecMainStartTimestamp": "Tue 2026-07-14 22:59:43 UTC",
"MainPID": "347406",
"NRestarts": "0",
"SubState": "running"
},
"subject_readback": null,
"workspace_head_matches_deployed_stamp": true
},
"remote_checks": {
"canonical_fingerprint_unchanged_during_probe": true,
"deployed_stamp_is_ancestor_of_workspace_head": true,
"deployed_stamp_is_sha": true,
"fingerprints_are_read_only": true,
"fingerprints_use_independent_read_only_role": true,
"first_fingerprint_complete": true,
"second_fingerprint_complete": true,
"service_active_before_and_after": true,
"service_identity_complete": true,
"service_process_unchanged_during_probe": true,
"ssh_readbacks_succeeded": true,
"workspace_head_is_sha": true
},
"remote_returncode": 0,
"remote_stderr": "",
"schema": "livingip.telegramVisibleUnseenChainState.v2",
"state_token_sha256": "410677869ca2854f38b3e5017de2c682a2625d751fdff6600ac9bc40ce2fbc2e",
"status": "pass",
"subject_ref": "",
"telegram_visible_messages_sent_by_collector": false
}

View file

@ -0,0 +1,70 @@
# Telegram-Visible Unseen Chain Preflight
Generated UTC: `2026-07-15T02:33:56.887524+00:00`
Status: `pass`
Protocol SHA256: `91cba55a23cac9061ac34a827a040f27eb6a018f720586304dd9b08ed113af77`
Packet file SHA256: `76fb81d055a726de580d1c0ed75784b4576729e8e67badb6a4574677b2447ed0`
State token SHA256: `410677869ca2854f38b3e5017de2c682a2625d751fdff6600ac9bc40ce2fbc2e`
Messages sent by collector: `False`
Mutates DB: `False`
## Checks
- `manifest_arbitrary_override_forbidden`: `True`
- `manifest_canonical_path_exists`: `True`
- `manifest_default_transaction_read_only_enforced`: `True`
- `manifest_effective_role_is_read_only`: `True`
- `manifest_loaded_bytes_match_bound_sha256`: `True`
- `manifest_loaded_bytes_revalidated_read_only`: `True`
- `manifest_override_absent_or_exact_canonical_path`: `True`
- `manifest_packet_path_is_exact_canonical_relative_path`: `True`
- `manifest_packet_sha256_matches_canonical_file`: `True`
- `manifest_protocol_binding_matches_packet`: `True`
- `manifest_psql_rc_disabled`: `True`
- `manifest_sql_statically_read_only`: `True`
- `manifest_transaction_read_only_enforced`: `True`
- `packet_check_section_present_and_passing`: `True`
- `packet_does_not_mutate_db`: `True`
- `packet_has_no_authorization_recorded`: `True`
- `packet_messages_exact`: `True`
- `packet_not_sent`: `True`
- `packet_prompt_ids_exact`: `True`
- `packet_protocol_sha256_derivation_valid`: `True`
- `packet_protocol_sha256_present`: `True`
- `packet_protocol_top_level_bindings_match`: `True`
- `packet_ready_for_authorization_request`: `True`
- `packet_requires_authenticated_chrome`: `True`
- `packet_schema_supported`: `True`
- `packet_targets_exact_leo_chat`: `True`
- `packet_tooling_hashes_match_current_sources`: `True`
- `canonical_fingerprint_unchanged_during_probe`: `True`
- `deployed_stamp_is_ancestor_of_workspace_head`: `True`
- `deployed_stamp_is_sha`: `True`
- `fingerprints_are_read_only`: `True`
- `fingerprints_use_independent_read_only_role`: `True`
- `first_fingerprint_complete`: `True`
- `second_fingerprint_complete`: `True`
- `service_active_before_and_after`: `True`
- `service_identity_complete`: `True`
- `service_process_unchanged_during_probe`: `True`
- `ssh_readbacks_succeeded`: `True`
- `workspace_head_is_sha`: `True`
## Live Readback
- Deploy head: `626bac493e2b772db984be7a4a68e9da656f6b02`
- Deploy stamp: `626bac493e2b772db984be7a4a68e9da656f6b02`
- Gateway MainPID: `347406`
- Gateway NRestarts: `0`
- Manifest: `ops/postgres_parity_manifest.sql`
- Manifest SHA256: `8b8cdc25d54fdd8de05eb38c6e4423d2836953eb6012d4545f5c9c71b5f0150a`
- Effective DB role: `pg_read_all_data`
- Transaction read only: `on`
- Canonical fingerprint: `32a1f2c18f4b4c623443cbd4d9520982e9f291ec74ca63855cef51c88ac56f24`
- Canonical tables: `39`
- Canonical rows: `52167`
- Selected object ref: ``
## Claim Ceiling
Two canonical read-only snapshots and the gateway process were unchanged during this probe.

View file

@ -0,0 +1,406 @@
#!/usr/bin/env python3
"""Build the exact no-send packet for Leo's unseen Telegram reasoning chain."""
from __future__ import annotations
import argparse
import hashlib
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path
from typing import Any
try:
import verify_leo_unseen_reasoning_chain as unseen
except ImportError: # pragma: no cover - imported as scripts.* in tests
from scripts import verify_leo_unseen_reasoning_chain as unseen
SCHEMA = "livingip.telegramVisibleUnseenChainPacket.v2"
REPO_ROOT = Path(__file__).resolve().parents[1]
REPORT_DIR = Path("docs/reports/leo-working-state-20260709")
DEFAULT_HANDLER_RECEIPT = REPORT_DIR / "leo-unseen-reasoning-chain-canary-current.json"
DEFAULT_OUT = REPORT_DIR / "telegram-visible-unseen-chain-authorization-packet-current.json"
DEFAULT_MARKDOWN_OUT = REPORT_DIR / "telegram-visible-unseen-chain-authorization-packet-current.md"
DEFAULT_CAPTURE_RECEIPT = REPORT_DIR / "telegram-visible-unseen-chain-capture-receipt-current.json"
DEFAULT_PREFLIGHT = REPORT_DIR / "telegram-visible-unseen-chain-preflight-current.json"
DEFAULT_POSTFLIGHT = REPORT_DIR / "telegram-visible-unseen-chain-postflight-current.json"
DEFAULT_CHAT_ID = "-5146042086"
DEFAULT_CHAT_LABEL = "Leo"
DEFAULT_PROOF_DIR = "outputs/telegram-visible-unseen-chain-20260715"
DEFAULT_MANIFEST_SQL = Path("ops/postgres_parity_manifest.sql")
READ_ONLY_DB_ROLE = "pg_read_all_data"
DEFAULT_CODEX_THREAD_ID = "019f6350-3350-7040-b223-c5c22673fece"
TOOLING_PATHS = {
"packet_builder": Path("scripts/build_telegram_visible_unseen_chain_packet.py"),
"state_collector": Path("scripts/collect_telegram_visible_unseen_chain_state.py"),
"capture_verifier": Path("scripts/verify_telegram_visible_unseen_chain.py"),
}
def _load_json(path: Path) -> dict[str, Any]:
return json.loads(path.read_text(encoding="utf-8"))
def _sha256_bytes(value: bytes) -> str:
return hashlib.sha256(value).hexdigest()
def _sha256_file(path: Path) -> str:
return _sha256_bytes(path.read_bytes())
def _canonical_sha256(value: Any) -> str:
encoded = json.dumps(value, sort_keys=True, separators=(",", ":")).encode("utf-8")
return _sha256_bytes(encoded)
def current_git_sha(repo_root: Path = Path(".")) -> str:
proc = subprocess.run(
["git", "rev-parse", "HEAD"],
cwd=repo_root,
text=True,
capture_output=True,
check=False,
)
return proc.stdout.strip() if proc.returncode == 0 else ""
def exact_messages() -> list[dict[str, Any]]:
messages = []
for sequence, prompt in enumerate(unseen.PROMPTS, start=1):
message = str(prompt["message"])
messages.append(
{
"sequence": sequence,
"prompt_id": prompt["id"],
"dimension": prompt["dimension"],
"message": message,
"message_sha256": _sha256_bytes(message.encode("utf-8")),
"wait_for_visible_reply_before_next": True,
}
)
return messages
def tooling_binding(repo_root: Path = REPO_ROOT) -> dict[str, dict[str, Any]]:
return {name: {"path": str(path), "sha256": _sha256_file(repo_root / path)} for name, path in TOOLING_PATHS.items()}
def manifest_binding(repo_root: Path = REPO_ROOT) -> dict[str, Any]:
return {
"path": str(DEFAULT_MANIFEST_SQL),
"sha256": _sha256_file(repo_root / DEFAULT_MANIFEST_SQL),
"execution_contract": {
"database": "teleo",
"authenticated_role": "postgres",
"effective_role": READ_ONLY_DB_ROLE,
"default_transaction_read_only": "on",
"transaction_read_only": "on",
"psql_rc_disabled": True,
"arbitrary_manifest_override_allowed": False,
},
}
def _handler_checks(receipt: dict[str, Any]) -> dict[str, bool]:
safety = receipt.get("safety_gate") if isinstance(receipt.get("safety_gate"), dict) else {}
safety_checks = safety.get("checks") if isinstance(safety.get("checks"), dict) else {}
database = receipt.get("database") if isinstance(receipt.get("database"), dict) else {}
prompt_ids = [str(item["id"]) for item in unseen.PROMPTS]
return {
"handler_receipt_passed": receipt.get("status") == "pass",
"handler_receipt_schema_supported": receipt.get("schema") == unseen.SCHEMA,
"handler_prompt_ids_exact": receipt.get("prompt_ids") == prompt_ids,
"handler_outcomes_all_pass": bool(receipt.get("outcomes"))
and all(value is True for value in receipt.get("outcomes", {}).values()),
"handler_checks_all_pass": bool(receipt.get("checks"))
and all(value is True for value in receipt.get("checks", {}).values()),
"handler_safety_gate_passed": safety.get("status") == "pass",
"handler_proved_no_telegram_post": safety_checks.get("no_telegram_post") is True,
"handler_proved_read_only_tool_traces": safety_checks.get("all_tool_traces_read_only_and_bound") is True,
"handler_proved_unchanged_fingerprint": database.get("fingerprint_unchanged") is True
and isinstance(database.get("fingerprint_sha256"), str)
and len(database["fingerprint_sha256"]) == 64,
"handler_tier_remains_below_telegram_visible": "Telegram-visible message delivery"
in (receipt.get("claim_ceiling") or {}).get("not_proven", []),
}
def _authorization_text(*, chat_label: str, chat_id: str, messages: list[dict[str, Any]]) -> str:
quoted = " ".join(f"[{item['prompt_id']}] {json.dumps(item['message'], ensure_ascii=True)}" for item in messages)
return (
"I authorize Codex to use the already-authenticated Chrome Telegram UI to send exactly these three "
f"messages, in order and with no additional messages, to the Telegram group {chat_label} (chat ID "
f"{chat_id}), waiting for Leo's visible reply after each turn: {quoted} Capture the visible replies, "
"message IDs, timestamps, screenshot and accessibility evidence, plus an independently retained Chrome "
"control provenance receipt bound to the Codex rollout's user-authorization and Chrome tool events; "
"perform only read-only DB/service "
"readbacks; do not use the Bot API; do not stage, approve, apply, or otherwise mutate knowledge."
)
def build_packet(
*,
handler_receipt_path: Path = DEFAULT_HANDLER_RECEIPT,
chat_id: str = DEFAULT_CHAT_ID,
chat_label: str = DEFAULT_CHAT_LABEL,
proof_dir: str = DEFAULT_PROOF_DIR,
codex_thread_id: str = DEFAULT_CODEX_THREAD_ID,
git_sha: str | None = None,
) -> dict[str, Any]:
handler_receipt = _load_json(handler_receipt_path)
messages = exact_messages()
handler_checks = _handler_checks(handler_receipt)
target = {
"platform": "telegram",
"chat_label": chat_label,
"chat_id": chat_id,
"allowed_transport": "authenticated_chrome_telegram_ui",
"forbidden_transports": ["telegram_bot_api", "copied_transcript", "handler_substitution"],
"message_count": len(messages),
"expected_prompt_ids": [item["prompt_id"] for item in messages],
}
handler_binding = {
"path": str(handler_receipt_path),
"sha256": _sha256_file(handler_receipt_path),
"schema": handler_receipt.get("schema"),
"proof_tier": handler_receipt.get("proof_tier"),
"remote_run_id": handler_receipt.get("remote_run_id"),
"deployed_git_head": handler_receipt.get("deployed_git_head"),
"fingerprint_sha256": (handler_receipt.get("database") or {}).get("fingerprint_sha256"),
}
tooling = tooling_binding()
manifest = manifest_binding()
browser_provenance_contract = {
"schema": "livingip.authenticatedChromeTelegramCaptureProvenance.v1",
"capture_channel": "codex_chrome_extension",
"requires_preflight_challenge_nonce": True,
"requires_codex_rollout_log_outside_evidence_root": True,
"requires_chrome_backend_tool_receipts": True,
"requires_provenance_sha256_in_final_chrome_tool_receipt": True,
"requires_codex_user_message_authorization_receipt": True,
"requires_browser_session_tab_and_capture_identifiers": True,
"requires_telegram_web_origin_and_chat_identity": True,
"requires_hashes_for_every_screenshot_and_accessibility_artifact": True,
}
protocol = {
"target": target,
"exact_messages": messages,
"handler_binding": handler_binding,
"tooling_binding": tooling,
"manifest_binding": manifest,
"browser_provenance_contract": browser_provenance_contract,
"operator_context": {
"codex_thread_id": codex_thread_id,
"authorization_source": "codex_platform_user_message",
},
"state_contract": {
"preflight": "two identical repeatable-read read-only canonical fingerprints",
"postflight": "same canonical fingerprint plus independent selected-object readback",
"service": "same active gateway process before and after",
"ordering": "preflight < authorization < send1 < reply1 < send2 < reply2 < send3 < reply3 < final/postflight",
},
}
protocol_sha256 = _canonical_sha256(protocol)
checks = {
**handler_checks,
"exact_three_turn_sequence": len(messages) == 3 and [item["sequence"] for item in messages] == [1, 2, 3],
"exact_prompts_imported_from_handler_verifier": [item["message"] for item in messages]
== [item["message"] for item in unseen.PROMPTS],
"first_prompt_supplies_no_row_id": unseen.UUID_RE.search(messages[0]["message"]) is None,
"authenticated_chrome_is_only_send_transport": target["allowed_transport"]
== "authenticated_chrome_telegram_ui",
"canonical_manifest_path_and_sha_bound": manifest == manifest_binding(),
"database_session_and_role_fail_closed_read_only": manifest["execution_contract"]["effective_role"]
== READ_ONLY_DB_ROLE
and manifest["execution_contract"]["default_transaction_read_only"] == "on"
and manifest["execution_contract"]["transaction_read_only"] == "on"
and manifest["execution_contract"]["arbitrary_manifest_override_allowed"] is False,
"independent_browser_provenance_required": browser_provenance_contract[
"requires_codex_rollout_log_outside_evidence_root"
]
is True,
"packet_does_not_send": True,
"packet_does_not_mutate_database": True,
}
ready = all(checks.values())
authorization_text = _authorization_text(chat_label=chat_label, chat_id=chat_id, messages=messages)
proof_paths = {
"preflight_json": str(DEFAULT_PREFLIGHT),
"postflight_json": str(DEFAULT_POSTFLIGHT),
"capture_receipt_json": str(DEFAULT_CAPTURE_RECEIPT),
"capture_json": f"{proof_dir}/capture.json",
"turn_screenshots": [f"{proof_dir}/turn-{index}.png" for index in range(1, 4)],
"turn_accessibility": [f"{proof_dir}/turn-{index}-accessibility.txt" for index in range(1, 4)],
"final_screenshot": f"{proof_dir}/final.png",
"final_accessibility": f"{proof_dir}/final-accessibility.txt",
"browser_provenance": f"{proof_dir}/browser-provenance.json",
}
return {
"schema": SCHEMA,
"generated_at_utc": datetime.now(timezone.utc).isoformat(),
"mode": "telegram_visible_unseen_chain_exact_packet_not_sent",
"packet_generation_git_sha": git_sha if git_sha is not None else current_git_sha(),
"protocol_sha256": protocol_sha256,
"protocol": protocol,
"ready_to_request_action_time_authorization": ready,
"authorization_gate_status": "ready_to_request_exact_authorization" if ready else "not_ready",
"telegram_visible_messages_sent": False,
"telegram_visible_message_authorization_present": False,
"production_apply_executed": False,
"mutates_db": False,
"target": target,
"exact_messages": messages,
"handler_receipt_binding": handler_binding,
"tooling_binding": tooling,
"manifest_binding": manifest,
"browser_provenance_contract": browser_provenance_contract,
"operator_context": protocol["operator_context"],
"checks": checks,
"expected_proof_paths_after_authorized_run": proof_paths,
"explicit_operator_authorization_text": authorization_text,
"clear_CTA": (
"Reply with the exact authorization sentence in this packet. That sentence names the destination, "
"transport, complete message bodies, ordering, evidence, and no-mutation boundary."
),
"next_non_user_action_after_authorization": [
"Re-run the zero-mutation preflight and confirm its packet file hash is current.",
"Use authenticated Chrome only and verify the Leo chat ID before typing anything.",
"Send one exact message, wait for Leo's visible reply, then continue to the next exact message.",
"Capture message IDs, timestamps, screenshot, accessibility text, and the Chrome-control provenance receipt without copying handler output.",
"Retain the Codex rollout path whose Chrome tool receipt contains the provenance SHA256.",
"Extract the selected DB object reference and run the read-only postflight with that reference.",
"Run the Telegram-visible verifier and accept T3 only if every visible and state check passes.",
],
"claim_ceiling": {
"current_tier": "T0_spec_plus_prior_T2_handler_evidence",
"required_tier": "T3_live_readonly",
"proven": "The exact three-turn Chrome send packet is bound to a passing no-send handler receipt.",
"not_proven": [
"Telegram-visible delivery of these three messages",
"Telegram-visible replies from Leo",
"post-send canonical fingerprint equality",
],
},
}
def write_json(path: Path, data: dict[str, Any]) -> None:
path.parent.mkdir(parents=True, exist_ok=True)
path.write_text(json.dumps(data, indent=2, sort_keys=True) + "\n", encoding="utf-8")
def write_markdown(path: Path, data: dict[str, Any]) -> None:
target = data["target"]
lines = [
"# Telegram-Visible Unseen Chain Authorization Packet",
"",
f"Generated UTC: `{data['generated_at_utc']}`",
f"Protocol SHA256: `{data['protocol_sha256']}`",
f"Ready to request action-time authorization: `{data['ready_to_request_action_time_authorization']}`",
f"Telegram-visible messages sent: `{data['telegram_visible_messages_sent']}`",
f"Mutates DB: `{data['mutates_db']}`",
"",
"## Exact Destination",
"",
f"- Chat: `{target['chat_label']}` (`{target['chat_id']}`)",
f"- Transport: `{target['allowed_transport']}`",
"",
"## Exact Messages",
"",
]
for item in data["exact_messages"]:
lines.extend(
[
f"### {item['sequence']}. {item['prompt_id']}",
"",
item["message"],
"",
f"SHA256: `{item['message_sha256']}`",
"",
]
)
manifest = data["manifest_binding"]
execution = manifest["execution_contract"]
lines.extend(
[
"## Read-Only State Contract",
"",
f"- Manifest: `{manifest['path']}`",
f"- Manifest SHA256: `{manifest['sha256']}`",
f"- Effective DB role: `{execution['effective_role']}`",
f"- Transaction read only: `{execution['transaction_read_only']}`",
f"- Arbitrary manifest override allowed: `{execution['arbitrary_manifest_override_allowed']}`",
"",
"## Independent Capture Contract",
"",
f"- Codex thread: `{data['operator_context']['codex_thread_id']}`",
"- Authorization must be an exact platform user-message event in that thread's rollout.",
"- Each turn and final artifact must be bound by Chrome-backend tool receipts in that rollout.",
"",
"## Checks",
"",
]
)
lines.extend(f"- `{key}`: `{value}`" for key, value in sorted(data["checks"].items()))
lines.extend(
[
"",
"## Exact Action-Time Authorization",
"",
data["explicit_operator_authorization_text"],
"",
"## Clear CTA",
"",
data["clear_CTA"],
"",
"## Claim Ceiling",
"",
f"Current tier: `{data['claim_ceiling']['current_tier']}`",
f"Required tier: `{data['claim_ceiling']['required_tier']}`",
"",
]
)
path.parent.mkdir(parents=True, exist_ok=True)
path.write_text("\n".join(lines), encoding="utf-8")
def parse_args(argv: list[str] | None = None) -> argparse.Namespace:
parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument("--handler-receipt", type=Path, default=DEFAULT_HANDLER_RECEIPT)
parser.add_argument("--chat-id", default=DEFAULT_CHAT_ID)
parser.add_argument("--chat-label", default=DEFAULT_CHAT_LABEL)
parser.add_argument("--proof-dir", default=DEFAULT_PROOF_DIR)
parser.add_argument("--out", type=Path, default=DEFAULT_OUT)
parser.add_argument("--markdown-out", type=Path, default=DEFAULT_MARKDOWN_OUT)
return parser.parse_args(argv)
def main(argv: list[str] | None = None) -> int:
args = parse_args(argv)
data = build_packet(
handler_receipt_path=args.handler_receipt,
chat_id=args.chat_id,
chat_label=args.chat_label,
proof_dir=args.proof_dir,
)
write_json(args.out, data)
write_markdown(args.markdown_out, data)
print(
json.dumps(
{
"out": str(args.out),
"markdown_out": str(args.markdown_out),
"ready_to_request_action_time_authorization": data["ready_to_request_action_time_authorization"],
"telegram_visible_messages_sent": False,
},
indent=2,
sort_keys=True,
)
)
return 0 if data["ready_to_request_action_time_authorization"] else 2
if __name__ == "__main__":
raise SystemExit(main())

View file

@ -0,0 +1,788 @@
#!/usr/bin/env python3
"""Collect fail-closed read-only state for the unseen Telegram chain."""
from __future__ import annotations
import argparse
import hashlib
import json
import re
import secrets
import shlex
import subprocess
from collections.abc import Callable
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Any
try:
import build_telegram_visible_unseen_chain_packet as packet_builder
import verify_leo_unseen_reasoning_chain as unseen
except ImportError: # pragma: no cover - imported as scripts.* in tests
from scripts import build_telegram_visible_unseen_chain_packet as packet_builder
from scripts import verify_leo_unseen_reasoning_chain as unseen
SCHEMA = "livingip.telegramVisibleUnseenChainState.v2"
REPO_ROOT = Path(__file__).resolve().parents[1]
REPORT_DIR = Path("docs/reports/leo-working-state-20260709")
DEFAULT_PACKET = packet_builder.DEFAULT_OUT
DEFAULT_PREFLIGHT_OUT = REPORT_DIR / "telegram-visible-unseen-chain-preflight-current.json"
DEFAULT_PREFLIGHT_MARKDOWN_OUT = REPORT_DIR / "telegram-visible-unseen-chain-preflight-current.md"
DEFAULT_POSTFLIGHT_OUT = REPORT_DIR / "telegram-visible-unseen-chain-postflight-current.json"
DEFAULT_POSTFLIGHT_MARKDOWN_OUT = REPORT_DIR / "telegram-visible-unseen-chain-postflight-current.md"
DEFAULT_SSH_TARGET = "root@77.42.65.182"
DEFAULT_SSH_KEY = Path.home() / ".ssh/livingip_hetzner_20260604_ed25519"
DEFAULT_MANIFEST_SQL = packet_builder.DEFAULT_MANIFEST_SQL
REMOTE_REPO = "/opt/teleo-eval/workspaces/deploy-infra"
SUBJECT_REF_RE = re.compile(
r"^(?:[0-9a-f]{8}|[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})$",
re.IGNORECASE,
)
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
SHA64_RE = re.compile(r"^[0-9a-f]{64}$")
FORBIDDEN_MANIFEST_SQL_RE = re.compile(
r"\b(?:insert|update|delete|merge|create|alter|drop|truncate|grant|revoke|copy|call|do|vacuum|"
r"refresh|reindex|cluster|commit|prepare|execute)\b|"
r"\\(?:!|i|ir|include|include_relative|copy)\b|"
r"\bset\s+(?:session\s+authorization|role)\b|"
r"\breset\s+(?:session\s+authorization|role)\b|"
r"\b(?:default_)?transaction_read_only\s*=\s*(?:off|false|0)\b|"
r"\btransaction\s+read\s+write\b",
re.IGNORECASE,
)
@dataclass(frozen=True)
class CommandResult:
returncode: int
stdout: str
stderr: str
Runner = Callable[[list[str], str, int], CommandResult]
def subprocess_runner(command: list[str], input_text: str, timeout: int) -> CommandResult:
try:
proc = subprocess.run(
command,
input=input_text,
text=True,
capture_output=True,
timeout=timeout,
check=False,
)
except subprocess.TimeoutExpired as exc:
return CommandResult(124, str(exc.stdout or ""), f"command timed out after {timeout}s")
return CommandResult(proc.returncode, proc.stdout, proc.stderr)
def _load_json(path: Path) -> dict[str, Any]:
return json.loads(path.read_text(encoding="utf-8"))
def _canonical_sha256(value: Any) -> str:
encoded = json.dumps(value, sort_keys=True, separators=(",", ":")).encode("utf-8")
return hashlib.sha256(encoded).hexdigest()
def _sha256_file(path: Path) -> str:
return hashlib.sha256(path.read_bytes()).hexdigest()
def canonical_manifest_path() -> Path:
return (REPO_ROOT / DEFAULT_MANIFEST_SQL).resolve()
def _manifest_sql_is_statically_read_only(sql: str) -> bool:
normalized = re.sub(r"\s+", " ", sql).strip().casefold()
return (
normalized.startswith(r"\set on_error_stop on")
and "begin transaction isolation level repeatable read read only;" in normalized
and normalized.endswith("rollback;")
and FORBIDDEN_MANIFEST_SQL_RE.search(sql) is None
)
def manifest_checks(packet: dict[str, Any], requested_path: Path | None = None) -> dict[str, bool]:
canonical_path = canonical_manifest_path()
binding = packet.get("manifest_binding") if isinstance(packet.get("manifest_binding"), dict) else {}
protocol = packet.get("protocol") if isinstance(packet.get("protocol"), dict) else {}
execution = binding.get("execution_contract") if isinstance(binding.get("execution_contract"), dict) else {}
try:
sql = canonical_path.read_text(encoding="utf-8")
actual_sha256 = _sha256_file(canonical_path)
except OSError:
sql = ""
actual_sha256 = ""
override_path = requested_path.resolve() if requested_path is not None else canonical_path
return {
"manifest_canonical_path_exists": canonical_path.is_file(),
"manifest_override_absent_or_exact_canonical_path": override_path == canonical_path,
"manifest_packet_path_is_exact_canonical_relative_path": binding.get("path") == str(DEFAULT_MANIFEST_SQL),
"manifest_packet_sha256_matches_canonical_file": bool(actual_sha256) and binding.get("sha256") == actual_sha256,
"manifest_protocol_binding_matches_packet": protocol.get("manifest_binding") == binding,
"manifest_sql_statically_read_only": bool(sql) and _manifest_sql_is_statically_read_only(sql),
"manifest_effective_role_is_read_only": execution.get("effective_role") == packet_builder.READ_ONLY_DB_ROLE,
"manifest_default_transaction_read_only_enforced": execution.get("default_transaction_read_only") == "on",
"manifest_transaction_read_only_enforced": execution.get("transaction_read_only") == "on",
"manifest_psql_rc_disabled": execution.get("psql_rc_disabled") is True,
"manifest_arbitrary_override_forbidden": execution.get("arbitrary_manifest_override_allowed") is False,
}
def parse_key_value_lines(text: str) -> dict[str, str]:
values: dict[str, str] = {}
for line in text.splitlines():
if "=" not in line:
continue
key, value = line.split("=", 1)
values[key] = value.strip()
return values
def parse_manifest_output(raw: str) -> dict[str, Any]:
rows = []
try:
for line in raw.splitlines():
candidate = line.strip()
if not candidate or candidate in {"BEGIN", "SET", "ROLLBACK"}:
continue
value = json.loads(candidate)
if isinstance(value, dict):
rows.append(value)
except (TypeError, json.JSONDecodeError) as exc:
return {"status": "error", "error": f"manifest_parse_error:{type(exc).__name__}"}
tables = {
f"{row['schema']}.{row['table']}": {
"row_count": int(row["row_count"]),
"rowset_md5": row["rowset_md5"],
}
for row in rows
if row.get("kind") == "table"
}
singleton_kinds = {
"schemas",
"extensions",
"application_roles",
"columns",
"constraints",
"indexes",
"sequences",
"views",
"functions",
"triggers",
"types",
"policies",
}
singleton = {str(row["kind"]): row.get("items", []) for row in rows if row.get("kind") in singleton_kinds}
identity_rows = [row for row in rows if row.get("kind") == "identity"]
if len(identity_rows) != 1 or not tables or singleton_kinds - set(singleton):
return {"status": "error", "error": "canonical_database_fingerprint_manifest_incomplete"}
identity = identity_rows[0]
stable = {
"identity": {
key: identity.get(key)
for key in (
"database",
"server_version_num",
"server_encoding",
"database_collation",
"database_ctype",
"transaction_read_only",
)
},
"singleton_sha256": {key: _canonical_sha256(value) for key, value in sorted(singleton.items())},
"tables": tables,
}
return {
"schema": "livingip.teleoCanonicalDatabaseFingerprint.v1",
"status": "ok",
"fingerprint_sha256": _canonical_sha256(stable),
"table_count": len(tables),
"total_rows": sum(item["row_count"] for item in tables.values()),
"table_rows_sha256": _canonical_sha256(tables),
"structure_sha256": _canonical_sha256(stable["singleton_sha256"]),
"transaction_read_only": identity.get("transaction_read_only"),
"current_user": identity.get("current_user"),
}
def packet_checks(packet: dict[str, Any], *, requested_manifest_path: Path | None = None) -> dict[str, bool]:
target = packet.get("target") if isinstance(packet.get("target"), dict) else {}
protocol = packet.get("protocol") if isinstance(packet.get("protocol"), dict) else {}
packet_check_section = packet.get("checks") if isinstance(packet.get("checks"), dict) else {}
exact = packet_builder.exact_messages()
expected_tooling = packet_builder.tooling_binding()
checks = {
"packet_schema_supported": packet.get("schema") == packet_builder.SCHEMA,
"packet_check_section_present_and_passing": bool(packet_check_section)
and all(value is True for value in packet_check_section.values()),
"packet_ready_for_authorization_request": packet.get("ready_to_request_action_time_authorization") is True,
"packet_not_sent": packet.get("telegram_visible_messages_sent") is False,
"packet_has_no_authorization_recorded": packet.get("telegram_visible_message_authorization_present") is False,
"packet_does_not_mutate_db": packet.get("mutates_db") is False,
"packet_targets_exact_leo_chat": target.get("chat_label") == packet_builder.DEFAULT_CHAT_LABEL
and target.get("chat_id") == packet_builder.DEFAULT_CHAT_ID,
"packet_requires_authenticated_chrome": target.get("allowed_transport") == "authenticated_chrome_telegram_ui",
"packet_prompt_ids_exact": target.get("expected_prompt_ids") == [item["id"] for item in unseen.PROMPTS],
"packet_messages_exact": [item.get("message") for item in packet.get("exact_messages", [])]
== [item["message"] for item in exact],
"packet_protocol_sha256_present": bool(SHA64_RE.fullmatch(str(packet.get("protocol_sha256") or ""))),
"packet_protocol_sha256_derivation_valid": bool(protocol)
and packet.get("protocol_sha256") == _canonical_sha256(protocol),
"packet_protocol_top_level_bindings_match": protocol.get("target") == packet.get("target")
and protocol.get("exact_messages") == packet.get("exact_messages")
and protocol.get("handler_binding") == packet.get("handler_receipt_binding")
and protocol.get("tooling_binding") == packet.get("tooling_binding")
and protocol.get("browser_provenance_contract") == packet.get("browser_provenance_contract")
and protocol.get("operator_context") == packet.get("operator_context"),
"packet_tooling_hashes_match_current_sources": packet.get("tooling_binding") == expected_tooling,
}
checks.update(manifest_checks(packet, requested_path=requested_manifest_path))
return checks
def ssh_command(args: argparse.Namespace, remote_command: str) -> list[str]:
return [
"ssh",
"-i",
str(args.ssh_key),
"-o",
"BatchMode=yes",
"-o",
"StrictHostKeyChecking=accept-new",
"-o",
f"ConnectTimeout={args.connect_timeout}",
args.ssh_target,
remote_command,
]
def deploy_readback_command() -> str:
repo = shlex.quote(REMOTE_REPO)
return (
f"cd {repo} && "
"deploy_head=$(git rev-parse HEAD) && "
"last_deploy_sha=$(cat /opt/teleo-eval/.last-deploy-sha) && "
'printf \'deploy_head=%s\\nlast_deploy_sha=%s\\n\' "$deploy_head" "$last_deploy_sha" && '
'if git merge-base --is-ancestor "$last_deploy_sha" "$deploy_head"; then '
"printf 'deploy_stamp_ancestor=true\\n'; else printf 'deploy_stamp_ancestor=false\\n'; fi"
)
def service_readback_command() -> str:
return (
"systemctl show leoclean-gateway.service "
"-p ActiveState -p SubState -p MainPID -p NRestarts -p ExecMainStartTimestamp --no-pager"
)
def fingerprint_readback_command() -> str:
pgoptions = shlex.quote(
"PGOPTIONS=-c default_transaction_read_only=on -c transaction_read_only=on "
f"-c role={packet_builder.READ_ONLY_DB_ROLE}"
)
return f"docker exec -e {pgoptions} -i teleo-pg psql -X -U postgres -d teleo -At -q -v ON_ERROR_STOP=1"
def subject_readback_sql(subject_ref: str) -> str:
if not SUBJECT_REF_RE.fullmatch(subject_ref):
raise ValueError("subject_ref must be an eight-hex prefix or UUID")
prefix = subject_ref.casefold()
return f"""
\\set ON_ERROR_STOP on
begin transaction isolation level repeatable read read only;
select jsonb_build_object(
'subject_ref', '{prefix}',
'matches', coalesce(jsonb_agg(item order by item->>'table', item->'row'->>'id'), '[]'::jsonb)
)::text
from (
select jsonb_build_object(
'table', 'public.claims',
'row', to_jsonb(claim_row),
'evidence_count', (select count(*) from public.claim_evidence evidence where evidence.claim_id = claim_row.id)
) as item
from public.claims claim_row
where lower(claim_row.id::text) like '{prefix}%'
union all
select jsonb_build_object(
'table', 'public.beliefs',
'row', to_jsonb(belief_row),
'evidence_count', null
) as item
from public.beliefs belief_row
where lower(belief_row.id::text) like '{prefix}%'
) matched;
rollback;
""".strip()
def _parse_single_json_line(raw: str) -> dict[str, Any] | None:
for line in raw.splitlines():
candidate = line.strip()
if not candidate or candidate in {"BEGIN", "SET", "ROLLBACK"}:
continue
try:
value = json.loads(candidate)
except json.JSONDecodeError:
continue
if isinstance(value, dict):
return value
return None
def collect_remote(
args: argparse.Namespace,
runner: Runner,
*,
manifest_sql: str,
) -> tuple[dict[str, Any], int, str]:
calls: list[tuple[str, list[str], str, int]] = [
("deploy", ssh_command(args, deploy_readback_command()), "", args.timeout),
("service_before", ssh_command(args, service_readback_command()), "", args.timeout),
(
"fingerprint_before",
ssh_command(args, fingerprint_readback_command()),
manifest_sql,
args.fingerprint_timeout,
),
(
"fingerprint_after",
ssh_command(args, fingerprint_readback_command()),
manifest_sql,
args.fingerprint_timeout,
),
("service_after", ssh_command(args, service_readback_command()), "", args.timeout),
]
if args.subject_ref:
calls.append(
(
"subject",
ssh_command(args, fingerprint_readback_command()),
subject_readback_sql(args.subject_ref),
args.timeout,
)
)
results: dict[str, CommandResult] = {}
attempts: dict[str, int] = {}
for name, command, input_text, timeout in calls:
result = CommandResult(1, "", "not attempted")
for attempt in range(1, max(1, args.ssh_attempts) + 1):
result = runner(command, input_text, timeout)
attempts[name] = attempt
if result.returncode == 0:
break
results[name] = result
deploy_values = parse_key_value_lines(results["deploy"].stdout)
service_before = parse_key_value_lines(results["service_before"].stdout)
service_after = parse_key_value_lines(results["service_after"].stdout)
fingerprint_before = parse_manifest_output(results["fingerprint_before"].stdout)
fingerprint_after = parse_manifest_output(results["fingerprint_after"].stdout)
subject = _parse_single_json_line(results["subject"].stdout) if "subject" in results else None
returncode = next((result.returncode for result in results.values() if result.returncode != 0), 0)
stderr = "\n".join(f"{name}: {result.stderr.strip()}" for name, result in results.items() if result.stderr.strip())
return (
{
"deploy_head": deploy_values.get("deploy_head", ""),
"last_deploy_sha": deploy_values.get("last_deploy_sha", ""),
"deploy_stamp_ancestor": deploy_values.get("deploy_stamp_ancestor") == "true",
"workspace_head_matches_deployed_stamp": deploy_values.get("deploy_head")
== deploy_values.get("last_deploy_sha"),
"service_before": service_before,
"service_after": service_after,
"fingerprint_before": fingerprint_before,
"fingerprint_after": fingerprint_after,
"subject_readback": subject,
"readback_attempts": attempts,
},
returncode,
stderr,
)
def _service_active(state: dict[str, Any]) -> bool:
return state.get("ActiveState") == "active" and state.get("SubState") == "running"
def _service_identity(state: dict[str, Any]) -> dict[str, Any]:
return {key: state.get(key) for key in ("MainPID", "NRestarts", "ExecMainStartTimestamp")}
def _remote_checks(
remote: dict[str, Any],
*,
returncode: int,
subject_required: bool,
expected_subject_ref: str | None,
) -> dict[str, bool]:
before = remote.get("fingerprint_before") or {}
after = remote.get("fingerprint_after") or {}
service_before = remote.get("service_before") or {}
service_after = remote.get("service_after") or {}
subject = remote.get("subject_readback") or {}
matches = subject.get("matches") if isinstance(subject, dict) else None
checks = {
"ssh_readbacks_succeeded": returncode == 0,
"workspace_head_is_sha": bool(SHA40_RE.fullmatch(str(remote.get("deploy_head") or ""))),
"deployed_stamp_is_sha": bool(SHA40_RE.fullmatch(str(remote.get("last_deploy_sha") or ""))),
"deployed_stamp_is_ancestor_of_workspace_head": remote.get("deploy_stamp_ancestor") is True,
"service_active_before_and_after": _service_active(service_before) and _service_active(service_after),
"service_identity_complete": all(
value
for value in (
service_before.get("MainPID"),
service_before.get("NRestarts"),
service_before.get("ExecMainStartTimestamp"),
service_after.get("MainPID"),
service_after.get("NRestarts"),
service_after.get("ExecMainStartTimestamp"),
)
),
"service_process_unchanged_during_probe": _service_identity(service_before) == _service_identity(service_after),
"first_fingerprint_complete": before.get("status") == "ok" and int(before.get("table_count") or 0) > 0,
"second_fingerprint_complete": after.get("status") == "ok" and int(after.get("table_count") or 0) > 0,
"fingerprints_are_read_only": before.get("transaction_read_only") == "on"
and after.get("transaction_read_only") == "on",
"fingerprints_use_independent_read_only_role": before.get("current_user") == packet_builder.READ_ONLY_DB_ROLE
and after.get("current_user") == packet_builder.READ_ONLY_DB_ROLE,
"canonical_fingerprint_unchanged_during_probe": bool(before.get("fingerprint_sha256"))
and before.get("fingerprint_sha256") == after.get("fingerprint_sha256"),
}
if subject_required:
checks.update(
{
"subject_readback_present": isinstance(subject, dict),
"subject_reference_matches_request": subject.get("subject_ref")
== str(expected_subject_ref or "").casefold(),
"subject_resolved_to_exactly_one_db_object": isinstance(matches, list) and len(matches) == 1,
}
)
return checks
def derive_state_token(artifact: dict[str, Any]) -> str:
return _canonical_sha256(
{
"schema": artifact.get("schema"),
"generated_at_utc": artifact.get("generated_at_utc"),
"phase": artifact.get("phase"),
"packet_file_sha256": artifact.get("packet_file_sha256"),
"protocol_sha256": artifact.get("protocol_sha256"),
"manifest_binding": artifact.get("manifest_binding"),
"capture_challenge_nonce": artifact.get("capture_challenge_nonce"),
"baseline_state_token_sha256": artifact.get("baseline_state_token_sha256"),
"subject_ref": artifact.get("subject_ref"),
"packet_checks": artifact.get("packet_checks"),
"remote_checks": artifact.get("remote_checks"),
"baseline_checks": artifact.get("baseline_checks"),
"remote": {
"deploy_head": (artifact.get("remote") or {}).get("deploy_head"),
"last_deploy_sha": (artifact.get("remote") or {}).get("last_deploy_sha"),
"service_after": _service_identity((artifact.get("remote") or {}).get("service_after") or {}),
"fingerprint_after": (artifact.get("remote") or {}).get("fingerprint_after"),
"subject_readback": (artifact.get("remote") or {}).get("subject_readback"),
},
}
)
def state_token_is_valid(artifact: dict[str, Any]) -> bool:
token = artifact.get("state_token_sha256")
return bool(SHA64_RE.fullmatch(str(token or ""))) and token == derive_state_token(artifact)
def _empty_remote() -> dict[str, Any]:
return {
"deploy_head": "",
"last_deploy_sha": "",
"deploy_stamp_ancestor": False,
"workspace_head_matches_deployed_stamp": False,
"service_before": {},
"service_after": {},
"fingerprint_before": {},
"fingerprint_after": {},
"subject_readback": None,
"readback_attempts": {},
}
def collect_state(args: argparse.Namespace, *, runner: Runner = subprocess_runner) -> dict[str, Any]:
packet = _load_json(args.packet)
requested_manifest_path = getattr(args, "manifest_sql", None)
local_packet_checks = packet_checks(packet, requested_manifest_path=requested_manifest_path)
manifest_sql = ""
if all(local_packet_checks.values()):
try:
manifest_sql = canonical_manifest_path().read_text(encoding="utf-8")
except OSError:
manifest_sql = ""
loaded_sha256 = hashlib.sha256(manifest_sql.encode("utf-8")).hexdigest()
local_packet_checks.update(
{
"manifest_loaded_bytes_match_bound_sha256": loaded_sha256
== (packet.get("manifest_binding") or {}).get("sha256"),
"manifest_loaded_bytes_revalidated_read_only": _manifest_sql_is_statically_read_only(manifest_sql),
}
)
if all(local_packet_checks.values()):
remote, remote_returncode, remote_stderr = collect_remote(
args,
runner,
manifest_sql=manifest_sql,
)
else:
remote = _empty_remote()
remote_returncode = 1
remote_stderr = "local fail-closed validation rejected execution before SSH"
remote_checks = _remote_checks(
remote,
returncode=remote_returncode,
subject_required=args.phase == "postflight",
expected_subject_ref=args.subject_ref,
)
baseline = _load_json(args.baseline) if args.baseline else None
baseline_checks: dict[str, bool] = {}
if args.phase == "postflight":
baseline_packet_checks = baseline.get("packet_checks") if isinstance(baseline, dict) else {}
baseline_remote_checks = baseline.get("remote_checks") if isinstance(baseline, dict) else {}
baseline_nonce = str((baseline or {}).get("capture_challenge_nonce") or "")
baseline_checks = {
"baseline_supplied": baseline is not None,
"baseline_schema_supported": bool(baseline and baseline.get("schema") == SCHEMA),
"baseline_is_passing_preflight": bool(
baseline and baseline.get("phase") == "preflight" and baseline.get("status") == "pass"
),
"baseline_check_sections_all_pass": bool(baseline_packet_checks)
and all(value is True for value in baseline_packet_checks.values())
and bool(baseline_remote_checks)
and all(value is True for value in baseline_remote_checks.values()),
"baseline_state_token_derivation_valid": bool(baseline and state_token_is_valid(baseline)),
"baseline_capture_challenge_nonce_valid": bool(SHA64_RE.fullmatch(baseline_nonce)),
"baseline_protocol_matches_packet": bool(
baseline and baseline.get("protocol_sha256") == packet.get("protocol_sha256")
),
"baseline_packet_file_matches": bool(
baseline and baseline.get("packet_file_sha256") == _sha256_file(args.packet)
),
"baseline_manifest_binding_matches_packet": bool(
baseline and baseline.get("manifest_binding") == packet.get("manifest_binding")
),
"canonical_fingerprint_matches_preflight": bool(
baseline
and (baseline.get("remote") or {}).get("fingerprint_after", {}).get("fingerprint_sha256")
== remote.get("fingerprint_after", {}).get("fingerprint_sha256")
),
"gateway_process_matches_preflight": bool(
baseline
and _service_identity((baseline.get("remote") or {}).get("service_after") or {})
== _service_identity(remote.get("service_after") or {})
),
}
status = (
"pass"
if all(local_packet_checks.values()) and all(remote_checks.values()) and all(baseline_checks.values())
else "fail"
)
packet_file_sha256 = _sha256_file(args.packet)
generated_at_utc = datetime.now(timezone.utc).isoformat()
capture_challenge_nonce = (
secrets.token_hex(32)
if args.phase == "preflight"
else str((baseline or {}).get("capture_challenge_nonce") or "")
)
baseline_state_token_sha256 = (
str((baseline or {}).get("state_token_sha256") or "") if args.phase == "postflight" else ""
)
exact_gate = ""
if status != "pass":
failed = [
key
for checks in (local_packet_checks, remote_checks, baseline_checks)
for key, value in checks.items()
if value is not True
]
exact_gate = "; ".join(part for part in (remote_stderr.strip(), ", ".join(failed)) if part)
current_canary = (
"Read-only pre-send readiness for the exact three-turn unseen Leo chain in Telegram"
if args.phase == "preflight"
else "Read-only post-send DB grounding and unchanged-state proof for the exact Telegram chain"
)
artifact = {
"schema": SCHEMA,
"generated_at_utc": generated_at_utc,
"mode": "telegram_visible_unseen_chain_zero_mutation_state_readback",
"phase": args.phase,
"status": status,
"ready_for_action_time_authorization": args.phase == "preflight" and status == "pass",
"ready_for_visible_capture_verification": args.phase == "postflight" and status == "pass",
"telegram_visible_messages_sent_by_collector": False,
"production_apply_executed": False,
"mutates_db": False,
"packet_path": str(args.packet),
"packet_file_sha256": packet_file_sha256,
"protocol_sha256": packet.get("protocol_sha256"),
"manifest_binding": packet.get("manifest_binding"),
"capture_challenge_nonce": capture_challenge_nonce,
"baseline_state_token_sha256": baseline_state_token_sha256,
"baseline_path": str(args.baseline) if args.baseline else "",
"subject_ref": args.subject_ref or "",
"packet_checks": local_packet_checks,
"remote_checks": remote_checks,
"baseline_checks": baseline_checks,
"remote": remote,
"remote_returncode": remote_returncode,
"remote_stderr": remote_stderr,
"blocker_readback": {
"current_canary": current_canary,
"attempted_routes": [
"local exact packet validation",
*(
[
"SSH deploy stamp and gateway service readback",
"two canonical repeatable-read read-only Postgres parity manifests",
*(["independent selected-object DB readback"] if args.subject_ref else []),
]
if remote.get("readback_attempts")
else []
),
],
"exact_gate": exact_gate,
"clear_CTA": (
"No user action is needed; repair the named readback check and rerun this collector."
if exact_gate
else "Use the packet's exact authorization sentence only when ready to cross the send boundary."
),
"next_non_user_action": (
"Run the authenticated-Chrome three-turn flow only after exact authorization, then collect postflight."
if args.phase == "preflight" and status == "pass"
else "Repair the failed preflight check and rerun before requesting authorization."
if args.phase == "preflight"
else "Run the visible capture verifier against this postflight and the retained Chrome evidence."
),
},
"claim_ceiling": {
"current_tier": "T3_live_readonly" if status == "pass" else "T0_failed_preflight",
"proven": (
"Two canonical read-only snapshots and the gateway process were unchanged during this probe."
if status == "pass"
else "No live readiness claim; one or more fail-closed checks did not pass."
),
"not_proven": [
"Telegram-visible delivery or reply behavior",
"authorization to send Telegram messages",
"canonical mutation",
],
},
}
artifact["state_token_sha256"] = derive_state_token(artifact)
return artifact
def write_json(path: Path, data: dict[str, Any]) -> None:
path.parent.mkdir(parents=True, exist_ok=True)
path.write_text(json.dumps(data, indent=2, sort_keys=True) + "\n", encoding="utf-8")
def write_markdown(path: Path, data: dict[str, Any]) -> None:
remote = data.get("remote") or {}
service = remote.get("service_after") or {}
fingerprint = remote.get("fingerprint_after") or {}
lines = [
f"# Telegram-Visible Unseen Chain {data['phase'].title()}",
"",
f"Generated UTC: `{data['generated_at_utc']}`",
f"Status: `{data['status']}`",
f"Protocol SHA256: `{data['protocol_sha256']}`",
f"Packet file SHA256: `{data['packet_file_sha256']}`",
f"State token SHA256: `{data['state_token_sha256']}`",
f"Messages sent by collector: `{data['telegram_visible_messages_sent_by_collector']}`",
f"Mutates DB: `{data['mutates_db']}`",
"",
"## Checks",
"",
]
for section in ("packet_checks", "remote_checks", "baseline_checks"):
for key, value in sorted(data.get(section, {}).items()):
lines.append(f"- `{key}`: `{value}`")
lines.extend(
[
"",
"## Live Readback",
"",
f"- Deploy head: `{remote.get('deploy_head', '')}`",
f"- Deploy stamp: `{remote.get('last_deploy_sha', '')}`",
f"- Gateway MainPID: `{service.get('MainPID', '')}`",
f"- Gateway NRestarts: `{service.get('NRestarts', '')}`",
f"- Manifest: `{(data.get('manifest_binding') or {}).get('path', '')}`",
f"- Manifest SHA256: `{(data.get('manifest_binding') or {}).get('sha256', '')}`",
f"- Effective DB role: `{fingerprint.get('current_user', '')}`",
f"- Transaction read only: `{fingerprint.get('transaction_read_only', '')}`",
f"- Canonical fingerprint: `{fingerprint.get('fingerprint_sha256', '')}`",
f"- Canonical tables: `{fingerprint.get('table_count', '')}`",
f"- Canonical rows: `{fingerprint.get('total_rows', '')}`",
f"- Selected object ref: `{data.get('subject_ref', '')}`",
"",
"## Claim Ceiling",
"",
data["claim_ceiling"]["proven"],
"",
]
)
path.parent.mkdir(parents=True, exist_ok=True)
path.write_text("\n".join(lines), encoding="utf-8")
def parse_args(argv: list[str] | None = None) -> argparse.Namespace:
parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument("--phase", choices=("preflight", "postflight"), default="preflight")
parser.add_argument("--packet", type=Path, default=DEFAULT_PACKET)
parser.add_argument("--baseline", type=Path)
parser.add_argument("--subject-ref")
parser.add_argument("--ssh-target", default=DEFAULT_SSH_TARGET)
parser.add_argument("--ssh-key", type=Path, default=DEFAULT_SSH_KEY)
parser.add_argument("--connect-timeout", type=int, default=10)
parser.add_argument("--timeout", type=int, default=60)
parser.add_argument("--fingerprint-timeout", type=int, default=240)
parser.add_argument("--ssh-attempts", type=int, default=3)
parser.add_argument("--out", type=Path)
parser.add_argument("--markdown-out", type=Path)
args = parser.parse_args(argv)
if args.phase == "postflight" and (not args.baseline or not args.subject_ref):
parser.error("postflight requires --baseline and --subject-ref")
if args.subject_ref and not SUBJECT_REF_RE.fullmatch(args.subject_ref):
parser.error("--subject-ref must be an eight-hex prefix or UUID")
if args.out is None:
args.out = DEFAULT_PREFLIGHT_OUT if args.phase == "preflight" else DEFAULT_POSTFLIGHT_OUT
if args.markdown_out is None:
args.markdown_out = (
DEFAULT_PREFLIGHT_MARKDOWN_OUT if args.phase == "preflight" else DEFAULT_POSTFLIGHT_MARKDOWN_OUT
)
return args
def main(argv: list[str] | None = None) -> int:
args = parse_args(argv)
data = collect_state(args)
write_json(args.out, data)
write_markdown(args.markdown_out, data)
print(
json.dumps(
{
"out": str(args.out),
"markdown_out": str(args.markdown_out),
"phase": args.phase,
"status": data["status"],
"mutates_db": False,
},
indent=2,
sort_keys=True,
)
)
return 0 if data["status"] == "pass" else 2
if __name__ == "__main__":
raise SystemExit(main())

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,73 @@
from __future__ import annotations
import json
from pathlib import Path
from scripts import build_telegram_visible_unseen_chain_packet as packet
def test_packet_binds_handler_receipt_and_preserves_exact_messages() -> None:
data = packet.build_packet(git_sha="a" * 40)
assert data["schema"] == packet.SCHEMA
assert data["ready_to_request_action_time_authorization"] is True
assert data["telegram_visible_messages_sent"] is False
assert data["telegram_visible_message_authorization_present"] is False
assert data["mutates_db"] is False
assert data["target"]["chat_label"] == "Leo"
assert data["target"]["chat_id"] == "-5146042086"
assert data["target"]["allowed_transport"] == "authenticated_chrome_telegram_ui"
assert [item["message"] for item in data["exact_messages"]] == [item["message"] for item in packet.unseen.PROMPTS]
assert [item["sequence"] for item in data["exact_messages"]] == [1, 2, 3]
assert all(len(item["message_sha256"]) == 64 for item in data["exact_messages"])
assert data["handler_receipt_binding"]["sha256"] == packet._sha256_file(packet.DEFAULT_HANDLER_RECEIPT)
assert data["tooling_binding"] == packet.tooling_binding()
assert data["manifest_binding"] == packet.manifest_binding()
assert data["manifest_binding"]["path"] == "ops/postgres_parity_manifest.sql"
assert data["manifest_binding"]["execution_contract"]["effective_role"] == "pg_read_all_data"
assert data["manifest_binding"]["execution_contract"]["transaction_read_only"] == "on"
assert data["protocol"]["manifest_binding"] == data["manifest_binding"]
assert data["operator_context"]["codex_thread_id"] == packet.DEFAULT_CODEX_THREAD_ID
assert data["protocol"]["operator_context"] == data["operator_context"]
assert packet._canonical_sha256(data["protocol"]) == data["protocol_sha256"]
assert all(data["checks"].values())
def test_action_time_authorization_contains_destination_transport_and_full_messages() -> None:
data = packet.build_packet(git_sha="a" * 40)
authorization = data["explicit_operator_authorization_text"]
assert "Telegram group Leo (chat ID -5146042086)" in authorization
assert "already-authenticated Chrome Telegram UI" in authorization
assert "do not use the Bot API" in authorization
assert "Codex rollout's user-authorization and Chrome tool events" in authorization
assert "no additional messages" in authorization
for item in data["exact_messages"]:
assert item["prompt_id"] in authorization
assert json.dumps(item["message"], ensure_ascii=True) in authorization
def test_packet_fails_closed_when_handler_receipt_no_longer_passes(tmp_path: Path) -> None:
receipt = json.loads(packet.DEFAULT_HANDLER_RECEIPT.read_text(encoding="utf-8"))
receipt["status"] = "fail"
receipt_path = tmp_path / "handler.json"
receipt_path.write_text(json.dumps(receipt), encoding="utf-8")
data = packet.build_packet(handler_receipt_path=receipt_path, git_sha="a" * 40)
assert data["ready_to_request_action_time_authorization"] is False
assert data["authorization_gate_status"] == "not_ready"
assert data["checks"]["handler_receipt_passed"] is False
def test_markdown_retains_exact_cta_and_no_send_ceiling(tmp_path: Path) -> None:
data = packet.build_packet(git_sha="a" * 40)
out = tmp_path / "packet.md"
packet.write_markdown(out, data)
text = out.read_text(encoding="utf-8")
assert "Telegram-Visible Unseen Chain Authorization Packet" in text
assert "Telegram-visible messages sent: `False`" in text
assert "Exact Action-Time Authorization" in text
assert data["exact_messages"][2]["message"] in text

View file

@ -0,0 +1,320 @@
from __future__ import annotations
import argparse
import copy
import json
from pathlib import Path
import pytest
from scripts import build_telegram_visible_unseen_chain_packet as packet_builder
from scripts import collect_telegram_visible_unseen_chain_state as state
def manifest_output(*, row_count: int = 7) -> str:
rows = [
{
"kind": "identity",
"database": "teleo",
"current_user": packet_builder.READ_ONLY_DB_ROLE,
"server_version_num": 160014,
"server_encoding": "UTF8",
"database_collation": "C.UTF-8",
"database_ctype": "C.UTF-8",
"transaction_read_only": "on",
}
]
for kind in (
"schemas",
"extensions",
"application_roles",
"columns",
"constraints",
"indexes",
"sequences",
"views",
"functions",
"triggers",
"types",
"policies",
):
rows.append({"kind": kind, "items": []})
rows.append(
{
"kind": "table",
"schema": "public",
"table": "claims",
"row_count": row_count,
"rowset_md5": "f" * 32,
}
)
return "BEGIN\nSET\n" + "\n".join(json.dumps(item) for item in rows) + "\nROLLBACK\n"
def write_packet(tmp_path: Path) -> Path:
out = tmp_path / "packet.json"
packet_builder.write_json(
out,
packet_builder.build_packet(
handler_receipt_path=packet_builder.DEFAULT_HANDLER_RECEIPT.resolve(),
git_sha="a" * 40,
),
)
return out
def args_for(packet: Path, tmp_path: Path, *, phase: str = "preflight") -> argparse.Namespace:
return argparse.Namespace(
phase=phase,
packet=packet,
baseline=None,
subject_ref=None,
manifest_sql=Path("ops/postgres_parity_manifest.sql"),
ssh_target="root@example.invalid",
ssh_key=tmp_path / "key",
connect_timeout=1,
timeout=5,
fingerprint_timeout=5,
ssh_attempts=3,
out=tmp_path / f"{phase}.json",
markdown_out=tmp_path / f"{phase}.md",
)
class GoodRunner:
def __init__(self) -> None:
self.service_calls = 0
def __call__(self, command: list[str], input_text: str, _timeout: int) -> state.CommandResult:
remote_command = command[-1]
if "git rev-parse HEAD" in remote_command:
sha = "b" * 40
return state.CommandResult(
0,
f"deploy_head={sha}\nlast_deploy_sha={sha}\ndeploy_stamp_ancestor=true\n",
"",
)
if "systemctl show" in remote_command:
self.service_calls += 1
return state.CommandResult(
0,
"\n".join(
[
"ActiveState=active",
"SubState=running",
"MainPID=123",
"NRestarts=0",
"ExecMainStartTimestamp=Wed 2026-07-15 00:00:00 UTC",
]
),
"",
)
if "'subject_ref'" in input_text:
assert "default_transaction_read_only=on" in remote_command
assert "-c transaction_read_only=on" in remote_command
assert f"role={packet_builder.READ_ONLY_DB_ROLE}" in remote_command
assert "psql -X" in remote_command
payload = {
"subject_ref": "c0000000",
"matches": [
{
"table": "public.beliefs",
"row": {"id": "c0000000-0000-4000-8000-000000000001"},
"evidence_count": None,
}
],
}
return state.CommandResult(0, f"BEGIN\n{json.dumps(payload)}\nROLLBACK\n", "")
if "postgres_parity_manifest" not in remote_command and input_text.startswith("\\set ON_ERROR_STOP"):
assert "default_transaction_read_only=on" in remote_command
assert "-c transaction_read_only=on" in remote_command
assert f"role={packet_builder.READ_ONLY_DB_ROLE}" in remote_command
assert "psql -X" in remote_command
return state.CommandResult(0, manifest_output(), "")
raise AssertionError(f"unexpected command: {command} / input={input_text[:80]}")
def test_preflight_passes_with_two_identical_read_only_fingerprints(tmp_path: Path) -> None:
args = args_for(write_packet(tmp_path), tmp_path)
result = state.collect_state(args, runner=GoodRunner())
assert result["status"] == "pass"
assert result["ready_for_action_time_authorization"] is True
assert result["telegram_visible_messages_sent_by_collector"] is False
assert result["mutates_db"] is False
assert all(result["packet_checks"].values())
assert all(result["remote_checks"].values())
assert len(result["state_token_sha256"]) == 64
def test_preflight_fails_when_second_fingerprint_drifts(tmp_path: Path) -> None:
args = args_for(write_packet(tmp_path), tmp_path)
fingerprint_calls = 0
good = GoodRunner()
def drift_runner(command: list[str], input_text: str, timeout: int) -> state.CommandResult:
nonlocal fingerprint_calls
if input_text.startswith("\\set ON_ERROR_STOP") and "'subject_ref'" not in input_text:
fingerprint_calls += 1
return state.CommandResult(0, manifest_output(row_count=7 + fingerprint_calls - 1), "")
return good(command, input_text, timeout)
result = state.collect_state(args, runner=drift_runner)
assert result["status"] == "fail"
assert result["remote_checks"]["canonical_fingerprint_unchanged_during_probe"] is False
def test_preflight_accepts_newer_workspace_head_when_deployed_stamp_is_ancestor(tmp_path: Path) -> None:
args = args_for(write_packet(tmp_path), tmp_path)
class AheadRunner(GoodRunner):
def __call__(self, command: list[str], input_text: str, timeout: int) -> state.CommandResult:
if "git rev-parse HEAD" in command[-1]:
return state.CommandResult(
0,
f"deploy_head={'c' * 40}\nlast_deploy_sha={'b' * 40}\ndeploy_stamp_ancestor=true\n",
"",
)
return super().__call__(command, input_text, timeout)
result = state.collect_state(args, runner=AheadRunner())
assert result["status"] == "pass"
assert result["remote"]["workspace_head_matches_deployed_stamp"] is False
assert result["remote_checks"]["deployed_stamp_is_ancestor_of_workspace_head"] is True
def test_preflight_retries_transient_ssh_failure(tmp_path: Path) -> None:
args = args_for(write_packet(tmp_path), tmp_path)
good = GoodRunner()
deploy_attempts = 0
def transient_runner(command: list[str], input_text: str, timeout: int) -> state.CommandResult:
nonlocal deploy_attempts
if "git rev-parse HEAD" in command[-1]:
deploy_attempts += 1
if deploy_attempts == 1:
return state.CommandResult(255, "", "Connection timed out during banner exchange")
return good(command, input_text, timeout)
result = state.collect_state(args, runner=transient_runner)
assert result["status"] == "pass"
assert result["remote"]["readback_attempts"]["deploy"] == 2
def test_preflight_rejects_packet_bound_to_different_tooling_source(tmp_path: Path) -> None:
packet_path = write_packet(tmp_path)
packet = json.loads(packet_path.read_text(encoding="utf-8"))
packet["tooling_binding"]["capture_verifier"]["sha256"] = "0" * 64
packet_path.write_text(json.dumps(packet), encoding="utf-8")
result = state.collect_state(args_for(packet_path, tmp_path), runner=GoodRunner())
assert result["status"] == "fail"
assert result["packet_checks"]["packet_tooling_hashes_match_current_sources"] is False
def test_postflight_binds_baseline_fingerprint_service_and_subject(tmp_path: Path) -> None:
packet = write_packet(tmp_path)
pre_args = args_for(packet, tmp_path)
preflight = state.collect_state(pre_args, runner=GoodRunner())
baseline = tmp_path / "preflight.json"
state.write_json(baseline, preflight)
post_args = args_for(packet, tmp_path, phase="postflight")
post_args.baseline = baseline
post_args.subject_ref = "c0000000"
postflight = state.collect_state(post_args, runner=GoodRunner())
assert postflight["status"] == "pass"
assert postflight["ready_for_visible_capture_verification"] is True
assert all(postflight["baseline_checks"].values())
assert postflight["remote_checks"]["subject_resolved_to_exactly_one_db_object"] is True
def test_postflight_rejects_baseline_fingerprint_mismatch(tmp_path: Path) -> None:
packet = write_packet(tmp_path)
pre_args = args_for(packet, tmp_path)
preflight = state.collect_state(pre_args, runner=GoodRunner())
preflight = copy.deepcopy(preflight)
preflight["remote"]["fingerprint_after"]["fingerprint_sha256"] = "0" * 64
baseline = tmp_path / "preflight.json"
state.write_json(baseline, preflight)
post_args = args_for(packet, tmp_path, phase="postflight")
post_args.baseline = baseline
post_args.subject_ref = "c0000000"
postflight = state.collect_state(post_args, runner=GoodRunner())
assert postflight["status"] == "fail"
assert postflight["baseline_checks"]["canonical_fingerprint_matches_preflight"] is False
def test_subject_sql_rejects_untrusted_input() -> None:
try:
state.subject_readback_sql("c0000000'; delete from public.claims; --")
except ValueError as exc:
assert "subject_ref" in str(exc)
else:
raise AssertionError("unsafe subject ref was accepted")
class NoSshRunner:
def __init__(self) -> None:
self.calls = 0
def __call__(self, _command: list[str], _input_text: str, _timeout: int) -> state.CommandResult:
self.calls += 1
raise AssertionError("SSH runner must not be called after local fail-closed rejection")
def test_write_capable_manifest_override_is_rejected_before_ssh(tmp_path: Path) -> None:
packet = write_packet(tmp_path)
malicious = tmp_path / "write.sql"
malicious.write_text(
"\\set ON_ERROR_STOP on\nbegin;\nupdate public.claims set status = 'live';\ncommit;\n",
encoding="utf-8",
)
args = args_for(packet, tmp_path)
args.manifest_sql = malicious
runner = NoSshRunner()
result = state.collect_state(args, runner=runner)
assert result["status"] == "fail"
assert result["packet_checks"]["manifest_override_absent_or_exact_canonical_path"] is False
assert result["remote"]["readback_attempts"] == {}
assert runner.calls == 0
assert state._manifest_sql_is_statically_read_only(malicious.read_text(encoding="utf-8")) is False
def test_manifest_hash_mismatch_is_rejected_before_ssh(tmp_path: Path) -> None:
packet_path = write_packet(tmp_path)
packet = json.loads(packet_path.read_text(encoding="utf-8"))
packet["manifest_binding"]["sha256"] = "0" * 64
packet_path.write_text(json.dumps(packet), encoding="utf-8")
runner = NoSshRunner()
result = state.collect_state(args_for(packet_path, tmp_path), runner=runner)
assert result["status"] == "fail"
assert result["packet_checks"]["manifest_packet_sha256_matches_canonical_file"] is False
assert result["remote"]["readback_attempts"] == {}
assert runner.calls == 0
def test_cli_removes_arbitrary_manifest_override() -> None:
with pytest.raises(SystemExit):
state.parse_args(["--manifest-sql", "write.sql"])
def test_fingerprint_command_enforces_read_only_session_role_and_disables_psql_rc() -> None:
command = state.fingerprint_readback_command()
assert "default_transaction_read_only=on" in command
assert "-c transaction_read_only=on" in command
assert f"role={packet_builder.READ_ONLY_DB_ROLE}" in command
assert "psql -X" in command

View file

@ -0,0 +1,766 @@
from __future__ import annotations
import copy
import hashlib
import json
import struct
import zlib
from pathlib import Path
import pytest
from scripts import build_telegram_visible_unseen_chain_packet as packet_builder
from scripts import collect_telegram_visible_unseen_chain_state as state_collector
from scripts import verify_telegram_visible_unseen_chain as verifier
SUBJECT_ID = "c0000000-0000-4000-8000-000000000001"
CHALLENGE_NONCE = "a" * 64
TURN_CAPTURE_CALL_IDS = ["call_chrome_turn_1", "call_chrome_turn_2", "call_chrome_turn_3"]
FINAL_CAPTURE_CALL_ID = "call_chrome_final"
def packet_and_path(tmp_path: Path) -> tuple[dict, Path]:
packet = packet_builder.build_packet(
handler_receipt_path=packet_builder.DEFAULT_HANDLER_RECEIPT.resolve(),
git_sha="a" * 40,
)
path = tmp_path / "packet.json"
packet_builder.write_json(path, packet)
return packet, path
def _finish_state_token(value: dict) -> dict:
value["state_token_sha256"] = state_collector.derive_state_token(value)
return value
def preflight(packet: dict, packet_path: Path) -> dict:
return _finish_state_token(
{
"schema": state_collector.SCHEMA,
"generated_at_utc": "2026-07-14T23:59:00+00:00",
"phase": "preflight",
"status": "pass",
"protocol_sha256": packet["protocol_sha256"],
"packet_file_sha256": verifier._sha256_file(packet_path),
"manifest_binding": packet["manifest_binding"],
"capture_challenge_nonce": CHALLENGE_NONCE,
"baseline_state_token_sha256": "",
"subject_ref": "",
"packet_checks": {"fixture_packet_checks_pass": True},
"remote_checks": {"fixture_remote_checks_pass": True},
"baseline_checks": {},
"remote": {
"deploy_head": "d" * 40,
"last_deploy_sha": "d" * 40,
"fingerprint_after": {"fingerprint_sha256": "f" * 64},
"service_after": {
"MainPID": "123",
"NRestarts": "0",
"ExecMainStartTimestamp": "Wed 2026-07-15 00:00:00 UTC",
},
"subject_readback": None,
},
}
)
def postflight(packet: dict, packet_path: Path, before: dict) -> dict:
return _finish_state_token(
{
"schema": state_collector.SCHEMA,
"generated_at_utc": "2026-07-15T00:04:00Z",
"phase": "postflight",
"status": "pass",
"protocol_sha256": packet["protocol_sha256"],
"packet_file_sha256": verifier._sha256_file(packet_path),
"manifest_binding": packet["manifest_binding"],
"capture_challenge_nonce": CHALLENGE_NONCE,
"baseline_state_token_sha256": before["state_token_sha256"],
"subject_ref": "c0000000",
"packet_checks": {"fixture_packet_checks_pass": True},
"remote_checks": {"fixture_remote_checks_pass": True},
"baseline_checks": {"fixture_baseline_checks_pass": True},
"remote": {
"deploy_head": "d" * 40,
"last_deploy_sha": "d" * 40,
"fingerprint_after": {"fingerprint_sha256": "f" * 64},
"service_after": {
"MainPID": "123",
"NRestarts": "0",
"ExecMainStartTimestamp": "Wed 2026-07-15 00:00:00 UTC",
},
"subject_readback": {
"subject_ref": "c0000000",
"matches": [
{
"table": "public.beliefs",
"row": {"id": SUBJECT_ID, "statement": "Coordination is the bottleneck."},
}
],
},
},
}
)
def write_png(path: Path, rgba: tuple[int, int, int, int]) -> None:
width = verifier.MIN_SCREENSHOT_WIDTH
height = verifier.MIN_SCREENSHOT_HEIGHT
scanline = b"\x00" + bytes(rgba) * width
pixels = scanline * height
def chunk(kind: bytes, payload: bytes) -> bytes:
return (
struct.pack(">I", len(payload))
+ kind
+ payload
+ struct.pack(">I", zlib.crc32(kind + payload) & 0xFFFFFFFF)
)
ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
path.write_bytes(
b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(pixels)) + chunk(b"IEND", b"")
)
def _artifact_hashes(capture: dict) -> dict:
source = capture["capture_source"]
return {
"final_screenshot": verifier._sha256_file(Path(source["final_screenshot"])),
"final_accessibility": verifier._sha256_file(Path(source["final_accessibility"])),
"turn_screenshots": [verifier._sha256_file(Path(item["turn_screenshot"])) for item in capture["messages"]],
"turn_accessibility": [verifier._sha256_file(Path(item["turn_accessibility"])) for item in capture["messages"]],
}
def authorization_event(packet: dict, capture: dict) -> dict:
return {
"timestamp": capture["operator_authorization_captured_at_utc"],
"type": "response_item",
"payload": {
"type": "message",
"role": "user",
"content": [{"type": "input_text", "text": capture["operator_authorization_text"]}],
"internal_chat_message_metadata_passthrough": {"turn_id": "user-message-20260715-authorization"},
},
}
def write_browser_provenance(packet: dict, capture: dict, path: Path) -> str:
source = capture["capture_source"]
auth_event = authorization_event(packet, capture)
auth_event_sha256 = hashlib.sha256(
json.dumps(auth_event, sort_keys=True, separators=(",", ":")).encode("utf-8")
).hexdigest()
final_call_id = TURN_CAPTURE_CALL_IDS[2] if source["final_capture_reuses_turn_3"] else FINAL_CAPTURE_CALL_ID
provenance = {
"schema": verifier.BROWSER_PROVENANCE_SCHEMA,
"status": "pass",
"capture_channel": "codex_chrome_extension",
"capture_challenge_nonce": CHALLENGE_NONCE,
"protocol_sha256": packet["protocol_sha256"],
"turn_capture_call_ids": TURN_CAPTURE_CALL_IDS,
"final_capture_call_id": final_call_id,
"browser": {
"browser_type": "extension",
"browser_id": "chrome-backend-20260715",
"session_id": "chrome-session-20260715",
"tab_id": "telegram-tab-20260715",
"provider_capture_id": "chrome-capture-20260715",
"page_url": "https://web.telegram.org/k/#-5146042086",
"page_title": "Leo - Telegram",
"captured_at_utc": source["captured_at_utc"],
},
"authorization": {
"source": "codex_platform_user_message",
"thread_id": packet["operator_context"]["codex_thread_id"],
"user_message_id": "user-message-20260715-authorization",
"source_receipt_id": auth_event_sha256,
"text_sha256": hashlib.sha256(capture["operator_authorization_text"].encode("utf-8")).hexdigest(),
"captured_at_utc": capture["operator_authorization_captured_at_utc"],
},
"telegram": {
"chat_label": "Leo",
"chat_id": "-5146042086",
"message_ids": [item["telegram_message_id"] for item in capture["messages"]],
"reply_ids": [item["reply_message_id"] for item in capture["messages"]],
},
"artifacts": _artifact_hashes(capture),
"checks": {
"authenticated_chrome_extension_session": True,
"telegram_web_origin_observed": True,
"chat_identity_observed_in_browser": True,
"message_ids_observed_in_browser": True,
"accessibility_captured_from_browser": True,
"screenshots_captured_from_browser": True,
"authorization_read_from_codex_user_message": True,
},
}
path.write_text(json.dumps(provenance, indent=2, sort_keys=True) + "\n", encoding="utf-8")
return verifier._sha256_file(path)
def write_codex_rollout(packet: dict, capture: dict, tmp_path: Path, provenance_sha256: str) -> Path:
provenance_path = Path(capture["capture_source"]["browser_provenance"])
provenance = json.loads(provenance_path.read_text(encoding="utf-8"))
browser = provenance["browser"]
artifacts = provenance["artifacts"]
thread_id = packet["operator_context"]["codex_thread_id"]
sessions_root = tmp_path.parent / f"{tmp_path.name}-codex-sessions"
rollout_dir = sessions_root / "2026" / "07" / "15"
rollout_dir.mkdir(parents=True, exist_ok=True)
rollout_path = rollout_dir / f"rollout-2026-07-15T00-00-00-{thread_id}.jsonl"
events = [
{
"timestamp": "2026-07-14T23:58:00Z",
"type": "session_meta",
"payload": {"id": thread_id},
},
authorization_event(packet, capture),
]
def chrome_event(call_id: str, timestamp: str, values: list[str]) -> dict:
return {
"timestamp": timestamp,
"type": "event_msg",
"payload": {
"type": "mcp_tool_call_end",
"call_id": call_id,
"invocation": {
"server": "node_repl",
"tool": "js",
"arguments": {
"code": (
"await tab.screenshot({fullPage:false}); "
"await tab.playwright.domSnapshot(); await tab.url(); await tab.title();"
)
},
},
"result": {
"Ok": {
"content": [{"type": "text", "text": json.dumps(values)}],
"isError": False,
"_meta": {
"codex/toolSurface": {
"backend": "chrome",
"browserId": browser["browser_id"],
"kind": "browserUse",
"openTabIds": [browser["tab_id"]],
}
},
}
},
},
}
turn_timestamps = ["2026-07-15T00:01:30Z", "2026-07-15T00:02:30Z", "2026-07-15T00:03:30Z"]
for index, (call_id, timestamp, message) in enumerate(
zip(TURN_CAPTURE_CALL_IDS, turn_timestamps, capture["messages"], strict=True)
):
values = [
artifacts["turn_screenshots"][index],
artifacts["turn_accessibility"][index],
message["telegram_message_id"],
message["reply_message_id"],
browser["page_url"],
browser["page_title"],
packet["target"]["chat_id"],
]
if provenance["final_capture_call_id"] == call_id:
values.extend(
[
artifacts["final_screenshot"],
artifacts["final_accessibility"],
provenance_sha256,
*[item["telegram_message_id"] for item in capture["messages"]],
*[item["reply_message_id"] for item in capture["messages"]],
]
)
timestamp = capture["capture_source"]["captured_at_utc"]
events.append(chrome_event(call_id, timestamp, values))
if provenance["final_capture_call_id"] == FINAL_CAPTURE_CALL_ID:
events.append(
chrome_event(
FINAL_CAPTURE_CALL_ID,
capture["capture_source"]["captured_at_utc"],
[
artifacts["final_screenshot"],
artifacts["final_accessibility"],
provenance_sha256,
*[item["telegram_message_id"] for item in capture["messages"]],
*[item["reply_message_id"] for item in capture["messages"]],
],
)
)
rollout_path.write_text(
"".join(json.dumps(event, sort_keys=True) + "\n" for event in events),
encoding="utf-8",
)
return rollout_path
def refresh_provenance_and_rollout(packet: dict, capture: dict, tmp_path: Path) -> Path:
provenance_path = Path(capture["capture_source"]["browser_provenance"])
provenance_sha256 = write_browser_provenance(packet, capture, provenance_path)
return write_codex_rollout(packet, capture, tmp_path, provenance_sha256)
def good_capture(packet: dict, tmp_path: Path) -> tuple[dict, Path]:
screenshot = tmp_path / "final.png"
accessibility = tmp_path / "final.txt"
write_png(screenshot, (10, 20, 30, 255))
accessibility.write_text("telegram final accessibility proof", encoding="utf-8")
replies = [
(
"The database public.beliefs object c0000000 is an axiom with confidence 0.85. What supports it in "
"the DB: nothing supports it; there are zero evidence rows and no external primary source."
),
(
"Claim c0000000 is still the coordination bottleneck belief. Assumption versus observed support: the "
"priority leap is assumed and the evidence is absent. Falsifier: a contrary case. Proposal A and "
"Proposal B are staged only for review; nothing applied and neither is live knowledge."
),
(
"Revised proposal: separate the mechanism from the business outcome. What would resolve the "
"disagreement: a randomized study and its primary source dataset. Keep it pending_review for human "
"review; approved is not apply and applied_at remains null. This is not an apply."
),
]
colors = [(40, 50, 60, 255), (70, 80, 90, 255), (100, 110, 120, 255)]
messages = []
for item, reply, color in zip(packet["exact_messages"], replies, colors, strict=True):
sequence = item["sequence"]
turn_screenshot = tmp_path / f"turn-{sequence}.png"
turn_accessibility = tmp_path / f"turn-{sequence}.txt"
write_png(turn_screenshot, color)
turn_accessibility.write_text(
f"Telegram message: {item['message']}\nLeo reply: {reply}\n",
encoding="utf-8",
)
messages.append(
{
"sequence": sequence,
"prompt_id": item["prompt_id"],
"sent_text": item["message"],
"reply": reply,
"sent_at_utc": f"2026-07-15T00:0{sequence}:00Z",
"reply_at_utc": f"2026-07-15T00:0{sequence}:20Z",
"telegram_message_id": f"sent-{sequence}",
"reply_message_id": f"reply-{sequence}",
"turn_screenshot": str(turn_screenshot),
"turn_accessibility": str(turn_accessibility),
}
)
provenance_path = tmp_path / "browser-provenance.json"
capture = {
"schema": verifier.CAPTURE_SCHEMA,
"protocol_sha256": packet["protocol_sha256"],
"preflight_state_token_sha256": "",
"operator_authorization_text": packet["explicit_operator_authorization_text"],
"operator_authorization_captured_at_utc": "2026-07-15T00:00:00Z",
"extra_messages_sent": 0,
"capture_source": {
"platform": "telegram",
"transport": "authenticated_chrome_telegram_ui",
"chat_label": "Leo",
"chat_id": "-5146042086",
"captured_at_utc": "2026-07-15T00:03:40Z",
"captured_by": "codex_chrome_extension",
"final_screenshot": str(screenshot),
"final_accessibility": str(accessibility),
"browser_provenance": str(provenance_path),
"final_capture_reuses_turn_3": False,
"final_capture_reuse_reason": "",
},
"messages": messages,
}
rollout_path = refresh_provenance_and_rollout(packet, capture, tmp_path)
return capture, rollout_path
def verified_fixture(tmp_path: Path) -> tuple[dict, Path, dict, dict, dict, Path]:
packet, packet_path = packet_and_path(tmp_path)
before = preflight(packet, packet_path)
after = postflight(packet, packet_path, before)
capture, rollout = good_capture(packet, tmp_path)
capture["preflight_state_token_sha256"] = before["state_token_sha256"]
return packet, packet_path, before, after, capture, rollout
def run_verifier(
packet: dict,
packet_path: Path,
before: dict,
after: dict,
capture: dict,
rollout_log: Path | None,
tmp_path: Path,
) -> dict:
return verifier.verify_capture(
packet,
before,
capture,
after,
packet_path=packet_path,
evidence_root=tmp_path,
codex_rollout_log=rollout_log,
codex_sessions_root=(
rollout_log.parents[3] if rollout_log is not None else tmp_path.parent / f"{tmp_path.name}-codex-sessions"
),
)
def test_no_capture_returns_awaiting_authorization_template(tmp_path: Path) -> None:
packet, packet_path = packet_and_path(tmp_path)
before = preflight(packet, packet_path)
receipt = verifier.verify_capture(
packet,
before,
None,
None,
packet_path=packet_path,
evidence_root=tmp_path,
)
assert receipt["status"] == "awaiting_action_time_authorization"
assert receipt["preparation_ready"] is True
assert receipt["receipt_ready"] is False
assert receipt["current_tier"] == verifier.PREPARATION_TIER
assert receipt["telegram_visible_messages_sent"] is False
assert receipt["live_receipt_boundary"]["accepted_by_this_api"] is False
assert receipt["live_receipt_boundary"]["verified"] is False
assert receipt["capture_template"]["schema"] == verifier.CAPTURE_SCHEMA
assert receipt["capture_template"]["messages"][0]["prompt_id"] == "OOS-CHAIN-01"
def test_public_verifier_keeps_fully_well_formed_all_local_forgery_preparation_only(
tmp_path: Path,
monkeypatch: pytest.MonkeyPatch,
) -> None:
_packet, packet_path, before, after, capture, rollout = verified_fixture(tmp_path)
preflight_path = tmp_path / "preflight.json"
capture_path = tmp_path / "capture.json"
postflight_path = tmp_path / "postflight.json"
out_path = tmp_path / "receipt.json"
markdown_path = tmp_path / "receipt.md"
verifier.write_json(preflight_path, before)
verifier.write_json(capture_path, capture)
verifier.write_json(postflight_path, after)
monkeypatch.setattr(verifier, "DEFAULT_CODEX_SESSIONS_ROOT", rollout.parents[3])
exit_code = verifier.main(
[
"--packet",
str(packet_path),
"--preflight",
str(preflight_path),
"--capture-json",
str(capture_path),
"--postflight",
str(postflight_path),
"--evidence-root",
str(tmp_path),
"--codex-rollout-log",
str(rollout),
"--out",
str(out_path),
"--markdown-out",
str(markdown_path),
]
)
receipt = json.loads(out_path.read_text(encoding="utf-8"))
assert exit_code == 0
assert receipt["status"] == verifier.PREPARATION_STATUS
assert receipt["verification_scope"] == "caller_writable_preparation_structure"
assert receipt["preparation_ready"] is True
assert receipt["receipt_ready"] is False
assert receipt["current_tier"] == verifier.PREPARATION_TIER
assert receipt["telegram_visible_messages_sent"] is False
assert receipt["live_receipt_boundary"] == {
"accepted_by_this_api": False,
"authority": "independently_authenticated_platform_browser_receipt",
"local_inputs_are": "caller_writable_preparation_evidence",
"required": True,
"verified": False,
}
assert all(receipt["checks"].values())
assert all(receipt["preparation_outcomes"].values())
assert receipt["selected_subject"]["row_id"] == SUBJECT_ID
assert "T3_live_readonly" not in receipt["current_tier"]
assert "caller-writable preparation evidence only" in markdown_path.read_text(encoding="utf-8")
def test_self_declared_browser_provenance_without_codex_rollout_cannot_pass_t3(
tmp_path: Path,
) -> None:
packet, packet_path, before, after, capture, _rollout = verified_fixture(tmp_path)
receipt = run_verifier(packet, packet_path, before, after, capture, None, tmp_path)
assert receipt["status"] == "fail"
assert receipt["telegram_visible_messages_sent"] is False
assert receipt["checks"]["codex_rollout_log_has_expected_local_sessions_shape"] is False
assert receipt["checks"]["codex_rollout_capture_events_are_chrome_backend"] is False
def test_non_chrome_rollout_capture_events_are_rejected(tmp_path: Path) -> None:
packet, packet_path, before, after, capture, rollout = verified_fixture(tmp_path)
events = [json.loads(line) for line in rollout.read_text(encoding="utf-8").splitlines()]
for event in events:
payload = event.get("payload") or {}
if payload.get("type") == "mcp_tool_call_end":
payload["result"]["Ok"]["_meta"]["codex/toolSurface"]["backend"] = "computerUse"
rollout.write_text(
"".join(json.dumps(event, sort_keys=True) + "\n" for event in events),
encoding="utf-8",
)
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == "fail"
assert receipt["checks"]["codex_rollout_capture_events_are_chrome_backend"] is False
def test_bot_api_capture_is_rejected(tmp_path: Path) -> None:
packet, packet_path, before, after, capture, rollout = verified_fixture(tmp_path)
capture["capture_source"]["transport"] = "telegram_bot_api"
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == "fail"
assert receipt["checks"]["authenticated_chrome_transport_declared"] is False
assert receipt["checks"]["bot_api_not_substituted"] is False
def test_postflight_fingerprint_drift_is_rejected(tmp_path: Path) -> None:
packet, packet_path, before, after, capture, rollout = verified_fixture(tmp_path)
after["remote"]["fingerprint_after"]["fingerprint_sha256"] = "0" * 64
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == "fail"
assert receipt["checks"]["postflight_state_token_derivation_valid"] is False
assert receipt["checks"]["canonical_fingerprint_unchanged_from_preflight"] is False
def test_message_text_drift_is_rejected(tmp_path: Path) -> None:
packet, packet_path, before, after, capture, rollout = verified_fixture(tmp_path)
capture["messages"][1]["sent_text"] += " extra"
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == "fail"
assert receipt["checks"]["sent_text_exact"] is False
def test_sent_and_reply_message_id_reuse_is_rejected(tmp_path: Path) -> None:
packet, packet_path, before, after, capture, _rollout = verified_fixture(tmp_path)
capture["messages"][0]["reply_message_id"] = capture["messages"][0]["telegram_message_id"]
rollout = refresh_provenance_and_rollout(packet, capture, tmp_path)
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == "fail"
assert receipt["checks"]["message_and_reply_ids_present_unique"] is False
def test_copied_reply_not_present_in_accessibility_is_rejected(tmp_path: Path) -> None:
packet, packet_path, before, after, capture, rollout = verified_fixture(tmp_path)
capture["messages"][0]["reply"] += " copied-only suffix"
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == "fail"
assert receipt["checks"]["turn_accessibility_binds_exact_messages_and_replies"] is False
def test_all_prompts_sent_before_replies_is_rejected(tmp_path: Path) -> None:
packet, packet_path, before, after, capture, rollout = verified_fixture(tmp_path)
capture["messages"][0]["reply_at_utc"] = "2026-07-15T00:02:30Z"
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == "fail"
assert receipt["checks"]["strict_send_reply_turn_order"] is False
def test_after_the_fact_authorization_is_rejected(tmp_path: Path) -> None:
packet, packet_path, before, after, capture, _rollout = verified_fixture(tmp_path)
capture["operator_authorization_captured_at_utc"] = "2026-07-15T00:01:10Z"
rollout = refresh_provenance_and_rollout(packet, capture, tmp_path)
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == "fail"
assert receipt["checks"]["captured_authorization_before_first_send"] is False
@pytest.mark.parametrize("timestamp", ["2026-07-15T00:01:00", "not-a-timestamp"])
def test_naive_or_malformed_timestamps_are_rejected(tmp_path: Path, timestamp: str) -> None:
packet, packet_path, before, after, capture, rollout = verified_fixture(tmp_path)
capture["messages"][0]["sent_at_utc"] = timestamp
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == "fail"
assert receipt["checks"]["timestamps_valid_and_timezone_aware"] is False
def test_reused_per_turn_evidence_is_rejected(tmp_path: Path) -> None:
packet, packet_path, before, after, capture, _rollout = verified_fixture(tmp_path)
capture["messages"][1]["turn_screenshot"] = capture["messages"][0]["turn_screenshot"]
capture["messages"][1]["turn_accessibility"] = capture["messages"][0]["turn_accessibility"]
rollout = refresh_provenance_and_rollout(packet, capture, tmp_path)
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == "fail"
assert receipt["checks"]["per_turn_screenshot_hashes_distinct_nonempty"] is False
assert receipt["checks"]["per_turn_accessibility_hashes_distinct_nonempty"] is False
def test_final_capture_may_reuse_turn_three_when_documented(tmp_path: Path) -> None:
packet, packet_path, before, after, capture, _rollout = verified_fixture(tmp_path)
capture["capture_source"]["final_screenshot"] = capture["messages"][2]["turn_screenshot"]
capture["capture_source"]["final_accessibility"] = capture["messages"][2]["turn_accessibility"]
capture["capture_source"]["final_capture_reuses_turn_3"] = True
capture["capture_source"]["final_capture_reuse_reason"] = (
"The final Chrome capture is the retained third-turn response state."
)
rollout = refresh_provenance_and_rollout(packet, capture, tmp_path)
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == verifier.PREPARATION_STATUS
assert receipt["preparation_ready"] is True
assert receipt["receipt_ready"] is False
assert receipt["telegram_visible_messages_sent"] is False
assert receipt["checks"]["final_capture_reuse_policy_satisfied"] is True
def test_undocumented_final_turn_three_reuse_is_rejected(tmp_path: Path) -> None:
packet, packet_path, before, after, capture, _rollout = verified_fixture(tmp_path)
capture["capture_source"]["final_screenshot"] = capture["messages"][2]["turn_screenshot"]
rollout = refresh_provenance_and_rollout(packet, capture, tmp_path)
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == "fail"
assert receipt["checks"]["final_capture_reuse_policy_satisfied"] is False
def test_evidence_path_escape_is_rejected(tmp_path: Path) -> None:
packet, packet_path, before, after, capture, rollout = verified_fixture(tmp_path)
outside = tmp_path.parent / "outside-turn.png"
write_png(outside, (1, 2, 3, 255))
capture["messages"][0]["turn_screenshot"] = str(outside)
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == "fail"
assert receipt["checks"]["all_evidence_paths_contained_in_root"] is False
def test_non_png_screenshot_is_rejected(tmp_path: Path) -> None:
packet, packet_path, before, after, capture, _rollout = verified_fixture(tmp_path)
Path(capture["messages"][0]["turn_screenshot"]).write_bytes(b"not a png")
rollout = refresh_provenance_and_rollout(packet, capture, tmp_path)
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == "fail"
assert receipt["checks"]["screenshots_are_valid_png_with_metadata"] is False
def test_malformed_local_bundle_without_supported_state_or_rollout_structure_fails(
tmp_path: Path,
) -> None:
packet, packet_path = packet_and_path(tmp_path)
before = {
"phase": "preflight",
"status": "pass",
"generated_at_utc": "2026-07-14T23:59:00Z",
"protocol_sha256": packet["protocol_sha256"],
"packet_file_sha256": verifier._sha256_file(packet_path),
"state_token_sha256": "1" * 64,
"remote": {"fingerprint_after": {"fingerprint_sha256": "f" * 64}, "service_after": {}},
}
after = {
"phase": "postflight",
"status": "pass",
"generated_at_utc": "2026-07-15T00:04:00Z",
"protocol_sha256": packet["protocol_sha256"],
"state_token_sha256": "2" * 64,
"subject_ref": "c0000000",
"remote": {
"fingerprint_after": {"fingerprint_sha256": "f" * 64},
"service_after": {},
"subject_readback": {"subject_ref": "c0000000", "matches": []},
},
}
fake_png = tmp_path / "fake.png"
fake_text = tmp_path / "fake.txt"
fake_png.write_bytes(b"arbitrary non-PNG bytes")
fake_text.write_text("copied prompts and replies", encoding="utf-8")
capture = {
"protocol_sha256": packet["protocol_sha256"],
"preflight_state_token_sha256": "1" * 64,
"operator_authorization_text": packet["explicit_operator_authorization_text"],
"operator_authorization_captured_at_utc": "2026-07-15T00:00:00Z",
"extra_messages_sent": 0,
"capture_source": {
"platform": "telegram",
"transport": "authenticated_chrome_telegram_ui",
"chat_label": "Leo",
"chat_id": "-5146042086",
"captured_at_utc": "2026-07-15T00:03:40Z",
"captured_by": "fabricated",
"final_screenshot": str(fake_png),
"final_accessibility": str(fake_text),
"browser_provenance": "",
"final_capture_reuses_turn_3": False,
"final_capture_reuse_reason": "",
},
"messages": [
{
"sequence": item["sequence"],
"prompt_id": item["prompt_id"],
"sent_text": item["message"],
"reply": f"fabricated reply {item['sequence']}",
"sent_at_utc": f"2026-07-15T00:0{item['sequence']}:00Z",
"reply_at_utc": f"2026-07-15T00:0{item['sequence']}:20Z",
"telegram_message_id": f"sent-{item['sequence']}",
"reply_message_id": f"reply-{item['sequence']}",
"turn_screenshot": str(fake_png),
"turn_accessibility": str(fake_text),
}
for item in packet["exact_messages"]
],
}
receipt = run_verifier(packet, packet_path, before, after, capture, None, tmp_path)
assert receipt["status"] == "fail"
assert receipt["current_tier"] != "T3_live_readonly"
assert receipt["telegram_visible_messages_sent"] is False
assert receipt["checks"]["capture_schema_supported"] is False
assert receipt["checks"]["preflight_schema_supported"] is False
assert receipt["checks"]["preflight_state_token_derivation_valid"] is False
assert receipt["checks"]["codex_rollout_log_has_expected_local_sessions_shape"] is False
assert receipt["checks"]["codex_rollout_has_exact_single_authorization_event"] is False
assert receipt["checks"]["screenshots_are_valid_png_with_metadata"] is False
assert receipt["checks"]["per_turn_screenshot_hashes_distinct_nonempty"] is False
def test_state_token_tampering_is_rejected(tmp_path: Path) -> None:
packet, packet_path, before, after, capture, rollout = verified_fixture(tmp_path)
before = copy.deepcopy(before)
before["generated_at_utc"] = "2026-07-14T23:58:00Z"
receipt = run_verifier(packet, packet_path, before, after, capture, rollout, tmp_path)
assert receipt["status"] == "fail"
assert receipt["checks"]["preflight_state_token_derivation_valid"] is False