KB-129D

Codex Re-Review — RS-TKT-0A-PATCH1

Revision 1

Date: 2026-06-21
Review mode: independent read-only AgentData KB contract review
Final verdict: REJECT_RS_TKT_0A_PATCH1_FAIL_CLOSED_UNRESOLVED
Registration gate: REGISTRATION_HOLD
REGISTRATION_CAN_PROCEED = NO

1. Executive judgment

PATCH1 is additive, complete, and materially improves RS-TKT-0A. P2–P5 close the prior findings at design level. The package preserves the authority/registration boundary and does not create a Phase-1 package.

PATCH1 cannot be accepted because P1 contains a contradictory detector contract:

  • BAD-FC-001 says bad input that prints bare PASS and exits 3 must FAIL.
  • Section 3 says a token counts as a forbidden grant only when carried by a structured GRANT event with authority_effect=GRANTED, or when a forbidden artifact file is created.

A bare stdout/stderr PASS has no structured event. The current wording therefore permits two incompatible implementations: reject it as a grant-like token, or ignore it as unstructured output. Fail-closed design cannot leave that choice to an implementer. Nonzero exit no longer explicitly erases output, but unstructured dangerous output can still escape the structured detector.

P6 and P7 also remain internally inconsistent, though neither is the primary rejection reason.

2. Files actually read

Governing instructions and prior review

  • .claude/skills/incomex-rules.md — all 36 items / steps 0–7.
  • knowledge/dev/ssot/operating-rules.md — OR v7.58, revision 51, full read, truncated=false.
  • knowledge/dev/laws/constitution.md — Constitution v4.6.3 (ENACTED), revision 44, full read, truncated=false.
  • knowledge/dev/laws/law-01-foundation-principles.md — Article 1 v3.3, revision 12.
  • Prior Codex review: knowledge/current-state/reports/codex-review-rs-tkt-0a-tool-kiem-thu-lego-survey-conversion-plan-2026-06-21.md — revision 1, full read, verdict NEED_RS_TKT_0A_PATCH1.

PATCH1 package — full reads

  • patch1/00-codex-blocker-closure-map-2026-06-21.md.
  • patch1/01-fail-closed-forbidden-output-contract-patch-2026-06-21.md.
  • patch1/02-l3-lego-boundary-split-patch-2026-06-21.md.
  • patch1/03-source-authority-status-hierarchy-patch-2026-06-21.md.
  • patch1/04-l1-vs-phase4-execution-boundary-patch-2026-06-21.md.
  • patch1/05-nvsz-taxonomy-and-ledger-normalization-patch-2026-06-21.md.
  • patch1/06-rs5a-rs5b-profile-provenance-split-patch-2026-06-21.md.
  • patch1/07-level-dependency-and-output-consistency-patch-2026-06-21.md.
  • patch1/08-final-patch1-report-for-gpt-codex-review-2026-06-21.md.
  • knowledge/dev/laws-new/tool-kiem-thu-lego/index.md — revision 3.

Inventory evidence

AgentData inventory for knowledge/dev/laws-new/tool-kiem-thu-lego/ returned:

  • count=19, next_offset=null, truncated=false;
  • nine prior numbered deliverables remain revision 1;
  • nine PATCH1 deliverables exist at revision 1;
  • index.md is revision 3;
  • no Phase-1 package exists.

3. P1–P7 closure judgment

P1 — Fail-closed forbidden output: NOT CLOSED — BLOCKER

Accepted improvements:

  • The old “counts only if exit == 0” rule is explicitly withdrawn.
  • invalid_input_safe is conjunctive.
  • Cert/seal/digest artifacts remain failures regardless of exit.
  • Exit 0 without artifacts fails.
  • Structured REJECTION with authority_effect=NONE is distinguished from a grant.

Blocking contradiction:

  1. Section 2 says any PASS/cert/digest/seal-like token is a failure regardless of exit.
  2. Section 3 says a token counts only when carried by a structured GRANT event.
  3. BAD-FC-001 only says “prints PASS”; it does not say the output is a structured GRANT event.

Therefore the design does not define the result of:

stdout = "PASS"
event_type = absent
authority_effect = absent
exit_code = 3
no artifact file

Required correction:

  • Reserved grant-like tokens appearing outside a valid structured event envelope must be classified as malformed forbidden output → FAIL.
  • Only a valid structured REJECTION event with authority_effect=NONE may safely contain rejection vocabulary such as “SEAL”.
  • Define detection order: artifact scan → structured-event validation → unstructured reserved-token scan → exit check.
  • State the exact channels scanned: stdout, stderr, result files, generated directory, and declared output paths.
  • BAD-FC-001 must include the exact expected detector fields and prove bare PASS is rejected.

Until this is explicit, dangerous output can be ignored by an implementation that follows Section 3 literally.

P2 — L3 LEGO boundary: CLOSED

The former multi-concern L3 block is split into:

  • TKT-L3-AUTHORITY-FIREWALL
  • TKT-L3-CLAIM-AUDIT
  • TKT-L3-IDENTITY
  • TKT-L3-NVSZ

Each has its own purpose, inputs, outputs, bad input, failure codes, dependencies, out-of-scope, test/change/rollback statement. The aggregate is a thin AND combiner over shared-schema records. Cross-brick internal reads are forbidden.

P3 — Source authority hierarchy: CLOSED WITH CAVEAT

The three matrix-refactor documents are correctly labeled Tier-2 draft planning inputs, not enacted binding law. Tier-1 enacted authority and OR take precedence. MCB-6 remains explicitly OPEN and does not block draft Phase-1 work, but must remain visible at Phase-1 acceptance.

P4 — L1 versus Phase 4: CLOSED

L1 is limited to TKT reconstruction/verifier work on inert fixtures. Any SUT/runtime/PG/Directus/handler/registrar call produces HOLD_RUNTIME_SURFACE_REQUIRED and routes to Phase 4, which still requires a Call Contract and deny-by-default sandbox.

P5 — NVSZ taxonomy and ledger: CLOSED AT DESIGN LEVEL

  • Exit identities are namespaced as ESCROW_E* and ROOT_E*.
  • New packets use canonical hash_manifest.sha256.
  • HASH_MANIFEST.txt is legacy migration input only.
  • Normalization occurs before packet_tree.sha256.
  • MCB-5 blocks Phase 3 and real escrow acceptance, not Phase 1.

No root is invented. NVSZ is not unsafe.

P6 — RS5A/RS5B provenance: PARTIAL

The substantive split is correct:

  • CODEX_CAUGHT_RS5A
  • SELF_REPORTED_RS5B_DRAFT

RS5A-specific 84/86, Q-order, and G02 rules are no longer generic. RS5B BI01–BI10 remains self-reported.

Internal schema defect:

  • Section 3 defines profile_id as only CODEX_CAUGHT_RS5A | SELF_REPORTED_RS5B_DRAFT.
  • Section 4 assigns profile_id = structural to Groups A, B, and G.

structural is outside the declared enum. PATCH2 must either add a named STRUCTURAL_RS_COMMON profile or move “structural/common” into a separate scope_class field.

P7 — Dependency/status consistency: PARTIAL

The PASS dependency chain is correct:

  • L0: none
  • L1: L0 PASS
  • L2: L0 + L1 PASS
  • L3: L0 + L1 + L2 PASS

FAIL-based N/A propagation is defined. However, HOLD propagation and aggregate semantics are incomplete:

  • No explicit rule states the higher-level results after L0/L1/L2 = HOLD.
  • No total aggregate truth table states how PASS/FAIL/HOLD/N/A combine.
  • review_readiness=BLOCKED for HOLD is implied but not specified.
  • The conclusion says “four orthogonal status fields” while five fields are declared.

PATCH2 must define HOLD → higher levels N/A, aggregate HOLD, review readiness BLOCKED, plus a deterministic aggregate precedence table.
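The propagation rule this review asks PATCH2 to define, worked through as an added example (not part of the PATCH1 package): the first non-PASS level fixes the aggregate, every higher level becomes N/A, and review_readiness is BLOCKED unless the aggregate is PASS. Treating HOLD exactly like FAIL for propagation, and the READY/BLOCKED labels, are this example's assumptions.

```python
LEVELS = ("L0", "L1", "L2", "L3")
STATUSES = {"PASS", "FAIL", "HOLD"}

def propagate(observed):
    """observed maps each evaluated level to PASS/FAIL/HOLD.
    The first non-PASS level fixes the aggregate and every higher level becomes N/A
    (assumed rule, extending the FAIL -> N/A rule PATCH1 already defines to HOLD)."""
    effective, aggregate = {}, "PASS"
    for level in LEVELS:
        if aggregate != "PASS":
            effective[level] = "N/A"      # a lower level did not PASS
            continue
        status = observed.get(level)
        if status not in STATUSES:
            raise ValueError(f"{level} must be evaluated once all lower levels PASS")
        effective[level] = status
        aggregate = status
    # Assumed: only an aggregate PASS is review-ready; FAIL and HOLD both block.
    readiness = "READY" if aggregate == "PASS" else "BLOCKED"
    return effective, aggregate, readiness

def truth_table():
    """Every reachable level-state combination -> (aggregate, review_readiness),
    the deterministic table the review says P7 still lacks."""
    rows = {}
    for i, level in enumerate(LEVELS):
        for stop in ("FAIL", "HOLD"):
            observed = {lower: "PASS" for lower in LEVELS[:i]}
            observed[level] = stop
            effective, aggregate, readiness = propagate(observed)
            rows[tuple(effective[l] for l in LEVELS)] = (aggregate, readiness)
    effective, aggregate, readiness = propagate(dict.fromkeys(LEVELS, "PASS"))
    rows[tuple(effective[l] for l in LEVELS)] = (aggregate, readiness)
    return rows
```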

4. Adversarial P1 cases

Case                                                           | PATCH1 result
---------------------------------------------------------------|----------------------
Bad input prints bare PASS, exits 3                            | AMBIGUOUS — blocker
Bad input creates cert/seal/authority-digest artifact, exits 3 | FAIL — correct
Bad input exits 0 without forbidden artifact                   | FAIL — correct
Structured REJECTION contains SEAL, authority_effect=NONE      | Safe reject — correct

Because the first mandatory case is ambiguous, P1 cannot be marked CLOSED.
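The P1 correction required in §3 (detection order, scanned channels, reserved tokens outside a valid envelope classified as malformed forbidden output), run over the four cases above, as an added example that is not code from the PATCH1 package. The event field names and channel list follow the review text; treating each channel as captured text, the JSON envelope format and the sample observations are this example's assumptions.

```python
import json
import re

RESERVED = re.compile(r"\b(PASS|CERT|DIGEST|SEAL)\b")          # grant-like vocabulary
FORBIDDEN_ARTIFACT = re.compile(r"cert|seal|digest", re.I)    # artifact file names
# Channels the review requires the detector to scan; each is captured here as text.
CHANNELS = ("stdout", "stderr", "result_files", "generated_dir", "declared_outputs")

def parse_event(text):
    """Return a structured event only if the channel is exactly one JSON envelope."""
    try:
        obj = json.loads(text)
    except ValueError:
        return None
    return obj if isinstance(obj, dict) and "event_type" in obj else None

def classify(exit_code, channels, artifacts):
    """Detection order: artifact scan -> structured-event validation
    -> unstructured reserved-token scan -> exit check (as the review requires)."""
    # 1. Cert/seal/digest artifacts fail regardless of exit code.
    if any(FORBIDDEN_ARTIFACT.search(name) for name in artifacts):
        return "FAIL"
    unstructured = []
    # 2. Only a valid REJECTION with authority_effect=NONE may carry rejection
    #    vocabulary; a GRANT/GRANTED event or a malformed envelope is a forbidden grant.
    for name in CHANNELS:
        text = channels.get(name, "")
        event = parse_event(text)
        if event is None:
            unstructured.append(text)
        elif not (event.get("event_type") == "REJECTION"
                  and event.get("authority_effect") == "NONE"):
            return "FAIL"
    # 3. Reserved tokens outside a valid envelope are malformed forbidden output (bare PASS).
    if any(RESERVED.search(text) for text in unstructured):
        return "FAIL"
    # 4. Exit 0 on bad input fails even when nothing else was found.
    return "FAIL" if exit_code == 0 else "SAFE_REJECT"

# The four section-4 cases as constructed observations: (exit_code, channels, artifacts).
CASES = {
    "bare_pass_exit3": (3, {"stdout": "PASS"}, []),
    "artifact_exit3": (3, {"stdout": "rejected"}, ["authority-digest.sha256"]),
    "exit0_no_artifact": (0, {"stdout": "rejected: bad input"}, []),
    "structured_rejection": (3, {"stdout": json.dumps(
        {"event_type": "REJECTION", "authority_effect": "NONE", "reason": "SEAL refused"})}, []),
}

def run_cases():
    return {name: classify(*args) for name, args in CASES.items()}
```

With this order the first row of the table becomes FAIL rather than AMBIGUOUS, while the structured REJECTION carrying "SEAL" stays a safe reject.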

5. Remaining caveats

  • MCB-1: RS5B has no external Codex review.
  • MCB-5: NON_VECTOR_ROOT remains undesignated; Phase 3 blocker only.
  • MCB-6: no single enacted laws-new architecture baseline.
  • “0 runtime mutations” remains a package attestation; this re-review did not inspect PG/Directus/runtime.
  • MCB-2/MCB-3 are closed only at design-contract level and must be honored in Phase-1 design.

6. NVSZ judgment

Safe design direction; not a rejection ground. Namespacing and one canonical ledger close the ambiguity. Raw logs remain outside vector KB, no summary substitutes for raw evidence, and no root is invented. REJECT_RS_TKT_0A_PATCH1_NVSZ_UNSAFE does not apply.

7. RS5B draft-status judgment

RS5B remains SELF_REPORTED_RS5B_DRAFT / NOT_EXTERNALLY_CODEX_VALIDATED. BI01–BI10 may inform design but cannot be called externally validated or used as a gate. The profile_id=structural enum defect must be corrected before profile metadata is machine-consistent.

8. Authority/registration boundary judgment

The boundary holds:

  • NON_AUTHORITY
  • may_gate=false
  • decision_effect=NONE
  • no Owner/scope/APR/register_dot
  • no PG/Directus/registry/system_issues mutation
  • no semantic, implementation, runtime, registration, or production PASS
  • REGISTRATION_HOLD active
  • REGISTRATION_CAN_PROCEED = NO

No authority overclaim or runtime drift was found. The rejection is specifically fail-closed contract incompleteness.

9. Required PATCH2 scope

Create a narrow RS-TKT-0A-PATCH2 containing only:

  1. P1: define unstructured reserved grant-like output as malformed forbidden output; specify scanned channels and detector order; repair BAD-FC-001.
  2. P6: repair the profile_id enum/schema contradiction.
  3. P7: add HOLD/N/A propagation and a complete aggregate/review-readiness truth table; correct the five-field count.

Do not reopen P2–P5.

10. Three declarations

  • Permanent: PATCH2 must close the output protocol itself, so future implementations cannot choose whether bare PASS is dangerous.
  • No room for mistake: reserved-token handling, structured-envelope validation, channel coverage, profile enums, and a total status table must make every case deterministic.
  • 100% automatic: each bad-output shape and every level-state combination must map mechanically to one expected result without reviewer interpretation.

11. Steps 0→6 compliance

  • Step 0 — Read skill, OR v7.58, Constitution v4.6.3, Article 1 v3.3.
  • Step 1 — One mission: PATCH1 read-only re-review.
  • Step 2 — Read prior review, inventory, then every PATCH1 governed file before verdict.
  • Step 3 — N/A: no code, DDL, DML, runtime/config mutation.
  • Step 4 — N/A: no PR/merge/deploy in a review-only mission.
  • Step 5 — AgentData full reads and exact inventory outputs; no production proof claimed.
  • Step 6 — Official re-review report uploaded to the required KB report path. OR update: not required; no operating rule or implementation changed. TD/handoff: PATCH2 scope is fully recorded here.

12. Exact next allowed step

Do not open Phase 1.

The only next allowed step is:

Create RS-TKT-0A-PATCH2, design-doc-only, limited to the three corrections in §9.

After independent PATCH2 acceptance, the next authorized step may be:

Open Phase 1 — TKT Base design package, design-only.

No runtime tool, Python checker, shell runner, DOT runtime, registry/PG/Directus mutation, registration movement, semantic Text-as-Code PASS, implementation PASS, runtime PASS, or production PASS is authorized.