KB-27A1

Codex Adversarial Review — RS-TKT-0A Tool-Kiem-Thu LEGO Survey & Conversion Plan

Revision 1

Date: 2026-06-21
Review mode: read-only AgentData KB review; no PG/Directus/runtime inspection or mutation
Final verdict: NEED_RS_TKT_0A_PATCH1
Registration gate: REGISTRATION_HOLD
REGISTRATION_CAN_PROCEED = NO

1. Executive judgment

RS-TKT-0A is substantially complete as a survey package and gets the major authority boundaries right. It created the required deliverables, located real governed sources, preserves TKT as a non-authority support checker, caps Base at L0–L3, defers L4–L6, avoids a TKT-specific registry/graph/birth pipeline, keeps raw logs out of vector KB, does not designate an NVSZ root, and keeps registration closed.

It is not yet safe to open Phase 1 because its central fail-closed contract contradicts the review macro. The package says a PASS/seal token counts as “emitted” only when the producer exits 0. Therefore an invalid input may print PASS/cert/digest/seal-like output or create such an artifact, exit nonzero, and still be classified as not having emitted it. The package self-check then incorrectly answers “NO” to the bad-output question. This is a design-level fail-open in the planned oracle, not a cosmetic caveat.

PATCH1 is required before Phase 1.

2. Files actually read

Governing baseline

  • .claude/skills/incomex-rules.md — all 36 items / steps 0–7.
  • knowledge/dev/ssot/operating-rules.md — OR v7.58, revision 51.
  • knowledge/dev/laws/constitution.md — Constitution v4.6.3 ENACTED (BAN HÀNH), revision 44.
  • knowledge/dev/laws/law-01-foundation-principles.md — Article 1 (Điều 1) v3.3.

RS-TKT-0A package

  • knowledge/dev/laws-new/tool-kiem-thu-lego/index.md — revision 2.
  • 00-survey-source-inventory-2026-06-21.md.
  • 01-old-tool-kiem-thu-reuse-gap-map-2026-06-21.md.
  • 02-laws-new-lego-requirements-for-tkt-2026-06-21.md.
  • 03-tkt-base-l0-l3-conversion-plan-2026-06-21.md.
  • 04-tkt-checker-block-catalog-draft-2026-06-21.md.
  • 05-nvsz-run-evidence-packet-assessment-2026-06-21.md.
  • 06-rs5a-rs5b-pre-codex-profile-draft-2026-06-21.md.
  • 07-conversion-roadmap-and-stop-states-2026-06-21.md.
  • 08-final-survey-report-for-gpt-codex-review-2026-06-21.md.

All nine numbered deliverables are revision 1, complete and untruncated on full AgentData read.

Source spot-checks

  • Old TKT prefix knowledge/dev/laws/tool-kiem-thu/: pagination returned 100 + 100 + 100 + 100 + 33 = 433 documents, next_offset=null.
  • Old base pack inventory under .../tkt-base-structural-evidence-governance-pack-2026-06-11/: 30 documents, next_offset=null.
  • Full reads:
    • checkers/fail_closed_probe_policy.md.
    • checkers/authority_firewall_policy.md.
    • checkers/nvsz_no_vector_evidence_policy.md.
    • knowledge/dev/laws/dieu38-trien-khai/P6-checker-dot-design-v0-2.md — OFFICIAL v0.2.
  • laws-new direction sources:
    • matrix-refactor-implementation-plan.md — explicitly DRAFT / not enacted.
    • matrix-refactor-quick-rules.md — explicitly DRAFT / not enacted.
    • matrix-stamp-governance-addendum.md — DRAFT / not enacted.
  • Direct inventories:
    • reports/codex/ = 41 documents.
    • reports/rs5a-patch3/ = 7.
    • reports/rs5a-patch4/ = 7.
    • reports/rs5b/ = 9.
  • Full Codex review reads:
    • RS5A original NEED_PATCH1.
    • RS5A-PATCH1 NEED_PATCH2.
    • RS5A-PATCH2 NEED_PATCH3.
    • RS5A-PATCH3 rejection for quorum precedence.
    • RS5A-PATCH4 acceptance with registration hold.
  • RS5B spot-checks:
    • 06-fail-closed-adversarial-self-check-and-bad-inputs-2026-06-21.md.
    • 07-rs5b-decision-packet-2026-06-21.md.

3. Acceptance points

  1. Required deliverables exist: index plus 00–08.
  2. The inventory is grounded in actual AgentData documents; the 433-document old-TKT count independently reconciles.
  3. The reuse map correctly concentrates value in the decoupled base pack and retires/defers the old DOT/FIX7/sandbox runtime machinery.
  4. TKT remains a support checker: NON_AUTHORITY, may_gate=false, decision_effect=NONE.
  5. Base scope is explicitly L0–L3; L4 IU traceability, L5 semantic Text-as-Code, and L6 release/bundle are deferred.
  6. No production/registration implementation is authorized by the package.
  7. No new TKT mega-registry, graph, birth pipeline, Owner, scope, APR, or register_dot is proposed.
  8. NVSZ correctly separates raw evidence from vector KB and does not invent NON_VECTOR_ROOT.
  9. The RS5A profile is traceable to actual Codex findings across the RS5A→PATCH4 chain.
  10. Engineering/design PASS is clearly separated from authority, implementation, runtime, registration, and production PASS.
  11. REGISTRATION_HOLD and REGISTRATION_CAN_PROCEED = NO are consistently preserved.

Runtime non-mutation is accepted only as a package attestation. This review did not independently inspect PG/Directus/runtime and therefore does not restate “0 mutations” as live Codex proof.

4. Required PATCH1 corrections

P1 — Fix the bad-output fail-open contract (BLOCKER)

Current rule in 04/08 and the reused old policy: a PASS/seal token counts as emitted only if exit == 0.

Required contract:

  • For invalid input, any forbidden PASS/cert/digest/seal-like token or artifact is a failure regardless of process exit.
  • Exit must also be nonzero; the two checks are conjunctive, not substitutes.
  • Detect structured output fields/event types and forbidden artifacts, not raw substring matches. Rejection text such as ORACLE_CLAIMS_SEAL_REJECTED must use a separate event namespace and cannot be mistaken for a granted seal.
  • Add explicit fields: any_cert_emitted_for_invalid, any_authority_digest_emitted_for_invalid, and artifact-file checks. Ordinary evidence hashes must be distinguished from cert/authority digests.
  • Add mandatory probes:
    1. bad input prints PASS then exits 3;
    2. bad input writes a cert/seal/digest artifact then exits 3;
    3. rejection marker contains the word “SEAL” but structured event type is rejection.
  • Update 08 self-check Q1/Q5/Q6; its current “NO fail-open” conclusion is unsupported.
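The P1 contract in runnable form, as an added example that is not part of the RS-TKT-0A package or the reused old policy: a structured oracle that judges a producer run on invalid input conjunctively (grant events, forbidden artifacts, exit code), beside the exit-0 rule it replaces, with the three mandatory probes as constructed runs. The event shape, the ProducerRun record and the artifact filenames are assumptions.

```python
from dataclasses import dataclass, field

# Structured event types a producer may emit. Grants and rejections live in
# separate namespaces, so a rejection marker can never read as a grant.
GRANT_TYPES = {"pass", "cert", "authority_digest", "seal"}
# Artifact names treated as cert/seal/authority digests (assumed names).
# Ordinary evidence hashes such as evidence.sha256 are deliberately absent.
FORBIDDEN_ARTIFACTS = {"cert.json", "seal.json", "authority_digest.txt"}


@dataclass
class ProducerRun:
    """One observed run of the producer on an invalid input (assumed shape)."""
    exit_code: int
    events: list                                   # [{"type": ..., "name": ...}]
    artifacts: set = field(default_factory=set)    # files the run wrote


def judge_invalid_input(run: ProducerRun) -> dict:
    """P1 verdict fields. Checks are conjunctive: any grant token or
    forbidden artifact fails the run regardless of exit code, and a zero
    exit fails it on its own."""
    types = {e.get("type") for e in run.events}
    verdict = {
        "pass_emitted_for_invalid": "pass" in types,
        "any_cert_emitted_for_invalid": bool(types & {"cert", "seal"}),
        "any_authority_digest_emitted_for_invalid": "authority_digest" in types,
        "forbidden_artifact_written": bool(run.artifacts & FORBIDDEN_ARTIFACTS),
        "exit_nonzero": run.exit_code != 0,
    }
    verdict["fail_closed"] = verdict["exit_nonzero"] and not any(
        verdict[k] for k in verdict if k != "exit_nonzero")
    return verdict


def old_rule_counts_as_emitted(run: ProducerRun) -> bool:
    """The contract PATCH1 replaces: a token 'counts' only when exit == 0,
    so a PASS printed before a nonzero exit is silently erased."""
    return run.exit_code == 0 and bool({e.get("type") for e in run.events} & GRANT_TYPES)


# The three mandatory P1 probes, as constructed runs.
PROBE_PASS_THEN_EXIT_3 = ProducerRun(3, [{"type": "pass", "name": "PASS"}])
PROBE_ARTIFACT_THEN_EXIT_3 = ProducerRun(3, [], {"seal.json", "evidence.sha256"})
PROBE_REJECTION_MENTIONS_SEAL = ProducerRun(
    3, [{"type": "rejection", "name": "ORACLE_CLAIMS_SEAL_REJECTED"}])
```

Probes 1 and 2 are the ones the old rule misses: it reports "not emitted" for both because exit is 3, while the conjunctive oracle fails them; probe 3 passes the conjunctive oracle because the marker's structured type is a rejection, which a raw substring match on "SEAL" would get wrong.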

P2 — Restore one-concern LEGO boundaries (BLOCKER)

TKT-L3-GOVERNANCE combines authority firewall, report-vs-file audit, object-ID collision/orphan checks, and NVSZ completeness. That is not one concern and contradicts R-TKT-1.

Split it into independent L3 bricks, for example:

  • TKT-L3-AUTHORITY-FIREWALL
  • TKT-L3-CLAIM-AUDIT
  • TKT-L3-IDENTITY
  • TKT-L3-NVSZ

Then define L3 as their aggregate. Each brick needs its own input, output, bad input, rollback, dependency, and out-of-scope contract.

P3 — Correct source authority labels (BLOCKER)

The three matrix-refactor documents used as “binding laws-new SSOT” explicitly declare themselves DRAFT / not enacted. PATCH1 must distinguish:

  • enacted authority: Constitution v4.6.3 and enacted laws;
  • OR v7.58 operating control;
  • laws-new track design SSOT/proposals: controlling within the draft planning workspace only, not enacted authority.

Do not call DRAFT sources binding law without that qualifier. MCB-6 cannot be closed by inference.

P4 — Close the L1 versus Phase-4 execution ambiguity

L1 says clean-room “rerun” while Phase 4 defers the verifier that executes the subject under test. Define the boundary:

  • L1 may execute only the TKT reconstruction/verifier recipe on inert packet fixtures.
  • L1 may not invoke the candidate’s production/runtime behavior.
  • Any call into the subject under test requires the Phase-4 Call Contract and sandbox.

Without this, a runtime execution verifier can be smuggled into Base.

P5 — Make NVSZ identifiers deterministic

  • Namespace the two exit taxonomies by validator, e.g. ESCROW_E9 versus ROOT_E4; bare numeric codes are ambiguous.
  • Select one canonical ledger filename for new packets.
  • A legacy filename may be accepted only as migration input and normalized before the packet tree pin is computed. “Accept either and warn” must not create two canonical packet identities.
  • State explicitly that MCB-2/MCB-3 must close before Phase-1 design can be accepted, though they do not require a root designation.

P6 — Separate RS5A externally grounded rules from RS5B provisional rules

The actual Codex-derived rules are RS5A/PATCH1–4 rules. RS5B has no external Codex review and its BI01–BI10 are self-reported.

  • Rename/split the profiles.
  • Mark each rule’s provenance as CODEX_CAUGHT_RS5A or SELF_REPORTED_RS5B_DRAFT.
  • Do not describe RS5B rows as externally validated.
  • Do not hardcode RS5A-specific 84/86 and Q-code rules as a generic RS-series contract; make stage/profile metadata explicit.

P7 — Repair dependency and output consistency

  • L2 depends on successful L0 and L1, not only L0.
  • L3 depends on cumulative L0–L2.
  • Higher levels after a lower failure must be N/A, consistently; do not mix HOLD/PASS semantics with cumulative level claims.
  • Define aggregate status separately from authority/gating language.
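The P7 roll-up as an added example, not code from the package: levels are evaluated cumulatively, every level above the first failure is N/A rather than HOLD or PASS, and the engineering aggregate is reported apart from the fixed authority fields of a support checker. The level names and the PASS/FAIL/N/A vocabulary are assumptions.

```python
LEVELS = ["L0", "L1", "L2", "L3"]


def roll_up(results: dict) -> dict:
    """Map each level to PASS, FAIL or N/A.

    `results` maps a level to True (brick passed) or False (brick failed).
    A level is evaluated only when every lower level passed (L2 needs L0
    and L1, L3 needs L0-L2); after the first failure all higher levels are
    N/A, never PASS or HOLD.
    """
    statuses = {}
    lower_ok = True
    for level in LEVELS:
        if not lower_ok:
            statuses[level] = "N/A"
            continue
        passed = results.get(level, False)  # a missing result is not a pass
        statuses[level] = "PASS" if passed else "FAIL"
        lower_ok = passed
    return statuses


def aggregate(statuses: dict) -> dict:
    """Engineering aggregate, kept apart from authority/gating fields.

    The authority fields are constant for a support checker: the
    engineering result never changes them.
    """
    passed = [lvl for lvl, s in statuses.items() if s == "PASS"]
    return {
        "engineering_status": "PASS" if len(passed) == len(LEVELS) else "FAIL",
        "highest_level_reached": passed[-1] if passed else None,
        "authority": "NON_AUTHORITY",
        "may_gate": False,
        "decision_effect": "NONE",
    }
```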

5. NVSZ taxonomy judgment

The NVSZ architecture itself is safe enough to retain: no root is invented, raw logs remain outside vector KB, and summary+hash+pointer+regen does not replace raw evidence.

MCB-2 is not a reason for REJECT_RS_TKT_0A_NVSZ_UNSAFE, but bare overlapping numeric taxonomies are not acceptable as a final design. Treat them as two named namespaces and reconcile them in Phase 1. MCB-5 (root undesignated) is not a Phase-1 blocker; it blocks Phase 3 and any real escrow acceptance.

6. RS5B draft-status judgment

RS5B-specific checks remain DRAFT / SELF_REPORTED / NOT_EXTERNALLY_CODEX_VALIDATED. This does not block surveying or Phase-1 Base design, but it blocks calling the RS5B profile validated and blocks using it as a gate. A later Codex RS5B review must update the defect catalog.

7. Authority and registration judgment

The package’s authority boundary is strong:

  • no Owner/scope/APR/register_dot creation;
  • no production or registration authorization;
  • no semantic Text-as-Code PASS;
  • no gate/seal power;
  • registration remains HOLD/NO.

The phrase “binding laws-new SSOT” for DRAFT documents is a source-authority overstatement that must be patched, but the package does not cross into runtime authority overclaim. Therefore the correct verdict is PATCH1, not REJECT_RS_TKT_0A_AUTHORITY_OVERCLAIM.

8. Blockers and caveats

Blockers before opening Phase 1

  1. Bad-output detector treats nonzero exit as erasing emitted dangerous output.
  2. L3 is a multi-concern brick, violating the stated LEGO rule.
  3. DRAFT laws-new sources are mislabeled as binding authority.
  4. L1/Phase-4 execution boundary is ambiguous.

Caveats that may carry into Phase 1 after PATCH1

  • MCB-1: RS5B lacks external Codex review.
  • MCB-2: two NVSZ validator taxonomies; must be namespaced/reconciled during design.
  • MCB-3: ledger filename migration; one canonical name required.
  • MCB-5: no designated NVSZ root; blocks Phase 3, not design.
  • MCB-6: no single enacted laws-new architecture doc; use explicit source-status hierarchy.

9. Three declarations

  • Permanent (Vĩnh viễn): PATCH1 fixes the oracle contract at its source so future bad inputs cannot be reclassified as safe merely because the producer exits nonzero.
  • Can it be mistaken? (Nhầm được không): structured event/artifact detection, namespaced taxonomies, one canonical filename, and separate LEGO bricks remove interpretation-based decisions.
  • 100% automatic (100% tự động): Phase-1 design must include machine-runnable negative fixtures for printed tokens, emitted artifacts, rejection markers, missing evidence, and cumulative dependencies. No manual reviewer interpretation may decide whether bad output “counts.”

10. Steps 0→6 compliance

  • Step 0 — Read skill, OR v7.58, Constitution v4.6.3, and relevant foundation/source documents.
  • Step 1 — One mission: independent read-only review of RS-TKT-0A.
  • Step 2 — Reconstructed evidence and adversarial failure modes before issuing verdict.
  • Step 3 — N/A: no code, DDL, DML, registry, PG, Directus, or runtime mutation.
  • Step 4 — N/A: no implementation/PR/deploy; two-hat flow does not apply to a read-only design review.
  • Step 5 — Full AgentData reads plus independent inventory counts; no production PASS claimed.
  • Step 6 — Official report uploaded to the required KB report path. OR update: not needed because no operating rule or implementation changed. TD/handoff: PATCH1 items are contained in this report; no runtime debt created.

11. Final next step

Do not open Phase 1 yet.

Produce RS-TKT-0A-PATCH1, limited to P1–P7 above, then run one independent read-only re-review. On acceptance, the only authorized next step is:

Open Phase 1 — TKT Base design package, design-only.

No runtime tool, Python checker, shell runner, DOT runtime, registry/PG/Directus mutation, registration movement, semantic Text-as-Code PASS, or production PASS is authorized.

Report path: knowledge/current-state/reports/codex-review-rs-tkt-0a-tool-kiem-thu-lego-survey-conversion-plan-2026-06-21.md