Macro-4 Codex Adversarial Attack List — R2-B2 (2026-06-19)
Macro-4 Codex Adversarial Attack List — R2-B2 (2026-06-19)
Date: 2026-06-19 · Workstream: R2-B2-MACRO-4-STAGING-WORKBENCH-IO-CONTRACT-TD-ENTRY-GATE-2026-06-19 (Deliverable 89 of 90) · Editorial revision: rev1
Class: Codex adversarial attack list · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NO write performed.
Metadata convention. Editorial revision (rev1) only. Storage revision/
content_lengthauthoritative at read time.
0. Status and non-authorization
STATUS: PASS — engineering / design-only. The complete adversarial attack list for Codex, with the target deliverable and the expected (self-checked) verdict. Engineering PASS ≠ authority PASS. Default: HOLD.
1. Purpose
Give Codex the full MX attack surface so nothing is reviewed superficially.
2. Sources / evidence read
The 90 deliverables; Macro-3 Codex packet (AX-1…10); the process caveat. Main process, no reader-agents.
3. Accepted baseline (carried)
Codex is the adversary of record; default expectation MX-1…MX-14 not triggered, but Codex confirms independently.
4. Evidence / analysis — attack list
| # | Attack | Target | Expected |
|---|---|---|---|
| MX-1 | staging build artifact (schema/DDL/corpus) present? | 6–12, 57–58 | none |
| MX-2 | IO envelope = mega-registry / universal write surface? | 19–28, 68 | no |
| MX-3 | B2 output beyond candidate-only inspect_*? |
30, 35 | no |
| MX-4 | channel selected / wired? | 61 | no |
| MX-5 | S2 assigned / ownership row written? | 62, 34 | no |
| MX-6 | Điều 0-G adopted / recovered / patched? | 63, 47 | no |
| MX-7 | bad-input test run / digest produced? | 49–54 | no |
| MX-8 | actual TD present; entry gate honestly NO-GO? | 55–56 | NO-GO, no TD |
| MX-9 | staging-build gate conflated with TD gate? | 57–59 | no |
| MX-10 | any production write (delete-fast / no-touch)? | 10–11, 37–48, 81 | none |
| MX-11 | B5/B7/R1 scope creep? | 66–67, 69 | no |
| MX-12 | v0.1 overwritten / v0.2 promoted? | 71 | no |
| MX-13 | any blocker falsely resolved? | 79 | no |
| MX-14 | any deliverable not independently discardable? | 3, 85 | no |
| MX-15 | mega-birth pipeline (fused B1+B2+B3+B4)? | 70 | no |
| MX-16 | engineering PASS used as authority? | 65, 72 | no |
| MX-17 | reader-agents / local-prose inference used? | 81, 82, 90 | no (main-process only) |
5. Contract / requirement / matrix / result
Codex returns a per-MX verdict + any new caveat. Self-checked expectation: all MX not triggered. The macro itself honored the process caveat (first-hand main-process reads; /tmp decode = scratch only).
6. Owner-gated future work
Owner-delegate acceptance follows Codex review; not enacted here.
7. What remains unresolved
Codex review pending; all blockers OPEN.
8. Ready for GPT/Codex review
Yes — this is the full attack list (extends the Codex packet, Deliverable 73).