Mega Gate — Codex Review Packet

Date: 2026-06-18 · Workstream: LEGO-PILOT-SLICE-0-B2-MEGA-GATE-BUNDLE-2026-06-18 (Deliverable 19 of 20) · Editorial revision: rev1 Class: design-only / Codex review preparation / adversarial control · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NOT remediation · NOT technical design · NOT implementation · NO blocker resolved · NO runtime touched.

Metadata convention. Editorial revision (rev1) only. AgentData storage revision and content_length are authoritative in AgentData metadata at read time; not pinned in this body.

Review-packet lock. This packet prepares the adversarial Codex review of the 20-file Mega Gate Bundle — the checks, the drift audits, the questions Codex must answer. It performs no review verdict for Codex, resolves nothing, and authorizes nothing. Codex's own independent control review is a separate step (the next-step chain).

0. Status and non-authorization

STATUS: PASS — engineering / design-only. This is a complete design-only Codex review preparation packet: the adversarial method Codex should apply, the per-layer audit dimensions, the drift audits (TD / channel-authority / staging-schema / scope-creep / R1-creep), the metadata/source-read/tool-lock audits, and the primary review questions Codex must answer.

Engineering PASS ≠ authority PASS. A PASS means the review packet is complete on paper. It is not a Codex verdict and not an authorization. Default disposition: HOLD.

Pipeline position (downstream-only). Deliverable 19 of the Mega Gate Bundle; it answers "what Codex adversarial review should check next" (macro question 7). The actual Codex review is a separate, independent step.

Non-authorization (explicit). As Deliverable 1 §0 (no DB write/DDL/DML; no runtime mutation; no inspect/certified writes; no gate flip; no owner assignment; no contract promotion; no pg_cron/queue enable; no source/prior-report patch; no current/staging corpus; no TD; no implementation; no blocker resolved; no channel selected; v0.1/FIX7 V3 not overwritten; v0.2 not authority).

Evidence basis — INHERITED_EVIDENCE. No runtime queried. AgentData metadata authoritative at read time. CAV-1…CAV-6 carried.

Reading discipline (Codex caveat, honored). All sources read directly from AgentData KB, bounded/sequential, by the main process — no parallel/background reader-agents, no sub-agents, no local-prose inference. /tmp = decode-scratch only, never SSOT.

1. Purpose

Answer the macro's seventh question: what should the next Codex adversarial review check? The packet answers:

What adversarial method should Codex apply? — §4.
What must Codex audit per layer / per deliverable? — §5 audit dimensions.
What drift audits must Codex run? — §5 drift audits.
What primary questions must Codex answer? — §5 questions.

The one rule, above all detail. Codex reviews independently, from the AgentData KB, in the main process; it treats every claim as untrusted until grounded; it distinguishes engineering PASS from authority PASS; it rejects any TD / channel-authority / staging-schema / scope-creep / R1-creep drift. This packet prepares that review; it does not perform it.

2. Sources read

All 25 required sources read first-hand from AgentData KB, by the main process, sequentially; none SOURCE_NOT_READ (full list in Deliverable 20 §2). Used principally: the prior Codex reviews (planning bundle; B2 TD-prep; interface; block-contract; modular — their audit structures and caveats, incl. the Process Caveat on reader-agents); the 6 caveats CAV-1…6 + 3 wording constraints; the mandatory preamble's safety locks (carried as the drift audits).

3. The 20 deliverables under review (carried)

The bundle's 20 files (19 consolidation + 1 report). Codex audits each against its layer's contract:

Layer	Deliverables
Owner / decision	1 Owner decision options · 2 No-Go closure matrix · 3 Next-3 macro roadmap
Channel	4 R2-D2 channel authority recommendation · 5 host-cron vs agent-api brief · 6 channel proof obligations
B2 TD gate	7 B2 actual-TD entry gate · 8 B2 non-TD outline · 9 B3/B4 compatibility readiness · 10 Điều 0-G source authority gap
Staging / verification	11 staging build readiness · 12 no-production-touch proof matrix · 13 delete-fast proof obligations · 14 bad-input oracle requirements · 15 minimal pilot acceptance criteria
Evidence / rollback / cross-check	16 S7 evidence writer readiness · 17 S8 rollback/downstream-certify readiness · 18 R1/KG invariant cross-check · 19 this Codex review packet · 20 execution report

4. Adversarial method Codex should apply (carried)

Do not trust the reports; find the actual governed surfaces. Re-ground every claim against the real identifiers (birth_registry.inspect_pen/stamp/gate, certified/certified_at, canonical_address, trg_birth_auto_certify → fn_birth_auto_certify, the Đ0-G PEN/STAMP/GATE rule-set, the channel substrate facts) read first-hand from AgentData KB — not from this bundle's prose.
Fresh-reconstruct from KB, not local prose. The VPS PostgreSQL directus DB is the substrate-of-truth; local checkout is stale; AgentData metadata is authoritative at read time.
Use exact KB paths + exact governed names. Audit the 20 files at their exact paths; treat AgentData revision/content_length as authoritative (not the body's editorial rev1).
Construct bad-input scenarios outside the happy path. For the bad-input/oracle deliverables (14/15), check the fail-open conditions, not just the happy path.
Apply the fail-open test: would invalid input still create a digest / PASS / stamp / certify? If any deliverable's logic would let it → fail-open → reject.
Distinguish engineering PASS from authority PASS. No PASS in the bundle authorizes a write; verify every §0 says so.
Read directly in the main process — no background agents (the Process Caveat); verify the bundle followed the same discipline.

5. What Codex must check

5.1 Metadata / source-read / tool-lock audits

Audit	What Codex verifies
Files / metadata	exactly 20 files at the exact KB paths (19 consolidation + 1 report); editorial rev1 in bodies; no volatile storage revision/content_length pinned in bodies; AgentData metadata authoritative; no 21st file / schema / corpus / code file
Source-read / no-parallel-agent	the bundle read all 25 required sources first-hand, by the main process, sequentially; no parallel/background reader-agents, no sub-agents, no local-prose inference; the Process Caveat honored (the reader-agent pattern not repeated)
Tool / packet lock	v0.1-stable / FIX7 V3 baseline carried, not overwritten; v0.2-hardening separate, not authority (BAD-10/BI-10/B2-AC-11); the oracle lessons reused as requirements ≠ v0.2 promotion
Caveats	CAV-1…CAV-6 + the 3 wording constraints carried, not resolved; no overclaim (no executor process-log proof; no live `/opt/incomex/dot/bin` byte read; no claim transient bypass GUCs certainly absent)

5.2 Per-layer audit dimensions

Layer	Codex must verify
Owner / decision (1–3)	Options A–G classified; A=HOLD/No-Go-unless-accepted; G=rejected scope creep; the recommendation is recommendation-only; the roadmap scales prompt not coupling; no tier transitions automatically
Channel (4–6)	`RECOMMENDATION_ONLY — NOT AUTHORITY` throughout; no channel marked selected/use/wire/promote; both host cron + agent-api kept as candidates; pg_cron/job_queue risky/future-gated; manual one-shot rejected; B2-AC-7 restated; no scheduler/contract/install spec; recommendation does not overreach
B2 TD gate (7–10)	entry gate No-Go today; hard floor intact; the non-TD outline contains only obligations, no schema/DDL/function/SQL/cron/runner/command/rollback-script; B3/B4 unchanged; Đ0-G gap documented, not recovered/adopted
Staging / verification (11–15)	staging is IO-contract/readiness only — no schema/table/SQL/corpus/extraction; no-touch + delete-fast are proof requirements, not results; bad-input oracle requirements only (no test run); minimal-pilot acceptance is all-of + engineering≠authority + promotion firewall
Evidence / rollback / cross-check (16–18)	S7 records-not-decides, writers future-gated, channel-id present; S8 unit defined, downstream-certify accounted, HOLD-2 OPEN, no script; R1/KG cross-check CLEAN (no S3/S4/edge/provenance/quarantine/Qdrant/runner touch; Điều 39 not violated; `R1_SCOPE_CREEP` not triggered)

5.3 Drift audits (the safety locks — Codex must find none triggered)

Drift	Codex verifies it did NOT occur
`ACTUAL_TD_DRIFT`	no schema/DDL/table/migration/function-body/SQL-mutate/scheduler/runner/cron/command-sequence/rollback-script/staging-schema anywhere in the 20 files
`CHANNEL_AUTHORITY_DRIFT`	no channel selected/used/wired/promoted as authority; recommendation-only wording only
`STAGING_SCHEMA_OR_CORPUS_DRIFT`	no staging schema/table/corpus/SQL/extraction created
`B5_B7_SCOPE_CREEP`	B5 (backlog) and B7 (GUC) referenced as dependencies only, never opened as design
`R1_SCOPE_CREEP`	R1/KG used as cross-check only; no KG backfill/quarantine/Qdrant/runner work opened
`MEGA_BIRTH` / `B2_OVERREACH`	B2 stays inspect-only; no mega-pipeline / mega-registry / hidden shared write surface; no certify/canonical/identity/KG by B2
Owner-gate weakening	every future write `OWNER_GATE_REQUIRED` / FORBIDDEN_NOW; no PASS authorizes a write

5.4 Primary review questions Codex must answer

Are the 20 files valid design-only deliverables (no TD, no implementation)?
Did the macro stay LEGO (each deliverable a separate control surface; no merged mega-plan; no hidden shared write surface)?
Is B2 still the only primary block; are B5/B7 dependencies only?
Is the channel recommendation recommendation-only; is no channel selected as authority?
Is actual B2 TD still No-Go / not opened; is the non-TD outline obligations-only?
Is staging kept IO-contract/readiness only; no schema/corpus/extraction?
Are no-touch / delete-fast / bad-input kept as requirements/obligations, with no test run and no silent PASS?
Is the R1/KG cross-check clean (Điều 39 invariant respected, not violated; no KG work opened)?
Are all future writes Owner-gated and forbidden now?
Are all blockers still OPEN (none resolved)?
Is engineering PASS distinguished from authority PASS in every deliverable?
Is the tool/packet lock preserved (v0.1 not overwritten; v0.2 not authority)?
Is any further Claude patch needed before acceptance?

Expected Codex disposition (recommendation-only, not a verdict for Codex): consistent with the prior chain, a likely PASS_WITH_CAVEATS — design-only altitude accepted, with the carried caveats (Đ0-G source open; channel undecided; bad-input/staging conceptual-only; aggregate No-Go) remaining open. Codex decides independently.

6. Owner-gated future work

Future work	Gate required	Forbidden now?
Codex performs the adversarial control review	the next-step chain (GPT → Codex → Owner)	Yes (Codex's own step)
Owner chooses a next path from Deliverable 1's options	Owner decision after review	Yes
Any write-enabled remediation	Điều 32 + the full gated chain	Yes

7. What remains unresolved

This packet prepares the review; it is not the review. Codex's verdict is independent and separate.
The expected disposition is recommendation-only — Codex decides.
All caveats CAV-1…6 + 3 wording constraints carried — Codex must verify no overclaim.
Blockers — all OPEN, none resolved: CONS-002, CONS-003, CELL-003/004/007, HOLD-1, HOLD-2, RISK-BYPASS, GOV-016/017, GOV-REUSE-001, Điều 39 runtime-EMPTY, Điều 35 production-readiness FAIL.
FUTURE_TECHNICAL_DESIGN_REQUIRED (NOT written here): everything the bundle deferred.

8. Ready for GPT/Codex review

Yes — as a design-only Codex review preparation packet; it is itself one of the 20 files Codex will audit.

Core rule, kept above all detail: Codex reviews independently from the KB in the main process, treats every claim as untrusted until grounded, applies the fail-open test, distinguishes engineering from authority PASS, and verifies that none of the drift audits (TD / channel-authority / staging-schema / B5-B7 / R1 / mega-birth) triggered and that all blockers stay OPEN. This packet prepares the review; it performs none.

Default disposition: HOLD. Engineering PASS = a complete review packet on paper; it is not a Codex verdict and not an authorization. No PASS authorizes writes. All blockers remain OPEN.