KB-4284
10 — Internal Codex negative review (adversarial self-attack) 2026-06-23
5 min read Revision 1
Standard: Codex confirms, does not discover. I attack my own package; survivors are disclosed.
| # | attack | verdict | resolution |
|---|---|---|---|
| A1 | "Verdict overclaims — handler isn't built." | HONORED | Verdict is …PATCH_STAGED_FOR_OWNER_REVIEW = staged/not-applied/not-dry-run-ready/not-Codex-ready. No READY claim. Files 00/11 state all four gates = NO. |
| A2 | "This builds a generic authorization system." | REFUTED | Handler refuses any action_code != authorize_build_step (Gate 0), any scope ≠ the C1 allowlist (Gate A). One arm, one fn, one scope, one table. No generic dispatch added. |
| A3 | "Handler does a manual Directus POST bypass like the old one." | REFUTED | Writes via run_pg INSERT (gba is a raw PG table); precedent = execute_patch_ops_code→vps_deploy_log. No Directus write. The grant requires an APR (FK) that passed quorum — structurally un-bypassable. |
| A4 | "Binding handler_ref is manual SQL ⇒ should HOLD …BINDING_PATH_NOT_DOT_APPROVED." | REFUTED (with care) | PATH 1 = operator governed migration = the §3.4-listed authority-approved path that bound the 4 existing handlers (origin=MIGRATION). NOT ad-hoc raw psql. Raw psql is explicitly excluded. PATH 2 (update_item APR) disclosed as unreliable, not relied on. |
| A5 | "Grant minted BEFORE the apply-time quorum re-proof ⇒ orphan grant if re-proof RAISEs." | HONORED → mitigated | Handler adds Gate D: quorum_passed(apr_code) re-check BEFORE INSERT. If it would RAISE at apply, Gate D already returned FAIL and minted nothing. Residual: if quorum changes between Gate D and the apply PATCH (sub-second), a grant could exist with the APR not marked applied — but the grant is single-active + revocable + manifest-bound; runbook STEP 7 readback catches a grant whose APR≠applied. Disclosed, low-risk. |
| A6 | "Self-patching dot-apr-execute mid-run corrupts the running process." | REFUTED | execute_patch_ops_code uses atomic mv after the process already sourced the file; in-flight run unaffected, new code live next invocation. Runbook STEP 2 loads new code before any grant APR. Disclosed self-edit caveat in file 04 §C. |
| A7 | "update_item binding works fine — you invented the Directus-drop problem." | REFUTED by evidence | directus_fields for apr_action_types = 0 rows (queried this turn); the dot-apr-propose v2.0.1 changelog documents that Directus drops unregistered fields. So PATH 2 is genuinely unreliable; PATH 1 chosen. |
| A8 | "Reject matrix is claimed runtime-proven." | HONORED | File 07 explicitly labels it design-proven, runtime proof DEFERRED to the runbook (no governed exec channel this turn). No fail-closed runtime claim. |
| A9 | "You wrote to production (KB/docs)." | PARTIAL — disclosed | 0 writes to VPS DB / runtime / governance. Writes are: evidence package to the LOCAL web-test tree + AgentData KB (evidence SoR, the sanctioned channel, same as predecessor report). No governance_build_authorization, apr_action_types, code, or Directus write. before==after baseline holds (gba=0, action_types=14, handler_ref=unimplemented). |
| A10 | "commit_allowed could be flipped true by a crafted payload." | REFUTED | Handler writes the literal false (not the payload value) AND Gate B rejects commit_allowed!=false. Two independent locks. |
| A11 | "Scope check is a string compare; a sneaky target slips through." | REFUTED | Allowlist is exact equality on three fields (namespace,axis,target); anything else → FAIL:reject_scope_not_c1_dryrun. Default-deny, not pattern-allow. |
| A12 | "TTL could create an already-expired or eternal grant." | REFUTED | TTL clamped 60..86400; chk_expiry enforces expires_at>granted_at. |
| A13 | "Idempotency: a retried APR double-mints." | REFUTED | Deterministic auth_code + ON CONFLICT (auth_code) DO NOTHING; readback returns OK without a 2nd row. Plus Gate E single-active. |
| A14 | "You touched process_axis_action_vocabulary / executor / C2..C7." | REFUTED | None touched. W7 path uses dot-apr-execute+apr_action_types only. Executor (W6) and the axis-UI function are out of scope (file 04 §D). |
| A15 | "Issuer rework still a loose script, so issuer-rework is incomplete." | HONORED (scoped) | Design-complete (governed propose path, no bypass, dry-run). Its DOT lifecycle registration is the separate owner-gated step (file 06 §F) — not claimed done. The macro's §3.5 asks the script be reworked to call the governed path; that IS done. |
Net
No attack defeats the verdict. Survivors (A1,A5,A8,A9,A15) are honestly disclosed and bound the
claim to "staged for owner review", not "ready". ⇒ C1_AUTH_HANDLER_HOLD_INTERNAL_CODEX_REVIEW_FAILED
does not fire. No …REJECT_READY_OVERCLAIM, no …REJECT_GRANT_BYPASS, no
…REJECT_GENERIC_AUTH_SYSTEM_DRIFT.
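
The gate order described in rows A2, A5 and A10 to A13, modelled as an added example (not the handler's own code) with SQLite standing in for the raw PG table. The scope values, column and payload field names, the auth_code derivation and every reject code except `reject_scope_not_c1_dryrun` are assumptions.

```python
import hashlib
import sqlite3

# Constructed placeholder scope: the page does not list the real C1 allowlist values.
C1_SCOPE = ("example-namespace", "example-axis", "example-target")

def open_db():
    """In-memory stand-in for the raw PG table gba (column names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE gba (
        auth_code TEXT PRIMARY KEY, apr_code TEXT NOT NULL,
        commit_allowed INTEGER NOT NULL CHECK (commit_allowed = 0),
        granted_at INTEGER NOT NULL, expires_at INTEGER NOT NULL,
        active INTEGER NOT NULL DEFAULT 1,
        CONSTRAINT chk_expiry CHECK (expires_at > granted_at))""")
    return db

def handle(db, apr, quorum_passed, now):
    """Return 'OK' or 'FAIL:<reason>'; every FAIL path returns before the INSERT."""
    if apr.get("action_code") != "authorize_build_step":        # Gate 0: one action only
        return "FAIL:reject_action_code"                        # hypothetical reason code
    scope = (apr.get("namespace"), apr.get("axis"), apr.get("target"))
    if scope != C1_SCOPE:                                       # Gate A: exact equality, default-deny
        return "FAIL:reject_scope_not_c1_dryrun"
    if apr.get("commit_allowed") is not False:                  # Gate B: only a literal false passes
        return "FAIL:reject_commit_allowed"                     # hypothetical reason code
    ttl = min(max(int(apr.get("ttl_seconds", 0)), 60), 86400)   # TTL clamp 60..86400
    if not quorum_passed(apr["apr_code"]):                      # Gate D: re-check before minting
        return "FAIL:reject_quorum_not_passed"                  # hypothetical reason code
    # Deterministic auth_code (derivation is an assumption) makes a retry hit the same key.
    auth_code = hashlib.sha256("|".join((apr["apr_code"],) + scope).encode()).hexdigest()[:16]
    other = db.execute("SELECT 1 FROM gba WHERE active = 1 AND auth_code != ?",
                       (auth_code,)).fetchone()
    if other:                                                   # Gate E: single active grant
        return "FAIL:reject_active_grant_exists"                # hypothetical reason code
    # commit_allowed is the SQL literal 0, never the payload value.
    db.execute("INSERT INTO gba (auth_code, apr_code, commit_allowed, granted_at, expires_at) "
               "VALUES (?, ?, 0, ?, ?) ON CONFLICT (auth_code) DO NOTHING",
               (auth_code, apr["apr_code"], now, now + ttl))
    db.commit()
    row = db.execute("SELECT 1 FROM gba WHERE auth_code = ? AND active = 1",
                     (auth_code,)).fetchone()
    return "OK" if row else "FAIL:readback_missing"             # hypothetical reason code
```

The `CHECK (commit_allowed = 0)` and `chk_expiry` constraints back the handler-side checks at the table level, so a handler bug alone cannot store a committable or already-expired grant.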