KB-26A6
12 — Internal Codex Negative Review (2026-06-22)
4 min read Revision 1
12 — Internal Codex Negative Review (adversarial) — 2026-06-22
LABELS: LOCAL_DISPOSABLE_SANDBOX_DOT_EMULATOR · NOT_GOVERNED_RUNTIME · NOT_PRODUCTION · NOT_DIRECTUS_GOVERNED_WRITE · NOT_A_SUBSTITUTE_FOR_DOT_C1_REGISTRATION
Each attack is run against the result; the verdict must survive. Where an attack would succeed against a broad READY claim, it is honored by withholding the broad claim and using the narrower verdict.
| # | Attack | Finding | Disposition |
|---|---|---|---|
| A1 | missed capability route | 16 routes surveyed incl. docker/native-pg/CLI/CI/secret-mgr/existing-lane; none stop-at-first-denial | PASS — none missed |
| A2 | sandbox not isolated | dedicated cluster, own data_dir/port/socket, trust-local, no prod creds, destroyable | PASS |
| A3 | contract exists only as prose | 11 executable functions + 7 contract rows read back; dry-run/apply executed | PASS |
| A4 | C1 scope not enforced | wrong_carrier + c2_cross_mutation rejected; resolver C1-only | PASS |
| A5 | wiring absent | sandbox wiring present & read back; governed wiring absent → disclosed as B-gap, not hidden | PASS (honest) |
| A6 | manifest hash not recomputable | cross-tool shasum MATCH on 2123 bytes |
PASS |
| A7 | authorization matching loose | 11 distinct reject codes; exact carrier/plan/hash/action-set; single-use CAS | PASS |
| A8 | preflight false-ready | preflight READY is sandbox readiness; governed readiness explicitly NOT claimed | PASS (scoped) |
| A9 | dry-run not actually routed | dry-run uses the real dispatcher code path (shared with apply), not a stub | PASS |
| A10 | bad-input harness missing | 19-case matrix executed | PASS |
| A11 | invalid input emits PASS/digest/seal | aggregate any_seal=f, not_fail_closed=0 |
PASS |
| A12 | rollback/clean-state unproven | apply→single-use→write-once→dismantle→clean; orphan=0; audit retained | PASS |
| A13 | production touched | governed BEFORE==AFTER; 0 mutations; only read-only + 1 denied write | PASS |
| A14 | C2/C3 touched | only schema c1; cross-carrier rejected |
PASS |
| A15 | evidence not read back | sandbox + KB readback (file 11) | PASS |
| A16 (added) | sandbox masquerades as governed proof | This is the central risk. Caught: every file labeled; A/B/C split; verdict is the narrow one | PASS — by construction |
| A17 (added) | new governed DOT created unrecorded → registry HOLD | No governed DOT created; sandbox DOTs are category E, deliberately unregistered; HOLD precondition false | PASS — HOLD does not apply |
| A18 (added) | reuse-first skipped | 309-tool registry searched; schema-ensure family + verifier pairing identified as reuse targets (file 04b) | PASS |
Adversarial conclusion
- The sandbox-logic claims (A) survive every attack.
- The attacks that would defeat a broad READY (A5/A8/A13/A16) are exactly why the broad READY is withheld. The honest verdict is the narrow one.
- No
READY_OVERCLAIM, noFAIL_OPEN, noSCOPE_DRIFT, noPRODUCTION_MUTATION, noC2_CROSS_MUTATION, noDOT_REGISTRY_NOT_UPDATED(no governed DOT created). - Internal review: PASS for the narrow verdict; correctly FAILS any attempt to assert governed-runtime readiness.