KB-269E
10-internal-codex-negative-review-2026-06-22.md
6 min read Revision 1
c1-legoprewrite-gate
10 — Internal Codex negative review (self-attack)
Stance: I do not trust this package. I attack every claim, the SSOT map, and the plan. If any production write happened, any local file is passed off as governed proof, any mitigation is illusory, any READY is overclaimed, or any HOLD is forced — I HOLD/REJECT.
A. Production-write & SSOT attacks
| # | Attack | Finding | Survives? |
|---|---|---|---|
| A1 | A prod write slipped in | Only ssh ls, read-only SELECT, docker exec cat/inspect, local Read/grep, offline sim. No INSERT/UPDATE/DELETE, no directus_create, no write_file to prod, no registrar real-run, no secret value read. before==after (309/2/21/164/0/14). |
No write |
| A2 | Local file passed as governed proof | Caught and corrected: report 00a maps local=STAGING, VPS=CODE SSOT. Every governed-code claim re-grounded on VPS (00a §5). All staged artifacts banner-labeled LOCAL_STAGING_NOT_SSOT…. |
No overclaim |
| A3 | Registrar mechanism cited from local (wrong runtime) | Diff vs VPS = 3 PG-env lines only; matcher/write-site byte-identical ⇒ citation authoritative for VPS. | No |
| A4 | Local==VPS assumed | Disproven explicitly: different branch/commit/hash, 163 vs 209 scripts. Local declared a divergent subset. | No |
| A5 | Executor "source" guessed | Located + hash-proven: host /opt/incomex/deploy/agent-api-executor/main.py == container /app/main.py (09cdd867…). |
No |
B. G1 (registrar defect) attacks
| # | Attack | Finding | Survives? |
|---|---|---|---|
| B1 | "287" is hand-waved | Reproduced: OLD matcher over real VPS disk(287)/registered(228) → 287; matches live --dry-run. |
No |
| B2 | Mitigation untested | Patched artifact run over real inputs: B=15, C1=0, C2=7, all exit 0 (evidence/). | No |
| B3 | Normalization fix is enough → bare run safe | Refuted by Run B = 15 unrelated rows. Hence --only-prefix is MANDATORY, --max-new abort as backstop. This is the central hardening, not a footnote. |
No |
| B4 | Filter still leaks non-C1 | Run C2 shows the diff is exactly the 7 DOT_C1_* codes, nothing else. |
No |
| B5 | Mitigation depends on manual Directus edit | No — it is the governed registrar DOT patched via patch_ops_code. |
No |
C. G2 (DOT-approved registration) attacks
| # | Attack | Finding | Survives? |
|---|---|---|---|
| C1 | "Targeted POST" = manual Directus bypass | Prior plan's W2 was that; this package replaces it with the patched governed registrar. The bypass verdict does NOT fire. | No |
| C2 | Registrar's internal curl == manual POST | Distinguished (report 03 §3): write issued by the registered DOT via dot-auth = governed; by hand = bypass. Only the former is used. | No |
| C3 | A second hidden POST path | VPS SSOT grep: only dot-dot-register creates; the other 3 update/read. | No |
D. G3a/b/c (engineering paths) attacks
| # | Attack | Finding | Survives? |
|---|---|---|---|
| D1 | Contract-register is a generic registry | Scoped to exactly 2 C1 rows, idempotent pre-check; VPS confirms 0 existing writers. | No |
| D2 | Endpoint = mega rewrite | 3 additive changes; KG path byte-unchanged; PLAN_ONLY works with only the fixture. | No |
| D3 | Endpoint can write in DRY_RUN | writes_db:false everywhere; read-only role; REAL_RUN 403 inherited; STOP if writable txn. |
No (designed) |
| D4 | Grant issuer = general authz | Hard scope-lock to one C1 scope; single-active guard; single-use; manifest-bound; full reject matrix. | No |
| D5 | Grant/issuer claimed runnable now | Disclosed unimplemented (authorize_build_step); staged only; 0 grants. |
No (disclosed) |
E. Lifecycle / ledger / READY attacks
| # | Attack | Finding | Survives? |
|---|---|---|---|
| E1 | DOT created without birth/admission | None created this turn; lifecycle staged with strict order (report 07). | N/A |
| E2 | Ledger silently skipped | Armed HOLD …LEDGER_NOT_UPDATED; W4/W5 readback checks each row. |
No |
| E3 | Orphan DOT | Every Cấp-A paired; DOT_C1_ROLLBACK_CHECK asserts no orphan. |
No |
| E4 | Write without rollback | Every W1–W9 has retire/revoke/redeploy. | No |
| E5 | READY overclaim | Verdict is …HARDENED_FOR_OWNER_STEP_APPROVAL; ready-for-Codex=NO, dry-run=NO, prod=NO. |
No |
| E6 | HOLD forced to look like progress | Not forced: gaps G1/G2/G3/G4 are genuinely closed-as-staged; only irreducible items (endpoint deploy, unimplemented issuer handler, off-checkout admission) remain, each disclosed with a lawful path. | No |
F. Residual honest weaknesses (owner must see)
- Endpoint deploy (W6) is the one non-CLI step — image rebuild on the VPS SSOT, operator/deploy-pipeline. Disclosed; not a
dot-*CLI. authorize_build_step+ ownership handlers areunimplemented— W7 needs the staged issuer DOT born+registered, or an operator migration (precedent:…/docs/mcp-writes/dot-agent-api-contract-2026-06-04/v5_apply.sql).- DOT-manage/admission store is off-checkout — W2/W9 ledger writes target the governed SoR (AgentData KB), not local.
- Mitigation dry-run is offline over real inputs; the live confirmation is W1's first action.
- Local checkout diverges from VPS SSOT (branch/commit/scripts) — all artifacts are staging; operators must apply against
/opt/incomex, not assume parity.
Result
PASS — plan HARDENED, SSOT CONFIRMED, no attack succeeded. No production write, no local-as-governed overclaim, no illusory mitigation, no orphan/bypass/unrollbackable write, no forced HOLD, no READY overclaim. No GOVERNED_C1_DRYRUN_REJECT_* and no …LOCAL_STAGING_OVERCLAIM condition fired.