KB-4CFE
14-internal-codex-prewrite-review-2026-06-22.md
3 min read Revision 1
c1-legoprewrite-gate
14 — Internal Codex pre-write review (self-attack, macro §3.5)
Stance: attack the package, the KB canonicalization, and the gate. If any attack succeeds, HOLD.
| # | Attack | Finding | Succeeds? |
|---|---|---|---|
| A1 | Package only local, not in KB | 31/31 files uploaded to AgentData KB; list_documents count=31; readback OK (file 12). |
No |
| A2 | Local staging overclaimed as SSOT | 00a maps local=STAGING / VPS=CODE SSOT / KB=EVIDENCE SSOT; all artifacts banner-labeled; claims re-grounded on VPS. | No |
| A3 | A W step uses manual SQL | None — W-gate table (13.A): every step DOT/DOT-approved-deploy. | No |
| A4 | A W step uses manual Directus POST | None — W4 uses the patched governed registrar; W5 the contract-register DOT (idempotent), not hand POST. | No |
| A5 | A W step bypasses the DOT registrar | No — registration only via patched dot-dot-register; reuse-first confirmed on VPS. |
No |
| A6 | Registrar would insert 287/15 backlog | Prevented — --only-prefix dot-c1- → 7 named rows (runC2); bare forbidden; --max-new abort. |
No |
| A7 | DOT_C1 lifecycle missing birth/gov/ledger | Lifecycle staged (07) + ledger in KB (12); armed HOLD if ledger skipped. | No |
| A8 | Contract registration unproven | Path proven + staged + precedent migration located (13.C G3a). | No |
| A9 | Endpoint deploy unproven | Source located + hash-matched + concrete additive patch + rebuild/rollback (13.C G3b). | No |
| A10 | Grant issuer unimplemented hidden | NOT hidden — surfaced as the binding HOLD (…GRANT_ISSUER_UNIMPLEMENTED, 13.C G3c). |
No (disclosed) |
| A11 | Rollback/retire missing | Every W1–W9 has rollback/retire (13.A). | No |
| A12 | Plan too big / non-LEGO | Each W is one domain, bounded deltas (09); LEGO confirmed (13.A). | No |
| A13 | False-ready for Codex/dry-run | Verdict is a HOLD, not ready; Codex=NO, dry-run=NO, prod=NO. | No |
KB-integrity specific attacks
- Re-typed content corrupts evidence? Caught on runA; switched to
jq --rawfilebyte-exact upload + Pythonstrict=Falsehash verify; 31/31 MATCH. No corruption survives. - Hash check is tautological (KB vs KB)? No — compares local
shasumvs KB-sidesha256(readback); independent sides.
Result
PASS for everything except the disclosed grant-issuer blocker. No attack found a manual write, a DOT bypass, a registrar mass-insert, a hidden gap, a missing rollback, an evidence-corruption, or a false-ready. A10 correctly forces the HOLD rather than a ready-overclaim — which is the intended behavior. No GOVERNED_C1_DRYRUN_REJECT_* fired.