KB-BA16
Codex-Style Adversarial Self-Review
Revision 1
c1stagingcodex-r2-fixself-reviewmatrix2026-06-23
08 — CODEX-STYLE ADVERSARIAL SELF-REVIEW
Adversarial pass against the four R2 findings + the four safety invariants. Every row must PASS to claim READY_FOR_CODEX_R3.
| Row | Adversarial question | Evidence | Verdict |
|---|---|---|---|
| P1 partial-failure cleanup | Can P1 create a DB and exit nonzero without dropping it? | Trap armed before the create; P1_CREATED_DB=1 immediately after a successful single-statement CREATE DATABASE; every later step runs under set -e, so any failure reaches the trap, which drops the DB; P1_DONE=1 only after SANDBOX_JSON is written; cleanup failure → exit 70. | PASS |
| P2 cleanup failure not swallowed | Can the plan exit 0 with a live sandbox? | exit 0 requires rc==0 AND cleanup_rc==0; cleanup_rc==0 requires P2 success AND c1_staging_% count==0 (or no sandbox); unverifiable count → cleanup_rc=87. No ` | PASS |
| P6 digest includes harness rows | Can a digest/P6_DONE be emitted that omits or pre-dates the harness rows? | c1_digest() hashes c1_test_results (7 fields) + canonical_operation; computed inside the SHARE-locked gated txn AFTER the gate; persisted, then read back; gate RAISE → psql exit 3 → no INSERT/COMMIT/readback. | PASS |
| P1 --force provenance / disabled | Can --force (or any create-path branch) blind-drop a pre-existing DB? | --force → stg_die … 4 at parse; existing sandbox → fail closed; remaining drops act only on the just-created candidate; all user-DB drops go through P2's active-registry gate. Guard test: exit 4. | PASS |
| official runtime unchanged | Did any official write occur? | Before (09:14:09Z) == After (09:27:53Z) on 12 metrics incl. dot_tools=309, appr=231, apr_action_types=14, APR-0415 pending, abs=unimplemented; only read-only SELECTs issued. | PASS |
| staging_dbs remains 0 | Was any sandbox DB created? | staging_dbs=0 at the start, still 0 after the guard self-tests, 0 at the end; no CREATE DATABASE executed (the guards exit before it). | PASS |
| dry-run not executed | Did the pipeline run? | Plan/P1→P3→P4→P5→P6→P2 never invoked; the dry-run gate now requires CODEX_R3_PASS; only the no-create guard self-tests ran. | PASS |
| scope inside /opt/incomex/staging/c1/ | Any out-of-scope edit? | Only 4 source files patched + README/ROLLBACK/registry/ledger regenerated, all under the staging path; no official runtime / dot/bin / Directus / APR mutation. | PASS |
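
The P1/P2 mechanics behind rows 1, 2 and 4, as an added example that is not the staging plan's own code. A file holding one database name per line stands in for the catalog so it runs offline; every name in it (stg_db_*, stg_parse_args, p1_run, p2_cleanup, run_plan, the DROP_FAILS/COUNT_FAILS fault switches) is hypothetical, and only the exit codes 4, 70 and 87 and the rc/cleanup_rc rule are taken from the table.

```shell
#!/usr/bin/env bash
# Added example (not the C1 staging plan's own code). A file with one
# database name per line stands in for the catalog so this runs offline;
# DROP_FAILS=1 / COUNT_FAILS=1 inject the faults the rows ask about.
CATALOG="${CATALOG:-$(mktemp)}"

stg_db_exists() { grep -qx -- "$1" "$CATALOG"; }
stg_db_create() {                        # single-statement CREATE DATABASE stand-in
  stg_db_exists "$1" && return 1         # pre-existing sandbox: fail closed, never drop it
  printf '%s\n' "$1" >> "$CATALOG"
}
stg_db_drop() {                          # DROP DATABASE stand-in
  [ "${DROP_FAILS:-0}" = 1 ] && return 1
  grep -vx -- "$1" "$CATALOG" > "$CATALOG.tmp" || true
  mv "$CATALOG.tmp" "$CATALOG"
}
stg_db_count() {                         # prints the c1_staging_% count; nonzero status = unverifiable
  [ "${COUNT_FAILS:-0}" = 1 ] && return 1
  grep -c -- '^c1_staging_' "$CATALOG" || true
}

# Row 4: --force dies at argument parsing (exit 4) before anything is created.
stg_parse_args() {
  for a in "$@"; do [ "$a" = "--force" ] && return 4; done
  return 0
}

# Row 1: trap armed BEFORE the create, P1_CREATED_DB=1 only after it succeeded,
# P1_DONE=1 only after the last artifact. The plan relies on set -e to reach
# the trap; this example uses explicit '|| exit' instead, because bash ignores
# -e inside a function that is called from an && / || list. A failing
# compensating drop is reported as 70, distinct from the original failure.
p1_run() {
  local db="$1" step_fails="${2:-0}"
  (
    P1_CREATED_DB=0 P1_DONE=0
    p1_trap() {
      local rc=$?
      trap - EXIT
      if [ "$P1_CREATED_DB" = 1 ] && [ "$P1_DONE" != 1 ]; then
        stg_db_drop "$db" || exit 70
      fi
      exit "$rc"
    }
    trap p1_trap EXIT
    stg_db_create "$db" || exit $?
    P1_CREATED_DB=1
    [ "$step_fails" = 0 ] || exit 1      # stands in for a later P1 step failing
    P1_DONE=1                            # stands in for SANDBOX_JSON written
  )
}

# Row 2: cleanup_rc is 0 only if the drop succeeded AND the residual count is
# verifiably 0; an unverifiable count is 87, never silently 0.
p2_cleanup() {
  local db="$1" count
  if stg_db_exists "$db"; then stg_db_drop "$db" || return 1; fi
  count=$(stg_db_count) || return 87
  [ "$count" = 0 ]
}

# Verdict: exit 0 requires rc==0 AND cleanup_rc==0; otherwise the P1 code
# wins, then the cleanup code. Usage: run_plan <suffix> <step_fails> [flags]
run_plan() {
  local db="c1_staging_$1" step_fails="${2:-0}" rc=0 cleanup_rc=0
  shift "$(( $# < 2 ? $# : 2 ))"
  stg_parse_args "$@" || return $?        # guards run before any CREATE
  p1_run "$db" "$step_fails" || rc=$?
  # P3..P6 would run here against the live sandbox when rc==0
  p2_cleanup "$db" || cleanup_rc=$?
  [ "$rc" = 0 ] && [ "$cleanup_rc" = 0 ] && return 0
  [ "$rc" != 0 ] && return "$rc"
  return "$cleanup_rc"
}
```

`run_plan x 1` exercises the compensating path (exit 1, no residual DB); `export DROP_FAILS=1; run_plan x 1` returns 70 and leaves the sandbox visible in the catalog, which is the state the plan must never hide behind exit 0; `export COUNT_FAILS=1; run_plan x 0` returns 87; `run_plan x 0 --force` returns 4 with nothing created. The `$?` captured on the first line of the trap is the status of whichever step failed, so the original error code survives unless the drop itself fails.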
Adversarial residual notes (disclosed, not blocking)
- The fixes are validated statically; the P6 atomic-txn behaviour and P1 trap compensating-drop are proven by code reasoning + structure checks, not by a live dry-run (forbidden this round). Live confirmation is exactly what Codex R3 → dry-run is for.
- shellcheck info notes (SC2015/SC1091) remain, matching the R1-accepted style; no warning- or error-level findings. SC2015 flags `A && B || C`, which is not if-then-else (C also runs when B fails), so any instance on the cleanup or exit-code path deserves a second look in R3 even though it is info-level.
Self-review result: all 8 rows PASS → eligible for C1_STAGING_CODEX_R2_FIXES_READY_FOR_CODEX_R3.