C1 Staging Codex R3 Fixes — Fix B: P6 Independent Verification
04 — FIX B: P6 INDEPENDENT VERIFICATION
sql/p6-evidence-readback.sql (sha256 a021c88b…). The gate runs in ONE txn under
LOCK TABLE canonical_operation, c1_test_results IN SHARE MODE; the evidence-ledger row + digest are
written only after the gate passes; nothing commits on a RAISE.
P6 no longer merely trusts P3/P4/P5 DONE stamps. It re-derives every PASS fact:
- Upstream DONE stamps + sandbox match —
c1_vocab_build,c1_verify,c1_bad_input_harnessmust each exist (RAISEP6_FATAL_MISSING_Pn), and every such stamp'ssandbox_idmust equal this sandbox'ssbx_meta.birth_certificate.sandbox_id(RAISEP6_FATAL_STAMP_SANDBOX_MISMATCH). With Fix A those stamps are provably post-gate. - Exact canonical set —
count=3AND no extra (P6_FATAL_UNEXPECTED_OP) AND no missing (P6_FATAL_MISSING_OP) vs the literal{C1.READ_BALANCE, C1.WRITE_POSTING, C1.VERIFY_DIGEST}.count=3alone is insufficient — this directly answers Codex's counterexample. - All validated —
count(status='validated')=3(P6_FATAL_NOT_ALL_VALIDATED). - Field + mode invariants — non-empty title; valid group; status='validated'; required_inputs,
expected_outputs, allowed_modes are each non-empty arrays — checked with CASE guards so
jsonb_array_lengthis never evaluated on a non-array (no reliance on undocumented OR short-circuit); everyallowed_modevalue ∈c1_allowed_mode(P6_FATAL_FIELD_INVARIANT,P6_FATAL_BAD_MODE). - Bad-input matrix re-derived from P6's OWN oracle —
total=9,accepted=0; a 9-roworacle(case_no → expected reject_code/SQLSTATE) is JOINed toc1_test_results; for each case P6 recomputes a verdict from(recorded expect == oracle)AND(actual reject_code/SQLSTATE == expect)ANDoutcome='rejected'. PASS requiresjoined_n=9ANDindep_pass=9ANDpass_disagree=0. The storedpasscolumn is not trusted;pass_disagree = count(verdict <> stored_pass)catches tampering (P6_FATAL_ORACLE_JOIN/ORACLE_VERDICT/PASS_TAMPER). - Isolation proof — case 8 rejected with SQLSTATE
42P01, checked directly (not via stored pass) (P6_FATAL_NO_ISOLATION_PROOF). - Zero orphans — every public table/function/trigger ∈
sbx_meta.object_registry(P6_FATAL_ORPHAN).
Read-only validation against live PG16.13 (no sandbox, no DDL/DML — VALUES/constants only)
P6's oracle re-derivation was exercised against one GOOD + six TAMPERED fixtures:
| fixture | total | joined | indep_pass | disagree | gate result |
|---|---|---|---|---|---|
| F0 GOOD | 9 | 9 | 9 | 0 | PASS |
| F1 case4 accepted (stored pass=true) | 9 | 9 | 8 | 1 | caught |
| F2 case4 wrong reject_code (stored pass=true) | 9 | 9 | 8 | 1 | caught |
| F3 case7 missing (8 rows) | 8 | 8 | 8 | 0 | caught (total≠9) |
| F4 case6 expect tampered ≠ oracle | 9 | 9 | 8 | 1 | caught |
| F5 case8 sqlstate ≠ 42P01 (isolation broken) | 9 | 9 | 8 | 1 | caught |
| F6 extra 10th row | 10 | 9 | 9 | 0 | caught (total≠9) |
Also proven read-only: exact-set EXCEPT (a count=3 wrong-set flags BOTH extra=C1.WRONG and
missing=C1.VERIFY_DIGEST); CASE-guarded invariants do not error on non-array inputs; allowed-mode
membership with a non-array row present does not error (WHERE typeof='array' filters before SRF expansion);
the whole gate's plpgsql compiles and runs (DO ok, exit 0).