Codex Re-Review - RS4A-PATCH1 Contract Identity, Inert State, and Suite Reconciliation - 2026-06-21
STATUS: HOLD
VERDICT: NEED_RS4A_PATCH2
Stop state: RS4A_PATCH1_RESIDUAL_DEFECTS
Registration gate: REGISTRATION_HOLD - REGISTRATION_CAN_PROCEED = NO
Runtime observation: NO_CODEX_LIVE_READ
Single next step: RS4A-PATCH2-EFFECT-IDENTITY-HEAD-UNIQUENESS-AND-SUITE-ID-RECONCILIATION
Class: independent read-only re-review; non-enacting; non-authorizing; no implementation; no runtime mutation
1. Scope and Source Register
Codex read the complete RS4A-PATCH1 addendum directly from AgentData KB. The package contains 10 documents under reports/rs4a-patch1/ plus one rollup under reports/; all are revision 1 and truncated=false.
| Source | content_length |
|---|---|
| Executive rollup | 6,235 |
| Index | 5,371 |
| 01 closure map | 9,124 |
| 02 effect identity and uniqueness | 13,962 |
| 03 canonical inert state | 8,063 |
| 04 persistence carrier boundary | 8,263 |
| 05 nonce and phase semantics | 9,776 |
| 06 Interface F/audit narrowing | 7,520 |
| 07 acceptance suite reconciliation | 7,587 |
| 08 decision packet | 6,308 |
| Codex review packet | 6,095 |
The prior Codex RS4A HOLD report remains the controlling defect source. Codex had no live PostgreSQL/VPS tool; all PATCH1 live claims remain CLAUDE_READ_ONLY_PACKET evidence.
2. Executive Finding
PATCH1 materially fixes most of the RS4A defects. It is not accepted because four residual inconsistencies remain inside the corrected contract itself:
- authority scope/policy still participates in effect identity, allowing the same registration effect to acquire a new U1 key after an authority-policy change;
- U3 is defined only for status='active', while registration writes status='draft', so duplicate draft heads are not structurally excluded;
- test IDs T-PX-4, T-PX-5, and T-PX-6 have different meanings in different PATCH1 documents, and repaired T-P6-3 is split into two kept variants without a deterministic count rule;
- Phase 4 still says durable audit is required for success, while the PATCH1-05 section 4 correction says success audit is not required.
These are scoped PATCH2 issues. They do not reopen source recovery, replace-not-wrap, Interface F, or the overall fail-closed posture.
3. Effect Identity Re-Review
PARTIAL PASS, RESIDUAL HOLD.
Correctly fixed:
- run_id, attempt_id, attempt_no, nonce, timestamps, TTL, operator/session, and volatile approval-instance IDs are excluded;
- one name, effect_identity = logical_request_key, replaces the ambiguous replay-key alias;
- a fresh run, nonce, or approval instance under unchanged policy does not create a new key;
- inability to canonicalize authority fails closed.
Residual defect: the formula still hashes canonical_owner_scope and canonical_authority_policy_ref. A reassigned owner scope or policy-version change therefore creates a new U1 key for the same operation, code, artifact identity, and artifact hash. PATCH1 explicitly calls that a “different effect.” It is not: authority determines whether an effect is authorized; it does not change the registry effect being requested.
This matters because a policy or owner-scope change would mint a fresh U1 key, so a second registration of an already-consumed effect would pass the duplicate check. The prior Codex requirement was to retain authorization evidence as bound non-identity attributes. PATCH2 must split the two:
- effect_identity: the stable business effect only, such as operation + canonical target + canonical artifact identity/hash;
- authorization_binding_digest: owner scope + authority policy + approval/nonce evidence, bound to the attempt/consume record but excluded from U1.
Policy/owner changes may authorize or deny a new attempt, but must not mint a new registration effect. Re-registration under a changed lifecycle must use an explicit different operation, not a changed authorization digest.
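Added illustration (editor's example, not part of the PATCH1 package, the RS4A contract, or any project code): the split above expressed as two digests over a request envelope, next to the rejected PATCH1-style formula that hashes authority into the key. All field names (operation, canonical_target, artifact_identity, artifact_hash, canonical_owner_scope, canonical_authority_policy_ref, approval_instance_id, and the volatile run/attempt fields), the domain-separation prefixes, and the two sample requests are assumptions for this example, not PATCH1 carriers. It shows that a policy-version bump with a fresh nonce, approval instance, and run changes only the authorization binding, so the second attempt is still caught by U1, whereas the PATCH1 formula mints a new key for it.

```python
"""Editor's illustration: effect identity separated from authorization binding.

Field names, digest domain prefixes, and sample requests are assumptions for
this example; they are not PATCH1 carriers or live dot_tools columns.
"""
import hashlib
import json

# Fields that describe the registry effect being requested (U1 input).
EFFECT_FIELDS = ("operation", "canonical_target", "artifact_identity", "artifact_hash")
# Fields that describe who/what authorizes this attempt: evidence, not identity.
AUTHZ_FIELDS = ("canonical_owner_scope", "canonical_authority_policy_ref",
                "approval_instance_id", "nonce")
# Per-attempt volatile fields: never part of either digest.
VOLATILE_FIELDS = ("run_id", "attempt_id", "attempt_no", "issued_at", "ttl",
                   "operator", "session")


class CanonicalizationError(ValueError):
    """Raised when a required field is absent; the caller must fail closed."""


def _canonical_json(obj) -> bytes:
    # Deterministic encoding: sorted keys, no whitespace, ASCII only.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("ascii")


def _pick(req: dict, fields: tuple) -> dict:
    missing = [f for f in fields if req.get(f) in (None, "")]
    if missing:
        raise CanonicalizationError(f"cannot canonicalize, missing: {missing}")
    return {f: req[f] for f in fields}


def _digest(domain: bytes, payload: dict) -> str:
    # Domain separation: an effect digest can never equal an authz digest.
    return hashlib.sha256(domain + b"\x00" + _canonical_json(payload)).hexdigest()


def effect_identity(req: dict) -> str:
    """U1 key: the business effect only; stable across policy, owner, nonce, and run."""
    return _digest(b"effect-v1", _pick(req, EFFECT_FIELDS))


def authorization_binding_digest(req: dict) -> str:
    """Bound to the attempt/consume record; excluded from U1."""
    return _digest(b"authz-v1", _pick(req, AUTHZ_FIELDS))


def patch1_style_identity(req: dict) -> str:
    """The rejected formula: owner scope and policy ref hashed into the effect key."""
    return _digest(b"effect-v1", _pick(req, EFFECT_FIELDS + AUTHZ_FIELDS[:2]))


def is_duplicate_effect(consumed: set, req: dict) -> bool:
    """U1 check as a Phase-3 consume step would apply it (illustrative only)."""
    return effect_identity(req) in consumed


# Constructed sample: the same registration effect, attempted again after a
# policy-version bump with a fresh nonce, approval instance, and run.
BASE = {
    "operation": "register", "canonical_target": "tools.example",
    "artifact_identity": "example-tool", "artifact_hash": "sha256:" + "ab" * 32,
    "canonical_owner_scope": "team-a", "canonical_authority_policy_ref": "policy-v1",
    "approval_instance_id": "apr-1", "nonce": "n-1",
    "run_id": "r-1", "attempt_id": "a-1", "attempt_no": 1,
    "issued_at": "2026-06-21T00:00:00Z", "ttl": 300, "operator": "op", "session": "s-1",
}
AFTER_POLICY_CHANGE = {**BASE, "canonical_authority_policy_ref": "policy-v2",
                       "approval_instance_id": "apr-2", "nonce": "n-2",
                       "run_id": "r-2", "attempt_id": "a-2", "attempt_no": 2}


def demo() -> dict:
    consumed = {effect_identity(BASE)}  # first attempt already consumed under U1
    return {
        "split_identity_stable":
            effect_identity(BASE) == effect_identity(AFTER_POLICY_CHANGE),
        "patch1_mints_new_key":
            patch1_style_identity(BASE) != patch1_style_identity(AFTER_POLICY_CHANGE),
        "authz_digest_changes":
            authorization_binding_digest(BASE) != authorization_binding_digest(AFTER_POLICY_CHANGE),
        "second_attempt_caught_by_u1": is_duplicate_effect(consumed, AFTER_POLICY_CHANGE),
    }


if __name__ == "__main__":
    print(demo())
```

The authorization digest is what the attempt/consume record should carry alongside the U1 key; a verifier can then revalidate authority for each attempt without the key itself moving. A missing canonical field raises rather than hashing an empty value, which is the fail-closed behaviour section 3 accepts.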
4. Inert State Re-Review
PASS_WITH_CAVEAT. draft is a concrete, declared Directus choice, is accepted because no DB CHECK rejects it, and does not satisfy the producer condition NEW.status='active'. It is a valid canonical target state for the design.
Precision correction: directus_fields.options.choices with validation=null is governed vocabulary metadata, not an enforced Directus constraint. The live published rows demonstrate that the vocabulary can drift. PATCH1 correctly carries STATUS_DOMAIN_NOT_DB_ENFORCED; the status CHECK/backstop remains required before implementation.
T-PX-1 must mean “the status-specific invariant passes” rather than overall registration acceptance, because U1/U2/carriers/status backstop remain absent and registration is still HOLD.
5. Uniqueness Axes Re-Review
PARTIAL PASS, RESIDUAL HOLD.
U1 effect and U2 nonce are now explicit, mandatory, separate, and REQUIRED_NOT_PRESENT. Code and artifact policies are no longer conflated with effect identity.
Residual U3 defect: UNIQUE(canonical_target_dot_code) WHERE status='active' does not protect the state created by registration, because Phase 3 writes status='draft'. Two different artifacts or authority-policy versions can therefore create multiple draft rows for the same code before either becomes active. This also contradicts Phase 4's requirement to read exactly one row for dot_code.
PATCH2 must not prescribe active-only U3 as the candidate head policy. It must either:
- define one current/head row across all non-terminal lifecycle states, including draft and active; or
- leave the exact U3 formula unresolved for the Owner while explicitly failing closed before any draft write.
U4 may remain Owner policy, but it cannot be relied upon to repair an unstable U1 or draft-head gap.
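Added illustration (editor's example, not part of PATCH1, not the Owner's schema, and not migration SQL for the live registry): the U3 gap from this section and the status-domain backstop from section 4, reproduced on an in-memory SQLite table standing in for PostgreSQL. Table and column names follow the review text; the 'retired' terminal state, the sample dot codes and hashes, and the index names are constructed for the example. With the active-only partial index, two Phase-3 draft writes for the same code both commit and the Phase-4 readback sees two head rows; with a partial index over the non-terminal states, the second draft is rejected before commit. The last scenario shows that a status value outside the declared choices (the review cites live 'published' rows) is accepted until a DB CHECK exists.

```python
"""Editor's illustration: active-only U3 versus a non-terminal head index,
plus the status CHECK backstop. SQLite stands in for PostgreSQL; the 'retired'
state, index names, and sample rows are assumptions for this example.
"""
import sqlite3

# The PATCH1 candidate: head uniqueness enforced only once a row is active.
U3_ACTIVE_ONLY = ("CREATE UNIQUE INDEX u3_head ON dot_tools(canonical_target_dot_code) "
                  "WHERE status = 'active'")
# One head across all non-terminal states (draft and active): the first PATCH2 option.
U3_NON_TERMINAL = ("CREATE UNIQUE INDEX u3_head ON dot_tools(canonical_target_dot_code) "
                   "WHERE status = 'draft' OR status = 'active'")


def fresh_db(u3_index_sql: str, with_status_check: bool = True) -> sqlite3.Connection:
    """Build an in-memory dot_tools with the chosen U3 index and optional status backstop."""
    check = "CHECK (status IN ('draft', 'active', 'retired'))" if with_status_check else ""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"""
        CREATE TABLE dot_tools (
            id INTEGER PRIMARY KEY,
            canonical_target_dot_code TEXT NOT NULL,
            artifact_hash TEXT NOT NULL,
            status TEXT NOT NULL {check}
        )""")
    conn.execute(u3_index_sql)
    return conn


def write_row(conn: sqlite3.Connection, dot_code: str, artifact_hash: str, status: str) -> bool:
    """Single-row insert as Phase 3 would perform it: True if committed, False if rejected."""
    try:
        with conn:  # commits on success, rolls back when the constraint fires
            conn.execute(
                "INSERT INTO dot_tools (canonical_target_dot_code, artifact_hash, status) "
                "VALUES (?, ?, ?)", (dot_code, artifact_hash, status))
        return True
    except sqlite3.IntegrityError:
        return False


def head_rows(conn: sqlite3.Connection, dot_code: str) -> int:
    """What a Phase-4 readback sees for one dot_code; the contract expects exactly one row."""
    return conn.execute(
        "SELECT COUNT(*) FROM dot_tools WHERE canonical_target_dot_code = ? "
        "AND status IN ('draft', 'active')", (dot_code,)).fetchone()[0]


def duplicate_draft_scenario(u3_index_sql: str) -> tuple:
    """Two registrations of the same code with different artifacts, both writing draft."""
    conn = fresh_db(u3_index_sql)
    first = write_row(conn, "tools.example", "sha256:" + "aa" * 32, "draft")
    second = write_row(conn, "tools.example", "sha256:" + "bb" * 32, "draft")
    return first, second, head_rows(conn, "tools.example")


def status_backstop_scenario() -> tuple:
    """Vocabulary drift: a status outside the declared choices, without and with the CHECK."""
    unchecked = write_row(fresh_db(U3_NON_TERMINAL, with_status_check=False),
                          "tools.other", "sha256:" + "cc" * 32, "published")
    checked = write_row(fresh_db(U3_NON_TERMINAL, with_status_check=True),
                        "tools.other", "sha256:" + "cc" * 32, "published")
    return unchecked, checked


if __name__ == "__main__":
    print("active-only U3:", duplicate_draft_scenario(U3_ACTIVE_ONLY))    # (True, True, 2)
    print("non-terminal U3:", duplicate_draft_scenario(U3_NON_TERMINAL))  # (True, False, 1)
    print("status backstop:", status_backstop_scenario())                 # (True, False)
```

The non-terminal index is only one of the two options the review allows; it is shown because it is the one a DB-level structure can express. A partial index that names the states is itself only as good as the status domain it assumes, which is why the CHECK (or an equivalent backstop) is a precondition rather than an optional hardening step.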
6. Carrier Boundary Re-Review
PASS. PATCH1 cleanly separates logical envelope fields, real dot_tools columns, and absent persistence carriers. It does not treat owner, extra_metadata, caller input, or nonexistent columns as authority. Every required carrier is REQUIRED_NOT_PRESENT, so the contract correctly emits no write today.
7. Nonce and Phase Semantics Re-Review
PASS_WITH_ONE_CONTRADICTION.
Accepted corrections:
- nonce is AUTHORITY_CREDENTIAL, not request_proposed or effect identity;
- Phase 2 performs validation/advisory reservation only;
- Phase 3 alone performs atomic U1/U2 consume + one draft row + attempt record;
- Phase 4 uses an independent pre-existing verifier reference and creates no per-target verifier row;
- failure audit occurs after rollback in a separate transaction.
Residual contradiction: PATCH1-05 section 3 retains the Phase-4 success condition “audit durably written => success,” while section 4 states durable audit is required only on failure and success audit is optional. PATCH2 must remove audit-readback from the success verifier unless a separate success-decision logging contract is adopted. Failure audit cannot be a precondition for a successful transaction that did not fail.
8. Interface F and Audit Narrowing Re-Review
PASS. The claims are correctly narrowed to:
- no proven per-artifact carrier among reviewed candidates;
- audit immutability not proven;
- event type, lane, and dedup key are requirements, not proven current fields/values.
The fail-closed conclusions remain justified without global absence claims.
9. Acceptance Suite Re-Review
HOLD. The baseline reconciliation is correct: 50 carried + 47 unique RS4A T-series = 97. The repaired audit and consumer semantics are directionally correct. No execution or PASS is claimed.
The augmented count is not deterministic because test IDs collide across documents:
| ID | PATCH1-03/04 meaning | PATCH1-07 meaning |
|---|---|---|
| T-PX-4 | Phase-4 readback confirms draft and no notify | same effect with different run_id |
| T-PX-5 | reject envelope fields as nonexistent dot_tools columns | fresh approval instance, same effect |
| T-PX-6 | reject trusted envelope in extra_metadata | fresh nonce, duplicate effect |
PATCH1-07 also merges the two carrier cases into T-PX-8, while the source addenda retain them as T-PX-5 and T-PX-6. These are different test semantics under the same IDs.
Additionally, repaired T-P6-3 says both T-P6-3a and T-P6-3b are kept. If both are executable cases, the 47-case baseline increases by one; if they are alternatives under one case, the package must choose one or define them as subcases that count once.
PATCH2 must publish one authoritative test registry with unique IDs and one row per counted semantic case, then recompute the augmented total. Based on the currently preserved semantics, the total may be 105, 106, or 107; Codex will not select one by inference.
Add two explicit residual tests:
- same operation/code/artifact under changed owner/policy remains the same U1 effect; authority is revalidated but cannot mint a new registration;
- two draft registrations for the same code are rejected by the decided U3/head policy before commit.
10. Closure Status C1-C13
| Closure | Re-review result |
|---|---|
| C1 stable effect identity | PARTIAL - authority still incorrectly keys effect |
| C2 inert draft | PASS_WITH_CAVEAT |
| C3 uniqueness axes | PARTIAL - U3 active-only misses draft heads |
| C4 carrier boundary | PASS |
| C5 nonce classification | PASS |
| C6 Phase 2/3 | PASS |
| C7 independent verifier | PASS |
| C8 audit semantics | PARTIAL - Phase-4 success contradiction remains |
| C9 Interface F narrowing | PASS |
| C10 audit narrowing | PASS |
| C11 test repair | PARTIAL - two T-P6-3 variants/count ambiguous |
| C12 count reconciliation | BASELINE PASS; AUGMENTED HOLD |
| C13 D13 evidence tier | PASS |
11. Accepted Points
- PATCH1 package is complete, read-only, revision 1, and does not overwrite RS4A.
- Canonical draft resolves the placeholder at design level.
- Logical envelope fields are no longer misrepresented as current columns.
- Nonce and Phase 2/3 semantics are corrected.
- Verifier cardinality no longer regresses RS3C-C2.
- Interface F and audit claims are epistemically scoped.
- Baseline suite count is 97 and no execution is claimed.
- Registration, implementation, Owner/APR, and RS-VALIDATOR remain closed.
12. Required PATCH2 Scope
Open exactly one scoped addendum: RS4A-PATCH2-EFFECT-IDENTITY-HEAD-UNIQUENESS-AND-SUITE-ID-RECONCILIATION.
It must:
- remove owner scope and authority policy from U1 effect identity and bind them separately as authorization evidence;
- correct U3 so registration cannot create multiple current draft heads, or leave U3 unresolved and fail closed before draft write;
- remove the success-audit contradiction from Phase 4;
- assign globally unique test IDs, decide whether T-P6-3a/b count as one or two, and recompute the augmented total;
- add changed-authority/same-effect and duplicate-draft-head tests.
Do not reopen source fidelity, replace-not-wrap, C4-C7, C9-C10, or D13. Do not bundle Owner execution, schema, implementation, validator hardening, or registration.
13. Sequencing and Gate
Because PATCH1 is not accepted, the G2 Owner execution step and RS-VALIDATOR remain queued. The only next step is PATCH2. G2-G7, U1/U2 carriers, status-domain backstop, audit sink, and Interface F remain open/fail-closed.
REGISTRATION_HOLD - REGISTRATION_CAN_PROCEED = NO.
14. Must-Not-Do Confirmation
This re-review performed no runtime mutation, DDL/DML, DOT register/wire/run, schema/table/column/constraint creation, Owner/APR/action creation or approval, gate flip, registrar/validator/source patch, executable implementation, migration SQL, Directus mutation payload, RISK-BYPASS clearance, or registration. Hash was not treated as signature; caller input was not treated as authority; consumed state was not expired; RS-VALIDATOR was not opened.
15. Final Verdict
NEED_RS4A_PATCH2. PATCH1 closes most of the prior HOLD, but effect identity still conflates authorization with the business effect, active-only U3 does not protect draft registrations, Phase-4 success audit remains internally contradictory, and the augmented suite has conflicting IDs/count semantics.
Final gate: REGISTRATION_HOLD - REGISTRATION_CAN_PROCEED = NO.