KB-7151 rev 2
Codex Review — DOT Manage + Collections Manage Joint Review (2026-06-19)
13 min read Revision 2
codexreviewdot-managecollections-managemacro-9bholdread-onlyre-review2026-06-19
Codex Review — DOT Manage + Collections Manage Joint Review (2026-06-19)
STATUS: HOLD
Independent re-review: 2026-06-19. All seven source documents were read again from AgentData KB. Their revisions/content lengths are unchanged from the first review. The 309-row and 382-row inventories were recounted from the current bodies, and all three HOLD defects remain present:
cutter_gov/cutter_governanceschema drift, Group-E 82/92 scope contradiction, and Group-A "every row writes" wording despite 63 Write / 16 Read / 11 Unknown.
Executive Summary
The two canonical folders exist, all seven required files were readable, and their principal safety conclusion is aligned: Directus/Postgres/schema work is DOT-only; manual SQL, psql, docker exec psql, and Directus generic collection/table creation are forbidden; existing DOTs and stores do not satisfy the run-scoped disposable R2-B2 staging requirement; Macro-9A must not proceed with existing surfaces.
The inventories are structurally complete: DOT §5.3 contains 309 contiguous unique rows (1–309) with all ten required columns; Collections §5 contains 382 contiguous unique rows (1–382) with all ten required columns. Dangerous DOTs remain forbidden/frozen/monitored, and unknowns are disclosed.
The joint manuals are nevertheless placed on HOLD as current operator manuals because the Collections row-level inventory has an unresolved schema-identity defect: its scope, summary, and related KB evidence name cutter_governance, while all 24 affected inventory rows and their access paths name cutter_gov. The same handbook also states that Group E has 82 objects but gives a breakdown of 58 + 24 + 8 + 2 = 92; the actual §5 Group-E rows are 58 public + 24 cutter_gov = 82, while sandbox_tac and iu_core staging rows are Group H. An operations manual must not contain ambiguous schema call paths or internally inconsistent scope arithmetic.
A smaller DOT wording defect also requires correction: the §5.3 legend says every Group-A row "writes" production public, but Group A actually contains 63 Write, 16 Read, and 11 Unknown rows. The safe conclusion remains valid, but the wording should say the group targets/probes the existing production schema and no row is a run-scoped staging-schema builder.
Review Basis
knowledge/dev/ssot/operating-rules.md— v7.58.knowledge/dev/laws/constitution.md— v4.6.3.knowledge/dev/laws/law-01-foundation-principles.md— body v3.3, AgentData revision 12..claude/skills/incomex-rules.md— 36 controls / 8-step workflow.- Seven mission-specified DOT/Collections files, read directly from AgentData KB.
- Related KB evidence for the restricted schema consistently names
cutter_governance; no alias declaration forcutter_govwas found.
Files Reviewed
| File | Revision | content_length | Verdict |
|---|---|---|---|
dot-manage/README.md |
1 | 1047 | PASS |
dot-manage/dot-usage-handbook.md |
1 | 106855 | PASS_WITH_CAVEATS |
dot-manage/reports/macro9a0-dot-usage-handbook-execution-report-2026-06-19.md |
1 | 10463 | PASS_WITH_CAVEATS |
dot-manage/reports/macro9a0-dot-usage-handbook-full-row-inventory-supplement-report-2026-06-19.md |
1 | 7430 | PASS_WITH_CAVEATS |
collections-manage/README.md |
1 | 1646 | PASS |
collections-manage/collections-usage-handbook.md |
6 | 90865 | HOLD |
collections-manage/reports/macro9a1-collections-usage-handbook-execution-report-2026-06-19.md |
1 | 11092 | PASS_WITH_CAVEATS; does not detect the handbook defects |
DOT-Manage Audit
| Check | Verdict | Issue |
|---|---|---|
| Canonical folder and README exist | PASS | Exact canonical paths are declared. |
| Human-facing DOT map | PASS | Taxonomy, channels, guardrails, focused sections, and update rules are present. |
dot_tools denominator |
PASS | 309. |
| §5.3 row-level inventory | PASS | 309 rows; STT 1–309; 309 unique; no gaps. |
| Required columns | PASS | STT / Tên DOT-tool / Nhóm / Sử dụng khi / Cách gọi / Read-Write / Surface / Authority / Status / Ghi chú. |
| Dangerous surfaces | PASS | Six registry rows map to three physical dangerous tools: 4 frozen and 2 monitored; all six use Forbidden authority. Duplicate codes are disclosed. |
| Unknown disclosure | PASS_WITH_CAVEATS | 77 Unknown/needs-triage rows are visible; classifications are inferred, not execution-proven. |
| Schema DOT staging suitability | PASS | No confirmed run-scoped disposable schema DOT; existing schema writers target production public. |
| Group-A wording accuracy | HOLD-CORRECTION | Legend says every Group-A row "writes" prod public; actual distribution is 63 Write / 16 Read / 11 Unknown. Replace "writes" with precise target/probe wording. |
§17 dot_operator_catalog |
PASS | Candidate/design-note only; not created; requires proven authorized DOT path and Owner gate. |
| Canonical vs legacy copy | PASS_WITH_CAVEAT | Current canonical metadata is rev 1 / 106855. Current legacy metadata is rev 6 / 107014, not the pre-verification rev 5 / 106856. After removing the legacy-only canonical-promotion banner and trailing newline, substantive bodies match exactly. |
Collections-Manage Audit
| Check | Verdict | Issue |
|---|---|---|
| Canonical folder and README exist | PASS | Exact canonical path is declared. |
| Human-facing collection/table map | PASS_WITH_CAVEATS | Major domains and operator sections are present. |
| §5 base-object inventory | PASS | 382 rows; STT 1–382; 382 unique; 380 tables + 1 matview + 1 foreign. |
| Required columns | PASS | STT / Schema / Collection-Table-View / Nhóm / Sử dụng khi / Access-call path / Read-Write / Authority / Status / Ghi chú. |
| Public object summary | PASS | 346 tables / 685 views / 1 matview / 1 foreign; views are family-summarized rather than row-listed. |
| Four-schema coverage | HOLD | Scope says cutter_governance; all 24 corresponding §5 rows say cutter_gov. No alias is declared. Exact schema identity and access path must be corrected. |
| Restricted-schema visibility | PASS_WITH_CAVEATS | cutter_governance and sandbox_tac are disclosed as read-denied/metadata-only. |
| Directus metadata and critical surfaces | PASS | Directus system metadata and production-critical collections are represented. |
| Staging/draft/candidate/workbench | PASS | Existing surfaces are listed and rejected as Macro-9A workbench substitutes. |
| Birth/B2/inspect/certification | PASS | Dedicated section and guarded/frozen surfaces are present. |
| KG/provenance, IU/context, DOT/governance | PASS | Dedicated sections and row coverage are present. |
| Functions/procedures/triggers | PASS_WITH_CAVEATS | Section reports 618 functions, 1 procedure, and 410 non-internal triggers; not individually row-listed. |
| Dangerous and unknown sections | PASS | Frozen/monitored and UNKNOWN/NEED TRIAGE are explicit. |
| Group-E scope arithmetic | HOLD | Text says 82 = 58 public + 24 cutter + 8 sandbox + 2 iu. Actual Group E is 58 + 24 = 82; sandbox and iu staging rows are Group H. |
| No reusable R2-B2 workbench | PASS | Explicitly states no run-scoped disposable store exists and existing stores must not be reused. |
§17 collection_operator_catalog |
PASS | Candidate/design-note only; not created; DOT-only preconditions are explicit. |
DOT-Only Rule Audit
| Rule | DOT handbook | Collections handbook | Verdict |
|---|---|---|---|
| Directus/Postgres/schema changes are DOT-only | Explicit | Explicit | PASS |
| Manual SQL forbidden | Explicit | Explicit | PASS |
psql forbidden |
Explicit | Explicit | PASS |
docker exec psql forbidden |
Explicit | Explicit | PASS |
| Directus generic schema/table creation forbidden | Explicit | Explicit | PASS |
| If DOT cannot do it, it must not be done | Explicit in DOT §3; inherited by joint conclusion | Consistent | PASS |
| Existing paths authorize Macro-9A build | No | No | PASS |
Non-Authorization Audit
| Forbidden action | Verdict | Evidence |
|---|---|---|
| DB write / DDL / DML | PASS | Reviewed artifacts state zero mutating substrate calls and authorize none. This Codex review made no runtime call. |
| Schema/table/collection creation | PASS | Explicitly excluded; no future catalog is treated as created. |
| Directus mutation / DOT execution | PASS | Explicitly excluded; runtime mutating gates are recorded as closed. |
| Runtime config flip / channel wiring / owner row | PASS | Explicitly excluded and not authorized. |
| KG write / birth / certify / promote / backlog / bad-input / B2 logic | PASS | Explicitly excluded. |
| Source-law or handbook patch | PASS | Codex did not patch source law or either handbook. |
| Macro-9B launch | PASS | Recommended as a later separately authorized stage only; not launched. |
This audit verifies the contents and recorded evidence of the reviewed KB package. It is not independent runtime forensics and does not elevate report assertions into execution proof.
Joint Macro-9B Implication Audit
| Check | Verdict | Issue |
|---|---|---|
| DOT handbook says no authorized run-scoped schema DOT exists | PASS | §15 is explicit. |
| Collections handbook says no suitable workbench store exists | PASS | §16 rejects persistent/read-denied/content-staging substitutes. |
| Macro-9A may proceed with existing surfaces | PASS (NO) | Both manuals say NO-GO. |
| Joint next step is dedicated Macro-9B DOT | PASS_WITH_GATE | Required before build, but the handbook identity/scope corrections must be made first. |
| Required guardrails are preserved | PASS | Staging-only allowlist, production public/prod rejection, abort-on-drift, delete-fast, Owner authorization, explicit runtime gate. |
| Manual SQL/Directus generic create as fallback | PASS (FORBIDDEN) | No fallback is authorized. |
Future Registry Audit
| Candidate | Verdict | Issue |
|---|---|---|
dot_operator_catalog |
PASS | Paper candidate only; no enactment or creation. |
collection_operator_catalog |
PASS | Paper candidate only; no enactment or creation. |
Caveat Audit
| Caveat | Accepted? | Impact |
|---|---|---|
| DOT fields inferred, not per-DOT executed | YES | Requires confirmation before use; 77 unknown rows remain. |
| Duplicate registry codes for dangerous physical tools | YES | Six rows correctly remain Forbidden; no unsafe marking. |
| Restricted schemas read-denied | YES | Partial visibility is explicit. |
| 685 views summarized by family | YES | Scope limitation is explicit. |
| Planner estimates used for row counts | YES | Exact counts must be re-queried before action. |
| Other DBs not inventoried | YES | Scope is explicit. |
| Canonical-vs-legacy metadata changed | YES | Pre-verification is stale; substantive canonical content remains aligned after legacy banner normalization. |
cutter_governance vs cutter_gov |
NO | Operator path ambiguity; patch required. |
| Group-E 82/92 scope contradiction | NO | Internal taxonomy/arithmetic defect; patch required. |
| Group-A "every row writes" wording | NO | Contradicts 16 Read + 11 Unknown rows; precision patch required. |
Three Declarations
- Permanent: do not work around the missing staging path; the recorded root remedy is one governed run-scoped staging-schema DOT, after handbook correctness is restored.
- Cannot be mistaken: future authority must be infrastructure-enforced through allowlist, production-schema rejection, abort-on-drift, delete-fast, Owner authorization, and an explicit runtime gate.
- 100% automatic: no manual SQL or generic Directus fallback is acceptable; creation and cleanup must be performed by the governed DOT. This capability is not implemented or authorized by this review.
Next-Step Decision
- Are
dot-manageandcollections-manageaccepted as current operations manuals? No — HOLD pending precision corrections. - Is any patch required before Macro-9B? Yes. Correct the 24 schema identifiers/access paths, the Group-E scope statement, and the Group-A write wording.
- May Macro-9A build proceed with existing DOTs/collections? No.
- Is Macro-9B required before build? Yes, after handbook correction and a separate Owner-authorized design/hardening prompt.
- Recommended next action: issue a KB-document-only correction mission for the three defects, then independently read back and re-review the corrected manuals. Do not combine that correction with Macro-9B execution.
Final Recommendation
- Proceed to Macro-9B design/hardening prompt now? No — first correct and re-verify the operator manuals.
- Proceed to Macro-9A build? No.
- Do not implement confirmation: Confirmed. No runtime mutation, DDL/DML, DOT execution, schema/table/collection creation, source-law patch, handbook patch, blocker resolution, technical design, future-registry creation, or Macro-9B launch was performed by this review.