KB-64BD

Codex Adversarial Review — Macro-9B + Macro-9B1 DOT Package and Admission Governance

Revision 1
Tags: codex, adversarial-review, macro9b, macro9b1, dot, admission, fail-closed, hold, read-only, 2026-06-20

STATUS: HOLD

Executive Summary

The Macro-9B/Macro-9B1 package is bounded, well indexed, governance-conscious, and non-authorizing. It contains the primary DOT contract, four named guard contracts, a pure reference validator, a 37-case matrix, captured test output, an artifact index, a main report, and a readable KB admission record. The admission record lists all seven artifacts, marks the primary DOT and four guards candidate-born/engineering-admitted, preserves the existing runtime registries as authority, and provides an Admission Gate, Consumer Checklist, and anti-forget rule. No artifact is marked authorized-active.

The package is nevertheless on HOLD because the fail-closed claim is not correct for the current validator:

  1. The primary contract says channel and actor are required on every invocation. The validator does not reject a missing channel and does not validate actor at all. A valid no-write request with either field omitted is accepted. These invalid cases are absent from the 37-case matrix.
  2. ALLOWLIST_RE.match(...$) and RUN_ID_RE.match(...$) use Python $, which matches immediately before a trailing newline. Independent local regex probing against the exact patterns returned True for both r2_b2_wb_20260619t120000z\n and 20260619T120000Z\n. A malformed whitespace/control-character target can therefore pass the allowlist, contrary to the matrix's blanket whitespace-rejection claim.
  3. DOT_PRODUCTION_UNTOUCHED_VERIFY is represented in the validator only as a static plan-returning function. It consumes no before/after evidence, emits no drift reject, and is not invoked in the real_run branch when the Owner gate is open. Therefore the report's claim that abort-on-drift is validator-proven is overstated.
  4. The gate parameter is tested by truthiness rather than strict boolean identity. A non-empty string such as "false" supplied by an integration would be truthy and would bypass REAL_RUN_GATE_CLOSED. The runtime integration is not authored, but an engineering reference intended for later wiring must reject non-boolean gate values.
  5. Guard 4 directly calls Guard 1 rather than being composed only by the router, which weakens the stated independent replace/rollback boundary. This is not a mega-system, but the implementation does not fully match the separability claim.

Per the mission's status rule, any accepted invalid input requires HOLD. The admission/anti-orphan work itself passes; it now points to validation evidence that must be superseded after correction.

Files Reviewed

| File | Revision | content_length | Verdict |
|---|---|---|---|
| Macro-9B main report | 2 | 17849 | HOLD — fail-closed overclaim |
| Macro-9B artifact index | 2 | 3501 | PASS_WITH_CAVEATS |
| Birth/admission record | 1 | 17392 | PASS_WITH_CAVEATS |
| Macro-9B1 anti-orphan report | 1 | 9581 | PASS_WITH_CAVEATS |
| Primary DOT contract | 1 | 8836 | HOLD — contract/validator mismatch |
| Four guard contracts | 1 | 8352 | HOLD — Guard 3 not executable/proven in validator |
| Reference validator | 1 | 8588 | HOLD — accepted invalid inputs |
| Bad-input matrix | 1 | 3563 | HOLD — incomplete adversarial coverage |
| Validator test run | 1 | 4384 | HOLD — 37/37 only proves listed cases |
| DOT Usage Handbook | 11 | 115013 | PASS_WITH_CAVEATS |
| Collections Usage Handbook | 11 | 94267 | PASS_WITH_CAVEATS |
| Birth Registry Law | 2 | 11681 | PASS — authority reference |
| Operating Rules SSOT v7.58 | 51 | 5400 | PASS — authority reference |
| Macro-8 Owner five-gate record | 2 | 10716 | PASS_WITH_CAVEATS — paper grant, execute not started |
| Điều 32 Approval Law v1.1 | 2 | 5601 | PASS — readable; DOT/PG/quorum authority preserved |

All files were read directly from AgentData KB. Điều 32 was readable; no authority-reference limitation applies.

DOT Package Audit

| Check | Verdict | Evidence |
|---|---|---|
| Primary DOT contract exists | PASS | DOT_R2_B2_STAGING_SCHEMA_SHELL, six modes, seven shell tables, explicit stop states. |
| Four named components exist | PASS | Allowlist, audit proof, production-untouched verify, delete-fast contracts are present. |
| Validator exists and is pure | PASS_WITH_CAVEATS | No DB/network/exec imports; decision logic only, but validation gaps remain. |
| Bad-input matrix and run evidence exist | PASS_WITH_CAVEATS | 33 invalid + 4 valid no-write cases; evidence is incomplete, not false as to the listed rows. |
| Artifact index and main report exist | PASS | Seven artifacts indexed and readable. |
| Bounded architecture | PASS | One primary DOT plus four guards; no mega-registry, mega-graph, or mega-birth pipeline. |
| Separately inspectable/testable | PASS_WITH_CAVEATS | Documents/functions are inspectable, but Guard 4 directly depends on Guard 1 and Guard 3 lacks executable verdict logic. |
| Replaceable/rollbackable through explicit contract | PARTIAL | Stated in contracts; direct Guard4→Guard1 call and unimplemented Guard3 enforcement weaken the proof. |
| Engineering-ready package | HOLD | Fail-closed and abort-on-drift claims must be corrected and retested first. |

Fail-Closed Validation Audit

| Input class | Verdict | Evidence |
|---|---|---|
| Protected targets: public, iu_core, cutter_governance, sandbox_tac, information_schema, pg_catalog | PASS | T01–T06 reject with protected/non-allowlist codes. |
| Non-allowlist / malformed / SQL injection | PASS_WITH_GAP | Listed cases reject, but trailing-newline target passes Python match(...$). |
| Whitespace/control characters | HOLD | Space-padding test rejects; trailing newline is accepted by the exact regex. |
| Missing/invalid run_id | PASS_WITH_GAP | T15–T17 reject listed cases; trailing-newline run_id matches the current regex. |
| Missing owner_authorization_ref | PASS | T18–T19 reject. |
| Wrong mode / missing mode | PASS | T20–T21 reject. |
| Wrong dot_code | PASS | T22 rejects. |
| Directus generic create | PASS | T23/T24 reject. |
| psql/manual_sql/docker_exec_psql | PASS | T25–T27 reject. |
| Unknown channel | PASS | T28 rejects. |
| Missing channel | HOLD | Contract says required; validator explicitly skips rejection when channel is None. |
| Missing/blank actor | HOLD | Contract says required; validator only copies actor into audit and never rejects absence. |
| Production-data copy | PASS | T29 rejects truthy request flag. |
| real_run / teardown_real_run while default gate closed | PASS_WITH_GAP | T30–T31 reject with default boolean false; gate value is not type-checked. |
| False-like non-boolean gate value | HOLD | Truthiness check means "false" behaves as gate open. |
| Valid no-write modes | PASS | A01–A04 return zero writes; dry-run returns preview strings only. |
| Abort-on-drift before real_run | HOLD | Guard 3 returns only a plan and is not called in the real-run branch. |
| 0 fail-open claim | FAIL FOR CURRENT EVIDENCE | Missing channel/actor and newline cases invalidate the universal claim. |

Required correction before re-review: use strict full-string validation (for example fullmatch plus explicit type/control-character checks); reject missing/blank actor and channel; require the gate value to be exactly boolean True from an authoritative integration boundary; model Guard 3 inputs/results and require a PASS before write intent; expand and rerun the matrix. This is a review recommendation, not implementation authorization.
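The input-validation findings above, shown side by side as an added illustration (not the package's reference validator and not an authorized implementation). The regex patterns, the channel name "dot_api", the mode name "dry_run", and every reject code except REAL_RUN_GATE_CLOSED are assumptions made for the example; Guard 3 drift evidence is not modelled.

```python
import re
# Assumed stand-ins: the package's real ALLOWLIST_RE / RUN_ID_RE are not shown on this page.
PATTERNS = {"target": r"r2_b2_wb_[0-9]{8}t[0-9]{6}z", "run_id": r"[0-9]{8}T[0-9]{6}Z"}
CHANNELS = {"dot_api"}                            # hypothetical channel name
WRITE_MODES = {"real_run", "teardown_real_run"}   # mode names from the review

def weak_validate(req, gate=False):
    """Reproduces the reviewed behaviour: match(...$), optional channel/actor, truthy gate."""
    for key, pat in PATTERNS.items():
        if not re.match(pat + "$", req.get(key) or ""):   # "$" also matches before a final "\n"
            return "REJECT_" + key.upper()
    if req.get("channel") is not None and req["channel"] not in CHANNELS:
        return "REJECT_CHANNEL"
    if req.get("mode") in WRITE_MODES and not gate:       # truthiness, so "false" opens the gate
        return "REAL_RUN_GATE_CLOSED"
    return "ACCEPT"

def strict_validate(req, gate=False):
    """Hardened form: required non-blank strings, full-string match, exact-boolean gate."""
    for field in ("target", "run_id", "channel", "actor", "mode"):
        if not isinstance(req.get(field), str) or not req[field].strip():
            return "REJECT_MISSING_" + field.upper()
    for key, pat in PATTERNS.items():
        if not re.fullmatch(pat, req[key]):               # whole string, newline included
            return "REJECT_" + key.upper()
    if req["channel"] not in CHANNELS:
        return "REJECT_CHANNEL"
    if type(gate) is not bool:
        return "REJECT_GATE_TYPE"
    if req["mode"] in WRITE_MODES and gate is not True:
        return "REAL_RUN_GATE_CLOSED"
    return "ACCEPT"   # Guard 3 drift verdict is not modelled in this sketch

# Constructed sample requests, one per finding (field values are illustrative).
BASE = {"target": "r2_b2_wb_20260619t120000z", "run_id": "20260619T120000Z",
        "channel": "dot_api", "actor": "reviewer", "mode": "dry_run"}
CASES = {
    "newline_target": ({**BASE, "target": BASE["target"] + "\n"}, False),
    "newline_run_id": ({**BASE, "run_id": BASE["run_id"] + "\n"}, False),
    "missing_channel": ({k: v for k, v in BASE.items() if k != "channel"}, False),
    "missing_actor": ({k: v for k, v in BASE.items() if k != "actor"}, False),
    "string_gate": ({**BASE, "mode": "real_run"}, "false"),
}

def run_cases():
    return {name: (weak_validate(r, g), strict_validate(r, g)) for name, (r, g) in CASES.items()}

if __name__ == "__main__":
    print(run_cases())
```

Each constructed case is accepted by the weak form and rejected by the strict form, which is the kind of row the expanded matrix would need to carry.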

Birth / Admission / Anti-Orphan Audit

| Check | Verdict | Evidence |
|---|---|---|
| Admission record exists/readable | PASS | Revision 1, content_length 17392. |
| All seven Macro-9B artifacts listed | PASS | Seven named artifact sections with identity, purpose, state, allowed/forbidden use, and evidence reference. |
| Primary DOT and four guards have candidate-born/engineering-admitted state | PASS | Explicit admission table; runtime remains held. |
| Any artifact marked authorized-active | PASS (NO) | Text only uses authorized-active as a prohibited overclaim/check condition. |
| Registry Bridge preserves old authority | PASS | dot_tools, law_dot_enforcement, dot_config, dot_agent_api_contract, and governance_object_ownership remain authoritative. |
| KB admission transitional/non-authoritative | PASS | Explicit throughout admission and Macro-9B1 report. |
| Admission Gate for next macro | PASS | HOLD_ADMISSION_MISSING_OR_INVALID defined. |
| Consumer Checklist | PASS | Nine-step checklist present. |
| Anti-forget rule | PASS | Missing/inconsistent/overclaimed admission forces HOLD. |
| Artifact orphaning | PASS | No package artifact is omitted. |
| Evidence quality after this review | HOLD-CAVEAT | Admission cites 37/37/0-fail-open evidence that must be superseded after validator correction. |

Governance Compatibility Audit

| Check | Verdict | Evidence |
|---|---|---|
| Birth Registry Law compatibility | PASS_WITH_CAVEATS | KB admission is transitional because the DOT is not runtime-registered; future runtime birth/registration must use governed registries and authorized DOT paths. |
| Điều 32 approval compatibility | PASS | Engineering admission is separated from Owner/quorum authority; no chat/prose grant is treated as runtime approval. |
| Existing registries remain runtime authority | PASS | Registry bridge is explicit and non-replacing. |
| Manual write to birth_registry/dot_tools/governance registries | PASS (FORBIDDEN) | Package forbids manual write and records no such mutation. |
| New authority model bypass | PASS (NO) | KB admission does not claim runtime authority. |
| Runtime registration state | PASS | REGISTRATION_HOLD; zero matching dot_tools rows reported. |
| Real-run authority | PASS | HOLD_FOR_OWNER_REAL_RUN; no Owner-of-record row. |

LEGO Compatibility Audit

| Check | Verdict | Evidence |
|---|---|---|
| Separate pieces and clear boundary | PASS | One router plus four named guards and explicit artifacts. |
| No tight mega-system | PASS | No registry/graph/orchestration pipeline introduced. |
| Generated/tested separately | PASS_WITH_CAVEATS | Separate functions/docs exist; only router-level matrix was captured. Guard-specific exception/drift tests are absent. |
| Replaced/rolled back separately | PASS_WITH_CAVEATS | Contract states this, but Guard 4 directly calls Guard 1. |
| Explicit composition | PASS_WITH_CAVEATS | Router composition documented; source diverges for Guard 4 and omits Guard 3 from real-run. |
| LEGO acceptance | HOLD | Boundaries are promising but validator must conform to the declared component contract. |

Manual-Block / Runtime Gap Audit

| Gap | Current state | Blocking stage |
|---|---|---|
| Generic directus app role has DB/public CREATE | OPEN and correctly disclosed | Must close before runtime registration/real_run |
| workflow_admin superuser exists | OPEN and correctly disclosed | Must not be DOT executor; harden before real_run |
| Dedicated isolated DOT-executor role | ABSENT and correctly disclosed | Required before registration/real_run |
| Generic Directus create policy block | NOT ENFORCED and correctly disclosed | Required before registration/real_run |
| Durable audit sink | NOT WIRED and disclosed | Required before write-enabled registration |
| Guard 3 before/after execution | PLAN ONLY; report overclaims proof | Must close before engineering acceptance and registration |
| Current execute gates | CLOSED | Keep closed |
| Manual SQL/psql/Directus generic create | FORBIDDEN | Never a valid closure path |

The expected runtime gaps do not by themselves fail the engineering package. The validator/contract mismatches do.

Non-Authorization Audit

| Forbidden action | Verdict | Evidence |
|---|---|---|
| DB write / DDL / DML | PASS | Package reports read-only runtime inspection; this Codex review made no runtime call. |
| dot_tools write | PASS | 309 unchanged; primary/guards absent. |
| law_dot_enforcement write | PASS | Unchanged per package evidence. |
| dot_config write / gate flip | PASS | Gates remain closed. |
| dot_agent_api_contract write/binding | PASS | Two unrelated contracts only; package unbound. |
| governance_object_ownership row | PASS | Zero rows reported. |
| DOT execution | PASS | Validator/regex checks are local pure validation, not DOT execution. |
| Directus mutation | PASS | None reported or performed. |
| Schema/table/collection creation | PASS | Zero r2_b2_wb_* schemas reported. |
| birth_registry write | PASS | None. |
| Universal_edges/KG write | PASS | None. |
| Macro-9A build / Macro-9C real-run | PASS | Both remain unlaunched/NO-GO. |
| Operator/future governance catalogs | PASS | Candidate-on-paper only; none created. |

This non-authorization audit validates the reviewed package's recorded evidence and this session's actions; it is not independent live runtime forensics.

Caveats

  • The DOT writer/runtime implementation is intentionally not authored and remains Owner-gated.
  • DOT bin source was unavailable to the package author because of file allowlisting.
  • Restricted schemas remain read-denied; handbook classifications are partly inferred.
  • Runtime role/grant/policy gaps remain open as correctly disclosed.
  • The admission layer is transitional KB governance, not runtime authority.
  • The 37-case evidence is valid only for its listed cases and must not be cited as universal fail-closed proof.
  • Guard 3, strict gate typing, required actor/channel handling, and control-character tests must be added before package acceptance.

Three Declarations

  1. Permanent: fix the validator contract boundary and test model, not individual test outputs. Required fields, exact lexical validation, authoritative gate typing, and drift evidence must be structural.
  2. Cannot be mistaken: missing/ill-typed fields and guard exceptions must deterministically reject; gate-open must be authoritative and exactly boolean; no runtime write intent may exist without a proven pre-write drift verdict.
  3. 100% automatic: admission checking is documented but not infrastructure-enforced yet. Future catalogs/gates remain deferred; no manual registration or manual SQL is an acceptable substitute.

Final Decision

  • Can Macro-9B + Macro-9B1 package be accepted as engineering-ready? No — HOLD pending validator/contract correction and expanded evidence.
  • Are the artifacts admitted and non-orphan at KB governance level? Yes, with the evidence caveat above.
  • Is runtime registration allowed now? No.
  • Is real_run allowed now? No.
  • Is Macro-9A build allowed now? No.
  • Is next step a separate Owner decision on DOT-registration path and manual-block runtime hardening? Not yet. First complete a KB/code-artifact-only validator remediation and Codex re-review; then route a separate Owner decision.
  • Do not implement confirmation: Confirmed. No runtime mutation, registration, DOT run, schema/table/collection creation, governance collection creation, Macro-9A, or Macro-9C action was performed by this review.
knowledge/dev/laws-new/reports/codex/codex-review-macro9b-dot-package-and-birth-admission-2026-06-19.md