KB-1A3F

Codex Review — R2-B2 Matrix-Stamp Governance Registration Readiness — 2026-06-20

Revision 1


STATUS: PASS_WITH_CAVEATS
REVIEW VERDICT: ACCEPT_CLAUDE_HOLD_AND_PROCEED_TO_RS1
Operational gate: REGISTRATION_READINESS_HOLD · REGISTRATION_CAN_PROCEED = NO
Review class: independent read-only governance review · non-enacting · non-authorizing · no technical design · no implementation · no blocker resolution
Date: 2026-06-20

Evidence limitation: the referenced Claude Macro-AB report was not present in the supplied chat attachment and was not found in AgentData searches. It is therefore marked SOURCE_NOT_READ and is not evidence for this review. The summarized Claude conclusion is accepted only because it was independently reproduced from primary contract, validator, evidence, handbook, law-note, and risk sources. The exact claimed appendix count of “23 extra cases” is not accepted as verified.

1. Verdict

Accept the summarized HOLD, with corrected scope.

  1. The Macro-9B2 contract/validator shell is an engineering artifact that may remain PASS_WITH_CAVEATS for its bounded authored test scope.
  2. That engineering result is not authority, registration, wiring, or real-run readiness.
  3. Registration must remain on HOLD because the surrounding registration substrate is not trusted.
  4. “No validator fail-open” is valid only for the enumerated baseline actually evidenced. It is not a universal property.
  5. The next activity should be Option A / RS1, constrained to a read-only registration-substrate hardening survey, design-entry criteria, and adversarial review. It must not create or register a DOT, mutate a registry, approve an APR, or touch runtime.

2. Major Findings

F1 — BLOCKER: registration substrate is not trusted

The central blocker is correctly stated as REGISTRATION SUBSTRATE NOT TRUSTED. It is supported by five independent gaps:

  • Approval authority bypass: the Điều 32 and Điều 35 (Article 32/35) compatibility notes carry the confirmed fn_auto_approve_add bypass and 160 unvoted applies. The live risk analysis explains why: the BEFORE-INSERT auto-approval writes the row as approved directly, so the row never passes through the pending-to-approved UPDATE where the quorum and self-approval checks run.
  • Owner authority is not established: the R2-B2 packets report no operative ownership row for this registration lane. This review did not perform a new live DB query, so the numeric claim governance_object_ownership=0 is treated as packet evidence, not a fresh runtime observation.
  • Snapshot trust is absent: Guard 3 compares evidence supplied to the validator. Equality of caller-provided before/after values does not prove that either value came from an authoritative production-untouched observer.
  • Hardening remains open: the validator has malformed-input and target-identity gaps described in §4.
  • Registration path is unproven: the Macro-9B1 admission record explicitly authorizes no registration, wiring, or run; the Macro-9B2 contract is explicitly NOT REGISTERED / NOT WIRED / NOT RUN.

Any one of the authority bypass, untrusted snapshot source, or unproven registration path is enough to keep registration closed.
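The bypass shape described in F1, as an added model that is not the project's trigger code: a check wired only to the pending-to-approved UPDATE path is skipped when an INSERT hook writes the approved state directly, and the hardened form forces inserts to start pending and routes every path into "approved" through the same check. The Row fields, the hook layout, the quorum of 2 and the detection helper are assumptions for illustration.

```python
"""Added model (not the project's trigger code): why a BEFORE-INSERT
auto-approve hook bypasses the quorum and self-approval checks that only run
on the pending->approved UPDATE. The Row fields, hook layout and quorum of 2
are assumptions for illustration."""
from dataclasses import dataclass, field

QUORUM = 2  # assumed quorum for the example


@dataclass
class Row:
    """One governance request row, as a registry table might hold it."""
    requester: str
    status: str = "pending"
    votes: set = field(default_factory=set)


def check_transition(row: Row, new_status: str, actor: str) -> None:
    """The only code allowed to admit 'approved'; raises on self-approval
    or missing quorum. It is a plain function so every hook can call it."""
    if new_status != "approved":
        return
    if actor == row.requester:
        raise PermissionError("self-approval rejected")
    if len(row.votes) < QUORUM:
        raise PermissionError(f"quorum {len(row.votes)}/{QUORUM} not met")


class VulnerableRegistry:
    """Bypass shape: the check is wired to the UPDATE hook only, while the
    INSERT hook writes 'approved' directly, so the check never runs."""

    def __init__(self) -> None:
        self.rows: list[Row] = []

    def insert(self, row: Row, actor: str) -> Row:
        row.status = "approved"     # BEFORE-INSERT auto-approve, no check at all
        self.rows.append(row)
        return row

    def update_status(self, row: Row, new_status: str, actor: str) -> Row:
        check_transition(row, new_status, actor)   # the check lives only here
        row.status = new_status
        return row


class FailClosedRegistry(VulnerableRegistry):
    """Hardened shape: INSERT cannot create anything but 'pending', and the
    same check guards every path into 'approved'."""

    def insert(self, row: Row, actor: str) -> Row:
        if row.status != "pending":
            raise PermissionError("insert must start pending")
        check_transition(row, row.status, actor)   # same guard on both hooks
        self.rows.append(row)
        return row


def vote(row: Row, voter: str) -> Row:
    row.votes.add(voter)
    return row


def try_transition(registry: VulnerableRegistry, row: Row, new_status: str, actor: str) -> str:
    """Drive one transition and report the outcome as an evidence string."""
    try:
        registry.update_status(row, new_status, actor)
        return row.status
    except PermissionError as exc:
        return f"REJECT: {exc}"


def unvoted_applies(registry: VulnerableRegistry) -> list[Row]:
    """Detection query: approved rows that never collected a quorum of votes."""
    return [r for r in registry.rows if r.status == "approved" and len(r.votes) < QUORUM]
```

The detection helper is the shape of query a reviewer would run against the registry to find unvoted applies; the hardened class shows that the fix is not a stronger UPDATE check but making the check unavoidable on every entry path.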

F2 — HIGH: bounded validator evidence must not be generalized

The v2 evidence reports 64 rows (52 matrix cases plus 12 simulations) and eight meta-assertions, with no fail-open among those enumerated rows. That proves a bounded baseline, not total-input safety. It does not cover every Python type, PostgreSQL identifier collision, owner-reference forgery, or evidence-source substitution.

F3 — HIGH: engineering PASS and authority PASS remain separate

The Macro-9B2 remediation closes the seven findings from the previous Codex review within its contract boundary, through: required channel/actor, full-string/control-character checks, exact boolean gate typing, explicit Guard 3 evidence, a shared Guard 4 helper, and expanded test evidence. None of these creates Owner authority, authenticates an approval reference, establishes a trusted observation channel, or proves the governed registration transaction.

F4 — HIGH: no existing collection is a safe disposable workbench

The Collections handbook correctly rejects reuse of existing surfaces for the R2-B2 disposable workbench:

  • public candidate/draft tables are production-public and non-disposable.
  • iu_core is an IU/content staging domain, not a generic run-scoped DDL workbench.
  • sandbox_tac is persistent and lacks the required proven owner/access/delete-fast properties for this lane.

This supports a capability gap, but it does not itself authorize a new schema DOT.

F5 — HIGH: existing DOT inventory does not provide a trusted registration solution

The DOT handbook can support reuse discovery and status classification. It does not show an already authorized run-scoped schema shell DOT that satisfies this exact contract. The new DOT_R2_B2_STAGING_SCHEMA_SHELL artifacts remain authored/admitted in KB only and explicitly unregistered. “Admission” must not be read as “registered” or “runnable.”

3. Claude Points — Accepted, Corrected, Rejected

| Point | Decision | Codex assessment |
|---|---|---|
| REGISTRATION_READINESS_HOLD | ACCEPTED | Independently supported by primary sources. |
| Engineering shell is PASS_WITH_CAVEATS | ACCEPTED | Limited to the authored contract/validator and bounded evidence. |
| Authority/runtime registration is HOLD | ACCEPTED | Owner authority, trusted snapshots, hardening, and governed registration are unresolved. |
| No validator fail-open | CORRECTED | Only "no fail-open in the enumerated 64-row baseline." Universal wording is unsupported. |
| 23 extra cases | SOURCE_NOT_READ | Macro-AB body/appendix was unavailable; exact count and outcomes are not verified. |
| N07/N12/N16/N22 are harmless | REJECTED if asserted | Each exposes a registration-readiness gap; details in §4. |
| Registration may proceed because DOT origin/content match a local mirror | REJECTED | Mirror/origin consistency is useful provenance, not live VPS runtime or registration proof. |

4. Validator and Security Review

N07 — fabricated owner reference and caller-supplied snapshots

A non-empty owner_authorization_ref, a literal boolean gate=true, and equal supplied before/after evidence can satisfy the validator without proving that the owner reference exists or that snapshots came from a trusted observer.

Classification: not necessarily a lexical validator fail-open under the current narrow contract, but a registration/runtime authority fail-open risk if the caller is trusted to self-assert those fields.

Closure required before registration: an external trusted authority resolver and a trusted read-only snapshot provider must bind the values passed into the validator. The validator must not be treated as the source of either fact.

N12 — run_id substring acceptance

The target validation accepts the run ID when it appears as a substring. This is consistent with loose “embeds run_id” wording but weaker than the stated target family r2_b2_wb_<run_id>.

Risk: prefix/suffix ambiguity can select a different target than the intended run-scoped identity.

Closure required before registration: exact target identity or an unambiguous token boundary must be contractually enforced and negatively tested.

N16 — PostgreSQL identifier length

The validator does not enforce the PostgreSQL identifier boundary of 63 bytes (NAMEDATALEN minus one). PostgreSQL does not reject a longer identifier; it silently truncates it, and the truncation is measured in bytes, not characters.

Risk: two distinct long names can truncate to the same effective identifier, so a create/drop verification keyed on the requested name can address a different object than the one PostgreSQL actually created.

Closure required before registration: validate the encoded identifier length and test collision/truncation negatives.

N22 — non-object request

A None or other non-mapping request can raise an exception instead of producing a structured reject. Other malformed field types can likewise escape the normal verdict path.

Risk: this is not acceptance of a bad request, but it violates a robust fail-closed API contract and can produce uncontrolled runner behavior.

Closure required before registration: reject non-mapping requests and malformed field types with deterministic error codes; add adversarial tests.

Security conclusion

The current validator can remain an engineering shell. It must not be wired to a mutation-capable runner until N07/N12/N16/N22 are closed and trusted authority/snapshot adapters are independently verified. Guard 3 proves equality of provided evidence, not provenance of evidence.
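The four closures required above (N07, N12, N16, N22), as one added fail-closed validator that is not the reviewed Macro-9B2 validator. It takes owner resolution and the production snapshot from external adapters rather than from the caller, enforces exact target identity, measures identifier length in bytes the way PostgreSQL does, and turns every malformed request into a structured verdict. The field names, the error codes, the r2_b2_wb_<run_id> target family's run_id alphabet, and the two adapter callables are assumptions for illustration.

```python
"""Added example (not the reviewed Macro-9B2 validator): a fail-closed request
validator closing the N07/N12/N16/N22 gaps. The field names, the error codes,
the run_id alphabet and the two adapter callables are assumptions."""
import re
from typing import Any, Callable, Mapping

PG_MAX_IDENT_BYTES = 63                     # PostgreSQL NAMEDATALEN - 1
RUN_ID_RE = re.compile(r"[a-z0-9]{8,64}")   # assumed run_id alphabet (ASCII only)
TARGET_PREFIX = "r2_b2_wb_"                 # target family from the contract


def pg_effective_identifier(name: str) -> str:
    """What PostgreSQL actually addresses: the name clipped to 63 bytes on a
    character boundary. Two distinct names can clip to the same identifier."""
    raw = name.encode("utf-8")
    if len(raw) <= PG_MAX_IDENT_BYTES:
        return name
    return raw[:PG_MAX_IDENT_BYTES].decode("utf-8", errors="ignore")


def verdict(accepted: bool, code: str, detail: str = "") -> dict:
    """Every exit is a structured verdict; the validator never raises."""
    return {"accepted": accepted, "code": code, "detail": detail}


def validate_request(req: Any,
                     resolve_owner: Callable[[str], bool],
                     observe_production: Callable[[], str]) -> dict:
    """resolve_owner and observe_production stand for external trusted
    adapters (N07). The validator never takes owner existence or a snapshot
    from the caller; it asks the adapters itself."""
    # N22: a non-mapping request is a structured reject, not an exception
    if not isinstance(req, Mapping):
        return verdict(False, "E_REQUEST_NOT_MAPPING", type(req).__name__)

    run_id = req.get("run_id")
    target = req.get("target_schema")
    owner_ref = req.get("owner_authorization_ref")
    gate = req.get("gate")

    # exact field types; wrong types are rejects, not crashes
    if not isinstance(run_id, str) or RUN_ID_RE.fullmatch(run_id) is None:
        return verdict(False, "E_RUN_ID_MALFORMED")
    if not isinstance(target, str) or any(ord(c) < 32 or c.isspace() for c in target):
        return verdict(False, "E_TARGET_MALFORMED")
    if not isinstance(owner_ref, str) or not owner_ref:
        return verdict(False, "E_OWNER_REF_MALFORMED")
    if gate is not True:                    # bool identity: 1, "true", "True" all fail
        return verdict(False, "E_GATE_NOT_TRUE")

    # N12: exact run-scoped identity, not "run_id appears somewhere in target"
    if target != TARGET_PREFIX + run_id:
        return verdict(False, "E_TARGET_NOT_EXACT", target)

    # N16: measure bytes as PostgreSQL does; a clipped name is a different target
    if pg_effective_identifier(target) != target:
        return verdict(False, "E_IDENT_TOO_LONG", str(len(target.encode("utf-8"))))

    # N07: the owner reference must resolve through the trusted resolver
    if not resolve_owner(owner_ref):
        return verdict(False, "E_OWNER_REF_UNRESOLVED", owner_ref)

    # Guard 3 provenance: caller-supplied snapshots are refused outright; the
    # before-snapshot is taken from the trusted observer, not from the request
    if "before_snapshot" in req or "after_snapshot" in req:
        return verdict(False, "E_CALLER_SUPPLIED_SNAPSHOT")
    return verdict(True, "OK", observe_production())


# Constructed adapters for stand-alone use; real ones would query the
# authority store and a read-only production observer.
def demo_resolver(ref: str) -> bool:
    return ref == "OWN-0001"


def demo_observer() -> str:
    return "sha256:constructed-before-snapshot"
```

The accepted verdict carries the observer's before-snapshot so the post-run comparison is made against a value the validator obtained itself; equality of two values the caller chose would prove nothing about provenance.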

5. DOT and Collection Governance

  1. Reuse-first remains mandatory. The handbooks are valid discovery aids, not authority documents.
  2. No safe existing collection/workbench was established. The Collections conclusion is not an overclaim because it is scoped to the disposable R2-B2 workbench requirements, not a universal statement that the system has no staging assets.
  3. The local mirror is evidence-limited. Matching dot_origin and script content supports artifact consistency. It does not prove the live /opt/incomex/dot/bin state, executor behavior, or current VPS registration.
  4. A new DOT cannot bootstrap its own legitimacy. Birth/admission, owner authority, registration, pairing, coverage, and rollback evidence must come through an already trusted governance path.
  5. No manual SQL fallback. A registration blocker cannot be “temporarily” resolved through generic SQL, a direct registry insert, or an ungoverned helper.

6. Registration Substrate Assessment

Verdict: HOLD.

| Trust property | Current state | Gate |
|---|---|---|
| Điều 32 quorum path trustworthy | Confirmed bypass remains in source evidence | HOLD |
| Điều 35 live governance production-ready | Compatibility note says production-readiness FAIL | HOLD |
| Owner authority resolvable | Not established for this lane | HOLD |
| Trusted production-untouched snapshots | No authoritative source binding proved | HOLD |
| Validator total-input fail-closed behavior | Bounded baseline only; N12/N16/N22 open | HOLD |
| DOT registration transaction/rollback | Not proved through trusted path | HOLD |
| Live executor/script identity | Local mirror/origin consistency only | HOLD |
| Macro-9B artifacts | Authored/admitted; not registered/wired/run | HOLD |

The persisted-layer GUC (PostgreSQL configuration parameter) evidence may support "no persisted bypass found." A parameter set only for the duration of a session leaves no trace in the persisted layer, and transient sessions were not readable, so no report may claim that every transient bypass is absent.

7. DOT_GOVERNANCE_DOT_ADMISSION Decision

Decision: DEFER / DO NOT AUTHOR OR REGISTER NOW.

Necessity has not been proved. Creating it before the existing Điều 32/35 path is made trustworthy risks a new mini-governance island that owns admission, approval, registration, evidence, and execution at once.

A future proposal is admissible only if RS1 proves that no existing governed primitive can supply the missing function. Its conceptual boundary must remain narrow:

  • consume already authoritative approval/owner/admission evidence;
  • perform only one bounded DOT-registration responsibility through existing registries;
  • expose a paired read-only verifier;
  • avoid creating a new authority store, approval model, birth system, graph, scheduler, or generic registry platform;
  • have exact rollback and postcondition evidence.

These are review constraints, not a technical design or implementation authorization.

8. Option A: Macro-RS1 — Registration Substrate Trust Survey and Design-Entry Gate
Timebox: 60–90 minutes.
Mode: read-only, no mutation, no registration, no APR creation, no new DOT, no technical design execution.

Required outputs

  1. Source/read register with revision and evidence tier; Macro-AB remains SOURCE_NOT_READ unless supplied.
  2. Read-only map of the actual Điều 32/35 approval and DOT-registration path, including the fn_auto_approve_add bypass boundary.
  3. Reuse matrix for existing approval, owner, admission, registration, and read-only verification primitives.
  4. Trust contract for owner-reference resolution and production-untouched snapshots, expressed as acceptance criteria rather than implementation.
  5. Adversarial closure criteria for N07/N12/N16/N22 and malformed-type handling.
  6. Registration transaction/rollback proof obligations, without executing or designing the write.
  7. Mốc 01 (Milestone 01) alignment: source-authority map, usable QCM, explicit pilot slice, slice-bounded gap report, staging only after the trust path is clean, delete-fast/rollback boundary, and no canonical production write.
  8. One consolidated Owner decision packet after independent Codex review; no micro-approval chain.

Stop states

HOLD_RISK_BYPASS, HOLD_OWNER_AUTHORITY_MISSING, HOLD_SNAPSHOT_SOURCE_UNTRUSTED, HOLD_MANUAL_PATH_OPEN, HOLD_REGISTRATION_PATH_UNPROVEN, HOLD_REUSE_NOT_PROVEN, SOURCE_NOT_READ.

RS1 exit rule

RS1 may conclude only that design entry is ready or still held. It must not conclude that registration or runtime is authorized. Owner confirmation is requested only after Codex verifies the RS1 evidence and a single consolidated decision is ready.

9. Must Not Do

  • Do not register, wire, or run DOT_R2_B2_STAGING_SCHEMA_SHELL.
  • Do not create DOT_GOVERNANCE_DOT_ADMISSION.
  • Do not patch fn_auto_approve_add, triggers, tables, registries, schemas, or Directus.
  • Do not perform DDL/DML, manual SQL, direct registry inserts, APR creation, or blocker resolution.
  • Do not treat KB admission as runtime registration.
  • Do not treat local mirror parity as live VPS proof.
  • Do not treat equal caller-provided snapshots as trusted no-production-touch proof.
  • Do not claim transient GUC bypass absence.
  • Do not expand RS1 into whole-system design, full backfill, new registry families, or a mega governance service.

10. Self-Check

| Check | Result | Evidence |
|---|---|---|
| Operating Rules and Constitution read | PASS | AgentData direct search/read; OR v51 and Constitution v44 observed during review |
| Primary Macro-9B/9B1/9B2 package considered | PASS | Contract rev2, validator rev2, matrix/guards rev2, evidence rev1, admission rev9, Codex re-review rev1 |
| DOT and Collections handbooks considered | PASS | Both handbook records observed at rev11; relevant reuse/gap sections searched directly |
| Điều 4/32/35/39 notes considered | PASS | Full readback, each rev1 |
| Required stamps/promote status scoped | PASS | required-stamps.v0.1.json rev6 is DRAFT; promote checker remains documentary-only |
| Claude Macro-AB read | SOURCE_NOT_READ | Not present in supplied attachment/chat and not found by AgentData searches |
| 23 extra cases verified | SOURCE_NOT_READ | Exact appendix unavailable; not used as evidence |
| Runtime mutation performed | PASS — NONE | Review/KB report only |
| DDL/DML/manual SQL performed | PASS — NONE | No database write or query tool used |
| Technical design/implementation performed | PASS — NONE | Constraints and next-macro acceptance criteria only |
| Blocker resolved or authority claimed | PASS — NONE | Registration remains HOLD |

Source Register

Primary sources used include:

  • knowledge/dev/laws-new/newlaws/dot-manage/specs/dot-r2-b2-staging-schema-shell.contract.md — rev2.
  • Macro-9B2 validator — rev2; v2 evidence — rev1; guards/matrix — rev2.
  • knowledge/dev/laws-new/newlaws/dot-manage/admission/dot-r2-b2-staging-schema-shell-birth-admission-2026-06-19.md — rev9.
  • knowledge/dev/laws-new/newlaws/dot-manage/dot-usage-handbook.md — rev11.
  • knowledge/dev/laws-new/newlaws/collections-manage/collections-usage-handbook.md — rev11.
  • Điều 4/32/35/39 compatibility notes — rev1.
  • knowledge/dev/laws-new/required-stamps.v0.1.json — rev6.
  • knowledge/dev/laws-new/promote-checker-v0.1-spec.md — rev11.
  • R2-B2 inspect-producer TD-prep, TD-readiness, and R1/R2 LEGO scoping records — rev1.
  • Auto-approve hardening risk note and SB-1 fail-closed/quorum analysis — rev1.

Final Attestation

DO NOT IMPLEMENT. This review performed no runtime mutation, no DDL/DML, no implementation, no technical design, no blocker resolution, no current-corpus creation, no source-law edit, and no draft adoption.

Report path: knowledge/dev/laws-new/reports/codex/codex-review-r2-b2-matrix-stamp-governance-registration-readiness-2026-06-20.md