CODEX REVIEW — READY-TO-ASSEMBLE-LEGO1 Preparation Package — 2026-06-22
STATUS: HOLD
REVIEW VERDICT: READY_TO_ASSEMBLE_LEGO1-PATCH1_REQUIRED
CATEGORY COMPLETENESS: PASS — the package contains the expected index, files 01–13, Codex packet, and reports-level rollup.
TECHNICAL DETAIL: FAIL — material preparation gaps remain; authority/execution are not the only residuals.
STOP STATE: REGISTRATION_HOLD remains active; REGISTRATION_CAN_PROCEED = NO; P2 and the named C1 lane remain closed and unauthorized.
REVIEW SCOPE: read-only review of the AgentData KB package. No runtime mutation, DDL/DML, implementation, blocker resolution, current-corpus creation, registration, activation, or adoption was performed.
1. Scope and evidence
Reviewed the 15 AgentData documents under:
knowledge/dev/laws-new/reports/ready-to-assemble-lego1/
and the reports-level rollup:
knowledge/dev/laws-new/reports/macro-ready-to-assemble-lego1-2026-06-22.md (revision 3, content_length 5879).
Directory readback showed exactly 15 package documents: index revision 2; files 01–13 and the Codex review packet revision 1. The package categories are present and navigable.
This Codex session did not expose query_pg, pg_schema, or Docker log/runtime tools. Therefore the package's live database observations could not be independently rerun in this review. They remain attributed observations, not independently reproduced Codex evidence.
2. Findings
[P0] The planned write path violates the mandatory DOT/Directus governance path
File 06 explicitly plans raw SQL:
- CREATE TABLE governance_canonical_operation_vocab (...);
- direct INSERT INTO governance_canonical_operation_vocab;
- direct audit inserts;
- direct update/consume of governance_build_authorization.
This conflicts with the controlling workspace rules: DOT 100%, no manual operation, schema changes through the Directus Fields API, and no manual SQL INSERT. Labelling a prohibited command WRITE_PLANNED_NOT_RUN prevents present mutation but does not make the future plan valid.
Required PATCH1 correction: replace the raw DDL/DML execution design with a named DOT operation and Directus API-based schema/data path, including dual-trigger, metadata-first behavior, idempotency, dry-run, and production verification evidence. The package cannot be called preparation-complete until that executable path is specified.
[P0] C1 identity and versioning are internally inconsistent
The proposed table uses operation_code text PRIMARY KEY, while lookup, history, hashing, and rollback are described as version-aware through protocol_version. This model cannot deterministically represent the same operation code across protocol versions, and successor_code references only operation_code, not a versioned identity.
The rollback template also updates only by operation_code, so it can target the wrong version. The promised old-version resolvability and non-remeaning guarantees are not enforced by the proposed schema.
Required PATCH1 correction: define the canonical vocabulary/value identity, version identity, uniqueness axes, successor identity, immutable semantic fields, and exact version-aware lookup key. Add constraints for successor existence, no self/cycle link, compatible version progression, and lifecycle-field consistency.
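The identity problem in this finding, modelled as an added example (not code from the reviewed package) on an in-memory SQLite table: a single-column key cannot hold two protocol versions of one code, and a code-only rollback update hits every version. The status column, the RETIRED value, successor_version and the integer version type are assumptions; SQLite stands in for the model only and is not the DOT/Directus path, and cycle detection is out of scope here.

```python
import sqlite3

# Shape described in the finding: operation_code alone is the key.
FLAWED = """CREATE TABLE vocab (
  operation_code TEXT PRIMARY KEY,
  protocol_version INTEGER NOT NULL,
  successor_code TEXT,
  status TEXT NOT NULL DEFAULT 'ACTIVE')"""

# Versioned identity: (code, version) is the key and the successor target.
FIXED = """CREATE TABLE vocab (
  operation_code TEXT NOT NULL,
  protocol_version INTEGER NOT NULL,
  successor_code TEXT,
  successor_version INTEGER,
  status TEXT NOT NULL DEFAULT 'ACTIVE',
  PRIMARY KEY (operation_code, protocol_version),
  FOREIGN KEY (successor_code, successor_version)
    REFERENCES vocab (operation_code, protocol_version),
  CHECK ((successor_code IS NULL) = (successor_version IS NULL)),
  CHECK (NOT (successor_code = operation_code
              AND successor_version = protocol_version)))"""

def open_db(ddl):
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    db.execute(ddl)
    return db

def try_insert(db, cols, values):
    """Return True if the row is admitted, False if a constraint rejects it."""
    marks = ",".join("?" for _ in values)
    try:
        db.execute(f"INSERT INTO vocab ({cols}) VALUES ({marks})", values)
        return True
    except sqlite3.IntegrityError:
        return False

def retire(db, code, version=None):
    """Rollback-style update; omitting version mimics the code-only template."""
    sql, args = "UPDATE vocab SET status = 'RETIRED' WHERE operation_code = ?", [code]
    if version is not None:
        sql += " AND protocol_version = ?"
        args.append(version)
    return db.execute(sql, args).rowcount  # number of rows targeted
```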
[P1] The governed value set is a preparation input, not an execution detail
Files 06, 12, and 13 defer the actual vocabulary values and their governing sources until build execution while claiming no preparation gap remains. Execution must not invent the operation set. At minimum, Gate B needs a reviewed, hashed input manifest or an authoritative resolver/source that deterministically yields the exact values and authority references.
Without that input, the expected diff remains +N, tests cannot be instantiated, hashes cannot be precomputed, and authorization cannot bind to exact effects. This is PREPARATION_INPUT_MISSING, not merely AUTHORITY_MISSING_ONLY.
[P1] Authorization enforcement is overclaimed and the consume ordering is unsafe
The existence of columns in an empty governance_build_authorization table does not prove:
- exact JSON scope matching;
- allowed status values or transitions;
- sovereign e-sign verification;
- plan/artifact hash binding;
- atomic single-use consumption;
- concurrency/replay exclusion;
- revocation/expiry enforcement;
- executor identity binding.
PF5 uses a conceptual predicate (scope=plan AND status valid) rather than an exact executable query against the JSON structure and status domain. More critically, file 06 places authorization consumption at S8, after table creation and value/audit writes. Two executors could pass the same unconsumed preflight, or a failure could leave writes completed without token consumption.
Required PATCH1 correction: provide the proven verifier contract and exact predicate; bind authorization to plan revision, artifact hashes, carrier, environment, executor, action set, and rollback reference; reserve/consume atomically with the authorized write or through a proven fail-closed DOT transaction/lease protocol. Do not describe the current empty table as “structurally complete” based on columns alone.
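A minimal model of the atomic reserve/consume requirement, added here as an example and not taken from the reviewed package: the token is consumed by a conditional update inside the same transaction as the authorized writes, so a replay finds nothing to consume and a failed write restores the token. The auth and vocab tables, their columns, and the ISSUED/CONSUMED values are hypothetical stand-ins; in-memory SQLite models the semantics only and is not the DOT/Directus execution path.

```python
import sqlite3

def setup():
    # Hypothetical stand-in tables; the real column set is not shown on this page.
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.executescript("""
        CREATE TABLE auth (id TEXT PRIMARY KEY, status TEXT NOT NULL,
                           plan_hash TEXT NOT NULL, consumed_by TEXT);
        CREATE TABLE vocab (operation_code TEXT NOT NULL,
                            protocol_version INTEGER NOT NULL,
                            PRIMARY KEY (operation_code, protocol_version));
        INSERT INTO auth VALUES ('auth-1', 'ISSUED', 'plan-r3-hash', NULL);
    """)
    return db

def token_status(db, auth_id):
    row = db.execute("SELECT status FROM auth WHERE id = ?", (auth_id,)).fetchone()
    return row[0]

def execute_authorized(db, auth_id, plan_hash, executor, rows):
    """Consume the token and apply the writes in one transaction, or do neither."""
    db.execute("BEGIN IMMEDIATE")  # take the write lock before checking anything
    try:
        cur = db.execute(
            "UPDATE auth SET status = 'CONSUMED', consumed_by = ? "
            "WHERE id = ? AND status = 'ISSUED' AND plan_hash = ?",
            (executor, auth_id, plan_hash))
        if cur.rowcount != 1:  # absent, already consumed, or bound to another plan
            raise PermissionError("authorization not consumable")
        db.executemany("INSERT INTO vocab VALUES (?, ?)", rows)
        db.execute("COMMIT")
        return True
    except (PermissionError, sqlite3.Error):
        db.execute("ROLLBACK")  # undoes the consume together with any partial write
        return False
```

Whether a failed attempt should leave the token reusable, as it does here, or burn it is a policy decision the verifier contract has to state.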
[P1] The build and rollback steps lack an atomic failure model
S2–S8 are separate writes, but the package does not define transaction boundaries, compensation checkpoints, retry/replay behavior, or what happens when failure occurs after DDL, after partial value admission, after audit insertion, or before authorization consumption.
The rollback SQL permits :successor = NULL, does not prove the successor exists and is admissible, does not bind target/successor versions, and does not atomically require the audit record. Prose reject codes do not enforce these conditions.
Required PATCH1 correction: define an executable state machine with atomicity/idempotency semantics, partial-failure stop states, retry rules, and enforced rollback invariants. Rollback authorization must remain a separate authorized act as already stated.
[P1] Preflight and test evidence are incomplete
File 09 records PF7 as “not tailed; available” but files 12/13 conclude discovery and preparation are complete. PF8 proves denial on the non-allowlisted postgres database; it does not prove writes are blocked on the allowed directus database or through the eventual DOT/Directus execution path.
The test matrix is specification prose, not an executable suite. Several checks are too weak:
- count > 0 does not prove vocabulary validity;
- “by construction” is not rejection evidence;
- admission and rollback negative cases require an executable transactional fixture, not a read-only query against a populated table;
- no tests cover duplicate/version identity, successor cycles, concurrent token use, partial failure, retry, forged authority reference, ambiguous hash serialization, or audit-write failure.
Required PATCH1 correction: complete current read-only checks, distinguish observed from planned evidence, and provide executable test commands/fixtures with deterministic assertions and output capture.
[P2] Dependency and blast-radius claims are too strong
“No incoming carrier edge” in E1–E8 does not mean no build dependency. governing_authority_ref, the authorization verifier, Directus metadata, audit sink, and DOT registrar are operational dependencies and need explicit join/preflight contracts.
Likewise, “blast radius = 0” does not follow from C2 being absent. A new production schema surface, Directus metadata, audit writes, authorization consumption, and future lookup contract all have non-zero operational blast radius. The correct claim is narrower: no currently proven C2 data reference would be orphaned.
[P2] Evidence hashing is underspecified
The proposed SHA-256 input operation_code|protocol_version|act_type|governing_authority_ref has no escaping, normalization, encoding, null handling, field-version, or canonical serialization specification. Delimiter ambiguity can produce non-portable evidence.
Required PATCH1 correction: specify a versioned canonical byte representation (for example canonical JSON with fixed field names and UTF-8 normalization), and bind the plan, schema definition, value manifest, authorization, execution log, and readback to that representation.
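The delimiter ambiguity, shown as an added example (not code from the reviewed package): two different records collide under the pipe-joined input, while a versioned canonical JSON form with NFC normalization and explicit null keeps them apart. The "evidence-record/v1" tag, the all-string field types, and the sample values are assumptions constructed for illustration.

```python
import hashlib
import json
import unicodedata

FIELDS = ("operation_code", "protocol_version", "act_type",
          "governing_authority_ref")
SCHEMA = "evidence-record/v1"  # hypothetical version tag for the representation

def pipe_hash(rec):
    """Ambiguous form from the finding: fields joined with '|', null as ''."""
    joined = "|".join("" if rec[f] is None else rec[f] for f in FIELDS)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()

def canonical_bytes(rec):
    """Versioned canonical JSON: fixed field set, NFC text, explicit null."""
    if set(rec) != set(FIELDS):
        raise ValueError("unexpected or missing fields")
    body = {}
    for f in FIELDS:
        v = rec[f]
        if v is not None and not isinstance(v, str):
            raise TypeError(f"{f} must be str or None")
        body[f] = None if v is None else unicodedata.normalize("NFC", v)
    doc = {"schema": SCHEMA, "record": body}
    # Sorted keys and fixed separators give one byte string per logical record.
    return json.dumps(doc, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def canonical_hash(rec):
    return hashlib.sha256(canonical_bytes(rec)).hexdigest()

def make(code, version, act, ref):
    return dict(zip(FIELDS, (code, version, act, ref)))

if __name__ == "__main__":
    # Constructed records: the '|' inside a field shifts the field boundary.
    a = make("op|x", "1", "admit", "ref-1")
    b = make("op", "x|1", "admit", "ref-1")
    print("pipe-joined collide:", pipe_hash(a) == pipe_hash(b))
    print("canonical collide:  ", canonical_hash(a) == canonical_hash(b))
```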
3. Category assessment
| Preparation category | Assessment | Reason |
|---|---|---|
| Package/index/source register | PASS_WITH_CAVEATS | Present; file 01 mentions subagent use, which conflicts with the project rule forbidding background agents. |
| Carrier selection | PASS_WITH_CAVEATS | C1 is a plausible first carrier, but “lowest risk” does not remove its authority/source dependencies. |
| Contract boundary | FAIL | Versioned identity, uniqueness, successor, authority reference, and lifecycle enforcement are incomplete. |
| Dependency map | FAIL | Carrier graph is listed, but operational dependencies and blast radius are understated. |
| Build plan | FAIL | Future path uses prohibited raw DDL/DML and lacks atomic/idempotent orchestration. |
| Test/adversarial matrix | FAIL | Defined but not executable; important concurrency/version/failure cases are absent. |
| Rollback plan | FAIL | Good non-destructive intent, but proposed schema/SQL cannot enforce the stated invariants. |
| Preflight plan | FAIL | PF7 not run; PF8 does not prove the claimed fence; PF5 is not an exact verifier. |
| Evidence plan | FAIL | Evidence tiers are separated correctly, but canonical hashing and binding are incomplete. |
| Gate B/Chairman packet | FAIL | Template exists, but verifier, exact binding, and atomic consume are not proven. |
| Hold/non-authorization language | PASS | The package consistently retains HOLD and does not assert current write authority. |
4. Required PATCH1 closure set
- Replace all future raw DDL/DML with the compliant DOT + Directus API execution contract.
- Correct the C1 versioned identity/schema and enforce lifecycle/successor invariants.
- Lock an authoritative, reviewable value manifest or deterministic authority-backed resolver before Gate B.
- Define and prove exact authorization verification plus atomic one-time consume/replay control.
- Define atomicity, idempotency, partial-failure, retry, and rollback execution semantics.
- Complete PF7/PF8/PF5 with exact reproducible checks and truthfully scoped claims.
- Provide executable tests for identity/version, constraints, concurrency, partial failures, rollback, and evidence.
- Replace ambiguous hashes with a versioned canonical serialization and full artifact binding.
- Remove “blast radius zero”, “structurally complete”, “inventory complete”, and “only authority/execution remains” until supported.
5. Decision
The package is organized and its non-authorization boundaries are generally disciplined. However, completeness of document categories is not equivalent to preparation completeness. The current package must not advance to Gate B or C1 assembly.
VERDICT: READY_TO_ASSEMBLE_LEGO1-PATCH1_REQUIRED
DO NOT IMPLEMENT: Confirmed. No runtime mutation, no DDL/DML, no implementation, no technical-design execution, no blocker resolution, no current corpus, no registration, no activation, and no adoption were performed by this review.