KB-7D1F

Codex Review — RS3-BUNDLE Owner Resolver / Trusted Snapshot / Validator Envelope / Residue Disposition — 2026-06-20



STATUS: HOLD
VERDICT: NEED_RS3_PATCH
Registration gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO
Stop state: RS3_NEEDS_PATCH
Runtime observation: NO_CODEX_LIVE_READ
Class: independent read-only review · non-enacting · non-authorizing · no implementation · no runtime mutation
Date reviewed: 2026-06-21

1. Verdict

RS3-BUNDLE is materially sound in scope, LEGO separation, reuse-first direction, and preservation of the registration HOLD. It is not yet an acceptable trust-envelope baseline.

Four load-bearing defects require one bounded RS3 patch before registrar-hardening design:

  1. evidence_hash is repeatedly treated as if it made an envelope signed/authentic. An unkeyed hash proves neither issuer identity nor authorization.
  2. governance_object_ownership does not itself bind operation=register_dot or artifact_hash; the report overstates that the existing row has the exact columns required to authorize the exact artifact.
  3. nonce replay rejection has no assigned state owner or atomic consumption rule, while the future validator is required to remain pure.
  4. integration provenance and several validator/snapshot edge cases are under-specified, including target authority, manifest substitution, capture chronology, exact schema identity, and all generated PostgreSQL identifiers.

These are contract defects, not implementation gaps that can safely be deferred to RS3B. RS3B-REGISTRAR-HARDENING-DESIGN would otherwise consume ambiguous authority and authenticity interfaces.

2. Source Register

| Source | Revision / length | Read status | Evidence tier | Use |
|---|---|---|---|---|
| RS3-BUNDLE target | rev1 / 55,709 | FULL_READ | REVIEW TARGET | Four blocks, envelopes, matrix K–O, next macro |
| Codex RS2-PATCH1 acceptance | rev1 / 17,282 | FULL_READ | PRIOR GATE | Five caveats and registration HOLD |
| Operating Rules | v7.58 | DIRECT_SEARCH_READ | GOVERNING SSOT | fail-closed, reuse-first, no guessing |
| Constitution | v4.6.3 | DIRECT_SEARCH_READ | ENACTED FOUNDATION | PG-first, DOT pair, authority discipline |
| Validator source | rev2 / 14,415 | FULL_READ | PRIMARY CODE | Confirms N07/N12/N16/N22 mechanics |
| Guard contract | rev2 / 11,333 | FULL_READ | PRIMARY CONTRACT | Confirms Guard 3 consumes caller/runtime supplied evidence |
| Bad-input matrix | rev2 / 8,971 | READ | PRIMARY CONTRACT | Existing 64-case boundary |
| Validator test evidence v2 | rev1 / 10,292 | READ | PRIMARY TEST RECORD | 64/64 local engineering evidence only |
| RS1 trust survey | rev1 / 46,040 | FULL_READ / TARGETED CHECK | SECONDARY + SOURCE MAP | Exact N07/N12/N16/N22 classifications |
| SB-2 ownership design | rev1 / 18,829 | FULL_READ / TARGETED CHECK | PRIMARY DESIGN HISTORY | Confirms owner row lacks operation and artifact hash |
| laws-new five-document set | mixed; LAW_READING_INDEX rev2 | DIRECT KB READ | PRIMARY LAWS-NEW / POINTER | LEGO, reuse, non-authorization, no old-law override |
| RS3-reported live DB reads | 2026-06-20 | PACKET_READ | CLAUDE RUNTIME PACKET | Counts/schema only; not Codex live proof |
| Registrar implementation | | SOURCE_NOT_READ | NONE | Caveat retained |
| S142B primary authorization source | | SOURCE_NOT_READ | NONE | No sanctioned/unsanctioned merits conclusion |

NO_CODEX_LIVE_READ: Codex had no live runtime read tool. RS3 live counts and schemas are accepted only as packet evidence. No old /laws/ source was used to override laws-new/newlaws.

3. Accepted RS3 Points

  1. RS3 read the prior Codex acceptance and retained the five caveats: registrar source unread, no fixed five-row cardinality, audit sinks unproven, no Codex live read, and registration HOLD.
  2. The four blocks have distinct responsibilities, inputs, outputs, owners, and no mutation.
  3. Coupling is envelope-oriented rather than hidden reads of another block's internal state.
  4. governance_object_ownership = 0 is correctly fail-closed and is not Owner authority.
  5. assign_governance_owner unimplemented/high and absence of register_dot remain blockers, not invitations to synthesize authority.
  6. Guard 3 is correctly characterized as a pure verdict over supplied evidence. Missing evidence is UNKNOWN, but equal fabricated maps can still satisfy equality; provenance remains untrusted.
  7. wf_fs_dot_bin_snapshot is a reuse candidate, not yet a trusted provider.
  8. Validator purity is correct: it should verify bounded evidence and must not become a runtime lookup engine.
  9. N07, N12, N16, and N22 are correctly identified as open engineering defects.
  10. The 18, 142, and 8 residue populations remain separate; no deletion, relabeling, merging, or ratification occurred.
  11. S142B remains SOURCE_NOT_READ; Điều 35 health re-verification remains a precondition to production-readiness claims.
  12. Engineering PASS is not authority PASS; KB admission is not runtime registration; activation remains separate from registration.

4. Corrected RS3 Points

C1 — Hash is not a signature

The report calls the envelopes “signed” but defines only evidence_hash. A caller can recompute an unkeyed hash over fabricated content. The patched contract must choose one explicit authenticity model:

  • a verifiable signature/MAC with signature, signature_algorithm, key_id, issuer trust-root reference, key lifecycle/revocation, and canonical payload version; or
  • an immutable, authority-controlled evidence row referenced by ID and hash, with verifier rules proving that the caller cannot create or alter it.

Until then, use “hash-bound draft envelope,” not “signed envelope.”

C2 — Owner row does not authorize the exact operation/artifact by itself

The ownership table binds object, scope, owner, lifecycle, approval reference, and supersession. Its documented contract contains no operation or artifact_hash column. RS3 currently copies operation and artifact_hash into the envelope from other inputs, but does not prove that the Owner grant or APR authorized those exact values.

The patch must define a trusted binding chain, without creating a new registry:

ownership_row_ref → approval_ref/quorum artifact → exact operation + canonical target + artifact hash (or immutable admission/deployment reference).

If the existing APR payload cannot carry and preserve that binding, status is OWNER_ENVELOPE_INSUFFICIENT; the resolver must reject. Table existence alone is not enough.

C3 — Revocation source is invented

revocation_ref is emitted by the envelope, but no such owner-table column was demonstrated. audit_ref is not automatically a revocation reference. The patch must identify the authoritative revocation fact and precedence rule, or rely only on proven lifecycle/supersession fields and remove the invented field.

C4 — Replay ownership is unresolved

A pure validator cannot determine that a nonce was previously consumed without trusted state. The patch must assign:

  • nonce issuer;
  • uniqueness domain and TTL;
  • atomic consumer, normally registrar Phase 1 or an existing authorized idempotency surface;
  • replay persistence/retention;
  • behavior after rollback and retry.

The validator may check nonce shape, binding, freshness, and signature. It cannot claim replay prevention by itself.
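Added example, not part of RS3-BUNDLE or of this review's deliverables: a minimal Python model of the C1 and C4 distinctions. It uses HMAC-SHA256 as a stand-in for whichever authenticity model the patch selects, a constructed in-memory trust root (key_id, secret, lifecycle status), constructed envelope fields, and a lock-guarded dictionary standing in for the registrar Phase 1 replay store; all of those names and values are assumptions. It shows that a caller can recompute evidence_hash over a fabricated payload and still pass the hash check, that only the keyed check rejects it, and that the pure freshness check cannot see a reused nonce, which only the stateful consumer catches.

```python
import hashlib
import hmac
import json
import threading

# Constructed trust root (assumption): key_id -> secret and lifecycle status.
# A real resolver would read this from an authority-controlled store.
TRUST_ROOT = {
    "owner-key-2026-06": {"secret": b"constructed-demo-secret-active", "status": "active"},
    "owner-key-2025-12": {"secret": b"constructed-demo-secret-retired", "status": "revoked"},
}
CANONICAL_VERSION = "v1"
MAX_SKEW_SECONDS = 30
NONCE_HEX_LEN = 32

# Constructed sample envelope body (assumption); field names follow the review's inventory.
BASE_ENVELOPE = {
    "envelope_type": "owner_authority", "issuer": "owner-resolver", "audience": "registrar",
    "operation": "register_dot", "target_schema": "r2_b2_wb_abc12345", "run_id": "abc12345",
    "artifact_hash": "sha256:0000constructed",
    "nonce": "0123456789abcdef0123456789abcdef", "issued_at": 1000.0, "expires_at": 1600.0,
}


def canonical_payload(envelope: dict) -> bytes:
    """Deterministic encoding of every field except the two authenticity fields."""
    body = {k: v for k, v in envelope.items() if k not in ("evidence_hash", "signature")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def evidence_hash(envelope: dict) -> str:
    """Unkeyed hash: anyone holding the payload can recompute it."""
    return hashlib.sha256(canonical_payload(envelope)).hexdigest()


def sign(envelope: dict, key_id: str) -> dict:
    """Issuer side: keyed MAC over the canonical payload; key_id and the
    canonicalization version are inside the signed bytes."""
    signed = dict(envelope, key_id=key_id, signature_algorithm="HMAC-SHA256",
                  canonical_version=CANONICAL_VERSION)
    signed["evidence_hash"] = evidence_hash(signed)
    secret = TRUST_ROOT[key_id]["secret"]
    signed["signature"] = hmac.new(secret, canonical_payload(signed), hashlib.sha256).hexdigest()
    return signed


def verify_authenticity(envelope: dict) -> str:
    """Pure check: returns 'OK' or a rejection reason; consumes no state."""
    if envelope.get("canonical_version") != CANONICAL_VERSION:
        return "REJECT_UNSUPPORTED_CANONICALIZATION"
    if envelope.get("signature_algorithm") != "HMAC-SHA256":
        return "REJECT_UNKNOWN_ALGORITHM"
    key = TRUST_ROOT.get(envelope.get("key_id"))
    if key is None:
        return "REJECT_UNKNOWN_KEY"
    if key["status"] != "active":
        return "REJECT_REVOKED_KEY"
    if envelope.get("evidence_hash") != evidence_hash(envelope):
        return "REJECT_HASH_MISMATCH"
    expected = hmac.new(key["secret"], canonical_payload(envelope), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(envelope.get("signature", ""))):
        return "REJECT_BAD_SIGNATURE"
    return "OK"


def verify_freshness(envelope: dict, now: float) -> str:
    """Pure freshness and nonce-shape check; it cannot detect reuse."""
    issued, expires = envelope.get("issued_at"), envelope.get("expires_at")
    if not isinstance(issued, (int, float)) or not isinstance(expires, (int, float)):
        return "REJECT_MISSING_TIMESTAMPS"
    if issued > now + MAX_SKEW_SECONDS:
        return "REJECT_FUTURE_ISSUED_AT"
    if expires < issued:
        return "REJECT_REVERSED_INTERVAL"
    if now > expires:
        return "REJECT_EXPIRED"
    nonce = envelope.get("nonce")
    if not isinstance(nonce, str) or len(nonce) != NONCE_HEX_LEN or set(nonce) - set("0123456789abcdef"):
        return "REJECT_NONCE_SHAPE"
    return "OK"


class NonceConsumer:
    """Stateful atomic consumer (assumed to sit at registrar Phase 1).
    Uniqueness domain is (issuer, nonce); the lock stands in for a single
    insert-or-fail against a persistent replay table."""

    def __init__(self):
        self._seen = {}  # (issuer, nonce) -> expires_at
        self._lock = threading.Lock()

    def consume(self, envelope: dict, now: float) -> str:
        key = (envelope["issuer"], envelope["nonce"])
        with self._lock:
            # Retention: drop an entry only once freshness would reject it anyway.
            self._seen = {k: e for k, e in self._seen.items() if e >= now}
            if key in self._seen:
                return "REJECT_REPLAY"
            self._seen[key] = envelope["expires_at"]
            return "OK"


def admit(envelope: dict, consumer: NonceConsumer, now: float) -> str:
    """Pure checks first; the stateful step runs last and exactly once."""
    for result in (verify_authenticity(envelope), verify_freshness(envelope, now)):
        if result != "OK":
            return result
    return consumer.consume(envelope, now)
```

The ordering in admit is the point of C4: everything the validator can decide without state runs before the consumer, and the consumer is the only place a nonce is marked used, so a rollback-and-retry policy has a single owner to reason about.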

C5 — N12 should use canonical equality

The target criterion should compare canonical strings:

target_schema == "r2_b2_wb_" + run_id.lower()

after strict run-id validation. Building a regex from run_id is unnecessary and creates escaping ambiguity. The existing source confirms the defect is substring membership.
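Added example, not the validator's source: the three forms of the N12 target criterion side by side in Python. The substring-membership form is an illustrative reconstruction of the defect as described above, not a copy of the existing code; the run-id grammar (ASCII alphanumerics, 8 to 32 characters) is an assumption. The comparison shows an empty run_id and a suffixed schema passing the substring form, an unescaped dot in run_id passing the regex form, and only the canonical-equality form rejecting all three.

```python
import re

SCHEMA_PREFIX = "r2_b2_wb_"
# Assumed strict run-id grammar: ASCII alphanumerics only, bounded length.
RUN_ID_RE = re.compile(r"[A-Za-z0-9]{8,32}")


def defective_target_check(target_schema: str, run_id: str) -> bool:
    """Substring-membership form (illustrative reconstruction of the N12 defect)."""
    return run_id.lower() in target_schema


def regex_target_check(target_schema: str, run_id: str) -> bool:
    """Regex built from run_id without escaping: the alternative the review advises against."""
    return re.fullmatch(SCHEMA_PREFIX + run_id.lower(), target_schema) is not None


def canonical_target_check(target_schema: str, run_id: str) -> bool:
    """Canonical-equality form: validate run_id strictly, then compare exact strings."""
    if not isinstance(run_id, str) or RUN_ID_RE.fullmatch(run_id) is None:
        raise ValueError("run_id fails strict validation")
    if not isinstance(target_schema, str):
        return False
    return target_schema == SCHEMA_PREFIX + run_id.lower()


def compare(target_schema: str, run_id: str) -> tuple:
    """Return (substring, regex, canonical) so the divergence is visible;
    a run_id that fails validation counts as a canonical rejection."""
    try:
        canonical = canonical_target_check(target_schema, run_id)
    except ValueError:
        canonical = False
    return (defective_target_check(target_schema, run_id),
            regex_target_check(target_schema, run_id),
            canonical)
```

Only the canonical form needs no escaping logic and no reasoning about what other strings a pattern might accept, which is why the review prefers it.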

C6 — N16 must cover every emitted identifier

The requirement must cover all PostgreSQL identifiers generated by the future implementation, not only the schema and seven table names. Include indexes, constraints, sequences, triggers, policies, temporary names, and teardown-derived identifiers. Test UTF-8 bytes, deterministic truncation prohibition, and collision rejection.
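Added example, not project code: a Python check of the N16 requirement over every identifier a future implementation would emit. The generator is a constructed stand-in for that implementation (its naming scheme is an assumption); the validator measures UTF-8 bytes against the 63-byte PostgreSQL limit, rejects rather than truncates, and reports collisions after lowercase folding. Treating all roles as one collision domain is a deliberately conservative assumption, stricter than PostgreSQL's per-namespace rules. The multibyte sample shows a name that passes a character-count check and fails the byte check.

```python
PG_MAX_IDENTIFIER_BYTES = 63  # NAMEDATALEN (64) minus the terminator

# Constructed sample: 26 characters but 52 UTF-8 bytes.
SAMPLE_MULTIBYTE_TABLE = "ю" * 26


def generate_identifiers(schema: str, tables: list) -> dict:
    """Constructed stand-in for the future implementation's name generation:
    every PostgreSQL identifier it would emit, keyed by role."""
    idents = {"schema": schema}
    for t in tables:
        idents[f"table:{t}"] = t
        idents[f"constraint:{t}"] = f"{t}_pkey"
        idents[f"sequence:{t}"] = f"{t}_id_seq"
        idents[f"index:{t}"] = f"{t}_run_id_idx"
        idents[f"trigger:{t}"] = f"{t}_audit_trg"
        idents[f"policy:{t}"] = f"{t}_scope_policy"
        idents[f"temp:{t}"] = f"tmp_{t}_load"
        idents[f"teardown:{t}"] = f"{t}_drop_marker"
    return idents


def validate_identifiers(idents: dict) -> list:
    """Return a list of (role, reason, detail). Over-long names are rejected,
    never truncated; collisions are detected after lowercase folding."""
    errors, seen = [], {}
    for role, name in idents.items():
        if not isinstance(name, str) or not name:
            errors.append((role, "EMPTY", name))
            continue
        if "\x00" in name:
            errors.append((role, "INVALID_BYTE", name))
            continue
        nbytes = len(name.encode("utf-8"))
        if nbytes > PG_MAX_IDENTIFIER_BYTES:
            errors.append((role, "TOO_LONG", nbytes))
        folded = name.lower()
        if folded in seen:
            errors.append((role, "COLLISION", seen[folded]))
        else:
            seen[folded] = role
    return errors


def identifiers_acceptable(schema: str, tables: list) -> bool:
    """Fail-closed wrapper: any error means the whole generated set is rejected."""
    return validate_identifiers(generate_identifiers(schema, tables)) == []
```

The wrapper rejects the whole set on any error because a single truncated or colliding derived name (a trigger, a policy, a temp table) is enough to make teardown or conflict resolution ambiguous.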

C7 — S142B wording overclaims

Absence from the back-audit ledger plus missing primary source proves AUTHORIZATION_NOT_DEMONSTRATED, not a historical merits conclusion that the 142 are “demonstrably unsanctioned.” Keep them SOURCE_NOT_READ, outside governed ledger coverage, quarantined, and not callable sanctioned.

C8 — RS3B scope is incomplete in the recommendation

The next registrar design must explicitly include the dual-writer boundary between dot-dot-register and dot-catalog-sync, single-artifact criteria, and closed-at-registration semantics. These were required by the mission but are not all explicit in the final mandatory RS3B sub-block list.

5. Rejected RS3 Points

Rejected as currently written:

  • “signed envelope” when only an unkeyed hash is specified;
  • “exact columns an Owner Authority Envelope needs” when exact operation/artifact authorization is not stored or transitively proven;
  • replay rejection without a state owner and atomic consumption rule;
  • revocation_ref as a proven source field;
  • “demonstrably unsanctioned” for the 142 while the primary source is unread;
  • proceeding directly to RS3B before repairing the interfaces RS3B must consume.

The top-level scope, no-mutation claim, and registration HOLD are not rejected.

6. Block Boundary Assessment

| Block | Boundary result | Assessment |
|---|---|---|
| A. Owner Resolver | NEEDS_PATCH | Responsibility is isolated, but authority binding and authenticity are incomplete |
| B. Trusted Snapshot | NEEDS_PATCH | Candidate primitives and bounded scope are valid; attestation, chronology, and manifest integrity need correction |
| C. Validator Closure | NEEDS_PATCH | Pure-validator boundary is correct; replay and exact-identity responsibilities are blurred |
| D. Residue Disposition | PASS_WITH_WORDING_PATCH | Populations and no-action constraints are sound; S142B merits wording must be neutral |

No block mutates runtime. No mega-registry, mega-graph, mega-birth pipeline, or registrar implementation was introduced.

7. Owner Envelope Assessment

The field inventory is directionally complete, but the contract does not yet establish an authoritative envelope.

Required RS3-PATCH corrections:

  1. Add authenticity mechanism and issuer trust-root verification.
  2. Prove exact target/operation/artifact binding through existing ownership/APR/admission sources.
  3. Define canonical target identity and scope normalization.
  4. Resolve owner-kind vocabulary against the actual live/domain constraint; do not invent enum values in comments.
  5. Define supersession-chain cycle/missing-head behavior.
  6. Define revocation from a proven source.
  7. Separate freshness validation from stateful nonce consumption.
  8. Reject if any binding is unavailable; do not synthesize it from caller input.

Current outcome: OWNER_ENVELOPE_INSUFFICIENT as an accepted baseline, while correctly fail-closed at runtime because no owner rows exist.

8. Snapshot Envelope Assessment

Accepted: caller-supplied equality is insufficient; a bounded manifest is preferable to a full-DB snapshot; observer independence, freshness, completeness, same-observer continuity, and canonicalization are necessary.

Required additions:

  • manifest identity/hash/version and authorization, so a caller cannot shrink the protected set;
  • explicit operation phase and chronology: before capture must precede the bounded operation, after capture must follow it, both bound to the same attempt;
  • snapshot sequence/monotonicity and clock-skew policy;
  • separate per-surface evidence or a deterministic Merkle/canonical aggregate that identifies which surface drifted;
  • proof that the observer credential/process is independent, not only a different string ID;
  • write-set evidence provenance for append-only tables;
  • authenticity/key fields consistent with C1;
  • reject future timestamps, reversed intervals, duplicate snapshot refs, unknown algorithms, and manifest substitution.

wf_fs_dot_bin_snapshot covers filesystem observations and is only a candidate primitive. It does not by itself prove all 11 database/system surfaces.
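Added example, not part of Block B or any existing snapshot primitive: a Python check of the manifest-integrity and chronology requirements listed above. The manifest, surface names, digests, and snapshot field names are constructed for the example; the authorized manifest hash is assumed to come from an authority-controlled record rather than from the caller. Per-surface digests are kept alongside a deterministic aggregate so that a verdict can name which surface drifted, and the checks run in the order the review requires: manifest authority, attempt binding, observer continuity, sequence, chronology, surface set, then drift. The observer check binds continuity only; independence of the observer credential has to be proven outside this function.

```python
import hashlib
import json

# Constructed manifest (assumption); surface names are sample values.
MANIFEST = {"version": 1, "surfaces": ["governance_object_ownership", "dot_catalog",
                                        "wf_fs_dot_bin_snapshot"]}


def manifest_hash(manifest: dict) -> str:
    """Hash of the canonical manifest: version plus sorted surface list."""
    canon = json.dumps({"version": manifest["version"], "surfaces": sorted(manifest["surfaces"])},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


# Assumed to be read from an authority-controlled record, never from the request.
AUTHORIZED_MANIFEST_HASH = manifest_hash(MANIFEST)

# Constructed per-surface digests for a clean (unchanged) pair of captures.
CLEAN = {"governance_object_ownership": "d0", "dot_catalog": "d1", "wf_fs_dot_bin_snapshot": "d2"}


def aggregate_digest(surfaces: dict) -> str:
    """Deterministic aggregate over per-surface digests, independent of dict order."""
    canon = json.dumps(sorted(surfaces.items()), separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def make_snapshot(ref: str, seq: int, captured_at: float, digests: dict,
                  observer: str = "observer-b", attempt: str = "attempt-1") -> dict:
    """Constructed snapshot envelope shape (assumption)."""
    return {"snapshot_ref": ref, "attempt_id": attempt, "observer_id": observer,
            "manifest_hash": AUTHORIZED_MANIFEST_HASH, "seq": seq,
            "captured_at": captured_at, "surfaces": dict(digests),
            "aggregate": aggregate_digest(digests)}


def verify_snapshot_pair(manifest: dict, authorized_hash: str, before: dict, after: dict,
                         op_start: float, op_end: float, attempt_id: str) -> tuple:
    """Returns (verdict, drifted_surfaces)."""
    mh = manifest_hash(manifest)
    if mh != authorized_hash:
        return "REJECT_MANIFEST_SUBSTITUTION", []   # caller-supplied manifest shrunk or swapped
    if before["manifest_hash"] != mh or after["manifest_hash"] != mh:
        return "REJECT_MANIFEST_MISMATCH", []
    if before["attempt_id"] != attempt_id or after["attempt_id"] != attempt_id:
        return "REJECT_ATTEMPT_MISMATCH", []
    if before["observer_id"] != after["observer_id"]:
        return "REJECT_OBSERVER_DISCONTINUITY", []
    if before["snapshot_ref"] == after["snapshot_ref"]:
        return "REJECT_DUPLICATE_SNAPSHOT_REF", []
    if not before["seq"] < after["seq"]:
        return "REJECT_SEQUENCE", []
    # Before-capture must precede the bounded operation; after-capture must follow it.
    if not (before["captured_at"] <= op_start <= op_end <= after["captured_at"]):
        return "REJECT_CHRONOLOGY", []
    expected = set(manifest["surfaces"])
    if set(before["surfaces"]) != expected or set(after["surfaces"]) != expected:
        return "REJECT_SURFACE_SET", []   # missing, unknown, or duplicate-by-rename surface
    if before["aggregate"] != aggregate_digest(before["surfaces"]) \
            or after["aggregate"] != aggregate_digest(after["surfaces"]):
        return "REJECT_AGGREGATE_MISMATCH", []
    drifted = sorted(s for s in expected if before["surfaces"][s] != after["surfaces"][s])
    return ("DRIFT", drifted) if drifted else ("OK", [])
```

A bare aggregate equality would only say "something changed"; keeping the per-surface digests is what lets the verdict say which of the protected surfaces moved.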

9. Validator and Bad-Input Assessment

N07/N12/N16/N22 closure direction is correct, but matrix K–O is not sufficient for the proposed envelope contract.

Add adversarial cases for:

  • invalid/missing signature or MAC, unknown/revoked key, unsupported canonicalization version;
  • valid hash over fabricated payload;
  • ownership row valid but APR bound to another target/operation/artifact;
  • future issued_at, expires_at < issued_at, excessive clock skew;
  • nonce reused at registrar atomic boundary and retry after rollback;
  • supersession cycle or missing chain head;
  • manifest substitution/shrink, duplicate surface, unknown surface, mixed canonicalization;
  • after-capture earlier than before-capture or both captured before execution;
  • cross-envelope mismatch for scope, actor/principal, attempt ID, version, and trust domain;
  • all generated identifiers at 63/64-byte boundaries and collision-shaped multibyte inputs;
  • mapping subclasses with hostile accessors, oversized nesting, and total input-size/depth limits.

No validator patch or test run is authorized by this review.

10. Residue Disposition Assessment

The 18 auto-apply-function population is packet-supported as scanner_apply_without_vote; the 8 system_auto_approve split is sufficiently precise for criteria-only work. Neither is ratified by this report.

For the 142 orchestrator-s142b rows, the only safe classification is:

SOURCE_NOT_READ · OUTSIDE_BACK_AUDIT_LEDGER · AUTHORIZATION_NOT_DEMONSTRATED · QUARANTINE_PENDING_SOURCE_AND_OWNER

No bulk delete, relabel, merge, or ratification is allowed. S142B primary source recovery and Điều 35 14-health read-only re-verification remain prerequisites to any later disposition decision.

11. Integration Envelope Assessment

The shared field set is incomplete and issuer ownership is ambiguous.

RS3-PATCH must publish a producer/consumer matrix for:

  • canonical target and scope;
  • operation;
  • artifact_hash plus hash/canonicalization version;
  • run_id and a separate registration attempt_id/correlation ID;
  • actor/principal and delegated authority identity;
  • issuer, audience, trust domain, envelope type/version;
  • issued/expires timestamps and clock policy;
  • nonce issuer and stateful consumer;
  • signature/MAC, algorithm, key ID, key-status reference;
  • source refs and decision ref.

An untrusted request may propose run_id, target, and operation, but it does not “issue” trusted values. Each trusted producer must attest its own view, and the validator/registrar must reject any mismatch. Snapshot Block B must also bind operation and scope, not only target/hash/run.

12. Next Macro Decision

Option D — Need RS3-PATCH first.

Single next macro:

RS3-PATCH1-AUTHENTICITY-BINDING-REPLAY-AND-INTEGRATION-CORRECTION

Mode: read-only / KB-design correction only. Timebox: 60–90 minutes. Owner approval to start: not required.

One bounded deliverable must:

  1. correct envelope authenticity and canonical encoding;
  2. prove owner/APR exact operation-target-artifact binding or fail closed;
  3. assign replay state ownership and atomic consumption;
  4. correct snapshot manifest integrity and chronology;
  5. expand validator adversarial criteria and exact identifier coverage;
  6. neutralize S142B overclaim;
  7. repair the integration producer/consumer matrix;
  8. restate the complete later RS3B scope, including registrar/catalog-sync dual-writer ownership.

After Codex accepts that patch, proceed to RS3B-REGISTRAR-HARDENING-DESIGN, front-loaded with registrar implementation-source recovery. Do not start RS-VALIDATOR-HARDENING or residue mutation from this review.

13. Must-Not-Do Confirmation

Confirmed no runtime mutation, DDL/DML, manual SQL, psql, docker-exec psql, Directus mutation, DOT registration/wiring/run, schema/registry/table/collection creation, validator patch, Điều 32/35 patch, gate flip, APR creation/approval, Owner claim, registrar implementation, Macro-9A/9C, B2 producer build, current-corpus creation, source-law edit, adoption, RISK-BYPASS clearance, S142B sanction claim, 18/142 merge, or activation.

The only write is this Codex report to the official AgentData KB path.

14. Self-Check

| Check | Result |
|---|---|
| RS3-BUNDLE full read | PASS — rev1 / 55,709 |
| Prior Codex gate read | PASS — rev1 / 17,282 |
| Five carried caveats checked | PASS |
| Four LEGO blocks checked | PASS |
| Owner envelope checked | FAIL_BASELINE — patch required |
| Snapshot envelope checked | FAIL_BASELINE — patch required |
| Validator N07/N12/N16/N22 checked against source | PASS_WITH_CORRECTIONS |
| Matrix K–O checked | INSUFFICIENT — additions required |
| Residue criteria checked | PASS_WITH_WORDING_PATCH |
| Integration envelope checked | INSUFFICIENT — patch required |
| Single next macro selected | PASS — RS3-PATCH1 |
| Registration HOLD retained | PASS |
| No-mega / reuse-first / DOT-only retained | PASS |
| Codex live runtime read | NO — NO_CODEX_LIVE_READ |

Three Declarations

  • Permanent/root-cause: require cryptographically or authority-store authenticated evidence and exact transitive binding, rather than trusting copied fields and recomputable hashes.
  • Cannot be mistaken: every absent binding, unknown key, unowned replay state, manifest mismatch, or source gap rejects; no caller assertion upgrades itself into authority.
  • 100% automatic: not claimed. Automation cannot be claimed until future governed components enforce the corrected envelopes, atomic replay rule, and independent verification.

OR/TD/handoff update: not required; this is an independent non-enacting review with no runtime, law, or implementation change.

15. Final Verdict

NEED_RS3_PATCH.

Proceed only to RS3-PATCH1-AUTHENTICITY-BINDING-REPLAY-AND-INTEGRATION-CORRECTION. Registration remains HOLD; REGISTRATION_CAN_PROCEED = NO.
