KB-5822

Codex Review — RS3-PATCH1 Authenticity / Binding / Replay / Integration Correction — 2026-06-21

Revision 1


Reviewer: Codex, independent source review
Mode: read-only review; no implementation; no runtime mutation
Final verdict: NEED_RS3_PATCH2
Stop state: RS3_PATCH1_NEEDS_FIX · REGISTRATION_HOLD
Registration: REGISTRATION_CAN_PROCEED = NO
Codex runtime evidence: NO_CODEX_LIVE_READ

RS3-PATCH1 corrects most of the design direction and shows no scope drift. However, it does not yet close enough of the HOLD to open RS3B: replay uniqueness/domain still lacks a sufficiently strict fail-closed contract; the QT001 reuse precedent is stated more strongly than the evidence supports; the P–X adversarial matrix still has no test criterion for several failure modes that Codex requested directly; and some integration rows assign an authenticity model before an authority-controlled carrier/producer has been proven.


1. Source register

| Source | Read mode | Result / use |
| --- | --- | --- |
| knowledge/dev/laws-new/reports/macro-rs3-patch1-authenticity-binding-replay-and-integration-correction-2026-06-21.md | FULL, AgentData KB, rev1, 66,237 chars | Primary target |
| knowledge/dev/laws-new/reports/codex/codex-review-rs3-bundle-owner-resolver-trusted-snapshot-validator-envelope-residue-disposition-2026-06-20.md | FULL, AgentData KB, rev1, 18,133 chars | Previous HOLD and mandatory closure criteria |
| knowledge/dev/laws-new/reports/macro-rs3-bundle-owner-resolver-trusted-snapshot-validator-envelope-residue-disposition-criteria-2026-06-20.md | Targeted AgentData read | Original RS3 claims and envelope |
| knowledge/dev/laws-new/reports/codex/codex-review-rs2-patch1-existing-registrar-reuse-and-atomic-registration-boundary-2026-06-20.md | AgentData read | Prior registrar gate |
| knowledge/dev/laws-new/reports/macro-rs2-patch1-existing-registrar-reuse-and-atomic-registration-boundary-correction-2026-06-20.md | Targeted AgentData read | Registrar/dual-writer/interface-F design baseline |
| dot-r2-b2-staging-schema-shell.validator.py | FULL, AgentData KB, rev2, 14,415 chars | Actual validator behavior |
| dot-schema-write-guards.contract.md | FULL, AgentData KB, rev2, 11,333 chars | Guard provenance semantics |
| dot-r2-b2-staging-schema-shell.contract.md | FULL, AgentData KB, rev2, 12,095 chars | Staging shell contract |
| dot-r2-b2-bad-input-matrix.md | FULL, AgentData KB, rev2, 8,971 chars | Existing 64-case matrix |
| dot-r2-b2-validator-test-run-v2.txt | FULL, AgentData KB, rev1, 10,292 chars | Existing local 64/64 evidence only |
| dot-r2-b2-staging-schema-shell-birth-admission-2026-06-19.md | FULL, AgentData KB, rev9, 19,500 chars | Admission/HOLD state |
| knowledge/dev/ssot/operating-rules.md | Direct AgentData search/read | v7.58 active; unknown = fail/STOP; Assembly First |
| knowledge/dev/laws/constitution.md | Direct AgentData search/read | v4.6.3 BAN HÀNH (promulgated) |
| laws-new/LEGO sources requested in mission | Direct AgentData search/read | Reuse-first, no shadow registry, DOT-only boundary retained |
| Runtime tables/views/functions listed by mission | Not read live by Codex | NO_CODEX_LIVE_READ; Claude live-read claims are packet evidence, not independent Codex live proof |

No source required for the findings below was substituted with local prose. No unavailable live fact is promoted to Codex-proven production fact.


2. Accepted RS3-PATCH1 points

  1. It correctly removes “signed” semantics and chooses HASH_BOUND_AUTHORITY_ROW / HASH_BOUND_OBSERVER_ROW, not cryptographic signature/MAC.
  2. It correctly limits evidence_hash to integrity/binding within an attempt; hash alone is not authenticity.
  3. It correctly concludes OWNER_BINDING_FAIL_CLOSED_UNTIL_APR_PAYLOAD_SUPPORT.
  4. It removes invented revocation_ref and uses actual lifecycle/supersession vocabulary.
  5. It keeps the pure validator out of replay-state ownership.
  6. It assigns registrar Phase 1 as the intended replay-state owner; that is the correct architectural layer.
  7. It keeps the wf_*_snapshot family as reuse candidates only and states SNAPSHOT_MANIFEST_SOURCE_UNPROVEN.
  8. Its MF manifest/chronology criteria materially improve the earlier bundle.
  9. It adds P–X categories without patching the validator or claiming a new test run.
  10. It uses the required neutral S142B wording.
  11. Its RS3B scope is a coherent 60–90 minute design macro, LEGO-bounded and non-implementing.
  12. It keeps REGISTRATION_HOLD.

3. Corrected RS3-PATCH1 points

3.1 QT001 is a candidate precedent, not authenticity proof

The QT001 signoff family demonstrates a useful shape: checksum/binding fields, reviewer/signoff rows, lifecycle and guard views. That is enough for REUSE_CANDIDATE_PRECEDENT.

It does not, from the evidence reviewed, prove all of:

  • authority-controlled writer identity;
  • immutable/append-only enforcement;
  • trusted readback enforcement at the consuming boundary;
  • independence of the observer process/credential;
  • prevention of a caller from supplying both claim and attestation.

Therefore “implements exactly” or “proves reusable authenticity” must be downgraded. Reuse remains preferred and no new registry is authorized.

3.2 Lifecycle is source-backed state vocabulary, not proven transition authority

active/superseded/revoked/expired and supersedes_id are valid source-backed semantics. But the writer/transition authority and durable audit provenance were not independently proven by Codex. Resolver criteria may consume these facts only after the governing writer and active-head constraints are proved; otherwise reject.

3.3 Replay surface shape does not yet provide nonce single-use

UNIQUE(idempotency_key, attempt_no) rejects a duplicate exact pair. It does not by itself reject reuse of the same nonce/idempotency key under a new attempt_no, nor does it prove the key is canonically bound to operation, target, artifact, owner resolution and run.

The PATCH1 phrase SURFACE_SHAPE_PROVEN is acceptable only as storage-shape evidence. It is not sufficient for REPLAY_STATE_OWNER_ASSIGNED to be treated as a closed contract. Phase 1 is the correct owner, but the atomic consume rule and uniqueness domain remain open.

3.4 Integration authenticity labels must follow proven producer/carrier state

Where artifact_hash, snapshot references, timestamps or attestation references have only a candidate carrier or an unproven authority writer, the matrix status must be SOURCE_UNPROVEN / FAIL_CLOSED, not already HASH_BOUND_AUTHORITY_ROW. The latter is the selected target model, not a current proven property.


4. Rejected RS3-PATCH1 points

The following closure implications are rejected:

  1. Replay HOLD closed: rejected. Exact-pair uniqueness is not single-use replay protection.
  2. QT001 proves the authenticity model is reusable as-is: rejected. It proves a candidate row/binding pattern only.
  3. P–X is a complete adversarial closure matrix: rejected. Categories exist, but several explicitly required cases are absent.
  4. Every integration field already has a trusted producer/auth model: rejected where carrier/writer authority remains unproven.
  5. RS3B may start immediately: rejected until the localized PATCH2 contract correction is reviewed.

These are localized trust-envelope defects, not grounds for REJECT_RS3_PATCH1_SCOPE_DRIFT or wholesale source rejection.


5. Codex HOLD closure assessment

| HOLD item | Assessment |
| --- | --- |
| Hash is not signature | CLOSED_AS_CRITERIA |
| Authenticity model explicit | PARTIAL — model is correct; precedent/provenance wording needs correction |
| Owner row does not authorize exact operation/artifact | CLOSED_FAIL_CLOSED |
| Invented revocation_ref | CLOSED |
| Source-backed lifecycle/supersession | PARTIAL — vocabulary/source accepted; transition authority unproven |
| Replay state owner / atomic single-use | OPEN |
| N12 canonical equality | CLOSED_AS_REQUIRED_VALIDATOR_CRITERION, not engineering closure |
| N16 every emitted identifier | CLOSED_AS_REQUIRED_VALIDATOR_CRITERION, not engineering closure |
| Snapshot manifest integrity/chronology | PARTIAL — design criteria strong; provider and several negative cases remain open |
| Validator adversarial matrix | OPEN/PARTIAL |
| Integration producer/consumer matrix | OPEN/PARTIAL |
| S142B neutral wording | CLOSED |
| RS3B scope completeness | CLOSED_AS_SCOPE, but RS3B remains gated behind PATCH2 |

6. Authenticity model assessment

There is no Codex live proof of a signature/MAC/key trust root. PATCH1 correctly avoids claiming one.

The target contract should remain:

  • HASH_BOUND_AUTHORITY_ROW: a hash/binding record is authentic only because a proven authority-controlled writer creates an immutable or governance-controlled row and the consumer rereads that row from the authority store.
  • HASH_BOUND_OBSERVER_ROW: analogous, but also requires observer credential/process independence and a write path the subject under observation cannot forge.
  • evidence_hash: integrity and equality binding only; never signer identity.

A view named “guard” is not automatically enforcement. Writer grants, constraints/triggers or equivalent governed write-path evidence, and consumer readback behavior are required before the model becomes proven.

No new registry is required or authorized. Reuse-first remains mandatory.


7. Owner/APR binding assessment

PATCH1's fail-closed conclusion is correct:

  • governance_object_ownership does not itself bind exact operation plus artifact hash.
  • approval_requests does not provide a proven artifact-hash authority binding.
  • The enumerated action surface does not establish register_dot.
  • A caller-provided/free-text proposed_action_code is a proposal, not authority.
  • Caller-supplied target/operation/artifact values must never be synthesized into an attestation and then accepted as if independently authorized.

The allowed result is therefore no owner authorization until an authority payload/source binds, at minimum, canonical operation, canonical target, deployed artifact hash, request/approval identity, active owner head and applicable lifecycle state. Missing, ambiguous, inactive or cyclic chains reject.


8. Revocation and supersession assessment

Accepted:

  • revocation_ref is removed.
  • lifecycle_status='revoked', plus active/superseded/expired semantics, are source-backed packet facts.
  • Active-head resolution must reject cycle, missing link, multiple active heads, inactive head and ambiguous head.
  • Owner-kind vocabulary must match the actual source enum; no invented value.

Caveat:

  • The presence of lifecycle columns does not prove who can transition them or whether transition history is tamper-resistant. PATCH2 must state this as an authority prerequisite, not invent a new revocation store.
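As an added illustration (not the project's own resolver) of the active-head rejection rules above: a resolver over constructed owner rows that carry the source-backed lifecycle vocabulary and a supersedes_id link. The row layout is assumed, and OWNER_KINDS is a constructed placeholder for the actual source enum.

```python
LIFECYCLE = {"active", "superseded", "revoked", "expired"}  # source-backed vocabulary
OWNER_KINDS = {"team", "service"}  # constructed placeholder for the actual source enum

def resolve_active_head(rows):
    # rows: {row_id: {"lifecycle_status", "supersedes_id", "owner_kind"}} (assumed layout).
    # Returns ("OK", head_id) or ("REJECT", reason); every unknown or ambiguous
    # state rejects, matching the active-head rules in section 8.
    for rid, row in rows.items():
        if row["lifecycle_status"] not in LIFECYCLE:
            return ("REJECT", f"unknown lifecycle_status on {rid}")
        if row["owner_kind"] not in OWNER_KINDS:
            return ("REJECT", f"owner_kind on {rid} is not in the source enum")
        link = row["supersedes_id"]
        if link is not None and link not in rows:
            return ("REJECT", f"missing link: {rid} supersedes unknown row {link}")
    for start in rows:  # a repeated id while walking supersedes_id means a cycle
        seen, cur = set(), start
        while cur is not None:
            if cur in seen:
                return ("REJECT", f"cycle in supersession chain through {cur}")
            seen.add(cur)
            cur = rows[cur]["supersedes_id"]
    superseded = {r["supersedes_id"] for r in rows.values()} - {None}
    heads = [rid for rid in rows if rid not in superseded]
    active = [rid for rid, r in rows.items() if r["lifecycle_status"] == "active"]
    if not heads:
        return ("REJECT", "no owner rows")
    if len(active) > 1:
        return ("REJECT", "multiple active heads")
    if len(heads) > 1:
        return ("REJECT", "ambiguous head: more than one unsuperseded row")
    head = heads[0]
    if not active:
        return ("REJECT", f"inactive head: {head} is {rows[head]['lifecycle_status']}")
    if active != [head]:
        return ("REJECT", f"ambiguous head: active row {active[0]} is superseded")
    return ("OK", head)

def sample_rows(head_status="active", head_link="r1"):
    # Constructed two-row chain: r2 supersedes r1; the parameters build the negative cases.
    return {"r1": {"lifecycle_status": "superseded", "supersedes_id": None, "owner_kind": "team"},
            "r2": {"lifecycle_status": head_status, "supersedes_id": head_link, "owner_kind": "team"}}
```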

9. Replay / nonce assessment

The validator should validate shape, canonical bindings, freshness and referenced-attestation structure. It must not own mutable nonce state.

Registrar Phase 1 is the correct intended owner because registration needs an atomic fail-closed consume before any registration-visible commit. But the contract still needs all of the following in one canonical rule:

replay_key = H(protocol_version, nonce/idempotency_key, canonical_operation, canonical_target, deployed_artifact_hash, owner_or_approval_binding, run_id)

The rule must define:

  • which component is unique for single use;
  • whether an exact retry returns the prior result or creates a new attempt;
  • why changing attempt_no cannot bypass single-use;
  • TTL/freshness interaction;
  • atomic insert/consume and conflict behavior;
  • rollback behavior before and after the replay record commits;
  • which proven writer owns the state.

Until the existing iu_route_attempt surface is shown to enforce that domain—or is rejected as unfit—replay remains WRITER_AUTHORITY_AND_DOMAIN_FIT_UNPROVEN.
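An added example, not code from RS3-PATCH1 or the registrar, showing the gap from section 3.3 beside the single-use rule this section asks for: an in-memory SQLite stand-in for the pair-unique iu_route_attempt shape accepts the same nonce again under a new attempt_no, while a nonce-unique table consumed under BEGIN IMMEDIATE returns the prior result on an exact retry and rejects reuse under a different canonical binding. The table layouts, the PROTOCOL_VERSION label and all sample values are constructed.

```python
import hashlib
import json
import sqlite3
PROTOCOL_VERSION = "example-v1"  # constructed label, not a project constant

def replay_key(nonce, operation, target, artifact_hash, owner_binding, run_id):
    # Section 9 domain: fixed-order hash of all binding components, not just the nonce.
    material = json.dumps([PROTOCOL_VERSION, nonce, operation, target, artifact_hash,
                           owner_binding, run_id], separators=(",", ":"))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def new_store():
    # Constructed pair-unique shape (iu_route_attempt stand-in) beside a nonce-unique table.
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    conn.execute("CREATE TABLE pair_attempt (idempotency_key TEXT NOT NULL, "
                 "attempt_no INTEGER NOT NULL, UNIQUE(idempotency_key, attempt_no))")
    conn.execute("CREATE TABLE single_use (nonce TEXT PRIMARY KEY, "
                 "replay_key TEXT NOT NULL, result TEXT NOT NULL)")
    return conn

def insert_pair(conn, key, attempt_no):
    # UNIQUE(idempotency_key, attempt_no) rejects only the exact pair.
    try:
        conn.execute("INSERT INTO pair_attempt VALUES (?, ?)", (key, attempt_no))
        return "ACCEPTED"
    except sqlite3.IntegrityError:
        return "REJECTED_DUPLICATE_PAIR"

def consume(conn, nonce, rkey, do_registration):
    # Atomic fail-closed consume: nonce is the single-use component, an exact retry
    # (same replay_key) returns the stored result, any other reuse is rejected.
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before reading
    try:
        row = conn.execute("SELECT replay_key, result FROM single_use WHERE nonce = ?",
                           (nonce,)).fetchone()
        if row is None:
            result = do_registration()  # registration work stays inside the txn
            conn.execute("INSERT INTO single_use VALUES (?, ?, ?)", (nonce, rkey, result))
            conn.execute("COMMIT")
            return ("CONSUMED", result)
        conn.execute("ROLLBACK")  # nothing registration-visible on the reject path
        if row[0] == rkey:
            return ("EXACT_RETRY_PRIOR_RESULT", row[1])
        return ("REJECT_NONCE_REUSED_WITH_DIFFERENT_BINDING", None)
    except Exception:
        conn.execute("ROLLBACK")  # work failed before the replay record committed
        raise

def demonstrate():
    conn = new_store()
    pair = [insert_pair(conn, "n1", a) for a in (1, 1, 2)]  # third call bypasses the pair rule
    k_a, k_b = (replay_key("n1", "register_dot", "dot:x", h, "apr:1", "run:1")
                for h in ("sha256:aaa", "sha256:bbb"))
    single = [consume(conn, "n1", k, lambda r=r: r) for k, r in
              ((k_a, "registered:aaa"), (k_a, "registered:again"), (k_b, "registered:bbb"))]
    return pair, single
```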


10. Snapshot manifest / chronology assessment

The snapshot sources are correctly treated as candidates, not trusted providers.

The MF criteria cover much of the necessary contract: manifest identity/hash/version/authorization, declared surface set, per-surface provenance, attempt binding, before/after phases, monotonic sequence, time ordering, operation/scope binding, and observer independence.

However, manifest criteria and adversarial cases are not the same closure. The P–X matrix needs explicit reject cases for at least:

  • unauthorized manifest issuer/writer;
  • snapshot from a different attempt;
  • future timestamp / clock-skew violation;
  • duplicate snapshot reference for the same (attempt, phase);
  • operation or scope not bound to the snapshot;
  • observer credential/process not independent;
  • aggregate-manifest versus per-surface membership mismatch;
  • absent write-set provenance.

Thus SNAPSHOT_MANIFEST_SOURCE_UNPROVEN remains correct, and engineering/trust closure is not achieved.


11. Validator adversarial matrix assessment

The existing source test evidence is only the prior local 64/64 run. It does not execute P–X.

The actual validator still has known gaps relevant to this review:

  • target validation uses normalized substring membership after regex matching, not required canonical equality;
  • validate_request reads .get before proving the request is a mapping;
  • every emitted identifier is not checked by UTF-8 byte length;
  • owner evidence is effectively non-empty input, not an authority read;
  • Guard 3 compares supplied before/after structures and does not prove their runtime provenance.

PATCH1 correctly does not patch the validator. But its P–X matrix is incomplete because the snapshot/manifest cases listed in section 10 are missing as explicit adversarial cases. Therefore it may be called a matrix framework, not complete validator closure.
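An added example (not the validator's own code) of the fail-closed checks that the validator gaps listed above call for: canonical equality instead of substring membership, a mapping check before any .get, and a UTF-8 byte-length check on every emitted identifier. The canonical form, MAX_IDENT_BYTES and ALLOWED_TARGETS are constructed assumptions; the page states no limit or allow-list.

```python
import unicodedata

MAX_IDENT_BYTES = 63  # constructed limit for the example; the page states no figure
ALLOWED_TARGETS = ("dot_registry", "dot_staging")  # constructed allow-list

def canonical(value):
    # Constructed canonical form: NFC-normalized, trimmed, case-folded.
    return unicodedata.normalize("NFC", value).strip().casefold()

def target_match_substring(requested, allowed):
    # The gap under review: normalized substring membership, which lets a
    # fragment such as "dot" pass against "dot_registry".
    req = canonical(requested)
    return any(req in canonical(a) for a in allowed)

def target_match_canonical(requested, allowed):
    # Required N12 criterion: canonical equality with an allowed target.
    return canonical(requested) in {canonical(a) for a in allowed}

def validate_request(request, allowed=ALLOWED_TARGETS):
    # Fail-closed order: prove the request is a mapping before any .get, require
    # canonical target equality, then check every emitted identifier by UTF-8
    # byte length (N16), not by character count.
    if not isinstance(request, dict):
        return ("REJECT", "request is not a mapping")
    target = request.get("target")
    if not isinstance(target, str) or not target_match_canonical(target, allowed):
        return ("REJECT", "target is not canonically equal to an allowed target")
    emitted = {"target": canonical(target), "idempotency_key": request.get("idempotency_key")}
    for name, value in emitted.items():
        if not isinstance(value, str) or not value:
            return ("REJECT", f"{name} missing or not a string")
        if len(value.encode("utf-8")) > MAX_IDENT_BYTES:
            return ("REJECT", f"{name} exceeds {MAX_IDENT_BYTES} UTF-8 bytes")
    return ("ACCEPT", emitted)
```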


12. Integration producer/consumer matrix assessment

The matrix is materially better than RS3-BUNDLE because it names producer, consumer, source, auth model, TTL/replay and reject behavior.

Remaining correction:

  • request-proposed values and trusted-attested values must be separate fields/namespaces;
  • every consumer must reread the trusted row rather than trust a caller-carried copy;
  • artifact_hash cannot be HBA until interface F resolves the deployed artifact and an authority-controlled carrier/writer is proven;
  • snapshot operation/scope/attempt bindings must be explicit producer-to-consumer edges;
  • issuer timestamps are not trusted merely because they parse;
  • missing producer, unknown carrier, stale row, mismatch or ambiguous authority must reject.

The integration matrix is therefore SUFFICIENT_STRUCTURE / INSUFFICIENT_PROVENANCE.


13. S142B wording assessment

Required wording is present and accepted:

SOURCE_NOT_READ · OUTSIDE_BACK_AUDIT_LEDGER · AUTHORIZATION_NOT_DEMONSTRATED · QUARANTINE_PENDING_SOURCE_AND_OWNER

It does not call S142B sanctioned or demonstrably unsanctioned. It does not merge 142 with 18 and does not ratify, relabel or delete either set. This HOLD item is closed.


14. Single next macro decision

Selected option: B — RS3-PATCH2-REPLAY-DOMAIN-AUTHORITY-PROVENANCE-AND-ADVERSARIAL-COMPLETENESS-CORRECTION

This is one 60–90 minute correction macro, not a list of independent microtasks. Its single output must revise the trust envelope end-to-end by:

  • pinning the canonical replay/single-use domain and exact-retry/rollback semantics against the actual iu_route_attempt surface;
  • downgrading QT001 and all unproven carriers from proven authenticity to candidate/fail-closed status until writer and consumer-readback authority are evidenced;
  • completing the missing manifest/chronology/observer adversarial cases in P–X;
  • making integration auth labels consistent with the proven source/carrier state.

No implementation, schema, APR, validator patch or runtime mutation belongs in PATCH2. After Codex accepts PATCH2, the next eligible macro is the already-sized RS3B-REGISTRAR-HARDENING-DESIGN.


15. Must-not-do confirmation

This review performed no runtime mutation, DDL, DML, SQL, psql, Docker psql, Directus create/update/delete, DOT register/wire/run, schema creation, APR creation/approval, owner claim, gate flip, validator patch, Đ32/Đ35 patch, activation, registry creation, Macro-9A/9C work, B2 producer work or registrar implementation.

It did not treat hash as signature, caller input as authority, validator as replay owner, snapshot candidate as trusted provider, or S142B as sanctioned/unsanctioned.

The only write is this new KB report.


16. Self-check

| Check | Result |
| --- | --- |
| RS3-PATCH1 read full | PASS |
| Previous Codex RS3 HOLD read full | PASS |
| Hash/signature checked | PASS |
| Authenticity model checked | PASS_WITH_CORRECTION |
| Owner/APR binding checked | PASS |
| Revocation/supersession checked | PASS_WITH_CAVEAT |
| Replay/nonce owner and uniqueness checked | FAIL_CLOSED / PATCH2 REQUIRED |
| Snapshot manifest/chronology checked | PARTIAL / PATCH2 REQUIRED |
| Validator P–X checked | INCOMPLETE |
| Integration matrix checked | INCOMPLETE_PROVENANCE |
| S142B wording checked | PASS |
| RS3B scope checked for 60–90 min size | PASS |
| Registration HOLD retained | PASS |
| LEGO/no-mega/reuse-first retained | PASS |
| DOT-only retained | PASS |
| Codex live runtime read | NO — NO_CODEX_LIVE_READ |

Three declarations

  • Root-cause/permanent: authenticity and replay must derive from authority-controlled state, canonical domain binding and atomic consumer behavior; hashes and caller-carried evidence cannot substitute for authority.
  • Temporary: retain REGISTRATION_HOLD, fail closed on missing/ambiguous authority, snapshot provenance or replay state.
  • Reuse/no-duplication: harden existing registrar, APR/ownership, QT001 candidate patterns, snapshot candidates and replay surfaces where proven fit; create no shadow registry or parallel authority system.

17. Final verdict

NEED_RS3_PATCH2

RS3-PATCH1 is directionally correct and closes hash wording, owner fail-closed behavior, invented revocation reference, S142B wording and RS3B scope. It does not yet close replay single-use/domain semantics, authority provenance overclaims, or complete adversarial/integration coverage. Therefore:

  • READY_FOR_RS3B = NO
  • REGISTRATION_CAN_PROCEED = NO
  • REGISTRATION_HOLD remains mandatory.