KB-FD85

Codex Review — RS3-PATCH2 Replay Domain / Authority Provenance / Adversarial Completeness — 2026-06-21


STATUS: PASS_WITH_CAVEATS
VERDICT: ACCEPT_RS3_PATCH2_AND_PROCEED_TO_RS3B
RS3B gate: READY_FOR_RS3B
Registration gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO
Runtime observation: NO_CODEX_LIVE_READ
Class: independent read-only review · non-enacting · non-authorizing · no implementation · no runtime mutation
Date: 2026-06-21

1. Verdict

RS3-PATCH2 closes the RS3-PATCH1 HOLD sufficiently to open the large read-only RS3B-REGISTRAR-HARDENING-DESIGN macro.

The acceptance is scoped. PATCH2 correctly proves that the available replay surface is unfit, demotes QT001 and other unproven carriers, completes the requested snapshot/integration adversarial criteria, and keeps every unproven path fail-closed. It does not prove a working replay store, authority carrier, snapshot provider, registrar, or registration path.

Two replay-contract corrections are mandatory inputs to RS3B, but do not require PATCH3 because no runtime surface is claimed ready and registration remains blocked:

  1. separate logical idempotency, authorization nonce single-use, and execution-attempt identity;
  2. make transaction/rollback semantics internally consistent and retain consumed-state evidence independently of request freshness.

2. Source Register

| Source | Revision / length | Read status | Evidence tier | Use |
|---|---|---|---|---|
| RS3-PATCH2 target | rev1 / 58,461 | FULL_READ | REVIEW TARGET | Replay, carrier classification, SC-01…19, P2 matrix, RS3B gate |
| Codex RS3-PATCH1 HOLD | rev1 / 18,531 | FULL_READ | PRIOR GATE | Eight required corrections |
| RS3-PATCH1 report | rev1 / 66,237 | FULL_READ / TARGETED_COMPARE | PRIOR TARGET | P–X baseline and integration claims |
| Codex RS3-BUNDLE review | rev1 / 18,133 | READ | PRIOR GATE | Authenticity/binding baseline |
| Validator source | rev2 / 14,415 | FULL_READ | PRIMARY CODE | Confirms N12 substring, N22 pre-mapping .get, pure validator |
| Guard contract | rev2 / 11,333 | FULL_READ | PRIMARY CONTRACT | Guard 3 uses caller/runtime-supplied evidence |
| Staging-shell contract | rev2 / 12,095 | FULL_READ | PRIMARY CONTRACT | Current engineering contract and HOLD |
| Bad-input matrix | rev2 / 8,971 | FULL_READ | PRIMARY CONTRACT | Existing A–J/64-case evidence, no P–X execution |
| Validator test run v2 | rev1 / 10,292 | FULL_READ | PRIMARY TEST RECORD | Local 64-case evidence only |
| Birth admission | rev9 / 19,500 | FULL_READ | PRIMARY ADMISSION | KB admission and registration HOLD |
| QT001 signoff/audit records | mixed | SEARCH_READ | PRIMARY/SECONDARY RECORDS | Supports candidate-only downgrade and spoof-risk history |
| laws-new LEGO set | rev33/rev8/rev14/rev2 | FULL_DIRECT_KB_READ | GOVERNING DRAFT/POINTER | Reuse-first, no new registry, no-mega, non-authorization |
| Operating Rules | v7.58 | DIRECT_SEARCH_READ | GOVERNING SSOT | Unknown = fail/STOP; Assembly First |
| Constitution | v4.6.3 | DIRECT_SEARCH_READ | ENACTED FOUNDATION | PG-first, DOT pair, authority discipline |
| PATCH2-reported live runtime reads | 2026-06-21 | PACKET_READ | CLAUDE READ-ONLY PACKET | Schema/count/grant observations; not Codex live proof |
| Registrar dot-dot-register.ts | n/a | SOURCE_NOT_READ | NONE | Must be recovered first in RS3B |
| S142B primary authorization source | n/a | SOURCE_NOT_READ | NONE | Neutral quarantine wording retained |

NO_CODEX_LIVE_READ: Claude's runtime observations are packet evidence. No unavailable runtime fact is promoted to Codex-proven production fact, and no old /laws/ source overrides laws-new/newlaws.

3. Accepted RS3-PATCH2 Points

  1. iu_route_attempt is correctly classified as an IU retry ledger, not a registration single-use nonce store.
  2. UNIQUE(idempotency_key, attempt_no) does not enforce single-use because changing attempt_no admits the same idempotency key again.
  3. attempt_no is correctly removed from the future single-use uniqueness domain.
  4. Current replay status is correctly fail-closed: REPLAY_DOMAIN_FAIL_CLOSED_UNTIL_SURFACE_FIT_PROVEN and REPLAY_SURFACE_NOT_FIT.
  5. The pure validator is limited to shape, canonical binding, freshness, and structural evidence checks; it does not own mutable replay state.
  6. QT001 is correctly downgraded to REUSE_CANDIDATE_PRECEDENT, not proven authenticity.
  7. A guard view is correctly distinguished from write-time enforcement.
  8. Nullable checksum, empty binding table, unenumerated writer authority, and absent immutability evidence are correctly treated as fail-closed gaps.
  9. Carrier classifications are conservative: ownership/APR/QT001 remain candidates, artifact and snapshot carriers remain source-unproven, and audit sinks are not mislabeled as authority carriers.
  10. Lifecycle vocabulary is source-backed while transition authority remains unproven.
  11. SC-01…SC-19 cover the missing manifest issuer, attempt, chronology, observer-independence, membership, write-set, substitution, shrink, canonicalization, freshness, and continuity cases.
  12. P2-RP/AU/SN/IN identify the correct enforcement layers: validator (V), registrar (R), and future producer (F).
  13. request_proposed.* is separated from trusted_attested.*; caller proposals cannot self-promote into authority.
  14. Artifact hash, snapshot refs, timestamps, and unknown carriers are no longer treated as trusted merely because values exist or parse.
  15. S142B remains SOURCE_NOT_READ · OUTSIDE_BACK_AUDIT_LEDGER · AUTHORIZATION_NOT_DEMONSTRATED and separate from the 18-row lineage.
  16. Registration and activation remain separate; registration stays HOLD.

4. Corrected RS3-PATCH2 Points

C1 — Replay key conflates three identities

The replay field written as nonce | idempotency_key is ambiguous: it treats two different identities as interchangeable. RS3B must distinguish:

  • logical_request_key: stable across exact client retries and unique for one intended registration effect;
  • authorization_nonce: single-use authority credential, bound to the exact authority envelope and validity window;
  • attempt_id: execution/retry identity, never part of logical-effect uniqueness.

One physical surface may carry all three only if it proves separate constraints and state transitions. A fresh authorization nonce must not permit a duplicate logical registration effect.

C2 — Post-consume rollback semantics are internally inconsistent

PATCH2 says consume occurs inside the Phase-1 transaction, but also describes a committed consume row while the registration-visible effect fails. Both cannot describe the same atomic transaction.

RS3B must use this state model:

  1. Pre-commit failure: consume and registration writes roll back together; no committed result exists. Retry behavior must account for uncertain-commit recovery before issuing a new logical request.
  2. Commit success: consume and inert registration result commit together; exact retry returns the durable prior result.
  3. Post-commit verification failure: the inert registration exists; the same logical key remains consumed and returns failed/compensating state. A new nonce may authorize compensation, but must not recreate the registration effect.

Separate pre-commit of the nonce followed by a registration transaction is not accepted unless explicitly modeled as a durable state machine with recovery proof; the current baseline does not establish that model.

C3 — Freshness must not erase consumed-state meaning

P2-RP-07's REPLAY_STALE_ROW wording is unsafe if interpreted as allowing an old consume row to stop blocking replay. Request/envelope TTL determines whether a new request is admissible; it does not make an already-consumed logical key reusable.

RS3B must define retention or a permanent/tombstoned idempotency record for the required replay horizon. An old consume row still proves prior consumption unless an explicit, authority-approved key-reuse policy exists. No such policy is authorized here.

C4 — Current auth-label wording must remain status-first

HBA target is acceptable only as a target model label. The current state for zero-row ownership, missing register_dot, unproven transition writer, artifact carrier, and observer carrier remains SOURCE_UNPROVEN_FAIL_CLOSED or REUSE_CANDIDATE_PRECEDENT. RS3B must not shorten “target model” into “HBA proven.”

C5 — Minor report identity typo

PATCH2's must-not-do section says the only write is “this RS3-PATCH1 report.” The document is RS3-PATCH2. This is editorial only and does not affect evidence or verdict.

5. Rejected RS3-PATCH2 Points

Rejected readings, without rejecting the top-level PATCH2 verdict:

  • a single replay_key containing an interchangeable nonce/idempotency token fully defines both exact retry and authorization replay;
  • a committed consume plus failed same-transaction registration effect is an atomic Phase-1 outcome;
  • a stale consume record may be ignored and the logical effect attempted again;
  • HBA target means a current carrier is authority-proven;
  • the P2 matrix has been executed; it remains criteria only.

No PATCH3 is required because PATCH2 expressly leaves replay, authority, artifact, and snapshot surfaces unproven/fail-closed, and RS3B is the bounded design macro responsible for selecting and reconciling those surfaces.

6. Replay Domain Assessment

Assessment: PASS_AS_FAIL_CLOSED_BASELINE_WITH_RS3B_CORRECTIONS.

The live-packet shape supports the core conclusion that iu_route_attempt is not fit. The proposed seven-tuple is useful as an authority-binding digest, but it is not sufficient as the sole identity model until C1–C3 are resolved.

Mandatory RS3B proof obligations:

  1. stable logical-effect idempotency independent of retry attempt;
  2. separate single-use authority nonce semantics;
  3. atomic transition and durable prior-result readback;
  4. uncertain-commit recovery;
  5. no duplicate effect under fresh nonce, new attempt, or concurrent request;
  6. TTL separated from consumed-state retention;
  7. writer grants, mutation restrictions, retention, and conflict behavior proven on the selected surface;
  8. failure injection before insert, after insert/pre-commit, at commit, and post-commit verification.

Until these pass, replay remains FAIL_CLOSED and registration cannot proceed.
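As an added illustration of corrections C1–C3 and proof obligations 1–6 above, not code from PATCH2 or the registrar, the following in-memory model keeps the three identities separate, commits consume and registration together or not at all, retains consumed keys as tombstones independent of envelope TTL, and lets a fresh nonce authorize compensation but never a second registration effect. Registrar, Request, register(), verifyFailed(), compensate() and the 60 s TTL are hypothetical names and values chosen for the example.

```typescript
// Added example, not project code: an in-memory model of the C1-C3 replay rules.
// Registrar, Request, register(), verifyFailed() and compensate() are hypothetical names.
type Outcome =
  | { kind: "COMMITTED"; registrationId: string }
  | { kind: "FAILED_COMPENSATING"; registrationId: string }
  | { kind: "ROLLED_BACK"; reason: string }
  | { kind: "REJECTED"; reason: string };

interface Request {
  logicalKey: string; // C1: stable across exact client retries, one intended effect
  authNonce: string;  // C1: single-use authority credential
  attemptId: string;  // C1: retry identity; deliberately never used in any uniqueness lookup
  issuedAt: number;   // C3: envelope freshness input (ms)
}

const TTL_MS = 60_000; // hypothetical envelope validity window

class Registrar {
  // C3: consumed logical keys are retained as tombstones with their result; TTL never clears them.
  private readonly consumed = new Map<string, Outcome>();
  private readonly usedNonces = new Set<string>();
  private nextId = 1;

  register(req: Request, now: number, failBeforeCommit = false): Outcome {
    const prior = this.consumed.get(req.logicalKey);
    if (prior) return prior; // exact retry, or fresh nonce on a consumed key: durable prior result, no second effect
    if (now - req.issuedAt > TTL_MS) return { kind: "REJECTED", reason: "STALE_ENVELOPE" }; // new request only
    if (this.usedNonces.has(req.authNonce)) return { kind: "REJECTED", reason: "NONCE_REUSED" };
    // C2 Phase-1 transaction: nonce consume and registration write commit together or not at all.
    if (failBeforeCommit) return { kind: "ROLLED_BACK", reason: "PRE_COMMIT_FAILURE" }; // nothing durable
    const result: Outcome = { kind: "COMMITTED", registrationId: `reg-${this.nextId++}` };
    this.usedNonces.add(req.authNonce);
    this.consumed.set(req.logicalKey, result);
    return result;
  }

  // C2 case 3: post-commit verification failed; the key stays consumed and the effect is not recreated.
  verifyFailed(logicalKey: string): void {
    const prior = this.consumed.get(logicalKey);
    if (prior && prior.kind === "COMMITTED")
      this.consumed.set(logicalKey, { kind: "FAILED_COMPENSATING", registrationId: prior.registrationId });
  }

  // A fresh nonce may authorize compensation but never a second registration effect.
  compensate(logicalKey: string, authNonce: string): Outcome {
    const prior = this.consumed.get(logicalKey);
    if (!prior || prior.kind !== "FAILED_COMPENSATING") return { kind: "REJECTED", reason: "NOT_COMPENSABLE" };
    if (this.usedNonces.has(authNonce)) return { kind: "REJECTED", reason: "NONCE_REUSED" };
    this.usedNonces.add(authNonce);
    return prior; // registration stays inert; the consumed key remains a tombstone
  }

  registrationCount(): number { return this.nextId - 1; }
}
```

Obligations 7 and 8 (writer grants on the selected surface and failure injection at commit and post-commit) are not modelled here; the pre-commit flag only shows that a rolled-back attempt leaves neither the nonce nor the key consumed.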

7. Authority Provenance and Carrier Assessment

| Carrier | Codex assessment |
|---|---|
| QT001 signoff family | REUSE_CANDIDATE_PRECEDENT; prior spoof-risk and nullable/empty binding evidence prohibit authenticity claims |
| governance_object_ownership | Candidate authoritative head store; zero rows and transition writer unproven; fail-closed |
| approval_requests / apr_approvals | Candidate transitive authority path; no governed register_dot plus artifact binding proven |
| Artifact hash carrier | SOURCE_UNPROVEN_FAIL_CLOSED; interface F must prove deployed-path/hash/origin/admission binding |
| wf_*_snapshot | Per-surface observation candidates only; not a trusted manifest provider |
| event_outbox | Candidate failure-audit sink only; no replay uniqueness or authority authenticity |
| iu_route_attempt | Retry-shape precedent only; not replay/authenticity fit |
| registry_changelog | Candidate audit sink; not authority carrier |
| governance_audit_log | Narrow candidate audit sink; not authority carrier |

Promotion criteria are adequate: proven restricted writer, governance-controlled mutation/immutability, consumer readback, non-null binding/tamper evidence, retention, and lifecycle authority where relevant. No new registry is authorized before reuse candidates are evaluated.

8. Snapshot and Manifest Assessment

PASS as criteria, not provider proof.

SC-01…SC-19 close the missing adversarial categories identified by the prior Codex review. Together with PATCH1 U01…U08 they cover the requested negative space. Observer independence remains process/credential evidence, not a string comparison. wf_* and context_pack_manifest remain primitives/precedents only.

RS3B may select a provider or retain HOLD. It may not infer trust from row existence, hash presence, observer label, or a guard view.

9. Validator Matrix Assessment

PASS as an unexecuted test contract.

The current validator remains unchanged and still contains the independently confirmed N12 and N22 defects; existing local evidence covers only the previous 64 cases. P–X and P2 additions are future acceptance tests.

Layer allocation is sound:

  • V: deterministic shape, canonical equality, cross-envelope binding, chronology/freshness, readback-required structure;
  • R: atomic consume, concurrency, prior-result idempotency;
  • F: writer authority, observer independence, manifest provenance, artifact resolution.

The anti-fail-open rule is retained: any invalid case yielding PASS or write intent fails the future hardening macro.

10. Integration Namespace and Auth-Label Assessment

PASS_WITH_CAVEAT.

The namespace split prevents direct caller promotion. Consumers must reread source rows and reject missing producer, wrong type, stale/invalid authority, mismatch, ambiguous active head, unknown carrier, and unsupported model.

Required RS3B refinement: “trusted_attested” is a contract namespace, not a current trust claim. A value enters that namespace only after its producer/carrier has passed the promotion criteria. Until then it remains absent and the consumer rejects.

11. RS3B Gate Decision

Option A — Accept and open RS3B.

Single next macro: RS3B-REGISTRAR-HARDENING-DESIGN.

Mode: read-only / KB-design only. Target duration: approximately 60 minutes. Owner approval to start: not required. No implementation.

Required verified deliverables:

  1. recover and fully read bin/dot/dot-dot-register.ts; if unavailable, produce exact source-recovery proof and stop with status HOLD_REGISTRAR_SOURCE_NOT_READ;
  2. reconstruct current registrar behavior from source, not RP-03 prose;
  3. resolve dot-dot-register versus dot-catalog-sync writer ownership, concurrency, and clobber behavior;
  4. define the exact single-artifact registration contract and reject broad scanning/mass registration;
  5. define interface F and select or reject artifact-hash carriers using the PATCH2 classification;
  6. define logical idempotency key, authorization nonce, attempt ID, atomic state machine, exact retry, uncertain commit, retention, and concurrency using C1–C3;
  7. consume the owner/APR and lifecycle carrier classifications without upgrading unproven sources;
  8. consume snapshot manifest criteria and either select a proven provider path or remain HOLD;
  9. compare durable failure-audit sinks on schema, writer authority, retention, idempotency, and post-rollback write capability;
  10. derive pair cardinality from the runtime contract, never fixed five rows;
  11. account for every dot_tools trigger/notification side effect and prove closed-at-registration;
  12. publish a phase-by-phase proof-obligation matrix and adversarial/failure-injection plan;
  13. perform no code, schema, role, APR, gate, registration, or runtime change.

RS-VALIDATOR-HARDENING remains sequenced after RS3B because registrar/interface ownership must be fixed before the validator consumes the final contract.

12. Must-Not-Do Confirmation

Confirmed no runtime mutation, DDL/DML, manual SQL, psql, docker-exec psql, Directus generic mutation, DOT registration/wiring/run, schema/registry/table/collection creation, validator patch/test run, Article 32/35 patch, gate flip, APR creation/approval, Owner claim, registrar implementation, Macro-9A/9C, B2 producer build, RISK-BYPASS clearance, S142B merits claim, 18/142 merge, current-corpus creation, source-law edit, or adoption.

Hash is not treated as signature; caller input is not authority; the pure validator is not replay-state owner; snapshot/QT001 candidates are not trusted providers.

The only write is this Codex review at the official AgentData KB path.

13. Self-Check

| Check | Result |
|---|---|
| RS3-PATCH2 full read | PASS — rev1 / 58,461 |
| Prior Codex PATCH1 HOLD full read | PASS — rev1 / 18,531 |
| Replay key/single-use checked | PASS_WITH_RS3B_CORRECTIONS |
| iu_route_attempt not-fit checked | PASS — packet-supported, no Codex live proof |
| QT001 downgrade checked | PASS |
| Nine carriers checked | PASS |
| SC-01…SC-19 checked | PASS_AS_CRITERIA |
| P2-RP/AU/SN/IN checked | PASS_AS_UNEXECUTED_CRITERIA |
| Request/trusted namespace checked | PASS_WITH_CAVEAT |
| RS3B scope checked | PASS — large, LEGO-bounded, verifiable |
| Registration HOLD retained | PASS |
| No-mega/reuse-first/DOT-only retained | PASS |
| Codex live runtime read | NO — NO_CODEX_LIVE_READ |

Three Declarations

  • Permanent/root-cause: separate logical-effect idempotency, authority nonce, and retry attempt; bind each to authority-controlled readback and an atomic state transition.
  • Cannot be mistaken: every unproven writer/carrier/provider remains absent from trusted_attested.*; conflict, ambiguity, stale authority, or unknown source rejects.
  • 100% automatic: not claimed. Automation remains unproven until future governed components enforce replay, authority, artifact, snapshot, audit, and post-commit verification contracts.

OR/TD/handoff update: not required; this is an independent non-enacting review with no runtime, law, or implementation change.

14. Final Verdict

ACCEPT_RS3_PATCH2_AND_PROCEED_TO_RS3B.

Proceed only to the read-only RS3B-REGISTRAR-HARDENING-DESIGN macro with C1–C4 as mandatory inputs. Registration remains HOLD; REGISTRATION_CAN_PROCEED = NO.

KB path: knowledge/dev/laws-new/reports/codex/codex-review-rs3-patch2-replay-domain-authority-provenance-and-adversarial-completeness-correction-2026-06-21.md