KB-469D

Codex Review - RS4A Registrar-Hardening Design Source-Aware - 2026-06-21

Revision 1

STATUS: HOLD
VERDICT: NEED_RS4A_PATCH
Stop state: RS4A_NEEDS_PATCH
Package state retained: RS4A_READY_FOR_CODEX_REVIEW only; not accepted as the controlling contract
Registration gate: REGISTRATION_HOLD - REGISTRATION_CAN_PROCEED = NO
Runtime observation: NO_CODEX_LIVE_READ
Single next step: RS4A-PATCH1-CONTRACT-IDENTITY-INERT-STATE-AND-SUITE-RECONCILIATION
Class: independent read-only review; non-enacting; non-authorizing; no implementation; no runtime mutation

1. Source Register

Codex read the following directly from AgentData KB in full. All were revision 1 and truncated=false.

Source                          content_length                            Role
------------------------------  ----------------------------------------  --------------------------------------------------
Prior Codex RS3C review         13,836                                    controlling gate and P1-P5
RS4A executive rollup           5,211                                     package claims and sequencing
RS4A index                      4,731                                     package inventory
RS4A-01 defect ledger           14,641                                    24 defects
RS4A-02 target contract v0.2    10,672                                    target input/output/invariants
RS4A-03 delta matrix            6,671                                     24 deltas and replacement decision
RS4A-04 phase model             9,399                                     Phases 0-6 and proof obligations
RS4A-05 Owner/APR contract      5,612                                     authority envelope
RS4A-06 Interface F v0.2        7,982                                     artifact attestation envelope
RS4A-07 replay/nonce contract   7,964                                     logical key, nonce, attempt model
RS4A-08 failure-audit sink      5,188                                     event_outbox candidate contract
RS4A-09 trigger/gate closure    7,733                                     producer condition and G7 consumer caveat
RS4A-10 replacement decision    4,726                                     replace versus wrapper
RS4A-11 acceptance suite        10,129                                    claimed 92-case suite
RS4A-12 blockers/sequencing     5,588                                     G2-G7 and next steps
RS4A Codex packet               5,785                                     review request
RS3C-02/03/04/07/09 baseline    15,634 / 9,407 / 4,770 / 7,638 / 6,547    source, producer boundary, replay, trigger baseline

Governing context was read/searched directly: Operating Rules SSOT v7.58, Constitution v4.6.3, and relevant DOT-registration governance material. No live PostgreSQL/VPS query tool was available to Codex; RS4A runtime facts are therefore CLAUDE_READ_ONLY_PACKET, not Codex-live observations.

2. Package Completeness Assessment

PASS. AgentData lists exactly 14 files under knowledge/dev/laws-new/reports/rs4a/ plus the executive rollup under reports/, for 15 package files total. Every required artifact exists, is revision 1, has non-empty content, and read back without truncation. The Codex packet is present.

Completeness of files does not establish completeness of the contract. The blockers below are semantic and internal-consistency defects.

3. Source-Defect Ledger Assessment

PASS_WITH_CORRECTION. The ledger enumerates D01-D24 and directly anchors the controlling defects to the recovered source: mass scan L121, loop L131, no scalar target L95-L100, POST L156, active status L173, no transaction, false success L156/L176, no authority/hash fields, root SSH/hardcoded host, curl -k, and no registrar-authored audit.

P1-P5 are mostly honored: snapshot hash is not called a signature; writer scope is limited to the two scripts; dedup is described as fragile/fail-open-prone; notification is conditional; the package is design-only.

Required correction: D13 (no DB UNIQUE) is schema evidence, not a source-line defect. The ledger may retain it as an environment/contract blocker, but must not claim that all 24 defects are line-cited source defects. D13 should be relabeled or tied explicitly to a source behavior plus separate schema evidence. Also, function-name interpretations for birth, normalization, origin, and code triggers remain inference where bodies were not read.

4. Contract v0.2 Assessment

HOLD. The high-level contract is directionally correct: scalar single artifact, no mass scan, proposed/attested separation, Owner/APR envelope, Interface F, three replay identities, atomic write, no activation, post-commit verification, durable failure audit, and structured reject codes. It remains specification-only and contains no executable replacement code or mutation payload.

Four blocking contract defects remain:

  1. No canonical inert status. The output uses status: "<inert/non-active>". A testable contract must select or govern an exact persisted value and prove it is accepted by current metadata/constraints and ignored by activation consumers. A placeholder cannot support deterministic validation or readback.
  2. Identity axis undefined. The contract requires UNIQUE on identity axis, but never decides whether identity is code, canonical path, artifact hash, a composite, or multiple independent constraints. T-P3-1 assumes duplicate code, while other sections reason from path/hash. This must be explicit before schema or implementation design.
  3. Intent names unavailable columns without a carrier disposition. deployed_artifact_hash, owner_envelope_ref, and approval_envelope_ref are shown as dot_tools columns while the package also proves those carriers do not exist. The contract must distinguish logical envelope fields from persisted dot_tools columns and state the fail-closed carrier interface; it must not imply the current table can store them.
  4. Nonce placement is inconsistent. The prose says the single-use authority argument is separate from the dict, but the input table classifies authorization_nonce as request_proposed. The contract must define the nonce as an authority-issued credential/envelope input, not an ordinary caller-proposed field.

5. Delta Matrix Assessment

PASS_WITH_CAVEATS. The matrix has 24 rows and the listed MUST_REPLACE set contains 17 unique row numbers. The central conclusion is supported: no wrapper can call the current real-run path and satisfy scalar input, atomicity, authority, inertness, and honest-success requirements.

Rows depending on live schema/function evidence must retain packet-tier provenance. The matrix cannot mark CONTRACT_BACKSTOP as closed until the exact identity axis, inert state, carrier, replay surface, and audit sink are defined and accepted.

6. Phase Model Assessment

HOLD. Phases 0-6 exist and each includes input, producer, consumer, fail-closed behavior, rollback, audit, proof, and tests. Phase 3 is correctly intended as the atomic unit; Phase 6 keeps activation separate.

Required corrections:

  • Phase 2 is described as a separate consume phase but its mutation occurs inside Phase 3. Rename it as validation/reservation criteria or explicitly state that no durable consumption occurs until the Phase-3 transaction.
  • Phase 4 assumes a paired verifier in the DOT-HEALTH-DOT family. This must be an independent verifier contract/reference, not an inferred per-target pair or automatically created registry row. Carry C2 explicitly.
  • Phase 5 says failure audit is written outside a rolled-back transaction, but test T-P5-1 says audit written from rolled-back txn should survive. That is impossible. The test must say the failure occurs in the rolled-back transaction and the audit is written afterward in a separate transaction.
  • Clarify whether durable audit is required for every successful decision or only failures. Current Phase 4/output language requires an audit envelope for success while RS4A-08 defines a failure-audit sink.

7. Owner/APR Authority Assessment

PASS_AS_FAIL_CLOSED_CRITERIA. The contract treats owner zero and absent register_dot as independent blockers, does not create Owner/APR/action rows, does not use dot_tools.owner or caller text as authority, and requires artifact-bound quorum proof.

The reported counts, function existence, enums, and action status are packet evidence because Codex had no live runtime read. quorum_passed('register_dot') must not be treated as a proven correct binding until its input semantics and function body are verified in the future authority decision.

8. Interface F Assessment

PASS_AS_FAIL_CLOSED_CRITERIA_WITH_CORRECTION. The five-hash taxonomy is useful and correctly keeps hash distinct from signature and authority. R1-R10 prevent emission of trusted_attested.* when carrier, immutability, writer, per-artifact binding, origin, or freshness is unproven. No current carrier is accepted.

Overclaim to correct: the presence of aggregate count columns in context_pack_manifest does not by itself prove the semantic scope of each checksum. The accepted conclusion is narrower and sufficient: no reviewed evidence proves a unique immutable per-artifact binding, so the candidate is unfit and Interface F emits nothing. Likewise, say no proven carrier among reviewed candidates, not an exhaustive global absence unless all carrier surfaces have been inventoried.

9. Replay/Nonce Contract Assessment

HOLD. Separate UNIQUE(logical_request_key), separate durable UNIQUE(authorization_nonce), and non-keying attempt_id correctly preserve C1. iu_route_attempt is correctly rejected as a domain-mismatched retry ledger. No surface is claimed built.

The logical-effect identity is not yet stable enough:

  • The sample replay_key includes run_id, although run_id is execution context. A new run would change the digest.
  • logical_request_key includes owner/approval binding without defining whether volatile APR/approval record IDs participate. A fresh approval could change the key and accidentally buy a duplicate effect.
  • Calling UNIQUE(logical_request_key) equivalent to UNIQUE(replay_key) is unsafe while their canonical derivations differ.

PATCH requirement: define one canonical effect identity from stable effect fields, explicitly exclude attempt_id, attempt_no, run_id, nonce, timestamps, and replaceable approval-instance IDs, and retain authorization evidence as bound non-identity attributes. Then define exact-retry and fresh-approval behavior against that identity.
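As an added illustration of the patch requirement above (example code written for this review page, not part of RS4A-07, the registrar, or any project code), the following derives one canonical effect identity from stable effect fields only, keeps the execution-context and authorization fields as bound non-identity attributes, and classifies a follow-up request against the committed identity. The field names (code, canonical_path, artifact_hash, run_id, approval_record_id, and so on) and the exact-retry/duplicate-effect rules are assumptions chosen for the example, not values the contract has decided.

```python
import hashlib
import json

# Constructed field names for illustration; they are not RS4A's schema.
# Effect fields: the values whose change means a different logical effect.
EFFECT_FIELDS = ("code", "canonical_path", "artifact_hash")

# Execution-context, credential and replaceable-approval fields: bound to the
# request as evidence, but never part of the identity (the review's exclusion list).
NON_IDENTITY_FIELDS = ("attempt_id", "attempt_no", "run_id", "authorization_nonce",
                       "requested_at", "approval_record_id")


def validate_effect_fields(request):
    """Return the list of effect fields absent from the request (empty means complete)."""
    return [f for f in EFFECT_FIELDS if f not in request]


def canonical_effect_key(request):
    """Derive the logical-effect identity from stable effect fields only.

    Canonical JSON (sorted keys, no whitespace, ASCII-only) so the digest does
    not depend on caller field order or serializer quirks. Missing effect
    fields fail closed rather than hashing a partial effect.
    """
    missing = validate_effect_fields(request)
    if missing:
        raise ValueError(f"fail closed: effect fields missing {missing}")
    effect = {f: request[f] for f in EFFECT_FIELDS}
    canon = json.dumps(effect, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def bind_request(request):
    """Persisted shape: exactly one identity plus bound non-identity evidence."""
    return {
        "logical_request_key": canonical_effect_key(request),
        **{f: request.get(f) for f in NON_IDENTITY_FIELDS},
    }


def classify_followup(committed, incoming):
    """Assumed semantics for this example (not RS4A's decided contract):

    exact_retry      same effect key and same nonce: idempotent replay of an
                     already-committed effect; return the prior result, write nothing.
    duplicate_effect same effect key under a fresh nonce/approval: the effect already
                     exists, so a new authorization must not buy a second copy.
    new_effect       different effect key: goes through the full authority and write path.
    """
    if committed["logical_request_key"] != canonical_effect_key(incoming):
        return "new_effect"
    if committed["authorization_nonce"] == incoming.get("authorization_nonce"):
        return "exact_retry"
    return "duplicate_effect"
```

The point of the derivation is the property the review asks for: a second run, a new attempt number, a fresh nonce, or a replacement approval record changes the bound evidence but not the key, while any change to the artifact itself yields a different effect.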

10. Audit Sink Contract Assessment

PASS_AS_CANDIDATE_ONLY_WITH_CORRECTION. event_outbox remains fail-closed; immutability, writer restriction, retention, dedup, and non-executing lane are all open. No new ledger or DDL was created.

Absence of UPDATE/DELETE-blocking triggers does not establish global absence of immutability if grants, rules, or policies were not enumerated. State immutability not proven, which is enough to fail closed. The proposed event type, delivery lane, and dedup_key are contract requirements, not fields/values proven available on the current table.
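To make the Phase-5 ordering required in section 6 and the fail-closed write/audit path discussed here concrete, the following is an added SQLite model written for this page (example code, not RS4A's design, not event_outbox, and not any real table): nonce consumption and the inert registry row commit in one transaction; any constraint failure rolls the whole attempt back and the failure audit is then written in its own transaction; a second function shows directly why T-P5-1 cannot hold. The table names, the 'inert' placeholder status, UNIQUE(logical_request_key) as the identity axis, and the reject codes are assumptions for the example.

```python
import sqlite3

# Constructed schema for this example; names and the 'inert' value are placeholders,
# not the contract's decided identity axis, inert status, or audit sink.
SCHEMA = """
CREATE TABLE registry (
    code TEXT NOT NULL,
    artifact_hash TEXT NOT NULL,
    status TEXT NOT NULL CHECK (status = 'inert'),   -- registration never activates
    logical_request_key TEXT NOT NULL UNIQUE          -- assumed identity axis
);
CREATE TABLE consumed_nonce (
    authorization_nonce TEXT PRIMARY KEY,             -- durable single-use surface
    logical_request_key TEXT NOT NULL
);
CREATE TABLE failure_audit (                          -- stand-in for the candidate sink
    id INTEGER PRIMARY KEY,
    logical_request_key TEXT NOT NULL,
    reject_code TEXT NOT NULL
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None   # explicit BEGIN/COMMIT/ROLLBACK, no implicit transactions
    conn.executescript(SCHEMA)
    return conn


def count_rows(conn, table):
    assert table in ("registry", "consumed_nonce", "failure_audit")  # constant names only
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def classify_integrity_error(exc):
    """Map the violated constraint to a structured reject code."""
    msg = str(exc)
    if "consumed_nonce.authorization_nonce" in msg:
        return "NONCE_ALREADY_CONSUMED"
    if "registry.logical_request_key" in msg:
        return "DUPLICATE_EFFECT"
    return "INTEGRITY_ERROR"


def governed_register(conn, req):
    """Phase-3 style atomic write: nonce consumption and registry row in one transaction.

    On a constraint failure the transaction is rolled back and the failure audit is
    written afterwards in a separate transaction (the Phase-5 ordering the review
    requires). Returns ('committed', key) or ('rejected', code); never a false success.
    """
    try:
        conn.execute("BEGIN IMMEDIATE")
        conn.execute("INSERT INTO consumed_nonce VALUES (?, ?)",
                     (req["authorization_nonce"], req["logical_request_key"]))
        conn.execute("INSERT INTO registry VALUES (?, ?, 'inert', ?)",
                     (req["code"], req["artifact_hash"], req["logical_request_key"]))
        conn.execute("COMMIT")
    except sqlite3.IntegrityError as exc:
        conn.execute("ROLLBACK")                      # nothing from the attempt survives
        reject = classify_integrity_error(exc)
        conn.execute("INSERT INTO failure_audit (logical_request_key, reject_code) VALUES (?, ?)",
                     (req["logical_request_key"], reject))   # own transaction: this survives
        return ("rejected", reject)
    # Post-commit verification: read back before reporting success.
    row = conn.execute("SELECT status FROM registry WHERE logical_request_key = ?",
                       (req["logical_request_key"],)).fetchone()
    if row is None or row[0] != "inert":
        return ("rejected", "READBACK_MISMATCH")
    return ("committed", req["logical_request_key"])


def audit_inside_rolled_back_txn(conn):
    """The T-P5-1 defect made concrete: an audit row inserted inside a transaction
    that is then rolled back does not survive. Returns the net rows kept (0)."""
    before = count_rows(conn, "failure_audit")
    conn.execute("BEGIN")
    conn.execute("INSERT INTO failure_audit (logical_request_key, reject_code) "
                 "VALUES ('k-demo', 'WRITTEN_INSIDE_ROLLED_BACK_TXN')")
    conn.execute("ROLLBACK")
    return count_rows(conn, "failure_audit") - before
```

One design choice is deliberately left visible: because the nonce insert rolls back with the rest of the attempt, a rejected attempt does not consume its nonce in this model. Whether a failed attempt should still burn the nonce is exactly the kind of single-use semantic the contract has to state rather than leave to the implementation.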

11. Trigger/Gate Closure Assessment

PASS_WITH_PACKET-TIER_CAVEAT. The reported fn_context_pack_on_dot_register body supports the producer condition: notification occurs only for a watched tier and status='active'. RS4A correctly keeps the consumer body open and does not claim context_pack_mode='warn' proves consumer inertness.

Codex did not reproduce the function read live, so P4 is closed at CLAUDE_READ_ONLY_PACKET evidence tier only. The structural no-notify proof still depends on resolving the exact valid inert status. Claims that both birth triggers create rows or that normalization explains the dedup mismatch remain inferred until those function bodies are read.

T-P6-3 is malformed: an inert insert does not satisfy the producer condition and therefore does not emit the notification whose consumer is being tested. Replace it with an independently injected/observed context_pack_event consumer test, or an active-update scenario explicitly outside registration, while keeping registration fail-closed.
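An added model of the producer condition reported in this section, written for this page and not taken from the live system: the real function is the PostgreSQL fn_context_pack_on_dot_register, whereas this SQLite trigger, its dot_tools/watched_tier/context_pack_event table shapes, and the 'inert' placeholder are assumptions. It shows why T-P6-3 observes nothing: an inert insert never meets the condition, so no notification exists for a consumer test to exercise, while an activation update explicitly outside registration does emit one.

```python
import sqlite3

# Constructed model of the reported producer condition: notify only when the row is in a
# watched tier AND status = 'active'. Table and column names are example assumptions.
MODEL = """
CREATE TABLE dot_tools (
    code TEXT PRIMARY KEY,
    tier TEXT NOT NULL,
    status TEXT NOT NULL
);
CREATE TABLE watched_tier (tier TEXT PRIMARY KEY);
CREATE TABLE context_pack_event (
    id INTEGER PRIMARY KEY,
    code TEXT NOT NULL,
    trigger_op TEXT NOT NULL
);
CREATE TRIGGER notify_on_insert AFTER INSERT ON dot_tools
WHEN NEW.status = 'active' AND NEW.tier IN (SELECT tier FROM watched_tier)
BEGIN
    INSERT INTO context_pack_event (code, trigger_op) VALUES (NEW.code, 'INSERT');
END;
CREATE TRIGGER notify_on_update AFTER UPDATE OF status ON dot_tools
WHEN NEW.status = 'active' AND NEW.tier IN (SELECT tier FROM watched_tier)
BEGIN
    INSERT INTO context_pack_event (code, trigger_op) VALUES (NEW.code, 'UPDATE');
END;
"""


def open_model():
    conn = sqlite3.connect(":memory:")
    conn.executescript(MODEL)
    conn.execute("INSERT INTO watched_tier VALUES ('watched')")  # constructed watched tier
    conn.commit()
    return conn


def events_for(conn, code):
    """Notifications emitted for one code, in emission order."""
    return [op for (op,) in conn.execute(
        "SELECT trigger_op FROM context_pack_event WHERE code = ? ORDER BY id", (code,))]


def inert_register(conn, code, tier):
    """Registration as the contract requires it: the row lands inert, the producer
    condition is not met, and no notification is emitted."""
    conn.execute("INSERT INTO dot_tools VALUES (?, ?, 'inert')", (code, tier))
    conn.commit()
    return events_for(conn, code)


def separate_activation(conn, code):
    """An activation step explicitly outside registration (Phase 6 territory):
    only this transition satisfies the producer condition for a watched tier."""
    conn.execute("UPDATE dot_tools SET status = 'active' WHERE code = ?", (code,))
    conn.commit()
    return events_for(conn, code)


def legacy_active_insert(conn, code, tier):
    """The unsafe pattern the ledger cites (row born active): it notifies at birth."""
    conn.execute("INSERT INTO dot_tools VALUES (?, ?, 'active')", (code, tier))
    conn.commit()
    return events_for(conn, code)
```

A consumer test therefore has to inject or observe a context_pack_event independently, or drive the activation transition outside the registration path, as the section recommends; asserting on the inert insert only proves the producer stayed silent.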

12. Replacement-vs-Wrapper Decision Assessment

PASS. REPLACE_FOR_GOVERNED_REGISTRATION and REJECT_CURRENT_REAL_RUN_PATH are supported by source. The existing script has no safe scalar real-run mode; a wrapper either invokes the unsafe mass writer or invokes --dry-run and writes nothing. Dry-run discovery/report and pure classification helpers may be reused only as advisory inputs. No wrapper may call the mass-scan real-run path.

13. Acceptance Suite Assessment

HOLD - COUNT AND SEMANTICS PATCH REQUIRED. The suite exceeds the minimum, but its claimed arithmetic is wrong.

Codex independently counted unique T-series IDs:

Block               Unique cases
------------------  ------------
P0                  9
P1                  6
P2                  8
P3                  8
P4                  5
P5                  4
P6                  4
SRC                 3
New total           47
Carried             50
Actual suite total  97

RS4A claims 42 new and 92 total in RS4A-11, index, and rollup. The correct listed count is 47 new and 97 total. Coverage-map repeats are references, not additional cases.

All 13 mandatory categories are represented and no execution/PASS is claimed. Before acceptance, fix the count everywhere and repair T-P5-1 and T-P6-3 as described above. Add explicit tests for canonical inert status, stable logical-effect derivation across run/APR changes, exact identity-axis uniqueness, and absence/presence of required persistence carriers.

14. Blocker/Sequencing Assessment

PASS_WITH_SEQUENCE_HOLD. RS4A correctly leaves G2-G7 open, identifies G2 as deciding authority, and does not authorize implementation or registration. RS-VALIDATOR is gated on Codex acceptance of the corrected contract.

Because this review does not accept RS4A, neither G2/G3 execution, RS-VALIDATOR, per-block hardening implementation, nor registrar replacement implementation is opened. The only next step is RS4A-PATCH1. Owner decision remains queued after contract acceptance; it is not resolved by this review.

15. Accepted Points

  1. Package inventory is complete and read back.
  2. Source-derived unsafe registrar finding remains valid.
  3. Replace-not-wrap is the correct governed-registration decision.
  4. Current real-run path remains rejected; dry-run/helper reuse is advisory only.
  5. Owner/APR, Interface F, replay, and audit envelopes retain fail-closed posture.
  6. P1-P3 and P5 are honored; P4 is materially advanced at packet evidence tier.
  7. G2-G7 remain open and registration remains HOLD.
  8. No acceptance test execution or registrar PASS is claimed.

16. Corrected Points

  1. Acceptance suite is 97 listed unique cases, not 92.
  2. context_pack_manifest checksum scope is unproven as per-artifact; aggregate columns alone do not prove checksum semantics.
  3. Audit immutability is unproven, not globally disproved solely by trigger absence.
  4. Trigger consumer testing must not assume a notification from an inert insert.
  5. D13 is schema evidence, not a fully line-cited source defect.

17. Rejected/Overclaimed Points

  • REJECT the current replay-key formula as a stable effect identity while it includes run_id and undefined approval-binding identity.
  • REJECT <inert/non-active> as a final contract value.
  • REJECT an unspecified identity axis as sufficient for DB uniqueness design.
  • REJECT implied current dot_tools carrier columns that the package proves absent.
  • REJECT T-P5-1's claim that an audit written inside a rolled-back transaction survives.
  • REJECT the 42-new/92-total suite count.
  • REJECT opening Owner execution, RS-VALIDATOR, implementation, registration, or activation from this package revision.

18. Next Macro/Next Decision

Single next step: RS4A-PATCH1-CONTRACT-IDENTITY-INERT-STATE-AND-SUITE-RECONCILIATION.

The patch must remain design-only and do exactly the following: define stable logical/effect identity and exact uniqueness axes; select/govern a canonical inert persisted state; separate logical envelope fields from unavailable persistence carriers; resolve nonce input classification; remove automatic verifier-pair ambiguity; reconcile Phase-5 audit semantics; narrow Interface F/audit overclaims; correct malformed trigger/audit tests; and change the acceptance count to 47 new / 97 total. Do not bundle Owner creation, validator hardening, carrier/sink/replay implementation, or registrar code.

19. Must-Not-Do Confirmation

This review performed no runtime mutation, DDL/DML, DOT register/wire/run, schema/table/collection creation, APR creation/approval, gate flip, validator patch, registrar patch, source edit, executable replacement, migration SQL, Directus mutation payload, allowlist patch, service restart, RISK-BYPASS clearance, or 142/18 merge/sanction decision. It did not treat hash as signature, caller input as authority, a pure validator as nonce owner, snapshot/manifest as trusted provider, attempt identity as effect identity, or stale requests as erasing consumed state.

20. Final Verdict

NEED_RS4A_PATCH. RS4A is a complete and generally fail-closed review package, and its replace-not-wrap decision is correct, but the controlling contract is not precise enough to accept. Stable effect identity, exact uniqueness axes, canonical inert state, persistence-carrier boundaries, phase/audit semantics, and acceptance-suite arithmetic/tests must be corrected first.

Final gate: REGISTRATION_HOLD - REGISTRATION_CAN_PROCEED = NO. No Owner execution, RS-VALIDATOR, implementation, or registration is authorized.

knowledge/dev/laws-new/reports/codex/codex-review-rs4a-registrar-hardening-design-source-aware-2026-06-21.md