KB-78A7

Codex Review — RS5A G2 Owner-of-record Decision Dossier — 2026-06-21

Revision 1
Tags: codex-review, rs5a, g2, owner-of-record, need-patch1, registration-hold, read-only, 2026-06-21

STATUS: HOLD
REVIEW VERDICT: NEED_RS5A_PATCH1
Stop state: RS5A_NEEDS_PATCH1 · SCOPE_DRIFT · OWNER_EXECUTION_DRIFT
Registration gate: REGISTRATION_HOLD
REGISTRATION_CAN_PROCEED = NO
Evidence mode: NO_CODEX_LIVE_READ — AgentData package evidence reviewed; its live/runtime claims are not restated as independent Codex-live proof.

1. Source Register

Codex read the following documents directly from AgentData KB, all complete and untruncated at revision 1:

  1. Prior accepted Codex contract: knowledge/dev/laws-new/reports/codex/codex-review-rs4a-patch2-effect-identity-head-uniqueness-suite-id-reconciliation-2026-06-21.md.
  2. RS5A rollup: knowledge/dev/laws-new/reports/macro-rs5a-g2-owner-of-record-decision-2026-06-21.md.
  3. RS5A index: knowledge/dev/laws-new/reports/rs5a/rs5a-index-g2-owner-of-record-decision-2026-06-21.md.
  4. RS5A-01 through RS5A-12 under knowledge/dev/laws-new/reports/rs5a/.
  5. Codex review packet: knowledge/dev/laws-new/reports/rs5a/codex-review-packet-rs5a-g2-owner-of-record-decision-2026-06-21.md.

Operating Rules SSOT and Constitution v4.x were also read through direct AgentData search as required by repository instructions. No local prose copy was used as evidence for the RS5A verdict.

2. Package Completeness Assessment

PASS. The package contains the expected 15 documents: one rollup plus 14 files in the RS5A directory, including the index, twelve numbered deliverables, and Codex packet. AgentData list/readback evidence showed no missing, empty, or truncated file. The package's count and structure are internally traceable.

This completeness result does not imply contract correctness or authorization to execute.

3. Fresh Authority Reconstruction Assessment

PASS_WITH_CAVEAT. RS5A-02 presents surface-level evidence rather than merely citing an older report: table counts and columns, ownership constraints and foreign keys, scope and governance-registry rows, APR action rows, approval schema, and function bodies. Its conclusions are appropriately fail-closed:

  • zero ownership rows means no bound Owner-of-record;
  • no registration-specific responsibility scope is present;
  • register_dot is absent;
  • assign_governance_owner remains unimplemented;
  • APR and vote surfaces do not bind exact effect/artifact identity;
  • quorum proves vote-tier counts only;
  • president detection by ILIKE '%president%' is an identity-verification gap;
  • dot_tools.owner is free text and is not governance authority.

Codex had no independent live/runtime read tool for these database and function surfaces. Therefore the evidence is accepted as CLAUDE_READ_ONLY_PACKET_EVIDENCE, not Codex-live proof. The controlling marker is NO_CODEX_LIVE_READ.

4. Owner-of-record Concept Assessment

PASS_WITH_CAVEAT. RS5A-03 correctly defines Owner-of-record as an active, accountable governance head bound through governance_object_ownership, and correctly rejects caller, operator, Directus user/role, free-text dot_tools.owner, APR requester, validator, and registrar script as substitutes.

The live foreign-key model permits a governance-registry object/body to be the accountable head, so the concept does not require inventing a person or email. However, the package does not solve the bootstrap authority needed to create the first valid ownership row. Requiring an applied assign_governance_owner APR while that action is unimplemented and no accountable head exists is correctly fail-closed, but it makes the later instruction “the Owner-of-record executes the G2 designation” circular and non-executable.

5. Candidate Owner Matrix Assessment

PASS_WITH_CAVEATS. The candidate surface is grounded in governance_registry; GOV-DOT, GOV-SIV, and GOV-COUNCIL are candidates, not bound Owners. No person/email is invented, no candidate is silently selected, and NO_ACCOUNTABLE_HEAD_BOUND is retained.

Option B's mapping is directionally defensible: GOV-DOT for registration/admission and GOV-SIV for integrity/audit preserve separation of duties. The GOV-COUNCIL “high-risk approval/quorum” cluster is not mapped to one of RS5A-04's nine newly proposed scopes. Existing broad approval cannot silently substitute for a registration-specific approval authority after RS5A itself rejects broad scopes as insufficient. PATCH1 must either define the explicit scope/edge or state that GOV-COUNCIL is an approver body outside the ownership-scope assignment, with a separately governed identity-binding contract.

6. register_dot Action Contract Assessment

PASS_WITH_CAVEATS. RS5A-06 correctly keeps register_dot as REQUIRED_NOT_PRESENT, defines rather than creates it, assigns high risk, separates register/activate/supersede/revision/dry-run action families, and requires inert draft admission. It does not authorize action creation or execution.

Two corrections are required:

  1. The proposed handler reference dot-dot-register:governed must explicitly identify a replacement governed handler/artifact. It must not be interpreted as wrapping, relabeling, or reusing the accepted unsafe mass-scan registrar. This is required by the accepted replace-not-wrap contract.
  2. The contract cannot claim that registration is unlocked while replay, nonce, immutable failure-audit, artifact-hash, U3, status-domain, and authority-binding surfaces remain absent. They are admission prerequisites for real registration, not post-registration enhancements.

7. Authority Envelope Assessment

PASS. RS5A-07 preserves the accepted identity partition:

  • bound_effect_identity references U1;
  • owner scope/head/policy, nonce issuer/window, approval/quorum/artifact references, policy references, and attempt audit fields remain outside U1;
  • the authorization digest includes the bound effect identity, preventing approval substitution without making authority part of business-effect identity;
  • attempt ID, nonce, timestamp, and deciding head remain non-keying.

The envelope is design-only and currently evaluates fail-closed because required carriers are absent or unenforced. It does not clear any registration blocker.

8. Quorum Proof Assessment

PASS_WITH_CAVEAT. Based on the packet evidence, quorum function and trigger bodies were read and the package does not overclaim their semantics. It correctly classifies quorum_passed=true as necessary but insufficient: vote counts do not prove exact effect, artifact, governance-head identity, freshness, supersession state, or nonce authority. The president ILIKE match is explicitly identified as fail-open identity matching.

Codex does not independently attest those function bodies live. Before any implementation authorization, their hashes/definitions and trigger attachment must be re-read from the target runtime.

9. Negative Test Assessment

PASS_WITH_REQUIRED_ORACLE_CORRECTIONS. The suite contains 84 enumerated cases: A12 + B10 + C8 + D10 + E10 + F10 + G8 + H8 + I8 = 84. It is clearly marked DEFINED_NOT_EXECUTED and covers the mandatory spoofing, missing-action, effect/artifact binding, quorum insufficiency, replay, status/U3/audit, and activation non-inheritance classes. G08 and I05 are behavioral anti-fail-open cases rather than rejection cases; that is acceptable because they are explicit.

Several expected codes are not sufficiently discriminating and must be corrected before the suite becomes an executable acceptance oracle:

  • D07 (wrong risk tier) needs an action-contract/risk mismatch rejection; QUORUM_NOT_SATISFIED is not guaranteed because a weaker tier can still pass its own quorum.
  • H03 (out-of-vocabulary status), H07 (success audit forbidden), and I03 (notification on draft) must not use “policy undeclared” when a policy may exist. They need value/phase/side-effect-specific outcomes.
  • G02 replay and G08 exact retry must explicitly distinguish nonce reuse with changed request from idempotent retrieval of the same prior decision.

These are test-oracle defects, not evidence that tests executed.
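
An added illustration, not part of the RS5A package or of this review: a small Python model of the effect-bound authorization digest from section 7 and of the G02/G08 distinction required above. The class, field names, and outcome codes are hypothetical and are not defined by the package; the sample values in the usage are constructed.

```python
import hashlib
import hmac
import json


def _sha256(obj):
    # Canonical JSON so the same fields always hash to the same value.
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()


def authorization_digest(effect_id, approval_ref, owner_scope):
    # The bound effect identity is an input to the digest, so an approval
    # issued for one effect cannot be presented for a different effect.
    return _sha256({"effect": effect_id, "approval": approval_ref, "scope": owner_scope})


class AdmissionLedger:
    """Hypothetical decision store keyed by nonce (illustration only)."""

    def __init__(self):
        self._decisions = {}  # nonce -> ((request digest, approved digest), decision)

    def admit(self, request, approved_digest):
        # attempt_id and timestamp are deliberately not hashed: they are
        # non-keying fields, so an exact retry may carry new values for them.
        digest = authorization_digest(
            request["effect_id"], request["approval_ref"], request["owner_scope"])
        key = (digest, approved_digest)
        prior = self._decisions.get(request["nonce"])
        if prior is not None:
            if prior[0] == key:
                # G08-style exact retry: return the stored decision, decide nothing new.
                return ("PRIOR_DECISION_RETURNED", prior[1])
            # G02-style replay: same nonce, different request content.
            return ("NONCE_REUSED_WITH_CHANGED_REQUEST", None)
        if hmac.compare_digest(digest, approved_digest):
            decision = "ACCEPT"
        else:
            decision = "REJECT_APPROVAL_NOT_BOUND_TO_EFFECT"
        self._decisions[request["nonce"]] = (key, decision)
        return ("NEW_DECISION", decision)


if __name__ == "__main__":
    ledger = AdmissionLedger()
    approved = authorization_digest("effect-A", "apr-1", "scope-registration")
    req = {"nonce": "n-1", "effect_id": "effect-A", "approval_ref": "apr-1",
           "owner_scope": "scope-registration", "attempt_id": "a-1", "timestamp": "t1"}
    print(ledger.admit(req, approved))
    print(ledger.admit(dict(req, attempt_id="a-2", timestamp="t2"), approved))
    print(ledger.admit(dict(req, effect_id="effect-B"), approved))
```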

10. Options and Recommendation Assessment

NEEDS_PATCH. Options A/B/C are present and Option B's separation-of-duties direction is preferable to a mega-owner. RS5A does not itself select an Owner.

However, Option A says it “unlocks” draft registration while replay/audit remain fail-closed, and Option B says authoring six gate scopes unlocks a registration path while treating replay/audit as deferred. Those claims conflict with the accepted hard prerequisites. Option B also assigns GOV-COUNCIL an approval/quorum cluster without an explicit scope or contract edge. Recommendation B can remain, but only as an Owner-decision design option whose complete prerequisite graph is unresolved.

11. LEGO Boundary Assessment

PASS_WITH_CAVEAT. The package avoids a new mega-registry, mega-graph, mega-birth pipeline, and forced mega-owner. Per-scope ownership rows, explicit foreign-key edges, separate action families, and block-local supersession are compatible with modular governance.

“One ownership row per scope” does not itself prove independent rollback if shared approval, nonce, artifact, or audit carriers are left implicit. PATCH1 must make those dependency edges explicit and must not use an undefined broad approval cluster as hidden coupling.

12. Accepted Points

  1. Package structure and readback completeness.
  2. Owner model and rejection of caller/operator/RBAC/free-text/requester/validator/registrar authority.
  3. Governance-registry object/body as a structurally valid candidate head, while no head is currently bound.
  4. register_dot absent and design-only; no action was created.
  5. Authority remains outside U1 and is separately bound to the effect.
  6. Quorum is necessary-not-sufficient and president text matching is unsafe.
  7. Eighty-four tests are defined, not executed.
  8. Option B's separation-of-duties direction and no-mega-system objective.
  9. REGISTRATION_HOLD and all prior G2-G7 blockers remain in force.

13. Required Corrections and Caveats

The single scoped RS5A-PATCH1 item is: repair the G2 prerequisite and sequencing contract. It must make the following aligned corrections across RS5A-04, RS5A-06, RS5A-09, RS5A-10, RS5A-12, rollup, index, and Codex packet:

  1. Replace “replay/audit can be after registration” with “may be designed after the G2 decision, but must exist and pass before any real register_dot admission.” Artifact hash, nonce/replay, failure audit, U3, status-domain, effect-bound approval, and authority carriers remain hard runtime prerequisites.
  2. Replace every “Owner executes/performs the G2 designation on accept” instruction with “proceed to a separate G2 execution-design/authorization-design step.” That step must solve bootstrap authority and must itself receive authorization before any Owner/scope/APR/action write.
  3. Resolve the GOV-COUNCIL approval/quorum role against an explicit scope or explicit non-owner approver-body contract; do not silently inherit broad approval authority.
  4. State that the future governed registrar replaces the unsafe registrar and cannot wrap or relabel it.
  5. Correct the negative-test oracle codes and replay/idempotency distinction listed in section 9.

14. Rejected or Overclaimed Points

  1. Rejected: “six gate scopes are enough before register_dot; replay/audit may follow runtime registration.” This is scope drift and can permit fail-open registration.
  2. Rejected: “Codex acceptance lets the Owner-of-record execute the G2 designation.” There is no bound Owner and the owner-mint path is unimplemented; this is circular bootstrap and execution drift.
  3. Rejected: “Option A/B unlocks registration” while mandatory carriers and policies are absent.
  4. Not independently proven by Codex: runtime counts, function bodies, and distributions. They remain packet evidence under NO_CODEX_LIVE_READ.
  5. Not accepted as executed evidence: the 84-case suite.

15. Sequencing and Gate

Current sequence:

  1. Produce and re-review the scoped RS5A-PATCH1 prerequisite/sequencing correction.
  2. If accepted, proceed only to G2 Owner-of-record execution-design / authorization-design.
  3. Separately authorize and implement each required carrier and policy block, preserving replace-not-wrap and explicit scope edges.
  4. Run the reconciled validator and negative suites against the target runtime with real evidence.
  5. Only a later independent gate may decide whether registration can proceed.

Until then: REGISTRATION_HOLD; REGISTRATION_CAN_PROCEED = NO; no Owner row, scope row, APR, action, registrar, validator, registration, or activation operation is authorized.

16. Final Verdict

VERDICT: NEED_RS5A_PATCH1

RS5A is substantively useful and most of its authority model is sound, but it is not yet safe to accept as the final G2 decision dossier. The replay/audit prerequisite wording, circular Owner execution instruction, unmapped approval/quorum cluster, replacement-handler ambiguity, and test-oracle mismatches are material because downstream execution would treat this dossier as controlling authorization.

Single next step: issue RS5A-PATCH1 limited to the prerequisite/sequencing contract corrections in section 13. Do not reopen accepted RS4A/PATCH1/PATCH2 identity semantics.

DO NOT IMPLEMENT: Confirmed. No runtime mutation, no DDL/DML, no Owner row, no APR, no register_dot, no approval, no scope creation, no gate flip, no registrar/validator patch, no RS-VALIDATOR, no registration, no activation, no technical implementation, and no blocker resolution were performed or authorized by this review.
