Codex Review — RS5A-PATCH3 Deterministic Lifecycle & Oracle Predicates — 2026-06-21
STATUS: HOLD
REVIEW VERDICT: REJECT_RS5A_PATCH3_QUORUM_PRECEDENCE_INSUFFICIENT
Stop state: QUORUM_PRECEDENCE_INSUFFICIENT
Registration gate: REGISTRATION_HOLD
REGISTRATION_CAN_PROCEED = NO
Evidence tier: AgentData KB contract-only review. NO_CODEX_LIVE_READ. No runtime proof is claimed or required.
1. Source Register
Codex read directly from AgentData KB in the main process:
- knowledge/dev/ssot/operating-rules.md — OR v7.58, AgentData revision 51, full read, truncated=false, content_length=5400.
- knowledge/dev/laws/constitution.md — Constitution v4.6.3 BAN HÀNH, AgentData revision 44, full read, truncated=false, content_length=19132.
- knowledge/dev/laws/dieu32-approval-law.md — Điều 32 v1.1 BAN HÀNH, AgentData revision 2, full read, truncated=false, content_length=5601.
- Prior Codex PATCH2 HOLD: knowledge/dev/laws-new/reports/codex/codex-review-rs5a-patch2-semantic-closure-precision-2026-06-21.md — revision 1, full read, truncated=false, content_length=11413.
- PATCH3 rollup: knowledge/dev/laws-new/reports/macro-rs5a-patch3-deterministic-lifecycle-and-oracle-predicates-2026-06-21.md — revision 1, full read, truncated=false, content_length=5917.
- PATCH3 index, closure map, lifecycle, quorum, replay, decision packet, and Codex review packet — all revision 1, full read, truncated=false. Returned content lengths: 4429, 6125, 9712, 10766, 7406, 6278, and 5240.
- Comparison references PATCH2-03 and PATCH2-04 — revision 1, full read, truncated=false, content_length=9045 and 5697.
Direct AgentData list evidence:
- reports/rs5a-patch3/ returned count=7, next_offset=null, truncated=false; every file revision=1.
- The separately located PATCH3 rollup exists at revision 1.
- reports/rs5a-patch2/ returned count=7; every file revision=1.
- reports/rs5a-patch1/ returned count=9; every file revision=1.
- The official report path did not exist before this upload (count=0).
No local prose or scratch file was used as package evidence.
2. Package Completeness Assessment
PASS.
The required package contains exactly eight target documents: one rollup plus seven documents under reports/rs5a-patch3/. All eight are revision 1 and every direct full read returned truncated=false with non-zero content_length.
The package is additive. PATCH1 and PATCH2 directory inventories remain present at revision 1. No evidence shows an overwrite of RS5A, PATCH1, or PATCH2.
3. Closure Map Assessment
The closure map contains exactly three residuals:
- R1 lifecycle availability versus persistence.
- R2 quorum reject-code precedence and delegation interval.
- R3 replay/idempotency mutual exclusion and G08 fixture.
For each residual, the PATCH2 phrase, PATCH3 correction, CLOSED claim, and fail-closed/caveat state are present.
Assessment of the claims:
- R1: CLOSED — accepted.
- R2: NOT CLOSED — the interval is deterministic, but reject-code selection is not deterministic for all valid input shapes.
- R3: CLOSED for the required G02a/b/c mutual-exclusion and G08 fixture checks, with one overclaim caveat described below.
4. Lifecycle Availability / Persistence / Business-Transition Assessment
PASS.
PATCH3-02 cleanly separates:
- Axis A: first availability before real register_dot admission.
- Axis B: post-admission persistence/operation.
- Axis C: governed business-transition timing.
Verified outcomes:
- Replay exists and passes before admission; it remains operational after admission for idempotent retry and prior-decision retrieval; it is not activation.
- Audit exists and passes before admission; records persist and the surface remains operational for failure verification, forensics, and lifecycle audit; it is not a business transition.
- Artifact/hash, U3, status, authority, and approval surfaces exist before admission, persist after admission, and do not become post-registration business transitions.
- Activation is not required for the inert draft registration write.
- Draft-to-active may occur only later under separate activation authority.
- Registration authority does not imply or transfer activation authority.
The pre-admission gate is preserved. PATCH3 does not permit replay or audit to be first introduced after registration.
5. Quorum Precedence and Delegation Interval Assessment
FAIL — BLOCKING.
Accepted
The following are correct and deterministic:
- Inter-band order P0 → P1 → P2 → P3 → P4 → P5.
- Named overlap outcomes:
  - free-text president versus generic president unresolved;
  - self-declared ai_council versus generic council unresolved;
  - distinct aliases/delegations versus exact canonical-reference repetition.
- P2 internal order: revoked → scope mismatch → not-yet-effective/expired.
- Delegation interval [effective_from, effective_to).
- effective_from boundary is valid.
- effective_to and later are DELEGATION_EXPIRED.
- earlier than effective_from is DELEGATION_NOT_YET_EFFECTIVE.
- revocation overrides interval checks.
- The new not-yet-effective code is design/oracle-only.
- Present-state P0 fail-closed gate is retained; no principal, registry, or scope was created.
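The accepted P2 order and half-open interval, as an added example that is not part of the reviewed package. The `revoked` and `scopes` field names, the sample dates, and the two placeholder codes are assumptions; the review names only the two interval codes.

```python
from datetime import datetime, timezone

EXPIRED = "DELEGATION_EXPIRED"
NOT_YET = "DELEGATION_NOT_YET_EFFECTIVE"
# The review names no codes for these two P2 outcomes; placeholders only.
REVOKED = "<revoked-code-placeholder>"
SCOPE_MISMATCH = "<scope-mismatch-code-placeholder>"


def p2_reject_code(delegation, requested_scope, at):
    """Return the single P2 reject code, or None when the delegation is usable.

    Evaluation order follows the review: revoked -> scope mismatch -> interval.
    """
    if delegation["revoked"]:
        return REVOKED                       # revocation overrides interval checks
    if requested_scope not in delegation["scopes"]:
        return SCOPE_MISMATCH
    if at < delegation["effective_from"]:
        return NOT_YET
    if at >= delegation["effective_to"]:     # half-open: effective_to is already expired
        return EXPIRED
    return None


# Constructed sample delegation (hypothetical values).
START = datetime(2026, 1, 1, tzinfo=timezone.utc)
END = datetime(2026, 2, 1, tzinfo=timezone.utc)
SAMPLE = {
    "effective_from": START,
    "effective_to": END,
    "scopes": {"sample-scope"},
    "revoked": False,
}

if __name__ == "__main__":
    for label, at in (("effective_from", START), ("effective_to", END)):
        print(label, "->", p2_reject_code(SAMPLE, "sample-scope", at))
```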
Blocking counterexample
PATCH3-03 states that predicates inside each band are mutually exclusive, but it does not define predicates or an internal ordering that makes P1 mutually exclusive.
One input can contain both:
- approver free text that claims president authority, such as “president-bot”; and
- approver_type=ai_council without canonical_voting_body membership.
After P0 is eventually satisfied, this single input matches both:
- FREE_TEXT_PRESIDENT_REJECTED; and
- SELF_DECLARED_COUNCIL_IDENTITY_REJECTED.
P0 does not solve the future contract: it only masks the ambiguity while the principal surface is absent. P1 has no discriminator, tuple-level constraint, or within-band precedence selecting exactly one code. Therefore the package has not established “one input maps to exactly one reject code.”
P3 has the same specification weakness: PRESIDENT_ROLE_UNRESOLVED and COUNCIL_PRINCIPAL_UNRESOLVED are listed in one band without a stated input discriminator or internal precedence. A future implementation would have to invent behavior not contained in this contract.
Required PATCH4 correction:
- Define mutually exclusive predicates for every multi-code band, especially P1 and P3; or define a total order between every code.
- Include compound adversarial fixtures, not only pairwise P1-versus-P3 fixtures.
- State the exact evaluation unit (single vote, claimed slot, resolved slot, or whole APR) so a multi-fault input has one canonical outcome.
- Propagate the corrected total order to the oracle and decision packet.
Until then, R2 remains open.
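The blocking counterexample as an executable exclusivity check; this is an added example, not contract text or code from the reviewed package. The predicates, the `approver` and `canonical_ref` field names, and the fixtures are constructed from the prose above, with a single vote assumed as the evaluation unit.

```python
# Added example: constructed P1 predicates and fixtures, not contract text.
P1_CODES = ("FREE_TEXT_PRESIDENT_REJECTED", "SELF_DECLARED_COUNCIL_IDENTITY_REJECTED")


def free_text_president(vote):
    # Assumption: a free-text claim is an approver string naming "president"
    # with no canonical reference attached (canonical_ref is a hypothetical field).
    return "president" in vote.get("approver", "").lower() and not vote.get("canonical_ref")


def self_declared_council(vote):
    # approver_type=ai_council without canonical_voting_body membership.
    return vote.get("approver_type") == "ai_council" and not vote.get("canonical_voting_body")


P1_BAND = dict(zip(P1_CODES, (free_text_president, self_declared_council)))

FIXTURES = {  # constructed single-vote inputs, assumed to have passed P0
    "free_text_only": {"approver": "president-bot", "approver_type": "human"},
    "council_only": {"approver": "reviewer-7", "approver_type": "ai_council"},
    "compound": {"approver": "president-bot", "approver_type": "ai_council"},
}


def matching_codes(vote):
    """Every P1 code whose predicate holds, evaluated independently of order."""
    return [code for code, pred in P1_BAND.items() if pred(vote)]


def ambiguous_fixtures(fixtures):
    """Fixtures that violate 'one input maps to exactly one reject code'."""
    hits = {name: matching_codes(vote) for name, vote in fixtures.items()}
    return {name: codes for name, codes in hits.items() if len(codes) > 1}


def first_match(vote, order):
    """Resolve under a caller-supplied total order; the review does not pick one."""
    return next((code for code in order if P1_BAND[code](vote)), None)


if __name__ == "__main__":
    print(ambiguous_fixtures(FIXTURES))
    for order in (P1_CODES, P1_CODES[::-1]):
        print(order[0], "first ->", first_match(FIXTURES["compound"], order))
```

The compound fixture resolves to a different code under each ordering, which is why the order has to be fixed at the contract layer rather than left to an implementation.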
6. Replay / Idempotency and G08 Fixture Assessment
PASS on requested checks; caveat on an overclaim.
Verified:
- G02a requires same nonce, same effect_identity, same authorization envelope/digest, a prior durable decision, and exact retry/recovery.
- G02b requires same nonce with different effect_identity.
- G02c requires same nonce, same effect_identity, and different authorization envelope/digest.
- Different effect is checked first; changed envelope second; exact durable retry third.
- The authorization-substitution case lands only on G02c.
- G08 is distinguished from G02a by client-observation fixture: known-response retry versus lost/unknown-response recovery.
- Both retain IDEMPOTENT_PRIOR_DECISION_RETRIEVAL.
- Count is correctly stated as 84 parent IDs / 86 executable scenarios.
- Suite remains DEFINED_NOT_EXECUTED.
Required caveat: PATCH3-04 overclaims that the three branches partition every same-nonce input. Same nonce + same effect + same envelope + no prior durable decision matches none of G02a/b/c. This does not reintroduce G02a/G02c overlap, so it is not the primary blocker for this scoped review, but PATCH4 should either narrow the “partition” claim to same-nonce inputs with a prior durable decision or define the missing in-flight/no-durable-decision state before implementation.
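The mutual-exclusion result and the partition gap can both be checked by enumerating every same-nonce input shape. This is an added example, not part of the reviewed package; the boolean encoding is an assumption, and G02a's "exact retry/recovery" condition is treated as implied by the other three.

```python
from itertools import product

# Each same-nonce input is encoded as (same_effect, same_envelope, prior_durable).
# Predicates are written independently of evaluation order, as the review lists them.
PREDICATES = {
    "G02a": lambda same_effect, same_envelope, prior_durable:
        same_effect and same_envelope and prior_durable,
    "G02b": lambda same_effect, same_envelope, prior_durable:
        not same_effect,
    "G02c": lambda same_effect, same_envelope, prior_durable:
        same_effect and not same_envelope,
}


def coverage_table():
    """Map every same-nonce input shape to the branches whose predicate holds."""
    return {
        shape: [name for name, pred in PREDICATES.items() if pred(*shape)]
        for shape in product((True, False), repeat=3)
    }


def overlaps(table):
    """Shapes matched by more than one branch (a mutual-exclusion failure)."""
    return [shape for shape, names in table.items() if len(names) > 1]


def gaps(table):
    """Shapes matched by no branch (a partition failure)."""
    return [shape for shape, names in table.items() if not names]


if __name__ == "__main__":
    table = coverage_table()
    print("overlaps:", overlaps(table))
    print("gaps (same_effect, same_envelope, prior_durable):", gaps(table))
```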
7. Accepted Points
- Complete additive eight-file PATCH3 package.
- R1 lifecycle correction is accepted.
- Replay and audit remain hard pre-admission prerequisites and persist/operate afterward.
- Activation remains the only post-registration business transition and has separate authority.
- Delegation half-open interval and boundary outcomes are accepted.
- Named spoof/unresolved and alias/canonical overlap cases are resolved as requested.
- G02a/b/c are mutually exclusive for their stated predicates.
- G08 is a distinct client-observation fixture with the same server-side outcome.
- 84 parent IDs / 86 executable scenarios is accepted as definition, not execution evidence.
- No accepted RS4A/PATCH2 owner, bootstrap, handler, identity, U1/U2/U3, or hard-prerequisite semantics were reopened.
- No runtime artifact was created.
8. Required Caveats
- P0 is a present-state fail-closed condition, not proof that the future P1/P3 oracle is total.
- DELEGATION_NOT_YET_EFFECTIVE is contract text only, not a runtime implementation.
- The 86-scenario suite is DEFINED_NOT_EXECUTED; no PASS claim is accepted.
- The G02 partition statement is too broad unless prior durable decision existence is part of the domain being partitioned.
- This review performed no live/runtime read and claims no live proof.
9. Rejected / Overclaimed Points
- Rejected: “within a band, the listed predicates are mutually exclusive” for P1 and P3.
- Rejected: “one input maps to one code” as a complete quorum contract.
- Rejected: R2 status CLOSED.
- Overclaimed: G02a/b/c cover every same-nonce input without a prior-durable-decision domain restriction.
- Not accepted as evidence: package statements of 0 runtime mutation are contract attestations; this review did not independently inspect runtime.
10. Sequencing and Gate
- Produce RS5A-PATCH4 limited to total quorum reject predicates/order and the G02 partition wording/state caveat.
- Re-review PATCH4.
- Only after acceptance may RS5B Owner-of-record execution-design / authorization-design begin.
- RS5B remains non-mutating unless separately authorized later.
REGISTRATION_HOLD remains active. REGISTRATION_CAN_PROCEED = NO.
No Owner row, scope row, principal registry, APR, register_dot, approval, handler, registrar/validator patch, RS-VALIDATOR, implementation, registration, or activation is authorized.
11. Three Declarations
- Permanent: the review rejects a precedence ladder that would force future implementers to invent tie-break behavior; PATCH4 must make the oracle total at the contract layer.
- Mistake-resistant: every multi-fault input must be structurally forced to one canonical code through exclusive predicates or a complete code-level order.
- 100% automatic: future tests can be automated only when compound fixtures have one expected code without human interpretation.
Conservation: no ID reuse, relationship deletion, or metadata reduction occurred because this mission created only this review report.
Assembly Gate: PG=N/A, Directus=N/A, Nuxt=N/A. This is a KB contract-only review; no implementation was authorized.
Five design questions: overall model=contract review; closed process=read→adversarial predicate test→verdict→gate; tools=AgentData direct reads/list/upload/readback; execution environment=KB only; golden principle=contract metadata before code.
Data flow: AgentData KB read and one official report write only. No PG/Directus/Nuxt/runtime path was touched.
One mission: review RS5A-PATCH3 only.
12. Step-by-Step Compliance Record (0→6)
- Step 0 — Read skill, OR v7.58, Constitution v4.6.3, and relevant Approval Law v1.1.
- Step 1 — Confirmed one review-only mission and REGISTRATION_HOLD.
- Step 2 — Designed adversarial checks before any report write; no code/design implementation.
- Step 3 — N/A: no code, DDL, DML, runtime/config mutation, or local scratch artifact.
- Step 4 — N/A: no PR, merge, deploy, or two-hat implementation flow for a review-only mission.
- Step 5 — Verified all contract sources by full AgentData read; no production runtime verification was required or claimed.
- Step 6 — Official report saved at the prescribed KB path and read back in full. OR/TD/handoff update not required because there is no implementation/runtime change and the official report contains the only follow-up.
13. Final Verdict
VERDICT: REJECT_RS5A_PATCH3_QUORUM_PRECEDENCE_INSUFFICIENT
PATCH3 closes lifecycle persistence and replay/idempotency overlap, and it fixes delegation boundaries. It does not yet provide a total quorum reject oracle: at least one concrete compound input maps to two P1 codes, while P3 also lacks explicit intra-band discrimination.
Single next step: RS5A-PATCH4, narrowly limited to total code-level quorum precedence/exclusive predicates and the G02 partition caveat.
DO NOT IMPLEMENT: Confirmed. No runtime mutation, DDL/DML, Owner row, scope row, principal registry, APR, register_dot, approval, handler, registrar/validator patch, RS-VALIDATOR, registration, activation, or technical implementation was performed or authorized.