Codex Review — RS5B-CLOSEOUT-PATCH1 Dependency-Safe Rollback + Gate Split — 2026-06-21
STATUS: HOLD
REVIEW VERDICT: REJECT_ROLLBACK_VALIDITY_ORACLE_INCOMPLETE
Stop state: RS5B_CLOSEOUT_PATCH1_HOLD_ORACLE_PRECEDENCE_I6_AND_GATE_WORDING_REQUIRED
Registration gate: REGISTRATION_HOLD
REGISTRATION_CAN_PROCEED = NO
P2 status: CLOSED · NOT_OPENED · NOT_AUTHORIZED
Evidence tier: AgentData KB contract-only review · NO_CODEX_LIVE_READ · NO_RUNTIME_VERIFICATION.
1. Source Register
Codex read the controlling sources directly from AgentData KB in the main process:
- Operating Rules SSOT: knowledge/dev/ssot/operating-rules.md, v7.58 returned by directsearch_knowledge.
- Constitution: knowledge/dev/laws/constitution.md, v4.6.3 BAN HÀNH returned by directsearch_knowledge.
- Prior official Codex HOLD: revision 1, content_length 13156, truncated=false.
- PATCH1 index: revision 1, content_length 4117, truncated=false.
- PATCH1-01 source/HOLD reconstruction: revision 1, content_length 13026, truncated=false.
- PATCH1-02 rollback contract: revision 1, content_length 11089, truncated=false.
- PATCH1-03 dependency map: revision 1, content_length 10450, truncated=false.
- PATCH1-04 rollback oracle/XBI: revision 1, content_length 16837, truncated=false.
- PATCH1-05 C7 conditionality: revision 1, content_length 5804, truncated=false.
- PATCH1-06 Gate A/Gate B split: revision 1, content_length 6568, truncated=false.
- PATCH1-07 impact map: revision 1, content_length 8696, truncated=false.
- PATCH1-08 adversarial self-review: revision 1, content_length 9116, truncated=false.
- PATCH1-09 decision packet: revision 1, content_length 8723, truncated=false.
- PATCH1 Codex/GPT packet: revision 1, content_length 5815, truncated=false.
- PATCH1 macro rollup: revision 1, content_length 8464, truncated=false.
All target package files and the prior HOLD were read fully from governed AgentData paths. No local mirror, chat summary, or read-unblock digest was used as controlling evidence.
2. Package Completeness
PASS. AgentData inventory contains the required eleven files under knowledge/dev/laws-new/reports/rs5b-closeout-patch1/ plus the required reports-level rollup. Every listed file is revision 1 and non-empty. The package is additive.
Job A remains accepted and was not reopened. This review is limited to dependency-safe rollback, rollback validity, C7 conditionality, and Gate A/Gate B sequencing.
3. Prior HOLD Closure Map
| Residual | Assessment |
|---|---|
| Destructive C1/C3/C4/C5/C7 rollback wording | PASS |
| C6 replay rollback hardening | PASS |
| Dependency impact and postconditions C1–C7 | PASS_WITH_CAVEATS |
| E1–E8 dependency map | PASS |
| Rollback validity rather than presence | FAIL |
| XBI orphan/history/authority/reference coverage | NEEDS_PATCH |
| C7 conditionality | PASS |
| Baseline vs plan-specific gate split | PASS_WITH_CAVEAT |
| HOLD/no runtime/no P2 discipline | PASS |
The package fixes most structural residuals, but the controlling oracle remains internally inconsistent and does not yet prove that every invalid rollback is rejected before PASS.
4. Dependency-Safe Rollback Contract
PASS_WITH_CAVEATS. PATCH1-02 correctly replaces destructive deletion with versioned retirement, supersession, preserved evidence, compatibility, and compensating transition. C1, C3, C4, C5, C6, and C7 no longer authorize destructive drop/delete/reset behavior. Historical IDs, references, evidence, old schema interpretation, consumed nonces, and approval records are preserved.
However, the contract says all I1–I10 are conjunctive while its coverage matrix marks I5 authority non-weakening as not applicable to C2. That exclusion is unsafe:
- C2 defines the authorization_binding_digest schema and the required authority references.
- A successor C2 schema could preserve old packets while weakening required fields for new packets.
- The current C2 rollback rule forbids changing old semantics but does not forbid a forward successor from dropping owner, authority-policy, founding-authority, approval-mode, or nonce requirements without a separately governed authority-policy transition.
I5 must cover C2 wherever schema evolution can weaken required authorization inputs. “Authority fields live in C3/C6/C7” is not sufficient because C2 controls whether those references are required in the envelope.
5. Dependency Map
PASS. E1–E8 each provide producer, consumer, reference field, destruction impact, safe rollback rule, post-rollback invariant, and a bad-input mapping. The graph preserves explicit reference edges and does not merge carriers.
The edge model remains design-level. It is not runtime proof, and no rollback execution is authorized.
6. Rollback-Validity Oracle
FAIL — blocking. The published precedence matches the requested order, but the oracle’s predicates, proof, and fixtures do not compose deterministically.
6.1 PASS formula omits plan absence
PATCH1-04 states:
PASS ⇔ ¬RBP0 ∧ ¬RBP2 ∧ … ∧ ¬RBP9
It then says RBP-1 (plan absent) is “not a conjunct of PASS.” This contradicts both the ordered classifier and the claim that plan existence is necessary-not-sufficient. If ROLLBACK_PLAN_ABSENT matches, PASS must be impossible.
The controlling formula must include every rejecting predicate:
PASS ⇔ ¬RBP0 ∧ ¬RBP1 ∧ ¬RBP2 ∧ … ∧ ¬RBP9
or equivalently “no reject predicate matches.” The current proof is not implementation-independent.
6.2 I6 has no complete reject predicate
I6 requires new use of a retired/superseded value to fail closed. PATCH1 says I6 is enforced jointly by RBP-7 and per-carrier postconditions, but RBP-7 only tests whether a successor/compatibility rule is absent.
A plan can have a successor rule and still allow new use of the retired value. Such a plan can preserve identity/history/references, avoid authority weakening, be audited and local, and therefore reach PASS despite violating I6.
The oracle needs an explicit predicate such as ROLLBACK_FORWARD_FAIL_CLOSED_VIOLATED, or RBP-7 must be redefined to reject both absent and non-enforcing successor transitions. A fixture must prove that “successor exists but retired value remains admissible” cannot PASS.
6.3 XBI-13 contradicts precedence
XBI-13 drops a hash record referenced by effect_identity and audit, but assigns ROLLBACK_ERASES_HISTORY (RBP-4).
The oracle definition says RBP-2 fires when rollback “deletes an identity referenced by C2 / audit / prior decision.” The XBI-13 hash record satisfies that predicate. If the package chooses not to classify a hash record as an identity, deleting it still makes edge E3 dangling, matching RBP-3. Both RBP-2 and RBP-3 precede RBP-4.
The fixture cannot override the authoritative precedence by an explanatory sentence. Predicates must be made mutually precise, or XBI-13 must use the actual earliest matching code. PATCH1-08 repeats the same inconsistent A3 result.
6.4 Multi-outcome fixtures
XBI-14 lists both ROLLBACK_ORPHANS_DEPENDENCY and ROLLBACK_CHANGES_HISTORICAL_SEMANTICS as expected outcomes, then narrows the current input to the orphan case. XBI-19 similarly describes ROLLBACK_NOT_LOCAL but acknowledges an earlier RBP-5 result when meaning changes.
Each fixture must define one exact input and one exact expected code. Variants must be split into separate fixtures. Otherwise the package’s “each single-coded” claim is overstated.
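As an added illustration (not code from the Codex review or the PATCH1 package), the ordered classifier below shows the three compositional properties this section requires: PASS is reachable only when no reject predicate, RBP-1 included, matches; the earliest matching code wins regardless of what a fixture narrates; and a present-but-non-enforcing successor rule reaches PASS until an explicit I6 predicate is added. The plan fields, the constructed fixture values, the subset and relative order of predicates, and the placeholder name for RBP-7's code are assumptions.

```python
from dataclasses import dataclass

@dataclass
class RollbackPlan:
    present: bool = True                     # False models RBP-1 (ROLLBACK_PLAN_ABSENT)
    deleted_ids: frozenset = frozenset()     # records the plan would delete
    referenced_ids: frozenset = frozenset()  # ids still referenced by audit / C2 / prior decisions
    erases_history: bool = False             # models RBP-4 (ROLLBACK_ERASES_HISTORY)
    successor_rule: bool = True              # successor/compatibility rule declared (RBP-7 fires if False)
    retired_value_admissible: bool = False   # retired value still usable for new use (I6 violation)

# Ordered reject predicates: earliest match wins. Codes are the ones the review names;
# "RBP7_SUCCESSOR_RULE_ABSENT" is a placeholder because the review does not name RBP-7's code.
PUBLISHED = [
    ("ROLLBACK_PLAN_ABSENT", lambda p: not p.present),
    ("ROLLBACK_ORPHANS_DEPENDENCY", lambda p: bool(p.deleted_ids & p.referenced_ids)),
    ("ROLLBACK_ERASES_HISTORY", lambda p: p.erases_history),
    ("RBP7_SUCCESSOR_RULE_ABSENT", lambda p: not p.successor_rule),
]
# Corrected oracle: the explicit I6 predicate the review asks for, appended to the list.
CORRECTED = PUBLISHED + [
    ("ROLLBACK_FORWARD_FAIL_CLOSED_VIOLATED", lambda p: p.retired_value_admissible),
]

def classify(plan, predicates):
    """Return the earliest matching reject code, or PASS only when no predicate matches,
    so PASS is the conjunction of every negated predicate in the list (RBP-1 included)."""
    for code, pred in predicates:
        if pred(plan):
            return code
    return "PASS"

def run_fixture(plan, predicates, expected):
    """A fixture is one exact input paired with one exact expected code."""
    return classify(plan, predicates) == expected

# Constructed fixtures (assumed values, not the package's XBI inputs).
ABSENT = RollbackPlan(present=False)
UNSAFE_SUCCESSOR = RollbackPlan(successor_rule=True, retired_value_admissible=True)
HASH_DROP = RollbackPlan(deleted_ids=frozenset({"hash-1"}),
                         referenced_ids=frozenset({"hash-1"}), erases_history=True)
SAFE = RollbackPlan()

if __name__ == "__main__":
    print(classify(UNSAFE_SUCCESSOR, PUBLISHED))  # PASS: the gap described in 6.2
    print(classify(UNSAFE_SUCCESSOR, CORRECTED))  # ROLLBACK_FORWARD_FAIL_CLOSED_VIOLATED
    print(classify(HASH_DROP, CORRECTED))         # ROLLBACK_ORPHANS_DEPENDENCY, not RBP-4
```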
7. XBI Assessment
NEEDS_PATCH. XBI-11–XBI-25 contain the required fields and all state “No” for PASS/seal/digest. The C7 and gate fixtures are materially useful.
The set does not yet provide a deterministic executable oracle because:
- XBI-13 conflicts with the global precedence.
- XBI-14 and XBI-19 contain multiple behavioral variants under one fixture.
- No fixture covers a present successor rule that fails to block new use of the retired value.
- No fixture covers a C2 successor schema that weakens forward authorization requirements.
No invalid input is intentionally declared PASS, but the proof that invalid inputs cannot reach PASS is incomplete.
8. C7 Conditionality
PASS_WITH_CAVEAT. The controlling discriminator is clear:
- APPROVAL_USED: C7 is mandatory and must pass before P3.
- APPROVAL_NOT_USED_BY_POLICY: C7 runtime presence is not mandatory, but governed policy must prove non-use; silent omission yields APPROVAL_MODE_POLICY_UNPROVEN.
The unconditional “all seven carriers” wording is superseded correctly.
A later implementation contract must also reject absent, null, or out-of-enum approval_mode; this review accepts the current rule only within its declared well-formed mode domain.
9. Gate A / Gate B Split
PASS_WITH_CAVEAT. Gate A and Gate B now have distinct objects, inputs, and outputs:
- Gate A accepts the baseline and only permits preparing a carrier-specific plan.
- Gate B requires a named plan, named carriers, rollback proof, current read-only preflight, exact-scoped Chairman token, and independent plan review.
A generic Chairman token is rejected, and Gate A cannot satisfy Gate B.
The non-overclaim wording remains internally inconsistent: PATCH1-06 says “Neither gate opens P2,” while Gate B is explicitly the P2-open gate and emits P2_OPEN_AUTHORIZED_FOR_NAMED_CARRIER_PLAN_ONLY. The intended distinction appears to be that this PATCH1 review does not execute Gate B, while a future successful Gate B authorizes opening only the named lane.
PATCH2 must state that distinction directly:
- this package and Gate A do not open P2;
- a future, actually satisfied Gate B may authorize opening the named lane;
- Gate B still does not authorize registration, activation, real register_dot, or any runtime write not separately gated.
10. Scope and Non-Overclaim
PASS. PATCH1 performed no runtime mutation, DDL/DML, P2 opening, rollback execution, Owner/scope/APR/register_dot/approval/handler creation, canonical-operation runtime row creation, registrar/validator patch, RS-VALIDATOR, implementation, registration, or activation.
No Chairman authorization is asserted to exist. Package “0 mutations” remains an attestation, not live verification.
REGISTRATION_HOLD remains active. REGISTRATION_CAN_PROCEED = NO. P2 remains closed.
11. Accepted Points
- Complete additive package.
- Job A remains accepted and untouched.
- Destructive carrier rollback wording is superseded.
- I1–I10 provide a strong rollback-invariant framework.
- E1–E8 dependency edges are explicit and complete at design level.
- Plan presence is no longer intended as sufficient.
- C7 conditionality is resolved.
- Gate A and Gate B are structurally separated.
- Exact-scoped Chairman authorization is required at Gate B.
- No runtime, P2, rollback execution, registration, or activation is authorized.
12. Rejected or Overclaimed Points
- Rejected: the current PASS formula proves plan absence cannot PASS.
- Rejected: RBP-7 fully enforces I6.
- Rejected: XBI-13’s expected RBP-4 result follows the published precedence.
- Rejected: every XBI is unambiguously single-coded.
- Rejected: I5 is irrelevant to C2 schema evolution.
- Rejected: “Neither gate opens P2” is, without clarification, compatible with a Gate-B P2-open output.
- Not accepted: this PATCH1 acceptance opens P2 or authorizes rollback execution.
13. Required PATCH2
A narrow RS5B-CLOSEOUT-PATCH2 must:
- correct the PASS formula to include ¬RBP1;
- add an explicit I6 reject predicate or strengthen RBP-7 to cover unsafe successor rules;
- add an XBI for “successor exists but retired value remains valid for new use”;
- make RBP-2/RBP-3/RBP-4 predicates non-overlapping or apply precedence consistently to XBI-13;
- split XBI-14 and XBI-19 variants into single-input/single-code fixtures;
- apply I5 to C2 authorization-schema evolution and add a forward-authority-weakening fixture;
- clarify that this package/Gate A does not open P2, while only a future fully satisfied Gate B may authorize the named lane;
- retain all existing non-authorization and registration HOLD boundaries.
Do not reopen the accepted dependency-safe carrier patterns, dependency graph, C7 rule, or Job A.
14. Final Verdict
VERDICT: REJECT_ROLLBACK_VALIDITY_ORACLE_INCOMPLETE
The patch fixes the destructive rollback architecture and most sequencing defects, but the rollback-validity oracle is not yet deterministic enough to become the controlling Gate-A baseline. Its PASS proof omits plan absence, I6 can fail while a successor rule exists, and its hash-deletion fixture contradicts the authoritative precedence.
Stop state: RS5B_CLOSEOUT_PATCH1_HOLD_ORACLE_PRECEDENCE_I6_AND_GATE_WORDING_REQUIRED.
Single next step: RS5B-CLOSEOUT-PATCH2 limited to the oracle/predicate/XBI corrections, C2-I5 coverage, and Gate-B wording clarification listed above.
REGISTRATION_HOLD remains active. REGISTRATION_CAN_PROCEED = NO. P2 remains CLOSED, NOT_OPENED, and NOT_AUTHORIZED.
DO NOT IMPLEMENT: Confirmed. No runtime mutation, DDL/DML, P2 open, rollback execution, Owner/scope/principal/APR/approval/register_dot/handler, canonical-operation runtime row, registrar/validator patch, RS-VALIDATOR, implementation, registration, activation, or blocker resolution was performed or authorized.
15. Three Declarations and Compliance
- Permanent: rollback validity must be expressed as one complete predicate system whose precedence and fixtures agree.
- Mistake-resistant: every invalid plan, including an unsafe present successor, must match a reject predicate before PASS.
- 100% automatic: not achieved until the oracle has a complete PASS condition and single-code fixtures.
Assembly Gate: PG/Directus/Nuxt = N/A; AgentData KB contract-only review. Data flow: direct AgentData reads plus one official Codex report write. OR/TD/handoff update is not required because no runtime or implementation state changed.