10 — Internal Codex Negative Review (2026-06-22)
Macro: DOT_MANAGE_LEGO_TRANSITION_SURVEY_FOR_C1_DRYRUN · Date: 2026-06-22.
Answers macro §3.9. Each attack is run adversarially (default = the attack succeeds unless defended by evidence). If any attack succeeds, the macro verdict must HOLD. Disclosed bounded residuals are listed even where the attack is defended.
| # | Attack | Verdict | Defense / evidence | Residual (disclosed) |
|---|---|---|---|---|
| A1 | Missed an existing DOT-manage source | DEFENDED | §0.1 core (README, handbook rev12, legacy operations/ copy, 9a0 reports), §0.2 registry/CAT-006, §0.3 Macro-9 specs/admission/reports, §0.4 four C1 packages + Codex review, §0.5 live probes — all in 01. Premise corrections recorded (legacy handbook exists; CAT-006 is a catalog record not a step). | Reconstruction leaned on faithful agent summaries + verbatim quotes rather than byte-reading every doc; quotes are cited so claims are checkable. Not a missed source. |
| A2 | Invented a new path despite a reusable Macro-9 path | DEFENDED | 04 evaluates Macro-9 FIRST and reuses Path A registration (03); no new birth/registration path invented. The conclusion that the dry-run uses the collection+contract route (not a CREATE SCHEMA staging shell) is reasoned (04 §8): a DRY_RUN never writes, so a disposable schema is a REAL_RUN concern. Macro-9 is kept as the REAL_RUN sandbox template. | If a future decision wants the dry-run to run inside a forked C1 staging schema, that is an additive option, not a contradiction. |
| A3 | Reused a forbidden/frozen DOT | DEFENDED | No frozen DOT (dot-birth-trigger-setup, dot-birth-backfill, dot-schema-birth-registry-ensure) and no forbidden lane appears anywhere in 05/07/09; all are bucketed DO_NOT_USE in 06. | The live registry does NOT enforce the freeze flag — surfaced as a REPAIR/operator action, not relied upon. |
| A4 | Failed to identify registry/catalog status | DEFENDED | Live: dot_tools=309, CAT-006 active (309 vs actual 163), dot_agent_api_contract=2 (KG only), table_registry=21, gates closed, OSPA=0, ownership=0, C1 absent on every surface — all in 02 with command log in 01. | CAT-006 309↔163 drift is pre-existing; flagged for reconcile, not C1-blocking. |
| A5 | Failed to update DOT manage | DEFENDED | Applied (readback-confirmed): standalone transition-status addendum (rev1) + README pointer (rev2) + this package + rollup (08 §A). Governed-registry updates recorded as exact operator actions (08 §B). | Canonical handbook §20 inline edit deliberately skipped (full-body rewrite risk); covered by the addendum + README pointer instead. |
| A6 | Local sandbox overclaimed as governed runtime | DEFENDED | Every reference to the C1 sandbox is labeled LOGIC-only / NOT_GOVERNED (02,05,07, addendum). Verdict explicitly says SURVEY_COMPLETE ≠ C1 dry-run ready; C1 REGISTERED=NONE, RUNNABLE=NO stated repeatedly. | — |
| A7 | Plan still leaves an unknown prerequisite | DEFENDED (with named residuals) | 09 closes capability→specs→collection→registration→authority→preflight→dry-run→review. No prerequisite is unknown; the items below are verify-during-execution within named phases, not hidden blockers. | Named residuals to verify in-phase: (i) which existing DOT actually creates a composite-PK + write-once table — DOT_COLLECTION_REGISTER vs DOT_C1_SCHEMA_ENSURE + a trigger step (verify at P2); (ii) executor endpoint :8090/dispatch liveness (verify at P6); (iii) apr_action_types still exposes exactly 14 active rows at dry-run time (verify at P6.2). All disclosed, bounded, in-scope. |
| A8 | Plan would create an orphan DOT | DEFENDED | 09 P1.3 mandates one birth/admission record per new C1 DOT (anti-orphan), with stop-state HOLD_ADMISSION_MISSING_OR_INVALID. | — |
| A9 | Plan bypasses DOT birth/governance | DEFENDED | All registration via the lawful registrar dot-dot-register (09 P3.1); [DOT]-only actions; explicit "NEVER by hand". No manual SQL / token-mint / generic Directus create anywhere. | Depends on operator honoring DOT-only at execution time (out of this macro's control; stated as a hard rule). |
| A10 | Plan is too small / piecemeal | DEFENDED | 09 is 8 phases / ~25 steps closing ALL prerequisites + a completeness assertion + an explicit deferred REAL_RUN follow-on; it does not stop at the first missing item. | — |
| A11 | Plan cannot lead to C1 dry-run readiness | DEFENDED | The path is lawful and achievable: the only gating dependency is P0 (operator grants the Gate-B capability + creds the existing registrar). Given P0, P2–P6 are concrete governed-DOT actions that produce a dispatchable DRY_RUN. | Readiness is conditional on P0; if the operator never grants Gate-B, the system stays at the current HOLD — which is correctly reported, not overclaimed. |
Adjudication
- 0 of 11 attacks succeed. All are defended on evidence.
- The disclosed residuals (A7) are bounded execution-time verifications inside named phases, not unknown prerequisites — naming them strengthens, not weakens, the survey.
- The survey did NOT overclaim: it asserts SURVEY_COMPLETE, explicitly distinct from C1 readiness, with REGISTRATION_HOLDACTIVE and the single operator-only blocker named.
Internal review verdict: PASS. No attack forces a HOLD. The macro may verdict DOT_MANAGE_LEGO_TRANSITION_SURVEY_COMPLETE_FOR_C1_DRYRUN. (Had A2/A3/A6/A8/A9/A10 failed, the mapped reject would be …REJECT_DOT_BYPASS / …REJECT_FORBIDDEN_DOT_REUSE / …REJECT_SANDBOX_OVERCLAIM / …REJECT_ORPHAN_DOT_RISK; had A1/A4/A5/A7/A11 failed, the mapped HOLD would be …HOLD_SOURCE_READ_FAILED / …HOLD_DOT_REGISTRY_UNCLEAR / …HOLD_DOT_MANAGE_UPDATE_INCOMPLETE / …HOLD_PLAN_TOO_SMALL.)