KB-78F3

READY-TO-ASSEMBLE-LEGO1-PATCH2 11 — Internal Codex Negative Review (A1–A22) — 2026-06-22

Revision 1

Posture: I review PATCH2 as Codex would — distrusting my own report, demanding actual registered artifacts + read-only definition evidence, rejecting raw SQL, prose-as-contract, and overclaim. I report READY only if every attack is defended by an existing, read-back-verifiable artifact or a genuinely authority/runtime-only residual. Gate: REGISTRATION_HOLD · CAN_PROCEED = NO · 0 runtime mutations.

Why PATCH1's self-review failed (root of B12): it was a category checklist that marked every blocker PASS without live inspection. It missed the dispatcher REAL_RUN exception, the IU-create semantics, the impossible granted status, the 0-row resolver join, and the unrelated harness. This review reproduces from live evidence first.

A1–A22

| # | Attack | Live/source check | Defended? | Verdict |
|---|---|---|---|---|
| A1 | raw SQL path still possible | file 02/05 remove raw DDL/DML; DOT-only + block_after_guard | by design, but governed handler absent | HOLD (B1/B4) |
| A2 | named DOT not wired | c1_contracts=0, c1_dot_tools=0 | contracts absent | HOLD |
| A3 | C1 DOT pair absent | dot_agent_api_contract=DOT_KG only | absent | HOLD |
| A4 | Directus collection creation not proven | no Directus-DDL primitive in 54-cmd catalog; c1_table=0 | unproven (artifact absent) | HOLD |
| A5 | manifest invents values | R_C1 projects governed apr_action_types only | yes | PASS |
| A6 | manifest hash not recomputable | real bytes+SHA-256+command (file 09) | yes | PASS |
| A7 | wrong-scope auth passes | exact set-equality + status='active' + esign authenticity (file 05) | by spec; grant absent | PASS-spec / AUTHORITY |
| A8 | loose action superset passes | @> replaced by sorted set-equality | yes | PASS |
| A9 | consume after write possible | consume at S1 before writes, one txn (file 05/06) | by spec; handler absent | HOLD (B4) |
| A10 | duplicate retry duplicates rows | c1_build_run resume + per-value idempotency | by spec; table/handler absent | HOLD (B5) |
| A11 | partial failure leaves orphan | named COMP_* stop states | by spec; handlers absent | HOLD (B5) |
| A12 | rollback deletes | no-DELETE; versioned retire/supersede | by spec; handler absent | HOLD (B5) |
| A13 | rollback keeps retired valid | forward-fail-closed (RBP-8) | by spec | PASS-spec |
| A14 | PF7 checks wrong gate | C1 view required; v_dotkg not reused; c1_preflight_views=0 | view absent | HOLD (B7) |
| A15 | T1–T20 not executable | T16/T18/T20 runnable now; rest need absent artifacts | partial | HOLD (B6) |
| A16 | cser ambiguous | cser-v1 pinned; real digest | yes | PASS |
| A17 | evidence can't prove readback | read-only packet (file 10); AFTER needs artifacts | partial | HOLD (B9⊂B1) |
| A18 | blast-radius misses artifacts | file 10 lists all absent artifacts + shared-config caveat | yes | PASS |
| A19 | prep gap hidden as authority-only | file 02/05/06/07/08 explicitly classify B1/B4/B5/B6/B7 as PREPARATION_GAP | yes | PASS (honesty) |
| A20 | dry-run-ready-now overclaim | verdict says NO to both gates | yes | PASS |
| A21 | engineering PASS = authority PASS | distinguished throughout | yes | PASS |
| A22 | invalid input creates digest/PASS/seal | fail-closed at verifier/cser/resolver; absent artifacts can't seal | yes | PASS |

Verdict

A2, A3, A4, A9, A10, A11, A14, A15, A17 are HOLD: the defenses are specified but rest on executable contracts that do not exist and that PATCH2 may not create. Codex's bar ("authorization may remain absent; the executable contract may not") is therefore not met.

INTERNAL VERDICT: READY_TO_ASSEMBLE_LEGO1_PATCH2_HOLD_DOT_DIRECTUS_PATH_INCOMPLETE (not forced). Had the C1 executable contracts existed and been read-back-verifiable (with only the grant + runtime flips remaining), this review would have returned …_READY_FOR_GPT_REVIEW. They do not, so it returns HOLD.

Boundary attestation

Internal review only; no mutation. REGISTRATION_HOLD retained; CAN_PROCEED = NO; 0 runtime mutations.

knowledge/dev/laws-new/reports/ready-to-assemble-lego1-patch2/11-internal-codex-negative-review-2026-06-22.md