RS5B-CLOSEOUT-PATCH1 08 — Codex-Style Adversarial Self-Review — 2026-06-21

Purpose: before emitting a verdict, attack PATCH1 the way Codex would. The bar is not "did I write the word rollback" — it is "does a malicious rollback (destroys dependency, erases evidence, weakens authority) or an early-P2 / authority-overclaim attempt get rejected before any PASS." Every attack below is run against the PATCH1 contract (files 02–06). Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 mutations. Attacks are design fixtures (DEFINED_NOT_EXECUTED).

---

1. Source register reconstruction

I read the controlling Codex HOLD report in full (content_length 13156, truncated=false) and all ten closeout files + rollup in full (file 01 records path/revision/length/truncated for each). I did not trust the old decision packet's "READY_FOR_GPT_REVIEW" verdict — Codex superseded it with HOLD. I reconstructed the eight Job-B residuals (file 01 §4) directly from Codex §4/§5/§6/§7/§11, not from any summary. The read-unblock digest was not used as controlling evidence.

2. What I tried to break

I tried to make PATCH1 emit a PASS (ROLLBACK_CONTRACT_VALID_FOR_REVIEW, P2_BASELINE_ENTRY_DESIGN_ACCEPTED, P2_OPEN_AUTHORIZED_FOR_NAMED_CARRIER_PLAN_ONLY) for an input that should be rejected: a destructive rollback, an orphaning rollback, a history-erasing rollback, an authority-weakening rollback, a C7 contradiction, a gate short-circuit, and a runtime/authority overclaim. If any produced a PASS/seal, PATCH1 would not be ready.

3. Destructive rollback attacks

• A1 — "drop the vocabulary value, it's just cleanup": RBP-2 ROLLBACK_DELETES_REFERENCED_IDENTITY fires (deletion of a C2-referenced identity), which precedes RBP-1/PASS. Cannot PASS.
• A2 — "delete the owner row, we superseded it logically": if the row is deleted (not status-superseded), RBP-2 fires. The only path that avoids RBP-2 is preserve-identity revoke/supersede (file 02 C3) — which is the safe pattern, not a bypass.
• A3 — "drop the hash, the artifact is gone anyway": RBP-4 ROLLBACK_ERASES_HISTORY fires; reproducibility evidence cannot be removed. Cannot PASS.

Result: every destructive deletion matches an RBP-k (k≥2) that outranks PASS. No destructive rollback reaches ROLLBACK_CONTRACT_VALID_FOR_REVIEW.

4. Orphan dependency attacks

• A4 — "disable the status policy; nothing else references it" (it actually is referenced by old C2): RBP-3 ROLLBACK_ORPHANS_DEPENDENCY fires via edge E4. The dependency map (file 03) makes the reference explicit, so the claim "nothing references it" is checkable and false.
• A5 — "roll back C6 by resetting the replay surface": edge E5 shows consumed-nonce history is referenced; reset → reuse possible → RBP-6 ROLLBACK_WEAKENS_AUTHORITY. Cannot PASS.

Result: the explicit edge graph (file 03) converts every "nothing references it" assertion into a verifiable predicate; orphaning is caught by RBP-3 (or RBP-6 when it also weakens authority).

5. History erasure attacks

• A6 — "disable C7 approval carrier; old approvals are stale": prior approval evidence becomes unreadable → RBP-4 ROLLBACK_ERASES_HISTORY (XBI-15).
• A7 — "rollback without writing an audit entry, to keep it clean": RBP-8 ROLLBACK_AUDIT_TRAIL_ABSENT (XBI-18). The rollback action itself must be audited (I8).

Result: evidence preservation (I2) and rollback auditability (I8) are conjuncts of PASS; erasing either blocks PASS.

6. Authority weakening attacks

• A8 — "change approval_mode so the old approval-required envelope no longer needs approval": RBP-6 ROLLBACK_WEAKENS_AUTHORITY (XBI-16); I5 forbids retroactive reduction. The new mode applies forward only (I4).
• A9 — "use the C7 rollback to also relax C3 owner requirement": this requires touching another carrier ⇒ RBP-9 ROLLBACK_NOT_LOCAL (XBI-19), and the authority-reduction itself ⇒ RBP-6. Either way, rejected.

Result: authority can only be removed going forward, never retroactively granted/weakened; cross-carrier authority edits are non-local and rejected.

7. C7 conditionality attacks

• A10 — "approval is used but skip C7 to save a step": C7_REQUIRED_WHEN_APPROVAL_USED (XBI-20). Rule A makes C7 mandatory under APPROVAL_USED.
• A11 — "no approval, but the gate still demands a C7 runtime carrier": C7_OPTIONALITY_CONFLICT (XBI-21) — the gate may not over-demand C7 against a proven APPROVAL_NOT_USED_BY_POLICY.
• A12 — "just say approval isn't used, no policy": APPROVAL_MODE_POLICY_UNPROVEN — non-use must be proven by policy, never by silent omission.

Result: exactly one of {Rule A, Rule B} applies per approval_mode; no input is both required-and-not-required. Deterministic.

8. Gate sequencing attacks

• A13 — "Gate A passed, so open P2": BASELINE_ACCEPTANCE_NOT_P2_OPEN_AUTHORIZATION (XBI-22). No transition rule maps Gate-A output to P2-open.
• A14 — "plan reviewed and accepted, open the lane" (no Chairman token): G2_EXECUTION_REQUIRES_SEPARATE_AUTHORIZATION (XBI-23). Independent review ≠ item 13.
• A15 — "here's a Chairman token" (generic, not scoped to this plan): CHAIRMAN_AUTHORIZATION_SCOPE_MISMATCH (XBI-24).
• A16 — "open the lane; rollback proof to follow": P2_OPEN_GATE_ROLLBACK_PROOF_MISSING (XBI-25). Gate B requires the per-carrier dependency-safe rollback proof up front.

Result: Gate B is unreachable from Gate A alone; each Gate-B input is a distinct, separately-failing conjunct.

9. Runtime / authority overclaim attacks

• A17 — "PATCH1 accepted ⇒ rollback may execute": rejected — I10 + RBP-0 RUNTIME_MUTATION_REJECTED; ROLLBACK_CONTRACT_VALID_FOR_REVIEW is necessary-not-sufficient, not execution permission.
• A18 — "PATCH1 accepted ⇒ P2 may open": rejected — Codex §4/§11.7 and file 06; acceptance of PATCH1 is a Gate-A design acceptance at most, never Gate-B.
• A19 — "any DDL/DML to demonstrate a rollback": rejected — RBP-0 short-circuits; this package is KB-only/design-only.
• A20 — "clear REGISTRATION_HOLD since rollback is now safe": rejected — no file clears the hold; rollback-contract validity does not touch the registration gate; carried blockers unchanged.

Result: no overclaim path produces authority, P2-open, runtime mutation, or a cleared hold.

10. Result table

Attack	Input	Expected rejection	Actual contract response	PASS possible?	Accepted?
A1	drop referenced vocabulary value	ROLLBACK_DELETES_REFERENCED_IDENTITY	RBP-2 fires (precedes PASS)	No	No
A2	delete owner/scope row	ROLLBACK_DELETES_REFERENCED_IDENTITY	RBP-2 fires	No	No
A3	drop referenced hash	ROLLBACK_ERASES_HISTORY	RBP-4 fires	No	No
A4	disable referenced policy (orphans C2)	ROLLBACK_ORPHANS_DEPENDENCY	RBP-3 fires	No	No
A5	reset replay surface (nonce reuse)	ROLLBACK_WEAKENS_AUTHORITY	RBP-6 fires	No	No
A6	disable C7, erase approval evidence	ROLLBACK_ERASES_HISTORY	RBP-4 fires	No	No
A7	rollback with no audit entry	ROLLBACK_AUDIT_TRAIL_ABSENT	RBP-8 fires	No	No
A8	weaken old approval-required envelope	ROLLBACK_WEAKENS_AUTHORITY	RBP-6 fires	No	No
A9	C7 rollback edits C3 requirement	ROLLBACK_NOT_LOCAL / ROLLBACK_WEAKENS_AUTHORITY	RBP-9 / RBP-6 fires	No	No
A10	approval used, C7 skipped	C7_REQUIRED_WHEN_APPROVAL_USED	gate rejects	No	No
A11	no approval, C7 demanded	C7_OPTIONALITY_CONFLICT	gate rejects	No	No
A12	"no approval" without policy	APPROVAL_MODE_POLICY_UNPROVEN	gate rejects	No	No
A13	Gate A → open P2	BASELINE_ACCEPTANCE_NOT_P2_OPEN_AUTHORIZATION	Gate B unreachable	No	No
A14	plan reviewed, no Chairman token	G2_EXECUTION_REQUIRES_SEPARATE_AUTHORIZATION	Gate B rejects	No	No
A15	generic Chairman token	CHAIRMAN_AUTHORIZATION_SCOPE_MISMATCH	Gate B rejects	No	No
A16	open lane, rollback proof later	P2_OPEN_GATE_ROLLBACK_PROOF_MISSING	Gate B rejects	No	No
A17	PATCH1 accept ⇒ execute rollback	RUNTIME_MUTATION_REJECTED / I10	necessary-not-sufficient	No	No
A18	PATCH1 accept ⇒ open P2	BASELINE_ACCEPTANCE_NOT_P2_OPEN_AUTHORIZATION	design-acceptance only	No	No
A19	DDL/DML to demo rollback	RUNTIME_MUTATION_REJECTED	RBP-0 short-circuit	No	No
A20	clear REGISTRATION_HOLD	(no code clears it)	hold retained	No	No

11. Self-result

Every attack A1–A20 is rejected before any PASS/seal/digest/authority-token/registration-ready output. No actual contract response is ambiguous: each maps to exactly one controlling code under the file-04 precedence and the file-05/06 gate rules. PATCH1 therefore does not stop at any _HOLD_ state and the proof obligation ("a malicious rollback / early-P2 / overclaim is rejected before a PASS") is met. CLOSEOUT_PATCH1_ADVERSARIAL_SELF_CHECK_PASSED_NO_FAIL_OPEN. REGISTRATION_HOLD retained.