KB-6A27
RS-TKT-1-PATCH1B · 06 Adversarial Preflight Probe Results
11 min read Revision 1
tool-kiem-thulegolaws-newrs-tkt-1phase1-designpatch1badversarial-preflightself-breaknon-authorizing2026-06-22
RS-TKT-1-PATCH1B · 06 — Adversarial Preflight Probe Results
Lane: RS-TKT-1 — Phase 1 TKT Base Design Package · PATCH1B (dry-run readiness preflight / proof-doc-only)
Date: 2026-06-22
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations
Authority: NON_AUTHORITY · may_gate=false · decision_effect=NONE
Closes: Codex F8 (self-validation must actively attack, not restate). This file is the self-break pass: I tried to make the design emit a PASS/digest/seal/cert/authority/registration effect from a bad input, tried to make a HOLD become PASS, tried to upgrade an aggregate with N/A, tried to confuse readiness with execution — and recorded what I had to fix before reporting.
1. Method (active attack — Codex-style)
1. I did not trust the old matrices (17/16) or PATCH1's prose; I attacked the PATCH1B catalog (02), map (04), and readiness packet (05).
2. For each mandatory adversarial fixture I asked: can this bad input still yield PASS / digest / seal / cert / aggregate-PASS / any authority/registration effect?
3. I attacked the SCHEMA itself: can a fixture carry two codes, two namespaces, two layers, two types, or a non-enum status?
4. I attacked the READINESS framing: can readiness be mistaken for execution; can Phase 2 open by itself; can a pseudo-command be run; can paths be unresolved?
5. Every probe that exposed an ambiguity was FIXED in the catalog/map/readiness file (§4) BEFORE this report. Then I re-ran. safe=NO count must be 0.
2. Mandatory adversarial probe battery (macro §4.3 — 15 probes)
| probe_id | bad_input_shape | expected rejection | canonical_fixture_id | check_status | canonical_outcome_code | actual design response | safe |
|---|---|---|---|---|---|---|---|
| PB-01 | bare PASS + exit 3 |
reject bare grant token | BAD-FC-001 | FAIL | FAIL_UNSTRUCTURED_FORBIDDEN_TOKEN |
FAIL closed; no grant; nonzero exit cannot erase token (PATCH2 01 §4 rule 5) | YES |
| PB-02 | bare SEMANTIC_TEXT_AS_CODE_PASS + exit 3 |
reject L5 overclaim token | BAD-FC-006 | FAIL | FAIL_UNSTRUCTURED_FORBIDDEN_TOKEN |
FAIL closed | YES |
| PB-03 | REGISTRATION_CAN_PROCEED = YES + exit 3 |
reject registration-open token | BAD-FC-007 | FAIL | FAIL_UNSTRUCTURED_FORBIDDEN_TOKEN |
FAIL closed | YES |
| PB-04 | cert/seal/authority-digest artifact + exit 3 | reject forbidden artifact | BAD-FC-002 | FAIL | FAIL_FORBIDDEN_AUTHORITY_ARTIFACT |
FAIL closed regardless of exit | YES |
| PB-05 | missing scan surface | HOLD, never PASS | BAD-FC-008 | HOLD | HOLD_OUTPUT_SURFACE_UNAVAILABLE |
HOLD; missing visibility ≠ pass | YES |
| PB-06 | L0 HOLD treated as PASS | aggregate must be HOLD | BAD-PROP-001 | FAIL | FAIL_HOLD_TREATED_AS_PASS |
design lint FAIL; 06 row 2 forces HOLD/BLOCKED | YES |
| PB-07 | N/A upgrades aggregate | aggregate unchanged | BAD-PROP-002 | FAIL | FAIL_NA_UPGRADES_AGGREGATE |
design lint FAIL; aggregate has no N/A value (06 §3) | YES |
| PB-08 | RS5B draft promoted generic | stays self-reported draft | BAD-RS-001 | FAIL | FAIL_RS5B_DRAFT_PROMOTED |
FAIL; no auto-promotion (PATCH2 02 §6; MCB-1) | YES |
| PB-09 | L3 brick reads another L3 brick's internals (design) | reject recombination | BAD-L3-001 | FAIL | REJECT_MEGA_SYSTEM_DRIFT |
design rejected; four bricks stay independent (05 §6) | YES |
| PB-10 | L3 cross-brick internal read (runtime) | runtime FAIL | BAD-L3-002 | FAIL | FAIL_L3_CROSS_BRICK_INTERNAL_READ |
runtime FAIL; split from PB-09 by layer | YES |
| PB-11 | raw log in vector KB | reject raw-in-vector | BAD-NVSZ-001 | FAIL | ESCROW_E5 |
FAIL closed (R0.1) | YES |
| PB-12 | invented NON_VECTOR_ROOT (escrow view) |
reject invented root | BAD-NVSZ-002 | FAIL | ESCROW_E9 |
FAIL closed; root never invented; ROOT_E4 split to Phase 3 (BAD-NVSZ-003) | YES |
| PB-13 | pseudo-CLI mistaken as executable | paper-only; not runnable | (05 §10 / 11 §2 assertion) | N/A | — (paper-only assertion) | PSEUDO_COMMAND_ONLY/NOT_EXECUTABLE banner; no binary exists |
YES |
| PB-14 | future layout mistaken as created folders | drawing only; no folder created | (09 §1 assertion) | N/A | — (paper-only assertion) | 09–15 carry NON_EXECUTABLE banners; no folder created | YES |
| PB-15a | Phase 2 opened automatically | Owner-only; never auto-open | (05 §8 / 21 assertion) | N/A | — (governance assertion) | stops at HOLD_NO_EXEC_SURFACE; GATE-2 Owner-only | YES |
| PB-15b | engineering PASS mistaken as authority PASS | effects constant NONE | (06 §4 distinction check) | N/A | — (governance assertion) | authority_effect/registration_effect = NONE on every fixture/row; aggregate advisory only | YES |
safe = NO count = 0. No bad input yields a PASS/digest/seal/cert-like output or any authority/registration effect.
Note: BAD-FC-003/005 have check_status = PASS but their outcome is SAFE_REJECT (a clean rejection), NOT a grant/artifact/seal;
effects remain NONE. PASS-of-a-safe-reject ≠ authority PASS.
3. Codex-style preflight checklist (macro §3.2 — 24 checks, each answered)
01 do not trust reports; locate governed files .................... DONE (read Codex report + PATCH1 01–07 + PATCH2 01–03 + 06/17 fresh from KB)
02 fresh-reconstruct from KB ...................................... DONE (catalog 02 rebuilt from 04/05/06/07/08 + PATCH1/PATCH2)
03 do not trust old fixture matrices .............................. DONE (17/16 superseded; 02/04 are authoritative)
04 normalize every fixture into canonical schema .................. DONE (01 §1; 46 fixtures all-fields)
05 split every multi-code fixture ................................. DONE (BAD-L3-001/002; BAD-NVSZ-002/003)
06 reject prose-only outcome codes ................................ DONE (RS_* + DESIGN_LINT registries; prose_only=0)
07 validate every status enum .................................... DONE (invalid_status_values=0; SAFE_REJECT not a status)
08 count coverage for every brick ................................ DONE (03 §1; 14/14 covered)
09 count positive/negative controls .............................. DONE (15 positive / 25 negative / 6 adversarial)
10 count mandatory contract fields ............................... DONE (280/280)
11 count traceability rows ....................................... DONE (04 §5; missing=0)
12 invalid input cannot emit PASS/digest/seal/cert ............... DONE (PB-01..PB-05; fail_closed_unresolved=0)
13 HOLD cannot become PASS ....................................... DONE (PB-06; 06 §1/§8)
14 N/A cannot upgrade aggregate .................................. DONE (PB-07; 06 §3/§5)
15 RS5B cannot be promoted without external review ............... DONE (PB-08; PATCH2 02 §6)
16 L3 bricks cannot read each other's internals .................. DONE (PB-09/PB-10; 05 §6)
17 raw logs cannot enter vector KB ............................... DONE (PB-11; ESCROW_E5)
18 NON_VECTOR_ROOT cannot be invented ............................ DONE (PB-12; ESCROW_E9 / ROOT_E4 Phase 3)
19 pseudo-command cannot be mistaken for runnable ................ DONE (PB-13; banners)
20 dry-run readiness cannot be mistaken for execution ............ DONE (PB-15a/§4 R3; 05 §1)
21 Phase 2 cannot open automatically ............................. DONE (PB-15a; GATE-2 Owner-only)
22 engineering PASS cannot become authority PASS ................. DONE (PB-15b; effects NONE)
23 REGISTRATION_HOLD remains active .............................. DONE (every file header; registration_drift=0)
24 REGISTRATION_CAN_PROCEED remains NO ........................... DONE (every file header)
4. Ambiguities found during self-break, and the fix applied (genuine self-fix, not restatement)
| id | ambiguity an attacker could exploit | where found | fix applied (before this report) |
|---|---|---|---|
| FIX-1 | "A BAD-prefixed fixture (BAD-FC-003/005) used as a POSITIVE control" could read as a mislabel / dual role |
catalog 02 §1 |
explicitly set fixture_type = POSITIVE and documented the stable-id rationale (a clean safe-rejection the brick handled IS a PASS of the fail-closed contract); note added in 02 §1 |
| FIX-2 | "Is a fixture NEGATIVE or ADVERSARIAL?" — the macro lists ADVERSARIAL as a third fixture_type, risking dual classification |
schema 01 §1.2 |
defined a disjoint, total partition 15 POSITIVE / 25 NEGATIVE / 6 ADVERSARIAL = 46, and stated the 06 probe battery is an operational view over fixtures, not a third type assignment |
| FIX-3 | dryrun_source/output_paths and permissions could be read as "unresolved (Owner gap)", making dryrun_*_unresolved nonzero |
readiness 05 §2/§3/§9 |
resolved the design decision via SAFE_DEFAULT_SELECTED (macro §0A authorizes), and drew an explicit line: resolving what is read/written ≠ granting execution-time permission, which stays the Owner Phase-2 open gate (05 §8) |
| FIX-4 | dryrun_owner_decision_gaps could be read as nonzero because Owner decisions remain |
readiness 05 §12 |
defined the count precisely as unclassified/undecidable Owner decisions = 0; the two remaining Owner/Codex items are expected gates, enumerated in 05 §8, not gaps |
| FIX-5 | BAD-L3-001 (design) vs BAD-L3-002 (runtime) could collapse back into one dual-code cell under the macro's "L3 cross-brick internal read" single bullet |
catalog 02 §7 / map 04 |
kept them as two rows, two codes, two layers, two phases; both referenced distinctly in coverage 03 and map 04 |
After FIX-1..FIX-5, re-ran the battery (§2) and the checklist (§3): safe=NO count = 0; no residual ambiguity.
These were design-doc clarifications to PATCH1B's own new files; no prior file was edited; no runtime/authority created.
5. Distinction checks (engineering vs authority; design vs runtime; readiness vs execution)
[x] engineering/design PASS ≠ authority PASS — effects constant NONE (01 §1.1 R5; 03 §5; 04 per-row).
[x] dry-run readiness ≠ dry-run execution — 05 §1; nothing executed; Owner Phase-2 open still required.
[x] construction blueprint ≠ construction — 09–15 paper-only; PATCH1B adds no code.
[x] no HOLD becomes PASS — 06 §1/§8; BAD-PROP-001 FAILs.
[x] no N/A upgrades aggregate — 06 §3/§5; BAD-PROP-002 FAILs; aggregate has no N/A value.
[x] REGISTRATION_HOLD active · CAN_PROCEED = NO — every file header.
6. Self-break verdict
15/15 mandatory probes safe = YES. 24/24 checklist items DONE. 5 ambiguities found and fixed (FIX-1..FIX-5). 0 residual.
This is an ENGINEERING/DESIGN + PROOF self-break ONLY. It is NOT a Codex PASS, authority PASS, implementation/runtime/production PASS.
It does NOT open Phase 2 and does NOT run dry-run. Independent Codex confirmation still required.
RESULT: adversarial preflight PASS (engineering/design + proof only); safe=NO count = 0.