KB-4A07

FIX7 Codex Recheck-9 — Packet V3 Rerun Handoff (2026-06-10)

Revision 1

  • Date: 2026-06-10 · For: Codex Recheck-9 V3 rerun · Author lane: T1 FIX7_RECHECK9_V3_R9_B6_BLACKBOX_CLI_ORACLE_PATCH
  • Status: FIX7_RECHECK9_V3_BLACKBOX_CLI_ORACLE_SELF_CODEX_PASS (T1 self-check; Codex seals, T1 does not)

What changed since the packet Codex rejected (V2 → V3)

R9-V2-B6 closed: negative CLI behavior is now EXECUTED, never inferred.

  • New files: blackbox_negative_suite.py + failopen_regression.py.
  • manifest_tool.py hosts a STATIC spec oracle (CLI_ORACLE) and a runpy black-box harness (run_cli); it executes the real CLI 6× at every --emit/--verify and raises ORACLE_VIOLATION fail-closed (no manifest laundering).
  • RERUN.sh is now 13 gates, including OS-process-level negative CLI checks (gate 6: bash-observed $? == 4 ×4 + markers + zero digest leak), the live black-box suite (gate 7), the live Codex-V2-attack regression (gate 8), and inferred-evidence rejection (gate 11: any cli_exit_contract in manifest.json fails).
  • adversarial_suite.py extended to 25 expectations (T2d observed CLI exit, T13 fail-open emit/verify).
  • The synthesized cli_exit_contract/exit_code_contract fields are REMOVED, replaced by cli_exit_observed/cli_exit_expected/cli_exit_matches_oracle/EXECUTED_CLI_BLACKBOX.
  • SUT (SSOT fence rev3 candidate 49c386a9…) UNCHANGED by this lane.
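The executed-versus-inferred distinction above, as an added sketch that is not the packet's manifest_tool.py: it borrows the names CLI_ORACLE, run_cli and the cli_exit_* fields from this note, but the stand-in CLIs, case names and expected codes are constructed, and it uses subprocess where the packet uses runpy. Treating exit_code_contract as banned alongside cli_exit_contract is an assumption.

```python
import subprocess
import sys

# Static spec oracle: expected exit code per case (constructed values).
CLI_ORACLE = {"missing_doc": 4, "bad_digest": 4, "valid": 0}

# Constructed stand-in CLIs (not the packet's SUT): one fails closed, one fails open.
GOOD_CLI = "import sys; sys.exit(0 if sys.argv[1] == 'valid' else 4)"
FAIL_OPEN_CLI = "import sys; sys.exit(0)"


class OracleViolation(RuntimeError):
    """Observed CLI behaviour disagrees with the static oracle."""


def run_cli(cli_source, case):
    """Execute the CLI as a real OS process and return its observed exit code."""
    proc = subprocess.run([sys.executable, "-c", cli_source, case],
                          capture_output=True, timeout=30)
    return proc.returncode


def observe(cli_source):
    """Build evidence records from executed runs; raise (fail closed) on mismatch."""
    records = []
    for case, expected in CLI_ORACLE.items():
        observed = run_cli(cli_source, case)
        records.append({"case": case, "cli_exit_observed": observed,
                        "cli_exit_expected": expected,
                        "cli_exit_matches_oracle": observed == expected,
                        "evidence": "EXECUTED_CLI_BLACKBOX"})
    bad = [r["case"] for r in records if not r["cli_exit_matches_oracle"]]
    if bad:
        raise OracleViolation("ORACLE_VIOLATION: " + ", ".join(bad))
    return records


def has_inferred_evidence(node):
    """True if a synthesized contract key appears anywhere in the manifest."""
    banned = {"cli_exit_contract", "exit_code_contract"}
    if isinstance(node, dict):
        return any(k in banned or has_inferred_evidence(v) for k, v in node.items())
    if isinstance(node, list):
        return any(has_inferred_evidence(v) for v in node)
    return False
```

No record is written unless every observed exit code matches the oracle, so a fail-open CLI cannot produce a manifest that looks valid.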

Packet root and identity

  • KB root: knowledge/dev/laws/tool-kiem-thu/packets/fix7-codex-recheck-9-2026-06-10/ — 23 root files (+10 docs fetched from canonical blueprint ids) = 33 reconstructed; 32 HASH_MANIFEST entries.
  • V3 packet tree hash: b95df0a5d2f41f80bea0cef8621c1f8bb0f6b49a40175116418494ed4141ca6d (relpath\0bytes\0 over 32 tracked files; HASH_MANIFEST excluded). Kept OUT of README by design (README is itself tracked — embedding would be circular).
  • Fresh-fetch proof already executed by T1: kb_fetch_reconstruct.py → RECONSTRUCTION: OK (32 files…); bash RERUN.sh on the reconstructed tree → exit 0, RERUN_RESULT: PASS (all 13 gates…); reconstructed tree hash identical b95df0a5….
  • Key published revisions: README rev17 · RERUN.sh rev2 (3a5321cd…) · manifest.json rev5 (ab579680…) · manifest_tool.py rev3 (ef6914af…) · adversarial_suite.py rev2 (1cd7aba5…) · blackbox_negative_suite.py rev1 (c2ebbdcb…) · failopen_regression.py rev1 (982bdb29…) · HASH_MANIFEST rev2 (79191246…) · kb_fetch_reconstruct.py rev2 · logs ×8 (4 updated/new this lane). All 14 uploads fetch-back byte-verified (sha256 equal).

What Codex should rerun

  1. Fresh-fetch reconstruct → bash RERUN.sh → expect exit 0, 13 gates, gate-6 lines OBSERVED exit 4 ×4.
  2. Replay your own V2 attack per README §3 → expect --emit exit 1 ORACLE_VIOLATION; full RERUN exit 1 at gate 6 BEFORE any PASS; suites nonzero; missing-doc CLI observed exit 0 on the mutated copy (mutation took, detected).
  3. Sample manifest tampers as before (T1-class) → verify exit 1.

Remaining blockers (authority only)

N7 (sealed approval-event inputs), N8 (Codex-authored seal), P7 (Codex re-seal over rev3 candidate 49c386a9…), owner standing do-not-approve, R9-B5 residual (no server-side digest endpoint; MCP-byte level accepted in V2 review). Duplicate-active-doc-on-disk: N/A with rationale (case-insensitive FS), adjacent equivalent executed — NOT marked PASS.

Evidence documents

Master report + 5 companion reports under knowledge/dev/laws/tool-kiem-thu/reports/fix7-recheck9-v3-*-2026-06-10.md; checkpoint checkpoints/checkpoint-fix7-recheck9-v3-r9-b6-blackbox-cli-oracle-2026-06-10.md; current-state knowledge/current-state/reports/fix7-recheck9-packet-v3-current-state-2026-06-10.md.

knowledge/dev/laws/tool-kiem-thu/checkpoints/fix7-codex-recheck-9-rerun-packet-v3-handoff-2026-06-10.md