KB-2CF0 rev 2

Implementation Package DOT v0.1 — Gap-only Scope Spec rev2 (after Codex Article-14 block, read/report-only, DESIGN ONLY, 2026-06-09)


Implementation Package DOT v0.1 — Gap-only Scope Spec (rev2)

Nature: the read/report-only scope spec for the future Implementation Package DOT v0.1 (a.k.a. Tool-Kiem-Thu v0.1), repaired after the Codex block BLOCKED_BY_AUTHORITY_OR_ARTICLE14_RISK (2026-06-09). It defines what the inspector is, what it is not, the read-only inputs it may consume, the report/JSON it may emit, its rev2 verdict model, its Article-14 evidence-adequacy chain, its evidence-class and claim-type models, its capability boundary, its failure/fail-closed rules, and the wall of prohibited overlaps. It is a gap-only spec: it specs only the read/report-only gap surface and carves out every execution-dependent capability behind future contracts. This is NOT a tool, NOT an implementation, NOT a schema, NOT a runner, NOT a law. It builds nothing and reopens no sealed decision. Date: 2026-06-09 · Supersedes: designs/implementation-package-dot-v0-1-gap-only-scope-spec-2026-06-09.md (rev1, readiness rejected by Codex). Status: GAP_ONLY_SCOPE_SPEC_v0_1_REV2_READY_FOR_CODEX. Production mutation: NO. No install, no PG/Directus/registry/filesystem mutation, no system_issues write, no tool/schema/runner created, no FIX7 resumed, no filesystem DOT invoked, no IU command invoked, no detector executed, no command run, no denominator collapsed, no Codex-sealed decision reopened, no fresh live read taken. writes_performed: the only writes are KB design documents under knowledge/dev/laws/tool-kiem-thu/ (the deliverables; sealed Domain I file-report-only). "Production mutation: NO" means no PG/Directus/registry/FS/system_issues write — it does not hide the disclosed KB design-doc writes (Codex fix 12). 
Governing authority (binding, in precedence order): (1) Codex-sealed decisions B/C/D/G/H (reviews/codex-seal-authority-matrix-bcdgh-2026-06-09.md, BCDGH_SEALED) — binding constraints, not reopened; (2) the Codex review 2026-06-09 (reviews/codex-review-gap-only-spec-fix7-pilot-mvp-readiness-2026-06-09.md) — the 12 required fixes, mirrored in reports/codex-fix-ledger-gap-only-spec-rev2-2026-06-09.md; (3) Authority Contract v0.1 (contracts/authority-contract-v0-1-2026-06-09.{md,json}) which records the sealed constraints but whose own status is READY_FOR_GPT_REVIEW: not yet ratified, not binding as a whole (Codex fix 11); (4) the baseline ledger and fresh-read closure as dated evidence only. Constitution anchors: NT14 (THỰC THI ĐƯỢC NGAY / Article 14) — a claim of an executable must answer the 6 questions and be backed by an executable that actually runs; "prose claims an executable that doesn't run" is the violation. NT13 (PG FIRST · NATIVE · DRIVEN / Article 13) — search PG first, use native features, let PG drive runtime; no parallel SSOT. NT10/NT11 — PG is truth, text is documentation; declare only what PG does not know.


0. Why rev2 exists — the Codex block in one paragraph

Codex rated rev1 BLOCKED_BY_AUTHORITY_OR_ARTICLE14_RISK. The decisive defect: rev1 equated "a referenced evidence artifact resolves" with "the executable claim is proven at read level," so READ_REPORT_PASS could be emitted while the load-bearing executable claim stayed unproven — exactly the Recheck-8 class (the declared .py canonicalizer SSOT did not exist and the exact invocation exited 2, yet documents resolved and a selftest PASS was asserted). Secondary defects: literal current counts embedded as normative inputs/outputs; a fabricated >=2 denominators invariant; literal 41/4 and 219/102 checks; exit 0 allowed for FLAG (fake-green); no-run/no-write asserted by module names rather than enforced capability; free-form claim extraction treated as complete; Authority Contract READY_FOR_GPT_REVIEW treated as binding; over-strong PROGRAM_MACRO_READY language. rev2 repairs all 12 (see the fix ledger). The read/report concept is viable after correction; the blocker was the unsupported positive verdict and the undefined claim/evidence authority inside that scope — not the no-run scope itself.

1. Final verdict (of this spec)

GAP_ONLY_SCOPE_SPEC_v0_1_REV2_READY_FOR_CODEX. This is the spec's own readiness for re-review; it is not an inspector output verdict (§4) and carries no "ready to build" meaning — MVP build stays unauthorized until Codex seals rev2.

2. What v0.1 IS / IS NOT

v0.1 IS: a read-only inspector that (a) reads a dossier's identity + declared claims from native KB surfaces; (b) for each claim, runs the Article-14 adequacy chain (§3) to a per-claim adequacy verdict; (c) reports denominators with full source provenance; (d) dual-reports IU/TAC separately; (e) reports registry↔FS reconciliation (canonical vs diagnostic, both directions); (f) emits an advisory dead-link/coverage report; (g) writes only a report triplet under the sealed KB path; (h) fails closed to FAIL/BLOCKED/UNVERIFIED on any doubt.

v0.1 IS NOT: a runner/dispatcher; a thing that can emit "ran / PASS"; a claim/evidence truth authority (it is best-effort + completeness-bounded, §7); a registry/graph/corpus/canonical-id authority; a logger or system_issues writer; a TAC↔IU bridge; a Directus mutator; a count invariant. It cannot prove command execution, selftest pass, runtime success, or hash recomputation — those require an accepted evidence artifact and the later sealed Call/Proof-of-run contract (§19).

3. The Article-14 evidence-adequacy chain (the core repair)

Every claim is evaluated through this 7-step chain. The chain exists precisely so that "a reference resolves" can never by itself prove a claim (Codex fix 2).

(1) claim                      ─ the prose assertion, extracted (best-effort, §7)
(2) claim_type                 ─ one of the 13 types (§6)
(3) required_evidence_class[]  ─ what KIND of evidence this claim type demands (§5/§6)
(4) evidence_artifact/reference ─ does something resolve read-only? (existence check)
(5) evidence_capability        ─ CAN the resolved thing prove THIS claim? right kind?
                                  bound to this claim? independent (non-self-ref)? provenanced?
(6) evidence_adequacy_verdict  ─ per-claim verdict (§4.1) from steps 3–5
(7) dossier_verdict + article14_status ─ overall (§4.3) from all claims + flags

Iron law (§3.IRON): step (4) "the reference resolves" yields only ARTIFACT_EXISTENCE_EVIDENCE. It is necessary but never sufficient. A positive per-claim verdict (EVIDENCE_SUFFICIENT_FOR_READ_LEVEL) requires step (5) to pass and is forbidden for execution-class claim types (§6). The distinction Codex demanded — "artifact exists" vs "artifact proves this claim" — is steps (4) vs (5).

Structural binding fields (per claim record): claim_id, claim_type, required_evidence_class[], evidence_ref[], evidence_kind, resolves (bool, step 4), bound_to_claim (bool — does the evidence reference this claim's subject/command/artifact identity?), identity_match (subject/command/artifact), producer, observation_ts, independence (non_self_reference bool), conflict_set[] (contradicting evidence), evidence_adequacy_verdict, notes.

4. Verdict vocabulary (rev2) — READ_REPORT_PASS removed (Codex fix 1)

4.1 Per-claim evidence_adequacy_verdict

  • EVIDENCE_SUFFICIENT_FOR_READ_LEVEL — required evidence class present, right kind, bound to this claim, independent (not self-referential), provenanced. Available ONLY for non-execution claim types (§6). Never means proof-of-run.
  • EVIDENCE_INSUFFICIENT — required class absent, wrong kind, unbound, self-referential, or (execution claims) intrinsically unverifiable at read level with no structural evidence. (This is the Recheck-8 catch.)
  • EVIDENCE_CONFLICTING — ≥2 evidence artifacts contradict (e.g. exit 0 vs exit 2; prose PASS vs a log showing FAIL).
  • BLOCKED_BY_NO_CALL_CONTRACT — the claim's proof requires execution/run-binding that only the (unsealed) Call Contract can supply.
  • BLOCKED_BY_UNVERIFIED_SOURCE — the only evidence sits on a stale / unverifiable / out-of-scope surface (e.g. actual_count external-sync artifact, a local checkout, /opt/incomex/scripts).

4.2 Dossier-level FLAGS (raised in parallel; each forces FAIL)

  • FLAG_PROSE_ONLY_PASS — a success claim with no resolvable+capable evidence artifact.
  • FLAG_HARDCODED_DENOMINATOR — a count printed without a source-bound denominator record (§8), or a single collapsed canonical DOT number.
  • FLAG_AUTHORITY_VIOLATION — a sealed boundary breached in the dossier under inspection (e.g. TAC/IU chosen/merged; a review-ready contract treated as binding; a new resolver/registry asserted).

4.3 article14_status (mandatory field, separate from verdict)

  • ARTICLE14_NOT_APPLICABLE_NO_EXECUTABLE_CLAIMS — the dossier contains no execution-class claim.
  • ARTICLE14_NOT_PROVEN_EXECUTION_UNVERIFIED — the dossier contains ≥1 execution-class claim. Forced whenever any execution claim exists, regardless of how much evidence resolves. v0.1 can never clear it; only the sealed Call/Proof-of-run contract can.

4.4 Final dossier verdict (the only four)

  • READ_LEVEL_ACCEPTABLE — requires all of: article14_status == ARTICLE14_NOT_APPLICABLE_NO_EXECUTABLE_CLAIMS; every in-scope claim EVIDENCE_SUFFICIENT_FOR_READ_LEVEL; zero FLAG_*; claim_inventory_completeness != UNVERIFIED; zero high-risk UNPARSED_REGION. Never means proof-of-run.
  • READ_LEVEL_FAIL — any claim EVIDENCE_INSUFFICIENT / EVIDENCE_CONFLICTING, or any FLAG_* raised.
  • BLOCKED — cannot inspect (missing identity / blueprint_ref / revision), or a structural prohibition hit (denominator collapse, TAC/IU join, an attempted call/mutation in the dossier under inspection), or a capability CONTRACT_VIOLATION.
  • UNVERIFIED — structurally honest but unverifiable at read level: article14_status == ARTICLE14_NOT_PROVEN_EXECUTION_UNVERIFIED with structural evidence present-and-bound but unvalidatable; or claim_inventory_completeness == UNVERIFIED; or evidence rests on BLOCKED_BY_UNVERIFIED_SOURCE. UNVERIFIED is NOT green.

4.5 Deterministic precedence

BLOCKED > READ_LEVEL_FAIL > UNVERIFIED > READ_LEVEL_ACCEPTABLE. Evaluate top-down; first match wins. Consequence: the Recheck-8 case (execution claim, no/insufficient/contradictory evidence) ⇒ READ_LEVEL_FAIL + ARTICLE14_NOT_PROVEN_EXECUTION_UNVERIFIED. The honest case (execution claim, structurally-present bound independent evidence, but un-runnable at read level) ⇒ UNVERIFIED + ARTICLE14_NOT_PROVEN_EXECUTION_UNVERIFIED. Neither is ever READ_LEVEL_ACCEPTABLE.

4.6 What was removed

READ_REPORT_PASS, READ_REPORT_FLAG, READ_REPORT_BLOCKED, EVIDENCE_PRESENT (as a positive), and NOT_APPLICABLE (folded into article14 N/A) are deleted as v0.1 outputs. The deprecated names must not appear in any rev2 module, JSON, gate, or test.
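
The §3 chain, the §4 vocabulary, the §4.5 precedence and the §11 exit map, written out as one small Python model. This is an added example, not the spec's or the project's code: the dataclass shapes, the REQUIRED_CLASSES subset of the §6 matrix and the four sample dossiers are assumptions of this example; the enum strings and the claim-record field names are the spec's. The sample dossiers reproduce the Recheck-8 case (prose PASS, self-referential log), the honest execution case (bound ledger and exit record that still cannot be run), a conflicting pair, and the only shape that can reach READ_LEVEL_ACCEPTABLE.

```python
"""Added example (not the spec's code): a toy model of the §3 adequacy chain,
the §4 verdict vocabulary, the §4.5 precedence and the §11 exit map.
Dataclass shapes and the sample dossiers are assumptions of this example;
the enum strings and field names are the spec's."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EXECUTION_CLASS_TYPES = {1, 2, 3, 4, 5, 6, 11}          # §6: these can never be SUFFICIENT
# Subset of the §6 matrix: required evidence classes per claim type.
# None = no evidence class can satisfy the type (type 13, prose PASS).
REQUIRED_CLASSES: Dict[int, Optional[set]] = {
    1: {"ARTIFACT_IDENTITY_EVIDENCE", "ARTIFACT_EXISTENCE_EVIDENCE"},
    2: {"RUN_LEDGER_EVIDENCE", "EXIT_CODE_EVIDENCE"},
    3: {"LOG_EVIDENCE", "EXIT_CODE_EVIDENCE"},
    5: {"EXIT_CODE_EVIDENCE"},
    7: {"AUTHORITY_CONTRACT_EVIDENCE", "ARTIFACT_IDENTITY_EVIDENCE"},
    13: None,
}
A14_NA = "ARTICLE14_NOT_APPLICABLE_NO_EXECUTABLE_CLAIMS"
A14_NOT_PROVEN = "ARTICLE14_NOT_PROVEN_EXECUTION_UNVERIFIED"
EXIT_CODE = {"READ_LEVEL_ACCEPTABLE": 0, "READ_LEVEL_FAIL": 1, "BLOCKED": 2, "UNVERIFIED": 2}

@dataclass
class Evidence:
    evidence_kind: str                      # a §5 class name
    resolves: bool                          # step 4: the reference resolves read-only
    bound_to_claim: bool = True             # step 5: names this claim's subject/command/artifact
    independent: bool = True                # step 5: not the dossier's own prose
    provenanced: bool = True                # step 5: producer + observation_ts present
    unverified_source: bool = False         # sits on a stale / out-of-scope surface
    asserts_success: Optional[bool] = None  # what the artifact records, for conflict detection

@dataclass
class Claim:
    claim_id: str
    claim_type: Optional[int]               # None = the extractor could not classify it
    is_success_claim: bool = False
    evidence: List[Evidence] = field(default_factory=list)

def effective_type(claim: Claim) -> int:
    """§6 fail-closed rule: an uncertain or unknown type gets the execution-class ceiling."""
    return claim.claim_type if claim.claim_type in REQUIRED_CLASSES else 2

def capable_evidence(claim: Claim) -> List[Evidence]:
    """Step 5: evidence that resolves AND is the right shape to speak for this claim."""
    return [e for e in claim.evidence if e.resolves and e.bound_to_claim
            and e.independent and e.provenanced and not e.unverified_source]

def adequacy_verdict(claim: Claim) -> str:
    """Steps 3-6 for one claim, in the §4.1 vocabulary."""
    ctype = effective_type(claim)
    required = REQUIRED_CLASSES[ctype]
    if required is None:
        return "EVIDENCE_INSUFFICIENT"
    capable = capable_evidence(claim)
    if not capable and any(e.resolves and e.unverified_source for e in claim.evidence):
        return "BLOCKED_BY_UNVERIFIED_SOURCE"
    recorded = {e.asserts_success for e in capable if e.asserts_success is not None}
    if len(recorded) > 1:
        return "EVIDENCE_CONFLICTING"
    if not required <= {e.evidence_kind for e in capable}:
        return "EVIDENCE_INSUFFICIENT"          # resolves-but-wrong-kind lands here too (F10)
    if ctype in EXECUTION_CLASS_TYPES:
        return "BLOCKED_BY_NO_CALL_CONTRACT"    # structurally present, still unprovable at read level
    return "EVIDENCE_SUFFICIENT_FOR_READ_LEVEL"

def inspect_dossier(claims: List[Claim], claim_inventory_completeness: str = "UNVERIFIED",
                    high_risk_unparsed_regions: int = 0, structural_prohibition_hit: bool = False) -> dict:
    """Step 7: dossier verdict under the §4.5 precedence BLOCKED > FAIL > UNVERIFIED > ACCEPTABLE."""
    per_claim = {c.claim_id: adequacy_verdict(c) for c in claims}
    flags = [f"FLAG_PROSE_ONLY_PASS:{c.claim_id}" for c in claims
             if c.is_success_claim and not capable_evidence(c)]
    article14 = A14_NOT_PROVEN if any(effective_type(c) in EXECUTION_CLASS_TYPES for c in claims) else A14_NA
    if high_risk_unparsed_regions:
        claim_inventory_completeness = "UNVERIFIED"          # §7
    if structural_prohibition_hit:
        verdict = "BLOCKED"
    elif flags or any(v in ("EVIDENCE_INSUFFICIENT", "EVIDENCE_CONFLICTING") for v in per_claim.values()):
        verdict = "READ_LEVEL_FAIL"
    elif (article14 == A14_NOT_PROVEN or claim_inventory_completeness == "UNVERIFIED"
          or "BLOCKED_BY_UNVERIFIED_SOURCE" in per_claim.values()):
        verdict = "UNVERIFIED"
    else:
        verdict = "READ_LEVEL_ACCEPTABLE"
    return {"final_verdict": verdict, "article14_status": article14, "claims": per_claim,
            "flags": flags, "exit_code": EXIT_CODE[verdict]}       # §11: only ACCEPTABLE maps to 0

# Constructed sample dossiers (not real inspection data).
def recheck8_dossier() -> dict:
    """Selftest PASS asserted in prose; the only 'log' is the dossier itself."""
    return inspect_dossier([Claim("C1", 3, is_success_claim=True,
                                  evidence=[Evidence("LOG_EVIDENCE", resolves=True, independent=False)])])

def honest_run_dossier() -> dict:
    """Command-ran claim with a bound, independent ledger + exit record: unverifiable, not green."""
    return inspect_dossier([Claim("C2", 2, evidence=[
        Evidence("RUN_LEDGER_EVIDENCE", resolves=True, asserts_success=True),
        Evidence("EXIT_CODE_EVIDENCE", resolves=True, asserts_success=True)])])

def conflicting_dossier() -> dict:
    """Exit record says 0, an independent log says FAIL."""
    return inspect_dossier([Claim("C3", 5, evidence=[
        Evidence("EXIT_CODE_EVIDENCE", resolves=True, asserts_success=True),
        Evidence("LOG_EVIDENCE", resolves=True, asserts_success=False)])])

def acceptable_dossier() -> dict:
    """Non-execution claim, fully backed, under a governed claim contract (hypothetical today)."""
    return inspect_dossier([Claim("C4", 7, evidence=[
        Evidence("AUTHORITY_CONTRACT_EVIDENCE", resolves=True),
        Evidence("ARTIFACT_IDENTITY_EVIDENCE", resolves=True)])],
        claim_inventory_completeness="COMPLETE_BY_GOVERNED_CONTRACT")
```

Two properties of this shape are the point of the section: the per-claim verdict can only be lowered by misclassification (an unknown type becomes execution-class and therefore can never be SUFFICIENT), and the dossier verdict is computed top-down so that the Recheck-8 dossier exits 1 while the honest but unrunnable dossier exits 2; neither path reaches exit 0.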

5. Evidence class model (Codex fix 2 · 12 classes)

For each class: proves / cannot prove / required fields / allowed source / failure mode if absent / v0.1 may assess?

Class | Can prove | Cannot prove | Required fields | Allowed source | Failure if absent | v0.1 assesses?
--- | --- | --- | --- | --- | --- | ---
CLAIM_DECLARATION | a claim was made | the claim is true | claim_id, text, source_doc+revision, region | dossier prose | nothing to inspect ⇒ article14 N/A | YES (best-effort)
ARTIFACT_IDENTITY_EVIDENCE | which artifact a claim names | that it exists/runs | artifact_ref, identity_key(path/id), content_hash? | dossier + named surface | claim unbindable ⇒ INSUFFICIENT | YES (identity only)
ARTIFACT_EXISTENCE_EVIDENCE | the artifact resolves as an object | it runs / passes | surface, resolves(bool), observation_ts, match_key | read surfaces only | EVIDENCE_ABSENT ⇒ the Recheck-8 catch | YES
LOG_EVIDENCE | a log artifact exists + what it records | the log reflects a real/current/reproducible run | log_ref, producer, observation_ts, bound_claim_id | KB doc / referenced artifact | run/selftest claim unprovable | presence+kind+binding only; caps at NOT_PROVEN
EXIT_CODE_EVIDENCE | an exit-code record exists | it is from a real current run | exit_code, command_identity, producer, ts | run ledger / referenced record | exit-code claim unprovable | presence+kind+binding; caps at NOT_PROVEN
HASH_EVIDENCE | a hash value is recorded | it matches a freshly recomputed artifact (v0.1 never recomputes) | hash_value, algorithm, subject_identity, producer | referenced artifact | hash_match claim unprovable | presence+kind+binding; caps at NOT_PROVEN
RUN_LEDGER_EVIDENCE | a run was recorded in a ledger | it corresponds to the claim's current artifact/version, or is reproducible | run_id, command_identity, exit, ts, producer | dot_iu_command_run (read-only) | command_run claim unbacked | presence+kind+binding; version-binding is the gap ⇒ NOT_PROVEN
SOURCE_SURFACE_EVIDENCE | the surface+query+timestamp of a fact/count | the count is an invariant | surface, query/view/report_path, observation_ts, match_key, population, confidence | PG views/tables/reports | bare count ⇒ FLAG_HARDCODED_DENOMINATOR | YES
AUTHORITY_CONTRACT_EVIDENCE | a decision's recorded status | more than its recorded status (review-ready ≠ binding) | contract_ref, status_string, seal_authority, date | contracts/ + reviews/ docs | authority claim unbacked ⇒ FLAG_AUTHORITY_VIOLATION if over-claimed | YES (status only; never upgrade)
DENOMINATOR_SOURCE_EVIDENCE | a denominator's definition+source+value+staleness | that it equals another denominator (no collapse) | full record per §8 | named surfaces + baseline ledger | count is hardcode ⇒ FLAG | YES
CORPUS_DUAL_REPORT_EVIDENCE | both corpora separately, with independent provenance | any bridge / canonical choice (0 joining views) | per_corpus{surface,count,observation_ts}, joined:false | information_unit / tac_logical_unit (never joined) | if joined ⇒ FLAG_AUTHORITY_VIOLATION/BLOCKED | dual-report only
NEGATIVE_TEST_EVIDENCE | a prohibited action is structurally impossible | correctness of allowed behavior | capability_probe, expected_refusal, actual | static+runtime guard harness (future build) | no-run/no-write boundary unproven ⇒ MVP not acceptable | design-level now; structural at build

6. Claim type matrix (Codex fix 2 · 13 types)

For each: required evidence classes · allowed v0.1 verdict · forbidden verdict · result if only prose/reference exists · FIX7 pilot behavior. "Execution-class" = types 1–6 and 11 (any claim implying something ran/exists-as-runnable/was-written-by-running); these force ARTICLE14_NOT_PROVEN_EXECUTION_UNVERIFIED. Fail-closed classification rule: any claim whose type is uncertain, multi-matched, or sits in a region the extractor could not fully parse is classified execution-class by default (the stricter Article-14 ceiling), never the laxer non-execution path. A misclassification can therefore only lower a verdict (toward FAIL/UNVERIFIED), never raise one to READ_LEVEL_ACCEPTABLE. This closes the "misclassify an execution claim as non-execution to reach green" hole.

# | Claim type | Required evidence class(es) | Allowed v0.1 verdict (max) | Forbidden verdict | Only prose/reference exists ⇒ | FIX7 pilot
--- | --- | --- | --- | --- | --- | ---
1 | executable exists | IDENTITY + EXISTENCE | UNVERIFIED (if EXISTENCE resolves) / INSUFFICIENT | SUFFICIENT, ACCEPTABLE, "ran" | EVIDENCE_INSUFFICIENT + FLAG_PROSE_ONLY_PASS | flag
2 | command ran | RUN_LEDGER + EXIT_CODE | UNVERIFIED / BLOCKED_BY_NO_CALL_CONTRACT | SUFFICIENT, "ran" | EVIDENCE_INSUFFICIENT | flag
3 | selftest PASS | LOG + EXIT_CODE (+ RUN_LEDGER) | UNVERIFIED / INSUFFICIENT | SUFFICIENT, "PASS" | EVIDENCE_INSUFFICIENT | flag (Recheck-8)
4 | hash computed/matches | HASH + IDENTITY | UNVERIFIED / INSUFFICIENT | SUFFICIENT, "matches" | EVIDENCE_INSUFFICIENT (never recompute) | flag
5 | exit code was 0 | EXIT_CODE (+ RUN_LEDGER) | UNVERIFIED / INSUFFICIENT | SUFFICIENT, "exit 0" | EVIDENCE_INSUFFICIENT | flag
6 | canonicalizer SSOT exists | IDENTITY + EXISTENCE (+ LOG/EXIT for selftest) | UNVERIFIED / INSUFFICIENT | SUFFICIENT, "runs" | EVIDENCE_INSUFFICIENT | flag (Recheck-8)
7 | artifact is canonical | AUTHORITY_CONTRACT + IDENTITY | SUFFICIENT iff a sealed authority names it canonical; else INSUFFICIENT | choosing canonical itself | EVIDENCE_INSUFFICIENT | flag if unsealed
8 | denominator count is X | DENOMINATOR_SOURCE | SUFFICIENT as dated provenance only (count never a gate) | treating X as invariant / collapsing | FLAG_HARDCODED_DENOMINATOR ⇒ FAIL | flag bare count
9 | TAC/IU authority chosen | CORPUS_DUAL_REPORT | — (choice is prohibited) | any choice/merge | FLAG_AUTHORITY_VIOLATION ⇒ BLOCKED | block
10 | Directus 100% DOT-controlled | AUTHORITY_CONTRACT (+ deferred DOT-control proof) | UNVERIFIED (PARTIAL_EVIDENCE_ONLY) | ACCEPTABLE, "100%" | EVIDENCE_INSUFFICIENT | flag
11 | system_issues written | RUN_LEDGER/LOG of the write | BLOCKED_BY_NO_CALL_CONTRACT (write contract deferred) | "wrote" | EVIDENCE_INSUFFICIENT | flag
12 | graph/orphan resolver sufficient | existing Đ19/Đ23/Đ39 coverage proof | UNVERIFIED (advisory) | resolver completeness / canonical-id coverage | UNVERIFIED (coverage advisory) | mark advisory
13 | prose PASS / design PASS | — (no evidence class can satisfy) | | any positive | FLAG_PROSE_ONLY_PASS ⇒ FAIL (never re-assert) | flag

7. Claim extractor — authority limitation (Codex fix 3)

  • Claim extraction is best-effort inventory only. The extractor is not an authority that "found all claims."
  • The extractor emits UNPARSED_REGION[] for every prose region it could not parse into a structured claim, each tagged risk ∈ {high, medium, low} (high = regions mentioning executables/selftest/hash/exit/canonical/wrote).
  • It emits claim_inventory_completeness ∈ {COMPLETE_BY_GOVERNED_CONTRACT, UNVERIFIED}. COMPLETE_BY_GOVERNED_CONTRACT is only possible if a governed claim-declaration/binding contract backs the dossier — none exists today, so the normal value is UNVERIFIED.
  • A high-risk UNPARSED_REGION ⇒ claim_inventory_completeness = UNVERIFIED ⇒ READ_LEVEL_ACCEPTABLE is unavailable and manual_review_required = true.
  • Free-form prose extraction is advisory; it can lower a verdict (find a problem) but can never raise one to ACCEPTABLE on its own.

8. Denominator source-record model (Codex fixes 5, 6, 7)

  • No literal count is normative. Every count is dated evidence carried in a denominator_source_record: { surface_name, query_or_view_or_report_path, observation_timestamp, denominator_definition, observed_value, stale_or_unverified_marker, confidence, match_key, population, no_collapse_rule }. observed_value is data, never a comparator/gate.
  • No-collapse rule (replaces >=2): enumerate all denominators relevant to the inspected claims/surfaces; prove none was collapsed into a single canonical DOT number; prove each is fully provenanced. No numeric minimum, no fixed maximum. One relevant denominator is valid; eight is valid. If the relevant set is undeterminable ⇒ UNVERIFIED (never a guessed minimum).
  • A single collapsed canonical DOT number anywhere ⇒ FLAG_HARDCODED_DENOMINATOR ⇒ READ_LEVEL_FAIL (or BLOCKED if it would drive a decision).
  • The seven historically-observed denominators (309 / 214 / 186 / 163 / 54 / 128·36 / 219·102) and diagnostics (41 vs 4, etc.) appear in this spec only as dated examples (as_of 2026-06-09, is_dated_example:true) to illustrate distinctness — they are not acceptance values and must not be reproduced as expected outputs anywhere. actual_count external-sync artifacts and local checkouts are BLOCKED_BY_UNVERIFIED_SOURCE, never denominators.
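
The §8 record model and the no-collapse rule as a checker over a report's counts. This is an added example, not the spec's or the project's code: the record_id field, the printed_counts shape (a label plus the record ids it cites) and every value in the sample ledger are constructed for this example; the ten record field names are the spec's. The checker never compares observed_value against an expected number; it only checks that each count is source-bound and that no single number stands for more than one denominator_definition.

```python
"""Added example (not the spec's code): checking a report's counts against §8.
Every count must cite a fully-provenanced denominator_source_record, and no
printed number may fold several denominators into one 'canonical DOT number'.
record_id, the printed_counts shape and all values are constructed assumptions;
the record field names are the spec's."""
from typing import Dict, List, Optional

REQUIRED_FIELDS = ("surface_name", "query_or_view_or_report_path", "observation_timestamp",
                   "denominator_definition", "observed_value", "stale_or_unverified_marker",
                   "confidence", "match_key", "population", "no_collapse_rule")

def record_defects(rec: Dict) -> List[str]:
    """Names of required fields that are missing or empty. observed_value is data only:
    nothing in this module ever compares it with an expected number."""
    return [f for f in REQUIRED_FIELDS if f not in rec or rec[f] in (None, "")]

def check_denominator_ledger(records: List[Dict], printed_counts: List[Dict],
                             relevant_set_known: bool = True) -> Dict:
    """Return the flags raised and the verdict they force (None, READ_LEVEL_FAIL, BLOCKED, UNVERIFIED)."""
    flags: List[str] = []
    by_id = {r["record_id"]: r for r in records}
    for r in records:
        defects = record_defects(r)
        if defects:
            flags.append(f"FLAG_HARDCODED_DENOMINATOR: record {r['record_id']} lacks {', '.join(defects)}")
    collapsed = False
    for pc in printed_counts:
        refs = pc.get("record_refs") or []
        if not refs or any(ref not in by_id for ref in refs):
            flags.append(f"FLAG_HARDCODED_DENOMINATOR: count '{pc['label']}' is not source-bound")
            continue
        definitions = {by_id[ref]["denominator_definition"] for ref in refs}
        if len(definitions) > 1:                      # one number standing for several denominators
            flags.append(f"FLAG_HARDCODED_DENOMINATOR: count '{pc['label']}' collapses {sorted(definitions)}")
            collapsed = True
    forces: Optional[str] = None
    if collapsed:
        forces = "BLOCKED"                            # §8: a collapsed number would drive a decision
    elif flags:
        forces = "READ_LEVEL_FAIL"
    elif not relevant_set_known:
        forces = "UNVERIFIED"                         # the relevant denominator set is undeterminable
    return {"flags": flags, "forces": forces}

def make_record(record_id, surface, path, definition, value, match_key, population, **overrides):
    """Build one denominator_source_record; values are constructed, is_dated_example marks that."""
    rec = {"record_id": record_id, "surface_name": surface, "query_or_view_or_report_path": path,
           "observation_timestamp": "2026-06-09T00:00:00Z", "denominator_definition": definition,
           "observed_value": value, "stale_or_unverified_marker": "fresh", "confidence": "high",
           "match_key": match_key, "population": population, "no_collapse_rule": "report-separately",
           "is_dated_example": True}
    rec.update(overrides)
    return rec

# Constructed sample ledger: two distinct denominators plus one under-provenanced record.
SAMPLE_RECORDS = [
    make_record("D1", "dot_tools", "dot_tools", "registry rows", 123, "code", "registered"),
    make_record("D2", "wf_fs_dot_bin_snapshot", "wf_fs_dot_bin_snapshot", "fs snapshot rows", 118, "code", "on-disk"),
    make_record("D3", "information_unit", "information_unit", "IU rows", 45, "id", "corpus",
                observation_timestamp=""),                # missing timestamp: not provenanced
]
GOOD_COUNTS = [{"label": "registry rows", "record_refs": ["D1"]},
               {"label": "fs snapshot rows", "record_refs": ["D2"]}]
BAD_COUNTS = GOOD_COUNTS + [
    {"label": "total DOTs", "record_refs": []},                        # bare count
    {"label": "canonical DOT number", "record_refs": ["D1", "D2"]},    # collapse of two denominators
]
```

Note what the no-collapse rule does not do: it sets no minimum or maximum on how many records exist, so a ledger with a single fully-provenanced denominator passes, and a ledger whose relevant set cannot be enumerated forces UNVERIFIED rather than a guessed threshold.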

9. Allowed read-only input surfaces — PG-first, governed (Codex fix 5 · Article 13)

The inspector consumes existing PG/native read surfaces; it creates no alternate source of truth. The set of surfaces, claim kinds, and rules is not a frozen file policy: it is consumed from governed sources at runtime (the Authority Contract denominator records + live PG catalog / pg_catalog + the sealed Domain tables) or the relevant coverage is explicitly marked UNVERIFIED (§16). Each surface entry carries source_metadata pointing to a native table/view/report/contract — never a file-only surrogate.

Surfaces (named, read-only; counts here are dated examples only): dossier identity = KB document_id+path+revision; registry listing = dot_tools/meta_catalog CAT-006; canonical reconciliation = v_dot_reconciliation_reliability over wf_fs_dot_bin_snapshot (code-key); name-keyed diagnostic = v_dot_registry_no_file / v_dot_fs_reconciliation (separate, dated, never overrides canonical); FS presence = wf_fs_dot_bin_snapshot; command layer = dot_iu_command_catalog / dot_iu_command_run / dot_iu_runtime_lease (read-only report only); graph/impact = universal_edges / v_kg_edges_all / entity_dependencies; orphan = wf_orphan_digest_v2 / wf_orphan_remediation_queue / v_birth_orphan / v_workflow_orphan_v2; duplicate = v_birth_duplicate_issue_guard / v_rp_dedup_signature_gap / v_system_issue_semantic_duplicate_dashboard / v_system_issue_idempotency_guard; context pack = v_context_pack_latest / context_pack_manifest / Đ43 rendered surfaces; corpora = information_unit + tac_logical_unit (dual-report only, never joined); flows = directus_flows (observe only); issue sink = system_issues (read-only; the write sink fn_tac_log_checker_issue is named but never written in v0.1). Detector functions (e.g. fn_dot_wf_orphan_detector(_v2)) are never executed — presence of a view/function does not authorize running it (sealed Domain G).

10. Output contract (Codex fix 12)

Output surface: a report triplet under knowledge/dev/laws/tool-kiem-thu/reports/<name>.md, reports/<name>.json, checkpoints/checkpoint-<name>.md. Nothing else is written.

report.md sections (in order): header → final verdict + article14_status → dossier identity (document_id+revision+blueprint_ref) → claim/evidence inventory (per-claim adequacy chain table) → UNPARSED_REGION[] + claim_inventory_completeness → declared-artifact existence report → denominator ledger (every count with its full denominator_source_record) → dual-corpus note (IU/TAC separate, joined:false) → reconciliation report (canonical + diagnostic, both directions) → advisory dead-link/coverage (coverage=ADVISORY_UNVERIFIED) → unverified/stale → deferred carve-outs (the run-half + Call Contract) → writes_performed[] → cross-references.

report.json required keys: verdict_model (the §4 enums), final_verdict, article14_status, dossier_identity, claims[] (each = the §3 binding fields + evidence_adequacy_verdict), unparsed_regions[], claim_inventory_completeness, denominator_source_records[], dual_corpus{joined:false,...}, reconciliation{canonical{...},diagnostic{...},both_direction:true}, dead_link_coverage:"ADVISORY_UNVERIFIED", flags[], deferred_carveouts[], exit_code, writes_performed[] (exact KB paths written — the only writes), production_mutation:false (= no PG/Directus/registry/FS/system_issues write).

11. Exit / fake-green semantics (Codex fix 8 · design-only, no CLI built)

  • 0 — read completed and final_verdict == READ_LEVEL_ACCEPTABLE (and article14_status N/A).
  • 1 — read completed but final_verdict == READ_LEVEL_FAIL or any FLAG_* present.
  • 2 — BLOCKED or UNVERIFIED (could not establish acceptability / blocked / unverified inputs).
  • 3 — CONTRACT_VIOLATION / a prohibited action was attempted (capability breach).
  • 4 — internal error.

Rule: FLAG / FAIL / BLOCKED / UNVERIFIED can never map to exit 0. There is no exit code that is "green but flagged." Since no CLI is built, this is design-only — but the spec must not permit fake-green, and the build gate + acceptance invariant enforce it.

12. Structural no-run / no-write capability model (Codex fix 9)

  • allowed_actions enum: READ_ONLY_QUERY, READ_FILE, WRITE_REPORT.
  • prohibited_actions enum: EXECUTE_COMMAND, INVOKE_DOT, MUTATE_PG, MUTATE_DIRECTUS, MUTATE_REGISTRY, WRITE_SYSTEM_ISSUES, CREATE_RESOLVER.
  • Every module declares allowed_actions[]. Any prohibited action appearing in a module's plan = CONTRACT_VIOLATION (the build is rejected; at runtime ⇒ exit 3).
  • Enforcement is structural, not by module name: the future build must include (a) a STATIC guard — capability/dependency lint that fails the build if any module imports a subprocess/shell/socket capability, a PG write driver, or a Directus write SDK, or writes outside the approved KB path allowlist; and (b) a RUNTIME guard — the inspector runs under a read-only PG role (context_pack_readonly) inside a read-only transaction, holds no Directus write credential, has no shell/subprocess capability, and its report writer is restricted to the approved KB path allowlist. (Article 13: the read-only role drives the boundary; it is PG-enforced, not asserted in prose.)
  • Negative capability tests (§ acceptance #14–#17) attempt each prohibited action and must observe a structural refusal. MVP acceptance is gated on the static+runtime guards existing and the negative tests passing.
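
The STATIC half of the §12 guard, as an `ast`-based lint over a module's source. This is an added example, not the spec's or the project's code: the two enums and the KB report path allowlist come from §12 and §10, the stdlib module names (subprocess, pty, socket, os.system, os.popen) are real, and the PG-write-driver and Directus-write-SDK entries are placeholder names standing in for whatever the future build would pin. Both sample modules are constructed. A module is rejected if it imports a prohibited capability, calls a shell primitive, opens a path for writing that is not a string literal under the allowlist (a dynamic path cannot be proven safe, so it fails closed), omits its ALLOWED_ACTIONS declaration, or declares a prohibited_action.

```python
"""Added example (not the spec's code): the §12 STATIC guard as a Python ast lint.
It rejects a module that imports a shell/subprocess or socket capability, that
declares a prohibited_action, or that opens a file for writing outside the KB
report allowlist. Stdlib module names are real; the PG/Directus driver names
and both sample modules are constructed placeholders for this example."""
import ast
from typing import List, Set

ALLOWED_ACTIONS_ENUM = {"READ_ONLY_QUERY", "READ_FILE", "WRITE_REPORT"}
PROHIBITED_ACTIONS_ENUM = {"EXECUTE_COMMAND", "INVOKE_DOT", "MUTATE_PG", "MUTATE_DIRECTUS",
                           "MUTATE_REGISTRY", "WRITE_SYSTEM_ISSUES", "CREATE_RESOLVER"}
# Import denylist. Dotted keys catch `from os import system`; a bare `import os` is allowed.
PROHIBITED_IMPORTS = {
    "subprocess": "shell/subprocess", "pty": "shell/subprocess", "os.system": "shell/subprocess",
    "os.popen": "shell/subprocess", "asyncio.subprocess": "shell/subprocess", "socket": "socket",
    "pg_write_driver_placeholder": "PG write driver",        # placeholder name (assumption)
    "directus_write_sdk_placeholder": "Directus write SDK",  # placeholder name (assumption)
}
SHELL_CALLS = {("os", "system"), ("os", "popen"), ("os", "execv"), ("os", "execvp"), ("os", "spawnl")}
REPORT_PATH_ALLOWLIST = ("knowledge/dev/laws/tool-kiem-thu/reports/",
                         "knowledge/dev/laws/tool-kiem-thu/checkpoints/")

def _imported_names(node: ast.AST) -> List[str]:
    if isinstance(node, ast.Import):
        return [a.name for a in node.names]
    if isinstance(node, ast.ImportFrom) and node.module:
        return [node.module] + [f"{node.module}.{a.name}" for a in node.names]
    return []

def _open_mode(call: ast.Call) -> str:
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            return str(kw.value.value)
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        return str(call.args[1].value)
    return "r"

def _declared_actions(node: ast.Assign) -> Set[str]:
    if isinstance(node.value, (ast.List, ast.Tuple, ast.Set)):
        return {e.value for e in node.value.elts if isinstance(e, ast.Constant)}
    return set()

def lint_module(source: str, name: str = "<module>") -> List[str]:
    """Return the CONTRACT_VIOLATION findings for one module; an empty list means the build may proceed."""
    violations: List[str] = []
    declared = None
    for node in ast.walk(ast.parse(source)):
        for imported in _imported_names(node):
            for mod, capability in PROHIBITED_IMPORTS.items():
                if imported == mod or imported.startswith(mod + "."):
                    violations.append(f"CONTRACT_VIOLATION: {name} imports {imported} ({capability})")
        if isinstance(node, ast.Call):
            fn = node.func
            if (isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name)
                    and (fn.value.id, fn.attr) in SHELL_CALLS):
                violations.append(f"CONTRACT_VIOLATION: {name} calls {fn.value.id}.{fn.attr} (shell)")
            if isinstance(fn, ast.Name) and fn.id == "open" and set(_open_mode(node)) & set("wax+"):
                target = node.args[0].value if node.args and isinstance(node.args[0], ast.Constant) else None
                # Fail closed: a non-literal path cannot be proven to stay inside the allowlist.
                if not (isinstance(target, str) and target.startswith(REPORT_PATH_ALLOWLIST)):
                    violations.append(f"CONTRACT_VIOLATION: {name} writes outside the KB report allowlist ({target!r})")
        if isinstance(node, ast.Assign) and any(isinstance(t, ast.Name) and t.id == "ALLOWED_ACTIONS"
                                                for t in node.targets):
            declared = _declared_actions(node)
    if declared is None:
        violations.append(f"CONTRACT_VIOLATION: {name} declares no ALLOWED_ACTIONS")
    else:
        for action in sorted(declared - ALLOWED_ACTIONS_ENUM):
            label = "prohibited_action" if action in PROHIBITED_ACTIONS_ENUM else "unknown action"
            violations.append(f"CONTRACT_VIOLATION: {name} declares {label} {action}")
    return violations

# Constructed sample modules: one inside the boundary, one breaching it four ways.
GOOD_MODULE = '''
import json
ALLOWED_ACTIONS = ["READ_FILE", "WRITE_REPORT"]
def write_report(report):
    with open("knowledge/dev/laws/tool-kiem-thu/reports/sample.json", "w") as fh:
        json.dump(report, fh)
'''
BAD_MODULE = '''
import os, subprocess
ALLOWED_ACTIONS = ["READ_FILE", "EXECUTE_COMMAND"]
def run_selftest(path):
    os.system(path + " --selftest")
    with open("/tmp/selftest.log", "w") as fh:
        fh.write("PASS")
'''
```

This is the build-time half only; it proves that a module's source names no prohibited capability, not that the process lacks one at runtime. The RUNTIME half (read-only PG role inside a read-only transaction, no Directus write credential, no subprocess capability in the process) is what makes the boundary PG-enforced rather than asserted, and the §12 negative capability tests have to observe both halves refusing.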

13. TAC / IU dual-report rules (Codex fix 7 · sealed Domain H)

  • IU (information_unit) and TAC (tac_logical_unit) are two separate corpora; 0 joining views/functions exist in the sealed snapshot. The dual-corpus reporter emits them side-by-side with independent provenance and is structurally incapable of joining/choosing/merging/bridging; joined:false is always present.
  • The acceptance check is role/key/separation, not literal: assert each corpus is read from its distinct surface with its own provenance and joined == false. No literal corpus count appears in any criterion (the historical 219/102 are dated examples only). Any attempted join ⇒ FLAG_AUTHORITY_VIOLATION ⇒ BLOCKED. Corpus authority stays unresolved by design; the resolver is a deferred owner+Codex contract.

14. Registry ↔ FS reconciliation read/report (Codex fix 7 · sealed Domain D)

  • Report the canonical code-keyed diff (v_dot_reconciliation_reliability over wf_fs_dot_bin_snapshot) and the name-keyed diagnostic (v_dot_registry_no_file) separately, both directions, each with match_key + population + observation_ts. The diagnostic never overrides the canonical.
  • The acceptance check is role/key/population/provenance/separation — assert canonical.match_key != diagnostic.match_key, both shown, diagnostic non-overriding. No literal 41 or 4 in any criterion (dated examples only). Unmatched entries are NON-CALLABLE; no reconciliation mutation, no dot_tools fork.
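
The two-key reconciliation report of this section, worked as code. This is an added example, not the spec's or the project's code: the Row shape (a code key and a name key per entry), the sample registry and snapshot rows and the timestamp are constructed for this example; the view names in the report are the spec's. The sample deliberately contains an entry renamed on disk, so the name-keyed diagnostic disagrees with the code-keyed canonical diff; the report shows both directions of both diffs and resolves neither, and the separation check fails any report whose diagnostic shares the canonical key or claims to override it.

```python
"""Added example (not the spec's code): the §14 two-key reconciliation report.
The canonical diff is code-keyed, the diagnostic diff is name-keyed, both run in
both directions and are reported side by side; a separation check refuses any
report in which the diagnostic shares the canonical key or claims to override it.
The Row shape, the sample rows and the timestamp are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

@dataclass(frozen=True)
class Row:
    code: str   # code-key: the canonical match key (sealed Domain D)
    name: str   # name-key: diagnostic only, never overrides

def two_way_diff(registry: Iterable[Row], fs_snapshot: Iterable[Row], key: str) -> Dict[str, List[str]]:
    """Both directions over one key: what the registry has that FS lacks, and vice versa."""
    reg = {getattr(r, key) for r in registry}
    fs = {getattr(r, key) for r in fs_snapshot}
    return {"registry_only": sorted(reg - fs), "fs_only": sorted(fs - reg), "matched": sorted(reg & fs)}

def reconciliation_report(registry: List[Row], fs_snapshot: List[Row], observation_ts: str) -> Dict:
    population = {"registry_rows": len(registry), "fs_rows": len(fs_snapshot)}  # provenance data, not a gate
    canonical = {"role": "canonical", "match_key": "code",
                 "surface": "v_dot_reconciliation_reliability over wf_fs_dot_bin_snapshot",
                 "population": population, "observation_ts": observation_ts,
                 **two_way_diff(registry, fs_snapshot, "code")}
    diagnostic = {"role": "diagnostic", "match_key": "name", "surface": "v_dot_registry_no_file",
                  "population": population, "observation_ts": observation_ts,
                  **two_way_diff(registry, fs_snapshot, "name")}
    # Unmatched entries are reported only: NON-CALLABLE, never repaired, no dot_tools fork.
    return {"canonical": canonical, "diagnostic": diagnostic,
            "both_direction": True, "diagnostic_overrides_canonical": False}

def separation_check(report: Dict) -> List[str]:
    """Role/key/population/provenance/separation assertions; no literal counts anywhere."""
    problems: List[str] = []
    if report["canonical"]["match_key"] == report["diagnostic"]["match_key"]:
        problems.append("FAIL: canonical and diagnostic share a match_key")
    if report.get("diagnostic_overrides_canonical"):
        problems.append("FAIL: diagnostic marked as overriding canonical (F9)")
    if not report.get("both_direction"):
        problems.append("FAIL: one-directional reconciliation")
    for role in ("canonical", "diagnostic"):
        for f in ("match_key", "population", "observation_ts", "registry_only", "fs_only"):
            if f not in report[role]:
                problems.append(f"FAIL: {role} lacks {f}")
    return problems

# Constructed sample: D-003 was renamed on disk, so the name-keyed diagnostic
# disagrees with the code-keyed canonical diff; the report shows both, resolves neither.
REGISTRY = [Row("D-001", "alpha"), Row("D-002", "beta"), Row("D-003", "gamma-renamed")]
FS_SNAPSHOT = [Row("D-001", "alpha"), Row("D-003", "gamma"), Row("D-004", "delta")]

def sample_report() -> Dict:
    return reconciliation_report(REGISTRY, FS_SNAPSHOT, "2026-06-09T00:00:00Z")
```

The renamed entry is the reason the diagnostic must stay non-overriding: by code it is matched, by name it appears on both unmatched lists, and letting the name-keyed view "correct" the canonical one would manufacture a dead link that the code-keyed surface says does not exist.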
15. Advisory dead-link / coverage report (sealed Domain G)

  • readonly_dead_link_reporter consumes existing Đ19/Đ23/Đ39 surfaces (universal_edges, v_kg_edges_all, entity_dependencies, orphan/duplicate views) and emits coverage = ADVISORY_UNVERIFIED.
  • It claims no canonical-id coverage and no resolver completeness. Any "all references resolved / all dead links found" statement is prohibited. Missing or unproven coverage ⇒ UNVERIFIED. Doc-level canonical-id coverage remains UNPROVEN (sealed Domain G) — not a new gap, not a new resolver, not executed.

16. PG-first / native / driven conformance (Article 13 · Codex Gate-3)

  • Consumes existing PG/native read surfaces (§9); creates no alternate SSOT.
  • The file report is evidence only, never authority — it cannot be consumed as truth by anything downstream.
  • No static hardcoded source list where a dynamic source is available: the surface/claim-kind/rule sets are read from governed metadata (Authority Contract records + PG catalog) at runtime, or the coverage is marked UNVERIFIED. Where a governed source does not yet exist, the spec marks coverage incomplete rather than freezing a literal list.
  • source_metadata for every consumed fact points to a native table/view/report/contract.
  • No file-only surrogate for registry / context / graph / corpus authority — those remain in PG/Directus/Đ43/contracts.
  • Read-only capability is PG-driven (read-only role + read-only transaction), not module-name asserted (§12).

17. Failure modes + fail-closed rules (rev2)

# | Failure mode | Detected by | Verdict | Fail-closed behavior
--- | --- | --- | --- | ---
F1 | Missing dossier identity / blueprint_ref / revision | identity read | BLOCKED | Stop; emit blocked report; never ACCEPTABLE.
F2 | Count printed without a denominator_source_record | provenance writer | FLAG_HARDCODED_DENOMINATOR ⇒ FAIL | Refuse to print the bare count.
F3 | Collapsed denominator (single canonical DOT number) | denominator check | BLOCKED | Structurally prevented; fail closed.
F4 | Execution claim with no/insufficient evidence | adequacy chain | EVIDENCE_INSUFFICIENT ⇒ FAIL | Never infer PASS; article14 = NOT_PROVEN.
F5 | Prose-only PASS | adequacy chain | FLAG_PROSE_ONLY_PASS ⇒ FAIL | Never echo the PASS.
F6 | Declared artifact does not resolve | existence resolver | EVIDENCE_INSUFFICIENT ⇒ FAIL | Report unresolved with surface+ts.
F7 | Reference ambiguity (multi-match / undefined key) | existence resolver | EVIDENCE_INSUFFICIENT/UNVERIFIED | Do not pick a winner.
F8 | TAC/IU joined/chosen/merged | dual-corpus reporter | BLOCKED | Structurally incapable; fail closed.
F9 | Diagnostic (name-key) would override canonical (code-key) | reconciliation report | FAIL | Always show both separately.
F10 | Evidence resolves but is the wrong kind / unbound / self-referential | adequacy chain (capability step) | EVIDENCE_INSUFFICIENT ⇒ FAIL | The Recheck-8 / "resolvable-but-insufficient" catch.
F11 | Evidence artifacts contradict | adequacy chain | EVIDENCE_CONFLICTING ⇒ FAIL | Report the conflict set; never pick.
F12 | High-risk prose region unparsed | claim extractor | claim_inventory_completeness=UNVERIFIED ⇒ UNVERIFIED + manual review | Never ACCEPTABLE on incomplete inventory.
F13 | Evidence only on stale/unverifiable/out-of-scope surface | source check | BLOCKED_BY_UNVERIFIED_SOURCE ⇒ UNVERIFIED | Mark unverified; never assume.
F14 | Attempt to invoke FS DOT / IU command / detector / write anything | capability guard | CONTRACT_VIOLATION ⇒ BLOCKED (exit 3) | No such capability exists (static+runtime guard).
F15 | A FLAG/FAIL/BLOCKED/UNVERIFIED verdict mapped to exit 0 | exit-code check | build/CI failure | Exit semantics forbid green-but-flagged.

Master fail-closed principle: when in doubt, flag / block / unverified, never accept. Absence or inadequacy of evidence is EVIDENCE_INSUFFICIENT/FAIL, never silent acceptance. ("Không chắc đúng = sai" — NT9.)

18. Prohibited-overlap wall

Carries the rev1 20-item wall (no runner; no FS-DOT invoke; no IU-command invoke; no Directus mutation; no PG mutation; no registry fork; no system_issues write; no new logger; no new graph/duplicate/orphan/canonical-id resolver; no detector execution; no TAC↔IU merge/bridge; no reconciliation cleanup/rebirth; no 3rd cut/verify/manifest lineage; no OPA/Conftest/Squawk/CI/Git-hook; no proof-of-run; no Directus-100%-DOT proof; no prose-only PASS; no collapsed counts; no build before seal; no FIX7 resume/run) plus the rev2 capability items: no module may declare any prohibited_action (§12); no literal count in any comparator (§8); no exit-0 for non-ACCEPTABLE (§11); no treating a READY_FOR_GPT_REVIEW contract as binding (§19); no claim-inventory completeness asserted without a governed contract (§7).

19. In-scope vs deferred carve-outs + Authority Contract status (Codex fix 11)

In scope (read/report-only): identity read; claim/evidence adequacy inventory; denominator provenance reporting; dual-corpus reporting; reconciliation reporting; advisory dead-link/coverage; report-triplet emission; fail-closed verdicting.

Deferred (behind named, Codex-mandatory future contracts): running any command + exit capture (Call Contract); binding a claim to a real run result / proof-of-run semantics; --selftest N/N + module_sha256 self-pin (post-seal build); generic package_manifest schema (lineage decision + Codex schema review); audit_dead_links() persistent engine + system_issues sink (write contract); Directus write (DOT-control proof contract); TAC↔IU bridge (owner decree + Codex); reconciliation mutation; OPA/Conftest/Squawk/CI/Git-hook gating.

Authority Contract status (normalized): Codex-sealed B/C/D/G/H are binding constraints for this workstream and are not reopened. Authority Contract v0.1 records those sealed constraints; the contract's own status is READY_FOR_GPT_REVIEW — it is not yet ratified and not binding as a whole, and remains subject to GPT/User review. No PROGRAM_MACRO_READY / "no engineering omissions remain" language is used anywhere in rev2.

20. Self-audit (Track 12)

Check | Verdict | Evidence
--- | --- | ---
Article 14 (no prose-claims-executable-without-runnable-proof) | PASS | §3 adequacy chain + §4.3 article14_status forces NOT_PROVEN for all execution claims; ACCEPTABLE structurally unavailable for them.
No prose-only PASS | PASS | §4.2 FLAG_PROSE_ONLY_PASS ⇒ FAIL; claim type 13 forbidden positive; F5.
No hidden hardcode | PASS | §8 counts are dated examples only; §13/§14 checks are role/key/provenance; F2/F3.
No fake-green | PASS | §11 exit map; FLAG/FAIL/BLOCKED/UNVERIFIED never exit 0; F15.
PG-first / native / driven | PASS | §9/§16 consume governed PG surfaces; read-only role drives the boundary; no alternate SSOT.
No parallel authority | PASS | §18 wall; §15 advisory-only; §13 dual-report only; sealed B/C/D/G/H not reopened.
No run/write violation | PASS | §12 capability enums + static/runtime guard; §10 only KB report writes, disclosed via writes_performed.
Claim/evidence adequacy | PASS | §3 chain + §5 evidence classes + §6 claim matrix; reference-alone never positive.
Claim-inventory completeness honest | PASS | §7 best-effort + UNVERIFIED + manual review; not sole authority.
Codex 12 fixes addressed | PASS | reports/codex-fix-ledger-gap-only-spec-rev2-2026-06-09.md 12/12 = YES.

Cross-references

  • Fix ledger: reports/codex-fix-ledger-gap-only-spec-rev2-2026-06-09.md
  • JSON mirror: designs/implementation-package-dot-v0-1-gap-only-scope-spec-rev2-2026-06-09.json
  • FIX7 pilot rev2: designs/fix7-read-report-pilot-design-rev2-for-implementation-package-dot-v0-1-2026-06-09.md
  • MVP plan rev2: planning/mvp-read-report-inspector-implementation-plan-no-code-rev2-2026-06-09.md
  • Acceptance matrix rev2: designs/acceptance-test-matrix-implementation-package-dot-v0-1-rev2-2026-06-09.md
  • Sealed authority: reviews/codex-seal-authority-matrix-bcdgh-2026-06-09.md · Authority Contract: contracts/authority-contract-v0-1-2026-06-09.{md,json} (READY_FOR_GPT_REVIEW)
  • Codex review (12 fixes): reviews/codex-review-gap-only-spec-fix7-pilot-mvp-readiness-2026-06-09.md
  • Constitution: knowledge/dev/laws/constitution.md (NT13 Article 13, NT14 Article 14)
  • Superseded rev1: designs/implementation-package-dot-v0-1-gap-only-scope-spec-2026-06-09.{md,json}