Tool-Kiem-Thu — Object Registry (Phase 2 / Phase 3 / B4′ / B7)

• Date: 2026-06-10
• Macro: Birth/Governance Onboarding + Auto-Governance Audit
• Authority of THIS doc: KB-level governance record (design/governance authority), NOT a production registry insertion. No PG/Directus/birth_registry row was created by this macro.
• Source rule: KB-FIRST / PG-FIRST / NATIVE-DRIVEN / LOCAL-LAST. Article 13 + 14 in force.
• Companion machine file: tool-kiem-thu-object-registry-2026-06-10.json.

Legend

• Authority class: evidence-only · design-authority · provisional-non-authority · governed-authority · deferred · prohibited.
• Lifecycle: active-pilot · reference-evidence · provisional · superseded · retained-evidence · pending-promotion · pending-cleanup · deferred-future.
• Owner class: SYSTEM (design/report artifact — project/KB owner) · OPERATOR (runtime/sandbox/CI venue) · AUTHORITY (promotion/gate/catalog — owner+Codex).
• Auto-gov: NONE (no native detection path) · BORN-UNCERTIFIED (auto-births into a governed collection but certified=false/owner=null) · GOVERNED (fully governed by native auto-system). See auto-detection coverage matrix for evidence.

A. Tool / code objects

ID	Object	Type	Location	By	Status	Authority	Lifecycle	Owner	Auto-gov	Allowed / Prohibited
TKT-OBJ-001	ip_dot_inspector (rev4 offline non-gating inspector, ~1069 LOC/11 modules)	tool/code	repo Huyen1974/tool-kiem-thu-ci:ip_dot_inspector/	Phase 2	PASS (built+ran, exit 1 READ_LEVEL_FAIL)	evidence-only (pilot)	active-pilot	OPERATOR	NONE	Allowed: offline packet read→local report. Prohibited: live PG/KB read, gate use, KB write, production.
TKT-OBJ-002	tools/build_guard.py (L2 static capability guard, 180 ln)	tool/code	same repo	Phase 2	PASS (NO_BUILD_GUARD_VIOLATION)	evidence-only	active-pilot	OPERATOR	NONE	Allowed: build-time guard. Prohibited: treat as runtime authority.
TKT-OBJ-003	inspector/main.py (12-probe B4′ harness, 142 ln)	tool/code	same repo	B4′	PASS (12/12)	evidence-only	reference-evidence	OPERATOR	NONE	Allowed: attestation probe.
TKT-OBJ-004	b7_validate.py (packet validator, stdlib)	tool/code	local /tmp/tki-ci/b7_validate.py	B7	PASS (10/10 + 7/7)	evidence-only	retained-evidence (local, non-authority)	OPERATOR	NONE	Prohibited: treat as governed validator; local-last only. Needs cleanup/retention rule.
TKT-OBJ-005	tests/test_acceptance.py (+conftest, 31 tests, 365 ln)	test harness	same repo	Phase 2	PASS (31/31, run 27248508492)	evidence-only	active-pilot	OPERATOR	NONE	Allowed: acceptance/negative suite.

B. Sandbox / security-profile objects

ID	Object	Type	Location	By	Status	Authority	Lifecycle	Owner	Auto-gov
TKT-OBJ-006	seccomp-startup-safe.json (sha256 d11c2bb0…09260)	security profile	repo	B4′	PASS (used in 12/12)	evidence-only	reference-evidence	OPERATOR	NONE
TKT-OBJ-007	seccomp-deny-by-default.json (sha256 68b07c17…e8dbe)	security profile	repo	B4′	UNRUNNABLE under runc (honest defect; structural no-shell used instead)	evidence-only	superseded-by TKT-OBJ-006 for attestation	OPERATOR	NONE
TKT-OBJ-008	deny-by-default docker run invocation (L1 boundary)	runtime config	design doc + CI workflows	B4′	PASS (boundary realized)	design-authority	reference-evidence	OPERATOR	NONE
TKT-OBJ-009	Dockerfile.sandbox / Dockerfile.mvp (distroless python3-debian12:nonroot, USER 65532)	container def	repo	Phase2/B4′	PASS	evidence-only	active-pilot	OPERATOR	NONE
TKT-OBJ-010	built image digest sha256:a75f6235…fb46e (Docker 28.0.4)	container image	ephemeral CI	B4′	ephemeral (not retained)	evidence-only	pending-cleanup (ephemeral)	OPERATOR	NONE

C. CI repo / runner / workflow / venue objects

ID	Object	Type	Location	By	Status	Authority	Lifecycle	Owner	Auto-gov
TKT-OBJ-011	repo Huyen1974/tool-kiem-thu-ci (private, no secrets/WIF/terraform, workflow_dispatch-only)	CI repo/venue	GitHub	Phase2/3 CI route	RETAINED (inert)	evidence-only	retained-evidence	OPERATOR	NONE (no GitHub sensor)
TKT-OBJ-012	.github/workflows/b4-prime-sandbox-attestation.yml (158 ln)	CI workflow	repo	B4′	PASS	evidence-only	reference-evidence	OPERATOR	NONE
TKT-OBJ-013	.github/workflows/phase2-3-mvp.yml (148 ln)	CI workflow	repo	Phase2/3	PASS	evidence-only	reference-evidence	OPERATOR	NONE
TKT-OBJ-014	GitHub-hosted ephemeral ubuntu-latest runner (not Mac-local)	runner venue	GitHub	Phase2/3/B4′	ephemeral	evidence-only	n/a (ephemeral)	OPERATOR	NONE
TKT-OBJ-015	CI run artifacts phase2-3-offline-mvp-evidence, B4′ attestation artifact (runs 27247749834,27248508492,27247543884)	evidence artifact	GitHub (30-day retention)	Phase2/3/B4′	retained 30d	evidence-only	retained-evidence (auto-expire)	OPERATOR	NONE

D. Packet / fixture / catalog objects (B7)

ID	Object	Type	Location	By	Status	Authority	Lifecycle	Owner	Auto-gov
TKT-OBJ-016	packet PKT-B7-REF-2026-06-10-001 (schema b7-governed-packet/v1, 6 items, manifest sha256:bba872b9…6097)	governed export packet	local /tmp/tki-ci/b7-governed-packet-sample-2026-06-10.json	B7	reference-validated (10/10+7/7)	evidence-only	retained-evidence (local, non-authority)	OPERATOR	NONE (file); native precedent context_pack_manifest exists
TKT-OBJ-017	fixtures/fix7-fixture-A-packet.json (+ A′/B/C/D matrix fixtures)	fixture	repo	Phase3/B7	PASS (bound to tests)	evidence-only	reference-evidence	OPERATOR	NONE
TKT-OBJ-018	6 named-query IDs NQ-*-V1 (provisional catalog entries)	named-query catalog	design doc / packet	B7	PROVISIONAL	provisional-non-authority	provisional / pending-promotion (B7-EXP-1)	AUTHORITY	NONE (no governed named-query registry surface); adapts native dot_iu_command_catalog shape

E. Schema / contract objects (B7) — KB design docs

ID	Object	KB path	By	Status	Authority	Lifecycle	Owner
TKT-OBJ-019	Packet schema b7-governed-packet/v1	designs/b7-governed-packet-schema-2026-06-10.md	B7	design-complete, reference-validated	design-authority	pending-promotion	AUTHORITY
TKT-OBJ-020	Export-step contract	contracts/b7-governed-export-step-contract-2026-06-10.md	B7	design-complete	design-authority	pending-promotion (§12 owner+Codex)	AUTHORITY
TKT-OBJ-021	Named-query catalog spec	designs/b7-named-query-catalog-spec-2026-06-10.md	B7	provisional	provisional-non-authority	pending-promotion (B7-EXP-1)	AUTHORITY
TKT-OBJ-022	MVP consumption contract	contracts/offline-mvp-governed-packet-consumption-contract-2026-06-10.md	B7	design-complete	design-authority	reference-evidence	SYSTEM
TKT-OBJ-023	B7 acceptance test matrix	designs/b7-governed-export-packet-acceptance-test-matrix-2026-06-10.md	B7	design-complete	design-authority	reference-evidence	SYSTEM
TKT-OBJ-024	Authority Contract v0.1 (+json)	contracts/authority-contract-v0-1-2026-06-09.md(.json)	Phase 0	sealed B/C/D/G/H	design-authority	active	AUTHORITY

F. Evidence / report / raw-log / checkpoint objects (KB docs)

ID	Object class	KB path(s)	Status	Authority	Lifecycle	Owner
TKT-OBJ-025	Phase 2 MVP execution report (+json)	reports/phase2-offline-mvp-execution-report-2026-06-10.*	PASS	evidence-only	retained-evidence	SYSTEM
TKT-OBJ-026	Phase 2+3 CI route execution report (+json)	reports/phase2-phase3-ci-operator-route-execution-report-2026-06-10.*	PASS	evidence-only	retained-evidence	SYSTEM
TKT-OBJ-027	B4′ attestation evidence (+json)	reports/b4-prime-sandbox-attestation-evidence-2026-06-10.*	PASS	evidence-only	retained-evidence	SYSTEM
TKT-OBJ-028	Phase 3 FIX7 pilot execution report (+json)	reports/phase3-fix7-read-report-pilot-execution-report-2026-06-10.*	PASS	evidence-only	retained-evidence	SYSTEM
TKT-OBJ-029	B7 validation report	reports/b7-governed-export-packet-validation-report-2026-06-10.md	PASS	evidence-only	retained-evidence	SYSTEM
TKT-OBJ-030	Acceptance matrix binding	reports/phase2-offline-mvp-acceptance-matrix-binding-2026-06-10.md	PASS	evidence-only	retained-evidence	SYSTEM
TKT-OBJ-031	Raw-log indices (×3)	reports/*-raw-log-index-2026-06-10.md	retained	evidence-only	retained-evidence	SYSTEM
TKT-OBJ-032	Checkpoints (B7, Phase2/3 CI route, B4′, etc.)	checkpoints/*	retained	evidence-only	retained-evidence	SYSTEM
TKT-OBJ-033	Action-ready blocker packets	checkpoints/action-ready-blocker-*	open	evidence-only	active	SYSTEM/AUTHORITY
TKT-OBJ-034	Phase 4 readiness map	planning/phase4-call-contract-readiness-map-after-b7-2026-06-10.md	READY	design-authority	active	SYSTEM
TKT-OBJ-035	CI workflow/harness packet	planning/ci-phase2-phase3-workflow-and-harness-packet-2026-06-10.md	APPLIED_AND_RUN	evidence-only	retained-evidence	OPERATOR

The full tool-kiem-thu KB folder holds 113 docs (rev86 index). All inherit class TKT-OBJ-025..035 governance (evidence-only / design-authority, SYSTEM owner, KB-SSOT). None is a production authority.

G. New taxonomy / label / status / blocker / phase objects (introduced by this project)

ID	Object	Type	Status	Authority	Owner	Auto-gov
TKT-OBJ-036	New object species proposed: offline-inspector-tool, sandbox-attestation-profile, ci-evidence-repo, governed-export-packet, provisional-named-query-catalog, evidence-bundle, non-gating-report-artifact, action-ready-blocker-packet	species/taxonomy	PROVISIONAL (not in native entity_species)	provisional-non-authority	AUTHORITY	NONE — see taxonomy-gap report
TKT-OBJ-037	New lifecycle statuses used: reference-validated, provisional-non-authority, retained-evidence, deferred-action-ready	status vocab	PROVISIONAL	provisional-non-authority	AUTHORITY	NONE
TKT-OBJ-038	New authority classes: provisional-non-authority, design-authority, evidence-only	authority vocab	PROVISIONAL	provisional-non-authority	AUTHORITY	NONE
TKT-OBJ-039	New blocker classes: B7-EXP-1, B7-EXP-2/D9, D10 (KB writer), D11 (gate consumer), Phase-4 D4–D8, B0‴	blocker taxonomy	open	evidence-only	AUTHORITY	NONE
TKT-OBJ-040	New roadmap phase: Phase 3.5 Birth/Governance Onboarding	roadmap object	created by this macro	design-authority	SYSTEM	NONE

H. Self-referential: this macro's own deliverables

ID	Object	Type	Status	Authority	Owner	Auto-gov
TKT-OBJ-041	The 15 governance deliverables of THIS macro (registry, reports, maps, blockers, checkpoint, index update) under governance/, reports/, planning/, checkpoints/	governance doc	created 2026-06-10	KB-level governance authority (not production registry)	SYSTEM	BORN-UNCERTIFIED if synced to knowledge_documents (certified=false/owner=null) — same gap they document

I. FIX7 checkability-support objects (added 2026-06-10, same-macro birth per future-macro rule)

ID	Object	Type	KB path	By	Status	Authority	Lifecycle	Owner	Auto-gov	Allowed / Prohibited
TKT-OBJ-042	Checkable FIX7 Blueprint Package (claim/artifact inventory of the T1 FIX7 build blueprint)	checkable-package (derived view)	designs/fix7-blueprint-checkable-package-2026-06-10.md	FIX7-support macro	built	provisional-non-authority	reference (re-derivable)	SYSTEM	BORN-UNCERTIFIED-if-synced	Allowed: feed the inspector check. Prohibited: become a 2nd canonical authority over the blueprint (would trip Lens 4); seal/approve.
TKT-OBJ-043	Article-14 Executable-Evidence Check Report (5-lens, applied)	check-report	reports/fix7-blueprint-article14-executable-evidence-check-report-2026-06-10.md	FIX7-support macro	FAIL (non-gating)	evidence-only	retained-evidence	SYSTEM	BORN-UNCERTIFIED-if-synced	Allowed: advise approver. Prohibited: gate/override Codex Recheck-8.
TKT-OBJ-044	Approval-Acceleration Punch-List (7-item)	advisory-report	reports/fix7-blueprint-approval-acceleration-punch-list-2026-06-10.md	FIX7-support macro	READY (advisory)	evidence-only	active	SYSTEM	BORN-UNCERTIFIED-if-synced	Allowed: speed re-approval. Prohibited: approve the blueprint (owner/Codex only).
TKT-OBJ-045	Article-14 5-Lens Detector Spec (reusable check definitions, this-blueprint-scope)	design-spec	designs/article14-executable-evidence-5lens-detector-spec-2026-06-10.md	FIX7-support macro	defined	design-authority (provisional)	active	SYSTEM/AUTHORITY	BORN-UNCERTIFIED-if-synced	Allowed: check definitions for this blueprint. Prohibited: promote to reusable framework product without owner+Codex (Recheck-8 K scope).
TKT-OBJ-046	Checkpoint — FIX7 blueprint checkability support	checkpoint	checkpoints/checkpoint-fix7-blueprint-checkability-support-2026-06-10.md	FIX7-support macro	created	evidence-only	retained-evidence	SYSTEM	BORN-UNCERTIFIED-if-synced	—

Same-macro governance note: these 5 objects do NOT patch the auto-birth system; their native auto-gov status is BORN-UNCERTIFIED-if-synced (identical gap documented in the auto-system audit). They carry no authority over the FIX7 blueprint (its SSOT = FIX7-CANON-V1 canonicalizer; sealer = Codex). No production mutation.

J. FIX7 executable-approval-lane objects (added 2026-06-10, same-macro birth per future-macro rule)

ID	Object	Type	KB path / location	Status	Authority	Lifecycle	Owner	Allowed / Prohibited
TKT-OBJ-047	materialize_canonicalizer.py (P1 byte-extraction command)	tool-script	packet run artifact (README §3)	run, exit 0	non-authority utility	active	OPERATOR	Allowed: extract .py from SSOT .md. Prohibited: become authority.
TKT-OBJ-048	canonicalizer-fix7-canon-v1-ssot.py (materialized)	derived-executable	packet run artifact	runs, 22/22, exit 0	derived from SSOT .md (NOT independent authority)	active	OPERATOR	Allowed: run selftest. Prohibited: duplicate authority.
TKT-OBJ-049	fix7_canon_v1_ssot_extended.py (production-complete canonicalizer reference)	canonicalizer-reference	packets/fix7-codex-recheck-9-2026-06-10/fix7_canon_v1_ssot_extended.py (sha256 196d98…)	36/36 PASS; produces 6/8 digests; runnable-from-KB	provisional reference; becomes SSOT fence via P-EXT-1	active, candidate	SYSTEM/AUTHORITY	Allowed: reference + patch source. Prohibited: treat as sealed SSOT before Codex.
TKT-OBJ-050	FIX7-CODEX-RECHECK-9-PACKET (README_FOR_CODEX, manifest.json, RERUN.sh, HASH_MANIFEST, raw logs)	evidence-packet	packets/fix7-codex-recheck-9-2026-06-10/	reproducible, runnable-from-KB	provisional-non-authority, evidence-only	active	SYSTEM	Allowed: Codex recheck-9 verification. Prohibited: seal/approve.
TKT-OBJ-051	Master report	report	reports/fix7-executable-approval-lane-master-report-2026-06-10.md	created	provisional-non-authority	retained-evidence	SYSTEM	—
TKT-OBJ-052	Executable claim ledger	report	reports/fix7-executable-claim-ledger-2026-06-10.md	created	provisional-non-authority	retained-evidence	SYSTEM	—
TKT-OBJ-053	Patch packet P-EXT-1	patch-packet	checkpoints/fix7-article14-repair-patch-packet-2026-06-10.md	ready, not-applied	provisional; apply gated (owner/T1)	active	SYSTEM/AUTHORITY	Allowed: apply on authorization. Prohibited: silent in-place mutation of artifact under Codex review.
TKT-OBJ-054	Artifact evidence report	report	reports/fix7-executable-artifact-evidence-report-2026-06-10.md	created	provisional-non-authority	retained-evidence	SYSTEM	—
TKT-OBJ-055	Digest/seal reproduction report	report	reports/fix7-digest-seal-reproduction-report-2026-06-10.md	created	provisional-non-authority	retained-evidence	SYSTEM	—
TKT-OBJ-056	Forbidden-scope enforcement report	report	reports/fix7-forbidden-scope-enforcement-report-2026-06-10.md	created	provisional-non-authority	retained-evidence	SYSTEM	—
TKT-OBJ-057	Tool-Kiem-Thu support package	design/support	designs/fix7-tool-kiem-thu-support-package-2026-06-10.md	created	provisional-non-authority, non-gating	active	SYSTEM	Prohibited: claim gate PASS.
TKT-OBJ-058	Cross-impact report	report	reports/fix7-approval-lane-cross-impact-report-2026-06-10.md	created	provisional-non-authority	retained-evidence	SYSTEM	—
TKT-OBJ-059	New-object governance update (this section's source)	governance	governance/fix7-approval-lane-new-object-governance-update-2026-06-10.md	created	governance (KB-level)	active	SYSTEM	—
TKT-OBJ-060	Action-ready blocker	checkpoint	checkpoints/action-ready-blocker-after-fix7-executable-approval-lane-2026-06-10.md	open	provisional-non-authority	active	SYSTEM/AUTHORITY	—
TKT-OBJ-061	Final checkpoint	checkpoint	checkpoints/checkpoint-fix7-executable-approval-lane-2026-06-10.md	created	provisional-non-authority	retained-evidence	SYSTEM	—
TKT-OBJ-062	Roadmap/current-state update	planning	planning/fix7-tool-kiem-thu-current-state-and-next-roadmap-2026-06-10.md	created	provisional-non-authority	active	SYSTEM	—

Same-macro governance note: these 16 objects do NOT patch the auto-birth system (BORN-UNCERTIFIED-if-synced). They carry NO authority over the FIX7 blueprint (SSOT = FIX7-CANON-V1 canonicalizer; sealer = Codex). 049 is the proposed SSOT fence via P-EXT-1; it becomes load-bearing only after owner/T1 apply + Codex seal. 048 is explicitly derived from the .md (no duplicate authority). No production mutation; the SSOT .md was NOT mutated in place. The 10 staged input docs are FIX7-blueprint-owned inputs (byte-exact copies; hashes in manifest), not TKT objects.

Orphan summary (see orphan-detection report)

Before this macro: every TKT-OBJ-* was orphaned w.r.t. the native auto-birth/governance system (0 rows in birth_registry). After this macro: every TKT-OBJ-* has a KB-level canonical ID, owner-class, authority, lifecycle, allowed/prohibited use, and a promotion/retention rule, OR an action-ready blocker. No known important object or accessory remains unclassified at KB level. Production-registry insertion remains a future AUTHORITY blocker (not performed here).

Z. Residual approval-seal lane macro additions (registry rev3 → rev4, 2026-06-10)

Macro RESIDUAL_APPROVAL_SEAL_LANE_MACRO_FIX7_P_EXT_1_TO_CODEX_RECHECK9_HANDOFF. See governance/fix7-p-ext-1-handoff-new-object-governance-update-2026-06-10.md (TKT-OBJ-068).

ID	Object	Type	Location	Status	Authority	Owner	Auto-gov
TKT-OBJ-063	manifest_tool.py (manifest generator + fail-closed verifier)	tool/code	packets/fix7-codex-recheck-9-2026-06-10/manifest_tool.py	--emit/--verify exit0; tamper→exit1 proven	non-authority-utility (NOT seal/gate)	OPERATOR/SYSTEM	NONE
TKT-OBJ-064	P-EXT-1 apply + recheck-9 handoff report	report	reports/fix7-p-ext-1-apply-and-recheck9-handoff-report-2026-06-10.md	created	provisional-non-authority	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-065	Codex recheck-9 final handoff	checkpoint	checkpoints/fix7-codex-recheck-9-final-handoff-2026-06-10.md	created	provisional-non-authority	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-066	Recheck-9 remaining authority blocker ledger	checkpoint	checkpoints/fix7-recheck9-remaining-authority-blocker-ledger-2026-06-10.md	open (N7/N8/P7/owner)	provisional-non-authority	SYSTEM/AUTHORITY	BORN-UNCERTIFIED-if-synced
TKT-OBJ-067	Checkpoint P-EXT-1 apply + handoff	checkpoint	checkpoints/checkpoint-fix7-p-ext-1-apply-and-recheck9-handoff-2026-06-10.md	created	provisional-non-authority	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-068	This rev4 governance update	governance	governance/fix7-p-ext-1-handoff-new-object-governance-update-2026-06-10.md	created	governance-KB-level	SYSTEM	BORN-UNCERTIFIED-if-synced

State transitions (no new id): SSOT canonicalizer .md rev1→rev2 (fence minimal→extended; 8f80f9f0…→144eb3d9…; still single canonical authority). TKT-OBJ-053 P-EXT-1 ready-not-applied→APPLIED (KB rev2, owner-authorized). TKT-OBJ-049 extended .py bytes are now the SSOT fence. TKT-OBJ-048 materialized .py now == extended (196d9801…, 36/36) → one canonical identity. TKT-OBJ-050 packet refreshed post-patch; manifest.json command-generated + fail-closed verified; manifest_tool.py added. Codex still seals N7/N8/P7 + authoritative canonicalizer_sha256/revision; owner's do-not-approve stands.

AA. Recheck-9 R9-B1..B5 hardening lane additions (registry rev4 → rev5, 2026-06-10)

Macro FIX7_RECHECK9_PACKET_HARDENING_APPROVAL_LANE_MACRO_R9_B1_TO_R9_B5. See governance/fix7-recheck9-hardening-new-object-governance-update-2026-06-10.md (TKT-OBJ-086).

ID	Object	Type	Location	Status	Authority	Owner	Auto-gov
TKT-OBJ-069	P-EXT-2 patch (fail-closed produce) APPLIED to SSOT fence	patch/state-transition	blueprint path canonicalizer-fix7-canon-v1-ssot.md (KB rev3)	applied; byte-exact re-fetch proven (49c386a9…)	load-bearing SSOT content change; candidate not sealed	OWNER-authorized via lane macro	NONE
TKT-OBJ-070	manifest format FIX7-R9-MANIFEST-V2 + manifest_tool.py V2 (authority/explanatory split; full recompute deep-diff verify; scan/complete/emit-hash-manifest modes)	tool/code	packets/fix7-codex-recheck-9-2026-06-10/manifest_tool.py (rev2)	verify exit0 nominal; every tamper class exit1	non-authority-utility (NOT seal/gate)	OPERATOR/SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-071	adversarial_suite.py (12 tamper classes + 4 controls; 22/22)	tool/code	packets/fix7-codex-recheck-9-2026-06-10/adversarial_suite.py	exit0; expected-fail tests gated	non-authority-utility	OPERATOR/SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-072	kb_fetch_reconstruct.py (KB fresh-fetch packet reconstruction, fail-closed)	tool/code	packets/fix7-codex-recheck-9-2026-06-10/kb_fetch_reconstruct.py	RECONSTRUCTION OK 28 files; tree identical 21752e19…	non-authority-utility; read-only	OPERATOR/SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-073	RERUN.sh V2 (strict 10-gate rerun)	tool/script	packets/fix7-codex-recheck-9-2026-06-10/RERUN.sh	exit0 nominal; exit1 on every tamper	non-authority-utility	OPERATOR/SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-074	HASH_MANIFEST.txt (28-entry bidirectional hash manifest)	evidence	packets/fix7-codex-recheck-9-2026-06-10/HASH_MANIFEST.txt	emitted; shasum -c OK	evidence-only	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-075	Packet V2 KB-native surface (19 docs: README/RERUN/HM/manifest/tools/evidence×6/logs×6; corpus via canonical blueprint ids; old divergent root extended.py DELETED)	packet	packets/fix7-codex-recheck-9-2026-06-10/	published; fresh-fetch reconstruction PASS	provisional-non-authority; evidence-only	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-076	R9-B1..B5 hardening master report	report	reports/fix7-recheck9-r9-b1-b5-hardening-master-report-2026-06-10.md	created	provisional-non-authority	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-077	Manifest verifier completeness report (R9-B1)	report	reports/fix7-recheck9-manifest-verifier-completeness-report-2026-06-10.md	created	provisional-non-authority	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-078	Produce fail-closed negative tests report (R9-B2)	report	reports/fix7-recheck9-produce-failclosed-negative-tests-2026-06-10.md	created	provisional-non-authority	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-079	RERUN strictness report (R9-B3)	report	reports/fix7-recheck9-rerun-strictness-report-2026-06-10.md	created	provisional-non-authority	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-080	KB-native packet completeness report (R9-B4)	report	reports/fix7-recheck9-kb-native-packet-completeness-report-2026-06-10.md	created	provisional-non-authority	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-081	Current KB byte hash proof (R9-B5)	report	reports/fix7-recheck9-current-kb-byte-hash-proof-2026-06-10.md	created	provisional-non-authority	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-082	Codex-adversarial selfcheck report	report	reports/fix7-recheck9-codex-adversarial-selfcheck-report-2026-06-10.md	created	provisional-non-authority	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-083	Packet V2 rerun handoff (supersedes V1 handoff)	checkpoint	checkpoints/fix7-codex-recheck-9-rerun-packet-v2-handoff-2026-06-10.md	created	provisional-non-authority	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-084	Checkpoint R9-B1..B5 hardening lane	checkpoint	checkpoints/checkpoint-fix7-recheck9-r9-b1-b5-hardening-2026-06-10.md	created	provisional-non-authority	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-085	Current-state: packet V2 hardened awaiting Codex rerun	current-state	knowledge/current-state/reports/fix7-recheck9-packet-v2-current-state-2026-06-10.md	created	provisional-non-authority	SYSTEM	BORN-UNCERTIFIED-if-synced
TKT-OBJ-086	This rev5 governance update	governance	governance/fix7-recheck9-hardening-new-object-governance-update-2026-06-10.md	created	governance-KB-level	SYSTEM	BORN-UNCERTIFIED-if-synced

State transitions (no new id): SSOT .md rev2→rev3 (P-EXT-2 fail-closed produce; 144eb3d9…→49c386a9…, byte-exact apply proven; candidate NOT sealed). TKT-OBJ-050→superseded by V2 packet (TKT-OBJ-075); TKT-OBJ-063→superseded by manifest_tool V2 (TKT-OBJ-070); TKT-OBJ-065→superseded by TKT-OBJ-083; TKT-OBJ-066 ledger→rev2 (R9-B5-RES added). Old packet-root fix7_canon_v1_ssot_extended.py KB doc deleted (divergent duplicate). Codex still seals N7/N8/P7 + authoritative canonicalizer_sha256/revision; owner's do-not-approve stands.