KB-3F6E rev 16

FIX7 Codex Recheck-9 Reproducible Packet V2 — README_FOR_CODEX (2026-06-10)


FIX7 Canonicalizer — Codex Recheck-9 Reproducible Packet V2 (README_FOR_CODEX)

  • Date: 2026-06-10 · Packet ID: FIX7-CODEX-RECHECK-9-PACKET-V2 · Object ID: TKT-OBJ-050 (superseding rev)
  • Authority: provisional-non-authority, evidence-only, decision_effect=NONE, may_gate=false. Tool-Kiem-Thu does not seal/approve. Codex remains the sole sealing authority; owner's standing decision ("do not approve the construction blueprint") is preserved.
  • Codex consulted: NO · Production mutation: NO · REAL_RUN/QT001/apply/permit/activation/repoint/cutover: NO · auto-birth repair: NO
  • Target: T1 FIX7 Existing-System Refactor Execution Blueprint canonicalizer SSOT, at Codex Recheck-9 = CODEX_RECHECK_9_NEEDS_T1_FIX.

0. What this packet V2 is — R9-B1..R9-B5 closed as one lane

Codex Recheck-9 rejected packet V1 on five blockers. V2 closes them:

| blocker | Codex's failing test (V1) | V2 repair | V2 acceptance (executable) |
|---|---|---|---|
| R9-B1 verifier incomplete | tamper forbidden_scope.forbidden_operations_found=999 → verify exit 0, RERUN PASS | manifest.json split into authority (EVERY field recomputed from disk + real executions at --verify; deep-diffed; schema-closed: no extra key allowed) vs explanatory (declared non-authority, excluded from PASS) | adversarial_suite.py T1/T3/T4/T10/T11/T12 — any authority-field tamper → verify exit 1 |
| R9-B2 produce not fail-closed | remove doc 05 → EXTRACT_ERROR yet membership_frozen_ok: True, exit 0 | SSOT fence patched (P-EXT-2): any missing/extra/duplicate/extract-error/invalid member suppresses EVERY candidate digest (SUPPRESSED_CORPUS_NOT_OK), forces corpus_ok=false + membership_frozen_ok=false, exits 4; membership is computed over PRESENT+VALID members | suite T2; selftest R9-B2 fixtures; --verify re-executes 4 produce negative tests live |
| R9-B3 RERUN unenforced | set -u only; selftest/produce exits printed not checked; no shasum/forbidden/negative rerun | RERUN.sh v2: set -euo pipefail + ERR trap; 10 gates ALL re-executed live (completeness, shasum -c, materialize+cmp, 2 selftests byte-diffed, produce byte-diffed, cross-tool membership, forbidden scan, full manifest verify, adversarial suite); PASS printed only after every gate | tamper any packet byte → RERUN aborts nonzero before PASS |
| R9-B4 local mirror ≠ KB packet | KB packet root not_found for RERUN.sh/HASH_MANIFEST/logs; manifest divergence | EVERY packet file (this README, RERUN.sh, HASH_MANIFEST.txt, manifest.json, manifest_tool.py, adversarial_suite.py, evidence/, docs/×10, logs/) published byte-exact at the KB packet root; fresh-fetch reconstruction proof in the KB-native completeness report | fetch every doc listed in §6, write bytes, run bash RERUN.sh — identical hash tree |
| R9-B5 current KB byte seal unproven | content_length match only; no independent SHA-256 of current KB bytes | MCP full-content fetch → SHA-256 over UTF-8 bytes for the 10 current docs + current SSOT, bound to document_id + revision + char/byte lengths (see byte-hash-proof report); residual: no server-side digest endpoint (named tooling blocker, NOT claimed sealed) | re-fetch any doc via MCP full=true, hash UTF-8 bytes, compare |

1. Files in this packet (ALL at the KB packet root — no local-only artifact)

| file | role |
|---|---|
| README_FOR_CODEX.md | this file (NON_AUTHORITY explanation) |
| manifest.json | machine truth: authority (every field recomputed fail-closed) + explanatory (non-authority) |
| manifest_tool.py | --emit / --verify (full authority recompute + deep diff, exit 1 on ANY mismatch) / --scan (forbidden ops) / --complete (required files + HASH_MANIFEST bidirectional coverage) / --emit-hash-manifest |
| adversarial_suite.py | the Codex-adversarial selfcheck: 4 positive controls + 12 tamper expectations (T1..T12); exit 0 only if EVERY tamper is caught. Excluded from the forbidden scan BY DESIGN (it embeds forbidden tokens as test vectors); hash-pinned instead |
| kb_fetch_reconstruct.py | R9-B4 fresh-fetch tool: rebuilds the runnable packet from the KB surface alone (packet root + the 10 canonical blueprint doc ids), verifies the reconstructed tree against HASH_MANIFEST bidirectionally, fails closed. READ-ONLY; no API key embedded. Excluded from the forbidden scan with reason (governed-MCP HTTPS read tooling, not seal-path); hash-pinned instead |
| RERUN.sh | strict 10-gate rerun (see §2) |
| HASH_MANIFEST.txt | sha256 of every tracked packet file (bidirectional coverage enforced by --complete) |
| evidence/canonicalizer-fix7-canon-v1-ssot.md | the PATCHED SSOT (P-EXT-2 applied; python fence = fail-closed extended canonicalizer) — byte-equal to the KB blueprint-path SSOT at its current revision |
| evidence/canonicalizer-fix7-canon-v1-ssot.py | materialized from the SSOT fence; byte-identical to the extended reference (ONE canonical identity) |
| evidence/fix7_canon_v1_ssot_extended.py | extended reference (same bytes as the materialized fence) |
| evidence/materialize_canonicalizer.py | P1 byte-extraction command |
| evidence/selftest-expected-output.txt, evidence/produce-expected-output.txt | byte targets RERUN diffs against |
| docs/ ×10 | the active members. NOT duplicated as KB packet copies — the governed source is the 10 CANONICAL blueprint document ids (one authority, one nature); kb_fetch_reconstruct.py rebuilds docs/ from those ids and the pinned hashes (manifest authority + HASH_MANIFEST) fail closed if the live corpus ever diverges from the pinned state |
| logs/ | raw sealing-run logs: materialized-selftest.log, extended-selftest.log, produce.log, forbidden-scope.log (pinned in manifest authority) + manifest-verify.log, adversarial-suite.log (generated after manifest emission → pinned by HASH_MANIFEST only; pinning them inside manifest.json would be circular) |

Authority / non-authority (Article 14). The single executable authority is the SSOT fence. The hash-truth source is manifest.json → authority, every field of which is recomputed at --verify from disk bytes + live executions (produce run, selftest run, forbidden scan, negative-test executions). NOTHING in authority is hand-authored; an unverifiable field is structurally not allowed there (extra keys fail the schema). explanatory is declared non-authority and excluded from PASS. No value here is a Codex seal (codex_sealed_values_present: false, enforced fail-closed).
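The recompute-and-deep-diff rule above, as an added sketch that is not the packet's manifest_tool.py. The two authority fields, the placeholder forbidden token and the emit/verify function names are assumptions chosen for illustration.

```python
import hashlib
import json
from pathlib import Path

FORBIDDEN_TOKEN = b"FORBIDDEN_OP_PLACEHOLDER"  # constructed stand-in token


def recompute_authority(root):
    """Rebuild every authority field from the bytes on disk."""
    artifacts, found = {}, 0
    for path in sorted(Path(root).iterdir()):
        if path.name == "manifest.json" or not path.is_file():
            continue
        data = path.read_bytes()
        artifacts[path.name] = hashlib.sha256(data).hexdigest()
        found += data.count(FORBIDDEN_TOKEN)
    return {"artifacts": artifacts,
            "forbidden_scope": {"forbidden_operations_found": found}}


def deep_diff(claimed, actual, where="authority"):
    """List every path where the claimed value differs from the recomputed one."""
    if isinstance(claimed, dict) and isinstance(actual, dict):
        out = []
        for key in sorted(set(claimed) | set(actual)):
            here = f"{where}.{key}"
            if key not in actual:
                out.append(f"{here}: extra key")  # schema-closed: not recomputable
            elif key not in claimed:
                out.append(f"{here}: missing key")
            else:
                out += deep_diff(claimed[key], actual[key], here)
        return out
    same = type(claimed) is type(actual) and claimed == actual
    return [] if same else [f"{where}: {claimed!r} != {actual!r}"]


def emit(root):
    """Write manifest.json; authority is computed, explanatory is free text."""
    manifest = {"authority": recompute_authority(root),
                "explanatory": {"note": "non-authority, never compared"}}
    (Path(root) / "manifest.json").write_text(json.dumps(manifest, indent=2))


def verify(root):
    """Return (exit_code, mismatches); exit 1 on ANY authority mismatch."""
    manifest = json.loads((Path(root) / "manifest.json").read_text())
    mismatches = deep_diff(manifest.get("authority"), recompute_authority(root))
    return (1 if mismatches else 0), mismatches
```

Because the verifier never trusts a stored authority value, a hand-edited count, an added key and a changed file byte are all reported through the same diff, while edits to explanatory do not affect the result.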

2. Exact rerun (what Codex runs)

bash RERUN.sh     # exit 0 + final line "RERUN_RESULT: PASS" ONLY if all 10 gates pass live:
                  # 0 completeness · 1 shasum -c · 2 materialize+cmp · 3/4 selftests byte-diff
                  # 5 produce byte-diff · 6 cross-tool membership · 7 forbidden scan
                  # 8 FULL manifest verify (recomputes everything incl. negative tests)
                  # 9 adversarial suite (12 tamper classes must be CAUGHT)

Offline, stdlib-python3 + shasum/diff/cmp; writes only ./rerun-out/ + OS temp dirs.

Key expected values (machine truth = manifest.json; these are convenience copies):

  • SSOT .md sha256 (P-EXT-2 candidate): 49c386a9b9666c09786fc4f89bc79776b6046eaee6f4da6d8537d2c753b734d0
  • materialized/extended .py sha256: d9caa9fe9f46854c38c996747d50d2e73bc5074705730e869fd6b1f8cc26f3e5
  • frozen membership: f2bda8effc7be19b54722828126b82d7d2d48bee5e5e5dc0c8f347ce210fe251
  • selftest: 45/45 (unit + production-path + R9-B2 fail-closed corpus-gate fixtures)
  • produce: corpus_ok: True, membership_frozen_ok: True, exit 0 — and exit 4 + full digest suppression on ANY corpus problem

3. What changed in the SSOT (P-EXT-2, authorized by the R9 hardening lane macro)

The Recheck-9 R9-B2 verdict required the production path itself to fail closed; that path lives in the SSOT fence, so the fence was patched (P-EXT-2):

  • --produce validates the docs-dir listing against the frozen membership (missing / extra / duplicate detection, pure function validate_corpus_listing), records per-member extract errors, computes membership over PRESENT+VALID members, and on ANY problem suppresses all candidate digests and exits 4.
  • new fail-closed status ACTIVE_CONTENT_EMPTY; corpus-level report statuses LOCAL_FILE_MISSING, DOCS_DIR_MISSING, GUARD_SET_SOURCE_MISSING, SUPPRESSED_CORPUS_NOT_OK.
  • selftest extended 36 → 45 checks (R9-B2 corpus-gate fixtures, suppression wiring, empty-content rejection).
  • For a VALID corpus every digest value is UNCHANGED from V1 (the encoder is untouched; N1×10, N3, N4, N5 reproduce exactly; N6 rehearsal reproduces; membership reproduces f2bda8…fe251).
  • The candidate canonicalizer_sha256 necessarily changed (the SSOT bytes changed): old rev2 144eb3d9…412a → rev3 candidate 49c386a9…b734d0. Both rev1 and rev2 hashes are RECORDED HISTORICAL constants in explanatory. Codex still seals the authoritative value over KB bytes at the sealed revision.
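The P-EXT-2 gate described in this section, as an added sketch that is not the SSOT fence itself. validate_corpus_listing is named on the page but its signature here is an assumption, as are the three-member corpus, the way the membership digest is computed and the shape of the result dict.

```python
import hashlib

# Constructed three-member corpus; the real packet freezes 10 docs.
FROZEN = ("00-readme-first.md", "05-rollback-blueprint.md", "12-final-verdict.md")
SUPPRESSED = "SUPPRESSED_CORPUS_NOT_OK"  # status name from the page


def membership(names):
    # Assumption: membership digest = SHA-256 over the sorted member names.
    return hashlib.sha256("\n".join(sorted(names)).encode()).hexdigest()


def validate_corpus_listing(listing, frozen=FROZEN):
    """Pure check of a docs-dir listing against the frozen member set."""
    seen, duplicate = set(), set()
    for name in listing:
        (duplicate if name in seen else seen).add(name)
    return {"missing": sorted(set(frozen) - seen),
            "extra": sorted(seen - set(frozen)),
            "duplicate": sorted(duplicate)}


def produce(docs, frozen=FROZEN):
    """docs: list of (name, body); a None or empty body models an extract error."""
    problems = validate_corpus_listing([name for name, _ in docs], frozen)
    content = {}
    for name, body in docs:
        content.setdefault(name, body)  # first occurrence wins
    problems["invalid"] = sorted(n for n in frozen if n in content and not content[n])
    valid = [n for n in frozen if content.get(n)]  # PRESENT+VALID members only
    corpus_ok = not any(problems.values())
    frozen_ok = corpus_ok and membership(valid) == membership(frozen)
    # Fail closed: one bad member suppresses EVERY digest, not only its own.
    digests = {n: hashlib.sha256(content[n]).hexdigest() if corpus_ok else SUPPRESSED
               for n in frozen}
    return {"corpus_ok": corpus_ok, "membership_frozen_ok": frozen_ok,
            "problems": problems, "digests": digests,
            "exit_code": 0 if corpus_ok else 4}
```

An extra file leaves the frozen members intact, yet it still forces membership_frozen_ok to false and exit 4, which is the difference between this gate and the V1 behaviour Codex rejected.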

4. What Codex verifies

  1. bash RERUN.sh → exit 0, RERUN_RESULT: PASS (all 10 gates live).
  2. Adversarially: repeat your Recheck-9 probes — they are now packet tests:
    • tamper authority.forbidden_scope.forbidden_operations_found → --verify exit 1 and RERUN aborts (suite T1);
    • remove docs/05-rollback-blueprint.md → --produce exit 4, ALL digests SUPPRESSED_CORPUS_NOT_OK, membership_frozen_ok: False; --verify exit 1; --complete exit 1 (suite T2);
    • tamper ANY authority field (hash, count, class, boolean) → --verify exit 1 (suite T3/T4/T10/T11/T12);
    • remove any raw log / HASH_MANIFEST entry / RERUN.sh → fail (suite T5/T6/T7);
    • byte-flip any packet file → shasum -c + --complete + --verify fail (suite T8);
    • insert a forbidden token into seal-path code → --scan + --verify fail (suite T9).
  3. Fresh-fetch reconstruction (R9-B4): fetch every §6 document from the KB packet root (full content), write bytes, bash RERUN.sh — same hash tree, same PASS.
  4. Current-KB byte identity (R9-B5): re-fetch the 10 active docs + SSOT via MCP, hash UTF-8 bytes, compare to manifest.json → authority.artifacts / per_doc and the byte-hash-proof report.

5. What Codex should NOT infer

  • (a) No digest VALUE here is sealed/approved — candidates/rehearsals only; sealing is Codex's act (codex_sealed_values_present: false, fail-closed enforced).
  • (b) The blueprint is NOT approved — owner's "do not approve" stands.
  • (c) N7/N8 are NOT produced — BLOCKED_NEEDS_SEALED_INPUTS / CODEX_ONLY by design.
  • (d) The authoritative canonicalizer_sha256/canonicalizer_revision are NOT pinned — 49c386a9… is a CANDIDATE over the patched KB bytes; Codex seals over KB MCP bytes at the sealed revision.

6. KB packet root (fresh-fetch list) and reconstruction

Packet root: knowledge/dev/laws/tool-kiem-thu/packets/fix7-codex-recheck-9-2026-06-10/ holding 19 files: README_FOR_CODEX.md, RERUN.sh, HASH_MANIFEST.txt, manifest.json, manifest_tool.py, adversarial_suite.py, kb_fetch_reconstruct.py, evidence/canonicalizer-fix7-canon-v1-ssot.md, evidence/canonicalizer-fix7-canon-v1-ssot.py, evidence/fix7_canon_v1_ssot_extended.py, evidence/materialize_canonicalizer.py, evidence/selftest-expected-output.txt, evidence/produce-expected-output.txt, logs/materialized-selftest.log, logs/extended-selftest.log, logs/produce.log, logs/forbidden-scope.log, logs/manifest-verify.log, logs/adversarial-suite.log.

The 10 docs/ members are fetched from their CANONICAL blueprint ids (NOT duplicated under the packet root — one authority surface): knowledge/dev/reports/architecture/t1-fix7-existing-system-refactor-execution-blueprint-2026-06-08/ + 00-readme-first.md, 01-live-existing-system-inventory.md, 02-design-to-live-mapping.md, 03-gap-classification.md, 04-dependency-safe-construction-order.md, 05-rollback-blueprint.md, 06-test-guard-blueprint.md, 07-implementation-package-split.md, 08-hard-blocks-do-not-touch-list.md, 12-final-verdict.md.

Reconstruction (either way):

  1. MCP_URL=… MCP_KEY=… python3 kb_fetch_reconstruct.py <outdir> — fetches all 29 documents (19 root + 10 docs), writes bytes verbatim, prints per-file sha256, verifies the tree against HASH_MANIFEST bidirectionally, fails closed; then cd <outdir> && bash RERUN.sh.
  2. Manually: fetch each id with FULL (untruncated) content via the governed MCP, write the content as UTF-8 bytes to the same relative path (docs into docs/), then bash RERUN.sh.

The KB-native packet completeness report records the sealed packet hash tree this reconstruction must reproduce. If any live blueprint doc has changed since pinning, HASH_MANIFEST/--complete/--verify fail closed — that is correct behavior (the seal candidate is corpus-bound).

7. Remaining blockers before a seal (authority, not engineering)

  1. N7 envelope_manifest — needs sealed sub-digests + approval-event fields (Codex/owner).
  2. N8 detached_seal — Codex-authored.
  3. P7 — Codex re-seal of the artifact whose load-bearing fence changed (now P-EXT-2 / SSOT rev3 candidate 49c386a9…).
  4. Owner's standing do-not-approve.
  5. R9-B5 residual (tooling): no governed server-side byte-export/digest endpoint exists; the byte proof is MCP-fetch-level (method + hashes in the byte-hash-proof report). If Codex requires a server-computed digest, that endpoint must be built first (action-ready blocker; NOT claimed sealed here).

Verdict

FIX7_RECHECK9_PACKET_V2_SELF_CODEX_HARDENED — every Recheck-9 adversarial failure is now an executable packet test that fails closed; the packet is KB-native, fresh-fetch reconstructible, and self-verifying. Remaining gates are Codex/owner authority plus the named R9-B5 tooling residual.
