Codex Fix Ledger — Gap-only Spec rev2 (12 required fixes, 2026-06-09)
Nature: Track-0 ledger. Extracts the exact 12 required fixes Codex enumerated in reviews/codex-review-gap-only-spec-fix7-pilot-mvp-readiness-2026-06-09.md §7, maps each to the affected rev2 document/section, the planned repair, completion, and residual risk. This ledger decides nothing; it is the audit trail proving every Codex finding is addressed with an explicit design change.

Date: 2026-06-09

Source review verdict (binding constraint): BLOCKED_BY_AUTHORITY_OR_ARTICLE14_RISK · MVP build allowed: NO.

Production mutation: NO. No install, no PG/Directus/registry/filesystem mutation, no system_issues write, no tool/schema/runner created, no FIX7 resumed, no command run, no detector executed, no denominator collapsed, no sealed decision reopened, no fresh live read taken. The only writes performed are KB design documents under knowledge/dev/laws/tool-kiem-thu/ (the requested deliverables; Domain I file-report-only boundary).
1. Count of required fixes found
Codex §7 enumerates a numbered list 1–12. Exactly 12 required fixes were found. No item was invented; no item was dropped. Two cross-cutting findings from §3 (H1–H6) and §4 (Article-14) and §5 (parallel authority) are folded into the 12 (they are the evidence behind fixes 1–12), and are tracked in the residual-risk column where a fix only partially closes them at read-level.
2. The 12-fix ledger
| # | Codex requirement (verbatim intent) | Affected rev2 document / section | Planned repair | Repair completed | Residual risk |
|---|---|---|---|---|---|
| 1 | Remove READ_REPORT_PASS from v0.1. Use a neutral completion verdict + a separate fail-closed Article-14 status; executable claims force ARTICLE14_NOT_PROVEN_EXECUTION_UNVERIFIED. | spec rev2 §4 (verdict vocabulary), §3 (adequacy chain); json rev2 verdict_model; fix7 pilot rev2 §5; mvp plan rev2 §11; acceptance matrix rev2 #1–#3 | READ_REPORT_PASS deleted everywhere. New final verdicts = READ_LEVEL_ACCEPTABLE / READ_LEVEL_FAIL / BLOCKED / UNVERIFIED. New mandatory field article14_status ∈ {NOT_APPLICABLE_NO_EXECUTABLE_CLAIMS, NOT_PROVEN_EXECUTION_UNVERIFIED}. Rule: any execution-class claim ⇒ article14_status = ARTICLE14_NOT_PROVEN_EXECUTION_UNVERIFIED and READ_LEVEL_ACCEPTABLE is structurally unavailable. | YES | None at read level. The positive proof of execution remains genuinely deferred to the sealed Call Contract (by design, not a gap). |
| 2 | Define structural claim↔evidence binding fields + validation rules. Reference resolution alone must never produce a positive claim verdict. | spec rev2 §3 (adequacy chain), §5 (evidence class model), §6 (claim type matrix) | Added the 7-step adequacy chain with evidence_capability and evidence_adequacy_verdict steps between "artifact resolves" and any verdict. Binding fields: claim_id, claim_type, required_evidence_class[], evidence_ref[], evidence_kind, bound_to_claim(bool), subject/command/artifact_identity_match(bool), producer, observation_ts, independence(non_self_reference, bool), conflict_set[]. Iron law: a resolving reference = ARTIFACT_EXISTENCE_EVIDENCE only — never EVIDENCE_SUFFICIENT_FOR_READ_LEVEL. | YES | Binding correctness depends on the future build's parser fidelity; bounded by fix 3 (completeness = UNVERIFIED) and capability tests (fix 9). |
| 3 | State free-form prose claim discovery is incomplete/advisory unless backed by a governed declaration contract. Missing completeness proof blocks positive dossier status. | spec rev2 §7 (claim extractor limitation); fix7 pilot rev2 §4; mvp plan rev2 §6/§9; acceptance matrix rev2 #C3 | Extractor demoted to best-effort inventory. New outputs: UNPARSED_REGION[] (risk-classified) + claim_inventory_completeness ∈ {COMPLETE_BY_GOVERNED_CONTRACT, UNVERIFIED}. A high-risk UNPARSED_REGION ⇒ claim_inventory_completeness = UNVERIFIED ⇒ READ_LEVEL_ACCEPTABLE unavailable + manual_review_required = true. Extractor is explicitly not the sole authority for "all claims found." | YES | A governed claim-declaration contract does not yet exist, so completeness is normally UNVERIFIED ⇒ dossiers with risky prose cannot reach ACCEPTABLE. Accepted as honest, not a defect. |
| 4 | Correct FIX7 pilot scope: it catches missing/ambiguous evidence bindings only, not full Recheck-8. Add the resolvable-but-insufficient-evidence counter-fixture. | fix7 pilot rev2 §2/§6/§8; acceptance matrix rev2 #20/#21/#22 | Pilot scope narrowed in writing: "catches evidence-presence/binding/adequacy defects at read level; full Recheck-8 proof requires the future execution contract." Added Fixture C (evidence document resolves but lacks artifact identity / exit-code / log / hash, or contradicts the executable) → expected READ_LEVEL_FAIL + ARTICLE14_NOT_PROVEN_EXECUTION_UNVERIFIED, never EVIDENCE_PRESENT/ACCEPTABLE. Recheck-8 modelled per the review's facts (declared .py SSOT absent, invocation exited 2). | YES | The pilot still cannot prove the executable runs — explicitly out of read-level scope, deferred to Call Contract. |
| 5 | Remove literal current counts from normative JSON, gates, module responsibilities, acceptance outcomes. Keep only as dated examples. | spec rev2 §8/§9; json rev2 (no count in normative keys); mvp plan rev2 §2/§7; acceptance matrix rev2 #9–#12 | All counts (309/214/186/163/54/128/36/219/102/41/4/2199/2259/142…) removed from normative positions. They survive only inside denominator_source_record examples explicitly tagged as_of: 2026-06-09 and is_dated_example: true. Normative checks compare surface role / query provenance / match key / population / observation timestamp / separation behavior — never literal values. | YES | Build must enforce "no literal count in any comparator." Negative test added (acceptance #11). |
| 6 | Replace >=2 denominators with "all relevant discovered denominators remain distinct and fully provenanced." No numeric minimum/maximum. | spec rev2 §8 (denominator rules); mvp plan rev2 §7 G2; acceptance matrix rev2 #9 | Gate G2 rewritten: enumerate all denominators relevant to the inspected claims/surfaces, prove none collapsed, prove each fully provenanced. No >=2, no fixed cap. A single relevant denominator is valid; eight is valid. | YES | "Relevant set" is determined per dossier from the claims/surfaces in scope; if undeterminable ⇒ UNVERIFIED, never a guessed minimum. |
| 7 | Replace literal 41/4 and 219/102 acceptance checks with role/key/population/provenance/separation checks. | spec rev2 §13/§14; mvp plan rev2 §7 G7; acceptance matrix rev2 #10/#11 | G7 and tests #10/#11 rewritten to assert: canonical code-keyed reconciliation source ≠ name-keyed diagnostic source (by match_key + population + observation_ts), both shown, diagnostic never overrides canonical; IU and TAC reported from distinct surfaces with joined:false. No literal 41, 4, 219, or 102 in any criterion. | YES | None; the example values move to fixtures (named as fixtures). |
| 8 | Make FLAG/BLOCKED machine-failing; exit 0 cannot be interpreted as green. | spec rev2 §11; mvp plan rev2 §11; acceptance matrix rev2 #18 | Exit map: 0 only iff READ_LEVEL_ACCEPTABLE (+ article14 N/A); 1 = FAIL or any FLAG; 2 = BLOCKED or UNVERIFIED; 3 = CONTRACT_VIOLATION; 4 = internal error. FLAG/FAIL/BLOCKED/UNVERIFIED can never map to 0. | YES | Design-only until a CLI exists; enforced as an acceptance invariant + build gate. |
| 9 | Replace design assertions about no-run/no-write with enforceable capability boundaries + negative capability tests. | spec rev2 §12; mvp plan rev2 §7 G4/G5 + §2; acceptance matrix rev2 #14–#17 | Added allowed_actions enum {READ_ONLY_QUERY, READ_FILE, WRITE_REPORT} and prohibited_actions enum {EXECUTE_COMMAND, INVOKE_DOT, MUTATE_PG, MUTATE_DIRECTUS, MUTATE_REGISTRY, WRITE_SYSTEM_ISSUES, CREATE_RESOLVER}. Every module declares allowed_actions; any prohibited action in a module plan = CONTRACT_VIOLATION. Enforcement = STATIC guard (capability/dependency lint) + RUNTIME guard (read-only PG role context_pack_readonly in read-only txn; no Directus write credential; report writer restricted to approved KB path allowlist; no shell/subprocess capability). Negative capability tests required before MVP acceptance. | YES | Capability guards are specified but unbuilt (v0.1 builds nothing); MVP acceptance is gated on them being implemented + passing the negative tests. |
| 10 | Mark dead-link/doc-reference coverage advisory/unverified until existing graph authority proves coverage; do not imply resolver completeness. | spec rev2 §15; mvp plan rev2 §2 (readonly_dead_link_reporter); acceptance matrix rev2 #19 | readonly_dead_link_reporter output forced to coverage = ADVISORY_UNVERIFIED; it consumes existing Đ19/Đ23/Đ39 surfaces (universal_edges, v_kg_edges_all, entity_dependencies, orphan/duplicate views) and claims no canonical-id coverage. Any "all references resolved" statement is prohibited; missing-coverage ⇒ UNVERIFIED. | YES | Doc-level canonical-id coverage remains UNPROVEN per sealed Domain G — correctly not a new gap, not a new resolver. |
| 11 | Normalize the Authority Contract status; remove PROGRAM_MACRO_READY / "no engineering omissions remain" until re-sealed. | spec rev2 §19; main checkpoint; blocker packet rev2; 00-index rev2 | Wording standardized everywhere: "Codex-sealed B/C/D/G/H are binding constraints; Authority Contract v0.1 records them; the contract's own status is READY_FOR_GPT_REVIEW — not yet ratified / not binding as a whole, subject to GPT/User review." All PROGRAM_MACRO_READY and "no engineering omissions remain" language removed/down-graded to NEEDS_T1_FIX → REV2_READY_FOR_CODEX. | YES | The contract still awaits formal GPT/User ratification; rev2 does not claim it. |
| 12 | Add explicit output fields for writes_performed / approved KB report writes so "Production mutation: NO" cannot hide evidence-output mutation. | spec rev2 §10 (output contract); json rev2 output_contract.writes_performed; mvp plan rev2 §4; acceptance matrix rev2 #17 | Output contract now mandates writes_performed[] = the exact KB report paths written (the only writes), plus production_mutation:false meaning no PG/Directus/registry/FS/system_issues write — explicitly distinct from the declared KB report-triplet writes. The KB design-doc writes are disclosed, not hidden. | YES | None; KB report-only writes are within sealed Domain I. |
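
How the verdict rules of fixes 1 and 3 feed the exit map of fix 8, as an added Python illustration (not code from the rev2 packet, which builds nothing). The function names, the UNVERIFIED fallback when READ_LEVEL_ACCEPTABLE is unavailable, and the 3 > 2 > 1 precedence between exit codes are assumptions of this example; the ledger states only the mapping itself.

```python
# Added illustration of ledger fixes 1, 3 and 8; not project code.
A14_NA = "NOT_APPLICABLE_NO_EXECUTABLE_CLAIMS"
A14_UNPROVEN = "ARTICLE14_NOT_PROVEN_EXECUTION_UNVERIFIED"

def decide(has_execution_claim, completeness, evidence_sufficient, blocked=False):
    """Return (final_verdict, article14_status, manual_review_required)."""
    # Fix 1: any execution-class claim forces the fail-closed Article-14 status.
    a14 = A14_UNPROVEN if has_execution_claim else A14_NA
    # Fix 3: without a governed-contract completeness proof, a human must review.
    manual = completeness != "COMPLETE_BY_GOVERNED_CONTRACT"
    if blocked:
        return "BLOCKED", a14, manual
    if not evidence_sufficient:
        return "READ_LEVEL_FAIL", a14, manual
    if has_execution_claim or manual:
        # READ_LEVEL_ACCEPTABLE is structurally unavailable here. Falling back
        # to UNVERIFIED (rather than FAIL) is this example's assumption.
        return "UNVERIFIED", a14, manual
    return "READ_LEVEL_ACCEPTABLE", a14, manual

def exit_code(verdict, a14, flags=0, contract_violation=False):
    """Fix 8 exit map. Precedence 3 > 2 > 1 is an assumption of this example."""
    if contract_violation:
        return 3
    if verdict in ("BLOCKED", "UNVERIFIED"):
        return 2
    if verdict == "READ_LEVEL_FAIL" or flags > 0:
        return 1
    if verdict == "READ_LEVEL_ACCEPTABLE" and a14 == A14_NA:
        return 0  # the only green path
    return 4      # unknown or inconsistent state is an internal error, never 0

def run(flags=0, contract_violation=False, **dossier):
    """Evaluate one dossier and return (verdict, a14, manual_review, exit_code)."""
    verdict, a14, manual = decide(**dossier)
    return verdict, a14, manual, exit_code(verdict, a14, flags, contract_violation)

if __name__ == "__main__":
    # Constructed dossiers, not taken from the review.
    complete = "COMPLETE_BY_GOVERNED_CONTRACT"
    print(run(has_execution_claim=False, completeness=complete, evidence_sufficient=True))
    print(run(has_execution_claim=True, completeness=complete, evidence_sufficient=False))
    print(run(has_execution_claim=False, completeness="UNVERIFIED", evidence_sufficient=True))
```
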
3. Cross-finding coverage (Codex §3 H1–H6, §4, §5 mapped to the 12)
| Codex sub-finding | Closed by fix(es) | Note |
|---|---|---|
| H1 — current observations embedded as normative machine inputs | 5, 7 | Counts now dated examples only. |
| H2 — >=2 denominators fabricated invariant | 6 | Replaced by "all relevant, distinct, provenanced." |
| H3 — static claim kinds / C1–C7 treated as complete coverage | 3 | claim_inventory_completeness=UNVERIFIED; taxonomy advisory. |
| H4 — exit 0 for FLAG is fake-green | 8 | FLAG/FAIL/BLOCKED/UNVERIFIED never exit 0. |
| H5 — module-name assertions are not enforcement | 9 | Capability enums + static/runtime guard + negative tests. |
| H6 — over-strong readiness language | 11 | PROGRAM_MACRO_READY removed. |
| §4 Article-14 structural fake-green | 1, 2, 3, 4 | Adequacy chain + article14_status + completeness + counter-fixture. |
| §5 new claim/evidence authority (UNRESOLVED/BLOCKING) | 2, 3 | Claim/evidence truth bounded by completeness=UNVERIFIED + no governed declaration contract yet; extractor not an authority. |
| §5 registry/graph/corpus parallel-authority RISK | 5, 7, 10 | File policy de-authorized; surfaces consumed read-only; coverage advisory; dual-report only. |
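
The static side of the fix 9 capability guard (H5) combined with the fix 12 writes_performed disclosure, as an added Python illustration (not code from the rev2 packet). The function names, the fail-closed treatment of undeclared or unknown actions, and the use of knowledge/dev/laws/tool-kiem-thu/ as the report allowlist are assumptions; the runtime guards (read-only PG role, no write credentials) are not modelled here.

```python
# Added illustration of ledger fixes 9 and 12; not project code.
import posixpath

ALLOWED = {"READ_ONLY_QUERY", "READ_FILE", "WRITE_REPORT"}
PROHIBITED = {"EXECUTE_COMMAND", "INVOKE_DOT", "MUTATE_PG", "MUTATE_DIRECTUS",
              "MUTATE_REGISTRY", "WRITE_SYSTEM_ISSUES", "CREATE_RESOLVER"}
# KB path named in the ledger preamble; treating it as the allowlist is assumed.
KB_ALLOWLIST = ("knowledge/dev/laws/tool-kiem-thu/",)

def lint_module_plan(plan):
    """plan maps module name -> declared actions. Returns violation strings."""
    violations = []
    for module, actions in sorted(plan.items()):
        if not actions:
            violations.append(f"{module}: no allowed_actions declared")
        for action in actions:
            if action in PROHIBITED:
                violations.append(f"{module}: prohibited action {action}")
            elif action not in ALLOWED:
                # Fail closed: an action outside both enums is not trusted.
                violations.append(f"{module}: unknown action {action}")
    return violations

def check_writes(writes_performed, plan):
    """Every disclosed write must come from a WRITE_REPORT module and stay in the KB."""
    violations = []
    if writes_performed and not any("WRITE_REPORT" in a for a in plan.values()):
        violations.append("writes reported but no module declares WRITE_REPORT")
    for path in writes_performed:
        # Normalise first so '..' segments cannot escape the allowlisted prefix.
        norm = posixpath.normpath(path)
        if not any(norm.startswith(prefix) for prefix in KB_ALLOWLIST):
            violations.append(f"write outside KB allowlist: {path}")
    return violations

def audit(plan, writes_performed):
    """A non-empty result means the plan is a CONTRACT_VIOLATION."""
    return lint_module_plan(plan) + check_writes(writes_performed, plan)

if __name__ == "__main__":
    # Constructed plan; only readonly_dead_link_reporter is a name from the ledger.
    plan = {"readonly_dead_link_reporter": ["READ_ONLY_QUERY", "WRITE_REPORT"],
            "hypothetical_runner": ["READ_FILE", "EXECUTE_COMMAND"]}
    writes = ["knowledge/dev/laws/tool-kiem-thu/../../../etc/report.md"]
    for violation in audit(plan, writes):
        print("CONTRACT_VIOLATION:", violation)
```
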
4. Disposition
All 12 required fixes are addressed with explicit design changes recorded above (12/12 = YES). Residual risks are either (a) genuinely deferred capabilities behind sealed future contracts, or (b) build-time guarantees gated on implementation that v0.1 does not perform. None is an unaddressed Codex finding.
Status: CODEX_FIX_LEDGER_REV2_COMPLETE — routed with the rev2 packet to Codex re-review.
Cross-references
- Source review: reviews/codex-review-gap-only-spec-fix7-pilot-mvp-readiness-2026-06-09.md
- Repaired spec: designs/implementation-package-dot-v0-1-gap-only-scope-spec-rev2-2026-06-09.{md,json}
- Repaired pilot: designs/fix7-read-report-pilot-design-rev2-for-implementation-package-dot-v0-1-2026-06-09.md
- Repaired plan: planning/mvp-read-report-inspector-implementation-plan-no-code-rev2-2026-06-09.md
- Repaired matrix: designs/acceptance-test-matrix-implementation-package-dot-v0-1-rev2-2026-06-09.md
- Repaired checkpoint packet: reviews/codex-checkpoint-packet-gap-only-spec-and-fix7-pilot-rev2-2026-06-09.md
- Repaired blocker packet: checkpoints/action-ready-blockers-after-gap-only-spec-rev2-2026-06-09.md
- Main checkpoint: checkpoints/checkpoint-gap-only-spec-rev2-after-codex-block-2026-06-09.md
- Constitution NT13/NT14: knowledge/dev/laws/constitution.md