KB-4985

Codex Fix Ledger — Gap-only Spec rev3 (Track-0 extraction of the re-seal blockers → rev3 repair → status → residual risk, 2026-06-09)


Codex Fix Ledger — Gap-only Spec rev3 (re-seal blockers)

Nature: Track-0 ledger. Extracts every blocker, gate verdict, and required correction Codex returned in reviews/codex-reseal-gap-only-spec-rev2-2026-06-09.md (GAP_ONLY_SPEC_REV2_PARTIAL_FIX_REQUIRED), maps each to the affected rev2 artifact/section, the rev3 repair strategy, the rev3 artifact/section, completion status, and residual risk. This ledger decides nothing; it is the audit trail.
Date: 2026-06-09
Source verdict (binding constraint): GAP_ONLY_SPEC_REV2_PARTIAL_FIX_REQUIRED
MVP implementation allowed: NO. Production mutation: NO.
Read-only verification (PG role probe + KB discovery) performed and disclosed (rev3 spec §9.1/§21); the only writes are KB design documents.

1. What Codex returned (full extraction)

Gate table from the re-seal:
  • Gate 1 (12-fix ledger): PARTIAL
  • Gate 2 (Article 14): PASS
  • Gate 3 (FIX7 Recheck-8 sufficiency): PARTIAL
  • Gate 4 (Hardcode/fake-green): PARTIAL
  • Gate 5 (PG-first/native/driven): FAIL
  • Gate 6 (No parallel authority): PARTIAL
  • Gate 7 (MVP readiness): FAIL

These collapse into four blocker classes (the prompt's enumeration), plus Codex's five "required rev3 corrections." All are tracked below. Gate 2 (Article 14) = PASS — Codex said "preserve unchanged, do not weaken." rev3 preserves it and only strengthens it (the single green terminal state is removed).

2. The four blocker classes → rev3 repair

Each blocker below carries the same fields: Codex finding (verbatim intent), affected rev2 artifact/section, rev3 repair strategy, rev3 artifact/section, status, residual risk.

B-1 — Taxonomy/rule authority (Gates 4/5/6)
  Codex finding: The claim/evidence/action/surface rule sets are normative runtime policy with no identified, binding, PG-driven governed source → disguised hardcode / shadow SSOT. Required correction #1: pick one fail-closed model — identify a governed runtime source, or make v0.1 negative/triage-only and remove READ_LEVEL_ACCEPTABLE/exit 0 until such a source exists; do not create schema/registry.
  Affected rev2 artifact/section: spec rev2 §4 (verdicts), §5/§6 (taxonomies), §16 (PG-first); plan rev2 G6; matrix rev2 #1/#2
  rev3 repair strategy: Took the fail-closed branch (no governed source exists — verified): v0.1 demoted to negative/triage-only non-authoritative inspector; READ_LEVEL_ACCEPTABLE removed, exit 0 reserved/unused; taxonomy = Option C provisional, PROVISIONAL_NON_AUTHORITY, versioned + provenanced, unknown ⇒ fail-closed, never proof-of-run, never positive; promotion requires a separate sealed authority contract. A classifier that never emits positive authoritative truth cannot be a shadow SSOT.
  rev3 artifact/section: spec rev3 §2, §4 (no positive state), §5/§6 (governance wrapper), §16; plan rev3 §1/G6; matrix rev3 #1/#3/#18/#19
  Status: YES
  Residual risk: A positive verdict stays genuinely deferred to a future sealed taxonomy authority (by design, not a gap). The triage-only inspector is still useful (it surfaces FAIL/BLOCKED/UNVERIFIED gaps).

B-2 — No-run/no-write structural feasibility (Gate 4/7)
  Codex finding: Not structurally implementable: no socket conflicts with allowed remote reads; a PG read driver can still write; shell/network/credential restrictions have no named enforcement substrate. Required correction #2: name the concrete sandbox/connectors/roles; don't ban socket; require a read-only role + server-enforced privileges + read-only transactions; distinguish KB reads from filesystem reads; replace any production Directus-write probe with non-mutating introspection/mock.
  Affected rev2 artifact/section: spec rev2 §12 (capability model); plan rev2 G4/G5
  rev3 repair strategy: Replaced the contradiction with an endpoint allowlist (not a socket ban): allowed egress = exactly {KB read connector, PG read gateway}; all else denied. PG write risk resolved two ways: (a) no direct DB driver — only the governed query_pg gateway; (b) the gateway's role context_pack_readonly is server-side de-privileged + every statement in a READ ONLY transaction + AST-validated SELECT-only ⇒ writes server-refused. Grounded by a real read-only probe (verified role attributes; DB allowlist; postgres [DENIED]). KB read verbs distinguished from filesystem reads (READ_KB_DOC ≠ arbitrary local read). 10 enforcement layers specified.
  rev3 artifact/section: spec rev3 §12 (12.1 allowlist, 12.2 write-risk, 12.3 layers, 12.4 KB-vs-FS), §9.1; plan rev3 G4/G5/G11 + §12
  Status: YES (design/feasibility)
  Residual risk: The guards are specified but unbuilt (v0.1 builds nothing). MVP acceptance is gated on building them + passing negative tests (B4). Feasibility — the thing Codex blocked — is now established and grounded.

B-3 — FIX7 artifact discoverability (Gate 3)
  Codex finding: Allowed read surfaces have not been proven to locate the real canonicalizer artifact identity/existence; a missing executable may be UNVERIFIED, not deterministic C1/FAIL. Required correction #4: identify the authoritative read-only artifact identity/existence surface; if unavailable, Fixture A must expect UNVERIFIED, not deterministic FAIL; do not claim global absence.
  Affected rev2 artifact/section: fix7 pilot rev2 §6 Fixture A (expected READ_LEVEL_FAIL, "the .py does not resolve" = treated as absence); matrix rev2 #20
  rev3 repair strategy: Ran the read-only discovery chain (verified, not asserted): the declared FIX7-CANON-V1-CANONICALIZER resolves only as a .md on KB; the load-bearing .py resolves on no governed surface (wf_fs_dot_bin_snapshot scope = /opt/incomex/dot/bin, disjoint). ⇒ .py existence = BLOCKED_BY_UNVERIFIED_SOURCE. Fixture A expected corrected to UNVERIFIED/BLOCKED_BY_UNVERIFIED_SOURCE for existence (FAIL only via independent prose-only/wrong-kind/contradiction flags); added Fixture A′ (pure discoverability ⇒ UNVERIFIED, NOT FAIL). Honesty: "not adequately evidenced via allowed surfaces" ≠ "does not exist anywhere"; global absence is the deferred run-half (how Codex established it: ran the invocation → exit 2).
  rev3 artifact/section: pilot rev3 §3.1/§3.2, §4 C1, §6 Fixture A/A′; spec rev3 §12.1/§21; matrix rev3 #4/#36/#37
  Status: YES
  Residual risk: v0.1 still cannot prove the executable runs or that it is globally absent — explicitly out of scope, deferred to the Call/Proof-of-run contract.

B-4 — Negative tests omit bypass paths (Gate 4)
  Codex finding: Negative tests do not cover: shell/subprocess; dynamic import; general network/credential; write through the PG read client. Required correction #3: add explicit cases.
  Affected rev2 artifact/section: matrix rev2 #14–#17; plan rev2 §9 N14–N17
  rev3 repair strategy: Expanded the negative test set to every bypass path: shell/subprocess (os.system/subprocess.run/exec/spawn/pty), dynamic import (importlib/__import__), off-allowlist network egress, credential/secret access, PG write via read client, multi-statement SQL, SELECT side-effect function, direct DB driver, filesystem write outside report, Directus write, exit-0 attempt, local-first authority, taxonomy-as-authority, FIX7 identity-not-found.
  rev3 artifact/section: matrix rev3 #21–#33 (capability/bypass) + #34/#35 (local-first) + #37 (discoverability); plan rev3 §9 N16–N28
  Status: YES
  Residual risk: Tests are design-level until the build exists; passing them is an MVP acceptance gate (B4).
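An added example (not code from the project or from Codex) of the client-side half of the B-2 write-risk control and the B-4 negative cases it must refuse: a fail-closed SELECT-only gate placed in front of a query_pg-style gateway, with the server-side READ ONLY transaction on context_pack_readonly remaining the layer that actually refuses writes. It is a token-level stand-in for the spec's AST validation; the table name context_pack, the side-effect deny list and the fixture strings are constructed for illustration.

```python
import re

# Added example, not project code: token-level stand-in for the B-2 rule
# "AST-validated SELECT-only". Fails closed on anything it cannot classify;
# the READ ONLY transaction on the server is the second, authoritative layer.

WRITE_KEYWORDS = {  # any of these anywhere => refuse (covers CTEs, SELECT INTO)
    "INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE", "CREATE", "ALTER", "DROP",
    "GRANT", "REVOKE", "COPY", "CALL", "DO", "SET", "LOCK", "VACUUM", "ANALYZE",
    "REFRESH", "EXECUTE", "PREPARE", "INTO", "LISTEN", "NOTIFY",
}
SIDE_EFFECT_FUNCS = {  # illustrative deny list: side effects even inside SELECT
    "pg_sleep", "pg_terminate_backend", "pg_cancel_backend", "pg_read_file",
    "pg_ls_dir", "lo_import", "lo_export", "dblink", "set_config", "nextval",
}
_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
_STRING = re.compile(r"'(?:[^']|'')*'")
_TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # splits schema.func on the dot


def validate_select_only(sql: str) -> tuple[bool, str]:
    """Return (allowed, reason); anything not provably one SELECT is refused."""
    code = _COMMENT.sub(" ", sql)
    if "/*" in code or code.count("'") % 2:  # unterminated comment or literal
        return False, "REFUSED: unparseable"
    body = _STRING.sub("''", code).strip().rstrip(";")  # blank literals first
    if ";" in body:
        return False, "REFUSED: multi-statement SQL"
    tokens = _TOKEN.findall(body)
    if not tokens or tokens[0].upper() not in ("SELECT", "WITH"):
        return False, "REFUSED: not a SELECT statement"
    for tok in tokens:
        if tok.upper() in WRITE_KEYWORDS:
            return False, f"REFUSED: write/DDL keyword {tok.upper()}"
        if tok.lower() in SIDE_EFFECT_FUNCS:
            return False, f"REFUSED: side-effect function {tok.lower()}"
    return True, "ALLOWED: single SELECT"


# Constructed negative fixtures mirroring the SQL bypass classes listed under B-4.
NEGATIVE_FIXTURES = {
    "pg_write_via_read_client": "DELETE FROM context_pack WHERE id = 1",
    "multi_statement": "SELECT 1; DROP TABLE context_pack",
    "select_side_effect_function": "SELECT pg_catalog.pg_terminate_backend(4242)",
    "select_into_creates_table": "SELECT * INTO scratch FROM context_pack",
    "data_modifying_cte": "WITH d AS (DELETE FROM context_pack RETURNING *) SELECT * FROM d",
    "statement_hidden_behind_comment": "SELECT 1 /* ; */ ; UPDATE context_pack SET x = 1",
}


def run_negative_suite() -> dict[str, bool]:
    """True per fixture iff the gate refused it; every value must be True."""
    return {name: not validate_select_only(sql)[0] for name, sql in NEGATIVE_FIXTURES.items()}
```

A legitimate triage read such as a single SELECT with a trailing `--` comment passes, while every fixture in the suite is refused before it reaches the gateway.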

3. Codex's five "required rev3 corrections" → coverage

  1. Policy authority: one fail-closed model; remove READ_LEVEL_ACCEPTABLE/exit 0 if no governed source; no schema/registry in rev3. Covered by: B-1. rev3 location: spec §2/§4/§5/§6/§16
  2. Capability enforcement: name sandbox/connectors/roles; no socket ban; read-only role + server privileges + read-only txn; KB vs FS reads; non-mutating Directus introspection/mock. Covered by: B-2. rev3 location: spec §9.1/§12; plan G4/G5/G11; matrix #20–#33
  3. Negative tests: shell/subprocess, dynamic import, general network, credential, PG-write-via-read-client. Covered by: B-4. rev3 location: matrix #21–#33; plan §9
  4. FIX7 artifact resolution: identify the surface; else Fixture A = UNVERIFIED, not FAIL. Covered by: B-3. rev3 location: pilot §3.1/§3.2/§6; spec §12.1/§21; matrix #36/#37
  5. Authority wording: preserve normalized review-ready/nonbinding; specify which sealed clauses (if any) govern runtime. Covered by: carried. rev3 location: spec §19 (Authority Contract = READY_FOR_GPT_REVIEW, not binding as a whole; only sealed B/C/D/G/H are binding constraints; the runtime policy is the provisional non-authority taxonomy, which governs nothing positively)

4. Gate-by-gate disposition after rev3

Gate 1 — fix ledger. rev2: PARTIAL. rev3: Addressed: fix 9 (structural guard) now feasible+grounded; fix 11 authority reliance specified (provisional non-authority; only sealed B/C/D/G/H binding).
Gate 2 — Article 14. rev2: PASS. rev3: Preserved unchanged + strengthened (green terminal state removed).
Gate 3 — FIX7 sufficiency. rev2: PARTIAL. rev3: Addressed: discovery chain run; Fixture A→UNVERIFIED; Fixture A′ added; no global-absence claim.
Gate 4 — Hardcode/fake-green. rev2: PARTIAL. rev3: Addressed: taxonomy demoted non-authority+versioned; no positive verdict ⇒ fake-green structurally impossible; bypass negatives added.
Gate 5 — PG-first/native/driven. rev2: FAIL. rev3: Addressed (triage-only scope): no positive/authoritative policy behavior ⇒ no PG-authority source required; governed surfaces consumed; verified read-only substrate; positive verdict deferred to a sealed taxonomy authority.
Gate 6 — No parallel authority. rev2: PARTIAL. rev3: Addressed: classifier PROVISIONAL_NON_AUTHORITY, fail-closed, never positive; wall extended; no runner/SQL-executor/network-client authority.
Gate 7 — MVP readiness. rev2: FAIL. rev3: Read/report-only MVP design is ready for re-seal (B0″); MVP build/acceptance still gated on B4 (guards built + negative tests). Execution surface stays on B1/B2/B3. No build authorized.

5. Disposition

All four blocker classes and all five required corrections are addressed with explicit design changes, a grounded read-only substrate, and revised acceptance tests. Residual risks are either (a) genuinely deferred capabilities behind sealed future contracts (positive verdict, run-proof, global absence), or (b) build-time guarantees gated on implementation that v0.1 does not perform. None is an unaddressed Codex finding.

Status: CODEX_FIX_LEDGER_REV3_COMPLETE — routed with the rev3 packet to Codex re-review.

Cross-references

  • Source re-seal: reviews/codex-reseal-gap-only-spec-rev2-2026-06-09.md
  • Repaired spec: designs/implementation-package-dot-v0-1-gap-only-scope-spec-rev3-2026-06-09.{md,json}
  • Repaired pilot: designs/fix7-read-report-pilot-design-rev3-for-implementation-package-dot-v0-1-2026-06-09.md
  • Repaired plan: planning/mvp-read-report-inspector-implementation-plan-no-code-rev3-2026-06-09.md
  • Repaired matrix: designs/acceptance-test-matrix-implementation-package-dot-v0-1-rev3-2026-06-09.md
  • Checkpoint packet rev3: reviews/codex-checkpoint-packet-gap-only-spec-and-fix7-pilot-rev3-2026-06-09.md
  • Blocker packet rev3: checkpoints/action-ready-blockers-after-gap-only-spec-rev3-2026-06-09.md
  • Main checkpoint rev3: checkpoints/checkpoint-gap-only-spec-rev3-after-codex-pgfirst-block-2026-06-09.md
  • Constitution NT13/NT14: knowledge/dev/laws/constitution.md