Codex Fix Ledger — Gap-only Spec rev4 (Track-0 extraction of the 6 rev3 guard blockers → rev4 repair strategy → residual risk → MVP-still-blocked; 2026-06-09)
Purpose: the Track-0 extraction of every blocker in the Codex rev3 re-seal (`GAP_ONLY_SPEC_REV3_PARTIAL_FIX_REQUIRED`, `reviews/codex-reseal-gap-only-spec-rev3-2026-06-09.md`), mapped to its rev4 repair, residual risk, and whether MVP remains blocked. Design only; no mutation; no build. Date: 2026-06-09 · Status: `CODEX_FIX_LEDGER_REV4_COMPLETE` · Production mutation: NO. Reading note: rev3 already PASSED Codex Gate 5 (FIX7 discoverability) and is no longer blocked on the Article-14 fake-green class. rev4 addresses only the six residual guard/authority blockers. Sealed B/C/D/G/H and the Article-14 chain are NOT reopened.
0. The decisive rev4 move (why one decision closes most blockers)
Codex's root finding: the no-run/no-write guard "relies on ungrounded process-level assertions." rev4 stops asserting a process sandbox it cannot prove and instead removes the live attack surface: the MVP becomes an offline, packet-derived, non-gating inspector (no network, no PG driver, no live query, no KB write, no secret, no arbitrary local-FS), running inside a deny-by-default sandbox that is named and specified (rev4 spec §12.1) and provisioned + negative-tested as build scope (B4′) — not pretended to already exist. This is the prompt-sanctioned fallback: "design MVP to use a bounded exported input packet" rather than fake KB-first/PG-first by granting unrestricted access.
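The seccomp layer of the deny-by-default sandbox, as an added worked example (not code from the rev4 spec or the inspector project): it builds the classic-BPF filter that returns EPERM for the syscalls §12.1 names (socket, connect, execve, ptrace), includes an offline interpreter so the filter can be unit-tested without installing it, and installs it with prctl when run directly. Assumptions of this example: x86_64 Linux syscall numbers, execveat added to the denied set as the second exec entry point, and EPERM as the proof-of-block errno the acceptance matrix expects.

```python
"""Build, simulate and install a seccomp deny filter for the §12.1 sandbox.

Added example; assumes x86_64 Linux. Denied set = the four syscalls the spec
names plus execveat (assumption: the other exec entry point must be closed too).
"""
import ctypes
import errno
import platform
import struct
import sys

# classic BPF opcodes (linux/bpf_common.h): LD|W|ABS, JMP|JEQ|K, RET|K
BPF_LD_W_ABS = 0x00 | 0x00 | 0x20
BPF_JEQ_K = 0x05 | 0x10 | 0x00
BPF_RET_K = 0x06 | 0x00

# seccomp actions and the struct seccomp_data offsets the filter reads
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_ALLOW = 0x7FFF0000
AUDIT_ARCH_X86_64 = 0xC000003E
NR_OFFSET, ARCH_OFFSET = 0, 4

# x86_64 syscall numbers (assumption: the sandbox host is x86_64)
DENIED_X86_64 = {"socket": 41, "connect": 42, "execve": 59, "execveat": 322, "ptrace": 101}
DENY_ACTION = SECCOMP_RET_ERRNO | errno.EPERM  # proof-of-block evidence: EPERM


def build_filter(denied=DENIED_X86_64, arch=AUDIT_ARCH_X86_64):
    """Return the filter as (code, jt, jf, k) tuples: kill on a foreign arch
    (syscall numbers differ there), EPERM on any denied syscall, allow the rest."""
    insns = [
        (BPF_LD_W_ABS, 0, 0, ARCH_OFFSET),
        (BPF_JEQ_K, 1, 0, arch),                     # arch matches -> skip the kill
        (BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),
        (BPF_LD_W_ABS, 0, 0, NR_OFFSET),
    ]
    for nr in sorted(denied.values()):
        insns.append((BPF_JEQ_K, 0, 1, nr))          # not this syscall -> skip the deny
        insns.append((BPF_RET_K, 0, 0, DENY_ACTION))
    insns.append((BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW))
    return insns


def encode(insns):
    """Pack as struct sock_filter {u16 code; u8 jt; u8 jf; u32 k} (8 bytes each)."""
    return b"".join(struct.pack("=HBBI", *insn) for insn in insns)


def evaluate(insns, arch, nr):
    """Interpret the cBPF subset used above and return the seccomp action.
    Mirrors the kernel's classification so the filter can be tested offline."""
    data = {NR_OFFSET: nr, ARCH_OFFSET: arch}
    acc, pc = 0, 0
    while True:
        code, jt, jf, k = insns[pc]
        if code == BPF_LD_W_ABS:
            acc, pc = data[k], pc + 1
        elif code == BPF_JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")


def install(insns):
    """Install the filter in the calling process (irreversible; Linux only)."""
    PR_SET_NO_NEW_PRIVS, PR_SET_SECCOMP, SECCOMP_MODE_FILTER = 38, 22, 2

    class SockFprog(ctypes.Structure):
        _fields_ = [("len", ctypes.c_ushort), ("filter", ctypes.c_void_p)]

    libc = ctypes.CDLL(None, use_errno=True)
    libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4
    buf = ctypes.create_string_buffer(encode(insns))
    prog = SockFprog(len(insns), ctypes.cast(buf, ctypes.c_void_p))
    # an unprivileged process may only load a filter after setting no_new_privs
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")
    if libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.addressof(prog), 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_SECCOMP failed")


if __name__ == "__main__":
    if sys.platform != "linux" or platform.machine() != "x86_64":
        sys.exit("this demo assumes x86_64 Linux")
    import socket
    install(build_filter())
    try:
        socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        print("FAIL: socket() succeeded; the filter is not in effect")
    except PermissionError as exc:
        print(f"blocked: socket() -> errno {exc.errno} (EPERM)")
```

The interpreter is what makes the negative tests of the acceptance matrix runnable in CI without a privileged host: each denied syscall is asserted to map to EPERM, an unrelated syscall to ALLOW, and a foreign arch to KILL_PROCESS, before the same bytes are ever handed to prctl.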
1. Blocker ledger
| # | Codex blocker (rev3 re-seal) | Affected rev3 doc/section | Root cause | Rev4 repair strategy | Residual risk | MVP still blocked? |
|---|---|---|---|---|---|---|
| 1 | Negative verdicts (READ_LEVEL_FAIL/BLOCKED) can become a shadow denial authority | rev3 spec §2/§4; Gate 1 PARTIAL; Gate 5 (taxonomy) PARTIAL | "never positive" ≠ "never authority": a classifier can be a shadow SSOT by denying/blocking, not only by approving | Non-gating, non-global denial contract (rev4 spec §4.0): every output carries decision_effect=NONE, may_gate=false; v0.1 cannot declare global truth; only 5 bounded scoped verdicts (NOT_EVIDENCED_IN_ALLOWED_SURFACES, INSUFFICIENT_EVIDENCE_FOR_CLAIM, BLOCKED_BY_UNVERIFIED_SOURCE, BLOCKED_BY_UNSAFE_ACCESS, CONTRACT_VIOLATION_IN_DESIGN); READ_LEVEL_FAIL redefined as "not acceptable for reporting PASS," not "false"; mandatory scope_of_denial; mandatory non-global disclaimer; FLAG_GLOBAL_DENIAL_WORDING; any gate use deferred to a sealed consumer contract (B7) | A future consumer could still misuse a non-gating output as a gate; mitigated by the explicit may_gate=false, F22, and test #20, but the social contract is enforced only once the consumer contract is sealed | Yes — until Codex seals rev4 and the consumer-gate boundary stays deferred |
| 2 | query_pg DB allowlist does not prove process-level network egress allowlist | rev3 spec §9.1/§12.1; Gate 3 FAIL | conflated a gateway DB allowlist with a process egress allowlist; a process that can open a socket can reach endpoints the DB allowlist never sees | Offline MVP: no network at all (rev4 spec §12.1): the tool runs in an isolated network namespace with no interfaces, so there is nothing to allowlist; the control is "the run environment denies all egress," enforced by the interface-less namespace plus a seccomp deny on socket/connect (provisionable + testable, test #27) | The sandbox host must actually be provisioned with the interface-less network namespace and the seccomp filter; if mis-provisioned, egress could exist → caught by the P1 self-check (F23, test #37) and is part of B4′ acceptance | Yes — until the sandbox host is provisioned + tested (B4′) |
| 3 | No sandbox enforces secret/local-filesystem/general-network restrictions | rev3 spec §12.2/§12.3; Gate 3 FAIL | static import denylist + runtime self-check are bypassable by code running inside the same process; they are not a structural boundary | Deny-by-default sandbox named (rev4 spec §12.1): isolated network namespace with no interfaces; RO input mount only; WO output mount only; no home/etc/project-tree/secret mounts; scrubbed env; seccomp execve/socket/connect/ptrace deny. In-process guards demoted to secondary defense-in-depth (§12.2). Structural-not-asserted argument (§12.3) | The sandbox is specified, not deployed — a real artifact must be provisioned + negative-tested (tests #25/#28/#29/#33) | Yes — B4′ gates acceptance on a real sandbox |
| 4 | No server-side bounded KB writer exists for the report path | rev3 spec §10/§12.4; Gate 3 FAIL; Gate 6 | the KB write connector exposes broad verbs (upload/update/patch/delete/ingest) with no server-enforced path scope | MVP does NOT write KB (rev4 spec §10/§13): report written only to a write-only local output mount; KB upload is a separate manual/governed step outside the tool; no bounded KB writer is claimed. Future path-scoped writer deferred to B7 | Manual KB upload is outside the tool's guarantees (a human/governed step); acceptable because the report is evidence-only/non-authority and the upload uses the existing governed channel | Yes — bounded KB writer deferred (B7); MVP acceptance does not depend on it |
| 5 | SELECT-only AST does not prevent side-effect functions | rev3 spec §12.2/§12.3; Gate 4 PARTIAL | SELECT-only validation does not reject functions with external/non-table side effects; exact query/function policy ungrounded | MVP issues no SQL (offline). The deferred governed export step (rev4 spec §12.6) accepts named query IDs only from a sealed, versioned, content-hashed catalog; each pre-approved side-effect-free; no raw/dynamic/multi-statement/CALL/DML/DDL; function calls only via an explicit read-only allowlist (empty today ⇒ none called) | Side-effect-function rejection now lives in the export-step contract (B7), tested there (matrix #32 → D9), not in the MVP; this is honest deferral, not closure | Yes — the live read surface is deferred to B7 |
| 6 | Negative tests name bypass classes but are not tied to real enforcement layers | rev3 plan §9; acceptance matrix rev3 #25–#37; Gate 6 PARTIAL | tests proved assertions, not structural refusal; #28 treated a gateway DB allowlist as process-egress grounding | Every negative test rebound to an enforcement layer (acceptance matrix rev4 §3–§6): each test names its enforcement layer (L1 host-sandbox / L2 static-build-guard / L3 runtime-self-check / L4 verdict-output-guard / L5 export-step-deferred), attempted bypass, block point, expected verdict, and proof-of-block evidence (seccomp EPERM / mount table / env keyset / build-time rejection / verdict-schema check); #27 corrected to a process-level egress denial, not a gateway DB allowlist | The tests are specified, not run (design only); B4′ requires they pass against a real sandbox | Yes — tests must be executed against the sandbox at B4′ |
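The L4 verdict-output guard from blocker #1 and test row #6, as an added worked example (not the project's own guard): it validates one triage output against the §4.0 non-gating contract and returns the findings a verdict-schema check would report. The field names decision_effect, may_gate and scope_of_denial and the five verdict identifiers come from this ledger; the rationale and disclaimer fields, the surfaces list inside scope_of_denial, the phrase list behind FLAG_GLOBAL_DENIAL_WORDING, and both sample outputs are assumptions constructed for this example.

```python
"""L4 verdict-output guard for the rev4 §4.0 non-gating, non-global contract.

Added example. Field names rationale/disclaimer, the surfaces list, the
global-wording phrase list and the sample outputs are assumptions.
"""
import re

BOUNDED_VERDICTS = frozenset({
    "NOT_EVIDENCED_IN_ALLOWED_SURFACES",
    "INSUFFICIENT_EVIDENCE_FOR_CLAIM",
    "BLOCKED_BY_UNVERIFIED_SOURCE",
    "BLOCKED_BY_UNSAFE_ACCESS",
    "CONTRACT_VIOLATION_IN_DESIGN",
})
REQUIRED_FIELDS = ("verdict", "decision_effect", "may_gate",
                   "scope_of_denial", "rationale", "disclaimer")
# Phrases that turn a scoped negative into a global truth claim (assumed list).
GLOBAL_WORDING = re.compile(
    r"\b(is false|does not exist|never|nowhere|no such|cannot exist|in all cases|anywhere)\b",
    re.I)
# The disclaimer must state in some form that the verdict is not global (assumed marker).
NON_GLOBAL_MARKER = re.compile(r"not (a )?global", re.I)


def check_output(out):
    """Return contract findings for one triage output; [] means compliant."""
    findings = []
    for field in REQUIRED_FIELDS:
        if field not in out:
            findings.append(f"MISSING_FIELD:{field}")
    if out.get("verdict") not in BOUNDED_VERDICTS:
        findings.append("UNBOUNDED_VERDICT")          # legacy or ad-hoc verdict names
    if out.get("decision_effect") != "NONE":
        findings.append("DECISION_EFFECT_NOT_NONE")
    if out.get("may_gate") is not False:               # literal false only; "false" or missing fails
        findings.append("MAY_GATE_NOT_FALSE")
    scope = out.get("scope_of_denial") or {}
    if not scope.get("surfaces"):
        findings.append("SCOPE_OF_DENIAL_EMPTY")       # a denial must name what it is scoped to
    if not NON_GLOBAL_MARKER.search(str(out.get("disclaimer", ""))):
        findings.append("NON_GLOBAL_DISCLAIMER_MISSING")
    hit = GLOBAL_WORDING.search(str(out.get("rationale", "")))
    if hit:
        findings.append(f"FLAG_GLOBAL_DENIAL_WORDING:{hit.group(0).lower()}")
    return findings


# Constructed sample outputs (not real tool output); packet ids are invented.
COMPLIANT = {
    "verdict": "NOT_EVIDENCED_IN_ALLOWED_SURFACES",
    "decision_effect": "NONE",
    "may_gate": False,
    "scope_of_denial": {"surfaces": ["packet:kb-export-2026-06-09",
                                      "packet:pg-export-2026-06-09"]},
    "rationale": "No artifact matching the FIX7 identifier was found in the "
                 "allowed surfaces of this packet.",
    "disclaimer": "Scoped to the listed surfaces; not a global statement about the artifact.",
}
SHADOW_DENIAL = {
    "verdict": "ARTIFACT_MISSING",          # not one of the five bounded verdicts
    "decision_effect": "BLOCK",
    "may_gate": True,
    "scope_of_denial": {"surfaces": []},
    "rationale": "The artifact does not exist anywhere in the KB.",
    "disclaimer": "",
}

if __name__ == "__main__":
    for name, out in (("compliant", COMPLIANT), ("shadow-denial", SHADOW_DENIAL)):
        print(name, "->", check_output(out) or "OK")
```

The guard rejects shape, not just content: a verdict can only pass if it is one of the five bounded identifiers, its effect is NONE, may_gate is the literal false, it names the surfaces it was scoped to, and its wording never upgrades the scoped negative into a claim about the world.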
2. Gate-by-gate disposition (Codex rev3 gate table → rev4)
| Codex Gate (rev3) | rev3 verdict | rev4 disposition |
|---|---|---|
| 1 — Taxonomy / rule authority | PARTIAL | Closed by §4.0 non-gating contract (decision_effect=NONE, may_gate=false, bounded scoped verdicts, gate-use deferred). Design-level. |
| 2 — KB-first / PG-first / native-driven | PARTIAL | Closed at design level: authority traces to KB/PG via packet provenance; location-is-not-authority added (authority-status field + precedence, §16.1); honesty clause §0.5. |
| 3 — Structural no-run/no-write guard feasibility | FAIL | Reframed to feasible: offline removes the surface; deny-by-default sandbox named (§12.1). Now FEASIBLE + SPECIFIED; proof requires the sandbox built + tested (B4′). |
| 4 — PG read-client write risk | PARTIAL | MVP issues no SQL / holds no driver; side-effect-function policy moved to the export-step named-query catalog (B7). |
| 5 — FIX7 artifact discoverability honesty | PASS | Preserved unchanged (verdict renamed to NOT_EVIDENCED_IN_ALLOWED_SURFACES; meaning identical). |
| 6 — Negative tests coverage | PARTIAL | Every test tied to an enforcement layer + proof-of-block evidence (matrix rev4). |
| 7 — MVP readiness | FAIL | Honest readiness model (rev4 spec §21): recommend Option C (offline packet-only) gated on the A discipline (guard harness in build scope), hard fallback to B. MVP not allowed today; decision now adjudicable. |
3. Codex's 5 "minimal safe next step" corrections (rev3 re-seal §10) → rev4 mapping
- "`decision_effect=NONE`/`may_gate=false` for every triage output; prohibit automated allow/deny/block use without a sealed consumer contract." → rev4 spec §4.0 (verbatim intent); tests #18/#20; F22.
- "Name a concrete deny-by-default runtime enforcement substrate for process egress, local FS, environment secrets, and capability exposure." → rev4 spec §12.1 (deny-by-default sandbox), §12.3 structural argument; tests #25/#27/#28/#29/#37.
- "Define a server-enforced KB report writer restricted to the report prefix and permitted verbs; all other KB mutation impossible." → rev4 honest answer (§10/§13): no such writer is proven; the MVP does not write KB; KB upload is a separate governed step; a path-scoped writer is deferred to B7. (We did not invent a writer we cannot prove.)
- "Define and ground exact PG query/function policy plus effective-grant/read-only evidence." → rev4 spec §12.6 named-query catalog (side-effect-free, no raw SQL); the rev3-verified `context_pack_readonly` role attrs are cited (§9.1); side-effect-function policy lives in the export-step contract (B7). MVP issues no SQL.
- "Bind negative tests to those controls; add arbitrary-KB-mutation/process-egress bypass cases." → acceptance matrix rev4 §4–§5, incl. process-egress (#27), arbitrary local read (#29), KB write (#34), live PG query (#35), report-write-outside-output (#33).
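The P1 runtime self-check (F23, test #37) referenced by corrections 2 and 5, as an added worked example (not the project's self-check): the L3 in-process layer that, before any packet is opened, probes the process's own environment for egress, exec, secrets and writable paths and refuses to run if the L1 sandbox was mis-provisioned. The assessment is a pure function over collected facts so the mis-provisioned case can be tested with constructed facts. Assumptions of this example: /input and /output as the mount points, the scrubbed-env allowlist, Linux probes, and both fact sets, which are constructed.

```python
"""P1 runtime self-check (rev4 F23 / test #37): verify the host sandbox
before reading the packet. Added example; mount points, env allowlist and
the constructed fact sets are assumptions.
"""
import errno
import os
import re
import socket
import subprocess
import sys
import tempfile

INPUT_MOUNT, OUTPUT_MOUNT = "/input", "/output"                     # assumed mount points
FORBIDDEN_WRITE = ("/etc", "/root", os.path.expanduser("~"))          # must not be writable
ALLOWED_ENV = frozenset({"PATH", "LANG", "PWD", "INSPECTOR_PACKET", "INSPECTOR_REPORT"})  # assumed
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSW|API_KEY|PRIVATE_KEY|CREDENTIAL", re.I)


def probe_errno(fn):
    """Run a probe; 0 if it succeeded, else the errno the sandbox returned."""
    try:
        fn()
        return 0
    except OSError as exc:
        return exc.errno or -1


def probe_writable(path):
    """True if this process can create a file under path."""
    try:
        with tempfile.NamedTemporaryFile(dir=path):
            return True
    except OSError:
        return False


def collect_facts():
    """Observe the live process; returns plain data so assess() stays testable."""
    net_dir = "/sys/class/net"
    return {
        "socket_errno": probe_errno(lambda: socket.socket(socket.AF_INET, socket.SOCK_STREAM).close()),
        "exec_errno": probe_errno(lambda: subprocess.run([sys.executable, "-c", "pass"], check=False)),
        "interfaces": sorted(os.listdir(net_dir)) if os.path.isdir(net_dir) else [],
        "env_keys": sorted(os.environ),
        "writable": {p: probe_writable(p) for p in FORBIDDEN_WRITE + (INPUT_MOUNT, OUTPUT_MOUNT)},
    }


def assess(facts):
    """Map facts to violations; [] means the sandbox matches §12.1."""
    v = []
    if facts["socket_errno"] != errno.EPERM:
        v.append("SECCOMP_SOCKET_ALLOWED")            # socket(2) must fail with EPERM
    if facts["exec_errno"] != errno.EPERM:
        v.append("SECCOMP_EXECVE_ALLOWED")
    extra = [i for i in facts["interfaces"] if i != "lo"]
    if extra:                                         # an egress path exists even if seccomp holds
        v.append("NETNS_HAS_INTERFACES:" + ",".join(extra))
    for key in facts["env_keys"]:
        if SECRET_NAME.search(key):
            v.append("ENV_SECRET_PRESENT:" + key)
        elif key not in ALLOWED_ENV:
            v.append("ENV_NOT_SCRUBBED:" + key)
    for path, writable in facts["writable"].items():
        if path == OUTPUT_MOUNT and not writable:
            v.append("OUTPUT_MOUNT_NOT_WRITABLE")
        elif path != OUTPUT_MOUNT and writable:       # covers a read-write /input too
            v.append("WRITABLE_OUTSIDE_OUTPUT:" + path)
    return v


def preflight():
    """Entry point: refuse to touch the packet unless every check passes."""
    violations = assess(collect_facts())
    if violations:
        raise SystemExit("sandbox self-check failed: " + "; ".join(violations))
    return True


# Constructed fact sets (not captured from a real host).
PROVISIONED = {
    "socket_errno": errno.EPERM, "exec_errno": errno.EPERM, "interfaces": ["lo"],
    "env_keys": ["INSPECTOR_PACKET", "INSPECTOR_REPORT", "PATH"],
    "writable": {"/etc": False, "/root": False, "/input": False, "/output": True},
}
DEV_HOST = {
    "socket_errno": 0, "exec_errno": 0, "interfaces": ["eth0", "lo"],
    "env_keys": ["HOME", "PATH", "PGPASSWORD"],
    "writable": {"/etc": False, "/root": False, "/input": False, "/output": False},
}

if __name__ == "__main__":
    preflight()
    print("sandbox self-check passed; safe to open", INPUT_MOUNT)
```

Each violation names the enforcement layer that failed (seccomp, network namespace, env scrubbing, mount table), which is the evidence the acceptance matrix asks for; the check is defense-in-depth only, since code in the same process could skip it, which is why the ledger keeps the real boundary at L1.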
4. Honest residual (what rev4 does NOT claim)
- It does not claim the deny-by-default sandbox host exists — it is specified, and provisioning + passing the negative tests is B4′ build scope.
- It does not claim a bounded KB writer exists — the MVP does not write KB.
- It does not claim the live governed export step or its named-query catalog is built — both are deferred to B7.
- It does not authorize MVP implementation. rev4 makes the decision adjudicable by Codex; it does not grant the build.
- Sealed B/C/D/G/H and the Article-14 chain are not reopened.
Cross-references
- Gap-only Spec rev4: `designs/implementation-package-dot-v0-1-gap-only-scope-spec-rev4-2026-06-09.{md,json}`
- MVP plan rev4: `planning/mvp-read-report-inspector-implementation-plan-no-code-rev4-2026-06-09.md`
- Acceptance matrix rev4: `designs/acceptance-test-matrix-implementation-package-dot-v0-1-rev4-2026-06-09.md`
- FIX7 pilot rev4: `designs/fix7-read-report-pilot-design-rev4-for-implementation-package-dot-v0-1-2026-06-09.md`
- Codex re-seal (source): `reviews/codex-reseal-gap-only-spec-rev3-2026-06-09.md`