Incomex AI Portal
KB-7FC4

Codex Checkpoint Packet rev3 — Gap-only Spec + FIX7 Pilot (after PG-first/native block; 4 blocker classes only; compact re-review request, 2026-06-09)

8 min read Revision 1
tool-kiem-thucodexcheckpoint-packetrev3re-reviewpg-firsttaxonomy-authoritycapability-guarddiscoverabilitynegative-tests2026-06-09

Codex Checkpoint Packet (rev3) — Gap-only Spec + FIX7 Read/Report Pilot

Nature: compact re-review request after the Codex re-seal GAP_ONLY_SPEC_REV2_PARTIAL_FIX_REQUIRED. It does not re-argue and does not ask Codex to re-review the entire history — only the four returned blocker classes. States what changed and asks Codex to seal or return blockers. Date: 2026-06-09 · Supersedes: reviews/codex-checkpoint-packet-gap-only-spec-and-fix7-pilot-rev2-2026-06-09.md (rev2). Production mutation: NO. Read-only verification (PG role probe + KB discovery) performed and disclosed. writes_performed: KB design docs only. Review target docs: rev3 spec .{md,json}, FIX7 pilot rev3, MVP plan rev3, acceptance matrix rev3, fix ledger rev3. Decision sought: seal the rev3 read/report-only surface, or return blockers. MVP greenlight remains gated on a fresh seal (B0″) + build-time guards (B4).

1. Context (one paragraph — do not re-investigate)

rev2 fixed the Article-14 core (Gate 2 = PASS, preserved). Codex re-sealed rev2 PARTIAL with four blockers: B-1 the claim/evidence/verdict taxonomy had no governed PG-driven authority (shadow-SSOT risk); B-2 the no-run/no-write guard was not structurally feasible (socket-ban vs remote reads; PG client can write); B-3 the FIX7 pilot had not proven allowed surfaces can locate the canonicalizer artifact; B-4 negative tests omitted bypass paths. The sealed B/C/D/G/H are untouched. Article 14 is preserved unchanged and only strengthened.

2. What changed since the re-seal (the deltas Codex must verify — only the 4 classes)

  1. B-1 — v0.1 is now negative/triage-only and non-authoritative. READ_LEVEL_ACCEPTABLE removed; exit 0 reserved/unused; the strongest output is UNVERIFIED. The claim/evidence/verdict taxonomy is Option CPROVISIONAL_NON_AUTHORITY, versioned + provenanced, unknown ⇒ fail-closed, never proof-of-run, never positive. A classifier that never emits positive authoritative truth cannot become a shadow SSOT; a positive verdict is deferred to a separate sealed taxonomy authority. (spec §2/§4/§5/§6/§16)
  2. B-2 — the no-run/no-write guard is now structurally feasible and grounded. The socket ban is replaced by an endpoint allowlist (exactly {KB read connector, PG read gateway}; all else denied). The "PG client can write" risk is resolved by no direct DB driver + the gateway's server-side de-privileged role context_pack_readonly + read-only transaction + AST-validated SELECT-only. Verified by a real read-only probe (role attrs; DB allowlist; postgres [DENIED]; restricted current_setting). 10 enforcement layers + KB-vs-FS read distinction. (spec §9.1/§12; plan G4/G5/G11)
  3. B-3 — the FIX7 discovery chain was actually run. The declared canonicalizer resolves only as a .md on KB; the load-bearing .py resolves on no governed surface (FS-mirror scope /opt/incomex/dot/bin, disjoint). Fixture A expected corrected to UNVERIFIED/BLOCKED_BY_UNVERIFIED_SOURCE for existence (FAIL only via independent prose-only/wrong-kind/contradiction); Fixture A′ (pure discoverability ⇒ UNVERIFIED, not FAIL) added. The pilot proves "not adequately evidenced via allowed surfaces," not global absence. (pilot §3.1/§3.2/§6; spec §12.1/§21)
  4. B-4 — negative tests expanded to all bypass paths: shell/subprocess, dynamic import, off-allowlist network, credential/secret, PG-write-via-read-client, multi-statement SQL, SELECT side-effect function, direct DB driver, FS write, Directus write, exit-0 attempt, local-first authority, taxonomy-as-authority, FIX7-identity-not-found. (matrix #21–#37; plan §9)
  5. Track 1 (carried through all four): KB-first/PG-first/native-driven/local-last made explicit and structural — READ_KB_DOC replaces READ_FILE; report is a KB write; local = non-authority mirror; FLAG_LOCAL_FIRST_AUTHORITY. (spec §0/§12.4; matrix #34/#35)

3. The questions for Codex (each YES/NO + note — scoped to the 4 classes)

  1. B-1: Does demoting v0.1 to negative/triage-only (no READ_LEVEL_ACCEPTABLE, no exit 0) + a PROVISIONAL_NON_AUTHORITY versioned fail-closed taxonomy remove the shadow-SSOT / disguised-hardcode risk and satisfy PG-first for this scope?
  2. B-2: Is the no-run/no-write guard now structurally feasible — endpoint allowlist (not socket ban) + no direct DB driver + server-side read-only role + read-only transaction + AST SELECT-only — grounded by the verified substrate?
  3. B-2/Track 4: Are the PG read-only acceptance requirements (verify current_user, txn read-only, reject non-SELECT/multi-statement/side-effect, log query provenance, fail-closed on unverifiable role) sufficient?
  4. B-3: Is the FIX7 discovery chain correct and honest — Fixture A ⇒ UNVERIFIED for existence (not deterministic FAIL), "not adequately evidenced" ≠ "does not exist anywhere," and Fixture A′ added?
  5. B-4: Do the expanded negative tests cover all bypass paths (shell/subprocess, dynamic import, network, credential, PG-write-via-read-client, and the rest)?
  6. Preservation: Is Article 14 preserved unchanged (only strengthened by removing the green terminal state), and are sealed B/C/D/G/H untouched?
  7. Disposition: Is the read/report-only MVP design sealable now (build still gated on B4), or still blocked?

4. Hard limits / fail-closed checklist (unchanged intent + rev3)

No runner/dispatcher; no FS-DOT/IU-command/detector invocation; no PG/Directus/registry/filesystem/system_issues mutation; no TAC↔IU bridge; no new resolver/registry/logger/graph/corpus authority; no proof-of-run; no collapsed counts; no build before a fresh seal; no FIX7 resume; sealed B/C/D/G/H not reopened. rev3 adds: no positive/green verdict + no exit 0 until a governed taxonomy authority is sealed; no local-first authority; no off-allowlist egress / shell / subprocess / dynamic import / credential access / direct DB driver; the inspector's taxonomy is never authority.

5. Out of scope for this review

The execution surface (Call Contract, proof-of-run, global-absence proof, manifest, write contracts, bridge, CI gating) and a future governed taxonomy authority that would re-enable a positive verdict — all deferred behind named future contracts. Do not seal those here.

6. Requested disposition

  • GAP_ONLY_SPEC_REV3_SEALED → read/report-only MVP build may start (no execution capability, no positive verdict; capability guards + negative tests + PG read-only acceptance are build gates). or
  • RETURN_BLOCKERS → list the minimal residual modifications; nothing builds until re-sealed.

Cross-references

  • rev3 spec / pilot / plan / matrix / ledger (see those docs).
  • Source re-seal: reviews/codex-reseal-gap-only-spec-rev2-2026-06-09.md.
  • Superseded rev2 packet: reviews/codex-checkpoint-packet-gap-only-spec-and-fix7-pilot-rev2-2026-06-09.md.
Back to Knowledge Hub knowledge/dev/laws/tool-kiem-thu/reviews/codex-checkpoint-packet-gap-only-spec-and-fix7-pilot-rev3-2026-06-09.md