Incomex AI Portal
KB-83DC

Codex cross-check — Text-as-Code reuse audit — 2026-06-09

13 min read Revision 1
codexcrosschecktool-kiem-thudottext-as-codereuse-audit

Codex cross-check — Text-as-Code reuse audit

Date: 2026-06-09
Mode: read-only investigation cross-check
Production mutation: NO
Final verdict on Claude/T1 audit: CLAUDE_AUDIT_UNSAFE_TO_USE_FOR_PLANNING
Revised recommendation: NEEDS_FRESH_BASELINE_FIRST

1. Scope and question

This review adversarially checks whether text-as-code-reuse-anti-duplication-audit-2026-06-09.md is sufficiently complete and reliable to be the planning baseline for test-tool construction.

The review does not implement a tool, mutate production, open a permit, or authorize an execution phase. It tests the investigation itself against the repository, dated system reports, operating rules, Constitution/PG principles, and known authority surfaces.

2. Executive verdict

The T1 audit contains useful discovery, but it is not safe to use for planning.

The decisive defect is the absence of a canonical, dated, multi-surface baseline. It discusses reuse while leaving the DOT universe, execution universe, Directus mutation routes, IU/TAC current corpus, logger authority, manifest authority, graph/duplicate authority, and evidence/report authority unresolved.

The DOT-count concern is confirmed. Existing evidence does not support one undifferentiated DOT count. It supports several different sets with different meanings and dates. Treating any of them as “the number of DOTs” would be a false invariant and a disguised hardcode.

Accordingly:

  • REUSE_EXTRACTION_FIRST is rejected as the immediate next phase.
  • NEEDS_FRESH_BASELINE_FIRST is required.
  • Reuse extraction may follow only after authority and set reconciliation.

3. DOT and registry count cross-check

The following numbers are not interchangeable:

Date / context Count What it actually counts Confidence
Historical prior inventory 29, then 3 documented Earlier audit states, not current universe Historical only
2026-03-05 75 VPS; 82 repo; 7 unsynced; 0 VPS orphan File/repo comparison at that time High for dated snapshot
2026-03-06 93 registered; 95 actual Registry/file comparison at that time High for dated snapshot
2026-03-08 97 dot_tools at that time High for dated snapshot
2026-04-17 272 total; 256 active Migration report registry population High for dated snapshot
2026-06-05 287 snapshot rows, approximately 288 files VPS /opt/incomex/dot/bin snapshot High for that surface/date
2026-06-05 309 registry/non-retired dot_tools registry entries High for registry count only
2026-06-05 54 dot_iu_command_catalog entries High for command-catalog count only
2026-06-05 42 /opt/incomex/scripts snapshot High for that separate script surface
2026-06-09 local workspace 163 executable files in dot/bin Current local checkout only, not production High for local surface only

Additional quality/reconciliation evidence from the June 5 reports:

  • Registry-no-file: 41.
  • File-no-registry: approximately 18–19.
  • Only approximately 119 of 309 registry entries have script_path; approximately 190 are DB/non-file entries.
  • Pairing: 131/309 paired, 178 unpaired.
  • Operation populated: 50/309.
  • coverage_status null: 103.
  • Tier null: 19.
  • File path populated: 228/309.
  • CAT-006 and CAT-DOT expose a direct 309-versus-163 count conflict.

Therefore:

  • Confidence in a single unified “DOT count”: LOW / unsupported.
  • Confidence in the individual dated snapshots above: HIGH within their explicit denominator.
  • The Claude audit omitted the required count ledger and reconciliation implications.
  • Planning from a single DOT number would violate PG-driven behavior because the number would be frozen outside the authoritative live surfaces.

4. Claim-by-claim validation

T1 audit claim Codex verdict Reason
Major reuse candidates are sufficiently identified PARTIAL / UNVERIFIED Candidates exist, but authority, currentness, callable boundary, and deployment status are unresolved.
Two cutter lineages are the primary ownership decision INCOMPLETE Execution is layered; later runner discovery identifies at least four execution layers, not merely two cutter choices.
IU/TAC conflict is recognized ACCEPTED BUT INCOMPLETE Counts and current-state evidence are broader: 98, 175, and 219 appear in dated evidence; lifecycle/current resolver remains unresolved.
Generic command runner is true-new CONFLICTING_EVIDENCE Earlier “no runner” finding was corrected by later layered-runner discovery. Existing runner/executor/lease/catalog surfaces must be reconciled first.
Generic package manifest is true-new REJECTED AS UNPROVEN IU/cutter, Context Pack, FIX7 manifest sets, One-Roof release manifests, and approval envelopes already form multiple manifest families. A new generic manifest may create a third authority.
--selftest N/N + module_sha256 is true-new REJECTED AS UNPROVEN Existing provenance, source SHA256, pair signatures, release-manifest SHA256, and cutter test-count evidence require reuse/authority analysis.
audit_dead_links() is true-new PARTIAL / UNVERIFIED Existing graph views, orphan/inverse checks, dependency registries, and birth scanners may already provide the engine; likely need an adapter/query, not a new authority.
Duplicate resolver can integrate an existing guard NOT READY Điều 14 duplicate engine is pending; One-Roof scanners are design-only/absent in cited evidence; FIX7 guard was found prose-only in recheck evidence.
fn_tac_log_checker_issue is the reusable generic logger REJECTED AS UNIVERSAL AUTHORITY It is TAC-specific and wraps canonical fn_log_issue; using it generically risks semantic coupling and another writer route.
Clone/adapt cutter_agent/dryrun.py REJECTED AS REUSE STRATEGY The file is domain-specific and artifact-only. Cloning creates a parallel engine. First identify/extract the canonical callable/library boundary.
REUSE_EXTRACTION_FIRST REJECTED FOR CURRENT PHASE Extraction before baseline/authority resolution can preserve the wrong component or create parallel authorities.

5. Directus / PG-first-native-driven check

The Directus operating rule establishes the target: schema/mutation must route through authorized DOT surfaces, and direct MCP CRUD is forbidden. That rule is not proof that the current estate is already 100% compliant.

Conflicting/incomplete current-state evidence remains:

  • Directus flow documentation warns that it may be stale and cites approximately 50+ flows.
  • Other architecture evidence cites approximately 127 flows.
  • A registry sync report records 18 flows for six registry collections.
  • The local workspace contains several Directus setup/schema/permission scripts. They may be authorized wrappers, legacy assets, or violations; their status has not been reconciled.

Conclusion:

  • PG-first/native/driven remains mandatory.
  • Current 100% Directus DOT control is UNVERIFIED, not accepted as fact.
  • A test-tool plan must discover and consume live PG/registry authority, not encode flow names, counts, collections, runners, or exception lists in source.

6. Missing authority surfaces and conflict risks

The T1 audit asks too few owner questions. Q1/Q2 are insufficient. Before planning, the following decisions/evidence gates are required:

  1. Canonical DOT universe and a reconciliation contract among dot_tools, filesystem DOTs, command catalog, schedules, runners, and non-file entries.
  2. Canonical execution runner/command ledger, including leases, status, output, and dry-run semantics.
  3. Directus mutation route and live flow-registry authority.
  4. Checker/logger authority and approved system_issues writer route.
  5. Package/manifest/envelope authority and compatibility rules.
  6. Duplicate-authority engine ownership and executable readiness.
  7. Graph/reference resolver authority and read/write boundaries.
  8. Text-as-Code current corpus, current resolver, lifecycle states, compatibility view, and supersession semantics.
  9. Evidence/report storage authority and event-domain registration.
  10. Tool taxonomy, placement, pairing, and registry obligations under Điều 23/35.

The largest duplication/conflict risk is selecting or cloning a runner, manifest, logger, duplicate checker, or graph checker before these authority decisions. That would create a new parallel engine while appearing to “reuse” existing code.

7. Text-as-Code / IU current-state gaps

The current Text-as-Code/IU state cannot be inferred from one count or one report:

  • P3D requirements are explicitly re-authored, not original authority.
  • A P3D completed-state SSOT exists and corrects earlier matrices.
  • Phase 5C2 reports migration completion while still listing remaining UI cutover, IU vector collection, IU event emission, and TAC compatibility-view work.
  • information_unit counts appear as 98, 175, and 219 in different dated evidence.

A fresh current resolver/corpus baseline is mandatory before binding packages, tests, docs, and supersession behavior.

8. Method and evidence-quality defects

The T1 report states that five parallel auditors were used. This conflicts with the explicit main-process-only/no-background-agent rule and weakens traceability of what was actually read, how conflicts were resolved, and which evidence supports each conclusion.

Other evidence-quality defects:

  • Dated snapshots and live authorities are mixed without a denominator ledger.
  • Design-only, prose-only, pending, deployed, local-only, and production-live assets are not consistently separated.
  • “Exists” is treated too often as “reusable as-is”.
  • Reuse candidates are not checked for callable boundary, owner, deployment status, authority role, or non-regression obligations.
  • Absence of evidence is sometimes converted into TRUE_NEW.

Under the rule “không chắc đúng = sai”, these claims cannot authorize planning.

9. Hardcode and disguised-hardcode assessment

No test-tool implementation was reviewed or authorized here. However, the investigation itself contains planning inputs that would become disguised hardcodes if adopted:

  • A single DOT count without denominator/date.
  • Fixed Directus flow counts or names from stale documents.
  • A fixed list of runners based on incomplete discovery.
  • Treating one TAC-specific logger as a universal writer.
  • Treating one manifest format as generic authority.
  • Copying a domain-specific dry-run file as a generic engine.
  • Encoding a current IU/TAC count or resolver behavior from stale snapshots.

All future tools must query authoritative PG/registry surfaces and report set identity, timestamp, source, and both-direction diffs. They must not embed system inventory as source-code constants.

10. Revised recommendation

Required phase: NEEDS_FRESH_BASELINE_FIRST

Only after the fresh baseline is complete and owner/authority conflicts are resolved may the program decide whether the next phase is reuse extraction, adapter authoring, registry repair, or genuinely new implementation.

This does not reject reuse. It prevents reuse of the wrong authority and prevents new parallel engines.

11. Exactly one minimal safe next step

Execute one read-only, multi-surface baseline/reconciliation snapshot that emits separately named sets, timestamps, source authorities, and both-EXCEPT diffs for:

dot_tools; filesystem DOTs; dot_iu_command_catalog; runners/schedules/leases; Directus flows and mutation tools; IU/TAC current corpus/resolver; approved system_issues writers; graph/reference/duplicate engines.

Do not merge the counts into one total, do not mutate any surface, and do not begin tool implementation from this step.

Evidence paths reviewed

  • knowledge/dev/laws/tool-kiem-thu/reports/text-as-code-reuse-anti-duplication-audit-2026-06-09.md
  • knowledge/dev/laws/tool-kiem-thu/checkpoints/checkpoint-text-as-code-reuse-anti-duplication-audit-2026-06-09.md
  • knowledge/dev/laws/tool-kiem-thu/00-index.md
  • knowledge/current-state/reports/dot-registry-audit-report.md
  • knowledge/current-state/reports/registry-diff-report
  • knowledge/dev/laws/dieu43-migrations/report-pre-d-prime.md
  • knowledge/dev/reports/architecture/parallel-terminal2-registries-pivot-count-reliability-bug-audit-2026-06-05/06-dot-tool-count-reliability.md
  • knowledge/dev/reports/architecture/law-capability-discovery-official-lists-automation-2026-05-30/08-dot-registry-list-pilot.md
  • knowledge/dev/ssot/directus/directus-operating-rules.md
  • knowledge/dev/ssot/directus/directus-flows.md
  • Runner/executor discovery reports dated 2026-06-04
  • P3D / Phase 5C2 / registries-pivot current-state evidence
  • Local read-only workspace inventory and local IU-cutter source inspection

Final disposition

CLAUDE_AUDIT_UNSAFE_TO_USE_FOR_PLANNING

NEEDS_FRESH_BASELINE_FIRST

Back to Knowledge Hub knowledge/dev/laws/tool-kiem-thu/reviews/codex-crosscheck-text-as-code-reuse-audit-2026-06-09.md