Codex Re-seal Gap-only Scope Spec rev2 — Article 14 / Hardcode / PG-first Review
Codex Re-seal — Gap-only Scope Spec rev2
Date: 2026-06-09
Mode: narrow adversarial re-seal; read/report only; no full-baseline replay
Production mutation: NO
Implementation/tool/schema/runner/FIX7 execution: NOT PERFORMED
Final verdict: GAP_ONLY_SPEC_REV2_PARTIAL_FIX_REQUIRED
0. Scope and evidence inspected
Inspected only the prompt-defined rev2 packet and directly relevant authority/law records:
- reviews/codex-review-gap-only-spec-fix7-pilot-mvp-readiness-2026-06-09.md
- reviews/codex-checkpoint-packet-gap-only-spec-and-fix7-pilot-rev2-2026-06-09.md
- designs/implementation-package-dot-v0-1-gap-only-scope-spec-rev2-2026-06-09.md and .json
- designs/fix7-read-report-pilot-design-rev2-for-implementation-package-dot-v0-1-2026-06-09.md
- planning/mvp-read-report-inspector-implementation-plan-no-code-rev2-2026-06-09.md
- designs/acceptance-test-matrix-implementation-package-dot-v0-1-rev2-2026-06-09.md
- reports/codex-fix-ledger-gap-only-spec-rev2-2026-06-09.md
- contracts/authority-contract-v0-1-2026-06-09.md
- 00-index.md
- Operating Rules SSOT v7.58; Constitution v4.6.3, with special attention to Article 14 / no fake evidence.
No production fact was mutated or re-baselined.
1. Final verdict
GAP_ONLY_SPEC_REV2_PARTIAL_FIX_REQUIRED
Rev2 makes a material and correct repair to Article-14 evidence adequacy: a resolving reference alone cannot create an acceptable verdict; execution-class claims remain unproven; READ_REPORT_PASS is removed; exit 0 cannot accompany fail/flag/block/unverified states.
Rev2 is not sealed for MVP implementation because two load-bearing implementation boundaries remain underspecified:
- the claim/evidence/action/surface rule sets are normative runtime policy but have no identified, binding, PG-driven governed source; and
- the proposed no-run/no-write guard is not structurally implementable as written (`no socket` conflicts with allowed remote reads; a PG read driver is also capable of writes; shell/network/credential restrictions have no named enforcement substrate).
Under the "not certain to be correct = wrong" rule (Không chắc đúng = sai), these are build blockers, not documentation polish.
2. Gate table
| Gate | Verdict | Evidence inspected | Issue found | Required correction |
|---|---|---|---|---|
| 1 — Codex 12-fix ledger | PARTIAL | rev2 spec/JSON, plan, matrix, pilot, ledger, index | Core fixes are present, but fix 9 (structural no-run/no-write) remains a design assertion and fix 11 remains incomplete because runtime reliance on a review-ready/nonbinding contract is unclear. Index wording was normalized during this re-seal. | Rev3 must define the enforceable capability boundary and exact authority reliance. |
| 2 — Article 14 | PASS | adequacy chain, verdict model, article14_status, exit semantics, fixtures B/C | Rev2 structurally prevents prose-only PASS and evidence-reference-only PASS. Execution claims force not-proven/unverified. | Preserve unchanged. Do not weaken in rev3. |
| 3 — FIX7 Recheck-8 sufficiency | PARTIAL | rev2 pilot, Fixture C, Recheck-8 canonicalizer finding | The adequacy class is caught, but the pilot has not proven that allowed read surfaces can resolve the actual canonicalizer artifact identity/existence. A missing executable may therefore be UNVERIFIED, not deterministically C1/FAIL. No command is run, correctly. | Identify the authoritative read-only artifact identity/existence surface; otherwise specify the actual Fixture A result as UNVERIFIED. |
| 4 — Hardcode / fake-green | PARTIAL | denominator rules, exit rules, claim/evidence matrices, acceptance tests | Numeric production comparators and exit fake-green are removed. Residual disguised hardcode risk remains: fixed normative taxonomies/actions/surface roles are used without a governed runtime owner/version/extension contract. A static token scan alone cannot prove semantic absence. | Govern/demote the taxonomies and add semantic negative capability tests. |
| 5 — PG-first / native / driven | FAIL | rev2 PG-first wording, Authority Contract, Constitution/OR | pg_catalog cannot supply business/governance mappings for 12 evidence classes, 13 claim types, required-evidence mapping, verdict precedence, actions, and surface roles. The Authority Contract is a KB document at READY_FOR_GPT_REVIEW, not a binding PG-native runtime source. Implementation would hardcode policy or create a file shadow authority. | Rev3 must either identify a sealed governed runtime source or remove positive/authoritative policy behavior from this MVP. |
| 6 — No parallel authority | PARTIAL | prohibited-overlap wall, capability model, Authority Contract | No runner/logger/registry/resolver/TAC-IU bridge/proof-of-run authority is added. However, the rev2 file taxonomy risks becoming a parallel claim/evidence policy authority. | Explicitly demote it to bounded fail-closed non-authority, or bind it to an approved authority source before implementation. |
| 7 — MVP readiness | FAIL | MVP plan rev2, acceptance matrix rev2, gates above | Building now would force the implementer to improvise authority and enforcement mechanics. | Return to T1 for a narrow rev3; no implementation yet. |
3. Previous blocker closure table
3.1 Twelve required fixes
| # | Required fix | Closure | Evidence basis | Residual risk |
|---|---|---|---|---|
| 1 | Remove READ_REPORT_PASS; separate Article-14 status | FIXED | rev2 verdict vocabulary + separate article14_status | None found. |
| 2 | Structural claim/evidence binding | FIXED | explicit claim→type→class→artifact→capability→adequacy→verdict chain | Runtime policy source remains unresolved under fixes 9/11. |
| 3 | Do not overclaim prose extraction completeness | FIXED | best-effort extraction; UNPARSED_REGION; completeness normally UNVERIFIED | MVP usefulness is negative/triage-only until a governed declaration contract exists. |
| 4 | Narrow FIX7 pilot; add resolvable-but-insufficient fixture | PARTIALLY FIXED | Fixture C correctly catches inadequate evidence | Actual artifact resolver coverage/path remains unproven. |
| 5 | Remove literal counts from normative logic | FIXED | counts demoted to dated fixtures/source records | Preserve this separation. |
| 6 | Remove >=2 denominator rule | FIXED | role/key/provenance/separation rules | No numeric gate found. |
| 7 | Remove literal 41/4, 219/102 checks | FIXED | no literal count invariant | No residual numeric comparator found. |
| 8 | No exit-0 fake-green | FIXED | exit 0 only for ACCEPTABLE; fail/flag/block/unverified nonzero | Positive verdict authority remains unresolved. |
| 9 | Structural no-run/no-write guard + negative tests | PARTIALLY FIXED | capability enum, lint/probe/test design exist | Guard is internally inconsistent and lacks a concrete enforcement substrate. |
| 10 | Dead-link coverage advisory/unverified | FIXED | coverage is not overclaimed | Preserve. |
| 11 | Normalize Authority Contract status/readiness | PARTIALLY FIXED | rev2 docs say review-ready/nonbinding; contradictory index wording was corrected during this re-seal | Runtime reliance on the nonbinding-as-a-whole contract remains unclear. |
| 12 | writes_performed disclosure | FIXED | rev2 output contract/JSON includes disclosure | Must remain evidence-only. |
3.2 Decisive issues from prior verdict
| Prior decisive issue | Status | Basis |
|---|---|---|
| Reference existence could produce PASS | FIXED | Artifact existence is explicitly insufficient for adequacy. |
| FIX7 pilot detected only missing references | PARTIALLY FIXED | Fixture C covers inadequate evidence; actual artifact identity resolver remains unproven. |
| Claim extractor overclaimed full prose coverage | FIXED | Completeness fail-closes to UNVERIFIED. |
| Denominator numbers became hidden hardcode | FIXED | Runtime source records replace literal gates. |
| Exit 0 with FLAG | FIXED | Explicitly forbidden. |
| No-run/no-write boundary prose-only | PARTIALLY FIXED | Structural intent exists; enforceable mechanism is not yet coherent. |
| Authority Contract status overclaimed | PARTIALLY FIXED | Main rev2 and index wording are now normalized; runtime reliance on a nonbinding-as-a-whole contract remains unclear. |
4. Article 14 verdict
Verdict: PASS for the rev2 evidence-adequacy model.
Rev2 prevents:
- prose-only PASS;
- evidence-reference-only PASS;
- selftest/hash/exit-code/command-run claims from becoming proven without accepted run evidence;
- a green-looking dossier when any execution-class claim is unproven;
- exit `0` for fail/flag/block/unverified conditions.
A command string, a report reference, or an artifact that merely resolves is not adequate evidence. This closes the prior central Article-14 failure.
The remaining FIX7 concern is not an Article-14 fake-green path; it is unresolved artifact-resolution authority. Fail closed to UNVERIFIED unless that path is proven.
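As an added illustration (not code from the rev2 packet or its JSON contract), the adequacy chain and exit semantics this verdict describes can be written as a small fail-closed adjudicator. The claim types, evidence classes, severity order, status names and exit codes in it are constructed stand-ins for the governed rule sets the review says rev2 still lacks; only the behaviours come from the review: no prose-only or reference-only PASS, execution-class claims never proven without accepted run evidence, a Fixture A-style case that cannot be resolved landing on UNVERIFIED rather than FAIL, exit 0 only for an acceptable verdict, and an empty writes_performed disclosure.

```python
"""Fail-closed evidence-adequacy chain for a read/report-only inspector.

Added example; not code from the rev2 packet. The claim types, evidence
classes, severity order and exit codes are constructed stand-ins for the
governed rule sets the review says rev2 still lacks.
"""
from dataclasses import dataclass, field

# Constructed policy: claim type -> the one evidence class that makes it adequate.
REQUIRED_EVIDENCE = {
    "selftest": "accepted_run_record",
    "hash": "accepted_run_record",
    "exit_code": "accepted_run_record",
    "command_run": "accepted_run_record",
    "artifact_present": "identity_resolved",
}
SEVERITY = ["ACCEPTABLE", "FLAG", "UNVERIFIED", "FAIL", "BLOCK"]  # worst state wins
EXIT_CODES = {"ACCEPTABLE": 0, "FLAG": 2, "UNVERIFIED": 3, "FAIL": 4, "BLOCK": 5}


@dataclass
class Evidence:
    kind: str        # e.g. command_string, report_reference, artifact_resolves
    resolves: bool   # what the allowed read surface reported for this item


@dataclass
class Claim:
    text: str
    claim_type: str
    declared_proven: bool             # what the dossier author asserts
    evidence: list = field(default_factory=list)


def adjudicate(claim, capabilities):
    """claim -> type -> required class -> capability -> adequacy -> verdict.

    `capabilities` is the set of evidence classes the inspector can actually
    examine through its allowed read surfaces. An MVP with no proof-of-run
    authority never has accepted_run_record in it, so every execution-class
    claim lands on UNVERIFIED; while the authoritative artifact identity
    surface is unproven, identity_resolved is absent too and a Fixture A-style
    case lands on UNVERIFIED rather than a deterministic FAIL.
    """
    need = REQUIRED_EVIDENCE.get(claim.claim_type)
    if need is None:
        return "BLOCK", f"no policy for claim type {claim.claim_type!r}"
    if need not in capabilities:
        return "UNVERIFIED", f"{need} cannot be examined through allowed read surfaces"
    if any(e.kind == need and e.resolves for e in claim.evidence):
        return "ACCEPTABLE", "required evidence class present and resolved"
    if any(e.resolves for e in claim.evidence):
        return "FAIL", "evidence resolves but is not the required class"
    if claim.evidence:
        return "FLAG", "referenced evidence does not resolve"
    return "FAIL", "prose only, no evidence"


def inspect_dossier(claims, capabilities):
    """Dossier-level verdict, article14_status, exit code and disclosure."""
    results = {c.text: adjudicate(c, capabilities) for c in claims}
    if not results:   # extraction found nothing: completeness is unverified
        overall = "UNVERIFIED"
    else:
        overall = max((v for v, _ in results.values()), key=SEVERITY.index)
    # Article 14: a claim declared proven that its evidence does not carry.
    fake = [c.text for c in claims
            if c.declared_proven and results[c.text][0] != "ACCEPTABLE"]
    article14 = "VIOLATION" if fake else "NO_FAKE_EVIDENCE_FOUND"
    report = {
        "claims": results,
        "verdict": overall,
        "article14_status": article14,
        "unsupported_claims": fake,
        "exit_code": EXIT_CODES[overall],
        "writes_performed": [],   # evidence-only disclosure; must stay empty
    }
    # Any unsupported declared-proven claim already forces a non-ACCEPTABLE
    # overall verdict, so exit 0 can never coexist with a violation.
    assert not (report["exit_code"] == 0 and fake)
    return report


if __name__ == "__main__":
    # Fixture C-style input: the artifact resolves, but that is not adequacy.
    fixture_c = [Claim("canonicalizer artifact produced", "artifact_present", True,
                       [Evidence("artifact_resolves", True)])]
    print(inspect_dossier(fixture_c, {"identity_resolved"}))
    # Same claim when the identity surface is unavailable: UNVERIFIED, not FAIL.
    print(inspect_dossier(fixture_c, set()))
```

The ACCEPTABLE branch is the one rev3 still has to bind to a governed source; until then a triage-only inspector would simply leave `identity_resolved` out of its capability set, and every verdict falls to the non-positive states.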
5. Hardcode / fake-green verdict
Verdict: PARTIAL.
Closed:
- no hardcoded production denominator comparators found;
- fixture values are labelled as fixtures;
- no exit-0 fake-green path found;
- positive language is bounded by evidence adequacy and `article14_status`.
Still open:
- the fixed lists of evidence classes, claim types, action enums, surface roles, required-evidence mapping, and verdict precedence are normative behavior without a governed runtime owner/version/extension source;
- the proposed static scan checks token presence/absence and cannot by itself detect semantic bypass;
- acceptance coverage needs explicit negative cases for shell/subprocess, dynamic import, general network/credential use, and write attempts through the same PG client used for reads.
These are disguised-hardcode/guard-bypass risks, not numeric-count hardcode.
6. PG-first / native / driven verdict
Verdict: FAIL for implementation readiness.
Rev2 correctly prefers existing PG/native read surfaces for facts and keeps file output as evidence only. However, it does not identify a binding PG-driven source for its own normative inspection policy.
The statement that rule sets are consumed from “Authority Contract records + live pg_catalog + sealed Domain tables” is insufficient:
- the Authority Contract is a KB document at `AUTHORITY_CONTRACT_V0_1_READY_FOR_GPT_REVIEW`, not a binding runtime record source;
- `pg_catalog` describes database structure, not claim/evidence governance semantics;
- no sealed Domain table/view/contract is identified for the rev2 taxonomy and verdict rules.
Therefore a build would either hardcode policy in code or promote the rev2 file into a shadow SSOT. Neither is acceptable under PG-driven / metadata>code.
7. Parallel-authority verdict
Verdict: PARTIAL.
Rev2 does not create runner, registry, logger/sink, graph/duplicate/orphan resolver, TAC/IU corpus, or proof-of-run authority. Those boundaries are correctly retained.
The remaining parallel-authority risk is narrower but blocking: the rev2 design file can become an unapproved claim/evidence policy authority if the implementation consumes its fixed taxonomies and verdict rules as normative runtime truth.
8. MVP readiness
- MVP implementation allowed now: NO
- Potential later allowed scope: read/report-only inspector; no execution; no mutation; no filesystem DOT/IU invocation; no `system_issues` write; no Directus integration/write; no TAC/IU bridge; no proof-of-run semantics.
- Prohibited scope remains: all runner/invoker/mutation/registry/logger/resolver/bridge/proof-of-run behavior.
- Remaining blockers:
- exact authority treatment/source for claim/evidence/action/verdict policy;
- coherent structural enforcement mechanism for no-run/no-write;
  - authoritative read-only identity/existence resolver for the actual FIX7 canonicalizer artifact, or explicit `UNVERIFIED` result;
  - exact runtime authority treatment for the review-ready/nonbinding-as-a-whole Authority Contract.
Required rev3 corrections, narrowly bounded
- Policy authority: choose and state one fail-closed model. Either identify an already approved governed runtime source, or explicitly make v0.1 a negative/triage-only non-authoritative inspector and remove `READ_LEVEL_ACCEPTABLE`/exit `0` until such a source exists. Do not create schema/registry in rev3.
- Capability enforcement: name the concrete execution sandbox/connectors/roles. Do not ban `socket` while requiring remote reads. Do not claim "no PG write driver"; instead require a read-only PG role, server-enforced privileges, and read-only transactions. Distinguish AgentData KB reads from unrestricted filesystem reads. Replace any production Directus-write probe with non-mutating credential/capability introspection or a mock.
- Negative tests: add explicit cases for shell/subprocess, dynamic import, general network, credential availability, and PG writes attempted through the allowed read client.
- FIX7 artifact resolution: identify the authoritative read-only artifact identity/existence surface and mapping. If unavailable, Fixture A must expect `UNVERIFIED`, not deterministic FAIL.
- Authority wording: preserve the normalized review-ready/nonbinding-as-a-whole wording and specify which sealed clauses, if any, may govern runtime behavior.
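The capability-enforcement and negative-test corrections above (and the "still open" items in section 5) ask for a named enforcement substrate rather than a token scan. As an added example that is not part of the rev2 packet, the block below uses CPython's `sys.addaudithook` (PEP 578) as one concrete process-level substrate: each prohibited operation is denied at its point of effect, so indirection that defeats a static scan (aliasing, `getattr`, `__import__` with a computed name) changes nothing, and a remote read endpoint can be allowlisted instead of banning `socket` outright. `GuardViolation`, the probe names, the demo-only `_ACTIVE` switch and the local listener standing in for the allowed read endpoint are constructed for this example. It covers shell/subprocess, dynamic import, general network, file writes and file mutation; the credential-availability and PG-write probes need the live connector and are not shown, and nothing here replaces the server-enforced read-only PostgreSQL role (SELECT-only grants, `default_transaction_read_only = on`) that the correction requires.

```python
"""Process-level no-run/no-write guard with negative capability probes.

Added example, not code from the rev2 packet. Audit hooks cannot be
removed once installed, so the deny lists below are the guard's actual
boundary; the _ACTIVE switch exists only to scope this demonstration.
"""
import contextlib
import os
import socket
import subprocess
import sys
import tempfile


class GuardViolation(RuntimeError):
    """A prohibited capability was exercised; fail closed."""


_ACTIVE = False                 # demo-only scoping switch (see guarded())
_ALLOWED_ENDPOINTS = set()      # remote read endpoints, e.g. the read-only PG host

# Events that execute something or mutate state (CPython audit event names).
_EXEC_EVENTS = {"subprocess.Popen", "os.system", "os.exec", "os.posix_spawn",
                "os.spawn", "os.fork", "ctypes.dlopen"}
_MUTATE_EVENTS = {"os.remove", "os.rename", "os.mkdir", "os.rmdir", "os.chmod",
                  "os.truncate", "shutil.rmtree", "shutil.move", "shutil.copyfile"}
_WRITE_FLAGS = os.O_WRONLY | os.O_RDWR | os.O_APPEND | os.O_CREAT | os.O_TRUNC


def _opens_for_write(mode, flags):
    """Builtin open() reports a mode string; os.open() reports flags only."""
    if isinstance(mode, str):
        return any(ch in mode for ch in "wax+")
    return bool((flags or 0) & _WRITE_FLAGS)


def _audit(event, args):
    if not _ACTIVE:
        return
    if event in _EXEC_EVENTS:
        raise GuardViolation(f"execution denied: {event}")
    if event in _MUTATE_EVENTS:
        raise GuardViolation(f"mutation denied: {event}")
    if event == "open" and _opens_for_write(args[1], args[2]):
        raise GuardViolation(f"write open denied: {args[0]!r}")
    if event == "socket.connect" and tuple(args[1]) not in _ALLOWED_ENDPOINTS:
        raise GuardViolation(f"network endpoint denied: {args[1]!r}")
    if event == "import":   # fires only for modules not yet loaded: new code
        raise GuardViolation(f"dynamic import denied: {args[0]!r}")


sys.addaudithook(_audit)


@contextlib.contextmanager
def guarded(endpoints=()):
    """Activate the guard for a block. A production inspector would install
    the hook once at start-up and expose no way to deactivate it."""
    global _ACTIVE
    _ALLOWED_ENDPOINTS.update(tuple(e) for e in endpoints)
    _ACTIVE = True
    try:
        yield
    finally:
        _ACTIVE = False
        _ALLOWED_ENDPOINTS.clear()


def run_probes(endpoint, readable, unwritable):
    """Negative capability tests. Returns probe -> DENIED / ALLOWED / ESCAPED."""
    def attempt(fn):
        try:
            fn()
        except GuardViolation:
            return "DENIED"
        except Exception as exc:          # anything else means the guard did not fire
            return f"ESCAPED:{type(exc).__name__}"
        return "ALLOWED"

    def connect(addr):
        with socket.socket() as s:
            s.settimeout(2)
            s.connect(addr)

    def read_file(path):
        with open(path) as fh:
            return fh.read()

    with guarded([endpoint]):
        return {
            "read_artifact": attempt(lambda: read_file(readable)),
            "allowed_remote_read": attempt(lambda: connect(endpoint)),
            "general_network": attempt(lambda: connect(("127.0.0.1", 9))),
            "subprocess": attempt(lambda: subprocess.Popen(["true"])),
            "shell": attempt(lambda: os.system("true")),
            "dynamic_import": attempt(lambda: __import__("not_a_loaded_module_xyz")),
            "file_write": attempt(lambda: open(unwritable, "w")),
            "file_remove": attempt(lambda: os.remove(readable)),
        }


def demo():
    """Constructed scenario: a local listener stands in for the allowed
    read-only endpoint and a temp dir holds one readable artifact."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    workdir = tempfile.mkdtemp()
    readable = os.path.join(workdir, "artifact.txt")
    with open(readable, "w") as fh:
        fh.write("constructed artifact\n")
    try:
        return run_probes(srv.getsockname(), readable, os.path.join(workdir, "out.txt"))
    finally:
        srv.close()


if __name__ == "__main__":
    for probe, outcome in demo().items():
        print(f"{probe:22s} {outcome}")
```

An `ESCAPED:` outcome is the interesting one for the acceptance matrix: it means the operation completed or failed for some reason other than the guard, which is exactly the semantic bypass a token scan cannot see. Hooks are process-wide and permanent, so in a real inspector they belong in the entry point, before any inspection code runs.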
9. Three declarations for this mission
- Permanent (Vĩnh viễn): the correction targets the root ambiguity: policy authority and the enforceable capability boundary must be explicit before code, so later agents cannot improvise them.
- Can a mistake be tolerated (Nhầm được không): not yet. Rev2 blocks false-green verdicts, but does not yet make authority/capability misuse impossible; therefore implementation remains blocked.
- 100% automated (100% tự động): not yet proven. Manual review is a fail-closed stop, not an automated acceptance path; no automated positive readiness is authorized.
10. Minimal safe next step
Return to T1 for rev3.