KB-7752

Codex Re-seal Gap-only Scope Spec rev3 — PG-first / Guard Check

Revision 1

Codex Re-seal — Gap-only Scope Spec rev3

Date: 2026-06-09
Mode: narrow adversarial re-seal of the four rev2 blocker classes only
Production mutation: NO
Implementation/tool/schema/runner/FIX7 execution: NOT PERFORMED
Final verdict: GAP_ONLY_SPEC_REV3_PARTIAL_FIX_REQUIRED

0. Scope and evidence inspected

Inspected only the prompt-defined rev3 packet, the rev2 Codex re-seal blocker record, Operating Rules SSOT v7.58, and Constitution v4.6.3 / Article 14, all via authoritative KB reads. The local filesystem was not used as project truth.

Rev3 documents inspected:

  • designs/implementation-package-dot-v0-1-gap-only-scope-spec-rev3-2026-06-09.md and .json
  • designs/fix7-read-report-pilot-design-rev3-for-implementation-package-dot-v0-1-2026-06-09.md
  • planning/mvp-read-report-inspector-implementation-plan-no-code-rev3-2026-06-09.md
  • designs/acceptance-test-matrix-implementation-package-dot-v0-1-rev3-2026-06-09.md
  • reports/codex-fix-ledger-gap-only-spec-rev3-2026-06-09.md
  • reviews/codex-checkpoint-packet-gap-only-spec-and-fix7-pilot-rev3-2026-06-09.md

1. Final verdict

GAP_ONLY_SPEC_REV3_PARTIAL_FIX_REQUIRED

Rev3 correctly repairs the FIX7 discoverability overclaim and materially improves the taxonomy, KB-first, PG-read-only, and negative-test design. It is not sealable for MVP implementation yet because the structural guard still relies on ungrounded process-level assertions, and the provisional negative taxonomy can still become a shadow denial authority.

The decisive residual gaps are:

  1. Negative authority remains possible. Removing positive verdicts prevents false-green but does not prevent READ_LEVEL_FAIL, BLOCKED, flags, and exit codes from becoming an authoritative downstream gate. A classifier can be a shadow SSOT by denying/blocking, not only by approving.
  2. Endpoint allowlist is not structurally grounded. The cited query_pg database allowlist proves only that the gateway restricts target databases. It does not prove that the future inspector process cannot make general network calls to other endpoints.
  3. Secret/local/KB-write boundaries remain assertions. Static import denylist and runtime self-check do not make environment-secret access, local filesystem access, or arbitrary KB update/delete/ingest impossible. WRITE_KB_REPORT has no named server-enforced path-scoped writer/credential.
  4. SELECT-side-effect protection is underspecified. Read-only transaction and SELECT-only AST validation are strong for PG data mutation, but SELECT-only alone does not prove rejection of functions with external or non-table side effects. The exact query grammar/function policy and enforcement owner are not identified.

Under the rule "not certain to be correct = wrong" (Không chắc đúng = sai), MVP implementation remains unauthorized.

2. Gate table

Gate 1 — Taxonomy / rule authority
  Verdict: PARTIAL
  Evidence inspected: spec §§2, 4–7, 16, 18; JSON taxonomy governance; matrix #18/#19
  Issue found: PROVISIONAL_NON_AUTHORITY, version/provenance, no positive verdict, unknown-fail-closed, and the future promotion contract are correct. However, READ_LEVEL_FAIL/BLOCKED/flags/exit codes can still operate as a negative authority if consumed as a gate. "Never positive" does not prove "never authority."
  Required correction: Make every inspector result explicitly advisory with decision_effect=NONE; prohibit automated allow/deny/block decisions based on it; either rename authoritative-looking final verdicts to triage findings or define a separate sealed consumer contract before any gate use.

Gate 2 — KB-first / PG-first / native-driven
  Verdict: PARTIAL
  Evidence inspected: spec §§0, 9, 10, 16; plan §§3–5; matrix #34/#35
  Issue found: Local-last and governed-source citation are correctly specified. But the rule "all authoritative project data lives on KB/PG/native" is too broad: KB location alone does not establish authority; draft/review-ready/evidence documents remain non-authority.
  Required correction: Require source authority metadata/status and precedence for every consumed source; a KB path alone must never make a source authoritative. Preserve the report as evidence-only/non-authority.

Gate 3 — Structural no-run/no-write guard feasibility
  Verdict: FAIL
  Evidence inspected: spec §12; plan G4/G5/G11; matrix #25–#33
  Issue found: Endpoint allowlist, no-direct-driver, action manifest, and denylist are stated, but no concrete process sandbox, network policy, or path-scoped KB writer is named. A DB allowlist is not a process egress allowlist. Static scans and self-checks are bypassable and do not structurally deny env secrets, local FS, or arbitrary KB mutations.
  Required correction: Rev4 must name the enforcement substrate: a process/container sandbox or equivalent deny-by-default capability host; a network policy/proxy allowing only connector endpoints; no local-FS mount/access; a scrubbed env; and a server-enforced KB writer restricted to create/update only under the report prefix, with delete/ingest/patch outside scope impossible.

Gate 4 — PG read-client write risk
  Verdict: PARTIAL
  Evidence inspected: spec §§9.1, 12.2–12.3; plan G11/§12; matrix #20–#24
  Issue found: No direct DB driver + context_pack_readonly + READ ONLY transaction + single-query gateway is a sound direction. Role attributes alone do not prove grants; a SELECT-only AST check does not by itself block side-effect functions; the exact function/query policy is not grounded.
  Required correction: Require evidence of effective grants/default privileges; define the exact allowed SQL grammar/surface allowlist; deny all function calls unless explicitly governed read-only; verify transaction_read_only=on; test server refusal and provenance logging.

Gate 5 — FIX7 artifact discoverability honesty
  Verdict: PASS
  Evidence inspected: pilot §§3.1–3.2, 6, 8; spec §21; matrix #36/#37
  Issue found: None. Rev3 correctly says the .py is not adequately evidenced through allowed governed surfaces, not globally absent. Fixture A′ correctly yields UNVERIFIED; no command is run.
  Required correction: Preserve unchanged.

Gate 6 — Negative tests coverage
  Verdict: PARTIAL
  Evidence inspected: plan §9; matrix #20–#37
  Issue found: All prompt-listed bypass categories are named. Some acceptance criteria depend on guards that are not yet structurally specified. Test #28 incorrectly treats a gateway DB allowlist as grounding general process egress denial. No explicit test exists for arbitrary KB update/delete/patch/ingest outside the report prefix.
  Required correction: Bind tests to the concrete rev4 enforcement substrate; add tests for arbitrary KB mutation outside the report prefix; correct #28 to verify process-level egress denial; add bypass tests against alternate HTTP/client libraries and env/local-FS access.

Gate 7 — MVP readiness
  Verdict: FAIL
  Evidence inspected: all gates above
  Issue found: Building now would require the implementer to invent the sandbox, network, secret, KB-write, SQL-function, and downstream-consumer boundaries.
  Required correction: Return to T1 for a narrow rev4. No implementation yet.

3. Previous blocker closure table

Blocker 1 — Taxonomy/rule shadow SSOT
  Closure: PARTIALLY FIXED
  Evidence basis: provisional/non-authority, versioned, no positive verdict/exit 0, unknown fail-closed
  Residual risk: Negative verdicts can still become authoritative denial/blocking policy downstream.

Blocker 2 — No-run/no-write structural feasibility
  Closure: PARTIALLY FIXED
  Evidence basis: socket ban removed; endpoint allowlist proposed; governed PG gateway/read-only transaction named
  Residual risk: No concrete process-level egress/sandbox/secret/local-FS/KB-write enforcement substrate.

Blocker 3 — FIX7 artifact discoverability
  Closure: FIXED
  Evidence basis: actual governed-surface discovery chain; global absence explicitly not claimed; Fixture A′
  Residual risk: None within read-level scope. Execution/global absence remains correctly deferred.

Blocker 4 — Negative-test bypass coverage
  Closure: PARTIALLY FIXED
  Evidence basis: all requested categories listed in matrix/plan
  Residual risk: Several tests currently prove only assertions; general egress and arbitrary KB mutation remain insufficiently covered.

4. KB-first / PG-first verdict

Verdict: PARTIAL.

Rev3 correctly makes KB/PG/native reads primary, removes arbitrary local-path input capability, records governed-source provenance, and keeps local copies/report files non-authoritative.

Residual defect: location is not authority. A KB document may be draft, review-ready, evidence-only, superseded, or binding. Rev4 must require an authority-status field and precedence check for every source. “KB-first” must mean read authoritative-status metadata first, not treat every KB document as truth.

5. Taxonomy / shadow-SSOT verdict

Verdict: PARTIAL.

Rev3 closes positive-authority/fake-green risk. It does not fully close shadow authority because a provisional classifier emitting READ_LEVEL_FAIL, BLOCKED, flags, and nonzero exits can still block a build or workflow.

Required rev4 rule: all outputs have authority_status=PROVISIONAL_NON_AUTHORITY, decision_effect=NONE, and may_gate=false. Any downstream gate/block/authorization use requires a separate sealed consumer/authority contract. The inspector may route findings for review but cannot itself decide readiness.

6. Guard feasibility verdict

Verdict: FAIL.

The PG gateway boundary is plausible, but the whole-process guard is not yet structural:

  • the gateway database allowlist does not enforce a general process endpoint allowlist;
  • an import denylist or runtime self-check is not a sandbox;
  • no enforcement prevents alternate HTTP libraries, raw local-file APIs, or environment access;
  • the KB write connector exposes broader mutation verbs unless a path-scoped server-side writer is defined;
  • the report-path restriction is currently a plan assertion, not an infrastructure guarantee.
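The last two bullets ask for a writer whose restriction is enforced on the server, not asserted in a plan. As an added illustration, not code from the rev3 packet or from any connector or project component, the following Python sketch shows the shape of that check: the writer class exposes only create and update, and both run through a prefix check on a normalised path so that traversal, absolute paths, and near-prefix names cannot escape. The prefix reports/, the verb set {create, update}, the WriteRequest type, and the in-memory store are assumptions made for the example; rev4 would pin the real values.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed policy values for the example; rev4 would pin the real prefix and verb set.
REPORT_PREFIX = "reports/"
ALLOWED_VERBS = {"create", "update"}


@dataclass(frozen=True)
class WriteRequest:
    verb: str   # what the caller asks for: create, update, delete, patch, ingest, upload, ...
    path: str   # KB path exactly as submitted, before any normalisation


def normalize_kb_path(path: str) -> str:
    """Canonicalise a KB path so the prefix check cannot be bypassed.

    Rejects NUL bytes, backslashes and percent-escapes outright (fail-closed rather
    than guessing how the store would decode them), collapses "." and ".." segments,
    and refuses anything that resolves to an absolute path or climbs above the root.
    """
    if not path or "\x00" in path or "\\" in path or "%" in path:
        raise ValueError("empty path, NUL byte, backslash or percent-escape")
    norm = posixpath.normpath(path)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        raise ValueError(f"path escapes the KB root: {norm!r}")
    return norm


def authorize_write(req: WriteRequest) -> Tuple[bool, str]:
    """Return (allowed, detail): detail is the canonical path when allowed, else the reason."""
    verb = req.verb.strip().lower()
    if verb not in ALLOWED_VERBS:
        # delete/patch/ingest/upload are refused even for paths inside the prefix
        return False, f"verb {verb!r} is outside the report writer's scope"
    try:
        norm = normalize_kb_path(req.path)
    except ValueError as exc:
        return False, f"path rejected: {exc}"
    # The trailing "/" in REPORT_PREFIX is what stops "reportsx/..." from matching, and
    # normpath strips a trailing slash, so "reports/" alone normalises to "reports" and fails too.
    if not norm.startswith(REPORT_PREFIX):
        return False, f"path {norm!r} is outside {REPORT_PREFIX!r}"
    return True, norm


class PathScopedReportWriter:
    """Server-side writer exposing only create/update, each gated by authorize_write.

    The backing dict stands in for the real KB connector; the point is that no
    delete/patch/ingest method exists on this object at all.
    """

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def create(self, path: str, body: str) -> str:
        ok, detail = authorize_write(WriteRequest("create", path))
        if not ok:
            raise PermissionError(detail)
        if detail in self._store:
            raise FileExistsError(detail)    # create must not silently overwrite
        self._store[detail] = body
        return detail

    def update(self, path: str, body: str) -> str:
        ok, detail = authorize_write(WriteRequest("update", path))
        if not ok:
            raise PermissionError(detail)
        if detail not in self._store:
            raise FileNotFoundError(detail)  # update must not create new documents
        self._store[detail] = body
        return detail

    def read(self, path: str) -> str:
        return self._store[normalize_kb_path(path)]
```

The cases worth keeping in the negative-test matrix are the ones a naive startswith("reports") check passes: reports/../designs/spec.md, /reports/x.md, reportsx/x.md, and a delete or ingest aimed at a path that is inside the prefix. The verb check runs before the path check on purpose, so a disallowed verb is refused regardless of where it points.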

7. FIX7 discoverability verdict

Verdict: PASS.

Rev3 is honest and adequate for read-level discovery:

  • does not claim global absence;
  • reports .py as BLOCKED_BY_UNVERIFIED_SOURCE;
  • keeps actual run/global-absence proof deferred;
  • catches wrong-kind/prose-only evidence defects;
  • runs no canonicalizer or command.

8. Negative tests verdict

Verdict: PARTIAL.

The matrix lists all prompt-required categories, including shell/subprocess, dynamic import, general network, credential access, PG write, multi-statement, side-effect function, filesystem write, local-first, taxonomy-as-authority, and FIX7 discoverability.

Required corrections:

  • bind each test to a named enforcement mechanism;
  • test process-level network denial, not only gateway DB denial;
  • add alternate-client/import bypasses;
  • add arbitrary KB update/delete/patch/ingest/upload outside the report prefix;
  • prove env is scrubbed and local filesystem is unavailable/read-denied;
  • prove side-effect function rejection using the exact gateway query policy.
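Gate 4 and the last bullet above turn on the same point: "the statement starts with SELECT" is not a read-only guarantee. As an added illustration, not code from the rev3 packet or from the query_pg gateway, the following Python policy check shows what a deny-by-default function allowlist looks like and which SELECT-shaped statements it must refuse. The allowlisted function names, the denied-keyword set, and the check_readonly_query name are assumptions for the example. It tokenises rather than parses, which is deliberately crude; in a real gateway this layer sits in front of, not instead of, a READ ONLY transaction and effective-grant verification.

```python
import re
from typing import List, Tuple

# Assumed allowlist of pure, read-only functions the gateway would accept.
# Everything else, including table functions and schema-qualified calls, is refused.
ALLOWED_FUNCTIONS = {"count", "sum", "min", "max", "avg", "coalesce",
                     "lower", "upper", "length", "cast", "now"}

# Keywords that legitimately precede "(" without being a function call.
NON_CALL_KEYWORDS = {"select", "from", "where", "and", "or", "not", "in", "exists",
                     "on", "as", "join", "any", "all", "some", "using", "over",
                     "filter", "lateral", "values", "distinct", "between", "when",
                     "then", "else", "by", "having", "limit", "offset"}

# Clauses and statement types a SELECT-shaped query can still smuggle in.
# WITH is refused wholesale because a CTE may carry INSERT/UPDATE/DELETE.
DENIED_KEYWORDS = {"insert", "update", "delete", "merge", "into", "for", "lock",
                   "copy", "truncate", "alter", "create", "drop", "grant", "revoke",
                   "call", "do", "execute", "set", "reset", "refresh", "listen",
                   "notify", "with", "returning"}

_TOKEN_RE = re.compile(r"""
    (?P<skip>\s+|--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*'|\$[A-Za-z_]*\$.*?\$[A-Za-z_]*\$)
  | (?P<qident>"(?:[^"]|"")*")
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<op>::|<>|<=|>=|!=|[(),;.*=<>+\-/%\[\]])
""", re.VERBOSE | re.DOTALL)


def tokenize(sql: str) -> List[Tuple[str, str]]:
    """Split SQL into (kind, text) tokens; whitespace and comments are dropped.

    Unquoted identifiers fold to lower case as PostgreSQL does; quoted ones keep
    their case, so "Count"(x) and count(x) are judged as different names. Any byte
    the lexer does not understand raises, so odd input is refused rather than guessed at.
    """
    tokens: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(sql):
        m = _TOKEN_RE.match(sql, pos)
        if not m:
            raise ValueError(f"unexpected character {sql[pos]!r} at offset {pos}")
        pos = m.end()
        kind, text = m.lastgroup, m.group()
        if kind == "skip":
            continue
        if kind == "ident":
            text = text.lower()
        elif kind == "qident":
            text = text[1:-1].replace('""', '"')
        tokens.append((kind, text))
    return tokens


def check_readonly_query(sql: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one statement under the deny-by-default policy."""
    try:
        tokens = tokenize(sql)
    except ValueError as exc:
        return False, f"lexer: {exc}"
    if tokens and tokens[-1] == ("op", ";"):
        tokens = tokens[:-1]             # a single trailing terminator is tolerated
    if not tokens:
        return False, "empty statement"
    if ("op", ";") in tokens:
        return False, "multiple statements"
    if tokens[0] != ("ident", "select"):
        return False, f"statement must start with SELECT, got {tokens[0][1].upper()!r}"
    for kind, text in tokens:
        if kind == "ident" and text in DENIED_KEYWORDS:
            return False, f"denied keyword {text.upper()}"
    # Any name directly followed by "(" is a call: scalar, aggregate or table function.
    for (kind, text), nxt in zip(tokens, tokens[1:]):
        if nxt != ("op", "(") or kind not in ("ident", "qident"):
            continue
        if kind == "ident" and text in NON_CALL_KEYWORDS:
            continue
        if text not in ALLOWED_FUNCTIONS:
            return False, f"function {text!r} is not in the read-only allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample statements: the ones a bare "starts with SELECT" check
    # would pass are exactly the ones this policy has to refuse.
    for q in [
        "SELECT id, lower(name) FROM users WHERE id = 42",
        "SELECT count(*) FROM users; DROP TABLE users",
        "SELECT pg_sleep(10)",
        "SELECT pg_catalog.lo_import('/etc/passwd')",
        "SELECT * FROM dblink('host=attacker', 'select 1') AS t(x int)",
        "SELECT nextval('order_seq')",
        "SELECT * FROM accounts FOR UPDATE",
        "WITH d AS (DELETE FROM audit RETURNING *) SELECT * FROM d",
        'SELECT "pg_sleep"(1)',
    ]:
        print(check_readonly_query(q), "<-", q)
```

The refused cases are the ones that motivate the "deny all function calls unless explicitly governed read-only" correction: pg_sleep and lo_import are SELECTs with side effects outside any table, nextval advances a sequence inside a READ ONLY transaction without error, dblink makes the database server itself open a network connection, FOR UPDATE takes row locks, and a data-modifying CTE never begins with SELECT at all. A quoted "pg_sleep" or a schema-qualified pg_catalog.pg_sleep is caught because the check keys on the name immediately before the parenthesis, not on the first word of the statement.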

9. MVP readiness

  • MVP implementation allowed now: NO
  • Potential later allowed scope: negative/triage-only read/report inspector; no execution; no mutation beyond a path-scoped KB report writer; no local-first input; no proof-of-run; no taxonomy authority.
  • Prohibited scope: runner/invoker, direct DB driver, general network, credential access, local filesystem authority, arbitrary KB mutation, Directus/PG/registry/system_issues mutation, TAC/IU bridge, positive or negative automated gate authority.
  • Remaining blockers: negative-authority consumer boundary; process-level sandbox/egress/secret/local-FS controls; path-scoped KB writer; exact PG query/function policy and effective-grant proof; enforcement-bound negative tests.

10. Minimal safe next step

Return to T1 for rev4.

Narrow rev4 corrections only

  1. Define decision_effect=NONE/may_gate=false for every triage output and prohibit all automated allow/deny/block use without a future sealed consumer contract.
  2. Name a concrete deny-by-default runtime enforcement substrate for process egress, local FS, environment secrets, and capability exposure.
  3. Define a server-enforced KB report writer restricted to the exact report prefix and permitted verbs; all other KB mutation verbs/paths must be impossible.
  4. Define and ground exact PG query/function policy plus effective-grant/read-only evidence.
  5. Bind negative tests to those controls and add arbitrary-KB-mutation/process-egress bypass cases.

11. Three declarations

  • Permanent (Vĩnh viễn): rev4 must close the root authority and capability boundaries so later implementation agents cannot invent them.
  • Can it be wrong? (Nhầm được không): not yet; the current design can still be misused as a negative authority, and the process-level restrictions can be bypassed.
  • 100% automated (100% tự động): not yet proven; the required structural enforcement and acceptance tests are unbuilt and partially unspecified.