KB-1BE2

Checkpoint — FIX7 P0 Codex-Rejected SQLite Reproducibility Fix (2026-06-13)

Revision 1
<!-- DOC_STATUS: ACTIVE_NON_AUTHORITY -->

Status: FIX7_P0_CODEX_REJECTED_SQLITE_REPRODUCIBILITY_FIXED_CAPSULE_READY

Macro: FIX7_P0_FIX_CODEX_REJECTED_SQLITE_REPRODUCIBILITY_AND_RESEAL_CAPSULE_MACRO_2026_06_13

Host: T1 / CLEAN TERMINAL

Production mutation: NO. Live contact: NO. CI trigger: NO. Secrets: NO. Real production data: NO. Decision selected: NO. Codex rejection evidence deleted: NO.

Sequence executed (all proven from local raw bytes)

  1. Preserved Codex's rejection-run evidence (the 4 regenerated JSONs it left on disk, mtime 2026-06-13 04:19) byte-exact into logs/codex-rejection-evidence-preserved-2026-06-13/ BEFORE any rerun.
  2. Reproduced the rejection before fixing: VERIFY_CAPSULE.sh exit 1 + RERUN_ALL.sh exit 1; exactly rollback-evidence.json and surrogate-rehearsal-execution-evidence.json mismatched (logs/codex-rejection-reproduced-before-fix.log).
  3. Root cause proven: fresh generations are byte-stable within one runtime but differ across SQLite builds: 3.42.0 -> 5a6ad463..., 3.51.0 -> a7c5bddd..., Codex env -> 1fbf9607...; diff vs seal confined to raw-file-hash fields. Old evidence put raw FILE hashes in the pass/fail path.
  4. Fix (preferred canonical-logical-evidence option): NEW canonicalize_sqlite_state.py (6997da40...69715c41, CANONICAL_LOGICAL_STATE_V1, selftest 6/6 incl. raw-bytes-differ-while-canonical-equal and tamper fail-closed); surrogate_rehearsal.py now records canonical state hashes (full-db + mutated-table-subset entries) as the ONLY pass/fail hashes and adds canonical fail-closed guards; raw file + iterdump hashes moved to raw-sqlite-diagnostic.json (regenerated, UNSEALED, never compared). Hardened validator e6547e69...956c47 UNCHANGED; generator UNCHANGED; no safety check removed.
  5. Resealed: packet tree b476b547... -> ad9e15112d378ca2734707d04b4ff21614148f040d534c43df77d89be574f401 (25 sealed files); capsule manifest 203 files; capsule tree 86e553b8cdb5e15cc2c633cb8ed2516f0bc70ead95fbbd737f9aaa1a15541822. Updated VERIFY_CAPSULE.sh (13 steps, new canonical step), RERUN_ALL.sh (14 steps), EXPECTED_HASHES_AND_TREES.json (incl. fixture canonical pin ec8a584c...adc8bd + defect_fix_2026_06_13 supersession block), EVIDENCE_PATH_MAP.json, expected-results.json, capsule manifest.json, CODEX_AUDIT_INSTRUCTIONS.md (first commands UNCHANGED), README_FOR_CODEX.md, REQUIRED_READ_ORDER.md, fixture provenance docs; sealed defect-fix report md+json added under reports/. 2026-06-12 lane reports + prior Codex BLOCKED audit preserved byte-intact.
  6. Proofs after fix: fresh process packet RERUN x2 PASS (3.42.0); fresh-tempdir packet RERUN on DIFFERENT build (3.51.0) PASS with 4/4 sealed evidence byte-identical; VERIFY_CAPSULE.sh exit 0; RERUN_ALL.sh exit 0 (14/14 incl. post-rerun seal integrity); bad-input regression capsule 10/10 + packet 12/12 fail-closed, 0 forbidden-token leaks; validator selftest PASS. All logs under capsule logs/ per macro spec.
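
The idea behind steps 3 and 4, as an added example (not the project's canonicalize_sqlite_state.py and not its CANONICAL_LOGICAL_STATE_V1 format): hash the logical state of a database instead of its file bytes, so two files that differ on disk but hold the same rows compare equal, while a changed row does not. Assumptions: the function names, the `ledger` table, the sample rows and the `EXAMPLE_CANONICAL_V0` tag are constructed for illustration, and a different page size stands in for the byte-level differences between SQLite builds.

```python
import hashlib, json, os, sqlite3, tempfile

def _enc(v):  # type-tagged so 1, 1.0, "1" and b"1" hash differently
    return [type(v).__name__, v.hex() if isinstance(v, bytes) else repr(v)]

def canonical_state_hash(db_path, tables=None):
    """SHA-256 over logical state (columns + sorted rows), never file bytes."""
    # mode=ro fails closed: a missing file raises instead of being created.
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        if tables is not None:  # table-subset entry
            if set(tables) - set(names):
                raise ValueError("requested table missing; refusing to hash")
            names = sorted(tables)
        h = hashlib.sha256(b"EXAMPLE_CANONICAL_V0\n")  # constructed domain tag
        for name in names:
            q = '"' + name.replace('"', '""') + '"'
            cols = [[_enc(x) for x in c[1:]] for c in con.execute(f"PRAGMA table_info({q})")]
            rows = sorted(json.dumps([_enc(x) for x in r]) for r in con.execute(f"SELECT * FROM {q}"))
            h.update(json.dumps([name, cols, rows]).encode())
        return h.hexdigest()
    finally:
        con.close()

def _build(path, page_size, rows):
    con = sqlite3.connect(path)
    con.execute(f"PRAGMA page_size={page_size}")  # changes the raw file layout
    con.execute("CREATE TABLE ledger(id INTEGER PRIMARY KEY, acct TEXT, amt INTEGER)")
    con.executemany("INSERT INTO ledger VALUES(?,?,?)", rows)
    con.commit(); con.close()

def demo():
    rows = [(1, "a", 10), (2, "b", 20), (3, "c", 30)]  # constructed sample data
    raw = lambda p: hashlib.sha256(open(p, "rb").read()).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "a.db"), os.path.join(d, "b.db")
        _build(a, 4096, rows)
        _build(b, 1024, rows[::-1])  # same rows, different insert order
        out = {"raw_equal": raw(a) == raw(b),
               "canonical_equal": canonical_state_hash(a) == canonical_state_hash(b)}
        before = canonical_state_hash(b, ["ledger"])
        con = sqlite3.connect(b)
        con.execute("UPDATE ledger SET amt=21 WHERE id=2")  # simulated tamper
        con.commit(); con.close()
        out["tamper_detected"] = canonical_state_hash(b, ["ledger"]) != before
    return out
```
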

Governance

No canonical fold; registry/index untouched. New objects TKT-OBJ-531..539 reserved ONLY in the standalone addendum (APPLY_NOW=NO, above 530): fix7-p0-codex-rejected-sqlite-reproducibility-fix-governance-addendum-2026-06-13.md.

Next

Owner routes Codex back to the capsule (/Users/nmhuyen/Documents/Manual Deploy/web-test/codex_review_evidence/fix7-p0-final-pre-real-data-readiness-2026-06-12/); prompt: fix7-p0-final-codex-audit-prompt-from-capsule-2026-06-13.md. First commands unchanged. Production/real-data decisions remain owner-only, default HOLD_REAL_DATA; nothing here authorizes them.

knowledge/dev/reports/architecture/checkpoint-fix7-p0-codex-rejected-sqlite-reproducibility-fix-2026-06-13.md