Codex FIX7 Blueprint Recheck 9 V2 — Packet Rerun and Seal Review
Codex FIX7 Blueprint Recheck 9 V2 — Packet Rerun and Seal Review
Date: 2026-06-10
Final status: CODEX_RECHECK_9_V2_NEEDS_T1_FIX
Production mutation: NO
Seal decision: REJECT / DO NOT SEAL N7, N8, P7, canonicalizer hash/revision, or blueprint approval.
1. Scope and sources
Read the prompt-defined V1 rejection, V2 handoff, hardening report, adversarial report, current-state report, packet root, current canonicalizer SSOT rev3, current 10 active documents, Operating Rules SSOT v7.58, and Constitution v4.6.3 Articles/NT13-NT14. Work was read-only KB review plus safe/offline reconstruction and tamper tests in /tmp; no FIX7 implementation or production/runtime mutation.
2. Nominal and KB-native evidence
Fresh governed-MCP fetch reconstructed all 19 packet-root documents plus the 10 canonical active documents. Two independent fetch passes returned the same revisions, byte lengths, and SHA-256 values.
RECONSTRUCTION: OK (28 files fetched from KB; tree matches HASH_MANIFEST bidirectionally)
TREE_HASH=21752e19c76f76613ba1680b734686c558a130e05d64dbc9eb5131b822fba480
TRACKED=28
Nominal rerun:
PACKET_COMPLETENESS: OK (29 required files present; HASH_MANIFEST covers the tracked tree bidirectionally; all hashes match)
shasum -c: all 28 entries OK
MANIFEST_VERIFY: OK — ENTIRE authority section (17 top fields, 25 artifact hashes, selftest 45/45, forbidden hits 0, 8 negative tests) recomputed and equal
ADVERSARIAL_SUITE: PASS (22/22 expectations met)
RERUN_RESULT: PASS (all 10 gates re-executed and enforced in this invocation)
exit=0
3. Required sampled tamper tests
| Probe | Observed |
|---|---|
authority.forbidden_scope.forbidden_operations_found=999 |
manifest_tool.py --verify exit 1; full RERUN exit 1 |
| extra authority key | verify exit 1; full RERUN exit 1 |
| explanatory-only extra field | verify exit 0, as required for non-authority explanation |
| missing active doc 05 | actual canonicalizer CLI exit 4; all candidate digests suppressed; RERUN exit 1 |
| extra active doc | actual CLI exit 4; all candidates suppressed |
| invalid active doc | actual CLI exit 4; all candidates suppressed |
| absent docs directory | actual CLI exit 4; all candidates suppressed |
| active-doc hash tamper | verify exit 1; RERUN exit 1 |
| missing raw log | verify exit 1; completeness exit 1; RERUN exit 1 |
The current P-EXT-2 implementation is functionally fail-closed on all directly sampled corpus-error CLI paths.
4. Decisive remaining engineering defect
R9-V2-B6 — CLI exit contract is synthesized, not executed by the packet proof
manifest_tool.py:run_negative_tests() calls canon.produce() in-process, then creates:
cli_exit_contract = 0 if corpus_ok and membership_frozen_ok else 4
It never executes the canonicalizer CLI wrapper or observes its process/SystemExit result. adversarial_suite.py T2 also calls canon.produce() and checks suppression, but does not exercise the CLI exit. Therefore the authority field negative_tests.*.cli_exit_contract=4 is a recomputed hard-authored inference, not executable evidence of the actual CLI contract.
Independent exploit/probe on a copied packet:
- Changed only the canonicalizer error wrapper from
sys.exit(4)tosys.exit(0)consistently in the SSOT fence/materialized/extended copies. - Regenerated expected valid-corpus output, manifest, and HASH_MANIFEST using the packet's own publishing commands.
- Ran full
bash RERUN.sh. - Removed doc 05 and ran the actual canonicalizer CLI.
BYPASS_RERUN_EXIT=0
MANIFEST_VERIFY: OK ... 8 negative tests recomputed and equal
ADVERSARIAL_SUITE: PASS (22/22 expectations met)
RERUN_RESULT: PASS (all 10 gates re-executed and enforced in this invocation)
BYPASS_MISSING_DOC_CLI_EXIT=0
corpus_ok: False
membership_frozen_ok: False
ALL CANDIDATE DIGESTS SUPPRESSED ... -> exit 4
The printed -> exit 4 is prose while the observed exit is 0. This reproduces the exact old failure class under a freshly self-consistent packet, yet V2 verifier/RERUN/adversarial suite all pass. It is an Article-14 failure and disguised-hardcode/current-PASS gap.
Who acts: T1.
Exact required fix: replace synthesized cli_exit_contract evidence with execution of the real CLI wrapper for missing/extra/invalid/absent-dir cases, asserting observed exit exactly 4 and suppression output/state. Add an executable regression where a forced CLI error-exit of 0 makes both adversarial suite and full RERUN fail. A safe in-process runpy/SystemExit harness is acceptable; do not weaken forbidden-operation scanning.
5. R9-B1 through R9-B5 verdicts
| Blocker | Verdict | Reason |
|---|---|---|
| R9-B1 manifest completeness | NOT CLOSED | Most authority fields deep-diff correctly, but negative_tests.*.cli_exit_contract is synthesized rather than observed; a fail-open CLI can still receive manifest PASS. |
| R9-B2 fail-closed produce | CLOSED FUNCTIONALLY | Current real CLI returns 4 and suppresses all candidate digests for missing/extra/invalid/absent-dir samples; valid-corpus values remain stable. |
| R9-B3 strict RERUN | NOT CLOSED | Nominal exits are enforced, but negative-test gate does not execute the actual CLI exit contract; full RERUN passes a self-consistent fail-open CLI packet. |
| R9-B4 KB-native packet | CLOSED | Fresh KB-only reconstruction succeeded, current tree hash is identical, required runnable/log artifacts are KB-readable, no local mirror was used as authority. |
| R9-B5 current KB byte proof | CLOSED at MCP-byte level | Governed full-content MCP fetch is sufficient: IDs, revisions, byte lengths, and SHA-256 were independently reproduced twice. A server-side digest endpoint is useful but not required for this rerun. |
6. Current KB byte identity
The current 10 canonical docs match packet pins at revisions 49, 6, 33, 6, 39, 24, 70, 55, 17, 64. Current canonicalizer SSOT is revision 3, 38756 UTF-8 bytes, SHA-256:
49c386a9b9666c09786fc4f89bc79776b6046eaee6f4da6d8537d2c753b734d0
This byte identity is independently verified and may remain a candidate. It is not authoritatively pinned/sealed in this review because engineering proof remains defective.
7. Constitution and hardcode verdicts
- Article 13 / NT13: PASS for this evidence lane. The packet is KB-native; fresh fetch, not a local mirror, is the governed source. No production PG/runtime behavior was changed or approved.
- Article 14 / NT14: FAIL. The packet says it proves nonzero CLI error exits, but its executable tests synthesize the value and cannot catch a fail-open CLI wrapper.
- Hardcode / disguised hardcode: FAIL for the load-bearing CLI-exit proof. Frozen membership pins and controlled fixtures are acceptable; the synthesized
cli_exit_contract=4presented as executed negative evidence is not. - Candidate/rehearsal discipline: PASS. No N7/N8/P7/candidate value is currently claimed sealed.
8. N7 / N8 / P7 and seal decision
- N7: DO NOT SEAL; sealed approval-event inputs and owner authority remain absent.
- N8: DO NOT AUTHOR.
- P7: DO NOT RE-SEAL until T1 closes R9-V2-B6 and Codex reruns the corrected packet.
- Canonicalizer rev3 hash/revision: byte identity verified, candidate only; DO NOT PIN as authoritative yet.
- Blueprint approval: NOT AUTHORIZED; owner's standing do-not-approve remains.
9. Final verdict
CODEX_RECHECK_9_V2_NEEDS_T1_FIX
This is not AUTHORITY_BLOCKED because an independent engineering/evidence defect remains before the authority-only step.
10. Minimal safe next step
T1 must patch the packet proof so every negative corpus case executes and asserts the actual CLI exit contract, add the fail-open-wrapper regression test, publish Packet V3/corrected V2, then route a fresh Codex Recheck-9 rerun. No implementation, REAL_RUN, QT001, permit, activation, repoint, cutover, or production mutation is authorized.