KB-3BD6

Codex FIX7 Blueprint Recheck 9 V3 — Black-Box CLI Oracle Rerun and Seal Review

Revision 1

Date: 2026-06-10
Final status: CODEX_RECHECK_9_V3_AUTHORITY_BLOCKED
Production mutation: NO
Engineering verdict: PASS
Seal decision: DO NOT AUTHOR N7/N8/P7 or approve the blueprint in this run; remaining blockers are authority inputs/actions only.

1. Scope

Reviewed only the prompt-defined V3 packet and adjacent proof risks. Read Codex V2 rejection, V3 handoff/reports/current-state, packet root, current canonicalizer SSOT rev3, current 10 active docs, Operating Rules SSOT v7.58, and Constitution v4.6.3 NT13/NT14. Work was read-only KB access plus safe/offline copies in /tmp. No FIX7 implementation, production mutation, REAL_RUN, QT001, permit, activation, repoint, cutover, registries-pivot, or auto-birth action occurred.

2. Fresh KB reconstruction and nominal rerun

Fresh governed-MCP reconstruction fetched 23 packet-root documents and 10 canonical active docs. All fetched revisions/bytes matched HASH_MANIFEST.

RECONSTRUCTION: OK (32 files fetched from KB; tree matches HASH_MANIFEST bidirectionally)
TREE_HASH=b95df0a5d2f41f80bea0cef8621c1f8bb0f6b49a40175116418494ed4141ca6d
TRACKED=32

Full reconstructed packet rerun:

PACKET_COMPLETENESS: OK (33 required files present; HASH_MANIFEST covers the tracked tree bidirectionally; all hashes match)
shasum -c: all 32 entries OK
negative CLI case 'missing': OBSERVED exit 4 + suppression markers + zero digest leak
negative CLI case 'extra': OBSERVED exit 4 + suppression markers + zero digest leak
negative CLI case 'invalid': OBSERVED exit 4 + suppression markers + zero digest leak
negative CLI case 'absentdir': OBSERVED exit 4 + suppression markers + zero digest leak
BLACKBOX_NEGATIVE_SUITE: PASS (10/10 observed-behavior checks; none inferred)
FAILOPEN_REGRESSION: PASS (6/6)
MANIFEST_VERIFY: OK — 6 REAL CLI executions observed against the static oracle
ADVERSARIAL_SUITE: PASS (25/25)
RERUN_RESULT: PASS (all 13 gates re-executed and enforced in this invocation)
exit=0

Standalone reruns independently returned PASS for manifest verify, black-box suite, fail-open regression, and adversarial suite.

3. Independent replay of the Codex V2 attack

On a copied V3 packet, changed the only error wrapper in the SSOT fence/materialized/extended files from sys.exit(4) to sys.exit(0), regenerated SUT-derived expected outputs, attempted manifest/hash republishing, then ran RERUN and suites.

REGEN_SELFTEST_EXIT=0
REGEN_PRODUCE_EXIT=0
ATTACK_EMIT_EXIT=1
ATTACK_VERIFY_EXIT=1
ATTACK_HASH_EMIT_EXIT=0
ATTACK_RERUN_EXIT=1
ATTACK_BLACKBOX_EXIT=1
ATTACK_ADVERSARIAL_EXIT=1
MUTATED_MISSING_CLI_EXIT=0

Decisive evidence:

ORACLE_VIOLATION ... cli_exit_observed: 0, cli_exit_expected: 4
NEGATIVE CLI CASE 'missing': OBSERVED exit 0 != 4 (oracle) — FAIL-OPEN
RERUN_RESULT: FAIL (black-box negative CLI gate)

The mutation genuinely made the CLI fail-open, but --emit, --verify, black-box suite, adversarial suite, and full RERUN rejected it. HASH emission remaining successful is correct because it proves byte transport, not behavior. R9-V2-B6 is closed.

4. Actual negative CLI evidence

Independent direct OS-process samples:

| Case | Observed exit | Candidate suppression | Verdict |
|---|---|---|---|
| missing doc 05 | 4 | all aggregate candidates suppressed | PASS |
| extra doc | 4 | all aggregate candidates suppressed | PASS |
| invalid doc | 4 | all aggregate candidates suppressed | PASS |
| absent docs dir | 4 | all aggregate candidates suppressed | PASS |

Duplicate-active-doc on disk is recorded N/A, not PASS, because the current case-insensitive filesystem cannot host the casefold-equal pair; the exact validator path used by the CLI is executed with an adjacent duplicate-listing fixture.

5. Oracle and anti-hardcode verdict

CLI_ORACLE is an independent static verifier pin derived from the enacted SSOT invocation contract: valid produce/selftest exit 0; corpus-error produce exit 4; suppression marker/token required. It is not generated from SUT output. The actual CLI is observed at two levels: OS-process $? in RERUN gate 6 and runpy/SystemExit in the proof layer.

This is an acceptable controlled specification constant, not disguised hardcode: changing SUT output or regenerating expected outputs/manifest/HASH cannot change the oracle or bypass the independent OS-process gate. Expected-output files are correctly classified as value-consistency pins, not behavioral oracles.
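The gate structure described in sections 3 and 5, as an added example that is not code from the reviewed packet: a hand-pinned oracle is compared against the exit code of a real OS process, so regenerating SUT-derived expected values cannot move the verdict. The marker string, the digest pattern and the three stand-in CLIs are constructed assumptions.

```python
import re
import subprocess
import sys

# Static oracle: a hand-pinned specification constant, never derived from SUT output.
# Exit codes follow the invocation contract quoted above.
CLI_ORACLE = {"valid": 0, "corpus_error": 4}
SUPPRESSION_MARKER = "CANDIDATES_SUPPRESSED"  # hypothetical marker text
DIGEST_RE = re.compile(r"\b[0-9a-f]{64}\b")   # any SHA-256-shaped token counts as a leak

# Constructed stand-in CLIs: fail-closed, the exit(4) -> exit(0) mutation, and a leaky one.
FAIL_CLOSED = "import sys; print('CANDIDATES_SUPPRESSED'); sys.exit(4)"
FAIL_OPEN = "import sys; print('CANDIDATES_SUPPRESSED'); sys.exit(0)"
LEAKY = "import sys; print('CANDIDATES_SUPPRESSED', 'ab' * 32); sys.exit(4)"


def observe(cli_source):
    """Run the CLI as a real OS process; return (exit code, combined output)."""
    proc = subprocess.run([sys.executable, "-c", cli_source],
                          capture_output=True, text=True, timeout=30)
    return proc.returncode, proc.stdout + proc.stderr


def negative_gate(cli_source):
    """Check one corpus-error case against the static oracle; return violations."""
    code, out = observe(cli_source)
    expected = CLI_ORACLE["corpus_error"]
    violations = []
    if code != expected:
        violations.append(f"ORACLE_VIOLATION exit observed {code} != expected {expected}")
    if SUPPRESSION_MARKER not in out:
        violations.append("suppression marker missing")
    if DIGEST_RE.search(out):
        violations.append("digest leaked on error path")
    return violations


def regenerate_expected(cli_source):
    """What a laundering attempt can regenerate: a SUT-derived pin the gate never reads."""
    return observe(cli_source)[0]


if __name__ == "__main__":
    for name, src in [("fail-closed", FAIL_CLOSED), ("fail-open", FAIL_OPEN), ("leaky", LEAKY)]:
        print(name, negative_gate(src) or "PASS")
```
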

6. Adjacent self-referential proof scan

| Probe | Observed | Verdict |
|---|---|---|
| insert inferred cli_exit_contract into manifest | verify exit 1 | PASS |
| toggle codex_sealed_values_present=true | verify exit 1 | PASS |
| tamper manifest authority oracle 4→0 | verify exit 1 | PASS |
| corrupt SUT-derived expected output | RERUN exit 1 | PASS |
| regenerate expected outputs after fail-open mutation | emit/verify/RERUN still fail | PASS |
| candidate/rehearsal claimed sealed | black-box/adversarial verification rejects | PASS |
| RERUN trusting pinned logs | false; live suites and CLI gates execute | PASS |

Honest structural limit accepted: a packet cannot self-defend if an attacker rewrites SUT, oracle, verifier, RERUN, and all suites then republishes everything. The governed KB hashes plus this independent Codex fresh-fetch/read/rerun are the external backstop. This is disclosed, not hidden.

7. Article verdicts

  • Article 13 / NT13: PASS for this evidence lane. The governed KB packet and canonical document IDs are the source; a local mirror is not authority. No PG/runtime mutation was performed or approved.
  • Article 14 / NT14: PASS. The load-bearing CLI-exit claims are executable, observed, fail-closed, and resistant to the exact V2 laundering attack.
  • Hardcode/disguised hardcode: PASS in reviewed scope. Frozen/spec pins are controlled and execution-verified; no inferred CLI-exit proof remains.
  • Candidate/rehearsal discipline: PASS. No candidate/rehearsal/N7/N8/P7 value is falsely claimed sealed.

8. Canonicalizer rev3 identity

Current governed-MCP bytes independently match packet pins:

  • document: knowledge/dev/reports/architecture/t1-fix7-existing-system-refactor-execution-blueprint-2026-06-08/canonicalizer-fix7-canon-v1-ssot.md
  • revision: 3
  • UTF-8 bytes: 38756
  • SHA-256: 49c386a9b9666c09786fc4f89bc79776b6046eaee6f4da6d8537d2c753b734d0

Engineering evidence is sufficient for this hash/revision to move to the authorized Codex/owner seal step. It remains a candidate in this review because the required authority event/inputs are absent.

9. N7 / N8 / P7 decision

| Item | Decision | Reason |
|---|---|---|
| N7 envelope manifest | AUTHORITY BLOCKED | sealed approval-event inputs and owner authorization absent |
| N8 detached seal | AUTHORITY BLOCKED / NOT AUTHORED | Codex-only act depends on N7/P7 authority event |
| P7 re-seal | ENGINEERING READY, AUTHORITY BLOCKED | rev3 candidate verified; no authorized seal event in this prompt |
| blueprint approval | NOT AUTHORIZED | owner's standing do-not-approve remains |

10. Remaining blockers

No engineering/evidence blocker remains in the V3 packet review.

  • N7: owner/Codex must supply and authorize sealed approval-event inputs.
  • N8: Codex authors only after authorized N7/P7 event.
  • P7: Codex/owner authority action to pin/re-seal rev3 candidate.
  • OWN-1: owner standing do-not-approve blocks blueprint approval.
  • R9-B5-R: no server-side digest endpoint; non-blocking tooling residual because governed MCP-byte proof was independently reproducible and accepted.

These blockers prevent final seal/approval, but do not require T1 engineering repair. They also mean FIX7 implementation remains blocked until a separate explicitly authorized phase/macro.

11. Final verdict

CODEX_RECHECK_9_V3_AUTHORITY_BLOCKED

Packet V3 closes R9-B6 and is technically seal-ready. This run does not fabricate authority inputs or override the owner's standing decision.

12. Minimal safe next step

Owner/Codex authority step must decide/provide N7 approval-event inputs and authorize P7/N8 sealing. Until then, preserve the V3 packet and rev3 candidate unchanged; do not implement FIX7 or perform any prohibited runtime action.
