Incomex AI Portal
KB-AE86

doc 00 Self-Reference Resolution (Option 1)

4 min read Revision 1

04 - doc 00 Self-Reference Resolution (Option 1)

(Codex recheck-5 blocker C.) Codex flagged that doc 00 cannot compute a full_document_sha256 over bytes that include the envelope value which contains that very hash — and that the recheck-4 design kept a contradictory "full-doc hash" alongside an EXCLUDE-region semantics. T1 must choose one clean model and state it. T1 chooses Option 1.

The two options Codex offered

  • Option 1doc00_content_sha256 excludes the envelope block via explicit EXCLUDE sentinels; full_document_sha256 for doc 00 is not load-bearing and is marked NON_AUTHORITY_DIAGNOSTIC.
  • Option 2 — store the envelope in a detached document outside doc 00; doc 00's full_document_sha256 then includes no self-reference.

T1's choice: Option 1 (generalized), stated unambiguously

  1. The load-bearing per-document content hash is always normalized_active_content_sha256 (doc 02, FIX7_DOC_NORMALIZED_CONTENT_V1). For the sole self-host (doc 00) it is computed over doc-00 bytes with the <!-- ENVELOPE:EXCLUDE-BEGIN -->..<!-- ENVELOPE:EXCLUDE-END --> region removed inclusive. The envelope (which holds the hashes) is inside that region, so the hash never includes any hash value → no circularity.
  2. full_document_sha256 is NON_AUTHORITY_DIAGNOSTIC for every member (a declared exclusion policy bound as full_document_hash_policy). It is recorded for human cross-check only; no guard depends on it. Making it diagnostic for every member — not just doc 00 — removes any "full-doc-vs-exclude" contradiction across the corpus with one rule.

There is therefore exactly one content-authority hash per document and zero contradiction. This is Option 1; Option 2 was not taken because the existing EXCLUDE-region design already cleanly separates the envelope from doc 00's content hash, and the detached-seal anchor (doc 06) provides the immutable copy of record that Option 2 would otherwise motivate.

How the live envelope is still tamper-protected (the second-order hole)

Excluding the envelope from doc 00's content hash means editing the envelope does not change doc 00's normalized_active_content_sha256. Left there, the envelope would be editable after seal — the exact mutable-authority hole this chain polices. It is closed not by doc 00's content hash but by the detached seal:

  • the live envelope_manifest_sha256 is recomputed (canonically) over the live STAGED envelope at authoring time;
  • it must equal the Codex detached seal's sealed_envelope_manifest_sha256 (an immutable, Codex-authored record — doc 06);
  • editing the live envelope changes the recomputed manifest → diverges from the sealed anchor → ACTIVE_AUTHORITY_ENVELOPE_MISMATCH (G-CODEX-DETACHED-SEAL-ANCHOR, G-ACTIVE-AUTHORITY-HASH-MATCH).

So: doc 00's content hash excludes the envelope (no self-reference) and the envelope is immutable after seal (via the detached seal). Both properties hold without contradiction. Self-audit test 5 (doc 08) verifies "change doc00 envelope only → no self-reference loop, manifest mismatch".

Net invariants

This is a non-runtime construction-document change only. No runtime surface / readiness gate / #20 column / catalog family / runtime hash contract is added; 27/11/14/7 preserved (H01..H07 stay 7).

Back to Knowledge Hub knowledge/dev/reports/architecture/t1-fix7-blueprint-patch-after-codex-recheck-5-canonical-envelope-2026-06-09/04-doc00-self-reference-resolution.md