KB-4900

Codex Anchor Model Without Self-Hash (recheck-6 blocker E)

Revision 1

Load-bearing copy: doc 00 §Codex detached seal anchor contract — acyclic, no self-hash. Rationale here.

The model

The SEALED copy of record is a CODEX_DETACHED_SEAL fenced-YAML block authored by Codex in the recheck-7 checkpoint (approved_by_recheck_checkpoint). It is an approval record, never trusted by path/name. The Codex checkpoint path/name alone is NOT authority. The seal is authority only if all of these hold:

  1. canonical encoding accepted (FIX7-CANON-V1; G-CANONICAL-ENCODING-CONTRACT + G-CANONICAL-FIELD-REJECT);
  2. seal hash graph acyclic (doc 05; G-SEAL-HASH-GRAPH-ACYCLIC);
  3. the detached-seal block is authored in the Codex recheck-7 checkpoint/report;
  4. the seal excludes itself (detached_seal_sha256 is computed over the seal fields, excluding itself + signature);
  5. read-back verifies the seal block exists unchanged AND the checkpoint's live platform kb_revision equals the recorded codex_checkpoint_kb_revision;
  6. later drift fails closed → fresh recheck.

The checkpoint does not hash itself as load-bearing. codex_checkpoint_content_sha256_excluding_seal is a diagnostic (N9) only.

Which artifact pins which (explicit, no mutual/self dependency)

  • active_corpus (N1) and membership (N2) pin the documents.
  • envelope_manifest_sha256 (N7) pins the corpus + approval metadata + checkpoint identity (path).
  • detached_seal_sha256 (N8), authored by Codex, pins N7 + N6 + N2 + N5 + parent_checkpoint_id (recheck-6 checkpoint — a backward hash-chain link) + report_documents[].
  • The platform kb_revision of the recheck-7 checkpoint pins the seal block out-of-band: you cannot edit the checkpoint content without the platform incrementing the revision, and read-back equality detects it.

Nothing pins anything that (transitively) pins it back.
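
An added example, not part of the original document or the project's tooling: a read-back verifier that checks the pin graph for cycles, recomputes detached_seal_sha256 over the seal fields, and compares the live kb_revision with the recorded one. The function names, the sorted-key JSON stand-in for FIX7-CANON-V1, the exclusion of the signature field from the hash, and the sample seal values are assumptions.

```python
import hashlib
import json

# Pin edges from the list above: artifact -> what it pins (N5/N6 kept as opaque labels).
PINS = {
    "N1_active_corpus": ["documents"],
    "N2_membership": ["documents"],
    "N7_envelope_manifest": ["N1_active_corpus", "approval_metadata", "checkpoint_path"],
    "N8_detached_seal": ["N7_envelope_manifest", "N6", "N2_membership", "N5",
                         "parent_checkpoint_id", "report_documents"],
    "platform_kb_revision": ["N8_detached_seal"],
}
EXCLUDED = ("detached_seal_sha256", "signature")  # assumption: both are left out of the hash

def is_acyclic(graph):
    """Depth-first search; False if any artifact transitively pins itself."""
    state = {}  # node -> "open" while on the DFS stack, "done" afterwards
    def visit(node):
        if node in state:
            return state[node] == "done"  # meeting an "open" node again is a cycle
        state[node] = "open"
        ok = all(visit(nxt) for nxt in graph.get(node, []))
        state[node] = "done"
        return ok
    return all(visit(node) for node in graph)

def seal_digest(seal):
    """SHA-256 over the seal fields, excluding the digest field itself."""
    body = {k: v for k, v in seal.items() if k not in EXCLUDED}
    # Stand-in canonical form (sorted-key compact JSON), NOT the real FIX7-CANON-V1.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def verify_seal(seal, recorded_kb_revision, live_kb_revision, graph=PINS):
    """Read-back check; any failure is fail-closed and means a fresh recheck."""
    if not is_acyclic(graph):
        return False, "hash graph is cyclic"
    if seal.get("detached_seal_sha256") != seal_digest(seal):
        return False, "seal block changed"
    if live_kb_revision != recorded_kb_revision:
        return False, "kb_revision drift"
    return True, "ok"

# Constructed sample seal (illustrative values, not taken from the page).
SAMPLE = {"envelope_manifest_sha256": hashlib.sha256(b"constructed").hexdigest(),
          "parent_checkpoint_id": "recheck-6-checkpoint", "report_documents": ["doc-06"],
          "signature": "signature_not_available_in_current_tooling"}
SAMPLE["detached_seal_sha256"] = seal_digest(SAMPLE)
```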

Compensating controls (no cryptographic signature in tooling)

signature: signature_not_available_in_current_tooling. Substituted compensating fail-closed rule: (a) Codex authorship of the checkpoint (separation of duties — not T1/Directus-editable); (b) platform revision + read-back pin (monotonic, non-forgeable from inside the content); (c) content self-binding via detached_seal_sha256; (d) any change → fresh recheck.

Stated limitation (Codex required this be explicit)

These controls DETECT post-seal drift and single-sided tampering (editing only the checkpoint, or only the envelope). They do not cryptographically prevent a fully-privileged actor who can rewrite both the Codex checkpoint and the live envelope from forging a fresh, internally consistent seal. The compensating control for that residual is separation of duties (the checkpoint is authored by Codex, the design/approval owner) plus the standing "any checkpoint change → fresh Codex recheck" rule. If a genuine cryptographic/platform-immutable signature becomes available, it should replace controls (b)–(c). Until then the limitation is acknowledged and authoring stays gated on the read-back + revision equality. (G-CODEX-DETACHED-SEAL-ANCHOR, doc 06.)

knowledge/dev/reports/architecture/t1-fix7-blueprint-patch-after-codex-recheck-6-byte-exact-envelope-2026-06-09/06-codex-anchor-model-without-self-hash.md