KB-40D3

GPT Review — G6 Remediation Dispatch v0.3

Date: 2026-04-27
Scope: Review Opus-drafted G6 REMEDIATION DISPATCH v0.3 — CREDENTIAL WIRING FIX.

Verdict

PASS WITH MINOR REQUIRED EDITS BEFORE DISPATCH.

The prompt is directionally correct: it limits Codex to credential-wiring remediation, forbids DDL/DML/schema work, requires read-only GSM discovery, patches the runner, creates a credential-source errata, uploads a remediation report, and stops before retrying G6.

The edits below are small but important for authorization clarity and secret hygiene.

Law / constitutional check

Rule                        Result           Finding
Constitution / Zero Trust   PASS with edits  Codex must not infer secrets or continue if GSM access is unclear.
100% DOT/AI                 PASS             User is not asked to fetch/paste secret paths or values.
Đ33 DB governance           PASS             No DDL/DML/schema mutation in this remediation.
Đ35 DOT governance          PASS             No dot_tools/dot_action_log mutation.
Đ32 gate discipline         PASS             G6 retry remains separately gated.
Đ24                         PASS             No taxonomy/entity label mutation.

Required minor edits

  1. Fix authorization wording.
    The header says "User authorize 2026-04-27". Change it to "User authorization for remediation dispatch: PENDING until the User explicitly approves/pastes it to Codex." Do not imply that authorization has already happened.

  2. Clarify secret payload access rule.
    Read-only discovery should list candidate secret metadata only. Secret payload access is allowed only for runtime export/testing and must redirect output to /dev/null or a protected subshell variable. No secret value may appear in terminal output, logs, files, KB, git diff, or action log.

  3. Add artifact leak scan.
    Before reporting PASS, Codex must grep/check generated artifacts and logs for accidental secret leakage patterns such as DB_PASSWORD=, password value exposure, DIRECTUS_ADMIN_TOKEN=, and raw token-like strings if detectable. If any leak is found: STOP, report incident, do not upload leaked content to KB.

  4. Add a no-commit/no-push rule.
    Patching run_g6.sh may create local file changes, but Codex must not commit, push, or otherwise publish files containing runtime credential wiring or secret-derived data unless a later governed step explicitly authorizes it.

  5. Clarify runner location.
    Codex must identify the actual runner path before patching, e.g. g6_artifacts/bin/run_g6.sh or the live wrapper path. If multiple runner files exist, STOP and report candidates rather than patching the wrong file.
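
The artifact leak scan required in item 3, as an added example that is not part of the dispatch or of this review: it reports only the file and the pattern class that matched, never the matched text, so the scan cannot itself echo a secret into terminal output. The pattern list, the token-like heuristic and the fixture file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: leak scan over generated artifacts/logs, run before reporting PASS.
# Output is limited to file path + pattern class; matched text is never printed.
set -u

# Pattern classes from the review, plus a heuristic for raw token-like strings
# (40+ chars of a base64/hex-style alphabet; slashes excluded so paths do not trip it).
# Format: class|ERE, one per line.
LEAK_CHECKS='db_password|DB_PASSWORD=
directus_admin_token|DIRECTUS_ADMIN_TOKEN=
password_assignment|[Pp]assword[[:space:]]*[:=][[:space:]]*[^[:space:]]+
token_like_string|[A-Za-z0-9_=+-]{40,}'

# scan_leaks DIR -> exit 0 when clean, 1 when any file under DIR matches a class.
scan_leaks() {
  local dir="$1" rc=0 name regex matches
  while IFS='|' read -r name regex; do
    [ -n "$name" ] || continue
    # -l lists matching files only; the matching line itself is never read back.
    matches=$(grep -rEl -- "$regex" "$dir" 2>/dev/null || true)
    if [ -n "$matches" ]; then
      rc=1
      printf 'LEAK class=%s\n' "$name"
      printf '%s\n' "$matches" | sed 's/^/  /'
    fi
  done <<EOF
$LEAK_CHECKS
EOF
  return "$rc"
}

# Constructed fixture (hypothetical file names): one clean artifact, one leaking log.
make_fixture() {
  local dir; dir=$(mktemp -d)
  mkdir -p "$dir/clean" "$dir/leaky"
  printf 'G6 runner patched: credentials read from GSM at runtime\n' > "$dir/clean/remediation_report.txt"
  printf 'export DB_PASSWORD=CONSTRUCTED_EXAMPLE_VALUE\n' > "$dir/leaky/run_g6.log"
  printf '%s\n' "$dir"
}

# Usage: on any LEAK line, stop, report the incident and do not upload artifacts to KB.
if [ "${1:-}" = "--demo" ]; then
  FIXTURE=$(make_fixture)
  scan_leaks "$FIXTURE/clean" && echo "clean: PASS"
  scan_leaks "$FIXTURE/leaky" || echo "leaky: STOP, leak detected"
fi
```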

Direction

Opus should apply these minor edits to remediation dispatch v0.3; it is then ready to send to Codex at xhigh/max effort. This remediation dispatch does not authorize retrying G6. After Codex completes v0.3, GPT should review the credential errata, the wrapper diff summary, and the remediation report before any retry authorization.