Macro-4 Standard IO Contract Envelope — R2-B2 (2026-06-19)
Macro-4 Standard IO Contract Envelope — R2-B2 (2026-06-19)
Date: 2026-06-19 · Workstream: R2-B2-MACRO-4-STAGING-WORKBENCH-IO-CONTRACT-TD-ENTRY-GATE-2026-06-19 (Deliverable 19 of 90) · Editorial revision: rev1
Class: standard IO contract envelope · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · IO_CONTRACT_OVERREACH guard · NO write performed.
Metadata convention. Editorial revision (rev1) only. Storage revision/
content_lengthauthoritative at read time.
Envelope, not registry. This standardizes the shape of a per-block IO contract. It is a contract envelope only — not a mega-registry, mega-graph, universal write surface, or shared mutable hidden state. Any drift toward a centralized store is
IO_CONTRACT_OVERREACH→ HOLD.
0. Status and non-authorization
STATUS: PASS — engineering / design-only. The canonical envelope every LEGO block's IO contract instantiates. Engineering PASS ≠ authority PASS. Default: HOLD.
1. Purpose
Answer macro question 7 — what contract envelope should be standardized? — so blocks connect only through explicit, versioned contracts.
2. Sources / evidence read
Inspect-producer §4 (accepted 13-field B2 contract template); Registries/Pivot interface 13-field template (carried); prompt §9.2 (envelope fields). Main process, no reader-agents.
3. Accepted baseline (carried)
The accepted 13-field contract template (responsibility, input, output, authority/owner, mutate?, evidence, depends-on, must-not-depend, replacement boundary, safe failure mode, rollback boundary, bad input, expected rejection). Macro-4 expresses it as an explicit-surface envelope.
4. Evidence / analysis — the envelope fields
| Field | Meaning | Deliverable |
|---|---|---|
contract_id |
stable identifier of the block contract | this |
contract_version |
immutable, audit-preserving version | 20 |
block_id / block_role |
which block, what role (e.g. B2 = inspect producer) | this |
input_surface |
exactly what the block reads | 21 |
output_surface |
exactly what the block writes | 22 |
error_surface |
how failure is represented (fail-closed) | 23 |
evidence_surface |
append-only, records-not-decides | 24 |
rollback_surface |
the per-run rollback/delete unit | 25 |
owner_surface |
the governance owner + approval path | 26 |
promotion_surface |
the explicit Owner-gated promotion (never automatic) | 27 |
forbidden_surfaces |
what the block must never touch | this / 35 |
delete_fast_unit |
the one disposal unit | 10/37 |
no_production_touch_proof |
the before/after proof obligation | 11/43 |
bad_input_reject_rule |
invalid input ⇒ fail-closed reject | 49–53 |
authority_gate |
Điều 37→32 gate before any write | 26/65 |
5. Contract / requirement / matrix / result
The envelope is per-block and local: each block carries its own envelope; there is no shared mutable surface and no implicit cross-block mutation. Blocks compose only by referencing each other's output_surface as their input_surface through explicit, versioned contracts. This is standardization, not centralization.
6. Owner-gated future work
Binding any envelope to a runtime block is Owner-gated; forbidden now.
7. What remains unresolved
The envelope is a template; no block's contract is bound to runtime here.
8. Ready for GPT/Codex review
Yes — Codex should attack any reading of the envelope as a mega-registry or universal write surface.