Macro-5 Staging TD Candidate Error Model — R2-B2 (2026-06-19)
Macro-5 Staging TD Candidate Error Model — R2-B2 (2026-06-19)
Date: 2026-06-19 · Workstream: R2-B2-MACRO-5-STAGING-BUILD-AUTHORIZATION-PACKAGE-2026-06-19 (Deliverable 19 of 110) · Editorial revision: rev1
Class: non-executable staging TD candidate (error model) · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NO write performed.
Metadata convention. Editorial revision (rev1) only. AgentData storage revision/
content_lengthauthoritative at read time.
NON_EXECUTABLE_TD_CANDIDATE. No SQL/DDL/command. Error behavior described, not coded.
0. Status and non-authorization
STATUS: PASS — engineering / design-only. The candidate error model: a no-op + a recorded reason, never a fabricated pass. Engineering PASS ≠ authority PASS. Default: HOLD.
1. Purpose
Define how a workbench run fails: fail-closed, per stage, with structured reasons.
2. Sources / evidence read
Macro-4 B2 error contract (D31, BI-1…12); Điều 0-G ("Fail → audit queue"); bad-input no-digest-pass rule (Macro-4 D53). Main process, no reader-agents.
3. Accepted baseline (carried)
On failure: no stamp for that row/stage + a failure record. Failure is a no-op + evidence append, never a fabricated pass.
4. Evidence / analysis — error classes (fail-closed)
| Class | Behavior |
|---|---|
| missing identity (BI-1/2) | no candidate PEN; append failure |
| already certified (BI-3) | skip; out of scope |
| ambiguous partial stamp (BI-4) | mark ambiguous; Owner-gated review; never certify (BAD_INPUT_BEHAVIOR_UNCLEAR) |
| Điều 0-G unresolved (BI-5) | SOURCE_RECOVERY_REQUIRED; no stamp |
| asked to certify/canonicalize (BI-6/7) | reject |
blanket now() (BI-8) |
reject as fused-shortcut |
| out-of-order (BI-11) | reject; row waits at its stage |
| out-of-scope role (BI-12) | skip (BAD_INPUT_BEHAVIOR_UNCLEAR for observed) |
5. Candidate / requirement / gate / result
Every error resolves to no production write + a structured candidate_error_code/candidate_reject_reason + an evidence append. Fail-open (stamp/certify on bad input) is disqualifying (F-OPEN-1…4). No error path is executed here.
6. Owner-gated future work
Wiring the error path to a built audit sink is Owner-gated; forbidden now.
7. What remains unresolved
BI-4 / BI-12 remain BAD_INPUT_BEHAVIOR_UNCLEAR; concrete error codes are future TD.
8. Ready for GPT/Codex review
Yes — Codex should confirm every class maps to a fail-closed no-op.