KB-5E2F

C1 Staging Codex R4 — R3 Finding and Fix Review

Revision 1
c1stagingcodex-r4, read-only, 2026-06-23

02 — R3 FINDING AND FIX REVIEW

R3 rejection reconstructed

R3 rejected because P3/P4/P5 committed ledger rows before fatal gates, while P6 treated them as DONE and did not independently enforce the exact canonical set.

R3 fixes accepted

  • P3/P4/P5 fatal gates are now before DONE and COMMIT in the same transaction.
  • P6 independently enforces the exact three operation codes, validated status, field/mode constraints and a nine-case oracle.
  • P6 rechecks case 8 isolation 42P01 and zero orphan objects.
  • P6 digest includes canonical rows, P4 evidence bytes, harness rows and upstream stamp rows.
  • plan requires CODEX_R4_PASS; old R2/R3 gates return 64.
  • governed cleanup requires RETIRED_OK: <SBX>.
  • owner JSON is escaped before jq validation.
  • official runtime remains unchanged.

Remaining R4 blocker

P6 lines 73–75 check only EXISTS(... WHERE op=...). Lines 79–82 reject a stamp only when its sandbox_id is absent from the entire birth_certificate table. They do not require l.sandbox_id = current_database(), do not require equality with the invoked sandbox, and do not enforce exactly one current-run success stamp per phase. The comment promises “THIS sandbox”; the SQL implements “ANY birth row”.

Also, no P6 gate checks detail->>'gate' for P3_GATE_OK, P4_GATE_OK, or P5_GATE_OK.
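
The difference between the "ANY birth row" gate and a "THIS sandbox" gate, as an added PostgreSQL example that is not the P6 script itself. The ledger table name stamp_ledger, the op codes OP_P3/OP_P4/OP_P5, the jsonb type of detail and the sandbox other_sbx are assumptions constructed for illustration; the constructed P5 stamp belongs to another sandbox that has a birth row, which is the case the two gates treat differently.

```sql
-- Constructed schema and rows (assumed names: stamp_ledger, OP_P3..OP_P5, other_sbx).
CREATE TEMP TABLE birth_certificate (sandbox_id text PRIMARY KEY);
CREATE TEMP TABLE stamp_ledger (sandbox_id text NOT NULL, op text NOT NULL, detail jsonb);

INSERT INTO birth_certificate VALUES (current_database()), ('other_sbx');
INSERT INTO stamp_ledger VALUES
  (current_database(), 'OP_P3', '{"gate":"P3_GATE_OK"}'),
  (current_database(), 'OP_P4', '{"gate":"P4_GATE_OK"}'),
  ('other_sbx',        'OP_P5', '{"gate":"P5_GATE_OK"}');  -- stamp from a different sandbox

-- Gate shape described as the blocker: an op only has to EXIST somewhere, and a
-- stamp is rejected only if its sandbox_id has no birth row at all.
SELECT bool_and(EXISTS (SELECT 1 FROM stamp_ledger l WHERE l.op = e.op))
       AND NOT EXISTS (SELECT 1 FROM stamp_ledger l
                       WHERE l.sandbox_id NOT IN
                             (SELECT sandbox_id FROM birth_certificate))
       AS any_birth_row_gate
FROM (VALUES ('OP_P3'), ('OP_P4'), ('OP_P5')) AS e(op);

-- Gate scoped to this sandbox: each phase must have exactly one stamp with
-- l.sandbox_id = current_database(), and that stamp must carry the phase's
-- detail->>'gate' value. A phase with zero rows, duplicate rows or the wrong
-- gate value makes the whole gate false.
SELECT bool_and(n = 1 AND gate_ok) AS this_sandbox_gate
FROM (
  SELECT e.op,
         count(l.op)                              AS n,
         coalesce(bool_and(l.detail->>'gate' = e.gate), false) AS gate_ok
  FROM (VALUES ('OP_P3', 'P3_GATE_OK'),
               ('OP_P4', 'P4_GATE_OK'),
               ('OP_P5', 'P5_GATE_OK')) AS e(op, gate)
  LEFT JOIN stamp_ledger l
         ON l.op = e.op
        AND l.sandbox_id = current_database()
  GROUP BY e.op, e.gate
) AS per_phase;
```

A harness that receives the sandbox name as an argument would additionally compare that argument with current_database() before evaluating the gate.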
