KB-3524

Codex Review - RS4A-PATCH2 Effect Identity, Head Uniqueness, and Suite-ID Reconciliation - 2026-06-21

Revision 1

STATUS: PASS_WITH_CAVEATS
VERDICT: ACCEPT_RS4A_PATCH2
Stop state: RS4A_PATCH2_ACCEPTED
Corrected contract: RS4A + RS4A-PATCH1 + RS4A-PATCH2 accepted as design-only contract
Registration gate: REGISTRATION_HOLD - REGISTRATION_CAN_PROCEED = NO
Runtime observation: NO_CODEX_LIVE_READ
Single next step: G2 Owner-of-record decision
Class: independent read-only review; non-enacting; non-authorizing; no implementation; no runtime mutation

1. Source Register

Codex read all required PATCH2 documents directly from AgentData KB in full. Every document was revision 1 and truncated=false.

| Source | content_length | Role |
|---|---|---|
| Prior Codex PATCH1 re-review | 12,225 | controlling R1-R5 HOLD |
| PATCH2 executive rollup | 5,289 | package claims and sequencing |
| PATCH2 index | 6,285 | inventory and correction map |
| PATCH2-01 closure map | 6,287 | R1-R5 closure spine |
| PATCH2-02 effect identity/auth binding | 13,466 | R1 |
| PATCH2-03 U3 current-head policy | 9,149 | R2 |
| PATCH2-04 Phase-4 audit semantics | 7,051 | R3 |
| PATCH2-05 authoritative test registry | 10,793 | R4-R5 and count |
| PATCH2-06 decision packet | 6,675 | verdict and gate |
| PATCH2 Codex review packet | 6,252 | review request |

Package completeness: PASS. AgentData contains 8 files under reports/rs4a-patch2/ plus one rollup under reports/, matching the required inventory. No file was empty, missing, or truncated.

Governing context read/searched directly: Operating Rules SSOT v7.58, Constitution v4.6.3, and the mandatory Incomex skill. Codex had no live PostgreSQL/VPS tool; PATCH2 runtime facts remain CLAUDE_READ_ONLY_PACKET evidence and are not restated as Codex-live proof.

2. R1 Effect Identity Assessment

PASS. U1 now keys only the business effect:

H(protocol_version, operation, canonical_target_dot_code,
  canonical_artifact_identity, canonical_artifact_hash)

The contract explicitly excludes owner scope, authority-policy reference, approval/APR/owner row IDs, nonce, attempt ID/number, run ID, timestamps, TTL/freshness, operator, session, and host.

Authority is moved to a separate authorization_binding_digest, which binds the effect to owner scope, policy, approval evidence, quorum evidence, nonce issuer, and authorization window. It is required for admission, recorded as non-identity evidence on the Phase-3 attempt/consume record, and excluded from U1.

The decisive behavior is correct: changed authority with the same operation/code/artifact produces the same U1 key and is rejected as AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE; authority drift cannot mint a second registration. Intentional lifecycle re-registration requires an explicit governed different operation. Current owner/action absence remains admission fail-closed.
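
The split between the U1 effect key and authorization_binding_digest can be sketched as follows. This is an added example, not code from the reviewed package: the choice of SHA-256, the length-prefixed encoding, the sample values, and every result code other than AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE are assumptions.

```python
import hashlib

EFFECT_FIELDS = ("protocol_version", "operation", "canonical_target_dot_code",
                 "canonical_artifact_identity", "canonical_artifact_hash")
AUTH_FIELDS = ("owner_scope", "policy", "approval_evidence", "quorum_evidence",
               "nonce_issuer", "authorization_window")

def _digest(tag, values):
    # Assumed encoding: SHA-256 over length-prefixed UTF-8 fields, so that
    # ("ab", "c") and ("a", "bc") cannot produce the same input stream.
    h = hashlib.sha256(tag.encode("utf-8"))
    for v in values:
        b = str(v).encode("utf-8")
        h.update(len(b).to_bytes(4, "big") + b)
    return h.hexdigest()

def u1_key(effect):
    # Reads only the five business-effect fields; run IDs, timestamps, nonces
    # or operator names present in `effect` never reach the hash.
    return _digest("U1", [effect[k] for k in EFFECT_FIELDS])

def authorization_binding_digest(effect, auth):
    # Binds the effect (through its U1 key) to the authority evidence.
    return _digest("AUTH", [u1_key(effect)] + [auth[k] for k in AUTH_FIELDS])

def admit(ledger, effect, auth):
    # ledger maps U1 key -> binding digest recorded as non-identity evidence.
    if not auth or any(not auth.get(k) for k in AUTH_FIELDS):
        return "AUTHORIZATION_ABSENT"       # hypothetical code: fail closed
    key = u1_key(effect)
    binding = authorization_binding_digest(effect, auth)
    if key in ledger:
        if ledger[key] != binding:
            return "AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE"
        return "SAME_EFFECT_DUPLICATE"      # hypothetical code
    ledger[key] = binding
    return "ADMITTED"                       # hypothetical code

# Constructed sample values, not taken from the reviewed package.
EFFECT = {"protocol_version": "1", "operation": "register",
          "canonical_target_dot_code": "DOT-EXAMPLE-001",
          "canonical_artifact_identity": "artifact/example",
          "canonical_artifact_hash": "sha256:" + "0" * 64}
AUTH = {"owner_scope": "owner-a", "policy": "policy-1",
        "approval_evidence": "approval-1", "quorum_evidence": "quorum-1",
        "nonce_issuer": "issuer-1", "authorization_window": "window-1"}
```

Because the ledger is keyed by U1 alone, a request that differs only in authority evidence finds the existing entry and is rejected instead of creating a second one.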

3. R2 U3 Current-Head Assessment

PASS_AS_DESIGN, SURFACE STILL ABSENT. U3 now protects both non-terminal registration states:

UNIQUE(canonical_target_dot_code) WHERE status IN ('draft','active')

The lifecycle-role form is explicitly defined as a derived classification, not assumed to be a current column. draft and active are current-head states; deprecated and retired are terminal/non-head states.

Required behavior is complete:

  • registration may create draft only when no draft/active head exists;
  • activation is in-place draft -> active and creates no second head;
  • replacement must first terminalize the prior head or use an explicit governed lifecycle operation;
  • absent U3 enforcement yields HEAD_POLICY_UNRESOLVED before any draft write.

The package does not claim the partial unique or status CHECK exists. U3 and STATUS_DOMAIN_NOT_DB_ENFORCED remain future Owner/design-gated backstops. This preserves fail-closed behavior.

4. R3 Phase-4 Audit Assessment

PASS. The controlling Phase-4 success verifier now requires only:

  • exactly one current/head row;
  • status='draft';
  • metadata matching the admitted artifact;
  • no activation-notify condition;
  • resolved independent postcondition_verifier_ref;
  • successful write/readback match.

It explicitly does not require failure_audit_envelope, a success audit, or a decision-log envelope. Failure audit remains failure/rollback-only, written after rollback in a separate transaction to a sink whose append-only properties must be proven. A future success-decision log is optional and can never gate success. The prior contradiction is removed.

5. R4/R5 Test Registry and Count Assessment

PASS_WITH_ASSERTION-SCOPE_CAVEAT. Codex independently parsed the authoritative registry:

  • exactly 15 unique IDs: PX2-001 through PX2-015;
  • no missing PX2 ID;
  • each authoritative table row has one semantic;
  • old T-PX-* IDs are superseded;
  • T-P6-3a and T-P6-3b are two distinct cases, re-homed as PX2-013 and PX2-014;
  • PX2-011 covers changed-authority/same-effect;
  • PX2-012 covers duplicate draft head;
  • PX2-015 covers Phase-4 success without audit;
  • no execution or validator PASS is claimed.

Arithmetic independently recomputed:

| Bucket | Count |
|---|---|
| Carried cases | 50 |
| RS4A T-series | 47 |
| Superseded baseline T-P6-3 slot | -1 |
| Authoritative PX2 registry | 15 |
| Total | 111 |

Interpretation caveat: PX2-001 and PX2-004 PASS only their named status/no-notify assertions. They must never be interpreted as a full registration PASS or as bypassing authority, carrier, U1/U2, U3, verifier, or gate prerequisites. Full Phase-4 success remains governed by PATCH2-04 and PX2-015.

6. Closure Map Assessment

| Residual | Result | Evidence |
|---|---|---|
| R1 authority-keyed U1 | PASS | authority removed from U1; separate admission digest |
| R2 active-only U3 | PASS | current head spans draft + active; absent surface fails closed |
| R3 success-audit contradiction | PASS | audit removed from success verifier |
| R4 ID/count ambiguity | PASS | one PX2 registry; deterministic 111 |
| R5 missing residual tests | PASS | PX2-011, PX2-012, PX2-015 present |

No residual defect is merely renamed. Each controlling formula, state transition, verifier rule, or test registry is materially changed.

7. Accepted Points

  1. Effect identity is stable and authorization-independent.
  2. Authorization remains mandatory for admission and is bound separately.
  3. U3 prevents multiple draft/active heads at the contract level.
  4. Missing U1/U2/U3/status surfaces fail closed before write.
  5. Phase-4 success has no audit prerequisite.
  6. Failure audit remains separate-transaction and failure-only.
  7. The 111-case registry is deterministic and unexecuted.
  8. PATCH2 remains design-only and does not reopen source fidelity, replace-not-wrap, C4-C7, C9-C10, or D13.

8. Corrected Points and Caveats

  • directus_fields choices are governed metadata, not a DB-enforced status domain; the status CHECK remains required before implementation.
  • U3's lifecycle_role is a design classification with an equivalent status predicate, not a current persisted column.
  • All reported live counts/constraints are packet-tier evidence because Codex had no live tool.
  • Engineering contract acceptance is not authority acceptance, runtime readiness, or test execution.

No blocking overclaim remains in the PATCH2 controlling text.

9. Three Foundational Questions

  • Permanent: U1 is derived only from stable business-effect fields; authority and execution changes cannot reintroduce duplicate effects. U3 handles lifecycle heads separately.
  • Mistake-resistant: unresolved authority, U1/U2/U3, carrier, status-domain, audit, or verifier surfaces produce explicit fail-closed outcomes before registration write.
  • Automatic: the contract defines deterministic machine-checkable identities, predicates, reject codes, and a 111-case registry. Automation is not claimed implemented or executed; runtime remains closed until the required surfaces exist and pass their own gates.

10. Sequencing and Gate

On ACCEPT_RS4A_PATCH2, the corrected RS4A design contract is accepted. The single next step is the G2 Owner-of-record decision, not Owner execution.

Still closed and not authorized by this review:

  • creating an Owner row, APR, or register_dot action;
  • U1/U2 replay surface, U3 partial unique, or status CHECK implementation;
  • Interface F carrier or audit-sink hardening;
  • RS-VALIDATOR-HARDENING;
  • registrar replacement implementation;
  • any registration, activation, gate flip, wiring, or runtime execution.

Per-block hardening, validator work, and registrar implementation remain sequenced after contract acceptance plus the required Owner decision and their own design/authorization gates.

11. Must-Not-Do Confirmation and Final Verdict

This review performed no runtime mutation, DDL/DML, schema/table/column/constraint creation, DOT register/wire/run, Owner/APR/action creation or approval, gate flip, registrar/validator/source patch, executable implementation, migration SQL, Directus mutation payload, RISK-BYPASS clearance, RS-VALIDATOR opening, Owner execution, or registration.

FINAL VERDICT: ACCEPT_RS4A_PATCH2. R1-R5 are closed at the design-contract level. The corrected contract may proceed to the G2 Owner-of-record decision only.

Final gate: REGISTRATION_HOLD - REGISTRATION_CAN_PROCEED = NO.

OR/TD update: not required; this was an independent review-only mission and changed no operating rule or technical-debt surface.
