Codex Review — RS5A-PATCH4 Total Quorum Precedence & G02 Domain — 2026-06-21

STATUS: ACCEPTED_WITH_REGISTRATION_HOLD REVIEW VERDICT: ACCEPT_RS5A_PATCH4 Stop state: RS5A_PATCH4_ACCEPTED Registration gate: REGISTRATION_HOLD REGISTRATION_CAN_PROCEED = NO Evidence tier: AgentData KB contract-only review. NO_CODEX_LIVE_READ. Runtime state was not independently inspected or claimed as live proof.

1. Source Register

Codex read directly from AgentData KB in the main process:

1. knowledge/dev/ssot/operating-rules.md — OR v7.58, AgentData revision 51, full read, truncated=false, content_length=5400.
2. knowledge/dev/laws/constitution.md — Constitution v4.6.3 BAN HÀNH, AgentData revision 44, full read, truncated=false, content_length=19132.
3. knowledge/dev/laws/dieu32-approval-law.md — Điều 32 v1.1 BAN HÀNH, AgentData revision 2, full read, truncated=false, content_length=5601.
4. Prior Codex PATCH3 rejection: knowledge/dev/laws-new/reports/codex/codex-review-rs5a-patch3-deterministic-lifecycle-and-oracle-predicates-2026-06-21.md — revision 1, full read, truncated=false, content_length=13304.
5. PATCH4 rollup — revision 1, full read, truncated=false, content_length=6630.
6. PATCH4 index, closure map, total-order/evaluation-unit contract, compound fixtures, G02 domain correction, decision packet, and Codex packet — all revision 1, full read, truncated=false; content lengths 4657, 8247, 12146, 8702, 6612, 6242, and 5575.
7. Comparison references PATCH3-03 and PATCH3-04 — revision 1, full read, truncated=false, content lengths 10766 and 7406.

Direct list evidence:

• reports/rs5a-patch4/ returned count=7, next_offset=null, truncated=false; all seven files are revision 1.
• The separately located PATCH4 rollup exists at revision 1.
• RS5A returned count=14, PATCH1 count=9, PATCH2 count=7, and PATCH3 count=7; every listed prior document remains revision 1.
• The official PATCH4 Codex report path returned count=0 before upload.

No local prose or scratch file was used as package evidence.

2. Package Completeness

PASS.

The target package contains exactly eight required documents: one rollup plus seven files under reports/rs5a-patch4/. Every target is non-empty, revision 1, and returned truncated=false on full read.

The package is additive. Direct inventories show RS5A, PATCH1, PATCH2, and PATCH3 still present at revision 1. No target or prior Codex report was overwritten.

3. Closure Map Assessment

PASS, with one non-blocking editorial discrepancy.

The closure map identifies all five required residuals:

1. R1 — P1 multi-code ambiguity.
2. R2 — P3 multi-code ambiguity.
3. R3 — evaluation unit unspecified.
4. R4 — compound fixtures missing.
5. R5 — G02 partition overclaim.

For each residual it identifies the PATCH3 source phrase, states the PATCH4 correction, marks CLOSED, preserves the fail-closed posture, and does not reopen accepted lifecycle, delegation, identity, G02/G08, owner/bootstrap/handler, U1/U2/U3, or prerequisite semantics.

Editorial discrepancy: the R4 row says “eight compound fixtures CQ01–CQ08,” while PATCH4-03, the rollup, index, decision packet, and Codex packet correctly contain and cite nine fixtures CQ01–CQ09. CQ09 is present and complete, so this does not weaken coverage or require PATCH5; successor summaries should use “nine.”

4. Total Quorum Order Assessment

PASS.

The authoritative order is complete and matches the required contract:

Q00 CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT < Q10 FREE_TEXT_PRESIDENT_REJECTED < Q11 SELF_DECLARED_COUNCIL_IDENTITY_REJECTED < Q20 DELEGATION_REVOKED < Q21 DELEGATION_SCOPE_MISMATCH < Q22 DELEGATION_NOT_YET_EFFECTIVE < Q23 DELEGATION_EXPIRED < Q30 PRESIDENT_ROLE_UNRESOLVED < Q31 COUNCIL_PRINCIPAL_UNRESOLVED < Q40 APPROVER_ALIAS_DOUBLE_COUNT < Q41 CANONICAL_PRINCIPAL_DOUBLE_COUNT < Q50 QUORUM_NOT_SATISFIED.

PATCH4-02 explicitly states:

• predicates may overlap;
• the oracle does not rely on within-band mutual exclusivity;
• the lowest matching Q-code at the relevant evaluation unit wins;
• the Q-order is authoritative and overrides descriptive P-band labels.

This closes the PATCH3 defect. No future implementer must invent a tie-break.

Verified blocking inputs:

• free-text president plus self-declared ai_council matches Q10/Q11/Q31 and returns Q10 FREE_TEXT_PRESIDENT_REJECTED;
• president unresolved plus council unresolved matches Q30/Q31 and returns Q30 PRESIDENT_ROLE_UNRESOLVED.

The order remains valid in the future surface-present state; it is not merely masked by present-state Q00.

5. Evaluation Unit Assessment

PASS.

PATCH4 defines three nested units:

1. Context: Q00 structural precondition.
2. Single vote claim: Q10–Q31, comparing claimed fields and canonical/resolved fields.
3. Whole APR over valid claims: Q40, Q41, Q50.

The oracle sequence is deterministic:

• evaluate Q00 first;
• evaluate every vote claim and select its lowest matching per-vote Q-code;
• if any vote is invalid, the APR outcome is the lowest emitted per-vote Q-code;
• only when all vote claims are valid, evaluate APR duplicate/count predicates;
• otherwise return IDENTITY_PASS.

Per-vote invalidity therefore precedes APR-level duplicate/count. Q10–Q31 are numerically lower than Q40–Q50, so the staged algorithm is consistent with the global Q-order.

IDENTITY_PASS remains necessary-not-sufficient. Effect/artifact binding remains orthogonal and is not incorrectly inserted into the identity Q-order.

6. Compound Fixture Assessment

PASS.

PATCH4-03 contains CQ01–CQ09. Each fixture provides input shape, matching predicates or emitted per-vote codes, the total-order winner, the expected canonical outcome, and the evaluation unit.

Required checks verified:

• CQ01 → FREE_TEXT_PRESIDENT_REJECTED.
• CQ03 → PRESIDENT_ROLE_UNRESOLVED.
• CQ04 revoked plus expired → DELEGATION_REVOKED.
• CQ05 scope mismatch plus expired → DELEGATION_SCOPE_MISMATCH.
• CQ06 distinct aliases resolving to one principal → APPROVER_ALIAS_DOUBLE_COUNT.
• CQ07 exact repeated canonical reference → CANONICAL_PRINCIPAL_DOUBLE_COUNT.
• CQ08 valid but insufficient tally → QUORUM_NOT_SATISFIED.
• CQ09 two differently faulty votes → APR rollup selects the lowest emitted Q-code.

The fixtures assume the canonical-principal surface is present, correctly preventing Q00 from masking P1/P3 behavior.

CQ01–CQ09 are explicitly predicate-resolution fixtures, not new negative-suite executable scenarios. The suite count is therefore unchanged.

7. G02 Domain Assessment

PASS.

PATCH4 narrows the partition claim to:

D = same-nonce inputs for which a prior durable decision exists for that nonce.

Within D:

• different effect → G02b NONCE_REUSE_DIFFERENT_EFFECT;
• same effect plus different authorization envelope → G02c NONCE_REUSE_AUTHORIZATION_MISMATCH;
• same effect plus same envelope → G02a IDEMPOTENT_PRIOR_DECISION_RETRIEVAL.

This is exhaustive and mutually exclusive within D. The accepted G02a/b/c ordering and authorization-substitution protection are not reopened.

The required out-of-domain case — same nonce, same effect, same envelope, no prior durable decision — is labeled NO_PRIOR_DURABLE_DECISION_STATE_UNSPECIFIED and is clearly:

• design-only;
• not a reject code;
• not IDEMPOTENCY_BEHAVIOR_CASE;
• not an executable scenario;
• deferred to future replay-surface design and proof.

No new code or scenario is added. Count remains 84 parent IDs / 86 executable scenarios. The suite remains DEFINED_NOT_EXECUTED.

8. Accepted Points

1. Complete additive eight-file PATCH4 package.
2. R1 and R2 P1/P3 ambiguity are closed by a total code-level order.
3. R3 evaluation units are explicit and implementation-independent.
4. R4 compound fixtures cover single-vote, APR-level, and cross-unit multi-fault cases.
5. R5 G02 partition overclaim is closed by domain restriction.
6. Q-order is authoritative and P-band labels cannot override it.
7. The oracle returns one identity result per APR or IDENTITY_PASS.
8. Effect/artifact binding remains orthogonal.
9. Lifecycle and activation semantics accepted in PATCH3 are not reopened.
10. Delegation half-open interval and boundary outcomes are not reopened.
11. G02a/b/c mutual exclusion and G08 fixture are not reopened.
12. 84 parent IDs / 86 executable scenarios remains a definition, not execution evidence.
13. Owner/bootstrap/handler/identity/U1/U2/U3/prerequisite semantics are not reopened.
14. Package attests that no runtime artifact or mutation was created; this review did not independently live-verify that attestation.

9. Rejected or Overclaimed Points

No material semantic claim requires rejection.

Non-blocking corrections/caveats:

1. Closure-map R4 says eight fixtures although the package contains nine; future summaries should state CQ01–CQ09.
2. “Every APR maps” is accepted for the defined quorum-identity predicate universe inherited from PATCH2/PATCH3; it is not a claim that unrelated malformed transport/schema inputs are covered.
3. NO_PRIOR_DURABLE_DECISION_STATE_UNSPECIFIED is not resolved by PATCH4 and must not silently become fail-open during later replay implementation.
4. Safety statements of “0 mutations” are package attestations, not independent live evidence in this KB-only review.
5. The 86-scenario suite remains DEFINED_NOT_EXECUTED; no runtime PASS is inferred.

10. Sequencing and Gate

PATCH4 contract review is accepted.

The only next step is RS5B — G2 Owner-of-record execution-design / authorization-design.

RS5B remains non-mutating, must solve bootstrap authority, and must itself be separately authorized before any Owner, scope, APR, action, principal-surface, or runtime write.

REGISTRATION_HOLD remains active. REGISTRATION_CAN_PROCEED = NO.

No registration, activation, implementation, validator/registrar patch, or RS-VALIDATOR is authorized by this acceptance.

11. Three Declarations

• Permanent: the total Q-order converts overlapping predicates into one stable canonical outcome without relying on prose-only exclusivity assumptions.
• Mistake-resistant: context, vote, and APR units are explicit; lowest-Q selection prevents implementers from inventing tie-breaks.
• 100% automatic: CQ fixtures and the deterministic oracle can be translated directly into future automated tests, while undefined no-durable-decision behavior remains fail-closed until designed.

Conservation: no ID reuse, relationship deletion, or metadata reduction occurred; this mission creates only the official review report.

Assembly Gate: PG=N/A, Directus=N/A, Nuxt=N/A. This is a KB contract-only review with no runtime implementation.

Five design questions: model=total quorum identity oracle; closed process=context→vote→APR→identity result; tools=AgentData direct search/read/list/upload/readback; execution environment=KB only; golden principle=contract metadata before code.

Data flow: AgentData KB reads plus one official report write. No PG/Directus/Nuxt/runtime path was touched.

One mission: review RS5A-PATCH4 only.

12. Step-by-Step Compliance Record (0→6)

• Step 0 — Read skill, OR v7.58, Constitution v4.6.3, and Approval Law v1.1.
• Step 1 — Confirmed one PATCH4 review-only mission and preserved REGISTRATION_HOLD.
• Step 2 — Defined adversarial review checks before writing the report.
• Step 3 — N/A: no code, DDL, DML, runtime/config change, or local scratch artifact.
• Step 4 — N/A: no PR, merge, deploy, or implementation two-hat flow.
• Step 5 — Full KB readback and direct inventory evidence used; no production runtime proof required or claimed.
• Step 6 — Official report saved at the prescribed KB path and read back fully. OR/TD/handoff update not required because no implementation/runtime state changed and the report contains the only caveats.

13. Final Verdict

VERDICT: ACCEPT_RS5A_PATCH4

RS5A-PATCH4 closes the remaining PATCH3 rejection at the contract layer. The quorum identity oracle now has an authoritative total Q-order, explicit evaluation units, and compound fixtures that force one canonical result. The G02 partition is accurately limited to the prior-durable-decision domain.

Stop state: RS5A_PATCH4_ACCEPTED.

Single next step: RS5B — G2 Owner-of-record execution-design / authorization-design, non-mutating.

REGISTRATION_HOLD remains active. REGISTRATION_CAN_PROCEED = NO.

DO NOT IMPLEMENT: Confirmed. No runtime mutation, DDL/DML, Owner row, scope row, principal registry, APR, register_dot, approval, handler, registrar/validator patch, RS-VALIDATOR, registration, activation, or technical implementation was performed or authorized.