Incomex AI Portal
KB-769A

F3 Owner Decision Record — IO Contract + Formula + Assembly Machine / DOT gate

18 min read Revision 1
laws-newf3owner-decisiondecision-gateread-onlynon-authorizing2026-06-16

F3 Owner Decision Record — IO Contract + Formula + Assembly Machine / DOT gate

Ngày: 2026-06-16 · Soạn: Claude Code CLI (read-only AgentData KB) · Track: knowledge/dev/laws-new/ Records: GPT/Owner decision closing the F3 decision gate after the F3 bundle (execution report rev6 + reuse-survey packet rev1) + Codex review + source-currency patch. Evidence basis (carried-pinned): F3 execution report reports/f3/f3-io-formula-assembly-dot-execution-report-2026-06-16.md rev6 (len 38290, STATUS PARTIAL) · F3 packet f3-io-formula-assembly-dot-reuse-survey-packet.md rev1 · F2 owner decision record rev1 (F2 gate CLOSED) · F2 execution report rev1 + F2 packet rev1 · F1 decision rev1 · F0 decision rev1 · framework rev56 (§6c F4 = D8+D9+canonical-output D10) · de-bai rev33 · catalog rev82 · constitution v4.6.3 (NT9/NT14/NT15/Đ20/Đ32) · OR v7.58. Layer: F3 = §6c domains D6 + D7 (IO Contract + Formula + Assembly Machine / DOT), one layer above F2, below F4 (Stamp Lifecycle + Checker / Promote / Rollback — where canonical birth is the output at promote).

0. STATUS (one line at top)

STATUS: F3 DECISION GATE CLOSED. GPT/Owner accept the F3 bundle (execution report rev6 + reuse-survey packet rev1) as the evidence basis after the source-currency patch, accept the Codex PASS_WITH_MINOR_FIXES, accept the source-currency patch as GPT-accepted (no further Codex re-review required for the patch), and accept the PARTIAL status as honest and non-blocking. The F3 boundary is accepted: IO Contract is thin — NOT Module Contract First; Formula / Assembly Machine / DOT = documentary only; no DOT registration / no DOT run; no formula execution; no assembly build; no checker / no scanner; no cell_id / dot_role materialization; no canonical birth; no BIRTH_STAMP. CONS-002 remains an unresolved BLOCKER; CONS-003 and CELL-003/004/007 remain unresolved BLOCKERs; HOLD-1 remains Phase-1-gated; HOLD-2 (atomic promote) remains an F4 subject, not resolved here; STG-012 / STG-015 / STG-REUSE-001/003 remain unresolved; DOT-CAP-001/004/006/010 and RISK-GC / RISK-CAP / RISK-BYPASS remain open. This record unlocks the F4 Program Macro only — no Phase-1, no DB/runtime, no implementation, no schema/registry, no DOT/formula/assembly execution, no checker/scanner, no canonical birth, no cell_id/dot_role materialization. Documentary ≠ live proof · Prior-session ≠ current proof · Engineering PASS ≠ Authority PASS · Reuse-now ≠ live-proven · Codex PASS ≠ Owner phase-authorization.

1. Owner View — 3 câu hỏi (control surface, simple)

Câu hỏi Owner Trả lời tại gate này
Q1 — Cái gì đang có và dùng lại được? The F3 bundle is accepted as evidence: the IO Contract 5-field boundary (nhận·trả·schema_min·fail·rollback, NOT Module Contract First), the Smart Brick shape inherited from F1/F2, the candidate-packet-as-view binding (candidate_id + packet_hash), the Formula / Assembly Machine / DOT documentary patterns, dot_tools (~309, wrapper-only), fn_iu_cut_from_manifest (~70% reusable, maybe formula.v0.1), the rollback/delete-fast boundary, and the F0/F1/F2 source/evidence/decision baseline. All carried into F4 as documentary candidates — NOT live-proven.
Q2 — Cái gì đang có nhưng cần sửa/kiểm chứng mới dùng lại được? The carried blockers/gaps are acknowledged, not resolved: IO examples/templates = GAP (CONS-002 which-source-wins BLOCKER); Formula per layer = GAP (formula.v0.1 deferred); Assembly Machine "chưa designed"; DOT coverage matrix = GAP; dot_tools lacks dot_role/cell_id (no schema patch); checker/verdict-only not executable live (= F4); candidate-packet binding depends on STG-015 packet_hash; temp-store live substrate depends on HOLD-1; cell context depends on CONS-003 / CELL-003/004/007; rollback/delete-fast depends on STG-012 + RISK-GC/CAP; RISK-BYPASS + DOT-CAP-001/004/006/010 open; runtime/checkout sync not proven (CONS-005 caveat).
Q3 — Cái gì thật sự còn phải làm thêm? The F4 Program Macro (preparation packet + internal-gated read-only execution) for the next §6c layer — F4 = Stamp Lifecycle + Checker / Promote / Rollback (= D8 + D9 + the canonical-output of D10; canonical birth + BIRTH_STAMP close at promote). Nothing else is authorized: no Phase-1, no DB/runtime, no checker/promote/canonical-birth execution, no schema/materialization.

2. What was decided (decision table)

Decision item Recorded? Decision
F3 bundle accepted as evidence basis ✅ Yes Accepted after the source-currency patch. F3 execution report rev6 (PARTIAL) + F3 reuse-survey packet rev1 are the evidence basis for closing F3 and unlocking F4. See §0.
Codex review accepted ✅ Yes Codex PASS_WITH_MINOR_FIXES accepted. Codex = control verdict only, not Owner phase-authorization (constitution NT-discipline; OR §8).
Source-currency patch accepted ✅ Yes Source-currency patch applied and GPT-accepted. No further Codex re-review required for the patch.
PARTIAL accepted as honest/non-blocking ✅ Yes PARTIAL accepted as honest and non-blocking. PARTIAL (not PASS) is correct because every F3 asset is DOCUMENTARY_ONLY or GAP and the gating conflicts/risks are carried, not resolved. Engineering PASS ≠ Authority PASS.
F3 boundary accepted ✅ Yes IO Contract thin (not Module Contract First); Formula/Assembly/DOT documentary only; no DOT registration/run; no formula execution; no assembly build; no checker/scanner; no cell_id/dot_role materialization; no canonical birth; no BIRTH_STAMP. See §3.
CONS-002 ◻ Carried NOT decided here. IO Contract 5-field vs DOT/evidence/owner — which source wins — remains an unresolved BLOCKER. See §4.
CONS-003 + CELL-003/004/007 ◻ Carried NOT decided here. 6-tầng vs 7-Lớp/dimensions composition conflict + cell_id dimension sources remain unresolved BLOCKERs. See §4.
HOLD-1 ◻ Carried NOT decided here. iu_staging_record/iu_staging_payload live state remains Phase-1-gated (separate Owner gate). See §5.
HOLD-2 ◻ Carried NOT decided here. Atomic promote (no real transaction) remains an F4 subject, not resolved. See §5.
STG-012 / STG-015 / STG-REUSE-001/003 ◻ Carried NOT decided here. Cleanup scheduler / packet_hash coverage / shared-store sufficiency / no-new-packet-store remain unresolved. See §4.
DOT-CAP-001/004/006/010 + RISK-GC / RISK-CAP / RISK-BYPASS ◻ Carried NOT decided here. DOT capability blockers + GC/CAP/BYPASS risks remain open. See §4.
CONS-004 (authority order) ✅ Reused DECIDED at F0 — applied, not re-opened. Authority basis for this record.
CONS-005 (freeze baseline) ✅ Reused DECIDED at F0 (accepted, KB-only) — caveat: no runtime/checkout sync proof.
What this unlocks ✅ Yes F4 Program Macro only. See §7.

3. F3 boundary (ACCEPTED — not re-opened)

The following F3 boundary, held throughout the F3 execution report rev6, is accepted and is not re-opened at F4:

  • IO Contract is thin — NOT Module Contract First. The IO Contract is the 5-field boundary nhận · trả · schema_min · fail · rollback between assembly cells/bricks (de-bai §III.6/§VI.3; framework §6b row 1, D6). DOT-check and evidence/stamp are the execution/verification layer that travels with the IO Contract, not stuffed inside it. Module Contract First / Federated Registry stays reference-only for canonical/high-risk (de-bai §V.16).
  • Formula = documentary pattern, not an engine. No formula registry, no formula engine, 0 DOT assemble (catalog FORMULA-001/003/006 = "KHÔNG"); formula.v0.1 deferred; fn_iu_cut_from_manifest-as-formula.v0.1 recorded as a hypothesis only.
  • Assembly Machine = documentary position, not a runtime machine. "Machine per layer chưa designed" (framework D7); DOT is only a possible machine/check/wrapper.
  • DOT / dot_tools = documentary candidate, wrapper-only. dot_tools ~309 rows is DOCUMENTARY_ONLY, reportedly lacks dot_role / cell_id; DOT coverage matrix = GAP; the One-Roof scanner does not exist.
  • No DOT registration / no DOT run · no formula execution · no assembly build · no checker / no scanner.
  • No cell_id / dot_role materialization. CONS-003 + CELL-003/004/007 stay unresolved; cell context stays pending (framework §6.3, §19 schema-change STOP).
  • No canonical birth, no BIRTH_STAMP. Canonical birth + BIRTH_STAMP are the OUTPUT at the promote boundary → F4 (framework D10 canonical-output; de-bai §V.5/§V.10), never F3.

This boundary is accepted exactly as the F3 execution report stated it (report §1/§4/§5/§6/§7/§12). The adversarial check in the report (§11, 14 numbered bad-assumptions, all Rejected) confirms F3 execution was not fail-open.

4. Carried blockers — remain unresolved (NOT decided here)

These conflicts/risks are carried forward to F4 and Phase-1 as obligations, not resolved at this gate:

  • CONS-002 (IO Contract 5-field vs DOT/evidence/owner — which source wins for IO Contract v0.1 fields) — TODO / BLOCKER. Keep the 5 fields meanwhile. Owner decision.
  • CONS-003 (6 tầng vs 7 Lớp Cấu tạo / 7 dimensions composition levels) — CONFLICT / BLOCKER. Constitution Đ0-B "7 Lớp Cấu tạo (33 species)" / Đ29 "33 species, 7 dimensions" vs drafts; NT6 "5 TẦNG ĐỒNG BỘ"; Đ5 "5 Tầng Kiến trúc" — the ambiguity is confirmed but not adjudicated. Blocks cell placement, cell_id dimension resolution, and CELL_STAMP. Owner decision.
  • CELL-003 (layer source) / CELL-004 (species source, 2 namespaces) / CELL-007 (chuẩn 6-tầng / composition_level chưa enacted) — BLOCKERs. Block the cell_id Tầng/Loài dimensions and tier catalog. Owner + Phase-1.
  • STG-012 (cleanup scheduler — who calls fn_iu_staging_cleanup; no pg_cron) — TODO / BLOCKER. Blocks trusting TTL/delete-fast. Phase-1.
  • STG-015 (packet_hash coverage — whether it covers cell_id + stamps) — PARTIAL / BLOCKER. Blocks candidate-packet tamper-binding. Owner/spec + Phase-1.
  • STG-REUSE-001 (shared-store sufficiency) — TODO / BLOCKER. Blocks iu_staging_* as shared kho tạm for all tiers v0.1. Phase-1.
  • STG-REUSE-003 (no new packet store) — BLOCKER-if-proposed. Default NO (de-bai §V.13).
  • DOT-CAP-001 / 004 / 006 / 010BLOCKERs. Block DOT capability contract, no-mutation flag, ≥8 bad-input tests, read-vs-mutate classification — before any DOT is trusted. Owner/spec + Phase-1.
  • RISK-GC (blob_ref orphan / cleanup) — OPEN. Blocks trusting payload blob lifecycle + delete-fast. Phase-1.
  • RISK-CAP (CASCADE / 10 MiB cap) — OPEN. Blocks trusting payload under load. Phase-1.
  • RISK-BYPASS (birth gate warning + bypass kill-switch surface; framework D10 "birth_gate chưa block (warning); bypass kill-switch = BYPASS surface", inherited from F1) — OPEN. Blocks trusting the gate at promote. Phase-1 + controlled+audited pilot gate.

No blocker above is resolved by this record. Resolving any of them is future Owner work, not implied by closing F3.

5. HOLD-1 (Phase-1-gated) and HOLD-2 (F4) — carried

  • HOLD-1iu_staging_record / iu_staging_payload (the proposed live home for the brick, candidate packet, pre-promote stamps, and any DOT/formula output) remain UNKNOWN→likely-LIVE / "HOLD FOR SYSTEM CHECK". This is Phase-1-gated and requires a separate Owner gate for a scoped read-only substrate survey. Not opened by this record.
  • HOLD-2Atomic promote (the all-or-nothing transaction that creates canonical birth, closes BIRTH_STAMP + PROMOTE_STAMP, and consumes the staging record) has no real transaction + no rehearsal proof and is therefore BLOCKED. HOLD-2 is explicitly an F4 subject (framework D9/D10; de-bai §V.5/§V.7). It is carried into the F4 macro as the subject to be surveyed documentary-only — not resolved, not designed, not run by closing F3.

6. What is still NOT authorized (boundary)

Closing the F3 gate does NOT authorize any of the following. They remain forbidden until their own separate Owner gates:

  • No Phase-1 survey; no live DB / Postgres / Directus / runtime / production query or mutation.
  • No touching iu_staging_*, dot_tools, or birth_registry live.
  • No code / migration / DDL / DML / schema / table / registry / index / source-manifest.
  • No cell_id / dot_role materialization.
  • No DOT creation / registration / run; no formula execution; no assembly-machine build.
  • No checker creation or execution; no scanner creation or execution.
  • No promote execution; no canonical birth write; no closing of BIRTH_STAMP; no writing of PROMOTE_STAMP; no writing of a PROMOTE_BLOCKED state.
  • No fn_birth_register / fn_birth_gate live call.
  • No resolution of CONS-002 / CONS-003 / CELL-003/004/007.
  • No treating documentary row counts (e.g. birth_registry "162 triggers / enacted v1.0", dot_tools ~309) as live proof.
  • No treating the Codex PASS as Owner authorization for any future phase.

7. What this unlocks — F4 Program Macro only

This gate unlocks exactly one thing: running the F4 Program Macro for the next §6c layer —

F4 — Stamp Lifecycle + Checker / Promote / Rollback (framework rev56 §6c, = domains D8 + D9 + the canonical-output of D10). F4 = the stamp lifecycle (required-stamps.v0.1.json vocabulary; the 7 core stamps; pre-promote vs post-promote; precondition ≠ output; runtime delivery UNKNOWN), the verdict-only checker (promote-checker-v0.1-spec; PROMOTE_OK is not a mutation; PROMOTE_BLOCKED is a verdict/state), the promote / Atomic Promote Contract boundary (HOLD-2, all-or-nothing, no real transaction yet), the rollback / delete-fast path, and the canonical birth boundary (canonical birth + BIRTH_STAMP + PROMOTE_STAMP are the OUTPUT at promote, never earlier). It reuses the IO Contract 5-field boundary, the Smart Brick shape, the candidate-packet-as-view binding, and the F0/F1/F2 baseline. NOT checker implementation, no promote execution, no canonical birth write, no schema/materialization, no Phase-1.

The F4 Program Macro is itself non-authorizing: it produces a preparation packet + an internal-gated read-only execution report, and must again preserve the 3 reuse-first Owner questions and remain non-authorizing until its own GPT → Codex → Owner gate. Closing F3 does not open F4 execution beyond that internal-gated read-only survey, and does not open Phase-1 or any design/implementation.

8. Self-check (recorder discipline)

  1. Recorded the F3 bundle acceptance after the source-currency patch? Yes (§0/§2).
  2. Recorded Codex PASS_WITH_MINOR_FIXES accepted + patch GPT-accepted + no further Codex re-review for the patch? Yes (§0/§2).
  3. Recorded PARTIAL accepted as honest and non-blocking? Yes (§0/§2).
  4. Recorded the full F3 boundary (IO thin / Formula·Assembly·DOT documentary / no DOT-run / no formula-run / no assembly-build / no checker·scanner / no cell_id·dot_role / no canonical birth / no BIRTH_STAMP)? Yes (§3).
  5. Carried CONS-002, CONS-003 + CELL-003/004/007, HOLD-1, HOLD-2, STG-012/015, STG-REUSE-001/003, DOT-CAP, RISK-GC/CAP/BYPASS as unresolved/open? Yes (§4/§5).
  6. Kept HOLD-2 explicitly as the F4 subject, not resolved? Yes (§5).
  7. Recorded that "what this unlocks" = F4 Program Macro only? Yes (§7).
  8. Resolved any conflict / wrote any schema / touched any live system / authorized any implementation? No — this is a read-only decision record only.
  9. Kept Owner/GPT as the only phase authority; Codex = control verdict only? Yes (§0/§2).
  10. Distinguished documentary vs live proof throughout? Yes (§0/§3/§4/§6).

9. Next action

  1. GPT/Owner read this F3 decision record.
  2. Run the F4 Program Macro: create f4-stamp-checker-promote-rollback-reuse-survey-packet.md, run its internal §10 gate, and — only if the gate passes — create reports/f4/f4-stamp-checker-promote-rollback-execution-report-2026-06-16.md (read-only documentary survey).
  3. Route the F3 decision + F4 packet + F4 report (if created) together to Codex for an independent control review.
  4. After Codex, Owner decides whether F5 (Scanner / Observability + Runtime / Operational Safety) may proceed, or whether Phase-1 / CONS-002 / CONS-003 / CELL- / HOLD-1 / HOLD-2* must be resolved first.
  5. Default = HOLD. Codex PASS ≠ Owner phase-authorization.

F3 Owner Decision Record | 2026-06-16 | STATUS: F3 DECISION GATE CLOSED. Unlocks the F4 Program Macro only. READ-ONLY, NON-AUTHORIZING. IO Contract thin ≠ Module Contract First. Formula / Assembly Machine / DOT = documentary only. No DOT registration/run · no formula execution · no assembly build · no checker/scanner · no cell_id/dot_role · no canonical birth · no BIRTH_STAMP. CONS-002 / CONS-003 / CELL-003/004/007 carried (BLOCKER). HOLD-1 Phase-1-gated. HOLD-2 = F4 subject (not resolved). STG-012/015 / STG-REUSE-001/003 / DOT-CAP-001/004/006/010 / RISK-GC/CAP/BYPASS open. Documentary ≠ live proof. Engineering PASS ≠ Authority PASS. Codex PASS ≠ Owner phase-authorization.