Macro-RS3-PATCH1 — Authenticity, Binding, Replay, and Integration Correction (2026-06-21)
STATUS: PASS_WITH_CAVEATS
VERDICT: RS3_PATCH1_READY_FOR_CODEX_REVIEW
Registration gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO
Runtime observation: RS3_PATCH1_LIVE_READ (Claude read-only query_pg, DB directus, 2026-06-21) · 0 substrate mutations · NO_CODEX_LIVE_READ retained as a separate caveat
Class: read-only / KB-design / correction-addendum macro · non-enacting · non-authorizing · no implementation · no runtime mutation · no validator patch
Deliverable: this report only (new file). Does NOT overwrite RS3-BUNDLE, RS2-PATCH1, RS2, RS1, or any Codex review.
Triggered by: Codex review NEED_RS3_PATCH / HOLD (…/reports/codex/codex-review-rs3-bundle-…-2026-06-20.md rev1)
Corrects (addendum to): …/reports/macro-rs3-bundle-owner-resolver-trusted-snapshot-validator-envelope-residue-disposition-criteria-2026-06-20.md rev1
Date: 2026-06-21
1. STATUS
PASS_WITH_CAVEATS. This patch addresses the four load-bearing defects and eleven correction items Codex raised against RS3-BUNDLE, in one bounded read-only / KB-design pass. It corrects the authenticity model (hash ≠ signature), proves-or-fail-closes the owner/APR operation–target–artifact binding against fresh live schema, removes the invented revocation_ref, assigns replay/nonce state ownership to an atomic consumer (validator stays pure), corrects snapshot manifest integrity and chronology, expands the validator adversarial criteria, publishes an integration producer/consumer matrix, neutralizes the S142B overclaim, and restates the complete RS3B scope.
It is not an authority pass and it does not authorize registration. All five carried RS2-PATCH1 caveats and all four RS3-BUNDLE caveats remain in force. The four RS3 LEGO blocks (Owner Resolver, Trusted Snapshot, Validator Closure, Residue Disposition), their no-mutation property, the envelope-only coupling, the 18/142/8 split, and the registration HOLD are all kept, not re-opened. Engineering PASS ≠ Authority PASS; KB admission ≠ runtime registration; activation ≠ registration.
Headline corrections vs RS3-BUNDLE (all live-grounded this cycle):
- RS3 called the envelopes "signed" but defined only evidence_hash → downgraded to HASH_BOUND, because no signature / MAC / key / nonce / trust-root table exists in the substrate (PL4). The only available authenticity root is an authority-/observer-controlled immutable evidence row — and a live reuse precedent for it exists (qt001 signoff family, PL6/PL11).
- RS3 said governance_object_ownership "already has the exact columns an Owner Authority Envelope needs" → false for operation/artifact: the table has no operation, no artifact_hash, no revocation_ref column (PL2). Owner binding is therefore FAIL_CLOSED_UNTIL_APR_PAYLOAD_SUPPORT.
- RS3 said the 142 are "demonstrably unsanctioned" → neutralized to AUTHORIZATION_NOT_DEMONSTRATED (PL9/PL10 confirm they remain outside the back-audit ledger; the primary source is still unread).
2. VERDICT
RS3_PATCH1_READY_FOR_CODEX_REVIEW.
Justification against the allowed-verdict set:
- Not RS3_PATCH1_OWNER_ENVELOPE_INSUFFICIENT as a stop: the owner envelope is corrected to fail-closed with a clear binding chain and a defined APR-payload-support condition. Per the mission's contingency (§5), a clear fail-closed criteria set permits READY_FOR_CODEX_REVIEW while the binding status itself is OWNER_BINDING_FAIL_CLOSED_UNTIL_APR_PAYLOAD_SUPPORT.
- Not RS3_PATCH1_SNAPSHOT_ENVELOPE_INSUFFICIENT as a stop: the snapshot manifest integrity/chronology criteria are defined; the provider is correctly held at SNAPSHOT_MANIFEST_SOURCE_UNPROVEN (candidate, not ready).
- Not RS3_PATCH1_INTEGRATION_INSUFFICIENT: the producer/consumer matrix (§12) covers every required field with producer, consumer, source-of-truth, authenticity model, replay/TTL, and reject-on-mismatch.
- Not RS3_PATCH1_SOURCE_NOT_READ_BLOCKER: every load-bearing surface for this correction was read live (PL1–PL12) or distilled from primary KB sources; the two genuine SOURCE_NOT_READ items (registrar implementation dot-dot-register.ts; S142B primary authorization source) are not load-bearing for this correction and are carried, not closed.
- Not RS3_PATCH1_REJECT_SCOPE_DRIFT: scope held to the eight correction objectives; no registrar implementation, no validator patch, no mutation, no whole-system survey.
- Not RS3_PATCH1_REJECT_FAIL_OPEN: no fail-open was found in the corrected criteria. Every absent binding / unknown authenticity / unowned replay state / unproven manifest / source gap rejects.
Registration is not authorized and cannot be authorized by this macro. Codex must re-review this patch before RS3B-REGISTRAR-HARDENING-DESIGN.
3. EXECUTIVE SUMMARY
Codex accepted RS3-BUNDLE's scope, LEGO separation, reuse-first direction, and registration HOLD, but placed it on HOLD as a trust-envelope baseline because of four load-bearing defects (hash≠signature; owner row does not authorize the exact operation/artifact; replay has no state owner; integration/snapshot/identifier edges under-specified) plus seven correction items. RS3-PATCH1 closes them as criteria, grounded in a fresh live read that Codex could not perform (NO_CODEX_LIVE_READ).
The biggest contribution of this patch is that the live schema decides several questions RS3 left open or got wrong:
- There is no cryptographic authenticity infrastructure to build on. A targeted catalog scan for key|sign|mac|hmac|nonce|idempot|cert|token|secret|credential|attest|trust (PL4) returned only views and unrelated base tables — no signature table, no MAC table, no key table, no nonce table, no trust-root table. Per the mission contingency (§5), the only defensible authenticity model is the authority-/observer-controlled immutable evidence row (HASH_BOUND_AUTHORITY_ROW) — never "signed". And a live reuse precedent already implements exactly this shape: the qt001_independent_review_signoff / qt001_signoff_plan_binding family (PL6) binds a verdict to a target by checksum, with independent reviewer identity, validity window, and supersession (superseded/superseded_by), enforced by exact-binding guard views (v_qt001_signoff_target_hash_guard, v_qt001_exact_signoff_binding_guard, v_qt001_signoff_identity_constraint_guard). No new registry and no crypto infrastructure are justified.
- The owner row cannot authorize the exact operation or artifact. governance_object_ownership (PL2) has no operation, no artifact_hash, no revocation_ref column. The operation and target can be carried only transitively, via approval_ref → approval_requests (PL1: proposed_action_code/action + entity_type/entity_code/target_collection/target_entity_code), and the approval_requests.action enum is constrained to {add, modify, delete, review} (PL12) — so register_dot cannot live in the constrained action; it could only live in free-text proposed_action_code, which is caller-proposed, not attested. There is no artifact_hash column anywhere in the APR path. ⇒ Owner binding is OWNER_BINDING_FAIL_CLOSED_UNTIL_APR_PAYLOAD_SUPPORT: the resolver must reject until (a) a governed implemented register_dot action type exists, and (b) the APR payload carries an attested artifact reference (interface F) — never synthesized from caller input.
- owner_kind and lifecycle_status are proven enums; revocation is expressible without invention. CHECK constraints (PL12) prove owner_kind ∈ {accountable, supporting, delegated, exception} (RS3's commented guess president|owner|delegate|exception was invented — corrected) and lifecycle_status ∈ {active, superseded, revoked, expired}. So revocation is a proven lifecycle value (revoked), not a separate revocation_ref column → the invented field is removed; the partial unique index uq_gov_obj_accountable (PL11) gives a single active accountable head per (object_type, object_ref, scope) for deterministic head resolution.
- A uniqueness-backed atomic replay-consume surface exists in shape. iu_route_attempt has UNIQUE(idempotency_key, attempt_no) (PL11) — a real atomic idempotency/replay consumer shape. The validator stays pure (checks nonce shape/binding/freshness only); the registrar Phase 1 consumes the nonce atomically against an idempotency surface of this shape. The surface shape is proven; the registrar's authority to write it and its domain-fit are unproven → REPLAY_STATE_OWNER_ASSIGNED · SURFACE_SHAPE_PROVEN · WRITER_AUTHORITY_UNPROVEN.
- Snapshot observers have per-object hashes but no manifest integrity or chronology. The wf_*_snapshot family (PL7) carries per-object hash + observed_at but no manifest id/hash/version, no observer credential, no run/attempt binding, no before/after pairing, no sequence → SNAPSHOT_MANIFEST_SOURCE_UNPROVEN. A manifest base table (context_pack_manifest, PL8) exists as a precedent. The provider stays a candidate, not a trusted provider.
- The residue split holds, neutrally. Fresh group-bys (PL9/PL10) reconfirm orchestrator-s142b = 142, auto-apply-function = 18, system_auto_approve = 8; the back-audit ledger = 26 (= 18 + 8); the 142 are absent from the ledger. The 142 are restated as SOURCE_NOT_READ · OUTSIDE_BACK_AUDIT_LEDGER · AUTHORIZATION_NOT_DEMONSTRATED · QUARANTINE_PENDING_SOURCE_AND_OWNER — never "demonstrably unsanctioned".
The four blocks remain joined only by the Integration Envelope; each is still born/checked/replaced/rolled-back separately. The single next macro remains RS3B-REGISTRAR-HARDENING-DESIGN, scope restated in §14 to include the dot-dot-register↔dot-catalog-sync dual-writer boundary, single-artifact criteria, and closed-at-registration semantics.
4. SOURCE REGISTER
Evidence-tier legend: PRIMARY_RUNTIME_READONLY (this macro's live query_pg, 2026-06-21) · PRIMARY_CODE_OR_SCRIPT · PRIMARY_CONTRACT · PRIMARY_LAWS_NEW · PRIMARY_HANDBOOK · SECONDARY_REPORT · SOURCE_NOT_READ.
4.1 Fresh PATCH1 live reads (PRIMARY_RUNTIME_READONLY, DB directus, 2026-06-21, read-only role, 0 mutations)
| # | Live read | Result (verbatim facts) | Used for | Caveat |
|---|---|---|---|---|
| PL1 | information_schema.columns approval_requests | 26 cols incl. proposed_action(jsonb), proposed_action_code(text), action(varchar), request_type_code(text), entity_type/entity_code(text), target_collection/target_entity_code(varchar), current_state/alternative_actions(jsonb), evidence(text), source_context(json), issue_signature(text), status/reviewed_by. No artifact_hash; no signature/MAC/key column | §7 binding (operation+target carried; artifact not) | issue_signature = dedup text (PL11), not crypto |
| PL2 | information_schema.columns governance_object_ownership | 20 cols: object_type, object_ref, scope, owner_kind, owner_gov_code, is_inherited_anchor, effective_from, effective_to, lifecycle_status, approval_ref, audit_ref, rollback_ref, source_law_ref, source_design_ref, supersedes_id, created_*, updated_*. No operation, no artifact_hash, no revocation_ref, no nonce, no signature | §6 authenticity, §7 binding, §8 revocation | confirms Codex C2/C3 |
| PL3 | information_schema.columns apr_action_types | 8 cols: action_code, description, handler_ref, risk_level, status, _dot_origin, created_at, retired_at. No operation/target/artifact binding columns | §7 (operation vocabulary lives here) | 14 rows / no register_dot (RS3 L3 carried) |
| PL4 | catalog scan ~* '(key\|sign\|mac\|hmac\|nonce\|idempot\|cert\|token\|secret\|credential\|attest\|trust)' | 38 hits = all views (v_*) or unrelated base tables (axis_assignment, design_templates, kg_signal_config, qt001_*). No signature/MAC/key/nonce/token/cert/credential/trust-root TABLE | §6 authenticity model decision | absence ⇒ HASH_BOUND, not signed |
| PL5 | columns of event_outbox, iu_route_attempt, registry_changelog, governance_audit_log | event_outbox(16): …actor_ref, correlation_id, payload_classification, safe_payload(jsonb), occurred_at; iu_route_attempt(13): route_code, route_kind, event_ref(uuid), idempotency_key(text), attempt_no(int), status, error_code, error_detail, payload_snapshot(jsonb), started_at, finished_at; registry_changelog(16); governance_audit_log(6) | §9 replay, §12 integration, §14 RS3B sinks | sink reuse still unproven (Codex C3) |
| PL6 | columns of qt001_independent_review_signoff, qt001_signoff_plan_binding, qt001_signal_registry | signoff(12): review_id, reviewer_type, reviewer_name, reviewed_plan_checksum, verdict, scope, valid_until, evidence_path, superseded, superseded_by, created_at, notes; binding(12): binding_id, review_id, plan_id, plan_version, plan_checksum, scope_collection, tier_intended, verdict_at_binding, evidence_path, bound_by, valid_until, superseded, bound_at; signal_registry(7): signal_key, value_kind, value_source, snapshot_column, validation_tier, active, created_at | §6 reuse precedent (hash-bound authority row + independent reviewer + supersession + validity), §10 independent observer | live precedent for the chosen authenticity model |
| PL7 | columns of wf_fs_dot_bin_snapshot, wf_fs_script_snapshot, wf_docker_container_snapshot, wf_metric_snapshot | fs/docker(15 each): source_key, object_key, object_type, path_or_ref, command, schedule, hash(text), observed_at, status, error, mapped_process_candidate, mapped_dot_code, mapped_rp_node, raw(jsonb); metric(3): id, captured_at, metrics(jsonb). No manifest_id/hash/version, no observer_credential, no run_id/attempt, no before/after pairing, no sequence | §10 snapshot manifest integrity/chronology | candidate observer only; not a provider |
| PL8 | catalog scan ~* '(manifest\|snapshot\|observ)' | 18 hits incl. base table context_pack_manifest, the 7 wf_*_snapshot, evolution_snapshots, qt001_plan_snapshot, process_component_observation, process_run_observation, manifest views | §10 manifest precedent | none proven as protected-surface manifest |
| PL9 | approval_requests group-by reviewed_by (Σ=230) | orchestrator-s142b=142, null=29, system_auto_expire=19, auto-apply-function=18, system_auto_approve=8, S178-Fix21-P3-V2=7, president=5, desktop=1, Claude Desktop S145=1 | §13 residue | identical to RS3 L10 |
| PL10 | v_authority_back_audit_ledger group-by bypass_class×disposition | scanner_apply_without_vote/applied_live_effect=18; insert_path_auto_approve = 3 applied_live_effect + 1 approved_undisposed + 4 remediated_inert (=8). Σ=26 = 18+8; NO s142b row | §13 residue (142 outside ledger) | confirms RS3 L13 |
| PL11 | pg_indexes for owner/APR/route/qt001 | iu_route_attempt_idem_uniq UNIQUE(idempotency_key, attempt_no); idx_apr_dedupe UNIQUE(request_type, target_collection, target_entity_code, issue_signature) WHERE status='pending'; uq_gov_obj_accountable UNIQUE(object_type, object_ref, scope) WHERE owner_kind='accountable' AND lifecycle_status='active'; ix_qt001_signoff_binding_ck(plan_checksum, scope_collection) WHERE NOT superseded | §9 atomic consumer, §6/§8 head resolution, §7 APR dedup | shapes proven; writer-authority not |
| PL12 | pg_get_constraintdef CHECKs | governance_object_ownership.owner_kind ∈ {accountable, supporting, delegated, exception}; lifecycle_status ∈ {active, superseded, revoked, expired}; chk_delegated_ttl (delegated ⇒ effective_to NOT NULL); approval_requests.action ∈ {add, modify, delete, review}; status ∈ {pending, approved, applied, rejected, expired}; chk_apr_target_collection (target_collection NOT NULL); apr_action_types.risk_level ∈ {low, medium, high}, status ∈ {active, deprecated, retired} | §6/§7 owner-kind vocab (Codex §7.4), §8 revocation states | proven enums; resolves "do not invent enum" |
4.2 KB design sources read this cycle
| Source | Rev / length | Read status | Evidence tier | Used for |
|---|---|---|---|---|
| Codex review RS3-BUNDLE (current gate) | rev1 / 18,133 | FULL_READ | SECONDARY_REPORT (Codex correction) | Every correction item C1–C8, §7–§11 |
| RS3-BUNDLE target | rev1 / 55,709 | FULL_READ | SECONDARY_REPORT (correction target) | Blocks A–D, envelopes, matrix K–O |
| …/specs/dot-r2-b2-staging-schema-shell.validator.py | rev2 / 14,415 | FULL_READ | PRIMARY_CODE_OR_SCRIPT | §11 validator mechanics, N07/N12/N16/N22 confirmation |
| …/specs/dot-schema-write-guards.contract.md | rev2 / 11,333 | FULL_READ | PRIMARY_CONTRACT | §10 Guard 3 caller-supplied; §11 |
| …/specs/dot-r2-b2-staging-schema-shell.contract.md | rev2 / 12,095 | FULL_READ | PRIMARY_CONTRACT | §11 gate, identifier inventory (N16) |
| …/specs/dot-r2-b2-bad-input-matrix.md | rev2 / 8,971 | FULL_READ | PRIMARY_CONTRACT | §11 existing 64-case categories + gaps |
| …/specs/dot-r2-b2-validator-test-run-v2.txt | rev1 / 10,292 | FULL_READ | PRIMARY_CONTRACT | §11 meta-assertions, gate∧Guard3 |
| …/admission/dot-r2-b2-…-birth-admission-2026-06-19.md | rev9 / 19,500 | FULL_READ | PRIMARY_CONTRACT | §14 admission identity, pair cardinality |
| Codex review RS2-PATCH1 (prior gate) | rev1 / 17,282 | FULL_READ | SECONDARY_REPORT | §4.4 five carried caveats |
| RS2-PATCH1 report | rev4 / 55,030 | FULL_READ | SECONDARY_REPORT | 5-phase model, interfaces A–F, P-REPLAY, §14 RS3B |
| laws-new/de-bai-cai-tien.md | DRAFT / 29,088 | FULL_READ | PRIMARY_LAWS_NEW | §VI LEGO; reuse-first §IV.5/6 |
| laws-new/matrix-refactor-implementation-plan.md | rev5 / 27,905 | FULL_READ | PRIMARY_LAWS_NEW | §6 retire mega-constructs; One-Roof §4.3 |
| laws-new/matrix-refactor-quick-rules.md | rev8 / 6,057 | FULL_READ | PRIMARY_LAWS_NEW | #18–23 anti-bloat / no-new-registry; #26/#32 fail-closed |
| laws-new/matrix-stamp-governance-addendum.md | rev14 / 26,474 | FULL_READ | PRIMARY_LAWS_NEW | reuse-existing-ledgers; packet_hash binding precedent |
| laws-new/newlaws/LAW_READING_INDEX.md | rev2 / 28,225 | FULL_READ | PRIMARY_LAWS_NEW | RISK-BYPASS open; Đ35 FAIL #10; PASS≠authority |
4.3 Not read this cycle (carried)
| Source | Status | Rationale |
|---|---|---|
| bin/dot/dot-dot-register.ts (registrar implementation) | SOURCE_NOT_READ | Carried Codex caveat. Out of scope for RS3-PATCH1 (registrar hardening = RS3B). read_file allowlist is /opt/incomex/{docs,dot/specs}, /var/log/nginx; bin/dot/*.ts may be outside it → recovery may need an Owner-supplied path. Must be recovered first in RS3B. |
| S142B primary authorization source (the 142) | SOURCE_NOT_READ | Not located in KB or runtime; the 142 are absent from the governed ledger (PL10). Criteria-only correction does not require it; ratification would. |
| Owner-kind/lifecycle row data | N/A (0 rows) | governance_object_ownership holds 0 rows; vocab proven from CHECK constraints (PL12), not from data. |
5. CODEX HOLD ITEM CLOSURE MAP
Status legend: CLOSED_AS_CRITERIA · FAIL_CLOSED_BY_ABSENCE · SOURCE_NOT_READ · STILL_HOLD · REJECTED_WITH_REASON.
| # | Codex item | Required correction | PATCH1 result | Evidence | Status |
|---|---|---|---|---|---|
| 1 | Hash is not a signature (C1) | Choose an explicit authenticity model; stop calling hash-only envelopes "signed" | All envelopes relabeled HASH_BOUND; authenticity model = authority-/observer-controlled immutable evidence row; "signed" forbidden unless signature/MAC fields exist (none do) | PL4 (no key/sig infra); PL6 (qt001 reuse precedent) | CLOSED_AS_CRITERIA |
| 2 | Owner row lacks operation/artifact binding (C2) | Prove transitive binding ownership → approval → exact op + canonical target + artifact hash, or fail closed | Binding chain defined; operation+target representable via approval_ref → approval_requests, but artifact_hash absent and action enum cannot hold register_dot → OWNER_BINDING_FAIL_CLOSED_UNTIL_APR_PAYLOAD_SUPPORT; never synthesize from caller | PL2, PL1, PL3, PL12 | FAIL_CLOSED_BY_ABSENCE |
| 3 | Revocation source invented (C3) | Identify the authoritative revocation fact or remove the invented field | revocation_ref removed; revocation expressed by proven lifecycle_status='revoked', expiry by 'expired'/effective_to, supersession by 'superseded'/supersedes_id | PL2 (no column), PL12 (enum proven) | CLOSED_AS_CRITERIA |
| 4 | Replay ownership unresolved (C4) | Assign nonce issuer, domain, TTL, atomic consumer, persistence, rollback/retry; validator may not claim replay prevention | State owner = registrar Phase 1; atomic consume against an idempotency surface with UNIQUE(idempotency_key, attempt_no) shape; validator pure (shape/binding/freshness only) | PL5, PL11 | CLOSED_AS_CRITERIA (writer-authority unproven) |
| 5 | N12 canonical equality (C5) | Compare canonical strings target_schema == "r2_b2_wb_" + run_id.lower(); drop regex-from-run_id | Criterion restated as canonical-equality after strict run-id validation; substring in test (live defect) replaced | validator rev2 _validate_target (substring in) | CLOSED_AS_CRITERIA |
| 6 | N16 all generated identifiers (C6) | Cover every emitted PostgreSQL identifier (schema, tables, indexes, constraints, sequences, triggers, policies, temp, teardown), UTF-8 bytes, truncation prohibition, collision | Criterion broadened to all emitted identifiers; current spec emits only schema + 7 tables but all implicitly generated identifiers (PK/seq/index/constraint names) added as required coverage | validator rev2 (no byte-len check); contract §3 (schema + 7 tables only) | CLOSED_AS_CRITERIA |
| 7 | S142B wording overclaim (C7) | Drop "demonstrably unsanctioned"; keep SOURCE_NOT_READ/quarantined | Restated to AUTHORIZATION_NOT_DEMONSTRATED · OUTSIDE_BACK_AUDIT_LEDGER · QUARANTINE_PENDING_SOURCE_AND_OWNER; "unsanctioned"/"demonstrably unsanctioned" struck | PL9, PL10 | CLOSED_AS_CRITERIA |
| 8 | RS3B scope incomplete (C8) | Add dot-dot-register↔dot-catalog-sync dual-writer boundary, single-artifact criteria, closed-at-registration | §14 restates the full RS3B mandatory sub-blocks incl. dual-writer boundary, single-artifact, closed-at-registration | RS2-PATCH1 §6.1/§6.5 | CLOSED_AS_CRITERIA |
| 9 | Snapshot manifest integrity/chronology (C8/§8) | Add manifest id/hash/version/authorization, chronology, clock-skew, anti-substitution, per-surface evidence, observer independence | §10 defines all 18 criteria; provider held SNAPSHOT_MANIFEST_SOURCE_UNPROVEN | PL7, PL8 | CLOSED_AS_CRITERIA |
| 10 | Validator adversarial matrix incomplete (§9) | Add signature/key, fabricated-payload, binding-mismatch, time, replay, supersession, manifest, cross-envelope, exhaustive-identifier, mapping/DoS cases | §11 adds categories P–X as criteria (validator stays pure; no patch, no test run) | RS3 §11 K–O baseline; validator rev2 | CLOSED_AS_CRITERIA |
| 11 | Integration matrix incomplete (§11) | Publish producer/consumer matrix with attestation semantics; bind operation+scope in snapshot too | §12 full matrix: producer/consumer/SoT/authenticity/replay-TTL/reject for all required fields; Snapshot binds operation+scope | RS3 §14; PL5/PL6 | CLOSED_AS_CRITERIA |
Carried (not items to close here): registrar implementation source SOURCE_NOT_READ; S142B primary source SOURCE_NOT_READ; NO_CODEX_LIVE_READ; audit sinks candidate-only; pair cardinality not fixed-5.
6. AUTHENTICITY MODEL CORRECTION
Root decision (forced by PL4): the substrate has no signature/MAC/key/nonce/trust-root table. Therefore — per the mission contingency (§5: "if no signature/key infrastructure, choose authority-controlled evidence row model; label HASH_BOUND_AUTHORITY_ROW, not signed") — every RS3 envelope is corrected from "signed" to HASH_BOUND, with authenticity rooted in an immutable, authority-/observer-controlled evidence row referenced by ID + row-hash, whose anti-forgery property is writer-authority + immutability + readback, not a cryptographic signature.
Two authenticity models (mission §1.1):
- Model 1 — Signature/MAC envelope: fields signature, signature_algorithm, key_id, issuer_trust_root_ref, key_status_ref, canonical_payload_version, signature_scope, signed_at, verification_rule. Not adoptable now — no key/signature infrastructure exists (PL4). Recorded only as the future upgrade path.
- Model 2 — Immutable authority-controlled evidence row: fields authority_evidence_row_ref, authority_table, row_hash, row_version, writer_authority_ref, immutability_rule, readback_rule, tamper_detection_rule. Adopted for all envelopes this cycle.
Live reuse precedent for Model 2 (PL6/PL11): the qt001 signoff family already implements the shape — qt001_independent_review_signoff binds verdict to a target by reviewed_plan_checksum, with reviewer_type/reviewer_name (independent identity), valid_until (validity), superseded/superseded_by (lifecycle), enforced by v_qt001_signoff_target_hash_guard / v_qt001_exact_signoff_binding_guard / v_qt001_signoff_identity_constraint_guard and negative-test views. qt001_signoff_plan_binding binds review_id → plan_id + plan_version + plan_checksum (exact artifact identity by checksum + version) with a WHERE NOT superseded partial index. This proves Model 2 is reusable without a new registry or crypto stack.
| Envelope | RS3 issue | Chosen authenticity model | Required fields (Model 2) | Reject if | Caveat |
|---|---|---|---|---|---|
| Owner Authority Envelope | called "signed"; only evidence_hash | HASH_BOUND_AUTHORITY_ROW | authority_evidence_row_ref = governance_object_ownership.id (+ transitively approval_requests.id); authority_table; row_hash; row_version (from updated_at/lifecycle); writer_authority_ref (the Owner-gated assign_governance_owner path / APR quorum); immutability_rule; readback_rule; tamper_detection_rule; canonical_payload_version | row absent / not active head / row_hash mismatch on readback / writer-authority not a governed Owner path / payload not canonical | writer-authority for owner rows is currently unimplemented (assign_governance_owner handler unimplemented) → resolver fail-closed |
| Snapshot Evidence Envelope | "signed"; caller-equality | HASH_BOUND_OBSERVER_ROW | observer_evidence_row_ref(s) into wf_*_snapshot; authority_table; per-surface row_hash (reuse wf_*.hash); manifest_hash; writer_authority_ref = the observer's governed read-only write identity; canonical_payload_version; tamper_detection_rule | observer not distinct / observer row not from a governed observer identity / manifest_hash mismatch / hash absent (equality-only) | observer credential independence unproven (PL7 has no credential field) → SNAPSHOT_MANIFEST_SOURCE_UNPROVEN |
| Deployed Artifact Envelope (interface F) | artifact_hash treated as trusted field | HASH_BOUND_AUTHORITY_ROW | artifact_evidence_row_ref (governed carrier — candidate wf_fs_dot_bin_snapshot.hash / governed extra_metadata); canonical_path; content_hash + hash_algorithm/canonicalization_version; origin; immutable_admission_ref; drift_state | hash mismatch vs deployed artifact / carrier absent / drift detected | dot_tools has no hash column (carried) → carrier must be designed in RS3B |
| Integration Envelope | shared fields ungoverned | HASH_BOUND (composite, references only) | canonical_payload_version; evidence_hash over canonical payload (tamper-evidence within an attempt only); source_refs to the authority/observer/artifact rows above | any referenced authority/observer/artifact row missing or hash-mismatched | the envelope hash is integrity within an attempt, not an authenticity proof; authenticity is delegated to the referenced rows |
| Validator Decision Envelope | n/a (RS3 implicit) | NOT an authenticity artifact | decision_ref; verdict; consumed_envelope_refs; canonical_input_hash | n/a | a verdict over supplied evidence; the validator is pure and asserts no authenticity of its own |
Hard rules: (1) No envelope may be called "signed" while only a hash is present. (2) A HASH_BOUND envelope's anti-forgery property is the writer-authority + immutability + readback of the referenced row, never the recomputable hash itself (a caller can recompute an unkeyed hash over fabricated content). (3) Every envelope declares canonical_payload_version. (4) The future Model-1 upgrade (signature/MAC + issuer_trust_root_ref + key_status_ref) is the only path to "signed" and is out of scope until key infrastructure exists.
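To make Hard rule (2) and the Model 2 readback concrete, here is an added illustration (not code from this report, the substrate, or the qt001 family) showing why a recomputable evidence_hash is only tamper-evidence and what the HASH_BOUND_AUTHORITY_ROW readback check adds. The in-memory authority table, its row field names, the GOVERNED_WRITERS allow-list and the reject codes are assumptions of the example.

```python
import hashlib
import json

CANONICAL_PAYLOAD_VERSION = "v1"                 # every envelope declares this (Hard rule 3)
GOVERNED_WRITERS = {"assign_governance_owner"}   # assumed allow-list of governed writer paths


def canonical_bytes(payload):
    # One canonicalization shared by producer and consumer: sorted keys, no whitespace.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def evidence_hash(payload):
    return hashlib.sha256(canonical_bytes(payload)).hexdigest()


def build_envelope(payload, row_ref, table="governance_object_ownership"):
    return {"canonical_payload_version": CANONICAL_PAYLOAD_VERSION, "payload": payload,
            "evidence_hash": evidence_hash(payload),
            "authority_evidence_row_ref": row_ref, "authority_table": table}


def check_hash_only(envelope):
    """The check RS3 implicitly relied on when it said "signed": recompute the unkeyed
    hash. Whoever holds the payload can satisfy it, so it proves only that the
    envelope was not altered after its hash was computed (Hard rule 2)."""
    return envelope["evidence_hash"] == evidence_hash(envelope["payload"])


def check_hash_bound_authority_row(envelope, readback):
    """HASH_BOUND_AUTHORITY_ROW (Model 2): authenticity comes from reading the
    referenced immutable row back from the authority table and comparing its
    writer authority, lifecycle and bound content with the envelope.
    readback(table, ref) returns the stored row or None (assumed interface)."""
    if envelope.get("canonical_payload_version") != CANONICAL_PAYLOAD_VERSION:
        return "REJECT_PAYLOAD_NOT_CANONICAL"
    if not check_hash_only(envelope):
        return "REJECT_EVIDENCE_HASH_MISMATCH"
    row = readback(envelope["authority_table"], envelope["authority_evidence_row_ref"])
    if row is None:
        return "REJECT_AUTHORITY_ROW_ABSENT"
    if row["writer_authority_ref"] not in GOVERNED_WRITERS:
        return "REJECT_WRITER_NOT_GOVERNED"
    if row["lifecycle_status"] != "active":
        return "REJECT_AUTHORITY_ROW_NOT_ACTIVE"
    if evidence_hash(row["bound_payload"]) != envelope["evidence_hash"]:
        return "REJECT_ROW_HASH_MISMATCH"     # the envelope claims what the row never bound
    return "ACCEPT_HASH_BOUND"


# Constructed stand-in for read-only readback of an immutable authority table.
# The consumer never writes to it; only a governed writer path would.
_BOUND = {"object_type": "dot", "object_ref": "dot-r2-b2", "scope": "global",
          "owner_gov_code": "GOV-OWNER-1"}
AUTHORITY_ROWS = {
    ("governance_object_ownership", 1): {"bound_payload": _BOUND, "lifecycle_status": "active",
                                         "writer_authority_ref": "assign_governance_owner"},
    ("governance_object_ownership", 2): {"bound_payload": _BOUND, "lifecycle_status": "revoked",
                                         "writer_authority_ref": "assign_governance_owner"},
}


def readback(table, ref):
    return AUTHORITY_ROWS.get((table, ref))


def demo():
    """Run four envelopes through both checks. The fabricated payload carries a
    freshly recomputed hash, so the hash-only check accepts it; only readback
    against the authority row rejects it."""
    cases = {
        "legit": build_envelope(_BOUND, 1),
        "forged_payload": build_envelope({**_BOUND, "scope": "prod"}, 1),
        "dangling_ref": build_envelope(_BOUND, 99),
        "revoked_row": build_envelope(_BOUND, 2),
    }
    return {name: (check_hash_only(env), check_hash_bound_authority_row(env, readback))
            for name, env in cases.items()}
```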
7. OWNER/APR OPERATION-TARGET-ARTIFACT BINDING
Codex C2 demand: prove ownership_row_ref → approval_ref/quorum artifact → exact operation + canonical target + artifact hash (or immutable admission/deployment ref), or fail closed; never synthesize from caller input.
Live findings (PL1/PL2/PL3/PL11/PL12):
- governance_object_ownership binds operation? NO — no operation column. artifact_hash? NO — no such column. It binds only object (object_type + object_ref), scope, owner (owner_kind + owner_gov_code), validity (effective_from/effective_to), lifecycle_status, approval_ref, audit_ref, rollback_ref, supersedes_id.
- approval_requests can carry operation via proposed_action_code (text) / request_type_code (text) / action (varchar) and target via entity_type + entity_code / target_collection + target_entity_code (chk_apr_target_collection: target_collection NOT NULL). But the constrained action enum is {add, modify, delete, review} (PL12) — register_dot cannot be the action; it could only appear in free-text proposed_action_code, which is caller-proposed, not attested.
- No artifact_hash column exists anywhere in the ownership→APR path. proposed_action (jsonb) is a caller proposal, not an attested deployed-artifact identity.
- There is no register_dot action type (PL3: 14 rows, none), and assign_governance_owner (the write that would create an owner row) is handler_ref='unimplemented'.
Answers to the mission's 10 binding questions: (1) ownership binds operation = No; (2) binds artifact_hash = No; (3) APR carries operation/target = Yes (operation via free-text proposed_action_code; target via entity_*/target_*), artifact hash = No; (4) fields: proposed_action_code/action/request_type_code (operation), entity_type+entity_code/target_collection+target_entity_code (target); (5) if not supported → resolver rejects (REJECT_OPERATION_BINDING_UNATTESTED / REJECT_ARTIFACT_BINDING_ABSENT); (6) artifact bindable via immutable admission/deployment ref = only through interface F (attested), not the caller's proposed_action; (7) canonical operation register_dot lives, when it exists, in a governed implemented apr_action_types.action_code (today absent); (8) canonical target = governance_object_ownership.object_type+object_ref, cross-checked to approval_requests.entity_type+entity_code; (9) scope normalization = governance_object_ownership.scope cross-checked to APR scope (canonical lowercase, trimmed); (10) if binding unavailable → status OWNER_BINDING_FAIL_CLOSED_UNTIL_APR_PAYLOAD_SUPPORT.
Binding chain criteria (fail-closed):
| Binding link | Required proof | Existing source | Status | Reject condition |
|---|---|---|---|---|
| ownership row → active head | exactly one active accountable row for (object_type, object_ref, scope) | uq_gov_obj_accountable UNIQUE WHERE owner_kind='accountable' AND lifecycle_status='active' (PL11) | READY (proven head) | 0 rows (live default) / >1 (prevented) / not active |
| ownership row → approval_ref | approval_ref resolves to an approval_requests.code | governance_object_ownership.approval_ref → approval_requests.code (UNIQUE, PL11) | READY (as criteria) | approval_ref null / not found |
| approval → exact operation | APR encodes operation = register_dot in a governed field | apr_action_types has no register_dot; action enum excludes it; only free-text proposed_action_code | FAIL_CLOSED | operation not a governed implemented action code |
| approval → canonical target | APR entity_type+entity_code (or target_collection+target_entity_code) == ownership target | approval_requests (PL1) | READY (as criteria) | target disagreement |
| approval → artifact hash / immutable admission ref | APR carries an attested artifact reference | none (no artifact_hash column; proposed_action is caller-proposed) | FAIL_CLOSED | artifact binding absent/unattested → must come from interface F |
| APR votes → quorum | apr_approvals + quorum_passed() fail-closed | RS2 live: quorum_passed fail-closed; NULL-map must not pass | READY (as criteria) | quorum unproven / NULL-map pass |
| owner row lifecycle → active | lifecycle_status='active' | PL12 enum | READY | superseded/revoked/expired/draft |
| supersession chain → current head | head via uq_gov_obj_accountable; supersedes_id consistency | PL2/PL11 | READY (see §8) | cycle/missing/inactive/ambiguous head |
Conclusion: OWNER_BINDING_FAIL_CLOSED_UNTIL_APR_PAYLOAD_SUPPORT. The resolver is designable now and provably rejects today, on three independent single-sufficient grounds: (a) 0 owner rows; (b) no governed register_dot operation; (c) no attested artifact binding. No operation or artifact value may ever be synthesized from caller input. The path to OWNER_BINDING_READY_AS_CRITERIA requires, upstream and Owner-gated: a governed implemented register_dot action type, an attested artifact reference in the APR payload (or an immutable admission/deployment ref via interface F), and at least one active accountable owner row.
8. REVOCATION AND SUPERSESSION SEMANTICS
Codex C3 demand: revocation_ref is invented (no such column); use only proven lifecycle/supersession fields, or identify the authoritative revocation fact.
Live findings (PL2/PL11/PL12): there is no revocation_ref column. But lifecycle_status is a proven CHECK enum {active, superseded, revoked, expired} — so revocation is a proven, first-class lifecycle value, not a missing source. Supersession is carried by supersedes_id (bigint self-ref) and the active-head partial unique index. Delegated owners must have a TTL (chk_delegated_ttl: owner_kind='delegated' ⇒ effective_to NOT NULL).
Correction: remove revocation_ref from the required envelope. Express lifecycle from proven fields only:
| State | Source field (proven) | Rule | Reject condition |
|---|---|---|---|
| active | lifecycle_status='active' + now ∈ [effective_from, effective_to] | the only state that may issue an envelope; head via uq_gov_obj_accountable | not active |
| expired | lifecycle_status='expired' OR now > effective_to | reject; delegated owners always have effective_to (chk_delegated_ttl) | present ⇒ reject |
| revoked | lifecycle_status='revoked' | authoritative revocation fact (no separate ref) | present ⇒ reject |
| superseded | lifecycle_status='superseded' and/or pointed to by another row's supersedes_id | only the current head is valid | resolving a superseded row ⇒ reject |
| cycle | supersedes_id chain forms a loop | detect before walking | cycle ⇒ reject |
| missing head | supersedes_id references a non-existent id | head must exist and be active | missing ⇒ reject |
| inactive head | head's lifecycle_status ≠ 'active' | head must be active | inactive ⇒ reject |
| ambiguous head | >1 active accountable row for the key | prevented by uq_gov_obj_accountable; resolver still asserts exactly one | >1 ⇒ reject |
| unknown source | a lifecycle value outside the proven enum | enum is CHECK-bound to 4 values | impossible by constraint; defensive reject |
Supersession-chain resolution rule: resolve the active accountable head for (object_type, object_ref, scope) directly via uq_gov_obj_accountable (single-row guarantee), then verify the supersedes_id chain from that head is acyclic and terminates; reject on cycle / missing / inactive / ambiguous. The qt001 precedent (superseded/superseded_by, WHERE NOT superseded partial index, PL6/PL11) corroborates this head-by-non-superseded pattern. No revocation is ever inferred from audit_ref (Codex: "audit_ref is not automatically a revocation reference").
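The head-first, fail-closed resolution rule above, as an added example (not the report's or the project's code): the rows are constructed in memory with the proven governance_object_ownership fields the report names (owner_kind, lifecycle_status, supersedes_id, effective_from/effective_to, the uq_gov_obj_accountable key), and the REJECT_* codes and the `requested_row_id` parameter are assumptions of this example.

```python
"""Added example (not the report's or the project's code): the §8 supersession and
lifecycle rule as a fail-closed resolver over governance_object_ownership-shaped rows.
The REJECT_* codes and the in-memory sample rows are assumptions of this example."""
from datetime import datetime, timezone

PROVEN_LIFECYCLE = frozenset({"active", "superseded", "revoked", "expired"})  # CHECK-bound enum (PL12)


def _norm_scope(scope):
    """§7 (9): scope normalization is canonical lowercase, trimmed."""
    return (scope or "").strip().lower()


def resolve_owner_head(rows, object_type, object_ref, scope, now, requested_row_id=None):
    """Return ("OK", head_row) or ("REJECT_<reason>", None).  Every unexpected shape is a
    reject; nothing is ever synthesized from caller input."""
    by_id = {}
    for r in rows:
        if r.get("lifecycle_status") not in PROVEN_LIFECYCLE:
            return "REJECT_UNKNOWN_LIFECYCLE_VALUE", None        # impossible by CHECK; defensive
        by_id[r["id"]] = r
    # Head selection mirrors uq_gov_obj_accountable: accountable + active for the key.
    heads = [r for r in by_id.values()
             if (r["object_type"], r["object_ref"]) == (object_type, object_ref)
             and _norm_scope(r.get("scope")) == _norm_scope(scope)
             and r["owner_kind"] == "accountable" and r["lifecycle_status"] == "active"]
    if not heads:
        return "REJECT_NO_ACTIVE_HEAD", None                    # 0 rows is today's live default
    if len(heads) > 1:
        return "REJECT_AMBIGUOUS_HEAD", None                    # prevented by the index; asserted anyway
    head = heads[0]
    if head.get("effective_from") is not None and now < head["effective_from"]:
        return "REJECT_HEAD_NOT_YET_EFFECTIVE", None
    if head.get("effective_to") is not None and now > head["effective_to"]:
        return "REJECT_HEAD_EXPIRED", None                      # window expired even though status is active
    if requested_row_id is not None and requested_row_id != head["id"]:
        # The envelope pointed at a row that is not the current head (superseded/revoked/expired/missing).
        ref = by_id.get(requested_row_id)
        state = ref["lifecycle_status"] if ref else "missing"
        return "REJECT_NOT_CURRENT_HEAD_" + state.upper(), None
    # Walk supersedes_id from the head: the chain must be acyclic and end at an existing row.
    seen, cur = set(), head
    while True:
        if cur["id"] in seen:
            return "REJECT_SUPERSESSION_CYCLE", None
        seen.add(cur["id"])
        prev_id = cur.get("supersedes_id")
        if prev_id is None:
            return "OK", head
        if prev_id not in by_id:
            return "REJECT_SUPERSESSION_MISSING", None
        cur = by_id[prev_id]


NOW = datetime(2026, 6, 21, tzinfo=timezone.utc)
_T0 = datetime(2026, 1, 1, tzinfo=timezone.utc)


def _row(rid, ref, status, supersedes=None, effective_to=None, kind="accountable"):
    """Constructed sample row; object_type and scope are fixed for brevity."""
    return {"id": rid, "object_type": "dot", "object_ref": ref, "scope": "prod", "owner_kind": kind,
            "lifecycle_status": status, "supersedes_id": supersedes,
            "effective_from": _T0, "effective_to": effective_to}


SAMPLE_ROWS = [                                          # constructed, not live data
    _row(1, "dot-x", "superseded"),                      # predecessor
    _row(2, "dot-x", "active", supersedes=1),            # current head, clean chain
    _row(3, "dot-y", "revoked"),                         # revocation is the lifecycle value itself
    _row(10, "dot-z", "active", supersedes=11),
    _row(11, "dot-z", "superseded", supersedes=10),      # supersession loop
    _row(20, "dot-m", "active", supersedes=99),          # dangling predecessor
    _row(30, "dot-e", "active", effective_to=datetime(2026, 3, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for ref in ("dot-x", "dot-y", "dot-z", "dot-m", "dot-e"):
        print(ref, resolve_owner_head(SAMPLE_ROWS, "dot", ref, " PROD ", NOW)[0])
```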
9. REPLAY / NONCE STATE OWNERSHIP
Codex C4 demand: a pure validator cannot know a nonce was consumed; assign issuer, domain, TTL, atomic consumer, persistence, rollback/retry behavior; validator may check shape/binding/freshness/authenticity only.
Live findings (PL5/PL11): no nonce table exists, but iu_route_attempt has idempotency_key (text) + attempt_no (int) with UNIQUE(idempotency_key, attempt_no) — a real atomic idempotency/replay-consume surface shape. event_outbox carries correlation_id (no uniqueness). Idempotency-guard views (v_birth_register_idempotency_guard, v_system_issue_idempotency_guard) exist as patterns.
Assignment (mission §1.4 / §3.6):
| Nonce concern | Rule | State owner / consumer | Rollback / retry | Reject condition |
|---|---|---|---|---|
| issuer | per-attempt nonce minted by the registration request producer (the resolver/registrar entry), not the validator | producer | new nonce per logical attempt | nonce absent/malformed shape |
| uniqueness domain | (operation, canonical_target, run_id, attempt) | — | — | nonce reused within domain |
| TTL / freshness | envelope issued_at/expires_at window; reject stale | validator checks freshness | re-issue on retry | now > expires_at / future issued_at |
| atomic consumer | INSERT into an idempotency surface with UNIQUE(idempotency_key, attempt_no) inside the Phase-1 transaction; second use violates the unique → reject | registrar Phase 1 | — | duplicate key ⇒ reject (replay) |
| persistence / retention | the attempt row persists in the idempotency ledger | registrar / ledger | retained across retries | — |
| rollback behavior | if Phase-1 txn rolls back, the in-txn nonce-consume row rolls back too (so a legitimate retry can re-consume) | registrar | retry uses a new attempt_no | — |
| durable failure record | the failed attempt is recorded outside the rolled-back txn (e.g. event_outbox/iu_route_attempt post-rollback writer) | Phase 4 writer | survives rollback | audit lost on rollback ⇒ fail (P-FAILAUDIT) |
| shape / freshness / binding / authenticity-ref | checked by the pure validator (interface E) | validator | — | malformed/stale/unbound/missing authority-ref |
| replay rejection | happens at the registrar atomic boundary (true replay) AND at the validator (shape/freshness) | registrar + validator | — | — |
Validator boundary (kept pure): the validator checks nonce shape, binding (to operation/target/run_id/attempt), freshness, and presence of the authority/observer evidence refs. It cannot and does not claim replay prevention by itself.
Status: REPLAY_STATE_OWNER_ASSIGNED (registrar Phase 1) · SURFACE_SHAPE_PROVEN (UNIQUE(idempotency_key, attempt_no) exists) · WRITER_AUTHORITY_AND_DOMAIN_FIT_UNPROVEN (the registrar's authority to write iu_route_attempt, and whether the IU-routing domain is the right home vs. a dedicated registration-attempt surface, are unproven — to be settled in RS3B durable-sink selection). This is not REPLAY_STATE_OWNER_UNPROVEN (a state owner is assigned and a uniqueness-backed surface shape does exist), but it stops short of claiming a proven, authorized consumer.
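The atomic-consume, rollback and retry behaviour assigned above, as an added example (not the report's or the project's code): an in-memory SQLite table carries the proven iu_route_attempt shape UNIQUE(idempotency_key, attempt_no); the table names, the key encoding of the uniqueness domain, and the separate failure ledger are assumptions of this example.

```python
"""Added example (not the report's or the project's code): the §9 replay/nonce consume at
the registrar's atomic boundary, modelled on an iu_route_attempt-shaped surface.  Table
names, the key encoding and the failure ledger are assumptions of this example."""
import sqlite3

SCHEMA = """
CREATE TABLE registration_attempt (          -- assumed name; iu_route_attempt-shaped surface
    idempotency_key TEXT    NOT NULL,
    attempt_no      INTEGER NOT NULL,
    UNIQUE (idempotency_key, attempt_no)     -- the atomic consume: a second INSERT fails
);
CREATE TABLE failure_ledger (                -- assumed durable sink written outside the Phase-1 txn
    idempotency_key TEXT    NOT NULL,
    attempt_no      INTEGER NOT NULL,
    reason          TEXT    NOT NULL
);
"""


def nonce_key(operation, canonical_target, run_id):
    """§9 uniqueness domain is (operation, canonical_target, run_id, attempt): the first
    three form the key column, attempt_no is the fourth column of the UNIQUE."""
    return f"{operation}|{canonical_target}|{run_id}"


class Registrar:
    def __init__(self):
        # isolation_level=None: no implicit transactions; BEGIN/COMMIT/ROLLBACK are explicit.
        self.db = sqlite3.connect(":memory:", isolation_level=None)
        self.db.executescript(SCHEMA)

    def phase1(self, operation, canonical_target, run_id, attempt_no, work):
        """Consume the nonce and run the Phase-1 work in ONE transaction."""
        key = nonce_key(operation, canonical_target, run_id)
        if self._rolled_back_before(key, attempt_no):
            # S02: a retry after rollback must mint a new attempt_no, even though the
            # rolled-back consume row no longer blocks the INSERT.
            self._record_failure(key, attempt_no, "REPLAY_ATTEMPT_REUSE")
            return "REPLAY_ATTEMPT_REUSE"
        self.db.execute("BEGIN IMMEDIATE")
        try:
            self.db.execute("INSERT INTO registration_attempt VALUES (?, ?)", (key, attempt_no))
        except sqlite3.IntegrityError:
            # True replay (S01): this (key, attempt_no) was consumed by a committed attempt.
            self.db.execute("ROLLBACK")
            self._record_failure(key, attempt_no, "REPLAY_NONCE_CONSUMED")
            return "REPLAY_NONCE_CONSUMED"
        try:
            work(self.db)
            self.db.execute("COMMIT")
            return "OK"
        except Exception as exc:
            # The consume row rolls back with the txn; the failure itself must survive (P-FAILAUDIT).
            self.db.execute("ROLLBACK")
            self._record_failure(key, attempt_no, f"PHASE1_ROLLBACK:{type(exc).__name__}")
            return "PHASE1_ROLLBACK"

    def _record_failure(self, key, attempt_no, reason):
        # Autocommit write after ROLLBACK: not part of the rolled-back transaction.
        self.db.execute("INSERT INTO failure_ledger VALUES (?, ?, ?)", (key, attempt_no, reason))

    def _rolled_back_before(self, key, attempt_no):
        row = self.db.execute(
            "SELECT 1 FROM failure_ledger WHERE idempotency_key = ? AND attempt_no = ? "
            "AND reason LIKE 'PHASE1_ROLLBACK%'", (key, attempt_no)).fetchone()
        return row is not None

    def consumed(self, operation, canonical_target, run_id):
        key = nonce_key(operation, canonical_target, run_id)
        rows = self.db.execute("SELECT attempt_no FROM registration_attempt "
                               "WHERE idempotency_key = ? ORDER BY attempt_no", (key,)).fetchall()
        return [r[0] for r in rows]

    def failures(self):
        return self.db.execute("SELECT attempt_no, reason FROM failure_ledger ORDER BY rowid").fetchall()


def _work_ok(db):
    pass                                                    # stand-in for the Phase-1 registration writes


def _work_fail(db):
    raise RuntimeError("constructed Phase-1 failure")


def run_scenario():
    """Constructed sequence: commit, replay, rollback, attempt reuse, retry with a new attempt_no."""
    r = Registrar()
    args = ("register_dot", "dot:dot-x", "run_2026a")
    results = [
        r.phase1(*args, 1, _work_ok),     # OK: consumes attempt 1
        r.phase1(*args, 1, _work_ok),     # REPLAY_NONCE_CONSUMED: unique violation
        r.phase1(*args, 2, _work_fail),   # PHASE1_ROLLBACK: consume row rolled back
        r.phase1(*args, 2, _work_ok),     # REPLAY_ATTEMPT_REUSE: same attempt_no after rollback
        r.phase1(*args, 3, _work_ok),     # OK: legitimate retry with a new attempt_no
    ]
    return results, r.consumed(*args), r.failures()


if __name__ == "__main__":
    print(run_scenario())
```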
10. SNAPSHOT MANIFEST INTEGRITY AND CHRONOLOGY
Codex §8 demand: add manifest identity/hash/version/authorization, anti-shrink, chronology (before precedes operation, after follows it, same attempt), clock-skew, monotonic sequence, duplicate/future/reversed rejection, per-surface evidence/Merkle, unknown-surface rejection, operation+scope binding, observer credential/process independence.
Live findings (PL7/PL8): the wf_*_snapshot family carries per-object hash + observed_at (good per-surface evidence primitive), but no manifest id/hash/version, no observer credential, no run/attempt binding, no before/after pairing, no monotonic sequence. A base manifest table (context_pack_manifest) exists as a precedent shape but is not a protected-surface manifest. Guard 3 today is caller-supplied equality with no observer/hash (N07 snapshot leg).
| # | Criterion | Rule | Evidence | Reject condition |
|---|---|---|---|---|
| MF-01 | manifest identity | manifest has a stable manifest_id | context_pack_manifest precedent (PL8) | id absent |
| MF-02 | manifest hash | manifest_hash over the canonicalized protected-surface list | reuse wf_*.hash discipline (PL7) | hash absent/mismatch |
| MF-03 | manifest version | declared manifest_version | — | absent/unknown |
| MF-04 | manifest authorization | manifest issued by a governed authority (anti-shrink: caller cannot define/reduce the protected set) | Model-2 authority row (§6) | manifest from caller / unauthorized |
| MF-05 | anti manifest-shrink | the after-manifest must equal the before-manifest set (no surface dropped) | set-equality of manifest_hash | shrink/substitution |
| MF-06 | protected-surface canonicalization | surfaces enumerated and canonically ordered (the 11 verify-surfaces + write-set-empty set) | guards contract REQUIRED_VERIFY_SURFACES | non-canonical / unbounded |
| MF-07 | before precedes operation | captured_at_before < operation_start | wf_*.observed_at | before ≥ operation_start |
| MF-08 | after follows operation | captured_at_after > operation_end | wf_*.observed_at | after ≤ operation_end |
| MF-09 | same-attempt binding | both captures bound to the same run_id + attempt_id | (no field today) | attempt mismatch |
| MF-10 | clock-skew policy | bounded max skew between observer clock and registration clock | — | skew beyond bound |
| MF-11 | monotonic sequence | snapshot sequence strictly increasing per attempt | (no field today) | non-monotonic / duplicate sequence |
| MF-12 | duplicate snapshot rejection | a snapshot ref may be used once per (attempt, phase) | — | duplicate ref |
| MF-13 | future timestamp rejection | captured_at_* ≤ now + skew | wf_*.observed_at | future timestamp |
| MF-14 | reversed interval rejection | captured_at_before < captured_at_after | wf_*.observed_at | reversed |
| MF-15 | per-surface evidence / aggregate | per-surface hash plus a deterministic Merkle/canonical aggregate that identifies which surface drifted | wf_*.hash (PL7) | drift without surface identification |
| MF-16 | unknown surface rejection | any surface not in the authorized manifest ⇒ reject | MF-06 | unknown surface present |
| MF-17 | operation + scope binding | the snapshot binds operation and scope (Codex §11), not only target/hash/run | — | operation/scope unbound |
| MF-18 | observer credential/process independence | observer is a governed read-only identity distinct from caller/registrar/DOT — proven by credential/process, not a different string id | (no credential field today, PL7) | observer not provably independent |
Status: SNAPSHOT_MANIFEST_SOURCE_UNPROVEN. The wf_*_snapshot family is a reuse candidate for per-surface observer evidence (it has the hash + observed_at primitives), but it does not today provide manifest integrity, chronology, attempt-binding, sequence, or proven observer-credential independence. The provider is not a trusted provider; the manifest carrier and the observer-credential proof must be designed (RS3B / a snapshot-observer macro). wf_fs_dot_bin_snapshot is not overclaimed as a provider.
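The MF criteria above as a pure before/after pair check, added here as an example (not the report's or the project's code): the manifest field names, the reject codes, and the protected-surface list standing in for REQUIRED_VERIFY_SURFACES are assumptions of this example; the live wf_*_snapshot family has only the per-object hash + observed_at primitives, not this manifest shape.

```python
"""Added example (not the report's or the project's code): the §10 manifest integrity and
chronology criteria (MF-02, MF-04/05/06, MF-07/08/09, MF-11, MF-13/14/15/16) as a pure
check over a before/after snapshot pair.  Field names, reject codes and the surface list
are assumptions of this example."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the guards-contract REQUIRED_VERIFY_SURFACES set (MF-06).
AUTHORIZED_SURFACES = frozenset({"dot_tools", "dot_config", "governance_object_ownership"})
REQUIRED_FIELDS = ("manifest_id", "manifest_version", "run_id", "attempt_id",
                   "sequence", "captured_at", "surfaces", "manifest_hash")


def manifest_hash(surfaces):
    """MF-02: hash over the canonically ordered (surface, per-surface hash) list."""
    canon = json.dumps(sorted(surfaces.items()), separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def make_manifest(run_id, attempt_id, sequence, captured_at, surfaces):
    m = {"manifest_id": f"mf-{run_id}-{attempt_id}-{sequence}", "manifest_version": 1,
         "run_id": run_id, "attempt_id": attempt_id, "sequence": sequence,
         "captured_at": captured_at, "surfaces": dict(surfaces)}
    m["manifest_hash"] = manifest_hash(m["surfaces"])
    return m


def _check_one(m, authorized, now, max_skew, rejects):
    for f in REQUIRED_FIELDS:
        if f not in m:
            rejects.append(f"MANIFEST_FIELD_ABSENT:{f}")            # MF-01/02/03/09/11
            return
    names = set(m["surfaces"])
    if names - authorized:
        rejects.append("MANIFEST_UNKNOWN_SURFACE")                   # MF-16
    if authorized - names:
        rejects.append("MANIFEST_SHRINK")                            # MF-04/05: caller cannot reduce the set
    if m["manifest_hash"] != manifest_hash(m["surfaces"]):
        rejects.append("MANIFEST_HASH_MISMATCH")                     # MF-02
    if m["captured_at"] > now + max_skew:
        rejects.append("SNAPSHOT_FUTURE_TIMESTAMP")                  # MF-13 within the MF-10 skew bound


def check_snapshot_pair(before, after, op_start, op_end, now,
                        authorized=AUTHORIZED_SURFACES, max_skew=timedelta(seconds=30)):
    """Returns (rejects, drifted_surfaces); an empty rejects list means the pair is accepted."""
    rejects, drifted = [], []
    _check_one(before, authorized, now, max_skew, rejects)
    _check_one(after, authorized, now, max_skew, rejects)
    if rejects:
        return rejects, drifted                                      # fail closed before pair logic
    if (before["run_id"], before["attempt_id"]) != (after["run_id"], after["attempt_id"]):
        rejects.append("SNAPSHOT_ATTEMPT_MISMATCH")                  # MF-09
    if not before["sequence"] < after["sequence"]:
        rejects.append("SNAPSHOT_SEQUENCE_NONMONOTONIC")             # MF-11
    if not before["captured_at"] < after["captured_at"]:
        rejects.append("SNAPSHOT_REVERSED_INTERVAL")                 # MF-14
    if not before["captured_at"] < op_start:
        rejects.append("SNAPSHOT_BEFORE_NOT_BEFORE_OP")              # MF-07
    if not after["captured_at"] > op_end:
        rejects.append("SNAPSHOT_AFTER_NOT_AFTER_OP")                # MF-08
    if set(before["surfaces"]) != set(after["surfaces"]):
        rejects.append("MANIFEST_SET_CHANGED")                       # MF-05
    # MF-15: name the surface that drifted, never just "aggregate differs".
    drifted = sorted(s for s in before["surfaces"]
                     if s in after["surfaces"] and before["surfaces"][s] != after["surfaces"][s])
    if drifted:
        rejects.append("PROTECTED_SURFACE_DRIFT")
    return rejects, drifted


def _t(hour, minute):
    return datetime(2026, 6, 21, hour, minute, tzinfo=timezone.utc)


OP_START, OP_END, NOW = _t(10, 0), _t(10, 5), _t(10, 10)        # constructed attempt timeline
_BASE = {"dot_tools": "aa11", "dot_config": "bb22", "governance_object_ownership": "cc33"}


def demo():
    """Constructed pairs: clean, drifted surface, shrunk manifest, reversed interval."""
    before = make_manifest("run_2026a", "att-1", 1, _t(9, 59), _BASE)
    clean = make_manifest("run_2026a", "att-1", 2, _t(10, 6), _BASE)
    drifted = make_manifest("run_2026a", "att-1", 2, _t(10, 6), {**_BASE, "dot_config": "dd44"})
    shrunk = make_manifest("run_2026a", "att-1", 2, _t(10, 6), {"dot_tools": "aa11"})
    reversed_ = make_manifest("run_2026a", "att-1", 2, _t(9, 58), _BASE)
    return {
        "clean": check_snapshot_pair(before, clean, OP_START, OP_END, NOW),
        "drift": check_snapshot_pair(before, drifted, OP_START, OP_END, NOW),
        "shrink": check_snapshot_pair(before, shrunk, OP_START, OP_END, NOW),
        "reversed": check_snapshot_pair(before, reversed_, OP_START, OP_END, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```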
11. VALIDATOR ADVERSARIAL MATRIX PATCH
Criteria only — no validator patch, no test run in this macro. The validator stays pure (import re only; no DB/network/exec). Confirmed live defects (validator rev2): N22 (req.get(...) with no isinstance(req, Mapping) guard), N12 (substring token not in raw.lower(), not canonical equality), N16 (no byte-length check anywhere), N07 owner leg (owner_authorization_ref non-empty check only), N07 snapshot leg (Guard 3 caller-supplied equality, no observer/hash). Meta-rule M-EXT (retained): any case below that yields a write-intent string or PASS digest ⇒ FAIL_OPEN ⇒ the discovering macro must REJECT_FAIL_OPEN.
Extends the existing 64 cases (A/B/S) and RS3's K–O with new categories P–X:
| Case | Category | Bad input | Expected reject | Why |
|---|---|---|---|---|
| P01 | Authenticity | envelope lacks signature/MAC but is presented as "signed" | AUTHENTICITY_MODEL_MISLABELED | hash ≠ signature (C1) |
| P02 | Authenticity | unknown/absent authority_evidence_row_ref | AUTHORITY_ROW_ABSENT | Model-2 root missing |
| P03 | Authenticity | row_hash mismatch on readback | AUTHORITY_ROW_TAMPER | recomputed hash over altered row |
| P04 | Authenticity | valid hash over a fabricated payload | AUTHORITY_ROW_NOT_GOVERNED | unkeyed hash proves nothing without writer-authority |
| P05 | Authenticity | unsupported canonicalization_version | UNSUPPORTED_CANONICALIZATION | version must be known |
| P06 | Authenticity | (future Model-1) unknown/revoked key_id | UNKNOWN_OR_REVOKED_KEY | reserved for signature model |
| Q01 | Binding | ownership row valid but APR bound to another target | BINDING_TARGET_MISMATCH | C2 |
| Q02 | Binding | APR bound to another operation | BINDING_OPERATION_MISMATCH | C2 |
| Q03 | Binding | APR bound to another artifact hash | BINDING_ARTIFACT_MISMATCH | C2 |
| Q04 | Binding | operation present only in caller-proposed free text | OPERATION_UNATTESTED | no synthesize-from-caller |
| Q05 | Binding | artifact reference absent / not attested | ARTIFACT_BINDING_ABSENT | interface F required |
| R01 | Time | future issued_at | ENVELOPE_FUTURE_ISSUED | clock policy |
| R02 | Time | expires_at < issued_at | ENVELOPE_REVERSED_VALIDITY | clock policy |
| R03 | Time | excessive clock skew | ENVELOPE_CLOCK_SKEW | skew bound |
| R04 | Time | stale (now > expires_at) | ENVELOPE_STALE | freshness |
| S01 | Replay | nonce reused at registrar atomic boundary | REPLAY_NONCE_CONSUMED | unique-key violation at consume |
| S02 | Replay | retry after rollback with same attempt_no | REPLAY_ATTEMPT_REUSE | retry must use new attempt_no |
| S03 | Replay | nonce shape malformed | NONCE_MALFORMED | validator shape check |
| S04 | Replay | nonce unbound to operation/target/run_id | NONCE_UNBOUND | binding check |
| T01 | Supersession | supersession cycle | SUPERSESSION_CYCLE | §8 |
| T02 | Supersession | missing chain head | SUPERSESSION_MISSING_HEAD | §8 |
| T03 | Supersession | inactive/expired head | SUPERSESSION_HEAD_NOT_ACTIVE | §8 |
| T04 | Supersession | ambiguous head (>1 active) | SUPERSESSION_AMBIGUOUS_HEAD | §8 |
| U01 | Manifest | manifest substitution | MANIFEST_SUBSTITUTION | MF-04/05 |
| U02 | Manifest | manifest shrink (surface dropped) | MANIFEST_SHRINK | MF-05 |
| U03 | Manifest | duplicate surface | MANIFEST_DUPLICATE_SURFACE | MF-12 |
| U04 | Manifest | unknown surface | MANIFEST_UNKNOWN_SURFACE | MF-16 |
| U05 | Manifest | mixed canonicalization | MANIFEST_MIXED_CANONICALIZATION | MF-06 |
| U06 | Chronology | after-capture earlier than before-capture | SNAPSHOT_REVERSED_INTERVAL | MF-14 |
| U07 | Chronology | both snapshots captured before execution | SNAPSHOT_BOTH_BEFORE_OP | MF-07/08 |
| U08 | Chronology | non-monotonic sequence | SNAPSHOT_SEQUENCE_NONMONOTONIC | MF-11 |
| V01 | Cross-envelope | scope mismatch across envelopes | CROSS_ENVELOPE_SCOPE_MISMATCH | §12 |
| V02 | Cross-envelope | actor/principal mismatch | CROSS_ENVELOPE_ACTOR_MISMATCH | §12 |
| V03 | Cross-envelope | attempt-id mismatch | CROSS_ENVELOPE_ATTEMPT_MISMATCH | §12 |
| V04 | Cross-envelope | envelope version mismatch | CROSS_ENVELOPE_VERSION_MISMATCH | §12 |
| V05 | Cross-envelope | trust-domain mismatch | CROSS_ENVELOPE_TRUST_DOMAIN_MISMATCH | §12 |
| W01 | Identifier (N16) | any generated identifier at 64 bytes (schema, table, index, constraint, sequence, trigger, policy, temp, teardown) | IDENTIFIER_TOO_LONG | C6 — all emitted identifiers |
| W02 | Identifier | identifier exactly 63 bytes | accept (boundary) | C6 |
| W03 | Identifier | multibyte ≤63 chars but >63 bytes | IDENTIFIER_TOO_LONG | UTF-8 bytes |
| W04 | Identifier | collision-shaped multibyte identifiers | IDENTIFIER_COLLISION_RISK | truncation/collision prohibition |
| W05 | Identifier (N12) | r2_b2_wb_<run_id> where run_id is a substring but not canonical-equal | SCHEMA_RUNID_NOT_EXACT | C5 canonical equality |
| X01 | Mapping (N22) | request None/[]/""/0/b"..." | MALFORMED_REQUEST_NOT_MAPPING | isinstance guard |
| X02 | Mapping | mapping subclass with hostile accessors | MALFORMED_REQUEST_HOSTILE_MAPPING | defensive read |
| X03 | DoS | oversized nesting | INPUT_DEPTH_EXCEEDED | depth limit |
| X04 | DoS | total input-size beyond limit | INPUT_SIZE_EXCEEDED | size limit |
These are criteria for a future RS-VALIDATOR-HARDENING test matrix; they are not executed here. The N12 closure is restated per C5 as canonical equality target_schema == "r2_b2_wb_" + run_id.lower() after strict run-id validation (no regex-from-run_id). The N16 closure per C6 covers every emitted identifier, not only schema + 7 tables.
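The N22, N12 and N16 closures and the W/X cases, as an added example of how a pure validator would implement them (not the report's validator.py): the strict run-id shape, the list of identifiers the registrar is assumed to emit, the depth/size limits and the HostileMapping input are assumptions of this example; the block stays pure (no DB, network or exec), using only `re` and `collections.abc.Mapping` for the guard the report itself names.

```python
"""Added example (not the report's validator.py): pure-validator closures for N22 (Mapping
guard, X01/X02), N12 (canonical schema equality, W05), N16 (byte length of every emitted
identifier, W01-W03) and the X03/X04 limits.  Run-id shape, emitted-identifier list and
limits are assumptions of this example."""
import re
from collections.abc import Mapping

SCHEMA_PREFIX = "r2_b2_wb_"
RUN_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_]{3,31}")   # assumed strict run-id shape (validated first)
PG_IDENT_MAX_BYTES = 63                                    # PostgreSQL NAMEDATALEN - 1, in bytes
MAX_DEPTH, MAX_BYTES = 8, 64 * 1024                        # assumed X03 / X04 limits
EMITTED_TABLES = ("guard_snapshot_before", "guard_snapshot_after")   # assumed registrar tables


class HostileMapping(dict):
    """Constructed X02 input: a dict subclass whose accessor lies to a naive req.get() reader."""
    def get(self, key, default=None):
        return SCHEMA_PREFIX + "anything"


def _depth(obj, d=0):
    """Bounded nesting walk; stops as soon as the limit is exceeded."""
    if d > MAX_DEPTH:
        return d
    if isinstance(obj, Mapping):
        return max([_depth(v, d + 1) for v in obj.values()] or [d])
    if isinstance(obj, (list, tuple)):
        return max([_depth(v, d + 1) for v in obj] or [d])
    return d


def identifier_ok(name):
    """N16: the limit is UTF-8 bytes, not characters (W03 multibyte names)."""
    return isinstance(name, str) and 0 < len(name.encode("utf-8")) <= PG_IDENT_MAX_BYTES


def emitted_identifiers(run_id):
    """Every identifier derived from the run id (C6: all of them, not only schema + tables)."""
    schema = SCHEMA_PREFIX + run_id.lower()
    out = [schema]
    for t in EMITTED_TABLES:
        out += [f"{schema}__{t}", f"ix_{schema}__{t}__captured_at", f"uq_{schema}__{t}__manifest_id"]
    return out


def validate_request(req):
    """Pure shape/binding check.  Returns (verdict, detail); anything but PASS_SHAPE is a reject."""
    if not isinstance(req, Mapping):
        return "MALFORMED_REQUEST_NOT_MAPPING", type(req).__name__       # N22 / X01
    if type(req) is not dict:
        return "MALFORMED_REQUEST_HOSTILE_MAPPING", type(req).__name__   # X02: no subclass accessors
    if len(repr(req).encode("utf-8")) > MAX_BYTES:
        return "INPUT_SIZE_EXCEEDED", None                               # X04
    if _depth(req) > MAX_DEPTH:
        return "INPUT_DEPTH_EXCEEDED", None                              # X03
    run_id = req.get("run_id")
    if not isinstance(run_id, str) or not RUN_ID_RE.fullmatch(run_id):
        return "RUN_ID_MALFORMED", run_id                                # strict validation before use
    expected = SCHEMA_PREFIX + run_id.lower()
    if req.get("target_schema") != expected:
        return "SCHEMA_RUNID_NOT_EXACT", req.get("target_schema")        # N12 / W05: equality, no substring
    for ident in emitted_identifiers(run_id):
        if not identifier_ok(ident):
            return "IDENTIFIER_TOO_LONG", ident                          # N16 / W01
    return "PASS_SHAPE", expected


if __name__ == "__main__":
    print(validate_request({"run_id": "Run_2026A", "target_schema": "r2_b2_wb_run_2026a"}))
    print(validate_request({"run_id": "x" * 32, "target_schema": "r2_b2_wb_" + "x" * 32}))
```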
12. INTEGRATION PRODUCER/CONSUMER MATRIX
An untrusted request may propose values (run_id, target, operation); it does not "issue" trusted values. Each trusted producer attests its own view; the validator/registrar rejects any mismatch. The Snapshot Block must bind operation and scope, not only target/hash/run. Authenticity model abbreviations: HBA = HASH_BOUND_AUTHORITY_ROW; HBO = HASH_BOUND_OBSERVER_ROW; HBC = HASH_BOUND_COMPOSITE (references only); none = not an authenticity-bearing field.
| Field | Trusted producer | Trusted consumer | Source of truth | Authenticity model | Replay/TTL rule | Reject on mismatch |
|---|---|---|---|---|---|---|
| canonical_target | Owner Resolver (A) + Artifact Resolver (F) | B, validator (E), registrar | governance_object_ownership.object_type+object_ref | HBA | n/a | target disagreement across A/B/F |
| scope | Owner Resolver (A) | B, E, registrar | governance_object_ownership.scope | HBA | n/a | scope uncovered/mismatch |
| operation | Owner Resolver (A) via APR | E, registrar | governed apr_action_types.action_code (register_dot, absent today) | HBA | n/a | operation ≠ register_dot / unattested |
| artifact_hash | Artifact Resolver (F) | A, B, E, registrar | governed carrier (candidate wf_fs_dot_bin_snapshot.hash / extra_metadata) | HBA | n/a | any hash disagreement / drift |
| artifact_hash_algorithm | F | E, registrar | F carrier metadata | none (declared) | n/a | unknown algorithm |
| canonicalization_version | each block | E | block contract | none (declared) | n/a | unsupported version |
| run_id | registration request (proposed) | B (canonical-eq), E (N12), registrar | request, validated against schema | none (validated) | bound into nonce domain | substring / inequality |
| attempt_id / correlation_id | registrar entry | B, E, Phase-4 audit | new per attempt; event_outbox.correlation_id carrier | none | distinct per attempt | attempt/correlation mismatch |
| actor / principal | Owner Resolver (A) | B, E, registrar | APR/owner row + event_outbox.actor_ref | HBA | n/a | actor/principal mismatch |
| delegated authority identity | Owner Resolver (A) | E, registrar | owner_kind='delegated' + chk_delegated_ttl | HBA | TTL required (effective_to) | delegation without TTL/expired |
| issuer | each block | E | block id | none | n/a | unknown issuer |
| audience | A, B, F | E, registrar | block contract | none | n/a | validator/verifier not in audience |
| trust_domain | each block | E | block contract | none | n/a | trust-domain mismatch |
| envelope_type / envelope_version | each block | E | block contract | none | n/a | type/version mismatch |
| issued_at | A, B | E | producer clock | none | freshness anchor | future issued_at |
| expires_at | A, B | E | producer clock + TTL | none | TTL ceiling | stale / reversed validity |
| nonce | request producer | E (shape/binding/freshness), registrar Phase 1 (consume) | minted per attempt | none (bound) | atomic consume UNIQUE(idempotency_key, attempt_no) | replay / reuse |
| nonce_state_owner | n/a (declared) | registrar Phase 1 | idempotency surface (iu_route_attempt-shape) | none | owns consume + retention | owner absent ⇒ fail-closed |
| authority-row ref (signature/MAC if any) | A (ownership_row_ref, approval_ref), B (observer_evidence_row_ref), F (artifact_evidence_row_ref) | E, post-commit verifier | the referenced governed rows | HBA / HBO | n/a | referenced row missing / hash mismatch |
| key_id / key_status_ref | — (no key infra) | — | n/a | reserved (Model 1) | n/a | present-but-unsupported ⇒ reject |
| source_refs | A, B, F | E, post-commit verifier | the governed rows above | HBC | n/a | provenance missing |
| decision_ref | validator (E); later registrar txn ref | Phase-2 verifier, Phase-4 audit | validator verdict / txn | none | n/a | verdict/txn ref missing |
| evidence_hash (envelope) | A, B, F | E | canonical payload | HBC (integrity within attempt only) | n/a | tamper within attempt |
Hard rule: the envelope evidence_hash provides integrity within a single attempt, not authenticity; authenticity is always delegated to the referenced authority/observer/artifact rows (§6). A caller-proposed run_id/target/operation is a proposal; only the matching attested producer view makes it trusted.
13. S142B WORDING AND DISPOSITION CORRECTION
Codex C7 demand: drop "demonstrably unsanctioned"; keep SOURCE_NOT_READ, outside governed ledger, quarantined, not callable sanctioned.
Live reconfirmation (PL9/PL10): orchestrator-s142b = 142; auto-apply-function = 18 (scanner_apply_without_vote / all applied_live_effect); system_auto_approve = 8 (insert_path_auto_approve: 3 applied_live_effect + 1 approved_undisposed + 4 remediated_inert). Back-audit ledger = 26 = 18 + 8. The 142 appear in zero ledger rows.
Corrected disposition wording for the 142:
SOURCE_NOT_READ · OUTSIDE_BACK_AUDIT_LEDGER · AUTHORIZATION_NOT_DEMONSTRATED · QUARANTINE_PENDING_SOURCE_AND_OWNER
- Strike from any RS3-derived statement: "the 142 are demonstrably unsanctioned" and the bare adjective "unsanctioned". Absence from the ledger + missing primary source proves only `AUTHORIZATION_NOT_DEMONSTRATED`, not a historical merits conclusion in either direction.
- Keep separate: the 142 are never merged with the 18; different lineage (`orchestrator-s142b` not-in-ledger vs `scanner_apply_without_vote` in-ledger) and different evidentiary state.
- No action shortcuts: no bulk delete, no relabel, no merge, no ratify until the S142B primary authorization source is located and read, and the Owner decides. `reviewed_by`/`bypass_class` values are evidence, not editable cosmetics.
- 18 and 8 unchanged from RS3: `scanner_apply_without_vote` (18) and `insert_path_auto_approve` (8: 4 inert / 3 ratify-candidate / 1 undisposed) stay criteria-only, not ratified here.
- Đ35 precondition retained: Đ35 14-health read-only re-verify (live "PRODUCTION READINESS FAIL", LAW_READING_INDEX §4.1 #10) remains a precondition to any ratify-leg; not executed here.
This correction is wording + disposition state only; it ratifies, relabels, deletes, and merges nothing.
14. REVISED RS3B SCOPE
Single next macro after Codex accepts this patch: RS3B-REGISTRAR-HARDENING-DESIGN (read-only / KB-design; large, 60–90 min; one LEGO block = the registrar). No implementation. It consumes the corrected envelopes (§6–§12) and interface F. It does not create a new registry and does not author DOT_GOVERNANCE_DOT_ADMISSION (DEFER stands).
Mandatory sub-blocks (now complete per Codex C8), in order:
- Registrar implementation-source recovery — read `bin/dot/dot-dot-register.ts` (carried `SOURCE_NOT_READ`). If the `read_file` allowlist does not expose `bin/dot/*.ts`, degrade to `HOLD_REGISTRAR_SOURCE_NOT_READ` and stop (no code-level hardening without the source).
- `dot-dot-register` ↔ `dot-catalog-sync` dual-writer boundary — resolve the dual-writer hazard: both write `dot_tools` (DOT-REGISTER = register; DOT-015 = dot-catalog-sync = sync, operation=NULL, paired_dot=NULL). Define which is the single-artifact registrar and how catalog-sync must not race/clobber a registration (Codex C8; RS2-PATCH1 §6.1/§6.5).
- Single-artifact criteria — registrar registers exactly the one admitted artifact (not "all untracked `bin/dot-*`"); reject mass-registration (Codex C8).
- Deployed-artifact resolver (interface F) — bind KB admission → canonical executable path + content hash + `hash_algorithm`/`canonicalization_version` + origin + immutable admission ref + drift state; assess `wf_fs_dot_bin_snapshot.hash` and a governed `extra_metadata` carrier (`dot_tools` has no hash column).
- Closed-at-registration — registration must not open any gate; `dot_config` row created/verified closed; activation is a separate Owner-gated Phase 3 (Codex C8; P-CLOSED).
- Idempotency / concurrency — uniqueness on `code`/`file_path`; advisory-lock or unique-constraint concurrency; reuse a uniqueness-backed surface for the replay nonce atomic consume (§9; `iu_route_attempt`-shape `UNIQUE(idempotency_key, attempt_no)`), resolving the writer-authority/domain-fit caveat (P-IDEM / P-CONC).
- Durable failure-audit candidate evaluation — compare `event_outbox`/`iu_route_attempt`/`registry_changelog`/`governance_audit_log` on schema compatibility, writer authority, retention, replay/idempotency, and post-rollback authorized writer; no new ledger until candidates are evaluated (Codex C3; P-FAILAUDIT).
- Pair cardinality — contract-derived persisted representation — derive the persisted representation from the accepted registrar design; prove one primary runtime identity; prove all four guards are content/hash-bound, independently testable, and reachable only through the primary; register separate rows only if an explicit contract requires them. Not fixed five rows (Codex; P-PAIR).
- Trigger side-effect accounting — account for `dot_tools` triggers (e.g. `trg_context_pack_dot_register` pg_notify on COMMIT; before-birth-gate; validate-dot-origin) so registration writes do not fire unintended side-effects (Codex C8 spirit; carried trigger inventory).
- No implementation — design + acceptance criteria only; no code, no schema, no run, no gate flip, no APR.
Sequenced siblings after RS3B (not bundled): RS-VALIDATOR-HARDENING (the actual validator.py patch for N07/N12/N16/N22 + categories P–X) and RS2B-RISK-RESIDUE-AND-Đ35-HEALTH-CLOSURE (S142B source hunt + residue disposition + Đ35 14-health re-verify). The deciding upstream blocker remains Owner-of-record (0 owner rows + assign_governance_owner unimplemented + no register_dot action type), which is Owner-gated and cannot be designed away.
15. MUST-NOT-DO CONFIRMATION
All 30 prohibitions held:
1. No runtime mutation ✓ (0 writes) · 2. No DDL/DML ✓ · 3. No manual SQL beyond read-only SELECT ✓ · 4. No psql ✓ · 5. No docker-exec psql ✓ · 6. No Directus generic create/update/delete ✓ · 7. No register/wire/run DOT ✓ · 8. No schema creation ✓ · 9. Macro-9A not opened ✓ · 10. Macro-9C not opened ✓ · 11. No B2 producer built ✓ · 12. `DOT_GOVERNANCE_DOT_ADMISSION` not authored/designed (DEFER stands) ✓ · 13. No new registry/table/collection ✓ · 14. Validator not patched ✓ · 15. Đ32/Đ35 not patched ✓ · 16. No gate flipped ✓ · 17. No APR created ✓ · 18. No APR approved ✓ · 19. No Owner authority claimed ✓ · 20. `/laws/` not used to override `laws-new`/`newlaws` ✓ · 21. Not turned into RS3B implementation ✓ · 22. No whole-system survey (scoped to the 8 correction objectives + reuse-precedent checks) ✓ · 23. RISK-BYPASS not cleared ✓ · 24. 142 not called sanctioned or "demonstrably unsanctioned" ✓ · 25. 142 not merged with 18 ✓ · 26. Hash not treated as signature ✓ · 27. Caller-provided operation/artifact not treated as authority binding ✓ · 28. Pure validator not treated as nonce replay-state owner ✓ · 29. Snapshot candidate not treated as trusted provider ✓ · 30. Activation not opened with registration ✓.
The only write is this RS3-PATCH1 report to the official AgentData KB path. RS3-BUNDLE and all prior reports are untouched.
16. STOP STATE
READY_FOR_CODEX_REVIEW.
- All eight correction objectives reached criteria depth, grounded in fresh primary live reads (PL1–PL12); no fail-open was found.
- Registration remains `REGISTRATION_HOLD` / `REGISTRATION_CAN_PROCEED = NO` (no write requested or performed; gates not re-read this cycle — RS2-PATCH1 packet evidence stands).
- Per-objective status: authenticity = `HASH_BOUND` model adopted (no "signed") · owner binding = `OWNER_BINDING_FAIL_CLOSED_UNTIL_APR_PAYLOAD_SUPPORT` · revocation = corrected (`revocation_ref` removed; `lifecycle_status='revoked'` proven) · replay = `REPLAY_STATE_OWNER_ASSIGNED · SURFACE_SHAPE_PROVEN · WRITER_AUTHORITY_UNPROVEN` · snapshot = `SNAPSHOT_MANIFEST_SOURCE_UNPROVEN` (criteria defined) · validator matrix = extended as criteria · integration = matrix published · S142B = neutralized.
- Carried caveats (unchanged): registrar implementation source unread; pair cardinality not fixed-5 (contract-derived); audit sinks candidate-only; `NO_CODEX_LIVE_READ`; S142B `SOURCE_NOT_READ`; owner-of-record absent + write-path unimplemented; Đ35 production-readiness FAIL not re-verified; RISK-BYPASS open.
- Single next macro: `RS3B-REGISTRAR-HARDENING-DESIGN` (front-loaded with registrar-source recovery + dual-writer boundary + interface F).
Sequence to registration (each gated): Codex re-reviews RS3-PATCH1 → RS3B-REGISTRAR-HARDENING-DESIGN → (RS-VALIDATOR-HARDENING ‖ RS2B-RISK-RESIDUE-AND-Đ35-HEALTH-CLOSURE) → Owner decision on owner-of-record + governed register_dot action type + attested artifact binding → registration (Phase 0→1, gate stays shut) → separate Owner-gated activation (Phase 3). Default HOLD throughout.
17. SELF-CHECK
- Read Codex RS3 HOLD? Yes — rev1/18,133, full (§4.2); all C1–C8 + §7–§11 mapped (§5).
- Read RS3-BUNDLE? Yes — rev1/55,709, full; corrected, not overwritten.
- Fixed hash/signature wording? Yes — all envelopes `HASH_BOUND`; "signed" forbidden absent signature fields (§6).
- Chose an authenticity model? Yes — Model 2 authority-/observer-controlled evidence row, with live reuse precedent (qt001) (§6).
- Checked owner/APR exact binding? Yes — live: no operation/artifact column on owner; APR carries operation+target but no attested artifact; `action` enum excludes `register_dot` (§7).
- Fail-closed if binding absent? Yes — `OWNER_BINDING_FAIL_CLOSED_UNTIL_APR_PAYLOAD_SUPPORT`; never synthesize from caller (§7).
- Handled `revocation_ref`? Yes — removed; `lifecycle_status='revoked'/'expired'/'superseded'` + `supersedes_id` proven (§8).
- Assigned nonce state owner? Yes — registrar Phase 1; atomic consume on `UNIQUE(idempotency_key, attempt_no)` shape (§9).
- Limited pure validator role? Yes — shape/binding/freshness/authenticity-ref only; no replay-prevention claim (§9).
- Fixed snapshot manifest integrity? Yes — MF-01…MF-06, MF-15/16 (§10).
- Fixed snapshot chronology? Yes — MF-07…MF-14, MF-17/18 (§10).
- Expanded adversarial matrix? Yes — categories P–X added as criteria; no patch, no run (§11).
- Produced producer/consumer matrix? Yes — all required fields with producer/consumer/SoT/authenticity/replay-TTL/reject (§12).
- Neutralized S142B wording? Yes — `AUTHORIZATION_NOT_DEMONSTRATED`; "unsanctioned" struck (§13).
- Restated RS3B scope fully? Yes — 10 sub-blocks incl. dual-writer boundary, single-artifact, closed-at-registration (§14).
- Any mutation? No — read-only `query_pg` + KB authoring of this one new report only.
- Registration HOLD kept? Yes — `REGISTRATION_HOLD` / `REGISTRATION_CAN_PROCEED = NO`.
- No-mega-system kept? Yes — reuse existing tables/views (governance_object_ownership, approval_requests, qt001 signoff family, iu_route_attempt, wf_*_snapshot); no new registry; LEGO boundaries intact.
Did NOT: mutate runtime; run DDL/DML/manual-SQL/psql; create/approve an APR; flip a gate; register/wire/run a DOT; create a schema/registry/table/collection; patch the validator or Đ32/Đ35; author DOT_GOVERNANCE_DOT_ADMISSION; claim Owner authority; clear RISK-BYPASS; call the 142 sanctioned or "demonstrably unsanctioned"; merge 18 and 142; design registrar code-level hardening; overwrite RS3-BUNDLE/RS2-PATCH1/RS2/RS1/Codex. Default HOLD. Hash ≠ signature. Caller assertion ≠ authority binding. Engineering PASS ≠ Authority PASS. KB admission ≠ runtime registration.
— End Macro-RS3-PATCH1 report (2026-06-21).