Macro-RS3-PATCH2 — Replay Domain, Authority Provenance, and Adversarial Completeness Correction — 2026-06-21
STATUS: PASS_WITH_CAVEATS
VERDICT: RS3_PATCH2_READY_FOR_CODEX_REVIEW
Registration gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO
Runtime observation: RS3_PATCH2_LIVE_READ (Claude read-only query_pg, DB directus, role context_pack_readonly, 2026-06-21) · 0 substrate mutations · NO_CODEX_LIVE_READ retained as a separate caveat
Class: read-only / KB-design / correction-addendum macro · non-enacting · non-authorizing · no implementation · no runtime mutation · no validator patch · no schema · no new registry
Deliverable: this report only (new file). Does NOT overwrite RS3-PATCH1, RS3-BUNDLE, RS2-PATCH1, RS2, RS1, or any Codex review.
Triggered by: Codex review NEED_RS3_PATCH2 / RS3_PATCH1_NEEDS_FIX (…/reports/codex/codex-review-rs3-patch1-authenticity-binding-replay-and-integration-correction-2026-06-21.md rev1)
Corrects (addendum to): …/reports/macro-rs3-patch1-authenticity-binding-replay-and-integration-correction-2026-06-21.md rev1
Date: 2026-06-21
1. STATUS
PASS_WITH_CAVEATS. This patch closes the five corrected/rejected load-bearing items Codex raised against RS3-PATCH1, in one bounded read-only / KB-design pass, and keeps every RS3-PATCH1 point Codex accepted (hash ≠ signature; HASH_BOUND_AUTHORITY_ROW/HASH_BOUND_OBSERVER_ROW direction; owner-binding fail-closed; invented revocation_ref removed; neutral S142B wording; RS3B scope; REGISTRATION_HOLD).
It corrects: (A) the replay/single-use domain — pinning a canonical replay_key, proving from fresh live schema that iu_route_attempt's UNIQUE(idempotency_key, attempt_no) does not guarantee single-use, and fail-closing the surface; (B) authority provenance — downgrading QT001 and every unproven carrier from "implements exactly / proven" to candidate/fail-closed, with live evidence (no immutability triggers, nullable checksum, writers not enumerable from read-only); (C) snapshot/manifest adversarial completeness — adding every missing reject case Codex enumerated; (D) integration namespaces and auth labels — splitting request_proposed.* from trusted_attested.* and demoting artifact_hash/snapshot refs/timestamps to SOURCE_UNPROVEN / FAIL_CLOSED; (E) the validator adversarial matrix — adding the explicit replay / authority-readback / snapshot / integration cases.
It is not an authority pass and it does not authorize registration. Engineering/criteria PASS ≠ Owner authority PASS. KB admission ≠ runtime registration. Default = HOLD.
2. VERDICT
RS3_PATCH2_READY_FOR_CODEX_REVIEW.
- READY_FOR_RS3B = NO_UNTIL_CODEX_ACCEPTS_PATCH2
- REGISTRATION_CAN_PROCEED = NO
- REGISTRATION_HOLD remains mandatory.
- No fail-open discovered; nothing ratified, relabelled, merged or deleted; no scope drift. PATCH2 is a localized trust-envelope correction, not an RS3B implementation.
Per-objective result line: replay = REPLAY_DOMAIN_FAIL_CLOSED_UNTIL_SURFACE_FIT_PROVEN (+ REPLAY_SURFACE_NOT_FIT for iu_route_attempt single-use, criteria + canonical replay_key pinned) · authority provenance = QT001 → REUSE_CANDIDATE_PRECEDENT, all carriers classified, unproven ones SOURCE_UNPROVEN_FAIL_CLOSED · lifecycle = vocabulary source-backed, transition authority UNPROVEN (consume only after writer + active-head proven) · snapshot/manifest = adversarial cases completed as criteria, SNAPSHOT_MANIFEST_SOURCE_UNPROVEN retained · integration = request_proposed.* / trusted_attested.* split; artifact_hash/snapshot/timestamps demoted to fail-closed · validator matrix = missing cases added as criteria (no patch, validator stays pure) · RS3B = RS3B_ALLOWED_AFTER_CODEX_ACCEPTS_PATCH2.
3. EXECUTIVE SUMMARY
3.0 What changed vs RS3-PATCH1 (and what did not)
RS3-PATCH1 was directionally correct. Codex accepted twelve points and NEED_RS3_PATCH2'd on four corrected + five rejected items. PATCH2 changes only those, by addendum:
| RS3-PATCH1 said | Codex correction | PATCH2 resolution |
|---|---|---|
| SURFACE_SHAPE_PROVEN on UNIQUE(idempotency_key, attempt_no); REPLAY_STATE_OWNER_ASSIGNED | Exact-pair uniqueness ≠ single-use; changing attempt_no bypasses | §6: live-proven NOT single-use; canonical replay_key + atomic-consume rule pinned; surface fail-closed (REPLAY_SURFACE_NOT_FIT) |
| QT001 "implements exactly this shape", "proves Model 2 reusable" | Candidate precedent only; not proven authenticity | §7: downgraded to REUSE_CANDIDATE_PRECEDENT with live why (no triggers, nullable checksum, writers unseen, guards are views) |
| artifact_hash/snapshot rows labelled HBA/HBO in the matrix | Must be SOURCE_UNPROVEN / FAIL_CLOSED until carrier/writer proven | §9: demoted; HBA/HBO are target models, not current properties |
| lifecycle revoked/superseded proven values | Vocabulary source-backed, transition authority unproven | §7.4: consume lifecycle only after governing writer + active-head proven; else reject |
| P–X is the adversarial matrix | Several required cases absent | §8 + §10: all enumerated cases added |
Kept intact (Codex-accepted, not reopened): hash ≠ signature; Model 2 HASH_BOUND_AUTHORITY_ROW / HASH_BOUND_OBSERVER_ROW is the right target; evidence_hash = integrity-within-attempt only; OWNER_BINDING_FAIL_CLOSED_UNTIL_APR_PAYLOAD_SUPPORT; revocation_ref removed (lifecycle revoked is the authoritative fact); validator stays pure (registrar owns replay state); wf_*_snapshot are reuse candidates only; neutral S142B wording; RS3B scope is a coherent 60–90-minute LEGO macro; REGISTRATION_HOLD.
3.1 The single most load-bearing live finding
iu_route_attempt (live, 2026-06-21) is an IU-routing retry ledger, not a single-use nonce store. Columns: id, route_code, route_kind ∈ {inbound,outbound}, event_ref, idempotency_key(text, NOT NULL), attempt_no(int, NOT NULL, default 1, CHECK >= 1), status ∈ {pending,dry_run,sent,skipped,failed,disabled}, error_*, payload_snapshot, started_at, finished_at. Constraints: PK(id); iu_route_attempt_idem_uniq = UNIQUE(idempotency_key, attempt_no). No operation, canonical_target, run_id, deployed_artifact_hash, or owner/approval column. No triggers observed. 68 rows.
Therefore the same idempotency_key is by design allowed to recur with attempt_no = 1, 2, 3, … — that is the retry mechanism. A unique constraint that includes attempt_no cannot reject reuse of the nonce under a new attempt_no. It does not enforce single-use, and it binds none of the replay_key components. This is exactly Codex §3.3 / C4, now confirmed against live schema. PATCH2 therefore fail-closes the replay surface and pins the required domain instead of claiming closure.
3.2 The second load-bearing finding — authority provenance is structurally unproven
QT001 (live): qt001_independent_review_signoff (2 rows) and qt001_signoff_plan_binding (0 rows). The signoff table carries the right shape (reviewed_plan_checksum, reviewer_type CHECK {CODEX,T2_HUMAN,OWNER,OTHER} plus a stricter {CODEX,T2_HUMAN} check, valid_until, superseded/superseded_by, verdict CHECK). But: no immutability or append-only trigger exists on it; reviewed_plan_checksum is NULLABLE (binding can be absent); the plan-binding table is empty; the only grant visible from the read-only role is context_pack_readonly SELECT — the writers cannot be enumerated, so authority-controlled-writer identity is unproven from this vantage; and the v_qt001_*_guard objects are VIEWs (read-side projections), which cannot enforce write-time immutability on the base table. So QT001 proves a candidate row/binding pattern, not authenticity. This is REUSE_CANDIDATE_PRECEDENT, and reuse remains preferred — no new registry.
3.3 Posture
Default HOLD. Fail-closed on missing/ambiguous authority, snapshot provenance, or replay state. Reuse-first; no shadow registry, no mega-graph, no mega-birth pipeline; each block born/checked/replaced separately, joined only by contract/envelope. The only write performed by this macro is this KB report.
4. SOURCE REGISTER
Evidence tiers: RS3_PATCH2_LIVE = fresh read-only query_pg this cycle (2026-06-21); KB_SOURCE = full read from AgentData KB this cycle; PATCH1_PACKET = carried from RS3-PATCH1 (not re-verified live this cycle); CODEX = Codex correction; CARRIED = prior-cycle conclusion not re-read this cycle; SOURCE_NOT_READ / SOURCE_UNPROVEN = could not establish.
| Source | Revision / length | Read status | Evidence tier | Used for | Caveat |
|---|---|---|---|---|---|
| …/codex/codex-review-rs3-patch1-…-2026-06-21.md | rev1 / 18,531 chars | FULL | CODEX | The current gate (NEED_RS3_PATCH2); item list | Codex NO_CODEX_LIVE_READ |
| …/reports/macro-rs3-patch1-…-2026-06-21.md | rev1 / 66,237 chars | FULL (verbatim extraction) | PATCH1_PACKET | Target being patched; accepted points to preserve | not overwritten |
| …/codex/codex-review-rs3-bundle-…-2026-06-20.md | rev1 / 18,133 chars | FULL | CODEX | Original mandatory closure criteria (C1–C8, §7–§12) | — |
| …/reports/macro-rs3-bundle-…-2026-06-20.md | rev1 / 55,709 chars | FULL | KB_SOURCE | 4 envelopes, N07/N12/N16/N22, interface F, K–O | — |
| …/codex/codex-review-rs2-patch1-…-2026-06-20.md | rev1 | CARRIED | CARRIED | Registrar/dual-writer/interface-F baseline | not re-read this cycle |
| …/reports/macro-rs2-patch1-…-2026-06-20.md | rev4 | CARRIED | CARRIED | Atomic-boundary / durable-sink baseline | not re-read this cycle |
| dot-r2-b2-staging-schema-shell.validator.py | rev2 / 14,415 chars | FULL | KB_SOURCE | Actual validator behavior; reject codes; gaps | pure validator; local 64/64 only |
| dot-schema-write-guards.contract.md | rev2 / 11,333 chars | FULL | KB_SOURCE | Guard provenance semantics (enforced vs supplied) | — |
| dot-r2-b2-staging-schema-shell.contract.md | rev2 / 12,095 chars | FULL | KB_SOURCE | Canonical operation/target; no artifact hash; no replay | — |
| dot-r2-b2-bad-input-matrix.md | rev2 / 8,971 chars | FULL | KB_SOURCE | Existing 64-case matrix (A–J); coverage gaps | tops out at category J |
| dot-r2-b2-validator-test-run-v2.txt | rev1 / 10,292 chars | CARRIED | PATCH1_PACKET | Local 64/64 evidence only (does not execute P–X) | not a runtime proof |
| dot-r2-b2-staging-schema-shell-birth-admission-2026-06-19.md | rev9 | CARRIED | CARRIED | Admission/HOLD state | not re-read this cycle |
| de-bai-cai-tien.md / matrix-refactor-quick-rules.md / matrix-stamp-governance-addendum.md / LAW_READING_INDEX.md | — | CARRIED_NOT_RE_READ | CARRIED | LEGO / reuse-first / no-mega constraints | FULL_READ in RS1-PATCH1 cycle; Codex confirmed retained; PATCH2 creates no registry/table/graph so nothing in dispute |
| Live query_pg (DB directus, role context_pack_readonly, 2026-06-21): iu_route_attempt cols+constraints+indexes; qt001_independent_review_signoff/qt001_signoff_plan_binding cols+constraints+counts; governance_object_ownership cols+count; approval_requests/apr_approvals cols; event_outbox/registry_changelog/governance_audit_log cols; wf_fs_dot_bin_snapshot/wf_metric_snapshot/wf_docker_container_snapshot/context_pack_manifest cols; triggers + grants on the authority/replay/snapshot tables; row counts | — | FULL | RS3_PATCH2_LIVE | §6 replay, §7 carrier classification, §8 snapshot | read-only role: writer grants not enumerable; trigger absence may be true-absence or visibility-limited — either way enforcement UNPROVEN |
| Runtime gates (process_dot_runtime.real_run, iu_core.operator_runtime, iu_create.gateway) | — | NOT_RE_READ_THIS_CYCLE | CARRIED | — | carried SHUT from RS2-PATCH1/RS3-PATCH1; REGISTRATION_HOLD retained regardless |
| bin/dot/dot-dot-register.ts (registrar implementation source) | — | SOURCE_NOT_READ | SOURCE_NOT_READ | — | deferred to RS3B; read_file allowlist exposes only /opt/incomex/docs, /opt/incomex/dot/specs, /var/log/nginx |
| S142B primary authorization source | — | SOURCE_NOT_READ | SOURCE_NOT_READ | — | unchanged; neutral wording retained |
No source needed for a finding below was substituted with local prose. No unavailable live fact is promoted to a Codex-proven production fact.
5. CODEX PATCH2 ITEM CLOSURE MAP
Status legend: CLOSED_AS_CRITERIA · FAIL_CLOSED_BY_ABSENCE · SOURCE_UNPROVEN_FAIL_CLOSED · STILL_HOLD · REJECTED_WITH_REASON.
| # | Codex PATCH2 item | Required correction | PATCH2 result | Evidence | Status |
|---|---|---|---|---|---|
| 1 | Replay single-use / domain | Pin canonical replay_key; show why exact-pair uniqueness ≠ single-use; define unique component, exact-retry, attempt_no bypass, rollback before/after, TTL, atomic consume, conflict, writer; fail-closed if surface unfit | Canonical replay_key rule pinned (§6); live-proven iu_route_attempt cannot enforce single-use and binds no replay_key component → REPLAY_SURFACE_NOT_FIT; surface fail-closed; required future surface defined, not invented | RS3_PATCH2_LIVE (cols/constraints, attempt_no default 1, no replay_key cols, no triggers) | CLOSED_AS_CRITERIA (fail-closed) |
| 2 | QT001 downgrade | REUSE_CANDIDATE_PRECEDENT, not AUTHENTICITY_PROVEN | Downgraded with live why: no immutability triggers, nullable reviewed_plan_checksum, empty binding table, writers not enumerable, guards are VIEWs | RS3_PATCH2_LIVE | CLOSED_AS_CRITERIA |
| 3 | Authority provenance downgrade | Classify all 9 carriers; criteria to move candidate→proven | Carrier table (§7.3); unproven carriers SOURCE_UNPROVEN_FAIL_CLOSED; promotion criteria stated | RS3_PATCH2_LIVE + CODEX | CLOSED_AS_CRITERIA / SOURCE_UNPROVEN_FAIL_CLOSED per carrier |
| 4 | Lifecycle transition authority caveat | Vocabulary is source-backed but transition authority unproven; consume only after writer/active-head proven | §7.4: lifecycle facts consumable only after governing writer + active-head constraints proven; else reject; no new revocation store | RS3_PATCH2_LIVE (no triggers; writers unseen) + PATCH1_PACKET (enums, uq_gov_obj_accountable) | CLOSED_AS_CRITERIA (fail-closed caveat) |
| 5 | Snapshot/manifest missing adversarial cases | Add unauthorized issuer, different-attempt, future ts, clock-skew, duplicate ref, op/scope unbound, observer non-independent, aggregate vs per-surface mismatch, absent write-set provenance, substitution/shrink/unknown/duplicate surface, mixed canonicalization, both-before, after-before-before, stale, false continuity | §8 adversarial completion table (all 19 cases, mapped to MF criteria) | CODEX §10 + RS3_PATCH2_LIVE (snapshot cols absent) | CLOSED_AS_CRITERIA |
| 6 | Validator P–X incompleteness | Add the explicit replay/authority/snapshot/integration cases Codex listed | §10 PATCH2 additions matrix (P2-RP/AU/SN/IN), criteria only, validator stays pure, enforcement layer annotated | CODEX §9/§11 + KB_SOURCE (validator gaps) | CLOSED_AS_CRITERIA |
| 7 | Integration auth labels | artifact_hash not HBA until F proves carrier/writer; snapshot refs not HBO until observer writer proven; timestamps not trusted on parse; caller-carried refs not trusted | §9: demoted to SOURCE_UNPROVEN_FAIL_CLOSED; reread + clock-skew + provenance rules | CODEX §12 + RS3_PATCH2_LIVE | CLOSED_AS_CRITERIA (SOURCE_UNPROVEN_FAIL_CLOSED for artifact_hash/snapshot) |
| 8 | request_proposed vs trusted_attested namespaces | Separate fields/namespaces; consumer rereads trusted row; mismatch rejects | §9.1 namespace split + §9.2 matrix with both columns and reject-on-mismatch/source-gap | CODEX §12 | CLOSED_AS_CRITERIA |
No item is STILL_HOLD or REJECTED_WITH_REASON. The fail-closed sub-states (1, 4, 7) are by-design conservative closures, not open defects: the contract now rejects in each unproven case rather than claiming a property.
6. REPLAY DOMAIN AND SINGLE-USE RULE
6.1 Canonical replay_key (pinned)
```
replay_key = H(
  protocol_version,
  nonce | idempotency_key,     # caller-minted per logical attempt
  canonical_operation,         # e.g. register_dot (governed action_code; absent today)
  canonical_target,            # governance_object_ownership.object_type+object_ref
  deployed_artifact_hash,      # interface F (carrier UNPROVEN today)
  owner_or_approval_binding,   # ownership_row_ref / approval_ref + quorum
  run_id                       # validated registration run id
)
```
H is a documented canonical hash over a canonicalized, version-tagged tuple. replay_key is the single-use axis. It binds the nonce to the exact operation, target, artifact, owner/approval and run, so a nonce minted for one (operation, target, artifact) cannot be replayed against another.
6.2 The 10 mission questions, answered
| # | Question | Answer |
|---|---|---|
| 1 | Which component is unique for single use? | replay_key as a whole (equivalently, a single-use uniqueness on nonce/idempotency_key that is independent of attempt_no and bound to operation/target/artifact/owner/run). attempt_no must never be part of the single-use uniqueness key. |
| 2 | Can attempt_no be changed to bypass? | No — and the live iu_route_attempt shape would currently allow exactly that bypass. UNIQUE(idempotency_key, attempt_no) admits (key, 1), (key, 2), …; incrementing attempt_no reuses the same nonce. The single-use surface must reject a second consume of the same replay_key regardless of any attempt counter. attempt_no may exist only as a non-keying retry-count attribute. |
| 3 | Exact retry → prior result or new attempt? | Exact retry (same replay_key) returns the prior committed decision/result (idempotent replay); it must not produce a second registration-visible effect. |
| 4 | Rollback before the consume row commits? | The in-transaction consume row rolls back with the txn; a legitimate retry may re-consume. To avoid colliding with a sibling that did commit, a retry mints a fresh nonce → fresh replay_key; the original replay_key, if never committed, is simply unused. |
| 5 | Rollback after the consume row commits (registration effect failed)? | The committed consume row stays consumed (single-use is burned). A retry must mint a new nonce/replay_key. The consume must be atomic with / ordered before the registration-visible effect so a replay can never yield a second effect. The failed attempt is recorded by a durable failure audit written OUTSIDE the rolled-back txn. |
| 6 | TTL / freshness interaction? | Envelope issued_at/expires_at bound freshness; now > expires_at or future issued_at → reject (stale/future) before consume. Freshness is a pure validator check; it is separate from and additional to single-use consumption (an unused-but-expired nonce still rejects; a fresh nonce already consumed still rejects). |
| 7 | Atomic insert/consume where? | A single INSERT … ON CONFLICT DO NOTHING/RETURNING against a single-use surface keyed by replay_key (one row per replay_key), executed inside the registrar Phase-1 transaction. Conflict (0 rows inserted) ⇒ replay ⇒ reject and return the prior decision. |
| 8 | Conflict behavior? | Conflict = REPLAY_NONCE_CONSUMED; the registrar reads the prior committed row and returns its decision (idempotent), never a second effect. |
| 9 | Proven writer? | Registrar Phase 1 is the intended owner (correct layer). Writer authority over any concrete surface is UNPROVEN this cycle: from the read-only role only context_pack_readonly SELECT is visible on iu_route_attempt; the registration-writer role/grants cannot be enumerated. → WRITER_AUTHORITY_UNPROVEN. |
| 10 | If iu_route_attempt does not fit → fail-closed how? | REPLAY_DOMAIN_FAIL_CLOSED_UNTIL_SURFACE_FIT_PROVEN + REPLAY_SURFACE_NOT_FIT. Define the required future surface (below); do not invent it here. |
6.3 Replay component table
| Component | Rule | Source (live) | Failure mode | Reject condition |
|---|---|---|---|---|
| canonical replay_key | single-use axis; H(...) over the 7-tuple | derived (canonical rule) | nonce reused across (op,target,artifact) | duplicate replay_key ⇒ REPLAY_NONCE_CONSUMED |
| nonce / idempotency_key | minted by the registration request producer, once per logical attempt | iu_route_attempt.idempotency_key (text, NOT NULL) exists | malformed / missing / reused under new attempt_no | NONCE_MALFORMED / NONCE_UNBOUND / REPLAY_ATTEMPT_NO_BYPASS |
| attempt_no | retry counter only; NOT part of single-use key | iu_route_attempt.attempt_no (int, default 1, CHECK >=1) | used as a single-use axis | reject any design that keys single-use on (key, attempt_no) |
| uniqueness domain | replay_key (op,target,artifact,owner,run,nonce,version) | — | partial binding (e.g. nonce alone) | nonce not bound to op/target/artifact ⇒ NONCE_UNBOUND |
| TTL / freshness | issued_at/expires_at; reject stale/future | envelope fields (validator, interface E) | stale or future issuance | ENVELOPE_STALE / ENVELOPE_FUTURE_ISSUED |
| atomic consumer | INSERT one row per replay_key inside Phase-1 txn; ON CONFLICT reject | registrar Phase 1 (writer authority UNPROVEN) | non-atomic / outside txn / TOCTOU | REPLAY_NONCE_CONSUMED on conflict |
| exact-retry semantics | same replay_key ⇒ return prior committed decision | — | second effect on retry | duplicate effect ⇒ fail-open ⇒ REJECT_FAIL_OPEN |
| rollback before commit | consume rolls back; retry mints fresh nonce | txn semantics | re-consume collision | n/a (nothing committed) |
| rollback after commit | consume stays burned; retry needs new nonce | txn semantics | replay yields 2nd effect | reuse of committed replay_key ⇒ reject |
| durable failure audit | failed attempt recorded OUTSIDE rolled-back txn | candidate sinks: event_outbox / registry_changelog / governance_audit_log (sink UNPROVEN) | audit lost on rollback | P-FAILAUDIT (audit absent ⇒ fail) |
| writer authority | registrar role with INSERT on the single-use surface | not enumerable from read-only | unauthorized writer | WRITER_AUTHORITY_UNPROVEN ⇒ fail-closed |
| validator boundary (pure) | checks nonce shape, binding, freshness, authority-ref presence only | validator rev2 (import re only) | validator claims replay prevention | forbidden: a pure validator cannot own mutable nonce state |
6.4 Why iu_route_attempt is REPLAY_SURFACE_NOT_FIT (live)
- Single-use not enforced. UNIQUE(idempotency_key, attempt_no) + attempt_no default 1, CHECK >= 1 ⇒ the same key recurs across attempts. This is a retry ledger; the unique key includes the retry axis.
- No replay_key binding. No operation, canonical_target, run_id, deployed_artifact_hash, or owner/approval column ⇒ the nonce is unbound to the operation it would authorize.
- Wrong domain. route_code, route_kind ∈ {inbound,outbound}, event_ref, status ∈ {pending,dry_run,sent,skipped,failed,disabled} ⇒ this is the IU message-routing domain, not DOT registration.
- Writer authority unproven. Only context_pack_readonly SELECT is visible; no enumerable registration-writer.
- No triggers. No immutability/append-only enforcement observed.
Conclusion: REPLAY_DOMAIN_FAIL_CLOSED_UNTIL_SURFACE_FIT_PROVEN. iu_route_attempt is a useful shape precedent for atomic INSERT … ON CONFLICT idempotency, but is not the single-use replay surface for registration.
6.5 Required future surface (defined, not built)
A registration-attempt / replay surface that, to earn REPLAY_DOMAIN_READY_AS_CRITERIA, must prove all of: (a) single-use uniqueness on replay_key (one row per key, attempt_no non-keying); (b) columns binding operation, canonical_target, run_id, deployed_artifact_hash, owner_or_approval_binding; (c) registration domain (not IU routing); (d) an atomic in-Phase-1 consume with ON-CONFLICT reject; (e) a proven registrar writer (governed INSERT grant) with append-only/immutability evidence; (f) a durable failure audit outside the rolled-back txn; (g) exact-retry returns prior decision. Surface selection and writer-authority/domain-fit proof belong to RS3B durable-sink evaluation — no surface is invented here.
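The following Python is an added illustration of §6, not code from the RS3 reports or the project: it contrasts a retry ledger with the live UNIQUE(idempotency_key, attempt_no) shape against a single-use surface keyed on the canonical replay_key, including the atomic consume (Q7/Q8), rollback before commit (Q4) and rollback after commit (Q5). The in-memory sqlite3 tables, the `consume_token` column, the choice of SHA-256 over canonical JSON for H, and every sample component value are assumptions made for the example.

```python
import hashlib
import json
import secrets
import sqlite3

PROTOCOL_VERSION = "replay-v1"  # assumed version tag for the canonical tuple

REQUIRED = ("nonce", "canonical_operation", "canonical_target",
            "deployed_artifact_hash", "owner_or_approval_binding", "run_id")


def bind_replay_key(components):
    """Canonical replay_key = H(version-tagged 7-tuple). H is assumed here to be
    SHA-256 over sorted-key compact JSON. A missing component means the nonce is
    not bound to op/target/artifact/owner/run, which the report rejects as
    NONCE_UNBOUND. Returns (key, None) or (None, reject_code)."""
    missing = [k for k in REQUIRED if not components.get(k)]
    if missing:
        return None, "NONCE_UNBOUND"
    tup = {"protocol_version": PROTOCOL_VERSION}
    tup.update({k: components[k] for k in REQUIRED})
    canon = json.dumps(tup, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest(), None


def open_db():
    """Constructed in-memory schema: a retry ledger with the live iu_route_attempt
    constraint shape, and the required single-use surface (one row per replay_key,
    attempt_no present but non-keying)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE retry_ledger (
            id INTEGER PRIMARY KEY,
            idempotency_key TEXT NOT NULL,
            attempt_no INTEGER NOT NULL DEFAULT 1 CHECK (attempt_no >= 1),
            UNIQUE (idempotency_key, attempt_no)
        );
        CREATE TABLE registration_replay (
            replay_key TEXT PRIMARY KEY,           -- the single-use axis
            attempt_no INTEGER NOT NULL DEFAULT 1 CHECK (attempt_no >= 1),
            consume_token TEXT NOT NULL,           -- which consume call won the row
            decision TEXT NOT NULL                 -- prior committed decision for replays
        );
    """)
    return con


def ledger_insert(con, idempotency_key, attempt_no):
    """Retry-ledger semantics: only the exact (key, attempt_no) pair is unique."""
    try:
        with con:
            con.execute("INSERT INTO retry_ledger (idempotency_key, attempt_no) VALUES (?, ?)",
                        (idempotency_key, attempt_no))
        return "INSERTED"
    except sqlite3.IntegrityError:
        return "REJECTED_DUPLICATE_PAIR"


def consume(con, replay_key, attempt_no, decision, effect=None):
    """Atomic consume inside one transaction (the registrar Phase-1 txn of the report).
    `effect` stands in for the registration-visible effect run in the same txn; if it
    raises, the consume row rolls back with it (Q4). Returns ("CONSUMED", decision),
    ("REPLAY_NONCE_CONSUMED", prior decision) or ("ROLLED_BACK", None)."""
    token = secrets.token_hex(8)
    try:
        with con:  # commits on normal exit, rolls back on exception
            con.execute(
                "INSERT INTO registration_replay (replay_key, attempt_no, consume_token, decision) "
                "VALUES (?, ?, ?, ?) ON CONFLICT(replay_key) DO NOTHING",
                (replay_key, attempt_no, token, decision))
            row = con.execute(
                "SELECT consume_token, decision FROM registration_replay WHERE replay_key = ?",
                (replay_key,)).fetchone()
            if row[0] != token:
                # Conflict: the nonce is already burned (also the Q5 case after a
                # committed consume). Return the prior decision, never a second effect.
                return "REPLAY_NONCE_CONSUMED", row[1]
            if effect is not None:
                effect()
            return "CONSUMED", decision
    except RuntimeError:
        return "ROLLED_BACK", None
```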
7. AUTHORITY PROVENANCE DOWNGRADE AND CARRIER CLASSIFICATION
7.1 The model is unchanged; the labels are corrected
Codex accepted the target model. PATCH2 does not reopen it: HASH_BOUND_AUTHORITY_ROW (HBA) and HASH_BOUND_OBSERVER_ROW (HBO) remain the correct targets. PATCH2 corrects the claim level: a carrier is HBA/HBO only when a proven authority-controlled writer creates an immutable / governance-controlled row and the consumer rereads that row from the authority store. Until then the carrier is a candidate or fail-closed — never already-HBA in a published matrix.
7.2 Candidate → proven promotion criteria (general)
A carrier moves from REUSE_CANDIDATE_PRECEDENT to PROVEN_AUTHORITY_CONTROLLED_CARRIER only when all are evidenced:
1. Writer authority — the write path is restricted to a governed role (enumerable grants), not any app/admin role.
2. Immutability / append-only or governance-controlled mutation — trigger/constraint/revoked-UPDATE-DELETE evidence, or a governed supersession-only mutation rule.
3. Consumer readback — the consuming boundary rereads the row from the authority store and does not trust a caller-carried copy.
4. Tamper evidence — row hash / checksum binding the protected payload, with non-null enforcement.
5. Retention — the row survives rollback/retry windows for audit.
6. Revocation / supersession (where relevant) — a proven lifecycle/supersession fact with a governing transition writer.
A "guard" view does not satisfy (1)–(3): a view is a read-side projection and cannot enforce base-table write authority or immutability.
7.3 Carrier classification table (live)
Classes: PROVEN_AUTHORITY_CONTROLLED_CARRIER · REUSE_CANDIDATE_PRECEDENT · SOURCE_UNPROVEN_FAIL_CLOSED · NOT_FIT_FOR_AUTHENTICITY.
| Carrier | Current evidence (live 2026-06-21) | Classification | Required to prove | Consumer rule | Caveat |
|---|---|---|---|---|---|
| QT001 signoff family (qt001_independent_review_signoff 2 rows; qt001_signoff_plan_binding 0 rows) | Right shape: reviewed_plan_checksum, reviewer_type CHECK {CODEX,T2_HUMAN,OWNER,OTHER} + strict {CODEX,T2_HUMAN}, valid_until, superseded/superseded_by, FK binding→signoff. No triggers; reviewed_plan_checksum NULLABLE; binding table empty; only context_pack_readonly SELECT visible; v_qt001_*_guard are VIEWs | REUSE_CANDIDATE_PRECEDENT | enumerable governed writer; immutability/append-only on the base table; non-null checksum binding; consumer readback; reviewer independence proven by credential/process | resolver/validator rereads signoff+binding rows from the store and verifies checksum == target; never accept a caller-carried copy; reject if checksum null | writer authority SOURCE_NOT_READ from read-only vantage; guards are read-side only |
| governance_object_ownership (0 rows; 20 cols) | owner_kind, lifecycle_status (default active), approval_ref, audit_ref, supersedes_id, effective_from/to; no operation, artifact_hash, revocation_ref | REUSE_CANDIDATE_PRECEDENT (head store) → owner binding FAIL_CLOSED | ≥1 active accountable owner row; APR payload binding op+artifact; uq_gov_obj_accountable active-head enforcement; transition writer | reread active head; reject on 0 rows / ambiguous / inactive head | OWNER_BINDING_FAIL_CLOSED_UNTIL_APR_PAYLOAD_SUPPORT (kept) |
| approval_requests (cols live) | action varchar default 'add'; proposed_action_code(text); proposed_action(jsonb); request_type_code; entity_type/entity_code; target_collection/target_entity_code. No artifact_hash; no signature/MAC/key column | REUSE_CANDIDATE_PRECEDENT (transitive op/target) + SOURCE_UNPROVEN_FAIL_CLOSED (artifact + register_dot) | governed implemented register_dot action type; attested artifact ref in payload; quorum proof | reread APR row + apr_approvals/quorum; reject caller free-text proposed_action_code as authority | action enum excludes register_dot; free-text proposal ≠ attestation |
| artifact_hash carrier (interface F) | dot_tools has no hash column (carried); wf_fs_dot_bin_snapshot.hash exists but nullable, no run/attempt binding | SOURCE_UNPROVEN_FAIL_CLOSED | F resolver: admission→canonical path→content hash + hash_algorithm/canonicalization_version + origin + immutable admission ref + drift; governed writer | reread F-attested row; reject any caller-supplied hash; reject on drift | carrier must be designed in RS3B |
| wf_*_snapshot (wf_fs_dot_bin_snapshot 289 rows; also script/docker/metric/host/systemd/kb) | hash (nullable), single observed_at, status default OBSERVED. No manifest_id/hash/version, observer credential, run_id, attempt_id, before/after pairing, sequence, operation, scope. No triggers | NOT_FIT_FOR_AUTHENTICITY as manifest provider (candidate per-surface primitive only) | full manifest envelope (MF-01…18); independent observer credential/process; attempt binding; before/after chronology | reject as trusted provider; treat only as candidate primitive | SNAPSHOT_MANIFEST_SOURCE_UNPROVEN (kept) |
| event_outbox (cols live) | correlation_id(text, nullable, no unique), actor_ref(NOT NULL), safe_payload(jsonb), occurred_at/created_at; only context_pack_readonly SELECT visible | REUSE_CANDIDATE_PRECEDENT (durable failure-audit sink only; authenticity = none) | writer authority for post-rollback audit; retention; replay/idempotency semantics | n/a for authenticity; used as audit sink | no uniqueness for replay; sink unproven |
| iu_route_attempt (68 rows) | UNIQUE(idempotency_key, attempt_no), attempt_no default 1; no replay_key columns; IU-routing domain; no triggers | NOT_FIT_FOR_AUTHENTICITY + REPLAY_SURFACE_NOT_FIT (authenticity = none) | single-use on replay_key (attempt_no non-keying); registration domain; proven registrar writer | registrar atomic consume; reject replay | shape precedent only (§6) |
| registry_changelog (14 cols) | action, entity_*, changed_by, alert_*, resolved; no hash, no replay uniqueness | REUSE_CANDIDATE_PRECEDENT (audit sink only; authenticity = none) | writer authority; retention; post-rollback write path | n/a for authenticity | not an authority carrier |
| governance_audit_log (6 cols) | relation_id, checked_at, checked_by, result, detail(json); no hash, no replay uniqueness | REUSE_CANDIDATE_PRECEDENT (audit sink only; authenticity = none) | writer authority; retention | n/a for authenticity | narrow schema |
7.4 Lifecycle transition authority (corrected caveat)
lifecycle_status ∈ {active, superseded, revoked, expired} and owner_kind ∈ {accountable, supporting, delegated, exception} are source-backed CHECK enums (PATCH1, confirmed live: governance_object_ownership.lifecycle_status default 'active'). revocation_ref stays removed; revoked is the authoritative revocation value. But the presence of a lifecycle column does not prove who may transition it, nor that transition history is tamper-resistant. Live: no triggers on governance_object_ownership, and the transition writer is not enumerable from the read-only role. Therefore:
- A resolver may consume active/superseded/revoked/expired and the active-head constraint (uq_gov_obj_accountable) only after the governing transition writer and active-head uniqueness are independently proven.
- Until then: LIFECYCLE_TRANSITION_AUTHORITY_UNPROVEN → reject (do not consume a lifecycle fact whose transition authority is unproven). No new revocation store is invented.
8. SNAPSHOT/MANIFEST ADVERSARIAL COMPLETENESS
Criteria only — no validator patch. These complete the cases Codex §10 said were absent from P–X. Live confirms the gap is structural: wf_fs_dot_bin_snapshot has a single observed_at, nullable hash, and no manifest/observer/run/attempt/before-after/sequence/operation/scope columns; context_pack_manifest has logical_checksum_sha256/file_checksum_sha256 (manifest-identity precedent) but no per-surface membership, observer independence, or operation/scope binding. So SNAPSHOT_MANIFEST_SOURCE_UNPROVEN is retained and the cases below are the reject contract a future provider must satisfy.
| Case ID | Category | Bad input | Expected reject | Why (maps to) |
|---|---|---|---|---|
| SC-01 | Manifest authorization | manifest issued/written by a non-governed identity | MANIFEST_UNAUTHORIZED_ISSUER | MF-04; caller cannot define/reduce the protected set |
| SC-02 | Attempt binding | snapshot row from a different attempt than the registration | SNAPSHOT_ATTEMPT_MISMATCH | MF-09; both captures bound to same run_id+attempt_id |
| SC-03 | Time (future) | captured_at_* > now + skew | SNAPSHOT_FUTURE_TIMESTAMP | MF-13 |
| SC-04 | Time (clock-skew) | observer clock vs registration clock beyond bound | SNAPSHOT_CLOCK_SKEW | MF-10 |
| SC-05 | Duplicate ref | same snapshot ref reused for the same (attempt, phase) | SNAPSHOT_DUPLICATE_REF | MF-12 |
| SC-06 | Operation unbound | snapshot not bound to the registration operation | SNAPSHOT_OPERATION_UNBOUND | MF-17 |
| SC-07 | Scope unbound | snapshot not bound to scope | SNAPSHOT_SCOPE_UNBOUND | MF-17 |
| SC-08 | Observer independence | observer credential/process not distinct from caller/registrar/DOT (a different string id is not enough) | SNAPSHOT_OBSERVER_NOT_INDEPENDENT | MF-18 |
| SC-09 | Aggregate vs per-surface | aggregate manifest membership ≠ per-surface set | MANIFEST_AGGREGATE_MEMBERSHIP_MISMATCH | MF-15/MF-16 |
| SC-10 | Write-set provenance | append-only surfaces lack write-set-empty provenance (raw count used instead) | SNAPSHOT_WRITESET_PROVENANCE_ABSENT | MF-06; append-only tables use write-set, not count |
| SC-11 | Manifest substitution | after-manifest is a different manifest than before | MANIFEST_SUBSTITUTION | MF-05 |
| SC-12 | Manifest shrink | after-manifest drops a surface present before | MANIFEST_SHRINK | MF-05 |
| SC-13 | Unknown surface | a surface not in the authorized manifest appears | MANIFEST_UNKNOWN_SURFACE | MF-16 |
| SC-14 | Duplicate surface | a surface listed twice in the manifest | MANIFEST_DUPLICATE_SURFACE | MF-06 |
| SC-15 | Mixed canonicalization | per-surface hashes computed under different canonicalization versions | MANIFEST_MIXED_CANONICALIZATION | MF-06/MF-15 |
| SC-16 | Both before execution | both before- and after-captures precede operation_start | SNAPSHOT_BOTH_BEFORE_OP | MF-07/MF-08 |
| SC-17 | After before before | captured_at_after < captured_at_before | SNAPSHOT_REVERSED_INTERVAL | MF-14 |
| SC-18 | Stale | capture older than the freshness window | SNAPSHOT_STALE | MF-13 / freshness |
| SC-19 | False continuity | same_observer_continuity = true asserted but before/after observers differ | SNAPSHOT_CONTINUITY_FALSE | MF-18 / continuity |
All nineteen are criteria for a future trusted provider. Until a provider proves the MF-01…18 envelope and an independent observer credential, snapshot evidence remains SNAPSHOT_MANIFEST_SOURCE_UNPROVEN and the resolver/validator must reject any snapshot offered as trusted.
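As an added illustration (not the report's validator and not any provider's code), the SC cases a pure validator can check structurally, run over a constructed before/after capture pair and a constructed manifest; the field names, the skew bound and the freshness window are assumptions, and a clean result is a structural floor only, never trust.

```python
from datetime import datetime, timedelta

SKEW = timedelta(seconds=30)        # assumed clock-skew bound (policy value, not from the report)
FRESHNESS = timedelta(minutes=10)   # assumed freshness window (policy value, not from the report)

def _ts(s):
    return datetime.fromisoformat(s)

def check_manifest(m, reg, rejects):
    names = [s["surface"] for s in m["surfaces"]]
    if m["issuer"] not in reg["governed_issuers"]:
        rejects.add("MANIFEST_UNAUTHORIZED_ISSUER")             # SC-01
    if len(names) != len(set(names)):
        rejects.add("MANIFEST_DUPLICATE_SURFACE")               # SC-14
    if not set(names) <= reg["authorized_surfaces"]:
        rejects.add("MANIFEST_UNKNOWN_SURFACE")                 # SC-13
    if len({s["canon_version"] for s in m["surfaces"]}) > 1:
        rejects.add("MANIFEST_MIXED_CANONICALIZATION")          # SC-15
    if set(m["aggregate_members"]) != set(names):
        rejects.add("MANIFEST_AGGREGATE_MEMBERSHIP_MISMATCH")   # SC-09
    return set(names)                                           # surfaces listed by this manifest

def check_snapshot_pair(reg, before, after, manifests, prior_refs, now):
    """Sorted reject codes for one before/after pair; [] is structurally clean, which is NOT trust:
    provider/observer proof (layer F) is still required before the pair counts as evidence."""
    rejects = set()
    op_start = _ts(reg["operation_start"])
    for phase, cap in (("before", before), ("after", after)):
        t = _ts(cap["captured_at"])
        if cap["attempt_id"] != reg["attempt_id"]:
            rejects.add("SNAPSHOT_ATTEMPT_MISMATCH")            # SC-02
        if t > now + SKEW:
            rejects.add("SNAPSHOT_FUTURE_TIMESTAMP")            # SC-03
        if (reg["attempt_id"], phase, cap["ref"]) in prior_refs:
            rejects.add("SNAPSHOT_DUPLICATE_REF")               # SC-05
        if cap.get("operation") != reg["operation"]:
            rejects.add("SNAPSHOT_OPERATION_UNBOUND")           # SC-06
        if cap.get("scope") != reg["scope"]:
            rejects.add("SNAPSHOT_SCOPE_UNBOUND")               # SC-07
        if cap["observer_id"] in reg["non_independent_ids"]:
            rejects.add("SNAPSHOT_OBSERVER_NOT_INDEPENDENT")    # SC-08 (an id check is only a floor)
        if now - t > FRESHNESS:
            rejects.add("SNAPSHOT_STALE")                       # SC-18
    tb, ta = _ts(before["captured_at"]), _ts(after["captured_at"])
    if ta < tb:
        rejects.add("SNAPSHOT_REVERSED_INTERVAL")               # SC-17
    if tb < op_start and ta < op_start:
        rejects.add("SNAPSHOT_BOTH_BEFORE_OP")                  # SC-16
    if after["same_observer_continuity"] and before["observer_id"] != after["observer_id"]:
        rejects.add("SNAPSHOT_CONTINUITY_FALSE")                # SC-19
    mb, ma = manifests[before["manifest_ref"]], manifests[after["manifest_ref"]]
    nb, na = check_manifest(mb, reg, rejects), check_manifest(ma, reg, rejects)
    if mb["manifest_id"] != ma["manifest_id"]:
        rejects.add("MANIFEST_SUBSTITUTION")                    # SC-11
    if nb - na:
        rejects.add("MANIFEST_SHRINK")                          # SC-12
    return sorted(rejects)

# Constructed sample inputs: every value below is made up for the demo.
NOW = datetime(2026, 6, 21, 12, 0, 0)
REG = {"attempt_id": "att-1", "operation": "register_dot", "scope": "dot:demo",
       "operation_start": "2026-06-21T11:58:00", "governed_issuers": {"manifest-issuer"},
       "authorized_surfaces": {"dot_tools", "event_outbox"}, "non_independent_ids": {"caller", "registrar", "dot"}}
MANIFESTS = {"m1": {"manifest_id": "m1", "issuer": "manifest-issuer", "aggregate_members": ["dot_tools", "event_outbox"],
                    "surfaces": [{"surface": "dot_tools", "canon_version": "c1", "hash": "h1"},
                                 {"surface": "event_outbox", "canon_version": "c1", "hash": "h2"}]}}

def capture(ref, at, **overrides):
    return {"ref": ref, "attempt_id": "att-1", "captured_at": at, "operation": "register_dot",
            "scope": "dot:demo", "observer_id": "observer-x", "manifest_ref": "m1",
            "same_observer_continuity": True, **overrides}

def demo_clean():
    return check_snapshot_pair(REG, capture("s1", "2026-06-21T11:57:30"),
                               capture("s2", "2026-06-21T11:59:00"), MANIFESTS, set(), NOW)

def demo_tampered():
    before = capture("s1", "2026-06-21T11:59:30", observer_id="caller")  # non-independent + reused ref
    after = capture("s1", "2026-06-21T11:57:00", attempt_id="att-2")     # other attempt, reversed order
    return check_snapshot_pair(REG, before, after, MANIFESTS, {("att-1", "before", "s1")}, NOW)
```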
9. INTEGRATION NAMESPACE AND AUTH-LABEL CORRECTION
9.1 request_proposed.* vs trusted_attested.* (hard split)
The integration envelope must carry two separate namespaces:
- request_proposed.* — values an untrusted caller may propose: request_proposed.run_id, request_proposed.target, request_proposed.operation, request_proposed.artifact_hash, request_proposed.actor, request_proposed.nonce. These are never trusted and are never synthesized into an attestation.
- trusted_attested.* — values a proven producer attests, each backed by a reread authority/observer/artifact row: trusted_attested.canonical_target, trusted_attested.scope, trusted_attested.operation, trusted_attested.artifact_hash, trusted_attested.owner_or_approval_binding, trusted_attested.actor_principal, trusted_attested.issued_at, trusted_attested.expires_at, trusted_attested.source_refs, trusted_attested.decision_ref.
Consumer rule (mandatory): for every field with a trusted counterpart, the consumer rereads the trusted row and compares it to the proposed value. request_proposed.X is accepted only when a matching trusted_attested.X from a proven producer agrees. Any of: missing trusted producer, unknown carrier, stale row, mismatch, ambiguous authority, request_proposed.* accepted as trusted_attested.* ⇒ reject.
9.2 Producer/consumer matrix (request-proposed vs trusted-attested split)
Auth labels corrected per Codex §12: HASH_BOUND_AUTHORITY_ROW (HBA) and HASH_BOUND_OBSERVER_ROW (HBO) are targets and are not asserted where the carrier/writer is unproven; those rows read SOURCE_UNPROVEN / FAIL_CLOSED.
| Field | request_proposed? | Trusted producer (attests) | Consumer (rereads) | Source of truth | Auth label (corrected) | Reject on mismatch / source gap |
|---|---|---|---|---|---|---|
| canonical_operation | yes (proposal) | Owner Resolver (A) via APR | E, registrar | governed apr_action_types.action_code (register_dot, absent today) | SOURCE_UNPROVEN / FAIL_CLOSED (no governed op) | op ≠ register_dot / unattested ⇒ reject |
| canonical_target | yes | Owner Resolver (A) + Artifact Resolver (F) | B, E, registrar | governance_object_ownership.object_type+object_ref | HBA target (carrier present; 0 rows ⇒ fail-closed) | target disagreement across A/B/F ⇒ reject |
| scope | no | Owner Resolver (A) | B, E, registrar | governance_object_ownership.scope | HBA target (fail-closed: 0 rows) | scope uncovered/mismatch ⇒ reject |
| deployed_artifact_hash | yes | Artifact Resolver (F) | A, B, E, registrar | governed carrier — UNPROVEN (dot_tools no hash col; wf_*_snapshot.hash nullable, unbound) | SOURCE_UNPROVEN / FAIL_CLOSED (not HBA until F proves carrier+writer) | any hash disagreement / drift / caller-supplied hash ⇒ reject |
| owner_or_approval_binding | no | Owner Resolver (A) | E, registrar | ownership_row_ref + approval_ref + quorum | HBA target (fail-closed until op+artifact bound) | binding absent/ambiguous ⇒ reject |
| actor / principal | yes (proposal) | Owner Resolver (A) | E, registrar | APR/owner row + event_outbox.actor_ref | HBA target (fail-closed) | actor/principal mismatch ⇒ reject |
| run_id | yes (proposal) | registration request, validated | B (canonical-eq), E (N12), registrar | request, validated vs schema | none (validated, not trusted) | substring / inequality ⇒ reject |
| attempt_id / correlation_id | no | registrar entry | B, E, Phase-4 audit | new per attempt; event_outbox.correlation_id (nullable, no unique) | none | attempt/correlation mismatch ⇒ reject |
| nonce / idempotency_key | yes (proposal) | request producer | E (shape/binding/freshness), registrar Phase 1 (consume) | single-use surface — UNPROVEN/NOT_FIT (§6) | none (bound; consume by registrar) | replay / reuse / attempt_no-bypass ⇒ reject |
| replay_key | no | registrar (derived) | registrar Phase 1 | H(...) over the 7-tuple | none (single-use axis) | duplicate ⇒ REPLAY_NONCE_CONSUMED |
| snapshot before/after refs | no | Trusted Snapshot Provider (B) | E, post-commit verifier (Phase 2) | observer-controlled rows — UNPROVEN | SOURCE_UNPROVEN / FAIL_CLOSED (not HBO until observer writer+independence proven) | observer non-independent / chronology / substitution ⇒ reject (§8) |
| issued_at / expires_at | no | A, B | E | producer clock + TTL | none (not trusted merely because they parse) | future issued_at / reversed validity / beyond clock-skew ⇒ reject |
| trust_domain / audience / envelope_type / envelope_version | no | each block | E, registrar | block contract | none (declared) | trust-domain / audience / type / version mismatch ⇒ reject |
| source_refs | no | A, B, F | E, post-commit verifier | the governed rows above | HBC (references only) | provenance missing / source_ref points to wrong envelope type ⇒ reject |
| decision_ref | no | validator (E); later registrar txn ref | Phase-2 verifier, Phase-4 audit | validator verdict / txn | none | decision_ref missing or mismatched ⇒ reject |
| evidence_hash (envelope) | no | A, B, F | E | canonical payload | HBC (integrity within one attempt only; never signer identity) | tamper within attempt ⇒ reject |
| key_id / key_status_ref | no | — (no key infra) | — | n/a | reserved (Model 1) | present-but-unsupported ⇒ reject |
Hard rule (kept from PATCH1, sharpened): the envelope evidence_hash provides integrity within a single attempt, not authenticity; authenticity is always delegated to a reread authority/observer/artifact row. A caller-proposed run_id/target/operation/artifact_hash/actor/nonce is a proposal; only the matching trusted_attested.* produced by a proven producer and reread by the consumer makes it trusted. Timestamps are trusted only within the clock-skew/freshness policy, never because they parse.
10. VALIDATOR ADVERSARIAL MATRIX COMPLETION
Criteria only. No validator patch. The validator stays pure (import re only) and is not the replay-state owner. Each case names its enforcement layer: V = pure-validator-checkable (shape/binding/freshness/structure/readback-required), R = registrar-atomic-enforced (consume/single-use), F = future-producer-attested (carrier/observer/manifest). The existing local 64/64 evidence (matrix categories A–J) does not execute these; they are the contract a future RS-VALIDATOR-HARDENING patch must satisfy. PATCH1's P–X stand; the rows below are the PATCH2 additions Codex enumerated.
10.1 Replay (P2-RP)
| Case ID | Layer | Bad input | Expected reject | Why |
|---|---|---|---|---|
| P2-RP-01 | R | same nonce/idempotency_key with a different attempt_no | REPLAY_ATTEMPT_NO_BYPASS | attempt_no must not be a single-use axis (§6.2 Q2) |
| P2-RP-02 | R | exact retry, same replay_key, same attempt | return prior decision (no 2nd effect); a 2nd write-intent ⇒ REJECT_FAIL_OPEN | exact-retry is idempotent (Q3) |
| P2-RP-03 | R | retry after rollback-before-consume with a fresh nonce | accept (legitimate retry) | nothing committed (Q4) |
| P2-RP-04 | R | retry after commit reusing the committed replay_key | REPLAY_NONCE_CONSUMED | single-use burned (Q5) |
| P2-RP-05 | V | expired nonce but unused (now > expires_at) | ENVELOPE_STALE | freshness is separate from consumption (Q6) |
| P2-RP-06 | V | fresh nonce but mismatched target/artifact | NONCE_UNBOUND | nonce must bind operation/target/artifact |
| P2-RP-07 | V/R | stale replay row offered as current consume proof | REPLAY_STALE_ROW | a stale ledger row is not a live consume |
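As an added example (not the registrar's code and not the report's own), the R-layer cases P2-RP-01/02/04 run against two constructed tables: a look-alike of the live iu_route_attempt constraint from the §15 appendix, and a hypothetical ledger keyed on replay_key alone; sqlite stands in for Postgres, and the seven tuple members of replay_key are an assumption (§6 pins them; only the absence of attempt_no matters here).

```python
import hashlib
import sqlite3

def replay_key(run_id, target, scope, operation, artifact_hash, actor, nonce):
    """Canonical replay_key = H(7-tuple). Which seven fields form the tuple is an assumption here;
    the property demonstrated is that attempt_no is NOT a member, so it cannot re-key a consumed nonce."""
    parts = (run_id, target, scope, operation, artifact_hash, actor, nonce)
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()

def open_db():
    db = sqlite3.connect(":memory:")
    # Constructed look-alike of the live iu_route_attempt constraint (§15 appendix):
    # UNIQUE(idempotency_key, attempt_no) - the retry counter is part of the key.
    db.execute("""CREATE TABLE iu_route_attempt_like (
        id INTEGER PRIMARY KEY, idempotency_key TEXT NOT NULL,
        attempt_no INTEGER NOT NULL DEFAULT 1 CHECK (attempt_no >= 1),
        UNIQUE (idempotency_key, attempt_no))""")
    # Hypothetical single-use ledger: replay_key alone is the key; the request digest lets an
    # exact retry be told apart from a new write-intent that reuses an already consumed key.
    db.execute("""CREATE TABLE replay_ledger (
        replay_key TEXT PRIMARY KEY, request_digest TEXT NOT NULL, decision TEXT NOT NULL)""")
    return db

def attempt_like_insert(db, idempotency_key, attempt_no):
    """What the live-style constraint actually enforces: uniqueness of the pair, not of the nonce."""
    try:
        with db:
            db.execute("INSERT INTO iu_route_attempt_like (idempotency_key, attempt_no) VALUES (?, ?)",
                       (idempotency_key, attempt_no))
        return "INSERTED"
    except sqlite3.IntegrityError:
        return "REJECTED"

def consume(db, rkey, request_digest, decision):
    """Registrar Phase-1 atomic consume: the single INSERT is the only write.
    CONSUMED = first use; PRIOR_DECISION = exact retry, no second effect (P2-RP-02);
    REPLAY_NONCE_CONSUMED = a different request reusing a burned key (P2-RP-04)."""
    try:
        with db:
            db.execute("INSERT INTO replay_ledger VALUES (?, ?, ?)", (rkey, request_digest, decision))
        return ("CONSUMED", decision)
    except sqlite3.IntegrityError:
        prior_digest, prior_decision = db.execute(
            "SELECT request_digest, decision FROM replay_ledger WHERE replay_key = ?", (rkey,)).fetchone()
        if prior_digest == request_digest:
            return ("PRIOR_DECISION", prior_decision)
        return ("REPLAY_NONCE_CONSUMED", prior_decision)

def demo():
    """Constructed run: the same nonce under a new attempt_no passes the live-style constraint
    (the P2-RP-01 bypass) but cannot pass the replay_key ledger."""
    db = open_db()
    bypass = [attempt_like_insert(db, "nonce-1", 1),   # first use
              attempt_like_insert(db, "nonce-1", 1),   # exact duplicate pair: blocked by the UNIQUE
              attempt_like_insert(db, "nonce-1", 2)]   # same nonce, attempt_no 2: NOT blocked
    rk = replay_key("run-1", "bin/dot/demo", "dot:demo", "register_dot", "sha256:0000", "alice", "nonce-1")
    ledger = [consume(db, rk, "digest-1", "PASS"),     # first use: consumed
              consume(db, rk, "digest-1", "PASS"),     # exact retry: prior decision, no new write
              consume(db, rk, "digest-2", "PASS")]     # new write-intent on a burned key: rejected
    return bypass, ledger
```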
10.2 Authority provenance (P2-AU)
| Case ID | Layer | Bad input | Expected reject | Why |
|---|---|---|---|---|
| P2-AU-01 | V/F | QT001 candidate row present but writer authority unproven | AUTHORITY_WRITER_UNPROVEN | candidate ≠ proven (no enumerable writer) |
| P2-AU-02 | V/F | guard view says OK but base row is mutable (no immutability) | AUTHORITY_ROW_MUTABLE | a view is not enforcement |
| P2-AU-03 | V | consumer accepts a caller-carried row hash without reread | AUTHORITY_READBACK_MISSING | consumer must reread the authority store |
| P2-AU-04 | V | lifecycle state changed after envelope issuance | LIFECYCLE_CHANGED_POST_ISSUANCE | resolve against current active head, not a snapshot of it |
| P2-AU-05 | V/F | transition authority unknown for the lifecycle change | LIFECYCLE_TRANSITION_AUTHORITY_UNPROVEN | §7.4 |
| P2-AU-06 | V | row readback mismatch (reread row ≠ envelope copy) | AUTHORITY_READBACK_MISMATCH | caller copy must equal authority row |
10.3 Snapshot (P2-SN) — validator-visible structural checks of §8
| Case ID | Layer | Bad input | Expected reject | Why |
|---|---|---|---|---|
| P2-SN-01 | F | unauthorized manifest issuer/writer | MANIFEST_UNAUTHORIZED_ISSUER | SC-01 / MF-04 |
| P2-SN-02 | V/F | snapshot from a different attempt | SNAPSHOT_ATTEMPT_MISMATCH | SC-02 / MF-09 |
| P2-SN-03 | V | future timestamp | SNAPSHOT_FUTURE_TIMESTAMP | SC-03 / MF-13 |
| P2-SN-04 | V | clock-skew violation | SNAPSHOT_CLOCK_SKEW | SC-04 / MF-10 |
| P2-SN-05 | V | duplicate snapshot ref for (attempt, phase) | SNAPSHOT_DUPLICATE_REF | SC-05 / MF-12 |
| P2-SN-06 | V | operation/scope not bound to the snapshot | SNAPSHOT_OPERATION_UNBOUND / SNAPSHOT_SCOPE_UNBOUND | SC-06/07 / MF-17 |
| P2-SN-07 | F | observer credential/process not independent | SNAPSHOT_OBSERVER_NOT_INDEPENDENT | SC-08 / MF-18 |
| P2-SN-08 | V/F | aggregate-manifest vs per-surface membership mismatch | MANIFEST_AGGREGATE_MEMBERSHIP_MISMATCH | SC-09 / MF-15/16 |
| P2-SN-09 | F | absent write-set provenance (append-only surfaces) | SNAPSHOT_WRITESET_PROVENANCE_ABSENT | SC-10 / MF-06 |
10.4 Integration (P2-IN)
| Case ID | Layer | Bad input | Expected reject | Why |
|---|---|---|---|---|
| P2-IN-01 | V | a request_proposed.* value accepted as trusted_attested.* | REQUEST_PROPOSED_AS_TRUSTED | §9.1 hard split |
| P2-IN-02 | V/F | missing trusted producer for a trusted field | TRUSTED_PRODUCER_ABSENT | every trusted field needs a producer |
| P2-IN-03 | V/F | unknown carrier referenced | UNKNOWN_CARRIER | carrier must be governed/known |
| P2-IN-04 | V | stale row (producer row older than freshness) | STALE_TRUSTED_ROW | reread must be fresh |
| P2-IN-05 | V | ambiguous authority (≥2 active heads) | AMBIGUOUS_AUTHORITY | active head must be unique |
| P2-IN-06 | V | source_ref points to the wrong envelope type | SOURCE_REF_WRONG_ENVELOPE_TYPE | provenance type must match |
| P2-IN-07 | V | decision_ref missing or mismatched | DECISION_REF_MISSING / DECISION_REF_MISMATCH | decision must be traceable |
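As an added example serving both the §9.1 consumer rule and the P2-IN rows above (not the project's validator or consumer code), a consumer that rereads the trusted row for every field with a trusted counterpart and maps each failure to the reject code named in this report; the producer-to-field table, the carrier names, the dict standing in for the database and the freshness window are assumptions, and PROPOSED_VALUE_MISMATCH is a constructed code name for the §9.1 "mismatch ⇒ reject" case.

```python
from datetime import datetime, timedelta

FRESHNESS = timedelta(minutes=5)   # assumed freshness window (policy value, not from the report)

# Constructed: which producer block may attest each trusted field (mirrors the §9.2 "Trusted
# producer" column) and which carriers count as governed. All names are demo assumptions.
TRUSTED_PRODUCERS = {"canonical_target": {"A", "F"}, "scope": {"A"}, "operation": {"A"},
                     "artifact_hash": {"F"}, "actor_principal": {"A"}}
KNOWN_CARRIERS = {"governance_object_ownership", "apr_action_types"}

def reread(store, carrier, row_key):
    """Reread the active authority row(s) from the trusted store (a dict standing in for the DB)."""
    return [r for r in store.get(carrier, []) if r["key"] == row_key and r["lifecycle_status"] == "active"]

def consume_field(field, envelope, store, now):
    """Apply the §9.1 consumer rule to one field; returns ACCEPT or a reject code."""
    proposed = envelope["request_proposed"].get(field)
    att = envelope["trusted_attested"].get(field)
    if att is None or att.get("producer") not in TRUSTED_PRODUCERS.get(field, set()):
        return "TRUSTED_PRODUCER_ABSENT"            # P2-IN-02: a proposal alone is never trusted
    if att.get("copied_from_request"):
        return "REQUEST_PROPOSED_AS_TRUSTED"        # P2-IN-01: proposal relabelled as attestation
    if att["carrier"] not in KNOWN_CARRIERS:
        return "UNKNOWN_CARRIER"                    # P2-IN-03
    rows = reread(store, att["carrier"], att["row_key"])
    if not rows:
        return "SOURCE_UNPROVEN_FAIL_CLOSED"        # §9.2: 0 rows ⇒ fail-closed
    if len(rows) > 1:
        return "AMBIGUOUS_AUTHORITY"                # P2-IN-05: ≥2 active heads
    row = rows[0]
    if now - datetime.fromisoformat(row["updated_at"]) > FRESHNESS:
        return "STALE_TRUSTED_ROW"                  # P2-IN-04
    if row["value"] != att["value"]:
        return "AUTHORITY_READBACK_MISMATCH"        # P2-AU-06: envelope copy ≠ reread row
    if proposed is not None and proposed != row["value"]:
        return "PROPOSED_VALUE_MISMATCH"            # §9.1 "mismatch ⇒ reject" (constructed code name)
    return "ACCEPT"

def consume_envelope(envelope, store, now):
    """Every proposed or attested field gets a verdict; nothing proposed is accepted on its own."""
    fields = set(envelope["request_proposed"]) | set(envelope["trusted_attested"])
    return {f: consume_field(f, envelope, store, now) for f in sorted(fields)}

# Constructed trusted store and envelope (all values made up for the demo). Note the store has no
# apr_action_types row for register_dot, matching the report's "absent today" observation.
NOW = datetime(2026, 6, 21, 12, 0, 0)
STORE = {"governance_object_ownership": [
    {"key": "dot:demo", "value": "bin/dot/demo", "lifecycle_status": "active", "updated_at": "2026-06-21T11:58:00"},
    {"key": "scope:demo", "value": "dot:demo", "lifecycle_status": "active", "updated_at": "2026-06-21T11:00:00"},
    {"key": "actor:demo", "value": "alice", "lifecycle_status": "active", "updated_at": "2026-06-21T11:59:00"},
    {"key": "actor:demo", "value": "bob", "lifecycle_status": "active", "updated_at": "2026-06-21T11:59:00"},
]}
ENVELOPE = {
    "request_proposed": {"canonical_target": "bin/dot/demo", "artifact_hash": "sha256:aaaa",
                         "operation": "register_dot", "actor_principal": "alice"},
    "trusted_attested": {
        "canonical_target": {"producer": "A", "carrier": "governance_object_ownership", "row_key": "dot:demo", "value": "bin/dot/demo"},
        "scope": {"producer": "A", "carrier": "governance_object_ownership", "row_key": "scope:demo", "value": "dot:demo"},
        "operation": {"producer": "A", "carrier": "apr_action_types", "row_key": "register_dot", "value": "register_dot"},
        "actor_principal": {"producer": "A", "carrier": "governance_object_ownership", "row_key": "actor:demo", "value": "alice"},
    },
}

def demo():
    return consume_envelope(ENVELOPE, STORE, NOW)
```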
Anti-fail-open meta-rule (kept): if any case above yields a write-intent string or a PASS digest, classify FAIL_OPEN; the macro discovering it must REJECT_FAIL_OPEN.
11. REVISED RS3B GATE
Decision: RS3B_ALLOWED_AFTER_CODEX_ACCEPTS_PATCH2.
PATCH2 closes the trust-envelope defects as criteria/fail-closed with no fail-open and no scope drift. Per Codex §14, after Codex accepts PATCH2 the next eligible macro is the already-sized RS3B-REGISTRAR-HARDENING-DESIGN. Until that acceptance, RS3B is STILL_BLOCKED_BY_TRUST_ENVELOPE (do not start RS3B on an unreviewed PATCH2).
RS3B scope (unchanged from PATCH1 §14; carried, must retain all of):
- Registrar implementation-source recovery — read bin/dot/dot-dot-register.ts; if the read_file allowlist does not expose bin/dot/*.ts (today it exposes only /opt/incomex/docs, /opt/incomex/dot/specs, /var/log/nginx), degrade to HOLD_REGISTRAR_SOURCE_NOT_READ.
- dot-dot-register ↔ dot-catalog-sync dual-writer boundary — resolve the dot_tools dual-writer hazard; one single-artifact registrar; catalog-sync must not race/clobber a registration.
- Single-artifact criteria — register exactly the one admitted artifact; reject mass-registration of all untracked bin/dot-*.
- Deployed-artifact resolver (interface F) — bind admission → canonical path + content hash + hash_algorithm/canonicalization_version + origin + immutable admission ref + drift; consumes the §7.3 artifact_hash carrier classification (today SOURCE_UNPROVEN_FAIL_CLOSED).
- Closed-at-registration — registration opens no gate; dot_config created/verified closed; activation is a separate Owner-gated Phase 3.
- Replay_key / nonce domain & atomic consume — implement the §6 single-use surface (NOT iu_route_attempt as-is); prove writer authority + domain fit + atomic consume + exact-retry; close REPLAY_DOMAIN_FAIL_CLOSED_UNTIL_SURFACE_FIT_PROVEN.
- Carrier classification consumption — consume §7.3: prove writer/immutability/readback for any carrier promoted from candidate to proven; no shadow registry.
- Snapshot manifest criteria — consume §8 / MF-01…18 + independent observer; select/justify a trusted provider or keep fail-closed.
- Durable failure-audit sink selection — evaluate event_outbox / registry_changelog / governance_audit_log on schema fit, writer authority, retention, replay/idempotency, post-rollback authorized writer; no new ledger until evaluated.
- Pair cardinality — contract-derived persisted representation; prove one primary runtime identity; not fixed five rows.
- Trigger side-effect accounting — account for dot_tools triggers so registration writes fire no unintended side-effects.
- No implementation — design + acceptance criteria only.
Sequenced after RS3B (unchanged): RS-VALIDATOR-HARDENING (the actual validator.py patch for N07/N12/N16/N22 + categories P–X + the §10 PATCH2 cases) and RS2B-RISK-RESIDUE-AND-Đ35-HEALTH-CLOSURE. The deciding upstream blocker remains Owner-of-record (0 owner rows + assign_governance_owner unimplemented + no register_dot action type) — Owner-gated, not designable away.
12. MUST-NOT-DO CONFIRMATION
All 30 prohibitions held. This macro did not: (1) perform any runtime mutation; (2) DDL; (3) DML; (4) manual SQL; (5) psql; (6) docker exec psql; (7) Directus generic create/update/delete; (8) register/wire/run a DOT; (9) create a schema; (10) open Macro-9A; (11) open Macro-9C; (12) build the B2 producer; (13) write/author/design DOT_GOVERNANCE_DOT_ADMISSION; (14) create a new registry/table/collection; (15) patch the validator; (16) patch Đ32/Đ35; (17) flip a gate; (18) create an APR; (19) approve an APR; (20) claim Owner authority; (21) use /laws/ to override laws-new/newlaws; (22) turn PATCH2 into RS3B implementation; (23) survey the whole system; (24) clear RISK-BYPASS; (25) call the 142 S142B sanctioned or demonstrably unsanctioned; (26) merge 142 with 18; (27) treat hash as signature; (28) treat caller-provided operation/artifact as authority binding; (29) treat the pure validator as the nonce replay-state owner; (30) treat a snapshot candidate as a trusted provider or QT001 as proven authenticity without writer/readback/immutability proof.
All query_pg calls executed as the read-only context_pack_readonly role inside read-only transactions (AST-validated, statement_timeout 5s, hard LIMIT 500). 0 substrate mutations. The only write is this KB report.
13. STOP STATE
READY_FOR_CODEX_REVIEW.
RS3_PATCH2_READY_FOR_CODEX_REVIEW · REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · READY_FOR_RS3B = NO_UNTIL_CODEX_ACCEPTS_PATCH2.
- Per-leg: replay = REPLAY_DOMAIN_FAIL_CLOSED_UNTIL_SURFACE_FIT_PROVEN + REPLAY_SURFACE_NOT_FIT (criteria + canonical replay_key pinned) · authority = QT001 REUSE_CANDIDATE_PRECEDENT; carriers classified; unproven ⇒ SOURCE_UNPROVEN_FAIL_CLOSED · lifecycle = LIFECYCLE_TRANSITION_AUTHORITY_UNPROVEN (vocabulary source-backed) · snapshot = SNAPSHOT_MANIFEST_SOURCE_UNPROVEN (adversarial cases complete) · integration = namespaces split, auth labels corrected · validator matrix = additions defined as criteria (pure validator).
- Carried SOURCE_NOT_READ: registrar implementation bin/dot/dot-dot-register.ts; S142B primary authorization source; NO_CODEX_LIVE_READ.
Single next macro: Codex reviews RS3-PATCH2 → on ACCEPT → RS3B-REGISTRAR-HARDENING-DESIGN (read-only / KB-design; consumes §6 replay surface criteria, §7 carrier classification, §8 snapshot criteria, §9 integration split). The deciding upstream blocker stays Owner-of-record.
14. SELF-CHECK
| # | Check | Result |
|---|---|---|
| 1 | Read Codex RS3-PATCH1 review (the gate)? | PASS (FULL) |
| 2 | Read RS3-PATCH1 target? | PASS (FULL verbatim extraction; not overwritten) |
| 3 | Fixed replay_key single-use? | PASS — canonical replay_key pinned; single-use axis = replay_key (attempt_no non-keying) |
| 4 | Handled attempt_no bypass? | PASS — live-proven bypass on iu_route_attempt; REPLAY_ATTEMPT_NO_BYPASS reject; surface NOT_FIT |
| 5 | Downgraded QT001 correctly? | PASS — REUSE_CANDIDATE_PRECEDENT with live why (no triggers, nullable checksum, writers unseen, guards are views) |
| 6 | Classified authority carriers correctly? | PASS — 9 carriers classified; unproven ⇒ SOURCE_UNPROVEN_FAIL_CLOSED |
| 7 | Split request_proposed and trusted_attested? | PASS — §9.1 split + §9.2 matrix |
| 8 | Added snapshot/manifest adversarial cases? | PASS — §8 (SC-01…19) |
| 9 | Added validator matrix missing cases? | PASS — §10 (P2-RP/AU/SN/IN), criteria only |
| 10 | Corrected integration auth labels? | PASS — artifact_hash/snapshot demoted to SOURCE_UNPROVEN / FAIL_CLOSED; timestamps not trusted on parse |
| 11 | Kept REGISTRATION_HOLD? | PASS |
| 12 | Kept no-mega-system / reuse-first / LEGO? | PASS — no new registry/table/graph; carriers reused; blocks joined by envelope |
| 13 | Any mutation? | NONE — 0 substrate mutations; only write is this report |
| 14 | Hash treated as signature anywhere? | NO |
| 15 | Caller input treated as authority? | NO |
| 16 | Pure validator treated as replay owner? | NO — registrar Phase 1 owns consume; validator pure |
| 17 | Snapshot candidate treated as trusted provider? | NO |
| 18 | Fail-open discovered? | NO |
| 19 | Codex live runtime read? | NO — NO_CODEX_LIVE_READ; Claude live reads are packet evidence |
Three declarations
- Root-cause / permanent: single-use and authenticity must derive from an authority-controlled, immutable, reread row and an atomic consume keyed by the full replay_key; an exact-pair unique index that includes the retry counter, a nullable checksum, a guard view, a caller-carried copy, or a parseable timestamp cannot substitute for proven writer + immutability + readback.
- Temporary: retain REGISTRATION_HOLD; fail closed on missing/ambiguous authority, unproven snapshot provenance, or REPLAY_SURFACE_NOT_FIT.
- Reuse / no-duplication: harden the existing registrar, APR/ownership, QT001 candidate pattern, snapshot candidates and idempotency surfaces where writer/immutability/readback can be proven; create no shadow registry or parallel authority system.
15. APPENDIX — Live read evidence (RS3_PATCH2_LIVE, DB directus, 2026-06-21)
- iu_route_attempt: cols id, route_code, route_kind ∈ {inbound, outbound}, event_ref, idempotency_key (text NOT NULL), attempt_no (int NOT NULL default 1, CHECK >= 1), status ∈ {pending, dry_run, sent, skipped, failed, disabled}, error_code, error_detail, payload_snapshot (jsonb), started_at, finished_at. Constraints: PK(id); iu_route_attempt_idem_uniq UNIQUE(idempotency_key, attempt_no); CHECKs (kind, attempt_no ≥ 1, status). Indexes: pkey; idem_uniq; idx_iu_route_attempt_route (route_code, status, started_at DESC). Triggers: none observed. Rows: 68.
- qt001_independent_review_signoff: cols review_id (PK), reviewer_type, reviewer_name, reviewed_plan_checksum (nullable), verdict, scope, valid_until, evidence_path, superseded (bool default false), superseded_by, created_at, notes. CHECKs: reviewer_type {CODEX, T2_HUMAN, OWNER, OTHER} + strict {CODEX, T2_HUMAN}; verdict {SAFE, NOT_SAFE, DATA_VALID_APPLY_BLOCKED, PENDING}. Triggers: none observed. Rows: 2.
- qt001_signoff_plan_binding: cols binding_id (PK), review_id (FK → signoff), plan_id, plan_version, plan_checksum (NOT NULL), scope_collection, tier_intended, verdict_at_binding (CHECK {SAFE, DATA_VALID_APPLY_BLOCKED}), evidence_path, bound_by, valid_until, superseded, bound_at. Rows: 0.
- governance_object_ownership: 20 cols incl owner_kind, owner_gov_code, lifecycle_status (default active), approval_ref, audit_ref, rollback_ref, supersedes_id, effective_from/to, created_by/updated_by; no operation/artifact_hash/revocation_ref. Triggers: none observed. Rows: 0.
- approval_requests: incl action (varchar default 'add'), proposed_action_code (text), proposed_action (jsonb), request_type_code, entity_type, entity_code, target_collection, target_entity_code; no artifact_hash, no signature/MAC/key col.
- apr_approvals: apr_id, approver, approver_type, decision, rationale, created_at.
- event_outbox: incl correlation_id (text nullable, no unique), actor_ref (NOT NULL), safe_payload (jsonb), occurred_at, created_at.
- registry_changelog: 14 cols (action, entity_*, changed_by, alert_*, resolved, …).
- governance_audit_log: 6 cols (relation_id, checked_at, checked_by, result, detail).
- wf_fs_dot_bin_snapshot: incl hash (nullable), observed_at (single), status default OBSERVED, mapped_dot_code; no manifest/observer/run/attempt/before-after/sequence/operation/scope. Triggers: none observed. Rows: 289. (wf_docker_container_snapshot same shape; wf_metric_snapshot = id, captured_at, metrics (jsonb).)
- context_pack_manifest: incl logical_checksum_sha256, file_checksum_sha256, git_commit, trigger_source, publish_status, health_status, _dot_origin, generated_at, published_at, counts. (Manifest-identity precedent; no per-surface membership / observer independence / op-scope binding.)
- Grants visible from context_pack_readonly: only SELECT on each of the above (writer roles not enumerable from this read-only role).
End of Macro-RS3-PATCH2.