Macro-RS3C — Source Recovery and RS3B Affected Rerun (Executive Rollup) — 2026-06-21
Class: read-only audit + faithful source recovery + design rerun · 0 DB/domain/runtime mutations · 0 operational config changes (no allowlist patch, no service restart)
Verdict: RS3C_READY_FOR_CODEX_REVIEW · controlling source finding SOURCE_CONFIRMS_UNSAFE_REGISTRAR_BEHAVIOR · REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO
Triggered by: Codex ACCEPT_RS3B_HOLD_AND_PROCEED_TO_SOURCE_RECOVERY (corrections C1/C2/C3).
Package: 13 files under knowledge/dev/laws-new/reports/rs3c/ + this rollup.
1. What this macro did
RS3B stopped at RS3B_HOLD_REGISTRAR_SOURCE_NOT_READ — the registrar/catalog-sync source was outside the VPS read_file allowlist. RS3C recovered the source through a different, lower-footprint channel and re-ran every affected deliverable against the real code.
Source recovery (Objective A/B):
- Located faithful copies of both files on the operator workstation and proved them byte-identical to the deployed OPERATIONAL VPS files by sha256 cross-check against the live wf_fs_dot_bin_snapshot (observed 2026-06-21 02:10:14 UTC):
  - registrar dot-dot-register → 31d5cf15… == OPERATIONAL (id 6022).
  - dot-catalog-sync → 7dd84cda… == OPERATIONAL (id 5963, DOT-015).
- Did NOT patch the allowlist or restart any service — Method 3 (read-only local code channel) succeeded, and Method 1 was both unnecessary and unreachable with the available tools. Zero operational mutation.
- Rejected a stale web-test checkout whose registrar matched only the deployed backup dot-dot-register.bak-s164c — fidelity decided by hash, not convenience.
- Admitted a faithful line-level KB mirror of both files (RS3C-02) so the reconstruction is independently auditable.
Behavior reconstruction (line-cited, source wins over RP-03):
- The registrar is a bash mass-scan auto-registrar: ls /opt/incomex/dot/bin/dot-* → loop → curl POST /items/dot_tools per file, status:"active" hardcoded, no transaction, fail-open success logging (curl exit checked, not HTTP status), defective dedup (absolute-vs-normalized path; no DB UNIQUE), no Owner/APR/gate check, no artifact hash.
- Catalog-sync is read/scan + report: its only write is meta_catalog.record_count; it never writes dot_tools.
2. Codex corrections (all closed)
- C1 — nonce: separate durable authorization_nonce_unique consume + logical_request_key_unique + attempt_id_not_unique_for_effect; iu_route_attempt rejected as the store (live UNIQUE(idempotency_key, attempt_no) = retry ledger, admits repeats). RESOLVED at design. (RS3C-07)
- C2 — cardinality: per-target registration creates one primary dot_tools row; paired_dot is a text field referencing the pre-existing DOT-HEALTH-DOT, not a second row; the registrar control pair ≠ a per-target two-row rule. CONFIRMED BY SOURCE. (RS3C-08)
- C3 — triggers: ground-truth from pg_catalog.pg_trigger = 13 user triggers (12 enabled + 1 disabled trg_count_dot_tools) + 4 internal FK constraint triggers. RS3B's "14" was a +1 over-count; the 13 listed names are complete; no missing trigger. RECONCILED. (RS3C-09)
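The C1 distinction, as an added example that is not code from the RS3C package: a composite UNIQUE(idempotency_key, attempt_no) ledger admits the same key again under the next attempt number, while two independent single-column unique constraints refuse both a replayed nonce and a second authorization for the same logical request. SQLite stands in for the live database, and the registration_authorization table, its column layout and the sample values are hypothetical; only the constraint names and the iu_route_attempt constraints come from this page.

```python
import sqlite3

SCHEMA = """
-- Retry ledger carrying the two live iu_route_attempt constraints reported on this page.
CREATE TABLE iu_route_attempt (
    idempotency_key TEXT NOT NULL,
    attempt_no      INTEGER NOT NULL CHECK (attempt_no >= 1),
    UNIQUE (idempotency_key, attempt_no)
);
-- Hypothetical consume store; only the constraint names come from the page.
CREATE TABLE registration_authorization (
    authorization_nonce TEXT NOT NULL,
    logical_request_key TEXT NOT NULL,
    attempt_id          TEXT NOT NULL,  -- no UNIQUE: a new attempt id must not buy a new effect
    CONSTRAINT authorization_nonce_unique UNIQUE (authorization_nonce),
    CONSTRAINT logical_request_key_unique UNIQUE (logical_request_key)
);
"""

def _insert(db, sql, params):
    """Run one INSERT in its own transaction; False means a constraint refused it."""
    try:
        with db:
            db.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False

def ledger_admits(db, key, attempt_no):
    return _insert(db, "INSERT INTO iu_route_attempt VALUES (?, ?)", (key, attempt_no))

def consume(db, nonce, request_key, attempt_id):
    return _insert(db, "INSERT INTO registration_authorization VALUES (?, ?, ?)",
                   (nonce, request_key, attempt_id))

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return {  # constructed sample values
        "ledger_first": ledger_admits(db, "req-A", 1),
        "ledger_same_key_next_attempt": ledger_admits(db, "req-A", 2),
        "consume_first": consume(db, "nonce-1", "req-A", "att-1"),
        "replayed_nonce_new_attempt": consume(db, "nonce-1", "req-B", "att-2"),
        "same_request_fresh_nonce": consume(db, "nonce-2", "req-A", "att-3"),
    }

if __name__ == "__main__":
    for case, admitted in demo().items():
        print(f"{case}: {'admitted' if admitted else 'rejected'}")
```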
3. Source-aware verdicts on the reruns
| Deliverable | RS3B (no source) | RS3C (source-aware) |
|---|---|---|
| Dual-writer boundary | "potential" / fenced | DISPROVEN on registry — catalog-sync writes only meta_catalog.record_count |
| Single-artifact contract | pending source | CONFLICTS with source — registrar mass-registers; contract = required hardening target |
| Replay/nonce (C1) | nonce-store gap | RESOLVED at design — two independent unique constraints |
| Pair/cardinality (C2) | conflated | one row + field reference, verifier only on explicit demand |
| Trigger inventory (C3) | 14/13 mismatch | 13 user + 4 FK, reconciled |
| Adversarial matrix | 40 cases | 50 cases (10 new, source-grounded) |
4. Blockers
- G1 source-unreadable → RESOLVED (source recovered & hash-verified).
- NF1 (new, controlling code finding): the OPERATIONAL registrar is unsafe for governed registration (9 source-confirmed defects, RS3C-03 §4).
- G2 Owner-of-record (governance_object_ownership = 0) — deciding authority blocker, OPEN.
- G3 no register_dot action type · G4 no artifact-hash carrier (0 hash cols) · G5 no fit replay surface · G6 no immutable audit sink · G7 activation side-effect (status:active + trg_context_pack_dot_register) — all OPEN.
5. Live source-tier reads (2026-06-21, read-only)
dot_tools 309 rows / 291 active / 0 hash cols / 81 NULL file_path / constraints = only PK(id); governance_object_ownership 0; iu_route_attempt UNIQUE(idempotency_key,attempt_no)+CHECK(attempt_no>=1); dot_tools triggers 13 user (12 on / 1 off) + 4 FK; wf_fs_dot_bin_snapshot OPERATIONAL hashes confirmed.
6. Next step
A registrar-hardening DESIGN macro that consumes the now-recovered source + the four envelopes (Owner authority, snapshot evidence, replay surface, durable sink), gated on the G2 Owner-of-record decision. RS-VALIDATOR-HARDENING and RS2B residue closure sequenced after, not bundled. Do not implement, wire/run the DOT, patch the live registrar, or open registration.
7. Held throughout (must-not-do)
No DB mutation, no DDL/DML, no DOT register/wire/run, no schema, no APR create/approve, no gate flip, no validator patch, no edit of dot-dot-register / dot-catalog-sync / source-law, no allowlist patch, no service restart, no new registry/table/collection, no RISK-BYPASS clearance, no 18/142 merge or sanction claim. Hash = integrity, not signature; caller input ≠ authority; pure validator ≠ nonce owner; RP-03 prose not substituted for source; PASS not forced — registration gate stays shut.
Builds on / consumes: RS3B package and Codex RS3B review (C1/C2/C3); prior gates RS3-PATCH2/PATCH1/RS3-BUNDLE. KB admission ≠ runtime registration. Default HOLD.