Macro RS4A-PATCH1 — Contract Identity, Inert State, Persistence Boundary, and Suite Reconciliation — Executive Rollup — 2026-06-21
Class: read-only / KB-design correction addendum · 0 mutations · design-only.
Opened after: Codex RS4A review NEED_RS4A_PATCH (HOLD, stop state RS4A_NEEDS_PATCH).
Verdict: RS4A_PATCH1_READY_FOR_CODEX_REVIEW (not forced).
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO.
Controlling finding retained: SOURCE_CONFIRMS_UNSAFE_REGISTRAR_BEHAVIOR · REPLACE_FOR_GOVERNED_REGISTRATION + REJECT_CURRENT_REAL_RUN_PATH.
Does NOT overwrite RS4A — addendum only.
1. One-paragraph summary
Codex held RS4A because its replace-not-wrap registrar contract, though correct in direction and fail-closed in posture, was not precise enough to accept: the effect identity was unstable (it hashed run_id and an undefined approval binding), the inert status was a placeholder, the DB uniqueness axis was undecided, the contract drew envelope fields as if they were dot_tools columns, the nonce was misclassified as a caller field, several phase/audit semantics were impossible or ambiguous, two overclaims overstated absence, two tests were malformed, and the suite arithmetic was wrong. RS4A-PATCH1 closes all 13 (C1–C13) as a read-only KB-design addendum, using live query_pg reads that Codex did not have. The pivotal result is that the inert status resolves to a concrete governed value (draft) rather than forcing a HOLD, so the package is genuinely ready for Codex review — while every still-open item (owner-of-record, replay surface, hash carrier, audit sink, status CHECK) remains the same class of Owner/future-surface blocker that RS4A already carried.
2. The 13 closures
| # | Defect | Closure | Status |
|---|---|---|---|
| C1 | effect identity unstable (run_id, approval) | canonical effect_identity; explicit exclusions; authority scope+policy canonicalization; AUTHORITY_BINDING_IDENTITY_UNSTABLE | CLOSED |
| C2 | no canonical inert status | draft (governed Directus choice; ≠active ⇒ no notify) | CLOSED |
| C3 | uniqueness axis undefined | U1 effect + U2 nonce (mandatory, separate) + U3 code-head + U4 artifact (policy) | CLOSED_FAIL_CLOSED |
| C4 | unavailable columns implied | logical envelope ≠ dot_tools columns; carriers REQUIRED_NOT_PRESENT | CLOSED_FAIL_CLOSED |
| C5 | nonce misclassified | AUTHORITY_CREDENTIAL, not request_proposed | CLOSED |
| C6 | Phase 2/3 consume | Phase 2 reserves; Phase 3 sole atomic consume+write | CLOSED |
| C7 | Phase 4 verifier pair | independent postcondition_verifier_ref; carry RS3C-C2 | CLOSED |
| C8 | Phase 5 audit impossible | audit after rollback in a separate txn; failure-audit only | CLOSED |
| C9 | Interface F overclaim | "no proven carrier among reviewed candidates" | CLOSED_FAIL_CLOSED |
| C10 | audit immutability overclaim | "immutability not proven"; lane/type/dedup = requirements | CLOSED_FAIL_CLOSED |
| C11 | malformed T-P5-1 / T-P6-3 | both repaired | CLOSED |
| C12 | suite count 42/92 | 97 (50+47); +8 ⇒ 105 augmented | CLOSED |
| C13 | D13 mislabeled | SRC+SCHEMA environment/contract blocker | CLOSED |
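An added illustration of closures C3 and C8 and of the status CHECK backstop (not the project's registrar code): SQLite stands in for the Postgres database, and the table names, `register` and `audit_rows` are hypothetical. It shows separate U1 and U2 uniqueness rejecting a replay on either axis, and a failure audit surviving only when it is written after the rollback in its own transaction.

```python
import sqlite3

# Hypothetical tables; SQLite stands in for the Postgres database.
SCHEMA = """
CREATE TABLE effect_ledger (effect_identity TEXT NOT NULL UNIQUE);  -- U1
CREATE TABLE nonce_ledger (nonce TEXT NOT NULL UNIQUE);             -- U2
CREATE TABLE tools (
  code   TEXT PRIMARY KEY,
  status TEXT NOT NULL
         CHECK (status IN ('draft','active','deprecated','retired'))
);
CREATE TABLE audit (phase TEXT, outcome TEXT, detail TEXT);
"""

def open_db():
    # isolation_level=None: autocommit, so BEGIN/COMMIT/ROLLBACK are explicit.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript(SCHEMA)
    return db

def register(db, code, effect_identity, nonce, status="draft"):
    """Consume the nonce, record the effect and write the row in one txn."""
    try:
        db.execute("BEGIN IMMEDIATE")
        # Audit written inside the write txn: lost if the txn rolls back.
        db.execute("INSERT INTO audit VALUES ('write','attempt',?)", (code,))
        db.execute("INSERT INTO nonce_ledger VALUES (?)", (nonce,))
        db.execute("INSERT INTO effect_ledger VALUES (?)", (effect_identity,))
        db.execute("INSERT INTO tools VALUES (?, ?)", (code, status))
        db.execute("COMMIT")
        return "REGISTERED"
    except sqlite3.IntegrityError as exc:
        db.execute("ROLLBACK")
        # Failure audit in its own txn, after the rollback, so it survives.
        db.execute("BEGIN")
        db.execute("INSERT INTO audit VALUES ('audit','failure',?)", (str(exc),))
        db.execute("COMMIT")
        return "REJECTED"

def audit_rows(db):
    return db.execute(
        "SELECT phase, outcome, detail FROM audit ORDER BY rowid").fetchall()

if __name__ == "__main__":
    db = open_db()
    print(register(db, "dot.a", "eff-1", "n-1"))   # first registration
    print(register(db, "dot.b", "eff-2", "n-1"))   # nonce reuse (U2)
    print(register(db, "dot.c", "eff-1", "n-2"))   # fresh nonce, same effect (U1)
    print(register(db, "dot.d", "eff-3", "n-3", status="pending"))  # CHECK
    for row in audit_rows(db):
        print(row)
```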
3. Live evidence that upgraded the package (db directus, read-only, 2026-06-21)
- C2 decisive: `directus_fields.dot_tools.status` choices = {draft, active, deprecated, retired} (validation null, not required) → `draft` is governed + accepted; `fn_context_pack_on_dot_register` notifies only on `status='active'` → `draft` is inert at the producer.
- C3/C13: `dot_tools` constraints = only `PRIMARY KEY (id)` + tier/coverage/trigger CHECK + domain FK — no UNIQUE, no status CHECK.
- C4: `dot_tools` 28 columns carry no hash/owner-envelope/approval-envelope; only free-text `owner` + `extra_metadata` jsonb.
- authority: `governance_object_ownership` = 0; `apr_action_types` = 14 with no `register_dot` (register-shaped codes all `unimplemented`).
- C1: `iu_route_attempt` `UNIQUE(idempotency_key, attempt_no)` — retry ledger, re-rejected.
- C9: `context_pack_manifest` — no UNIQUE on either checksum, no immutability trigger.
- C10: `event_outbox` — only a BEFORE INSERT validate trigger (immutability not proven, not disproven).
4. Deliverables (11 files, all rev1)
reports/rs4a-patch1/: index · 01 closure-map · 02 effect-identity+axes · 03 inert-state=draft · 04 carrier-boundary · 05 nonce+phase · 06 interface-F/audit-narrowing · 07 suite-97 · 08 decision-packet · codex-review-packet. reports/: this rollup. RS4A files untouched.
5. Blockers & sequencing
Open (carried, same class as RS4A): G2 owner=0 / G3 no register_dot (NEEDS_OWNER_DECISION, deciding authority); G4 hash carrier / G5 replay surface (U1/U2) / G6 append-only audit sink (NEEDS_FUTURE_SURFACE); G7 activation (fenced by draft; G7-consumer unread); NEW STATUS_DOMAIN_NOT_DB_ENFORCED (add status CHECK backstop). None blocks PATCH1 readiness.
NEXT: Codex reviews PATCH1 only → on ACCEPT_RS4A_PATCH1, single next step = G2 Owner-of-record decision; RS-VALIDATOR-HARDENING, per-block hardening, and registrar-replacement implementation come after, not bundled. A residual defect → scoped RS4A-PATCH2 on that item only.
6. Must-not-do held (confirmed)
No runtime mutation; no DDL/DML; no schema/table/column/constraint; no DOT register/wire/run; no Owner/APR/register_dot created or approved; no gate flip; no registrar/validator/source patch; no implementation/migration/Directus mutation payload; no RS-VALIDATOR/RS2B/registration opened; no RISK-BYPASS cleared; no mega-registry/graph/birth pipeline. Held principles: hash ≠ signature; caller ≠ authority; snapshot/manifest ≠ trusted provider; run_id/attempt_id/nonce/timestamp ≠ effect identity; fresh approval ≠ new effect; no placeholder as persisted value; absent carriers ≠ current columns; audit in a rolled-back txn does not survive; inert insert does not emit notify; suite not executed; default HOLD; KB admission ≠ runtime registration.
Builds on / corrects [[project_laws_new_macro_rs4a_registrar_hardening_design_source_aware_2026_06_21]].