Macro RS4A-PATCH2 — Effect Identity, Head Uniqueness, Success-Audit, and Suite-ID Reconciliation (Executive Rollup) — 2026-06-21
Macro RS4A-PATCH2 — Effect Identity, Head Uniqueness, Success-Audit, and Suite-ID Reconciliation — Executive Rollup — 2026-06-21
Macro: RS4A-PATCH2 — scoped correction addendum after Codex re-review NEED_RS4A_PATCH2 (HOLD on RS4A-PATCH1).
Class: read-only / KB-design · 0 mutations · design-only.
Verdict: RS4A_PATCH2_READY_FOR_CODEX_REVIEW (not forced).
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO.
Controlling finding retained: SOURCE_CONFIRMS_UNSAFE_REGISTRAR_BEHAVIOR · REPLACE_FOR_GOVERNED_REGISTRATION + REJECT_CURRENT_REAL_RUN_PATH.
Does NOT overwrite RS4A or PATCH1.
1. Why
Codex re-reviewed RS4A-PATCH1 and held: PATCH1 fixed most defects but left four residual inconsistencies inside the corrected contract plus two missing tests. PATCH2 closes exactly those five (R1–R5) and nothing more; the Codex-accepted areas (source fidelity, replace-not-wrap, C2, C4–C7, C9–C10, C13) are not reopened.
2. The five residual fixes (all CLOSED)
| # | Residual defect | Fix |
|---|---|---|
| R1 | authority scope/policy still keyed U1 effect identity | effect_identity = business effect only (operation, canonical_target_dot_code, canonical_artifact_identity, canonical_artifact_hash); authority moved to a separate authorization_binding_digest bound to the attempt record (admission-required, not U1); changed authority ⇒ same effect ⇒ AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE; re-registration = explicit different operation |
| R2 | U3 WHERE status='active' missed the draft registration state |
Option 1: U3 = current head per code across {draft, active}; {deprecated, retired} terminal; registration writes draft only if no draft/active head; surface absent ⇒ fail closed before draft write |
| R3 | Phase-4 success still required durable audit | success verifier = row + status='draft' + metadata-match + no-notify + verifier-ref + readback; no audit; failure-audit failure-only; success-log optional/future |
| R4 | T-PX-4/5/6 collisions; T-P6-3a/b count ambiguous |
one authoritative PX2-001..015 registry; T-PX-* superseded; T-P6-3a/b = two cases; augmented total 111 (deterministic) |
| R5 | missing changed-authority + duplicate-draft-head tests | PX2-011, PX2-012 (+ PX2-005/006/007/015) |
3. Final formulas
effect_identity = H(protocol_version, operation="register_dot",
canonical_target_dot_code, canonical_artifact_identity, canonical_artifact_hash)
authorization_binding_digest = H(protocol_version, effect_identity,
canonical_owner_scope, canonical_authority_policy_ref,
approval_evidence_ref, quorum_evidence_ref,
authorization_nonce_issuer, authorization_window) # admission-required, NOT U1
U3 = UNIQUE(canonical_target_dot_code) WHERE lifecycle_role='current_head' # current_head = {draft, active}
4. Count
50 carried + (47 − 1 superseded T-P6-3) + 15 PX2 = 111. Baseline 97 unchanged (origin); augmented 111; designed, not executed. RS4A-11 42/92 and PATCH1 105 superseded.
5. Live facts (read-only query_pg, db directus, 2026-06-21)
status choices {draft, active, deprecated, retired} (validation null) · dot_tools only PRIMARY KEY (id) + 3 CHECK + 1 FK (no UNIQUE, no status CHECK) · status active 291 / published 16 (out-of-vocab) / null 2 / draft 0 · governance_object_ownership 0 · apr_action_types 14 (no register_dot).
6. Files (9, all rev1)
reports/rs4a-patch2/: index · 01 closure-map · 02 effect-identity+authz-binding · 03 U3 head-uniqueness · 04 Phase-4 success/audit · 05 test-registry-111 · 06 decision-packet · codex-review-packet. reports/: this rollup. RS4A + PATCH1 not overwritten.
7. Blockers carried (unchanged class)
G2 owner=0 (deciding) · G3 no register_dot · G4 hash carrier · G5 replay surface (U1/U2) · G6 audit sink · G7 activation/G7-consumer · STATUS_DOMAIN_NOT_DB_ENFORCED · U3 partial-unique surface REQUIRED_NOT_PRESENT. None blocks PATCH2 readiness.
8. Must-not-do confirmation
No runtime mutation; no DDL/DML; no schema/table/column/constraint; no DOT register/wire/run; no Owner; no APR; no register_dot; no APR approval; no gate flip; no registrar patch; no validator patch; no implementation; no migration SQL; no Directus mutation payload; RS-VALIDATOR not opened; Owner execution not opened; registration not opened; source fidelity / replace-not-wrap / C4–C7 / C9–C10 / D13 not reopened; owner/policy/approval/nonce/run/attempt kept out of U1; U3 not left active-only; success audit not required in Phase 4; no duplicate test IDs; T-P6-3a/b count made deterministic; no mega-registry/graph/birth pipeline.
9. Next step
Codex reviews RS4A-PATCH2 only. On ACCEPT_RS4A_PATCH2 → single next step = G2 Owner-of-record decision; RS-VALIDATOR-HARDENING + per-block hardening + registrar replacement sequenced after, not bundled. If a further residual defect: scoped RS4A-PATCH3 on that item only.
Builds on / corrects [[project_laws_new_macro_rs4a_patch1_contract_identity_inert_state_suite_reconciliation_2026_06_21]]. Default HOLD; authority ≠ effect identity; hash ≠ signature; caller ≠ authority; KB admission ≠ runtime registration.