KB-55DB

Macro-RS4A — Registrar-Hardening Design (Source-Aware) Governance Contract Package — Rollup — 2026-06-21

Revision 1

Tags: rs4a · macro-rollup · registrar-hardening · source-aware · governance-contract · registration-hold · design-only · 2026-06-21


Macro: RS4A — REGISTRAR-HARDENING-DESIGN-SOURCE-AWARE
Opened after: Codex ACCEPT_RS3C_AND_PROCEED_TO_REGISTRAR_HARDENING_DESIGN (RS3C_ACCEPTED).
Mode: read-only · 0 mutations · DESIGN-ONLY.
Package verdict: RS4A_READY_FOR_CODEX_REVIEW (package complete — NOT a registrar PASS; PASS not forced).
Controlling finding (carried): SOURCE_CONFIRMS_UNSAFE_REGISTRAR_BEHAVIOR.
Replacement decision: REPLACE_FOR_GOVERNED_REGISTRATION + REJECT_CURRENT_REAL_RUN_PATH.
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO.


1. One-line outcome

The recovered, hash-verified source of dot-dot-register is turned into a multi-artifact governance contract package: a 24-defect line-level ledger, a registrar hardening target contract v0.2, a 24-row contract-vs-source delta matrix, a 7-phase model with proof obligations, four fail-closed envelope contracts (Owner/APR authority, Interface F artifact resolver, replay/nonce/attempt, durable audit sink), a trigger/gate closure that reads the activation function body live (closing caveat P4 at the producer), the decisive replace-not-wrap verdict, a 92-case acceptance suite, and a blocker/sequencing map. Everything is design-only and fail-closed; registration stays shut.

2. Why REPLACE, not WRAP

The operational registrar's real-run write path is irreducibly unsafe: mass glob ls .../dot-* (L121) + loop (L131) + status:"active" (L173) + independent REST POST per file (L156) + no transaction (L131–184) + fail-open success (curl without -f, no $? check, L156/L176) + no Owner/APR/gate/hash (L94–191) + hardcoded VPS IP/root-SSH key (L20–21) + curl -k (L156). There is no single-target, atomic, authorized, honest-success mode to wrap. ⇒ REPLACE_FOR_GOVERNED_REGISTRATION + REJECT_CURRENT_REAL_RUN_PATH; only --dry-run scan/report and the pure classify_* helpers are safe residual reuses.
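As an added illustration, not code from the recovered dot-dot-register script or from the RS4A package, the fail-open mass-scan shape the ledger describes sits beside a fail-closed single-target shape. The `curl` stub, the registrar URL and the expected-hash argument are constructed so the contrast runs offline.

```shell
#!/bin/sh
# Constructed stub standing in for curl against the registrar's REST endpoint.
# It models the one curl property that matters here: without -f an HTTP 4xx/5xx
# reply still exits 0; with -f (or -fsS) it exits 22. The server always refuses.
curl() {
  fail_on_http=0
  for a in "$@"; do
    case "$a" in -f|-fsS|--fail) fail_on_http=1 ;; esac
  done
  printf '{"error":"forbidden"}\n'
  [ "$fail_on_http" -eq 1 ] && return 22
  return 0
}

REGISTRAR_URL="${REGISTRAR_URL:-https://registrar.invalid/items/dot_tools}"  # placeholder

# Shape of the recovered real-run path: glob every dot-* file, POST each one
# independently as status:"active", skip -f and the $? check, then report
# success whatever the server answered. Exit status is 0 even when every POST
# was refused, which is the fail-open defect.
unsafe_mass_register() {
  dir="$1"
  for f in "$dir"/dot-*; do
    curl -k -s -X POST -d "{\"name\":\"$(basename "$f")\",\"status\":\"active\"}" \
      "$REGISTRAR_URL" >/dev/null
  done
  echo "registered"
  return 0
}

# Fail-closed shape: one explicit artifact, a caller-supplied expected hash
# (assumption: the governed design carries one per artifact), -f so an HTTP
# error becomes a non-zero exit, no -k, and every failure returns 1. Activation
# (status active) is left to the gated step the page describes, not sent here.
governed_register_one() {
  file="$1"; expected_sha="$2"
  [ -f "$file" ] || { echo "no such artifact: $file" >&2; return 1; }
  actual_sha=$( (sha256sum "$file" 2>/dev/null || shasum -a 256 "$file") | cut -d' ' -f1)
  [ "$actual_sha" = "$expected_sha" ] || { echo "hash mismatch for $file" >&2; return 1; }
  if ! curl -fsS -X POST -d "{\"name\":\"$(basename "$file")\"}" "$REGISTRAR_URL" >/dev/null; then
    echo "registrar refused $file; nothing recorded as success" >&2
    return 1
  fi
  return 0
}
```

With the refusing stub, the mass path still exits 0 while the single-target path exits 1 at the hash check or at the refused POST.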

3. Live verification this macro (Claude read-only, db directus, 2026-06-21)

  • P4 closed at producer: fn_context_pack_on_dot_register body read live — notify is conditional (tier∈["A","B","C"] AND status='active'), SECURITY DEFINER; context_pack_mode='warn'; gates real_run_enabled=false, operator_runtime_enabled=false. (Consumer body unread ⇒ G7-consumer open.)
  • governance_object_ownership=0 (G2); apr_action_types=14 codes, no register_dot, register-shaped codes unimplemented (G3); quorum_passed/fn_apr_quorum_check exist.
  • dot_tools 309/291 active/81 NULL file_path; constraints only PK(id)+CHECKs+1 FK (no UNIQUE on identity); 28 cols, no hash (G4).
  • context_pack_manifest checksums are per-pack aggregate (no per-artifact carrier — G4 sharpened); wf_fs_dot_bin_snapshot UNIQUE(source_key,object_key), no triggers; event_outbox only a BEFORE INSERT validate trigger — no immutability (G6).

4. Package files (15)

reports/rs4a/: index · 01 source-defect-ledger · 02 target-contract-v0.2 · 03 delta-matrix · 04 phase-model · 05 owner-apr-authority · 06 interface-f-v0.2 · 07 replay-nonce-attempt-v0.2 · 08 audit-sink-v0.2 · 09 trigger-gate-closure · 10 replacement-vs-wrapper · 11 acceptance-suite-92 · 12 blockers-sequencing · codex-review-packet. Plus this rollup at reports/.

5. Blockers and sequencing

G1 RESOLVED; NF1 OPEN-but-addressed-by-design; G2 (Owner-of-record, deciding) / G3 (register_dot) / G4 (carrier) / G5 (replay surface) / G6 (audit sink) / G7 (activation, fenced; consumer open) OPEN. RS4A closes none of G2–G7 (Owner/implementation-gated); it converts NF1 into a buildable contract and sharpens G4/G7. Next: Codex reviews RS4A → on acceptance, the deciding step is the G2 Owner-of-record decision (+ G3 action), which unblocks the per-block hardening designs and then the governed-registrar implementation. RS-VALIDATOR-HARDENING may start only after Codex accepts this contract; RS2B residue closure sequenced after, not bundled. No implementation/registration before Owner + gate + design acceptance.

6. Must-not-do held (35 locks)

No DB/DDL/DML mutation; no register/wire/run DOT; no schema/table/collection/registry creation; no APR create/approve; no gate flip; no validator patch; no registrar patch; no edit of dot-dot-register/dot-catalog-sync/source-law; no allowlist patch; no service restart; no mega-registry/mega-graph/mega-birth pipeline; no tightly-coupled system; no wrapper over the mass-scan real-run path; no RISK-BYPASS clearance; no 142/18 merge or sanction; hash ≠ signature; caller ≠ authority; pure validator ≠ nonce owner; snapshot/QT001/manifest ≠ trusted provider; attempt_id ≠ logical-key bypass; consumed-state not expired by staleness; RP-03 prose ≠ source. PASS not forced; default HOLD. KB admission ≠ runtime registration.

Builds on / consumes [[project_laws_new_macro_rs3c_source_recovery_rerun_2026_06_21]] and the RS3B envelopes. Sibling/sequence sources: RS3-PATCH1/PATCH2, RS3-BUNDLE, RS2-PATCH1.

Final gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO.

Path: knowledge/dev/laws-new/reports/macro-rs4a-registrar-hardening-design-source-aware-2026-06-21.md