Incomex AI Portal
KB-1E90

Macro — RS5B-CLOSEOUT-P2-ENTRY-SCOPING (rollup) — 2026-06-21

8 min read Revision 1
macro-rolluprs5b-closeoutp2-entryconsolidated-contractregistration-holddesign-only2026-06-21

Macro — RS5B-CLOSEOUT-P2-ENTRY-SCOPING (rollup) — 2026-06-21

Opened after: Codex ACCEPT_RS5B_PATCH2 (STATUS: PASS_WITH_CAVEATS; stop RS5B_PATCH2_ACCEPTED_CONTRACT_ONLY_REGISTRATION_HOLD), on top of ACCEPT_RS5A_PATCH4 and the intervening NEED_RS5B_PATCH2 HOLD. Verdict: RS5B_CLOSEOUT_P2_ENTRY_READY_FOR_GPT_REVIEW (not forced) Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 mutations (KB-only, design-only, no live runtime read) PASS level: closeout-consolidation + P2-entry-design-review-ready only — not authority / runtime / implementation / registration / activation PASS; not P2 authorization. Class: additive consolidation package. Direct KB reads of 18 sources (3 Codex + RS5B 8 + PATCH1 3 + PATCH2 4); two jobs — (A) one consolidated corrected-contract view, (B) a future-only P2 entry gate.

1. Scope (two jobs, nothing else)

  • Job A — Consolidated RS5B acceptance (contract layer only): RS5B_CONTRACT_AS_CORRECTED_BY_PATCH1_PATCH2. States exactly what is / is not accepted.
  • Job B — P2 entry gate design (future only): the evidence, authority packet, carriers, checks, rollback surfaces, LEGO boundaries that must exist before any P2 build/carrier work begins. P2 must not start until a later independent review accepts this entry-gate design.

Creates no Owner/scope/APR/register_dot/approval/handler; opens no P2 lane; clears no gate.

2. Consolidated contract (file 02) — the 8 controlling points

  1. Bootstrap: Model D-as-design on top of Model E-as-runtime-HOLD.
  2. Authority source: Constitution v4.6.3 + Chairman = design-level founding source, not runtime authorization by itself; design-solved ≠ runtime-resolved.
  3. Authorization packet: 13 elements, necessary-not-sufficient; item 13 (Chairman) final + unconditional.
  4. effect_identity: pure business effect — canonical_operation + canonical target type/ref + canonical artifact identity/hash; no authority/credential/execution fields.
  5. authorization_binding_digest: includes effect_identity; binds the pure effect to the envelope (owner scope/head/policy, approval/quorum/principal refs if used, nonce/window, artifact refs, U3/status/audit refs, founding_authority_ref).
  6. Canonical operation: register_dot is one specialization; owner designation + scope creation need distinct operations; vocabulary absent ⇒ CANONICAL_OPERATION_VOCABULARY_REQUIRED_NOT_PRESENT (fail-closed).
  7. BI oracle: BI-E6 Layer-1 digest-shape first; BI-E1 Layer-2 approval-binding only-if-L1-passed; discriminator P = (effect_identity ∈ authorization_binding_digest input schema); BINDING_CHECK_PASS necessary-not-sufficient.
  8. Caveats: rollup revision typo (PATCH2-06 = rev 2); contract-classifier-only totality; design fixtures ≠ runtime tests.

3. Supersession map (file 03)

  • S1: RS5B-05 item-5 "kept out of the authorization binding" → SUPERSEDED_BY_RS5B_PATCH1 (effect pure and bound inside the digest).
  • S2: PATCH1-02 general operation="register_dot" → PATCH2 canonical_operation general formula (register_dot = specialization only).
  • S3: PATCH1-04 overlapping BI-E1/BI-E6 → PATCH2 two-layer disjoint classifier (precedence MISSING_EFFECT < NOT_BOUND).
  • S4: PATCH2 rollup "All revision 1" → corrected by caveat C1 (PATCH2-06 = revision 2).
  • NOT reopened: authorization_binding_digest field set, RS4A-PATCH2-02 register_dot semantics, RS5A-PATCH4 quorum/G02/total-Q-order, candidate models, 13-element packet, U1/U2/U3, owner/bootstrap/handler posture.

4. Caveat ledger (file 04)

C1 rollup revision typo (non-blocking; quote metadata) · C2 oracle totality classifier-scoped (forbids runtime-totality promotion) · C3 design fixtures DEFINED_NOT_EXECUTED · C4 no live runtime verification (attestation only; P2 must re-run preflight) · C5 no P2/Chairman/runtime authorization. All five propagated; none blocks closeout; all become binding constraints on any future P2 lane.

5. P2 entry gate (file 05) — 12 fail-closed requirements

R1 accepted consolidated contract · R2 explicit Chairman authorization packet · R3 scope = carrier/policy build design, not registration · R4 read-only preflight · R5 vocabulary design not runtime rows (unless separately authorized) · R6 rollback per carrier · R7 separate LEGO boundaries · R8 no inherited authority (approval↛registration↛activation) · R9 no unsafe registrar reuse (replace-not-wrap) · R10 no register_dot real admission · R11 no RS-VALIDATOR unless separately authorized · R12 independent review before any write. Deterministic gate order; P2_ENTRY_DESIGN_READY_FOR_INDEPENDENT_REVIEW is necessary-not-sufficient.

6. Minimal P2 carriers (file 06) — LEGO, design-only

P2-C1 canonical_operation vocabulary · P2-C2 effect_identity/authorization_binding_digest schema · P2-C3 owner/scope binding · P2-C4 artifact hash · P2-C5 U3/status/audit policy refs · P2-C6 replay/nonce · P2-C7 approval/quorum/principal (if approval used). Each born/tested/changed/rolled-back separately, joined only by explicit reference edges; all pre-runtime (activation is the only post-registration-capable scope, never inherited). Must-not-inherit: DOT_APPROVAL_QUORUM_AUTHORITY ↛ DOT_REGISTRATION_AUTHORITY ↛ DOT_ACTIVATION_AUTHORITY. LEGO_BOUNDARY_HELD. No rows/schema/code/handler/migration/validator/registrar created.

7. Bad inputs (file 07) — all fail closed

XBI-1 AUTHORITY_OVERCLAIM · XBI-2 P2_OPENED_EARLY · XBI-3 VOCABULARY_RUNTIME_OVERCLAIM · XBI-4 PASS_LEVEL_OVERCLAIM · XBI-5 IMPLICIT_AUTHORITY_INHERITANCE_REJECTED · XBI-6 LEGO_BOUNDARY_INSUFFICIENT · XBI-7 ROLLBACK_PLAN_ABSENT · XBI-8 UNSAFE_REGISTRAR_REUSE_REJECTED · XBI-9 P2_SCOPE_DRIFT_REGISTRATION_ATTEMPT · XBI-10 RUNTIME_MUTATION_REJECTED (short-circuit). No invalid input yields PASS/seal/digest/certificate/authority-token/registration-ready. CLOSEOUT_ADVERSARIAL_SELF_CHECK_PASSED_NO_FAIL_OPEN.

8. Files (10 in package + this rollup)

reports/rs5b-closeout-p2-entry/: index, 01 source-register, 02 consolidated-contract, 03 supersession-map, 04 caveat-ledger, 05 p2-entry-gate, 06 carrier-scope, 07 bad-inputs, 08 decision-packet, codex-review-packet. Plus reports/macro-rs5b-closeout-p2-entry-scope-2026-06-21.md (this rollup). All revision 1 at creation (this rollup will quote AgentData metadata, never a stale "all revision 1" body sentence — caveat C1).

9. Carried blockers (UNCHANGED) + next step

G2–G7 + STATUS_DOMAIN_NOT_DB_ENFORCED + U3_PARTIAL_UNIQUE_SURFACE_ABSENT + OWNER_MINT_PATH_FAIL_CLOSED + QUORUM_EFFECT_BINDING_INSUFFICIENT + QUORUM_APPROVER_IDENTITY_UNVERIFIED + BOOTSTRAP_AUTHORITY_UNRESOLVED + CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT. No new blocker, no new reject code.

Single next step: GPT/independent review of this closeout + P2 entry-gate design only → on accept, Codex review → only after a later independent acceptance of the P2 entry-gate design plus explicit Chairman authorization may a separately-authorized P2 lane (carrier/policy build design, replace-not-wrap) open; a still-later independent gate decides P3 registration. No P2 / runtime / registration authorized here. Residual ⇒ future RS5B-CLOSEOUT patch.

Default HOLD. Contract acceptance ≠ execution authorization. Approval-authority ≠ registration-authority ≠ activation-authority. Design-solved ≠ runtime-resolved. BINDING_CHECK_PASS ≠ registration PASS. Vocabulary REQUIRED_NOT_PRESENT ≠ invent rows. P2 entry = future gate only; not opened. Builds on / consolidates [[project_laws_new_macro_rs5b_patch2_canonical_operation_and_bi_domain_separation_2026_06_21]] and [[project_laws_new_macro_rs5b_g2_owner_execution_authorization_design_2026_06_21]].