KB-322D

Macro — RS5B-CLOSEOUT-PATCH1 (Dependency-Safe Rollback + Gate Split) rollup — 2026-06-21

Revision 1

Opened after: Codex HOLD on RS5B-CLOSEOUT-P2-ENTRY. STATUS: HOLD, VERDICT: REJECT_LEGO_BOUNDARY_INSUFFICIENT, stop RS5B_CLOSEOUT_P2_ENTRY_HOLD_DEPENDENCY_SAFE_ROLLBACK_AND_GATE_SPLIT_REQUIRED. Job A accepted (§3); Job B held (§4/§5/§6/§7).

Verdict: RS5B_CLOSEOUT_PATCH1_READY_FOR_GPT_REVIEW (not forced)

Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 mutations (KB-only, design-only, no live runtime read)

PASS level: narrow Job-B patch consolidation + design-review-ready only — not authority / runtime / implementation / registration / activation PASS; not P2 authorization; not rollback-execution authorization.

Class: additive narrow patch. Does not reopen the accepted RS5B consolidated contract (Codex §12).


1. Scope (narrow — only what Codex §11 required)

Five corrections to closeout Job B, nothing else: dependency-safe rollback for C1–C7; rollback validity (not presence); new adversarial XBI; deterministic C7 conditionality; baseline-vs-P2-open gate split. No P2 opened. No runtime. No registration. No rollback executed. Job A untouched.

Guiding principle: do not prove "I wrote the word rollback" — prove "a destructive / orphaning / history-erasing / authority-weakening rollback, or an early-P2 / overclaim attempt, is rejected before any PASS."

2. Codex residual closure map (8 residuals → closed)

  • R1 C1 vocabulary rollback orphans C2 → versioned retire/supersession with historical resolution (file 02 C1; edge E1; XBI-11). CLOSED.
  • R2 C3 owner/scope rollback orphans bindings/audit/decisions → revoke/supersede preserving row identity + audit (file 02 C3; E2/E8; XBI-12). CLOSED.
  • R3 C4 hash rollback breaks reproducibility → preserve hash evidence, supersede for new use only (file 02 C4; E3; XBI-13). CLOSED.
  • R4 C5 policy-ref rollback orphans/re-means C2 → policy version supersession + compatibility (file 02 C5; E4; XBI-14). CLOSED.
  • R5 C7 approval rollback erases evidence / weakens envelopes → versioned transition preserving prior approval-required envelopes + evidence (file 02 C7; E6/E8; XBI-15/16). CLOSED.
  • R6 XBI-7 checks presence not safety → rollback-validity oracle RBP-0..RBP-9/PASS; destructive-but-present plan cannot reach PASS (file 04 §3; XBI-11..19). CLOSED.
  • R7 C7 optional+mandatory → deterministic approval_mode rule (file 05; XBI-20/21). CLOSED.
  • R8 R12 mixes baseline + plan-specific review → Gate A / Gate B split with distinct outputs (file 06; XBI-22..25). CLOSED.

3. Dependency-safe rollback contract (file 02)

Invariants I1–I10: stable identity · historical evidence · reference integrity · semantic immutability · authority non-weakening · forward fail-closed · versioned/compensating (never destructive deletion) · auditability · locality · no runtime permission. Per-carrier allowed/forbidden/postcondition for C1–C7. ROLLBACK_CONTRACT_VALID_FOR_REVIEW is necessary-not-sufficient (not execution permission, not P2 authorization). "Deletion is not rollback." LEGO_BOUNDARY_HELD (I9 forbids cross-carrier silent mutation).

4. Carrier dependency map (file 03)

Explicit 8-edge graph: C1/C3/C4/C5/C6/C7 → C2 (reference edges, conditional C7→C2 under APPROVAL_USED); C2 → historical decisions; C3/C4/C7 → audit/history. Each edge: producer · consumer · reference field · destruction impact · safe rollback rule · post-rollback invariant · bad input → oracle code. No edge without a bad input.

5. Rollback-validity oracle + new XBI (file 04)

RBP classifier with total precedence: RUNTIME_MUTATION_REJECTED < DELETES_REFERENCED_IDENTITY < ORPHANS_DEPENDENCY < ERASES_HISTORY < CHANGES_HISTORICAL_SEMANTICS < WEAKENS_AUTHORITY < SUCCESSOR_RULE_ABSENT < AUDIT_TRAIL_ABSENT < NOT_LOCAL < PLAN_ABSENT < CONTRACT_VALID_FOR_REVIEW. Key proof: ROLLBACK_PLAN_ABSENT is second-from-last, so plan-existence does not advance toward PASS; PASS = conjunction of all invariants, so any destructive predicate (RBP-2..9) blocks PASS. XBI-11..XBI-25 added: 11 destructive-vocab, 12 owner-delete, 13 hash-delete, 14 policy-orphan, 15 approval-evidence-erase, 16 authority-weaken, 17 no-successor, 18 no-audit, 19 not-local, 20 C7-required-when-used, 21 C7-optionality-conflict, 22 baseline-as-P2-open, 23 no-Chairman-token, 24 Chairman-scope-mismatch, 25 P2-open-rollback-proof-missing. All fail closed; none yields PASS/seal/digest.
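The precedence argument above, as an added sketch that is not code from the RS5B package. The plan and operation fields (`ops`, `kind`, `successor`, `audit_ref` and the rest) and the `refs` map are hypothetical; only the label names and their order are taken from the chain above.

```python
# Added illustration: hypothetical plan model; labels and order follow the page's chain.
PASS = "CONTRACT_VALID_FOR_REVIEW"

def any_op(plan, test):
    """True if any operation in the plan satisfies test (False for an empty plan)."""
    return any(test(op) for op in plan.get("ops", []))

def classify(plan, refs):
    """Return (label, hits): the single highest-precedence label plus every violation."""
    checks = [  # evaluated in precedence order; PASS only if nothing is violated
        ("RUNTIME_MUTATION_REJECTED", plan.get("touches_runtime", True)),  # missing => fail closed
        ("DELETES_REFERENCED_IDENTITY",
         any_op(plan, lambda o: o["kind"] == "delete" and bool(refs.get(o["target"])))),
        ("ORPHANS_DEPENDENCY",
         any_op(plan, lambda o: bool(refs.get(o["target"])) and not o.get("historical_resolution"))),
        ("ERASES_HISTORY", any_op(plan, lambda o: not o.get("keeps_history"))),
        ("CHANGES_HISTORICAL_SEMANTICS", any_op(plan, lambda o: bool(o.get("rewrites_meaning")))),
        ("WEAKENS_AUTHORITY", any_op(plan, lambda o: bool(o.get("relaxes_approval")))),
        ("SUCCESSOR_RULE_ABSENT", any_op(plan, lambda o: not o.get("successor"))),
        ("AUDIT_TRAIL_ABSENT", any_op(plan, lambda o: not o.get("audit_ref"))),
        ("NOT_LOCAL", any_op(plan, lambda o: o["target"].split(":")[0] != plan.get("carrier"))),
        ("PLAN_ABSENT", not plan.get("ops")),  # checked last: presence alone earns nothing
    ]
    hits = [label for label, violated in checks if violated]
    return (hits[0] if hits else PASS), hits

# Constructed sample data: one C2 row references a C1 vocabulary term.
REFS = {"C1:term-7": ["C2:binding-3"]}
SAFE = {"carrier": "C1", "touches_runtime": False, "ops": [{
    "kind": "supersede", "target": "C1:term-7", "successor": "C1:term-7@v2",
    "historical_resolution": True, "keeps_history": True, "audit_ref": "audit-1"}]}
# A plan that is present and documented, yet deletes the referenced term.
DESTRUCTIVE = {"carrier": "C1", "touches_runtime": False, "ops": [{
    "kind": "delete", "target": "C1:term-7", "successor": "C1:term-7@v2",
    "historical_resolution": False, "keeps_history": False, "audit_ref": "audit-1"}]}
ABSENT = {"carrier": "C1", "touches_runtime": False, "ops": []}

if __name__ == "__main__":
    for name, plan in [("safe", SAFE), ("destructive", DESTRUCTIVE), ("absent", ABSENT)]:
        print(name, classify(plan, REFS))
```

Because the result is the first hit in precedence order, a plan with several violations still yields exactly one code, and a plan reaches the PASS label only when the hit list is empty.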

6. C7 conditionality (file 05)

approval_mode ∈ {APPROVAL_USED, APPROVAL_NOT_USED_BY_POLICY}. Rule A: C7 mandatory, exist+PASS before P3, missing ⇒ C7_REQUIRED_WHEN_APPROVAL_USED. Rule B: C7 not mandatory, but policy must prove non-use, else APPROVAL_MODE_POLICY_UNPROVEN; demanding C7 anyway ⇒ C7_OPTIONALITY_CONFLICT. Closeout 06 §4 "all seven … before P3" superseded → C1–C6 unconditional, C7 conditional. Applied consistently to C2/gate/carriers/XBI/P3/review packet.

7. Two-gate split (file 06)

Gate A — Baseline design acceptance (P2_BASELINE_ENTRY_DESIGN_ACCEPTED): accepts the closeout/P2-entry design baseline; permits only preparing a carrier-specific plan; opens no P2, authorizes no write, never substitutes for Chairman.

Gate B — P2-open for a specific carrier plan (P2_OPEN_AUTHORIZED_FOR_NAMED_CARRIER_PLAN_ONLY): requires Gate A + carrier-specific plan + named carriers + per-carrier dependency-safe rollback proof + current read-only preflight + exact-scoped Chairman token + independent plan review + no runtime mutation. Authorizes only the named design/build lane — no registration/activation/register_dot/P3/runtime write.

No "Gate A → P2 open" transition.

8. Impact map (file 07)

M1–M6 destructive C1–C7 rollback lines, M7 presence-only XBI-7/R6, M8 "all seven before P3", M9 R12 dual-object review, M10 circular P2_ENTRY_DESIGN_READY_FOR_INDEPENDENT_REVIEW — all SUPERSEDED_BY_RS5B_CLOSEOUT_PATCH1. §5 NOT-reopened: consolidated contract, S1–S4, effect_identity/binding field set, canonical_operation, BI oracle, 13-element packet, caveats C1–C5, XBI-1..10, RS4A-PATCH2-02/RS5A-PATCH4/models/U1-U3/owner-bootstrap-handler, LEGO rule.

9. Adversarial self-review (file 08)

20 attacks A1–A20 (destructive / orphan / erasure / authority-weakening / C7 / gate / overclaim) — all rejected before any PASS; result table single-coded. CLOSEOUT_PATCH1_ADVERSARIAL_SELF_CHECK_PASSED_NO_FAIL_OPEN.

10. Files (11 in package + this rollup)

reports/rs5b-closeout-patch1/: index, 01 source-register+codex-hold-reconstruction, 02 dependency-safe-rollback-contract, 03 carrier-dependency-map, 04 rollback-validity-oracle+xbi, 05 c7-conditionality, 06 two-gate-sequencing, 07 impact-map, 08 adversarial-self-review, 09 decision-packet, codex-review-packet. Plus reports/macro-rs5b-closeout-patch1-rollback-gate-split-2026-06-21.md (this rollup). All revision 1 at creation (this rollup quotes AgentData metadata, never a stale "all revision 1" body sentence — caveat C1 discipline).

11. Carried blockers (UNCHANGED) + next step

G2–G7 + STATUS_DOMAIN_NOT_DB_ENFORCED + U3_PARTIAL_UNIQUE_SURFACE_ABSENT + OWNER_MINT_PATH_FAIL_CLOSED + QUORUM_EFFECT_BINDING_INSUFFICIENT + QUORUM_APPROVER_IDENTITY_UNVERIFIED + BOOTSTRAP_AUTHORITY_UNRESOLVED + CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT. No new blocker, no new reject code (RBP/C7/gate codes are classifier labels, not runtime blockers).

Single next step: GPT/independent review of this PATCH1 only → on accept, Codex review → corrected Job-B wording carries into the closeout, which becomes the Gate A baseline → only after a later independent acceptance of a carrier-specific build plan at Gate B plus an exact-scoped Chairman authorization may a named P2 design/build lane open → a still-later separate gate decides P3 registration. No P2 / runtime / registration / rollback-execution authorized here. Residual ⇒ future RS5B-CLOSEOUT-PATCH2.

Default HOLD. Deletion is not rollback. Rollback validity ≠ rollback presence. Rollback-contract validity ≠ rollback-execution authorization. Baseline acceptance ≠ P2-open authorization. Independent review ≠ Chairman authorization. Engineering PASS ≠ authority PASS. Contract PASS ≠ runtime PASS. Builds on / corrects [[project_laws_new_macro_rs5b_closeout_p2_entry_scope_2026_06_21]].