KB-484C

READY-TO-ASSEMBLE-LEGO1-PATCH1 05 — [P1-2] Authorization Verifier & Atomic Reserve/Consume — 2026-06-22



Closes Codex P1-2. Gate: REGISTRATION_HOLD · CAN_PROCEED = NO · 0 runtime mutations. The empty governance_build_authorization table is not "structurally complete" by columns alone; below is the proven verifier contract + atomic protocol it must satisfy.


1. Defect (reconstructed)

Columns ≠ enforcement. Prior PF5 was a conceptual predicate (scope=plan AND status valid), not an exact executable query against the jsonb structure + status domain; and prior file 06 consumed authorization at S8 (after table + value + audit writes), so two executors could pass the same unconsumed preflight, or a failure could leave writes done without consumption. SUPERSEDED.

2. Exact authorization verifier predicate (executable)

A grant in governance_build_authorization is valid for the C1 build iff all of the following hold (exact, evaluated against the live column/jsonb domain defined in file 02 §3.4 of the base package):

-- VERIFIER (read-only check; executed at G0 preflight and re-checked atomically at G1)
SELECT auth_code FROM governance_build_authorization g
WHERE g.scope ->> 'carrier'        = 'C1'
  AND g.scope ->> 'plan_id'        = :plan_id                 -- LEGO1-C1-CANOPVOCAB-PLAN-...
  AND g.scope ->> 'plan_revision'  = :plan_revision           -- exact plan revision
  AND g.scope ->> 'manifest_digest'= :manifest_digest         -- binds to file 04 manifest
  AND g.scope ->> 'schema_digest'  = :schema_digest           -- binds to file 03 schema
  AND g.scope ->> 'environment'    = :environment
  AND g.scope ->> 'executor'       = :executor                -- executor identity binding
  AND (g.scope -> 'action_set')    @> :required_action_set    -- e.g. ["dot_iu_create_collection","staging_consume"]
  AND g.rollback_plan_ref          = :rollback_plan_ref       -- NOT NULL, binds file 06
  AND g.requires_sovereign_esign   = true
  AND g.sovereign_esign_ref IS NOT NULL                       -- sovereign e-sign present
  AND g.status                     = 'granted'                -- allowed status domain: granted→consumed/revoked
  AND g.consumed_at IS NULL                                   -- single-use not yet consumed
  AND g.revoked_at  IS NULL                                   -- not revoked
  AND g.expires_at  > now();                                  -- not expired
-- 0 rows ⇒ fail-closed: G2_EXECUTION_REQUIRES_SEPARATE_AUTHORIZATION / CHAIRMAN_AUTHORIZATION_SCOPE_MISMATCH
-- >1 row ⇒ fail-closed: AMBIGUOUS_AUTHORIZATION (must be exactly 1)

Binding set proven: plan id + plan revision + manifest digest + schema digest + carrier + environment + executor + action set + rollback ref + sovereign e-sign + status domain + expiry + revocation. (All bound to the canonical digests of file 09.)

3. Atomic reserve/consume protocol (before any write)

Consumption is moved to the front and made atomic, using two independent guards:

(a) Single-execution lease (dot_iu_runtime_lease):

INSERT INTO dot_iu_runtime_lease(lease_name, lease_holder, lease_token, acquired_at, expires_at)
VALUES ('lego1-c1-build', :executor, gen_random_uuid(), now(), now() + interval '30 min')
ON CONFLICT (lease_name) DO NOTHING
RETURNING lease_token;        -- 0 rows ⇒ another executor holds the lease ⇒ STOP (no double-run)

(b) Compare-and-set consume (single-winner on the grant), executed atomically with the start of the write transaction, not at the end:

UPDATE governance_build_authorization
   SET status='consumed', consumed_at=now(), consumed_by=:executor
 WHERE auth_code=:auth_code AND status='granted' AND consumed_at IS NULL
   AND revoked_at IS NULL AND expires_at > now()
RETURNING auth_code;          -- 0 rows ⇒ already consumed/expired/revoked ⇒ STOP fail-closed

Ordering (replaces S8): G1 = acquire lease → CAS-consume the grant → only the CAS winner proceeds to G5/G6 writes. If any later step fails, the grant is already consumed (single-use honored) and the failure path runs compensation (file 06) under the same lease; the grant is never re-usable. No two executors can both pass G1; no write occurs without a consumed grant.

4. Concurrency / replay exclusion

  • Lease ON CONFLICT DO NOTHING ⇒ exactly one holder of lease_name.
  • CAS WHERE status='granted' AND consumed_at IS NULL ⇒ exactly one consumer of the grant.
  • manifest_digest/schema_digest/plan_revision binding ⇒ a replay with stale inputs fails the verifier.
  • p_idempotency_root on the dispatcher (file 06) ⇒ retries dedupe rather than double-write.
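An executable model of the §2 verifier and the §3 lease/CAS ordering, added here as an example; it is not part of this patch and not the project's own code. It runs against an in-memory SQLite database so it needs no Postgres instance, which means the Postgres operators are ported: jsonb `->>` becomes `json_extract`, `@>` becomes a `json_each` containment check, `INSERT ... ON CONFLICT DO NOTHING` becomes `INSERT OR IGNORE`, and `RETURNING` becomes `cursor.rowcount`. Table and column names follow the page; the grant, executors, digests, timestamps and the two STOP codes `LEASE_HELD` and `GRANT_ALREADY_CONSUMED` are assumptions of this example, while the codes for 0 and >1 verifier rows are the page's own. The scenario also exercises the §4 replay exclusion: a stale manifest digest fails the verifier, a repeat CAS on the consumed grant changes 0 rows, and a second executor is stopped at the lease.

```python
"""Constructed SQLite model of the section 2 verifier and section 3 reserve/consume
protocol: an added example, not the project's Postgres code. jsonb ->> becomes
json_extract, @> becomes a json_each containment check, ON CONFLICT DO NOTHING becomes
INSERT OR IGNORE, and RETURNING is replaced by cursor.rowcount. Table and column names
follow the page; grants, executors, digests and timestamps are made up."""
import json
import sqlite3
import uuid
DDL = """CREATE TABLE governance_build_authorization (
  auth_code TEXT PRIMARY KEY, scope TEXT NOT NULL, rollback_plan_ref TEXT NOT NULL,
  requires_sovereign_esign INTEGER NOT NULL, sovereign_esign_ref TEXT, status TEXT NOT NULL,
  consumed_at TEXT, consumed_by TEXT, revoked_at TEXT, expires_at TEXT NOT NULL);
CREATE TABLE dot_iu_runtime_lease (lease_name TEXT PRIMARY KEY, lease_holder TEXT NOT NULL,
  lease_token TEXT NOT NULL, acquired_at TEXT NOT NULL, expires_at TEXT NOT NULL);"""
# Port of the section 2 predicate; timestamps are ISO-8601 text compared as strings.
VERIFIER = """SELECT auth_code FROM governance_build_authorization g
WHERE json_extract(g.scope, '$.carrier') = 'C1'
  AND json_extract(g.scope, '$.plan_id') = :plan_id
  AND json_extract(g.scope, '$.plan_revision') = :plan_revision
  AND json_extract(g.scope, '$.manifest_digest') = :manifest_digest
  AND json_extract(g.scope, '$.schema_digest') = :schema_digest
  AND json_extract(g.scope, '$.environment') = :environment
  AND json_extract(g.scope, '$.executor') = :executor
  AND NOT EXISTS (SELECT 1 FROM json_each(:required_action_set) req   -- action_set @> required
                  WHERE req.value NOT IN (SELECT a.value FROM json_each(g.scope, '$.action_set') a))
  AND g.rollback_plan_ref = :rollback_plan_ref
  AND g.requires_sovereign_esign = 1 AND g.sovereign_esign_ref IS NOT NULL
  AND g.status = 'granted' AND g.consumed_at IS NULL AND g.revoked_at IS NULL
  AND g.expires_at > :now"""

class FailClosed(Exception):
    """Carries the fail-closed code; the caller STOPs and performs no write."""

def verify_grant(conn, binding):
    """Read-only verifier: exactly one matching grant, otherwise fail closed."""
    rows = conn.execute(VERIFIER, binding).fetchall()
    if not rows:
        raise FailClosed("CHAIRMAN_AUTHORIZATION_SCOPE_MISMATCH")
    if len(rows) > 1:
        raise FailClosed("AMBIGUOUS_AUTHORIZATION")
    return rows[0][0]

def acquire_lease(conn, executor, now, lease_expires):
    """Guard (a): INSERT OR IGNORE models ON CONFLICT (lease_name) DO NOTHING."""
    cur = conn.execute(
        "INSERT OR IGNORE INTO dot_iu_runtime_lease VALUES ('lego1-c1-build', ?, ?, ?, ?)",
        (executor, str(uuid.uuid4()), now, lease_expires))
    return cur.rowcount == 1  # 0 rows changed: another executor holds the lease

def cas_consume(conn, auth_code, executor, now):
    """Guard (b): compare-and-set; 0 rows changed means consumed, expired or revoked."""
    cur = conn.execute(
        "UPDATE governance_build_authorization SET status='consumed', consumed_at=?, consumed_by=? "
        "WHERE auth_code=? AND status='granted' AND consumed_at IS NULL AND revoked_at IS NULL "
        "AND expires_at > ?", (now, executor, auth_code, now))
    return cur.rowcount == 1

def gate_g1(conn, binding):
    """G1 ordering: lease, then verifier, then CAS consume, in one transaction."""
    try:
        if not acquire_lease(conn, binding["executor"], binding["now"], binding["lease_expires"]):
            raise FailClosed("LEASE_HELD")              # hypothetical code; the page only says STOP
        auth_code = verify_grant(conn, binding)
        if not cas_consume(conn, auth_code, binding["executor"], binding["now"]):
            raise FailClosed("GRANT_ALREADY_CONSUMED")  # hypothetical code; the page only says STOP
        conn.commit()                                   # only the CAS winner reaches the write steps
        return auth_code
    except FailClosed:
        conn.rollback()                                 # nothing leased, nothing consumed
        raise

def run_scenario():
    """Constructed scenario: one grant, a stale replay, then two executors contending."""
    now = "2026-06-22T10:00:00Z"
    scope = {"carrier": "C1", "plan_id": "PLAN-EXAMPLE", "plan_revision": "r3",
             "manifest_digest": "sha256:aaaa", "schema_digest": "sha256:bbbb",
             "environment": "staging", "executor": "executor-A",
             "action_set": ["dot_iu_create_collection", "staging_consume"]}
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    conn.execute("INSERT INTO governance_build_authorization VALUES (?,?,?,?,?,?,?,?,?,?)",
                 ("AUTH-0001", json.dumps(scope), "RB-06", 1, "ESIGN-77",
                  "granted", None, None, None, "2026-06-22T12:00:00Z"))
    conn.commit()
    binding = {k: v for k, v in scope.items() if k != "action_set"}
    binding.update(required_action_set=json.dumps(["staging_consume"]), rollback_plan_ref="RB-06",
                   now=now, lease_expires="2026-06-22T10:30:00Z")
    out = {}
    try:                                                # replay with a stale manifest digest
        verify_grant(conn, dict(binding, manifest_digest="sha256:stale"))
    except FailClosed as e:
        out["stale_replay"] = str(e)
    out["winner"] = gate_g1(conn, binding)              # executor-A: lease, verify, consume
    out["replay_cas"] = cas_consume(conn, "AUTH-0001", "executor-A", now)  # False: single-use
    try:
        gate_g1(conn, dict(binding, executor="executor-B"))
    except FailClosed as e:
        out["second_executor"] = str(e)                 # stopped at the lease, before any write
    out["status"] = conn.execute("SELECT status FROM governance_build_authorization "
                                 "WHERE auth_code='AUTH-0001'").fetchone()[0]
    return out
```

`run_scenario()` returns the observable outcomes of one run. Under Postgres the same single-winner property holds for the page's `UPDATE ... WHERE status='granted' ... RETURNING`: under READ COMMITTED a second executor that blocks on the row lock re-evaluates the WHERE clause against the committed row after the first commit, so its RETURNING yields 0 rows and it stops, exactly as the `rowcount == 0` branch does here.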

5. Truthful status of the live surface

governance_build_authorization has 0 rows (file 02). It provides the necessary columns but no proof of any of the above until a grant is created and verified at Gate B. PATCH1 therefore states only that the table can carry an exact-scoped grant matching the §2 verifier — not that it is "structurally complete." Sovereign-esign verification, status transitions, and atomic consume are contract requirements, validated by the file-08 executable fixtures, not asserted from columns.

6. Boundary attestation

Design-only verifier + protocol; no grant created/consumed, no lease acquired, no write. REGISTRATION_HOLD retained; CAN_PROCEED = NO; 0 runtime mutations. Supersedes prior PF5 prose and the S8 consume ordering.
