READY-TO-ASSEMBLE-LEGO1-PATCH2 05 — Authorization Verifier & Atomic Consume Proof (B3/B4) — 2026-06-22
Closes Codex 5.4: verifier → AUTHORITY_MISSING_ONLY; consume handler → PREPARATION_GAP. Gate: REGISTRATION_HOLD · CAN_PROCEED = NO · 0 runtime mutations.
1. Codex residuals (reproduced)
- status='granted' is unsatisfiable: the live status_check allows only IN (draft, active, consumed, expired, revoked), so the PATCH1 predicate can never match (auth_count=0).
- action_set @> :req permits supersets: an over-broad grant passes.
- sovereign_esign_ref IS NOT NULL proves presence, not authenticity (chk_sov_esign only checks presence).
- file 05 §3 used raw INSERT/UPDATE for lease + consume, not a governed handler; and CAS + writes were not proven to be one transaction.
2. Corrected verifier predicate (against the real columns/domain)
SELECT auth_code FROM governance_build_authorization g
WHERE g.scope->>'carrier' = 'C1'
AND g.scope->>'plan_id' = :plan_id
AND g.scope->>'plan_revision' = :plan_revision
AND g.scope->>'manifest_digest' = :manifest_digest -- file 04
AND g.scope->>'schema_digest' = :schema_digest -- file 03
AND g.scope->>'environment' = :environment
AND g.scope->>'executor' = :executor
-- EXACT set-equality (not @>): sorted canonical arrays must match.
-- array_agg over zero elements is NULL, so an empty action_set on either side makes the
-- comparison NULL (not true) and the grant is rejected: fail-closed, never a free pass.
AND (SELECT array_agg(x ORDER BY x) FROM jsonb_array_elements_text(g.scope->'action_set') x)
= (SELECT array_agg(x ORDER BY x) FROM jsonb_array_elements_text(:required_action_set::jsonb) x)
AND g.rollback_plan_ref = :rollback_plan_ref -- NOT NULL column
AND g.requires_sovereign_esign = true
AND g.sovereign_esign_ref IS NOT NULL
AND fn_verify_sovereign_esign(g.sovereign_esign_ref, g.auth_code) = true -- AUTHENTICITY, not presence (handler, file 02)
AND g.status = 'active' -- REAL lifecycle: active → consumed
AND g.consumed_at IS NULL AND g.revoked_at IS NULL AND g.expires_at > now()
AND g.request_ref IN (SELECT code FROM approval_requests WHERE status = 'approved'); -- bound to an approved request
-- exactly 1 row required; 0 ⇒ fail-closed (AUTH_ABSENT/SCOPE_MISMATCH); >1 ⇒ AMBIGUOUS_AUTHORIZATION
Changes vs PATCH1: status='active'; exact sorted set-equality (no superset); authenticity via fn_verify_sovereign_esign (handler, not presence); binding to an approved approval_requests row (the real FK target).
3. Atomic reserve/consume via a GOVERNED handler (not raw DML)
PATCH1's raw INSERT … dot_iu_runtime_lease / UPDATE governance_build_authorization are replaced by a single governed handler DOT_C1_AUTH_RESERVE_CONSUME that, in one transaction, before any schema/value/audit write:
- re-runs the §2 verifier under FOR UPDATE (the row lock is held for the rest of the transaction);
- acquires the build lease (single holder);
- CAS-consumes: status active → consumed only if still active ∧ consumed_at IS NULL ∧ revoked_at IS NULL ∧ expires_at > now(); RETURNING 0 rows ⇒ STOP;
- hands the same transaction to the build state machine (file 06).
Consume precedes writes, so no write occurs without a consumed grant. Caveat: because consume and writes share one transaction, a mid-build abort also rolls back the consume and the grant returns to active, i.e. it is reusable again. "A failed build never leaves the grant reusable" holds only if the consume is committed before the build writes begin, with the lease bridging the two transactions; file 06 must fix which of the two it requires before B4 can close.
4. Bad-input matrix (each must reject before PASS)
- zero grants → 0 rows (AUTH_ABSENT)
- two grants → AMBIGUOUS_AUTHORIZATION
- expired/revoked → excluded by the liveness terms
- wrong plan/carrier/env/executor → 0 rows (SCOPE_MISMATCH)
- wrong or superset action set → set-equality fails
- generic token (no matching scope) → scope mismatch
- already consumed → CAS returns 0 rows
- consume fails → txn aborts, no writes
- write fails → txn aborts; the grant stays consumed only if the consume was committed before the writes began (see §3 caveat), otherwise it returns to active; compensation runs under the same lease in either case
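The §3 transaction shape and the §4 rejections, as an added illustration written for this file. It is not the registered handler DOT_C1_AUTH_RESERVE_CONSUME, and it must not be created or run under REGISTRATION_HOLD; it shows only how one transaction carries the locked verifier, the lease and the CAS consume, and how each rejection surfaces. Assumed, not present in files 02–05: the _sketch suffix on the function name; that dot_iu_runtime_lease has columns (plan_id, holder, acquired_at) with UNIQUE (plan_id), so a second holder fails with unique_violation; and that fn_verify_sovereign_esign (the absent file 02 handler) returns boolean.

```sql
-- Added sketch, not the registered handler; do not create under REGISTRATION_HOLD.
-- Assumed (not in files 02-05): dot_iu_runtime_lease(plan_id, holder, acquired_at)
-- with UNIQUE (plan_id); fn_verify_sovereign_esign(ref, auth_code) returns boolean.
CREATE FUNCTION dot_c1_auth_reserve_consume_sketch(
    p_plan_id text, p_plan_revision text, p_manifest_digest text, p_schema_digest text,
    p_environment text, p_executor text, p_required_action_set jsonb,
    p_rollback_plan_ref text, p_holder text)
RETURNS text              -- auth_code consumed inside the caller's transaction
LANGUAGE plpgsql AS $$
DECLARE
    v_auth text;
BEGIN
    -- 1. Re-run the section 2 verifier under a row lock. INTO STRICT encodes the
    --    row-count rule: 0 rows raises no_data_found, >1 raises too_many_rows.
    SELECT g.auth_code INTO STRICT v_auth
    FROM governance_build_authorization g
    WHERE g.scope->>'carrier' = 'C1'
      AND g.scope->>'plan_id' = p_plan_id
      AND g.scope->>'plan_revision' = p_plan_revision
      AND g.scope->>'manifest_digest' = p_manifest_digest
      AND g.scope->>'schema_digest' = p_schema_digest
      AND g.scope->>'environment' = p_environment
      AND g.scope->>'executor' = p_executor
      -- exact set-equality; an empty set on either side yields NULL and rejects
      AND (SELECT array_agg(x ORDER BY x) FROM jsonb_array_elements_text(g.scope->'action_set') x)
        = (SELECT array_agg(x ORDER BY x) FROM jsonb_array_elements_text(p_required_action_set) x)
      AND g.rollback_plan_ref = p_rollback_plan_ref
      AND g.requires_sovereign_esign = true
      AND g.sovereign_esign_ref IS NOT NULL
      AND fn_verify_sovereign_esign(g.sovereign_esign_ref, g.auth_code) = true
      AND g.status = 'active'
      AND g.consumed_at IS NULL AND g.revoked_at IS NULL AND g.expires_at > now()
      AND g.request_ref IN (SELECT code FROM approval_requests WHERE status = 'approved')
    FOR UPDATE OF g;

    -- 2. Acquire the build lease. The assumed UNIQUE (plan_id) makes a second
    --    holder fail with unique_violation, handled below.
    INSERT INTO dot_iu_runtime_lease (plan_id, holder, acquired_at)
    VALUES (p_plan_id, p_holder, now());

    -- 3. CAS-consume. The WHERE repeats the liveness terms so a revoke or expiry
    --    that slipped in before the lock was taken still yields 0 rows here.
    UPDATE governance_build_authorization
       SET status = 'consumed', consumed_at = now()
     WHERE auth_code = v_auth
       AND status = 'active' AND consumed_at IS NULL
       AND revoked_at IS NULL AND expires_at > now();
    IF NOT FOUND THEN
        RAISE EXCEPTION USING ERRCODE = 'P0001', MESSAGE = 'CONSUME_CAS_FAILED';
    END IF;

    -- 4. Hand back to the caller, which runs the file 06 writes in the SAME
    --    transaction. Any exception here or in those writes aborts everything,
    --    including steps 2 and 3 (the section 3 caveat).
    RETURN v_auth;
EXCEPTION
    WHEN no_data_found THEN
        RAISE EXCEPTION USING ERRCODE = 'P0001', MESSAGE = 'AUTH_ABSENT_OR_SCOPE_MISMATCH';
    WHEN too_many_rows THEN
        RAISE EXCEPTION USING ERRCODE = 'P0001', MESSAGE = 'AMBIGUOUS_AUTHORIZATION';
    WHEN unique_violation THEN
        RAISE EXCEPTION USING ERRCODE = 'P0001', MESSAGE = 'LEASE_HELD_BY_OTHER';
END;
$$;
```

The function never commits; the caller wraps it and the file 06 writes in one BEGIN … COMMIT, so the row lock from step 1 is held until the end and every matrix row in §4 that says "txn aborts" is an exception propagating out of this function or out of the subsequent writes. That is also what makes the §3 caveat visible: the consume in step 3 is undone by the same abort, so single use after a failed build needs a separate, earlier commit of the consume.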
5. Honest status
- Verifier (B3): closed to AUTHORITY_MISSING_ONLY. The predicate is exact against the real surface; the only residual is that no grant exists (auth_count=0), which is a Gate-B/Chairman authority act.
- Consume handler + fn_verify_sovereign_esign (B4): PREPARATION_GAP. Both are absent governed handlers; registering them is forbidden to PATCH2. Per Codex's "executable contract may not be absent," this remains a preparation gap (tied to B1).
6. Boundary attestation
Design-only; no grant created/consumed, no lease, no write. REGISTRATION_HOLD retained; CAN_PROCEED = NO; 0 runtime mutations. Supersedes PATCH1 file 05 §2 (granted/@>) and §3 (raw DML).