KB-1569

READY-TO-ASSEMBLE-LEGO1 03 — Carrier Candidate Selection & Risk Ranking — 2026-06-22

Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations. Decision: LEGO #1 = C1 — canonical_operation vocabulary contract carrier (closeout carrier P2-C1).


1. Candidate set (the accepted C1–C7 surface)

From the accepted closeout (carriers P2-C1..P2-C7) and PATCH1 rollback specs C1–C7:

  • C1 canonical_operation vocabulary contract
  • C2 effect_identity / authorization_binding_digest schema
  • C3 owner / scope / head binding
  • C4 artifact hash carrier
  • C5 U3 / status / audit policy references
  • C6 replay / nonce carrier
  • C7 approval / quorum / principal-resolution carrier (only if approval_mode = APPROVAL_USED)

2. Scoring rubric

Each axis scored LOW / MED / HIGH risk (LOW = safer). Axes per instruction §3.3: independence, dependency risk, runtime-write complexity, rollback complexity, authority risk, testability (HIGH testability = LOW risk), evidence clarity (HIGH clarity = LOW risk), risk of opening P2 too early, risk of mega-registry coupling. Live facts from file 02 are used, not assumed.

3. Per-carrier risk table

| Axis (LOW=safer) | C1 vocab | C2 digest schema | C3 owner/scope | C4 artifact hash | C5 policy refs | C6 nonce/replay | C7 approval/quorum |
|---|---|---|---|---|---|---|---|
| Independence | LOW (root) | HIGH (consumes all) | MED | LOW | MED | MED | HIGH |
| Dependency risk (incoming edges) | LOW (none) | HIGH (E1–E6 in) | MED (feeds C2) | LOW (feeds C2) | MED | MED | HIGH (principal) |
| Runtime-write complexity | LOW (1 vocab table) | HIGH (2 digests, purity) | HIGH (owner mint) | MED | MED | MED | HIGH |
| Rollback complexity | LOW (version supersede) | MED (version supersede) | HIGH (revoke≠delete owner) | MED | MED | HIGH (no nonce reuse) | HIGH |
| Authority risk | LOW (reference data) | MED | HIGH (founding act/bootstrap) | LOW | MED | MED | HIGH (president unresolved) |
| Testability | LOW (HIGH testability) | MED | MED | LOW (hash match) | MED | MED | HIGH (Q00..Q50) |
| Evidence clarity | LOW (table inspectable) | MED | MED | LOW | MED | MED | HIGH |
| Risk of opening P2 early | LOW | MED | HIGH (owner=registration-adjacent) | LOW | LOW | LOW | MED |
| Mega-registry coupling risk | LOW (smallest LEGO) | HIGH (hub) | MED | LOW | MED | MED | HIGH |
| Aggregate | SAFEST | most coupled | most authority-loaded | 2nd safest | mid | mid | highest authority |

Live evidence backing the scores

  • C1 root-producer / no incoming edge: dependency graph E1–E8 shows C1 is the producer of E1 (C1 → C2) and is the consumer of nothing — no E* edge ends at C1. Live: canonical_operation vocabulary is REQUIRED_NOT_PRESENT (file 02 §4), so there is no live consumer to orphan when it is built first.
  • C2 is the hub: E1–E6 all terminate at C2 (canonical_operation, owner/scope, artifact hash, policy refs, nonce, approval refs are all C2 inputs). Building C2 first would require all producers ⇒ mega-coupling.
  • C3 authority risk: writing governance_object_ownership (live count 0) is the founding act / first owner mint — the most authority-sensitive act in the system (BOOTSTRAP_AUTHORITY_UNRESOLVED, OWNER_MINT_PATH_FAIL_CLOSED).
  • C7 authority risk: the "≥1 president" principal head does not exist in governance_registry (file 02 §3.5) ⇒ CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT / PRESIDENT_ROLE_UNRESOLVED are unresolved; C7 cannot be safely first.
  • C4 is the runner-up: a hash record is reference/evidence data (low authority), pure producer (E3 → C2). It loses to C1 only because C1 is the explicitly-flagged REQUIRED_NOT_PRESENT gap that is an input to effect_identity itself, and a vocabulary table is simpler than a reproducibility-bearing hash carrier (which touches I2/I4 evidence semantics).
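The ranking and the root-producer argument above can be checked mechanically. The following is an added illustration, not the project's own tooling: it transcribes the risk table into scores, derives in-degree from the carrier edges, and applies the carrier-choice rule (root producer, authority risk LOW, the flagged REQUIRED_NOT_PRESENT gap). The page states that E1–E6 all terminate at C2, that E1 is C1 → C2 and E3 is C4 → C2; assigning E2/E4/E5/E6 to C3/C5/C6/C7 in C2-input order is an assumption, and E7/E8 are not described here, so they are left out.

```python
"""Risk ranking and root-producer selection from the table above, as an added
illustration (not the project's tooling). Scores are transcribed from the table.
Edges: the page states E1..E6 all terminate at C2, E1 = C1->C2 and E3 = C4->C2;
assigning E2/E4/E5/E6 to C3/C5/C6/C7 (C2-input order) is an ASSUMPTION, and
E7/E8 are not described on the page, so they are left out."""
from typing import Dict, List, Optional, Tuple

AXES = ["independence", "dependency", "runtime_write", "rollback", "authority",
        "testability", "evidence", "p2_early", "coupling"]
RISK = {"LOW": 0, "MED": 1, "HIGH": 2}  # LOW = safer

# Per-carrier scores in AXES order, transcribed from the risk table.
SCORES: Dict[str, List[str]] = {
    "C1": ["LOW"] * 9,
    "C2": ["HIGH", "HIGH", "HIGH", "MED", "MED", "MED", "MED", "MED", "HIGH"],
    "C3": ["MED", "MED", "HIGH", "HIGH", "HIGH", "MED", "MED", "HIGH", "MED"],
    "C4": ["LOW", "LOW", "MED", "MED", "LOW", "LOW", "LOW", "LOW", "LOW"],
    "C5": ["MED", "MED", "MED", "MED", "MED", "MED", "MED", "LOW", "MED"],
    "C6": ["MED", "MED", "MED", "HIGH", "MED", "MED", "MED", "LOW", "MED"],
    "C7": ["HIGH"] * 7 + ["MED", "HIGH"],
}
# producer -> consumer edges (E2/E4/E5/E6 producers are assumed, see docstring)
EDGES: Dict[str, Tuple[str, str]] = {
    "E1": ("C1", "C2"), "E2": ("C3", "C2"), "E3": ("C4", "C2"),
    "E4": ("C5", "C2"), "E5": ("C6", "C2"), "E6": ("C7", "C2"),
}
REQUIRED_NOT_PRESENT = {"C1"}  # live gap flagged in file 02 §4


def aggregate(carrier: str) -> int:
    """Sum of per-axis risk; 0 means LOW on every axis."""
    return sum(RISK[s] for s in SCORES[carrier])


def in_degree() -> Dict[str, int]:
    """Incoming carrier dependencies per carrier."""
    deg = {c: 0 for c in SCORES}
    for _, consumer in EDGES.values():
        deg[consumer] += 1
    return deg


def root_producers() -> List[str]:
    """Carriers nothing feeds into: the only ones that can be born alone."""
    return sorted(c for c, d in in_degree().items() if d == 0)


def hub() -> str:
    """The carrier with the most incoming edges (the mega-coupling risk)."""
    deg = in_degree()
    return max(deg, key=deg.get)


def ranking() -> List[Tuple[str, int]]:
    """Carriers from safest to most risk-loaded (ties broken by name)."""
    return sorted(((c, aggregate(c)) for c in SCORES), key=lambda t: (t[1], t[0]))


def select_lego1() -> Optional[str]:
    """Carrier-choice rule: a root producer with authority risk LOW that is the
    flagged REQUIRED_NOT_PRESENT gap; lowest aggregate wins. None means no safe
    carrier exists, which is the HOLD_NO_SAFE_CARRIER stop described in §8."""
    auth = AXES.index("authority")
    candidates = [c for c in root_producers()
                  if SCORES[c][auth] == "LOW" and c in REQUIRED_NOT_PRESENT]
    return min(candidates, key=aggregate) if candidates else None


if __name__ == "__main__":
    print("roots:", root_producers(), "hub:", hub())
    print("ranking:", ranking())
    print("LEGO #1:", select_lego1())
```

Under these scores C1 and C4 are the only root producers with LOW authority risk, and only C1 is the flagged gap, which reproduces the decision; C2 and C3 tie on aggregate, matching the table's "most coupled" and "most authority-loaded" labels being different failure modes rather than different magnitudes.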

4. Decision: LEGO #1 = C1

Chosen carrier: C1 — the canonical_operation vocabulary contract carrier.

Why chosen (five required points, §1.2 carrier-choice rule):

  1. Identified from the accepted C1–C7 surface — C1 is carrier P2-C1, a named member of the accepted minimal carrier set.
  2. Lowest assembly risk — SAFEST on the aggregate of all nine axes (§3).
  3. Safest for first assembly because it is a root producer with zero incoming carrier dependencies; it carries the lowest authority risk (a vocabulary of governed operation values is reference data: it mints no owner, grants no approval, registers no DOT); it has the cleanest local versioned-supersession rollback (retire a value/version, keep it resolvable, add a successor mapping, never destructive deletion); and it is the live-confirmed REQUIRED_NOT_PRESENT gap (high value, since canonical_operation is a direct input to effect_identity).
  4. Why safer than alternatives: C2 is the dependency hub (consumes E1–E6 — building it first = mega-coupling); C3 is the founding-owner mint (highest authority risk / bootstrap); C7's president principal surface does not exist; C4/C5/C6 are safe-ish but each is a producer that ultimately exists to feed C2 and none is the flagged prerequisite gap. C1 is the only carrier that is simultaneously a root, low-authority, and the explicitly-required-not-present prerequisite.
  5. Why it can be built independently: C1 is born as a standalone governed vocabulary table; tested by its own fixtures (vocabulary present/absent; value valid/invalid; register_dot ≠ default; founding/scope ≠ register_dot); changed per-value/per-version under protocol_version; rolled back by marking a value/version superseded (local, no cross-carrier mutation, I9); joined to C2 only by reference (C2 looks up canonical_operation, never inlines it). No other carrier must exist or mutate for C1 to be born, tested, changed, or rolled back.

5. Exact assembly unit

The C1 assembly unit is: a single governed vocabulary contract that defines the set of valid canonical_operation values per governed act type, with protocol_version, a per-value status (active/superseded/retired), a successor-mapping field, and an admission rule that every value is itself a governed entry. Proposed design-only artifact name (NOT created): table governance_canonical_operation_vocab. The unit is one table + its admission/versioning contract + its fixtures + its rollback rule — nothing more.
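The assembly unit and the fixture set from point 5 of the decision can be expressed as a design-level model. The following is an added illustration, not the project's code and not the authorized build: it models one standalone table with protocol_version, per-value status (active/superseded/retired), a successor-mapping field, the admission rule, and the supersede-never-delete rollback rule. governance_canonical_operation_vocab is the page's proposed design-only name; the act types, values and version numbers are constructed fixtures (register_dot, founding, scope are taken from the fixture list, not from an authoritative value list, which the page says must not be invented).

```python
"""Design-level model of the C1 canonical_operation vocabulary contract (added
illustration, not the project's code). governance_canonical_operation_vocab is
the page's proposed design-only name; act types, values and protocol_version
numbers below are CONSTRUCTED fixtures, not the authoritative value list."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

ACTIVE, SUPERSEDED, RETIRED = "active", "superseded", "retired"


@dataclass(frozen=True)
class VocabRow:
    act_type: str                    # governed act type the value belongs to
    value: str                       # the canonical_operation value itself
    protocol_version: int            # version of the last admission/change
    status: str = ACTIVE             # active | superseded | retired
    successor: Optional[str] = None  # successor mapping once superseded


class VocabularyAbsent(LookupError):
    """No vocabulary for the act type (the REQUIRED_NOT_PRESENT case)."""


class InvalidValue(ValueError):
    """Value is not an admitted, resolvable canonical_operation."""


class CanonicalOperationVocab:
    """One standalone table keyed by (act_type, value); it references no other
    carrier, so C1 stays a root producer with no incoming edge."""

    def __init__(self) -> None:
        self._rows: Dict[Tuple[str, str], VocabRow] = {}

    def admit(self, act_type: str, value: str, protocol_version: int) -> None:
        # Admission rule: every value is itself a governed entry, admitted once.
        if (act_type, value) in self._rows:
            raise InvalidValue(f"{value!r} already admitted for {act_type}")
        self._rows[(act_type, value)] = VocabRow(act_type, value, protocol_version)

    def is_valid(self, act_type: str, value: str) -> bool:
        row = self._rows.get((act_type, value))  # valid = present AND active
        return row is not None and row.status == ACTIVE

    def resolve(self, act_type: str, value: str) -> VocabRow:
        """Active row for value, following successor mappings. Superseded values
        stay resolvable; retired, unknown or cyclic ones fail closed."""
        if not any(k[0] == act_type for k in self._rows):
            raise VocabularyAbsent(act_type)
        seen: Set[str] = set()
        current = value
        while current not in seen:
            seen.add(current)
            row = self._rows.get((act_type, current))
            if row is None:
                raise InvalidValue(f"{current!r} is not governed for {act_type}")
            if row.status == ACTIVE:
                return row
            if row.status == RETIRED or row.successor is None:
                raise InvalidValue(f"{current!r} is {row.status} with no successor")
            current = row.successor
        raise InvalidValue(f"successor cycle at {current!r}")

    def supersede(self, act_type: str, old: str, new: str, protocol_version: int) -> None:
        """Rollback/change rule: mark old superseded under the new protocol_version
        and map it to new (admitting new first if needed). Rows are replaced in
        place and never deleted: local, no cross-carrier mutation (I9)."""
        if (act_type, old) not in self._rows:
            raise InvalidValue(f"cannot supersede unknown value {old!r}")
        if (act_type, new) not in self._rows:
            self.admit(act_type, new, protocol_version)
        self._rows[(act_type, old)] = replace(
            self._rows[(act_type, old)], status=SUPERSEDED, successor=new,
            protocol_version=protocol_version)


def run_fixtures() -> Dict[str, bool]:
    """The fixture set listed under the decision, run over CONSTRUCTED values."""
    vocab, results = CanonicalOperationVocab(), {}
    try:  # vocabulary absent: lookup must fail closed
        vocab.resolve("dot_registration", "register_dot")
        results["vocabulary_absent_fails_closed"] = False
    except VocabularyAbsent:
        results["vocabulary_absent_fails_closed"] = True
    vocab.admit("dot_registration", "register_dot", protocol_version=1)
    vocab.admit("ownership", "founding", protocol_version=1)
    vocab.admit("ownership", "scope", protocol_version=1)
    results["vocabulary_present"] = vocab.is_valid("dot_registration", "register_dot")
    results["invalid_value_rejected"] = not vocab.is_valid("dot_registration", "bogus_op")
    # register_dot != default: no implicit "default" value was ever admitted
    results["register_dot_not_default"] = not vocab.is_valid("dot_registration", "default")
    # founding / scope resolve to themselves, never to register_dot
    results["founding_scope_not_register_dot"] = all(
        vocab.resolve("ownership", v).value == v for v in ("founding", "scope"))
    # rollback by supersession: old value stays resolvable and maps to its successor
    vocab.supersede("dot_registration", "register_dot", "register_dot_v2", protocol_version=2)
    results["superseded_value_resolvable"] = (
        vocab.resolve("dot_registration", "register_dot").value == "register_dot_v2"
        and not vocab.is_valid("dot_registration", "register_dot"))
    return results
```

The model deliberately has no foreign key or lookup into any other carrier; a consumer such as C2 would look a value up by (act_type, value) and never inline it, which is the "joined only by reference" property the decision relies on. Resolution fails closed on unknown, retired and cyclic values, so a superseded value that is still referenced elsewhere keeps resolving while a value that was never admitted cannot be smuggled in.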

6. Explicitly out of scope (for LEGO #1)

  • C2 schema, C3 owner/scope rows, C4 hash carrier, C5 policy refs, C6 nonce, C7 approval/quorum/principal — none is built or touched.
  • No effect_identity / authorization_binding_digest computation.
  • No owner mint, no approval, no quorum, no register_dot, no registration, no activation, no P3.
  • No reuse/overloading of apr_action_types or dot_operations to "stand in for" the vocabulary (that would be coupling/scope drift).
  • No invention of the authoritative canonical_operation value list (each value is a governed entry added under the authorized build).

7. What would count as accidental scope drift

  • Adding any column/edge that makes C1 consume another carrier (turning the root into a non-root).
  • Writing a canonical_operation value that names an authority/owner/approval effect rather than a pure operation type.
  • Letting C1 build touch governance_object_ownership, approval_requests, or any register_dot path.
  • Bundling C1 with C2 (or any other carrier) into a shared table/lifecycle ("for convenience") ⇒ LEGO_BOUNDARY_INSUFFICIENT (XBI-6) / mega-registry.
  • Treating Gate A baseline acceptance as authorization to populate the vocabulary now (that is a Gate-B + Chairman act).

8. No safe candidate? — N/A

A safe candidate exists (C1), so the macro does not stop at READY_TO_ASSEMBLE_LEGO1_HOLD_NO_SAFE_CARRIER, and the user is not asked to choose (per §1.2, the Agent is authorized to choose and a safe candidate was found).

9. Boundary attestation

This file selects a carrier at design level. It creates no carrier, writes no row, opens no P2/lane, and clears no blocker. REGISTRATION_HOLD retained; REGISTRATION_CAN_PROCEED = NO; 0 runtime mutations; Job A not reopened; I1–I10 not weakened.
