READY-TO-ASSEMBLE-LEGO1 04 — C1 Carrier-Specific Contract Boundary — 2026-06-22
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations.
Carrier: C1 — canonical_operation vocabulary contract. Runtime/write status of every boundary below: NOT_EXECUTED.
1. C1 design-only schema (the contract surface, NOT created)
Proposed governed table governance_canonical_operation_vocab (design-only; not created by this package):
| Field | Type | Role |
|---|---|---|
| operation_code | text PK | the governed canonical_operation value (e.g. a founding/scope/register operation type) |
| protocol_version | text | versioned vocabulary/canonicalization contract |
| act_type | text | governed act type the value is valid for |
| status | text | active / superseded / retired (never hard-deleted) |
| successor_code | text NULL | successor mapping when superseded/retired |
| governing_authority_ref | text | the governed entry's own authority reference (each value is itself governed) |
| created_at/by, superseded_at/by, rollback_ref | — | audit + supersession + rollback affordances (mirrors live governance_object_ownership conventions, file 02 §3.3) |
This shape is value-independent: the schema, constraints, admission rule, versioning, tests and rollback do not depend on which operation_code values exist. The authoritative values are added during the authorized build, each as its own governed entry (never invented here).
2. The four LEGO boundaries
2.1 Generate separately
- Required input: a protocol_version, an act_type, a candidate operation_code, and the value's own governing_authority_ref.
- Expected output: one governed vocabulary row (status active).
- Valid example: add operation_code='register_dot' for act_type='dot_registration' as one value example (closeout: register_dot is one value, not the default).
- Invalid example: add a value whose operation_code names an authority/owner effect (e.g. assign_owner) as if it were a pure operation; or default an effect to register_dot.
- Reject code: WRONG_CANONICAL_OPERATION_FOR_EFFECT (authority-named value rejected); CANONICAL_OPERATION_VOCABULARY_REQUIRED_NOT_PRESENT (resolving against a non-existent table); VOCABULARY_RUNTIME_OVERCLAIM (R5 — creating runtime rows without separate authorization).
- Evidence/proof source: closeout §F (effect_identity includes canonical_operation; register_dot = one value); RS5B-PATCH2 R1 (canonical_operation ≠ hardcoded register_dot); file 02 §4 (live REQUIRED_NOT_PRESENT).
- Runtime/write status: NOT_EXECUTED.
2.2 Check separately
- Required input: an operation_code + act_type + protocol_version.
- Expected output: VOCAB_LOOKUP_OK (value exists, active, valid for the act type) or a single reject code.
- Valid example: lookup of an active value for its declared act type → VOCAB_LOOKUP_OK.
- Invalid example: lookup of an absent value; lookup of a retired value for a new act; founding/scope act resolving to register_dot.
- Reject code: CANONICAL_OPERATION_VALUE_ABSENT; CANONICAL_OPERATION_RETIRED_FOR_NEW_USE (forward-fail-closed, I6); WRONG_CANONICAL_OPERATION_FOR_EFFECT (founding/scope ≠ register_dot).
- Evidence/proof source: OP-BI-1..4 family (closeout C1 fixtures: register_dot ≠ default, founding/scope ≠ register_dot, vocabulary-absent ⇒ HOLD).
- Runtime/write status: NOT_EXECUTED (check is read-only at runtime; design fixture DEFINED_NOT_EXECUTED).
2.3 Update separately
- Required input: a target operation_code, a new protocol_version, and the supersession authority ref.
- Expected output: old value preserved-as-resolvable with status updated and successor_code set under the new version.
- Valid example: supersede v1 value with a v2 value, old value stays resolvable for historical effects, successor mapping recorded.
- Invalid example: mutate the meaning of an existing value in place; drop a value referenced by a historical effect.
- Reject code: ROLLBACK_CHANGES_HISTORICAL_SEMANTICS (RBP-5, in-place re-meaning); ROLLBACK_DELETES_REFERENCED_IDENTITY (RBP-2, drop-while-referenced).
- Evidence/proof source: PATCH1 C1 allowed-rollback (retire by superseded, keep resolvable, add successor); E1 invariants I1/I3/I6.
- Runtime/write status: NOT_EXECUTED.
2.4 Rollback separately
- Required input: a target value/version + a rollback reason + rollback_ref.
- Expected output: value marked superseded/retired, still resolvable; new use fail-closed; rollback audited.
- Valid example: retire a value; historical effects that hashed it still resolve; new use of the retired value is rejected unless a successor maps it.
- Invalid example: delete the value row; reset status so a retired value silently becomes usable again; rollback that requires editing C2.
- Reject code: ROLLBACK_DELETES_REFERENCED_IDENTITY (RBP-2); ROLLBACK_FORWARD_FAIL_CLOSED_VIOLATED (RBP-8); ROLLBACK_NOT_LOCAL (RBP-10, if it needs to touch C2); ROLLBACK_SUCCESSOR_RULE_ABSENT (RBP-7, no successor rule); ROLLBACK_AUDIT_TRAIL_ABSENT (RBP-9, no rollback_ref).
- Evidence/proof source: file 08 (full RBP-0..RBP-10 mapping); PATCH1 C1 postcondition; XBI-11/17/26.
- Runtime/write status: NOT_EXECUTED.
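
An added sketch, not part of this package and not the governed implementation: an in-memory Python model of the Check (2.2) and Rollback (2.4) boundaries, showing retire-without-delete and forward-fail-closed lookup. The act type `founding`, the placeholder refs, the `RETIRED` return marker, and the handling of version and act-type mismatches are assumptions; the rollback reason is omitted and successor mappings are recorded but not followed.

```python
from dataclasses import dataclass

@dataclass
class VocabRow:
    operation_code: str               # PK
    protocol_version: str
    act_type: str
    governing_authority_ref: str
    status: str = "active"            # active / superseded / retired
    successor_code: str = ""
    rollback_ref: str = ""

class Vocab:
    """In-memory stand-in for the design-only table; nothing is persisted."""
    def __init__(self, rows):
        self._rows = {r.operation_code: r for r in rows}

    def check(self, operation_code, act_type, protocol_version):
        """Check boundary (2.2): read-only, returns exactly one code."""
        row = self._rows.get(operation_code)
        # Assumption: a protocol_version mismatch is reported as absent.
        if row is None or row.protocol_version != protocol_version:
            return "CANONICAL_OPERATION_VALUE_ABSENT"
        # Assumption: a value not valid for the act type gets this code.
        if row.act_type != act_type:
            return "WRONG_CANONICAL_OPERATION_FOR_EFFECT"
        if row.status != "active":    # forward-fail-closed for new use
            return "CANONICAL_OPERATION_RETIRED_FOR_NEW_USE"
        return "VOCAB_LOOKUP_OK"

    def resolve_historical(self, operation_code):  # rows are never deleted
        return self._rows.get(operation_code)

    def retire(self, operation_code, rollback_ref, successor_code=""):
        # Rollback boundary (2.4): local status change, refused without audit ref.
        if not rollback_ref:
            return "ROLLBACK_AUDIT_TRAIL_ABSENT"
        row = self._rows[operation_code]
        row.status, row.successor_code, row.rollback_ref = "retired", successor_code, rollback_ref
        return "RETIRED"              # hypothetical success marker

def demo():                           # all values below are constructed
    v = Vocab([VocabRow("register_dot", "v1", "dot_registration", "AUTH-REF-PLACEHOLDER")])
    return [v.check("register_dot", "dot_registration", "v1"),
            v.check("register_dot", "founding", "v1"),
            v.check("unknown_op", "dot_registration", "v1"),
            v.retire("register_dot", rollback_ref=""),
            v.retire("register_dot", rollback_ref="RB-REF-PLACEHOLDER"),
            v.check("register_dot", "dot_registration", "v1"),
            v.resolve_historical("register_dot").status]
```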
3. Join through contract only
C1 joins to the rest of the system through exactly one explicit contract edge: C2 looks up a canonical_operation value via the vocabulary contract (edge E1, file 05). C1 never inlines into C2, and no other carrier joins to C1. The join is a read-only reference from consumer (C2) to producer (C1); there is no reverse edge.
4. Boundary proof table
| Boundary | Input | Output | Valid | Invalid | Reject code | Write status |
|---|---|---|---|---|---|---|
| Generate | version+act+code+authority | active row | register_dot as one value | authority-named value / default-to-register_dot | WRONG_CANONICAL_OPERATION_FOR_EFFECT / VOCABULARY_RUNTIME_OVERCLAIM | NOT_EXECUTED |
| Check | code+act+version | VOCAB_LOOKUP_OK / reject | active value lookup | absent / retired-for-new / founding≠register_dot | CANONICAL_OPERATION_VALUE_ABSENT / …_RETIRED_FOR_NEW_USE / WRONG_CANONICAL_OPERATION_FOR_EFFECT | NOT_EXECUTED |
| Update | code+newversion+authority | superseded+successor | versioned supersession | in-place re-meaning / drop-while-referenced | RBP-5 / RBP-2 | NOT_EXECUTED |
| Rollback | value+reason+rollback_ref | retired+resolvable+audited | retire-with-successor | delete / silent re-enable / cross-carrier edit | RBP-2 / RBP-8 / RBP-10 / RBP-7 / RBP-9 | NOT_EXECUTED |
5. No-mega-registry / no-silent-coupling attestation
- This carrier does not create a mega-registry, mega-graph, or mega-birth pipeline. C1 is a single vocabulary table with one outgoing reference contract; it shares no table or lifecycle with any other carrier.
- It does not silently create other carriers. Building C1 creates only the vocabulary contract; it creates no C2 schema, no owner row, no approval, no nonce, no hash carrier, no register_dot.
- It does not require another carrier to mutate for its own rollback. C1 rollback is local (I9): retire a value/version within governance_canonical_operation_vocab; it never edits C2 or any other carrier ⇒ any plan that would require a cross-carrier edit is rejected ROLLBACK_NOT_LOCAL (RBP-10).
6. Boundary attestation
This file defines a contract boundary at design level. It creates no carrier, writes no row, opens no P2/lane, executes no rollback, and clears no blocker. Every boundary's runtime/write status is NOT_EXECUTED. REGISTRATION_HOLD retained; REGISTRATION_CAN_PROCEED = NO; 0 runtime mutations; I1–I10 not weakened.