RS3B-10 — Registrar Hardening Decision Packet — 2026-06-21
Macro: RS3B-REGISTRAR-HARDENING-DESIGN (read-only / KB-design)
Deliverable: 10 of 10 · Executive decision packet (Objective J)
Date: 2026-06-21 · 0 mutations · NO_CODEX_LIVE_READ
Controlling verdict: RS3B_HOLD_REGISTRAR_SOURCE_NOT_READ
Registration gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO
1. Executive summary
RS3B opened under the Codex gate ACCEPT_RS3_PATCH2_AND_PROCEED_TO_RS3B (READY_FOR_RS3B) with C1–C4 as mandatory inputs. The macro's first required deliverable is to recover and fully read the registrar source bin/dot/dot-dot-register.ts and reconstruct behavior from code. That source is structurally unreadable: the only file channel (VPS read_file) is allowlisted to /opt/incomex/docs, /opt/incomex/dot/specs, /var/log/nginx, and the registrar lives at bin/dot/... (confirmed by the live dot_tools.DOT-REGISTER.file_path), outside every prefix. No KB copy of the source exists (RS3B-01). Per macro §0.5 / §5 and must-not-do #35, the controlling verdict is RS3B_HOLD_REGISTRAR_SOURCE_NOT_READ — PASS is not forced.
The remaining nine read-only deliverables are produced at design/criteria level and each carries its own fail-closed sub-status. Every unproven writer/carrier/provider/surface stays absent from trusted_attested.*; registration stays HOLD.
2. Deliverable roll-up
| # | Deliverable | Sub-status |
|---|---|---|
| 01 | Source recovery + behavior reconstruction | SOURCE_NOT_READ · behavior reconstruction HELD |
| 02 | Dual-writer boundary (register vs catalog-sync) | DUAL_WRITER_BOUNDARY_PARTIAL_SOURCE_NOT_READ |
| 03 | Single-artifact registrar contract v0.1 | CONTRACT_CRITERIA_DEFINED_PENDING_SOURCE |
| 04 | Interface F deployed-artifact resolver v0.1 | INTERFACE_F_CARRIER_SOURCE_UNPROVEN_FAIL_CLOSED |
| 05 | Replay / idempotency / attempt state machine v0.1 | REPLAY_DOMAIN_FAIL_CLOSED_UNTIL_SURFACE_FIT_PROVEN · REPLAY_SURFACE_NOT_FIT |
| 06 | Durable failure-audit sink selection | SINK_CANDIDATE_SELECTED_FAIL_CLOSED_UNTIL_IMMUTABILITY_RETENTION_PROVEN (lead: event_outbox) |
| 07 | Pair / guard representation decision | PAIR_GUARD_REPRESENTATION_DERIVED (2 registry rows + 4 content-bound guards; not five) |
| 08 | Trigger side-effect + closed-at-registration | TRIGGER_SIDE_EFFECT_INVENTORIED (activation surface = trg_context_pack_dot_register) |
| 09 | Adversarial / fail-open matrix | ADVERSARIAL_MATRIX_DEFINED_NOT_EXECUTED (40 cases) |
| 10 | This decision packet | — |
3. Codex C1–C4 consumption
- C1 (three identities): RS3B-05 §1 splits logical_request_key / authorization_nonce / attempt_id; a fresh nonce cannot re-authorize a duplicate logical effect; attempt_id is non-keying.
- C2 (txn/rollback): RS3B-05 §3 single atomic Phase-1 (consume + inert registration together); S1 pre-commit rollback + uncertain-commit recovery, S2 exact-retry returns prior, S3 post-commit verify fail keeps key consumed + compensation only.
- C3 (freshness ≠ consumed-erasure): RS3B-05 §4 retention/tombstone for the replay horizon; stale request inadmissible but consumed key still blocks.
- C4 (status-first labels): all carriers stay SOURCE_UNPROVEN_FAIL_CLOSED / REUSE_CANDIDATE_PRECEDENT; "HBA target" never shortened to "HBA proven" (RS3B-04, RS3B-06).
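
The admission rules in C1, the S2 case of C2, and C3 can be sketched as an in-memory ledger. This is an added example, not code from the registrar or from RS3B-05; the class, field names, decision labels and the two time windows are assumptions, and S1/S3 rollback and compensation are out of scope.

```typescript
// Added sketch: field names, decision labels and time windows are assumptions.
type Decision = "ADMIT" | "RETURN_PRIOR" | "REJECT_STALE"
  | "REJECT_DUPLICATE_EFFECT" | "REJECT_NONCE_REUSE";

interface RegisterRequest {
  logicalRequestKey: string;  // identifies the logical effect; the replay key
  authorizationNonce: string; // single-use authorization for that effect
  attemptId: string;          // per-try trace label; never consulted below
  issuedAtMs: number;
}
interface Tombstone { nonce: string; resultId: string; consumedAtMs: number; }
interface Outcome { decision: Decision; resultId?: string; }

class ReplayLedger {
  private consumed = new Map<string, Tombstone>(); // logical key -> tombstone
  private spentNonces = new Set<string>();
  private freshnessMs: number;
  private horizonMs: number;

  constructor(freshnessMs: number, horizonMs: number) {
    // Assumed invariant: tombstones must outlive any still-fresh request.
    if (horizonMs < freshnessMs) throw new Error("replay horizon < freshness window");
    this.freshnessMs = freshnessMs;
    this.horizonMs = horizonMs;
  }

  decide(req: RegisterRequest, nowMs: number): Outcome {
    // Freshness gates admission only; it never erases a tombstone (C3).
    if (nowMs - req.issuedAtMs > this.freshnessMs) return { decision: "REJECT_STALE" };

    const prior = this.consumed.get(req.logicalRequestKey);
    if (prior && nowMs - prior.consumedAtMs <= this.horizonMs) {
      // Exact retry returns the prior result (S2); a fresh nonce does not
      // re-authorize the same logical effect (C1).
      return prior.nonce === req.authorizationNonce
        ? { decision: "RETURN_PRIOR", resultId: prior.resultId }
        : { decision: "REJECT_DUPLICATE_EFFECT" };
    }
    // A nonce spent on one logical key cannot authorize another.
    if (this.spentNonces.has(req.authorizationNonce)) return { decision: "REJECT_NONCE_REUSE" };

    // Consume key and nonce and record the result together, standing in for
    // the single atomic Phase-1 transaction.
    const resultId = "reg:" + req.logicalRequestKey;
    this.consumed.set(req.logicalRequestKey,
      { nonce: req.authorizationNonce, resultId, consumedAtMs: nowMs });
    this.spentNonces.add(req.authorizationNonce);
    return { decision: "ADMIT", resultId };
  }
}
```

A durable implementation needs the consume and the inert registration in one database transaction; the in-memory maps here only show the decision order.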
4. Gap report (single-sufficient blockers)
| Gap | Evidence | Blocks |
|---|---|---|
| G1 registrar source unreadable | allowlist denies bin/dot/dot-dot-register.ts; no KB copy | behavior reconstruction, contract reconciliation, dual-writer write/clobber proof |
| G2 owner of record = 0 rows | governance_object_ownership = 0; assign_governance_owner has no function + unimplemented | owner binding (A38) |
| G3 no register_dot action | apr_action_types = 14, none is register_dot; register-shaped codes all high-risk + unimplemented | APR-bound-to-artifact (A39) |
| G4 no artifact-hash carrier | dot_tools no hash column; snapshot hash nullable/unbound; context_pack_manifest sha256 not-null but no UNIQUE/immutability/observer | interface F (A10–A16) |
| G5 no fit replay surface | iu_route_attempt = retry ledger UNIQUE(idempotency_key,attempt_no), wrong domain | single-use replay (A22–A31) |
| G6 no immutable audit sink | no UPDATE/DELETE-blocking trigger on event_outbox/registry_changelog/governance_audit_log | durable failure audit (A32–A33) |
| G7 activation side-effect | trg_context_pack_dot_register → pg_notify on watch-tier + status='active' | closed-at-registration (A34) |
Each of G1–G7 is independently sufficient to keep registration on HOLD. G1 is upstream-most for code-level hardening; G2 (owner-of-record) remains the deciding authority blocker carried from RS2/RS3.
5. Single next recommendation
Recover the registrar source before any further registrar hardening: extend the read_file allowlist to the directory holding bin/dot/dot-dot-register.ts + bin/dot/dot-catalog-sync (or admit a faithful line-level KB source mirror, or provide a read-only git/code channel). Then re-run RS3B-01/02/03 to reconcile the contract + dual-writer boundary against real code. RS-VALIDATOR-HARDENING stays sequenced after RS3B (registrar/interface ownership must be fixed before the validator consumes the final contract). RS2B-RISK-RESIDUE remains separate. No implementation, no registration, until G1–G7 clear and Owner authorizes.
6. Status block
- Controlling verdict: RS3B_HOLD_REGISTRAR_SOURCE_NOT_READ
- Registration gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 mutations
- No-mega-system / DOT-only / reuse-first / no-new-registry all held