RS3C-06 — Rerun: Single-Artifact Registrar Contract, Source-Aware — 2026-06-21

Macro: RS3C (Mục tiêu C, reruns RS3B-03) · Deliverable: 06 of 13 Inputs: RS3C-03 registrar reconstruction (source 31d5cf15…). Date: 2026-06-21 · read-only · 0 mutations

---

1. The contradiction (do not hide it)

The RS3B-03 target is a single-artifact contract: accept one scalar DOT + one artifact, reject lists/globs/all-untracked, separate proposed vs attested, structured reject codes, post-commit verifier, no activation.

The operational registrar source does the opposite of the input contract:

Contract clause (RS3B-03 target)	Operational source behavior	Verdict	Evidence
Accept exactly one DOT + one artifact	scans all dot-* and loops over every untracked file	CONTRADICTED	RS3C-03 B4–B6 (L121, L131)
Reject globs / all-untracked input	glob is the input model (ls .../dot-*)	CONTRADICTED	L121
Separate request_proposed.* vs trusted_attested.*	caller-derived heuristic fields posted directly as truth	CONTRADICTED	RS3C-03 B13–B14
Structured output / reject codes	logs [OK]/[WARN] text; fail-open (curl exit, not HTTP code)	CONTRADICTED	RS3C-03 B18
Inert/valid non-active status at registration	status:"active" hardcoded	CONTRADICTED	RS3C-03 B12 (L173)
Post-commit verifier required	none in source; pairing is a text field only	ABSENT	RS3C-03 B15, B22
Prohibit activation	active insert fires context-pack notify	VIOLATED	RS3C-03 B17
Atomic transaction boundary	independent POST per file, no txn	ABSENT	RS3C-03 B16
Deployed-artifact hash bound	no hash carried; 0 hash cols	ABSENT	RS3C-03 B20

2. Actual risk classification (source mass-registers)

Per macro Mục tiêu C ("if source mass-registers, classify actual risk"):

• Severity: HIGH / fail-open. A single real-run invocation enumerates the entire dot-* directory and attempts to register every file not matched by the (defective) dedup grep, each as status:"active", each firing the activation trigger, with no transaction and fail-open success logging.
• Blast radius: bounded by the directory contents (~165 dot-* files observed in the recovered web-test/dot/bin/ listing) and by which already have a substring-matching file_path in dot_tools. Because the dedup compares absolute disk paths against normalized/relative stored paths (RS3C-03 B8) and 81/309 rows have NULL file_path (excluded from the dedup SELECT), the practical effect is broad over-registration / duplicate creation, not a clean no-op.
• Why it has not already corrupted the registry: dot_tools.DOT-REGISTER.last_executed IS NULL and no UNIQUE constraint exists, so the registrar appears not to have run in real mode against the current registry recently; the risk is latent, realized on next real-run.
• Containment today: the danger is gated only by not invoking the tool in real mode. There is no in-code safety (no Owner/APR/gate check, RS3C-03 B19).

3. Verdict on the rerun

• SINGLE_ARTIFACT_CONTRACT_CONFLICTS_WITH_SOURCE — the contract is the required hardening target, and the current operational registrar is NON-COMPLIANT with every material clause.
• The contract is not abandoned; it stands as the spec the registrar must be rewritten/replaced to satisfy. The source proves the gap is real and large, not cosmetic.
• This is a primary basis for the package finding SOURCE_CONFIRMS_UNSAFE_REGISTRAR_BEHAVIOR and for keeping REGISTRATION_HOLD.

4. Required transformation (criteria only — no implementation here)

To make a compliant registrar (future macro, not now): replace mass-glob with a one-target argument; reject lists/globs; bind one deployed-artifact hash; write a single inert row inside one transaction; verify-readback post-commit; emit structured reject codes; check HTTP status (use curl --fail + readback); add Owner/APR authority binding; add a DB UNIQUE on the identity axis; do not set status=active at registration.

5. Status

• Deliverable: SINGLE_ARTIFACT_CONTRACT_CONFLICTS_WITH_SOURCE (contract = target; source = non-compliant).
• Registration gate unchanged: REGISTRATION_HOLD · CAN_PROCEED = NO.