RS3C-07 — Rerun: Replay / Nonce / Logical-Key / Attempt State Machine (C1) — 2026-06-21
Macro: RS3C (Objective D, reruns RS3B-05) · Deliverable: 07 of 13
Codex C1: "define durable single-use consumption for `authorization_nonce` separately from `logical_request_key`." RS3B-05 specified uniqueness on `replay_key` but did not separately persist the nonce consume record. Fixed here.
Date: 2026-06-21 · read-only · 0 mutations · design-criteria (no schema created)
1. Three distinct identities (must never be conflated)
| Identity | Meaning | Durable constraint REQUIRED | Must NOT |
|---|---|---|---|
| `logical_request_key` | "what effect is being requested" — canonical (operation, target, deployed_artifact_hash, owner/approval binding) | `logical_request_key_unique` — one committed effect per logical key | be bypassed by a new attempt or fresh nonce |
| `authorization_nonce` | "this specific authorization grant, single-use" — issued by the authority, consumed once | `authorization_nonce_unique` — separate durable consume row, one consume per nonce | be reused across two requests; be inferred from the logical key |
| `attempt_id` | "this execution attempt" — retry/runtime identity | `attempt_id_not_unique_for_effect` — attempts may recur; `attempt_id` is NON-keying for the effect | ever be the uniqueness axis that admits an effect |
Required, explicit (per macro §1.4):
- `logical_request_key_unique` ✅ (effect-level uniqueness)
- `authorization_nonce_unique` ✅ (separate durable single-use consume — the C1 fix)
- `attempt_id_not_unique_for_effect` ✅ (attempt identity never gates the effect)
2. Why two independent constraints, not one
RS3B-05 collapsed authorization into `replay_key = H(…, owner_or_approval_binding, …, nonce, …)`. Codex C1 is correct: a hash that includes the nonce proves the nonce was present, not that it was consumed exactly once. Single-use is a state transition (issued → consumed), which needs its own durable, uniquely-constrained record, separate from the effect-uniqueness record. Two independent unique constraints:
- Effect axis: `UNIQUE(logical_request_key)` (equivalently `UNIQUE(replay_key)` where `replay_key` is the canonical effect digest excluding the nonce, or with the nonce as a non-identity attribute) — guarantees one committed effect per logical request.
- Authorization axis: `UNIQUE(authorization_nonce)` on a dedicated consume record — guarantees the grant is spent once, independent of which effect or attempt used it.
3. Does existing code/source have idempotency behavior? (macro §1.4 #5)
YES, and it is defective — not a usable replay surface.
- The registrar's only idempotency is the unanchored `grep -qF "$filepath"` against `SELECT file_path FROM dot_tools WHERE file_path IS NOT NULL` (RS3C-03 B7–B8). It compares absolute disk paths to normalized/relative stored paths → never matches → fails open (re-registers).
- There is no DB UNIQUE on `dot_tools` (only `dot_tools_pkey(id)`, RS3C-03 B9) → no backstop.
- There is no nonce, no logical key, no attempt record anywhere in the registrar.
- Conclusion: the source provides no fit-for-purpose idempotency and no replay/authorization surface. This is `REPLAY_SURFACE_NOT_FIT` confirmed at source level.
4. Candidate existing surface — iu_route_attempt — REJECTED as the store
Fresh constraint read (pg_constraint, 2026-06-21):

```
iu_route_attempt_pkey        PRIMARY KEY (id)
iu_route_attempt_idem_uniq   UNIQUE (idempotency_key, attempt_no)
iu_route_attempt_no_chk      CHECK (attempt_no >= 1)
iu_route_attempt_kind_chk    CHECK (route_kind IN ('inbound','outbound'))
iu_route_attempt_status_chk  CHECK (status IN ('pending','dry_run','sent','skipped','failed','disabled'))
```
- `UNIQUE(idempotency_key, attempt_no)` is a retry ledger keyed with `attempt_no` — by construction the same key recurs across attempts. It is the opposite of single-use; it admits repeats. `REPLAY_ATTEMPT_NO_BYPASS` confirmed in live schema.
- It binds no nonce, no logical-effect, no `run_id` columns; `route_kind` is IU-routing (inbound/outbound), not registration.
- Verdict: `iu_route_attempt` is NOT the replay/authorization store. Reusing it would let `attempt_no` bypass the logical key — forbidden (must-not-do #23).
5. Required surface criteria (defined, not invented as built)
A fit replay/authorization surface (future, governed; not created here) must provide, in one atomic transaction with the inert registration:
- Effect record with `UNIQUE(logical_request_key)` (or `UNIQUE(replay_key)` excluding nonce-as-identity).
- Nonce consume record with `UNIQUE(authorization_nonce)`, written in the same transaction as the effect (C1: separate durable consume).
- Attempt record keyed by `attempt_id` that is non-unique for the effect (FK to the effect, but never the admission gate).
- Atomic Phase-1: {consume nonce, write inert effect, record attempt} commit together; pre-commit failure rolls all back (no orphan consume, no orphan row).
- Post-commit verification failure retains the consumed nonce + logical key (does not "un-consume"); only compensation is allowed.
- Freshness/retention does not erase consumed state (must-not-do #24).
6. The ten required behaviors (macro §1.4)
| # | Behavior | Specified result |
|---|---|---|
| 1 | `logical_request_key` durable uniqueness | `UNIQUE(logical_request_key)` — one committed effect per logical request |
| 2 | `authorization_nonce` durable single-use | separate `UNIQUE(authorization_nonce)` consume row (C1 fix) |
| 3 | `attempt_id` non-keying execution identity | attempts recur; never the uniqueness axis (`attempt_id_not_unique_for_effect`) |
| 4 | One surface carrying both? | Allowed only if one state record has two independent unique constraints (logical_request_key AND authorization_nonce) with explicit issued→consumed transitions; otherwise two records. A single UNIQUE(idempotency_key, attempt_no) is insufficient (admits repeats). |
| 5 | Existing code idempotency? | YES but defective + no DB backstop (§3) → not usable |
| 6 | If no surface fits | define required surface (§5) — REPLAY_DOMAIN_FAIL_CLOSED_UNTIL_SURFACE_FIT_PROVEN |
| 7 | Exact retry (same logical key + same nonce already consumed) | return the prior committed decision; perform no new effect (idempotent replay) |
| 8 | Fresh nonce, duplicate logical effect | REJECT — logical_request_key already committed; a new nonce must not buy a second identical effect |
| 9 | Stale request vs consumed-state | consumed-state wins; staleness/freshness never re-opens a consumed nonce or already-committed key |
| 10 | Compensation-only post-commit failure | logical key + nonce remain consumed; remediate via compensation, never by replay/re-consume |
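Added example (not part of this deliverable, and not the project's schema or code): the two-axis model of §2, the rejected ledger shape of §4, and the Phase-1 criteria of §5 driven through behaviors 7, 8 and 10 from the table above, modelled in Python on SQLite. The table names `effect`, `nonce_consume` and `attempt`, the `decision`/`state` columns, and the constructed inputs (`register_tool`, `nonce-A`, `attempt-1`, …) are assumptions for illustration; the live target is PostgreSQL, and SQLite stands in only so the block runs offline.

```python
import hashlib
import json
import sqlite3


def logical_request_key(operation, target, artifact_hash, approval_binding):
    """Canonical effect digest. The nonce is deliberately NOT part of the identity."""
    payload = json.dumps([operation, target, artifact_hash, approval_binding], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


# Assumed table/column names for illustration; this is not the project's schema.
SCHEMA = """
CREATE TABLE effect (
  logical_request_key TEXT PRIMARY KEY,   -- effect axis: one committed effect per key
  decision TEXT NOT NULL,
  state TEXT NOT NULL CHECK (state IN ('inert', 'verified', 'compensated')));
CREATE TABLE nonce_consume (
  authorization_nonce TEXT PRIMARY KEY,   -- authorization axis: one consume per nonce
  logical_request_key TEXT NOT NULL REFERENCES effect(logical_request_key));
CREATE TABLE attempt (
  attempt_id TEXT NOT NULL,               -- non-keying: deliberately no UNIQUE here
  logical_request_key TEXT NOT NULL REFERENCES effect(logical_request_key),
  outcome TEXT NOT NULL);
"""


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def admit(conn, key, nonce, attempt_id):
    """Phase-1 admission: only the ADMITTED path writes an effect, and it writes all three rows at once."""
    prior = conn.execute("SELECT decision FROM effect WHERE logical_request_key = ?", (key,)).fetchone()
    spent_on = conn.execute("SELECT logical_request_key FROM nonce_consume WHERE authorization_nonce = ?",
                            (nonce,)).fetchone()
    if prior is not None:
        if spent_on is not None and spent_on[0] == key:
            # Behavior 7: exact retry -> return the prior decision, perform no new effect.
            with conn:
                conn.execute("INSERT INTO attempt VALUES (?, ?, 'replayed')", (attempt_id, key))
            return "REPLAY", prior[0]
        # Behavior 8: fresh nonce, duplicate logical effect -> REJECT; the nonce is NOT consumed.
        with conn:
            conn.execute("INSERT INTO attempt VALUES (?, ?, 'rejected_duplicate_effect')", (attempt_id, key))
        return "REJECT", "logical_request_key already committed"
    if spent_on is not None:
        # The grant was already spent on a different effect: a nonce is never reused across requests.
        return "REJECT", "authorization_nonce already consumed"
    try:
        with conn:  # atomic Phase-1: all three rows commit together, or none of them persist
            conn.execute("INSERT INTO effect VALUES (?, 'ADMITTED_INERT', 'inert')", (key,))
            conn.execute("INSERT INTO nonce_consume VALUES (?, ?)", (nonce, key))
            conn.execute("INSERT INTO attempt VALUES (?, ?, 'admitted')", (attempt_id, key))
    except sqlite3.IntegrityError as exc:
        # A racing writer won on one axis; the UNIQUE constraints backstop the check-then-insert above.
        return "REJECT", f"unique constraint: {exc}"
    return "ADMITTED_INERT", key


def post_commit_verification_failed(conn, key):
    """Behavior 10: compensation only. Key and nonce stay consumed; nothing is 'un-consumed'."""
    with conn:
        conn.execute("UPDATE effect SET state = 'compensated' WHERE logical_request_key = ?", (key,))


def attempt_no_ledger_admits_repeats():
    """The rejected shape from section 4: UNIQUE(idempotency_key, attempt_no) lets one key recur."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ledger (idempotency_key TEXT NOT NULL, attempt_no INTEGER NOT NULL "
                 "CHECK (attempt_no >= 1), UNIQUE (idempotency_key, attempt_no))")
    conn.execute("INSERT INTO ledger VALUES ('k1', 1)")
    conn.execute("INSERT INTO ledger VALUES ('k1', 2)")  # admitted: attempt_no is the bypass
    return conn.execute("SELECT COUNT(*) FROM ledger WHERE idempotency_key = 'k1'").fetchone()[0]


def walkthrough():
    """Drives behaviors 7, 8 and 10 on constructed inputs and returns each verdict."""
    conn = open_store()
    key = logical_request_key("register_tool", "tools/example.sh", "sha256:deadbeef", "owner:alice")
    other = logical_request_key("register_tool", "tools/other.sh", "sha256:cafef00d", "owner:alice")
    out = {"first": admit(conn, key, "nonce-A", "attempt-1")[0]}
    out["exact_retry"] = admit(conn, key, "nonce-A", "attempt-2")[0]
    out["fresh_nonce_same_effect"] = admit(conn, key, "nonce-B", "attempt-3")[0]
    out["spent_nonce_other_effect"] = admit(conn, other, "nonce-A", "attempt-4")[0]
    post_commit_verification_failed(conn, key)
    out["after_compensation"] = admit(conn, key, "nonce-C", "attempt-5")[0]
    out["attempts_recorded"] = conn.execute("SELECT COUNT(*) FROM attempt").fetchone()[0]
    out["nonces_consumed"] = conn.execute("SELECT COUNT(*) FROM nonce_consume").fetchone()[0]
    out["attempt_no_ledger_rows"] = attempt_no_ledger_admits_repeats()
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The two SELECTs in `admit` only classify the request (replay, reject or admit); under concurrency it is the two PRIMARY KEY/UNIQUE axes that hold, which is why the insert path catches `IntegrityError` and treats it as a rejection rather than trusting the earlier reads. `with conn` maps to one transaction, so a failed insert on either axis leaves neither an orphan consume row nor an orphan effect. Note that after `post_commit_verification_failed` the effect row is only marked `compensated`; a retry with a fresh nonce still rejects, and the attempt table keeps growing because `attempt_id` never gates admission.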
7. Status
- Deliverable: `REPLAY_C1_RESOLVED_AT_DESIGN` — `authorization_nonce_unique` now specified as a separate durable consume, distinct from `logical_request_key_unique`; `attempt_id_not_unique_for_effect` retained.
- Live confirmation: `iu_route_attempt` rejected (retry ledger, `REPLAY_ATTEMPT_NO_BYPASS`); no fit surface exists → `REPLAY_DOMAIN_FAIL_CLOSED`.
- Not `RS3C_HOLD_REPLAY_NONCE_MODEL_INSUFFICIENT`: the model is now sufficient at design level (two independent constraints); it stays fail-closed only because no surface is built — which is correct (no schema created here).
- Registration gate unchanged: `REGISTRATION_HOLD` · `CAN_PROCEED = NO`.