RS3C-11 — Decision Packet — 2026-06-21
Macro: RS3C — SOURCE RECOVERY + RS3B AFFECTED RERUN · Deliverable: 11 of 13 · Date: 2026-06-21 · read-only · 0 DB/domain/runtime mutations · 0 operational config changes
1. Verdict
PACKAGE VERDICT: RS3C_READY_FOR_CODEX_REVIEW
(source recovered + hash-verified, RS3B-01/02/03/05/07/08 reruns complete, Codex C1/C2/C3 incorporated)
CONTROLLING SOURCE FINDING: SOURCE_CONFIRMS_UNSAFE_REGISTRAR_BEHAVIOR
(the deployed OPERATIONAL registrar is non-compliant with the single-artifact / closed-at-registration / authority / atomicity targets)
REGISTRATION GATE: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO
Read precisely:
READY_FOR_CODEX_REVIEW means the work product (source recovery + reruns) is complete and ready for independent review. It is not a registrar PASS and not registration approval. The source proves the current registrar must be hardened/replaced before any registration; the gate stays shut. PASS was not forced.
2. Source recovery result
| Item | Result |
|---|---|
| Channel used | Method 3 (read-only local code channel) + VPS wf_fs_dot_bin_snapshot sha256 cross-check |
| Allowlist patch (Method 1) | NOT performed, NOT required (Method 3 succeeded; allowlist also unreachable with available tools) |
| Registrar source | RECOVERED & HASH-VERIFIED — 31d5cf15… == deployed OPERATIONAL |
| Catalog-sync source | RECOVERED & HASH-VERIFIED — 7dd84cda… == deployed OPERATIONAL |
| Mutations | 0 (read-only throughout) |
3. Codex correction status
| Correction | Requirement | Status | Where |
|---|---|---|---|
| C1 | authorization_nonce separate durable single-use consume, distinct from logical_request_key | RESOLVED (design) — logical_request_key_unique + separate authorization_nonce_unique + attempt_id_not_unique_for_effect; iu_route_attempt rejected | RS3C-07 |
| C2 | Do not infer two rows per target from the registrar's existing pair | CONFIRMED BY SOURCE — one primary row; paired_dot is a field reference to existing DOT-HEALTH-DOT; no auto verifier row | RS3C-08 |
| C3 | Reconcile 14 claimed vs 13 listed triggers | RECONCILED — 13 user triggers (12 enabled + 1 disabled) + 4 internal FK; no missing trigger; RS3B over-counted by one | RS3C-09 |
4. Blocker register (G1–G7 updated + new finding)
| ID | Blocker | Prior (RS3B) | RS3C status | Evidence |
|---|---|---|---|---|
| G1 | Registrar source unreadable | OPEN (upstream-most) | RESOLVED — source recovered & hash-verified | RS3C-01/02 |
| NF1 | Operational registrar unsafe for governed registration | (latent) | OPEN — new controlling source finding | RS3C-03 §4, RS3C-06 |
| G2 | Owner-of-record absent (governance_object_ownership = 0) | OPEN (deciding authority) | OPEN — live 0 rows; registrar has no Owner check | RS3C-03 B19; live count 0 |
| G3 | No register_dot quorum-bound action type | OPEN | OPEN — registrar writes via raw REST, no APR path | RS3C-03 B19 |
| G4 | No deployed-artifact-hash carrier | OPEN | OPEN — dot_tools 0 hash cols; source carries no hash | RS3C-03 B20; live hash_cols=0 |
| G5 | No fit replay/idempotency surface | OPEN | OPEN — iu_route_attempt rejected; source dedup defective + no DB UNIQUE | RS3C-07; RS3C-03 B8–B9 |
| G6 | No durable immutable audit sink | OPEN | OPEN — registrar writes no audit; event_outbox candidate-only | RS3C-03 B22 |
| G7 | Activation side-effect at registration | OPEN | OPEN — status:"active" + trg_context_pack_dot_register | RS3C-03 B12/B17; RS3C-09 §4 |
Deciding authority blocker = G2 (Owner-of-record). Upstream code blocker now = NF1 (the registrar itself), which G1's resolution exposed in full.
5. Live source-tier reads (2026-06-21, read-only)
- dot_tools: 309 rows, 291 active, 0 hash columns, 81 NULL file_path, constraints = only PK(id) (no UNIQUE on code/file_path).
- governance_object_ownership: 0 rows.
- iu_route_attempt: UNIQUE(idempotency_key, attempt_no) + CHECK(attempt_no >= 1) → retry ledger, not single-use.
- dot_tools triggers: 13 user (12 enabled + 1 disabled) + 4 internal FK.
- wf_fs_dot_bin_snapshot: OPERATIONAL hashes for registrar 31d5cf15… and catalog-sync 7dd84cda… (observed 2026-06-21 02:10:14+00).
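An added illustration (not code from this packet or from the registrar) of the replay-surface distinction behind C1 and G5: a composite UNIQUE(idempotency_key, attempt_no) accepts the same key again under the next attempt number, while a separately consumed authorization_nonce does not. It uses in-memory SQLite as a stand-in; all table names are hypothetical, and only the constraint shape and the names logical_request_key and authorization_nonce come from the packet.

```python
import sqlite3

SCHEMA = """
-- Constraint shape reported for iu_route_attempt (table name is a stand-in)
CREATE TABLE retry_ledger (
    idempotency_key TEXT NOT NULL,
    attempt_no      INTEGER NOT NULL CHECK (attempt_no >= 1),
    UNIQUE (idempotency_key, attempt_no)
);
-- Hypothetical tables for the C1 design; only the key names are from the packet
CREATE TABLE attempt (attempt_id INTEGER PRIMARY KEY,
                      logical_request_key TEXT NOT NULL);
CREATE TABLE consumed_nonce (authorization_nonce TEXT NOT NULL UNIQUE,
                             logical_request_key TEXT NOT NULL);
CREATE TABLE effect (logical_request_key TEXT NOT NULL UNIQUE);
"""

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def ledger_rows_after_replay(db, key):
    """Same key under the next attempt_no: the composite UNIQUE accepts it."""
    with db:
        db.execute("INSERT INTO retry_ledger VALUES (?, 1)", (key,))
        db.execute("INSERT INTO retry_ledger VALUES (?, 2)", (key,))
    return db.execute("SELECT COUNT(*) FROM retry_ledger WHERE idempotency_key = ?",
                      (key,)).fetchone()[0]

def register(db, request_key, nonce):
    with db:  # every attempt is recorded; an attempt row never grants an effect
        db.execute("INSERT INTO attempt (logical_request_key) VALUES (?)",
                   (request_key,))
    try:
        with db:  # nonce consume and effect commit together or roll back together
            db.execute("INSERT INTO consumed_nonce VALUES (?, ?)", (nonce, request_key))
            db.execute("INSERT INTO effect VALUES (?)", (request_key,))
    except sqlite3.IntegrityError as exc:
        # SQLite names the violated column as "table.column" in the message
        if "consumed_nonce" in str(exc):
            return "nonce_already_consumed"
        return "duplicate_request"
    return "registered"

def count(db, table):
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
```
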
6. Decision logic applied (macro §2)
- source recovered + rerun complete → RS3C_READY_FOR_CODEX_REVIEW ✅
- trigger count reconciled → not RS3C_HOLD_TRIGGER_INVENTORY_UNRECONCILED ✅
- source does show unsafe behavior → carried as controlling finding SOURCE_CONFIRMS_UNSAFE_REGISTRAR_BEHAVIOR, registration HOLD (gate not opened; package still ready for review) ✅
- dual-writer boundary resolved by source → not RS3C_HOLD_DUAL_WRITER_BOUNDARY_UNPROVEN ✅
- replay nonce model now sufficient at design → not RS3C_HOLD_REPLAY_NONCE_MODEL_INSUFFICIENT ✅
- no scope drift / no fail-open admission → not REJECT_* ✅
7. Single next step
Design (not implement) a compliant replacement/hardening of the registrar against RS3C-06 §4 criteria, gated on the G2 Owner-of-record decision — i.e. the next macro is the registrar-hardening design that consumes the now-recovered source, plus the four envelopes (Owner authority, snapshot evidence, replay surface, durable sink). Do not implement, do not wire/run the DOT, do not open registration, do not patch the live registrar. RS-VALIDATOR-HARDENING and RS2B residue closure remain sequenced after, not bundled.
8. Must-not-do confirmation (this macro)
No DB mutation, no DDL/DML, no DOT register/wire/run, no schema, no APR create/approve, no gate flip, no validator patch, no edit of dot-dot-register / dot-catalog-sync / source-law, no allowlist patch, no service restart, no new registry/table/collection, no RISK-BYPASS clearance, no 142/18 merge or sanction claim, hash treated as integrity-not-signature, caller input not treated as authority, RP-03 prose not substituted for source, PASS not forced.