KB-5F30

RS3C — Codex Review Packet (Source Recovery + Rerun) — 2026-06-21

Revision 1

RS3C — Codex Review Packet (Source Recovery + RS3B Affected Rerun) — 2026-06-21

Macro: RS3C · Deliverable: 12 of 13 (review router) · read-only · 0 mutations

Requested verdict: RS3C_READY_FOR_CODEX_REVIEW with controlling source finding SOURCE_CONFIRMS_UNSAFE_REGISTRAR_BEHAVIOR, REGISTRATION_HOLD.


1. What changed since RS3B (which Codex accepted at HOLD)

RS3B stopped at RS3B_HOLD_REGISTRAR_SOURCE_NOT_READ. Codex accepted the HOLD and ordered source recovery + rerun of 01/02/03/05/07/08 with three corrections (C1 nonce, C2 cardinality, C3 trigger count). All done.

2. Source recovery result (the headline)

  • Both source files recovered and proven byte-identical to the deployed OPERATIONAL VPS files via a read-only local code channel cross-checked against wf_fs_dot_bin_snapshot (same-day, 2026-06-21 02:10 UTC).
    • registrar dot-dot-register sha256 31d5cf15… == OPERATIONAL.
    • dot-catalog-sync sha256 7dd84cda… == OPERATIONAL.
  • No allowlist patch, no service restart, no mutation — Method 3 succeeded; Method 1 was unnecessary and also unreachable with the available tool surface.
  • A stale web-test checkout's registrar matched only the deployed backup (dot-dot-register.bak-s164c, NOISE_BACKUP) and was rejected — fidelity was decided by hash, not by convenience.

3. Does the source confirm or contradict RS3B criteria?

| RS3B criterion | Source verdict |
|---|---|
| Single-artifact contract | CONTRADICTED — registrar mass-scans ls .../dot-* and loops (multi-register) |
| Closed-at-registration / inert | VIOLATED — status:"active" hardcoded |
| Atomic transaction boundary | ABSENT — independent POST per file, no txn/rollback |
| Authority binding | ABSENT — no Owner/APR/gate check in source |
| Artifact-hash carrier | ABSENT — no hash carried; 0 hash cols |
| Dual-writer on registry | DISPROVEN — catalog-sync writes only meta_catalog.record_count, never dot_tools |
| Per-target cardinality (C2) | CONFIRMED one row — paired_dot is a field reference, not a second row |
| Fail-open success logging | CONFIRMED defect — curl exit checked, not HTTP status (no -f) |
| Dedup idempotency | CONFIRMED defective — absolute-vs-normalized path mismatch + no DB UNIQUE |
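
The fail-open success logging row above, shown as an added example (not the registrar's code and not part of the original packet): the exit-only check beside a check that also requires a 2xx status. Function names, the URL argument and the sample outcomes are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example; names and sample outcomes are constructed, not taken from the registrar.

# Weak pattern named in the finding: only curl's exit code is checked.
# Without -f/--fail, curl exits 0 on HTTP 4xx/5xx, so a rejected POST is logged as success.
verdict_exit_only() {            # $1 = curl exit code
    [ "$1" -eq 0 ] && echo OK || echo FAIL
}

# Hardened pattern: require transport success AND a 2xx HTTP status.
verdict_exit_and_status() {      # $1 = curl exit code, $2 = HTTP status
    if [ "$1" -ne 0 ]; then echo FAIL; return; fi
    case "$2" in
        2[0-9][0-9]) echo OK ;;
        *)           echo FAIL ;;
    esac
}

# How the hardened check wraps a real POST (not invoked by the demo below).
# Alternative: curl --fail, which exits 22 on HTTP status >= 400.
post_checked() {                 # $1 = URL (hypothetical), $2 = JSON body file
    rc=0
    status=$(curl -sS -o /dev/null -w '%{http_code}' \
        -H 'Content-Type: application/json' --data-binary "@$2" "$1") || rc=$?
    [ "$(verdict_exit_and_status "$rc" "$status")" = OK ]
}

# Constructed outcomes, one per line: "<curl exit> <http status>".
demo() {
    for outcome in "0 201" "0 401" "0 500" "7 000"; do
        set -- $outcome
        echo "exit=$1 http=$2 weak=$(verdict_exit_only "$1")" \
             "hardened=$(verdict_exit_and_status "$1" "$2")"
    done
}
demo
```

The two checks disagree on the `0 401` and `0 500` rows: the server refused the write, yet the exit-only check records a successful registration.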

4. Corrections incorporated

  • C1: separate durable authorization_nonce_unique consume + logical_request_key_unique + attempt_id_not_unique_for_effect; iu_route_attempt rejected (live UNIQUE(idempotency_key,attempt_no) = retry ledger). → RS3C-07.
  • C2: one primary row per target; control pair (DOT-REGISTER↔DOT-HEALTH-DOT) ≠ per-target two-row rule. → RS3C-08.
  • C3: 13 user triggers (12 enabled + 1 disabled) + 4 internal FK; "14" was an over-count; no missing trigger. → RS3C-09.

5. Remaining blockers

  • NF1 operational registrar unsafe (new controlling source finding).
  • G2 Owner-of-record (governance_object_ownership = 0) — deciding authority.
  • G3 no register_dot action type · G4 no artifact-hash carrier · G5 no fit replay surface · G6 no immutable audit sink · G7 activation side-effect. (G1 source-unreadable = RESOLVED.)

6. Claims, caveats, requested action

  • Claims: source is faithful (hash-proven); behavior reconstruction is fully line-cited; corrections C1–C3 closed; dual-writer & cardinality resolved by source; registration stays HOLD.
  • Caveats: REST DOT_TOKEN scope not provable from the registrar file alone (dot-auth not read) — "ADMIN" only partially supported; behavior of the BEFORE-INSERT triggers (gen_code, fn_birth_gate, fn_validate_dot_origin, fn_normalize_dot_filepath) is inferred from names/timing, function bodies not read this cycle; wf_fs_dot_bin_snapshot hash trusted as integrity, not signature.
  • Requested next step: review RS3C; then a registrar-hardening DESIGN macro consuming the recovered source + four envelopes, gated on the G2 Owner decision. No implementation, no registration.

7. Self-check

No runtime mutation, DDL/DML, DOT register/wire/run, schema, APR create/approve, gate flip, validator patch, source edit, allowlist patch, service restart, RISK-BYPASS clearance, 18/142 merge, Owner-authority claim. PASS not forced; HOLD retained on the gate.

knowledge/dev/laws-new/reports/rs3c/codex-review-packet-rs3c-source-recovery-rerun-2026-06-21.md