RS4A-PATCH1-04 — Persistence Carrier Boundary Correction — 2026-06-21
Macro: RS4A-PATCH1 · Objective D (closes Codex C4 carrier/column disposition)
Deliverable: 04 of 10 · design-only · correction addendum (does NOT overwrite RS4A-02; does NOT create any column/table)
Builds on / corrects: RS4A-02 §3 registered_row_intent.columns, which listed deployed_artifact_hash, owner_envelope_ref, approval_envelope_ref under table: "dot_tools" as if they were persisted columns.
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO
Status: CARRIER_BOUNDARY_SEPARATED — logical envelope fields are now distinct from persisted dot_tools carriers; the envelope carriers are REQUIRED_NOT_PRESENT (fail-closed). No column is implied to exist.
0. The Codex defect this file closes
C4 (Codex §4.3 / §17): "deployed_artifact_hash, owner_envelope_ref, and approval_envelope_ref are shown as dot_tools columns while the package also proves those carriers do not exist. The contract must distinguish logical envelope fields from persisted dot_tools columns and state the fail-closed carrier interface; it must not imply the current table can store them." Codex §17: "REJECT implied current dot_tools carrier columns that the package proves absent."
The defect is a representation error in RS4A-02 §3: the write-intent block nested the envelope fields inside columns: { … } under table: "dot_tools", which reads as "these are columns of dot_tools." They are not.
1. Live carrier evidence (Claude read-only query_pg, db directus, 2026-06-21)
dot_tools has 28 columns. The complete list:
id, status, sort, user_created, date_created, user_updated, date_updated,
code, name, name_en, description, classification, owner, script_path, token_type,
category, usage_count, _dot_origin, tier, domain, operation, paired_dot,
trigger_type, cron_schedule, file_path, last_executed, coverage_status, extra_metadata
None of the RS4A envelope carriers exists as a column:
| Logical envelope field (RS4A) | Is it a dot_tools column? | Closest live column (NOT a carrier) |
|---|---|---|
| deployed_artifact_hash | NO | none — dot_tools has zero hash/checksum columns (G4) |
| owner_envelope_ref | NO | owner (free-text varchar) — not an envelope ref; RS4A-05 already rules that the governance_object_ownership head, not this column, is the authority |
| approval_envelope_ref | NO | none |
| authority_policy_ref | NO | none |
| logical_request_key / effect_identity | NO | none |
| authorization_nonce_ref | NO | none |
| audit_envelope_ref | NO | none — extra_metadata (jsonb) is caller-writable, request_proposed-tier only |
So every persisted carrier the contract needs is absent. The only columns that look relevant (owner, extra_metadata) are untrusted (free-text / caller-writable) and are never an envelope carrier.
2. Corrected representation: three explicit layers
RS4A-02 §3 is corrected to separate the logical envelope (what the contract reasons over) from the persisted carrier (what dot_tools can actually store) from the carrier status (whether it exists).
logical_envelope_fields: # contract-level inputs/outputs; NOT columns
deployed_artifact_hash -> produced by Interface F as trusted_attested.artifact_hash (RS4A-06)
owner_envelope_ref -> reference into governance_object_ownership head (RS4A-05)
approval_envelope_ref -> reference into register_dot APR + quorum proof (RS4A-05)
authority_policy_ref -> canonical_authority_policy_ref (PATCH1-02 §3)
effect_identity -> logical_request_key (PATCH1-02 §1)
authorization_nonce_ref -> dedicated consume record (PATCH1-02 U2 / RS4A-07)
audit_envelope_ref -> durable failure-audit sink record (RS4A-08)
current_persistence_carrier: # what dot_tools actually stores today (LIVE 28 cols)
dot_tools currently has NO column for ANY logical_envelope_field above
(closest columns owner:varchar and extra_metadata:jsonb are untrusted, NOT carriers)
carrier_status:
REQUIRED_NOT_PRESENT for every logical_envelope_field
=> FAIL_CLOSED: the contract MUST NOT persist or read these from dot_tools today
2.1 Corrected registered_row_intent (write-intent only)
The write-intent block must list only real dot_tools columns as columns, and carry the envelope fields in a separate, clearly-non-persisted bound_envelopes section that references their producers:
registered_row_intent = {
table: "dot_tools",
columns: { # REAL dot_tools columns only
code, name, file_path, tier, domain, operation, paired_dot,
status: "draft" # canonical inert value (PATCH1-03)
},
bound_envelopes: { # NOT dot_tools columns; references to producers, fail-closed if absent
deployed_artifact_hash: <trusted_attested from Interface F | FAIL_CLOSED>,
owner_envelope_ref: <governance_object_ownership head | OWNER_ABSENT>,
approval_envelope_ref: <register_dot APR + quorum | APR_NOT_BOUND_TO_ARTIFACT>,
effect_identity: <logical_request_key | MISSING_LOGICAL_KEY>,
authorization_nonce_ref: <consume record | REPLAY_SURFACE_REQUIRED_NOT_PRESENT>,
audit_envelope_ref: <durable sink record | AUDIT_SINK_UNAVAILABLE>
} | FAIL_CLOSED # any unresolved binding => no write
}
Key correction: the envelope fields are no longer columns of dot_tools. They are bound references whose persistence carriers do not exist today. Until a governed carrier is designed (a hash carrier per Interface F R-criteria, an owner/approval binding surface, a replay/consume surface, an audit sink), the contract is CARRIER_REQUIRED_NOT_PRESENT and fails closed — it must not pretend dot_tools can store them, and it must not silently drop them into extra_metadata (which is caller-writable and therefore not a trusted carrier).
3. The fail-closed carrier interface (what "required carrier contract" means)
For each absent carrier, the contract states a required carrier contract, never "column exists":
| Logical field | Required carrier contract (future, governed) | NOT |
|---|---|---|
| deployed_artifact_hash | a proven per-artifact carrier binding (canonical_path, origin) → hash under immutability + restricted writer + observer independence (Interface F R1–R10, RS4A-06) | a dot_tools hash column (none exists), extra_metadata jsonb, or a caller copy |
| owner_envelope_ref | a reference resolvable to a governance_object_ownership accountable head (RS4A-05) | the free-text dot_tools.owner varchar |
| approval_envelope_ref | a reference to a register_dot APR with quorum proof bound to the attested hash (RS4A-05) | any caller-supplied approval string |
| effect_identity / authorization_nonce_ref | U1 + separate U2 constrained records on a registration-domain replay surface (PATCH1-02 §2; RS4A-07) | iu_route_attempt (rejected) or any dot_tools column |
| audit_envelope_ref | a durable append-only failure-audit sink record (RS4A-08) | a dot_tools column |
No schema design, no DDL, no column added. This file only relabels: logical fields ≠ persisted columns; current carriers are REQUIRED_NOT_PRESENT ⇒ fail-closed.
4. Added acceptance tests (feed PATCH1-07)
| New case | Input/state | Expected | Layer |
|---|---|---|---|
| T-PX-5 | contract attempts to persist deployed_artifact_hash / owner_envelope_ref / approval_envelope_ref as dot_tools columns | REJECT CARRIER_REQUIRED_NOT_PRESENT (no such columns; do not imply they exist) | R/SCHEMA |
| T-PX-6 | envelope value stuffed into extra_metadata jsonb and treated as trusted | REJECT REQUEST_PROPOSED_AS_TRUSTED (caller-writable ≠ carrier) | V/F |
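The check below is an added illustration of the fail-closed carrier interface from §2.1 and of the two acceptance cases above; it is not code from the RS4A package, PATCH1-07, or directus. It takes the 28 live dot_tools columns from §1 as the only real columns, treats owner and extra_metadata as untrusted, and evaluates a registered_row_intent dict. The dict shape, the `source` / `resolved` keys on a bound envelope, the `WRONG_TABLE` / `UNKNOWN_COLUMN` codes, and the `check_intent` / `Decision` / `codes` names are assumptions chosen to mirror §2.1; the envelope reject codes are the ones §2.1 and §4 name. The three sample intents are constructed, not taken from any live row.

```python
"""Fail-closed check of a registered_row_intent against the live dot_tools columns.

Added illustration for RS4A-PATCH1-04, not RS4A or directus code. Column list is
the live 28 from section 1; intent shape, `source`/`resolved` keys, and the
WRONG_TABLE / UNKNOWN_COLUMN codes are assumptions. Envelope codes are from 2.1.
"""
from dataclasses import dataclass, field

# Live dot_tools columns (section 1, read-only query_pg, 2026-06-21).
DOT_TOOLS_COLUMNS = frozenset({
    "id", "status", "sort", "user_created", "date_created", "user_updated",
    "date_updated", "code", "name", "name_en", "description", "classification",
    "owner", "script_path", "token_type", "category", "usage_count", "_dot_origin",
    "tier", "domain", "operation", "paired_dot", "trigger_type", "cron_schedule",
    "file_path", "last_executed", "coverage_status", "extra_metadata",
})

# Logical envelope field -> code emitted when its binding is absent/unresolved (2.1).
ENVELOPE_FAIL_CODES = {
    "deployed_artifact_hash": "FAIL_CLOSED",
    "owner_envelope_ref": "OWNER_ABSENT",
    "approval_envelope_ref": "APR_NOT_BOUND_TO_ARTIFACT",
    "effect_identity": "MISSING_LOGICAL_KEY",
    "authorization_nonce_ref": "REPLAY_SURFACE_REQUIRED_NOT_PRESENT",
    "audit_envelope_ref": "AUDIT_SINK_UNAVAILABLE",
}

# Caller-writable columns: request_proposed tier, never a carrier (section 1).
UNTRUSTED_COLUMNS = frozenset({"owner", "extra_metadata"})


@dataclass
class Decision:
    ok: bool
    rejects: list = field(default_factory=list)  # (code, detail) pairs in check order


def check_intent(intent: dict) -> Decision:
    """ACCEPT only if every column is a real dot_tools column, no envelope field is
    written as a column, no untrusted column is offered as a carrier, and every
    logical envelope field is bound to a resolved producer record. Else REJECT."""
    rejects = []
    columns = intent.get("columns", {})
    bound = intent.get("bound_envelopes", {})

    if intent.get("table") != "dot_tools":  # assumed code, not from the package
        rejects.append(("WRONG_TABLE", str(intent.get("table"))))

    for col in columns:
        if col in ENVELOPE_FAIL_CODES:
            # T-PX-5: envelope field persisted as a column the table does not have
            rejects.append(("CARRIER_REQUIRED_NOT_PRESENT", col))
        elif col not in DOT_TOOLS_COLUMNS:
            rejects.append(("UNKNOWN_COLUMN", col))  # assumed code

    for name, code in ENVELOPE_FAIL_CODES.items():
        ref = bound.get(name)
        if isinstance(ref, dict) and ref.get("source") in UNTRUSTED_COLUMNS:
            # T-PX-6: value stuffed into owner/extra_metadata and presented as trusted
            rejects.append(("REQUEST_PROPOSED_AS_TRUSTED", f"{name} via {ref['source']}"))
        elif not (isinstance(ref, dict) and ref.get("resolved") is True):
            # Unresolved binding: that field's own fail-closed code, no write
            rejects.append((code, name))

    return Decision(ok=not rejects, rejects=rejects)


def codes(decision: Decision) -> list:
    """Reject codes only, for compact assertions and audit lines."""
    return [code for code, _ in decision.rejects]


# --- constructed sample intents (not from the package or any live row) ---

# 1. The RS4A-02 section 3 shape the Codex rejected: envelope fields nested as columns.
DEFECTIVE_INTENT = {
    "table": "dot_tools",
    "columns": {
        "code": "dot.example", "name": "Example", "file_path": "dots/example.py",
        "status": "draft",
        "deployed_artifact_hash": "sha256:00ff",  # fake value; not a column
        "owner_envelope_ref": "own-1",             # not a column
        "approval_envelope_ref": "apr-1",          # not a column
    },
}

# 2. Envelope value stuffed into extra_metadata jsonb and offered as the trusted carrier.
STUFFED_INTENT = {
    "table": "dot_tools",
    "columns": {"code": "dot.example", "status": "draft",
                "extra_metadata": {"artifact_hash": "sha256:00ff"}},
    "bound_envelopes": {"deployed_artifact_hash": {"source": "extra_metadata", "resolved": True}},
}

# 3. Hypothetical governed state: every envelope resolved by its producer. Unreachable
#    today (carriers are REQUIRED_NOT_PRESENT); included only to show the accept path.
GOVERNED_INTENT = {
    "table": "dot_tools",
    "columns": {"code": "dot.example", "name": "Example", "file_path": "dots/example.py",
                "tier": "t1", "domain": "ops", "operation": "run", "paired_dot": None,
                "status": "draft"},
    "bound_envelopes": {n: {"source": "producer", "resolved": True} for n in ENVELOPE_FAIL_CODES},
}

if __name__ == "__main__":
    for label, intent in [("defective", DEFECTIVE_INTENT), ("stuffed", STUFFED_INTENT),
                          ("governed", GOVERNED_INTENT)]:
        d = check_intent(intent)
        print(label, "ACCEPT" if d.ok else "REJECT", d.rejects)
```

Note that the untrusted-carrier branch is checked before the unresolved-binding branch, so a stuffed extra_metadata value is reported as REQUEST_PROPOSED_AS_TRUSTED rather than merely as an unbound deployed_artifact_hash; the remaining five envelopes still surface their own fail-closed codes, and any single reject blocks the write.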
5. Status
- Carrier boundary: CARRIER_BOUNDARY_SEPARATED. Logical envelope fields are explicitly distinguished from the 28 live dot_tools columns; every envelope carrier is REQUIRED_NOT_PRESENT ⇒ fail-closed.
- No column implied to exist; no schema, no DDL.
- Gate: REGISTRATION_HOLD · CAN_PROCEED = NO.