RS4A-PATCH1-06 — Interface F and Audit Overclaim Narrowing — 2026-06-21
Macro: RS4A-PATCH1 · Objective G (closes Codex C9 Interface F overclaim, C10 audit immutability overclaim)
Deliverable: 06 of 10 · design-only · correction addendum (does NOT overwrite RS4A-06/08)
Builds on / corrects: RS4A-06 §2 (context_pack_manifest language) and RS4A-08 §2–§3 (event_outbox immutability language).
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO
Status: OVERCLAIMS_NARROWED — both fail-closed conclusions are retained, but the reasons are narrowed to what the evidence actually proves: "no proven carrier among reviewed candidates" and "immutability not proven," never an exhaustive global claim.
The correction here makes the package weaker in claim, identical in conclusion (still fail-closed) — which is exactly what an adversarial reviewer should accept.
1. C9 — Interface F overclaim narrowing (closes Codex §8 / §16.2)
Defect: RS4A-06 reasoned partly from the presence of aggregate count columns in context_pack_manifest to conclude its checksums are not per-artifact. Codex: "the presence of aggregate count columns … does not by itself prove the semantic scope of each checksum. The accepted conclusion is narrower and sufficient: no reviewed evidence proves a unique immutable per-artifact binding, so the candidate is unfit and Interface F emits nothing. Likewise, say no proven carrier among reviewed candidates, not an exhaustive global absence unless all carrier surfaces have been inventoried."
Live re-confirmation (Claude read-only query_pg, 2026-06-21), context_pack_manifest constraints:
context_pack_manifest_pkey PRIMARY KEY (id)
context_pack_manifest_health_status_check CHECK (health_status IN ('healthy','warn','stale','fail'))
context_pack_manifest_kb_mirror_status_check CHECK (kb_mirror_status IN ('pending','live','failed'))
context_pack_manifest_publish_status_check CHECK (publish_status IN ('staging','live','failed'))
context_pack_manifest_section_count_check CHECK (section_count > 0)
context_pack_manifest_trigger_source_fkey FOREIGN KEY (trigger_source) -> context_trigger_sources(code)
- No UNIQUE on logical_checksum_sha256 or file_checksum_sha256.
- No immutability (UPDATE/DELETE-blocking) trigger/constraint.
Corrected statement (replaces RS4A-06 §2 reasoning):
No reviewed evidence proves a unique, immutable, per-artifact deployed-hash binding on any candidate carrier. Specifically,
context_pack_manifest exposes logical_checksum_sha256 / file_checksum_sha256 but carries no UNIQUE constraint on either checksum and no immutability enforcement (live), and nothing in the reviewed evidence proves either checksum is scoped to a single deployed DOT artifact rather than to the whole context pack. Therefore the candidate is unfit, and Interface F emits nothing trusted. This is a statement about the reviewed candidates (dot_tools, wf_fs_dot_bin_snapshot, context_pack_manifest, dot_tools.extra_metadata), not an exhaustive proof that no carrier exists anywhere in the database.
What is dropped: the inference "aggregate count columns ⇒ checksum is aggregate." What is kept (and is sufficient): no UNIQUE + no immutability + no proven per-artifact scope ⇒ unfit ⇒ fail-closed. The fail-closed verdict INTERFACE_F_FAIL_CLOSED is unchanged.
Scope label corrected: RS4A-06's "G4 confirmed live: there is no per-artifact hash carrier at all in live runtime" is narrowed to "no per-artifact hash carrier among the reviewed candidates; other surfaces were not exhaustively inventoried" (NO_PROVEN_CARRIER_AMONG_REVIEWED, not GLOBAL_CARRIER_ABSENCE).
2. C10 — Audit immutability overclaim narrowing (closes Codex §10 / §16.3)
Defect: RS4A-08 treated the absence of UPDATE/DELETE-blocking triggers as establishing absence of immutability. Codex: "Absence of UPDATE/DELETE-blocking triggers does not establish global absence of immutability if grants, rules, or policies were not enumerated. State immutability not proven, which is enough to fail closed. The proposed event type, delivery lane, and dedup_key are contract requirements, not fields/values proven available on the current table."
Live re-confirmation (Claude read-only query_pg, 2026-06-21), event_outbox user triggers:
trg_event_outbox_type_validate BEFORE INSERT -> fn_event_type_validate()
(no other user trigger; in particular no UPDATE/DELETE-blocking trigger)
Corrected statement (replaces RS4A-08 §2/§3 immutability language):
event_outbox has no UPDATE/DELETE-blocking trigger (live: only a BEFORE INSERT type-validate trigger). This is not proof of global mutability or of global immutability: table/column grants, rules, and row-level policies were not enumerated from the read-only role, so whether UPDATE/DELETE is actually permitted for the registrar writer is unproven. The correct, sufficient statement is: immutability is NOT PROVEN, therefore the sink fails closed (AUDIT_SINK_UNAVAILABLE) until append-only enforcement is positively demonstrated.
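A read-only catalog inventory of exactly the surfaces this addendum says were not enumerated, covering both C9 (UNIQUE coverage on the checksum columns) and C10 (triggers, grants, rules, RLS policies on the sink). This is an added example, not part of the RS4A package or the query_pg tooling; it assumes schema public and a placeholder writer role name registrar_writer.

```sql
-- Added example (not from the RS4A package). Every statement is a catalog
-- SELECT, so it can run under the same read-only role used for re-confirmation.
-- Assumptions: schema "public"; "registrar_writer" is a PLACEHOLDER role name.

-- 1. C9: PRIMARY KEY / UNIQUE coverage on context_pack_manifest.
--    A per-artifact binding needs a UNIQUE that includes a checksum column.
SELECT conname, contype, pg_get_constraintdef(oid) AS definition
  FROM pg_constraint
 WHERE conrelid = 'public.context_pack_manifest'::regclass
   AND contype IN ('p', 'u');

-- 2. C10: user-defined triggers on the audit sink (internal ones excluded).
SELECT tgname, tgenabled, pg_get_triggerdef(oid) AS definition
  FROM pg_trigger
 WHERE tgrelid = 'public.event_outbox'::regclass
   AND NOT tgisinternal;

-- 3. C10: table ACL, read straight from pg_class so it is visible to any role.
--    An empty result means relacl IS NULL: owner has everything, PUBLIC nothing.
SELECT a.grantee::regrole AS grantee, a.privilege_type, a.is_grantable
  FROM pg_class c, aclexplode(c.relacl) AS a
 WHERE c.oid = 'public.event_outbox'::regclass
 ORDER BY 1, 2;

-- 3b. The direct question: can the writer role UPDATE or DELETE at all?
SELECT has_table_privilege('registrar_writer', 'public.event_outbox', 'UPDATE') AS can_update,
       has_table_privilege('registrar_writer', 'public.event_outbox', 'DELETE') AS can_delete;

-- 4. C10: rewrite rules (a DO INSTEAD NOTHING rule on UPDATE/DELETE is one
--    append-only mechanism that trigger enumeration alone would miss).
SELECT rulename, definition
  FROM pg_rules
 WHERE schemaname = 'public' AND tablename = 'event_outbox';

-- 5. C10: row-level security flags and any policies attached to the table.
SELECT relrowsecurity, relforcerowsecurity
  FROM pg_class
 WHERE oid = 'public.event_outbox'::regclass;
SELECT policyname, permissive, cmd, roles, qual, with_check
  FROM pg_policies
 WHERE schemaname = 'public' AND tablename = 'event_outbox';
```

Immutability counts as positively demonstrated only when the writer role shows no UPDATE/DELETE privilege in 3b, or a rule/trigger/policy from 2, 4 or 5 blocks those commands for it; a clean result in one query alone is still "not proven."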
Contract-requirement vs proven-field labeling (the second half of C10): the failure-audit envelope's event_type="registration_failure", delivery_lane="audit", and dedup_key=H(logical_request_key, phase, run_id) are contract REQUIREMENTS the chosen sink must satisfy, not fields/values proven to exist on event_outbox today. RS4A-08 §4 is relabeled accordingly:
failure_audit_envelope (REQUIRED shape; NOT proven-present on event_outbox):
event_type = "registration_failure" # REQUIRED to be a non-executing audit type; existence/non-execution UNPROVEN
delivery_lane = "audit" # REQUIRED non-execution lane; that such a lane exists & is inert is UNPROVEN
dedup_key = H(logical_request_key, phase, run_id) # REQUIRED unique dedup; no such UNIQUE exists today (only PK on id)
The fail-closed verdict SINK_CANDIDATE_SELECTED_FAIL_CLOSED is unchanged; only the basis is narrowed from "disproved by trigger absence" to "not proven."
3. Symmetry note (both narrowings, one principle)
Both C9 and C10 are the same overclaim shape: "absence of one piece of evidence ⇒ global negative." The patch replaces each with the epistemically honest minimum that still forces fail-closed:
| Original (overclaim) | Narrowed (sufficient) | Conclusion |
|---|---|---|
| aggregate columns ⇒ checksum is aggregate ⇒ no carrier exists at all | no reviewed candidate proves unique+immutable+per-artifact binding | Interface F emits nothing (unchanged) |
| no UPDATE/DELETE trigger ⇒ no immutability ⇒ mutable | immutability not proven (grants/rules/policies not enumerated) | sink fails closed (unchanged) |
This strengthens the package against an adversarial review: every fail-closed now rests on "not proven," which cannot be refuted by finding one un-inventoried surface.
4. Status
- Interface F: OVERCLAIM_NARROWED to NO_PROVEN_CARRIER_AMONG_REVIEWED; INTERFACE_F_FAIL_CLOSED retained.
- Audit sink: OVERCLAIM_NARROWED to IMMUTABILITY_NOT_PROVEN; SINK_CANDIDATE_SELECTED_FAIL_CLOSED retained; event_type/delivery_lane/dedup_key relabeled as contract requirements, not proven fields.
- No carrier/sink created, no DDL.
- Gate: REGISTRATION_HOLD · CAN_PROCEED = NO.