KB-5503

RS4A-PATCH1-08 — Decision Packet — 2026-06-21

Revision 1


Macro: RS4A-PATCH1 — CONTRACT IDENTITY, INERT STATE, PERSISTENCE BOUNDARY, AND SUITE RECONCILIATION
Deliverable: 08 of 10 · design-only
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO


1. Verdict

RS4A_PATCH1_READY_FOR_CODEX_REVIEW

Not forced. The verdict is earned: every Codex defect C1–C13 is closed or fail-closed with a precise disposition, and the one defect that could have forced a HOLD — C2 canonical inert status — is resolved to a concrete, governed, live-proven value (draft), so RS4A_PATCH1_HOLD_INERT_STATE_UNPROVEN does not apply. No implementation drift, no scope drift, no fail-open.

Controlling finding retained from RS4A/RS3C: SOURCE_CONFIRMS_UNSAFE_REGISTRAR_BEHAVIOR · REPLACE_FOR_GOVERNED_REGISTRATION + REJECT_CURRENT_REAL_RUN_PATH.


2. Exact corrections C1–C13 (one line each)

  • C1 — one canonical effect_identity = logical_request_key; excludes run_id/attempt/nonce/timestamp/replaceable-approval-instance; authority canonicalized to scope+policy; AUTHORITY_BINDING_IDENTITY_UNSTABLE fail-closed. → CLOSED
  • C2 — canonical inert status = draft (governed Directus choice; draft≠active ⇒ no activation notify). → CLOSED
  • C3 — uniqueness axes U1(effect, mandatory) / U2(nonce, mandatory, separate) / U3(code-head, policy) / U4(artifact, policy); all REQUIRED_NOT_PRESENT ⇒ fail-closed. → CLOSED_FAIL_CLOSED
  • C4 — logical envelope fields separated from dot_tools columns; carriers REQUIRED_NOT_PRESENT; no column implied. → CLOSED_FAIL_CLOSED
  • C5 — authorization_nonce reclassified AUTHORITY_CREDENTIAL, not request_proposed. → CLOSED
  • C6 — Phase 2 = validation/reservation (no durable consume); Phase 3 = only atomic consume + inert write + attempt. → CLOSED
  • C7 — Phase 4 verifier = independent postcondition_verifier_ref; no auto-created/per-target pair; carry RS3C-C2. → CLOSED
  • C8 — Phase 5 audit written after rollback in a separate txn; failure-audit only (success-audit not required); audit_envelope nullable/scoped. → CLOSED
  • C9 — Interface F narrowed to "no proven carrier among reviewed candidates"; emits nothing. → CLOSED_FAIL_CLOSED
  • C10 — audit "immutability not proven" (not disproved by trigger absence); event_type/lane/dedup_key = contract requirements. → CLOSED_FAIL_CLOSED
  • C11 — T-P5-1 repaired (audit-after-rollback/separate-txn); T-P6-3 repaired (consumer-injected OR active-update-outside-registration). → CLOSED
  • C12 — count corrected to 50 + 47 = 97 (+8 PATCH1 ⇒ 105 augmented, explained); 42/92 superseded. → CLOSED
  • C13 — D13 relabeled SRC+SCHEMA environment/contract blocker; "all-24-line-cited" claim corrected (23 line-cited + D13 schema-tier). → CLOSED

3. Inert-state outcome

CANONICAL_INERT_STATE_RESOLVED = "draft" (Option 1).

  • Governed (not invented): directus_fields.dot_tools.status.options.choices includes draft (LIVE).
  • Accepted: no PG CHECK on status; Directus validation=null, required=false (LIVE).
  • Inert at producer: draft ≠ 'active' ⇒ fn_context_pack_on_dot_register notify condition false ⇒ no context_pack_event (LIVE body).
  • Carried backstop (not a blocker): STATUS_DOMAIN_NOT_DB_ENFORCED — add a governed status CHECK so the vocabulary can't be bypassed; G7-consumer for the separate activation-UPDATE path only.

4. Uniqueness axes

| Axis | Constraint | Required | Live status |
|------|------------|----------|-------------|
| U1 | UNIQUE(effect_identity) | mandatory | absent (only PK(id)) → fail-closed |
| U2 | UNIQUE(authorization_nonce) (separate record) | mandatory | absent → fail-closed |
| U3 | UNIQUE(code) WHERE status='active' | policy (Owner) | absent → undecided/fail-closed |
| U4 | UNIQUE(artifact_identity/hash) | policy (Owner) | absent (no hash col) → undecided/fail-closed |
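
An added sketch of the C1 identity rule and the mandatory U1/U2 axes; it is not part of the PATCH1 package and not the project's code. Assumed for illustration: the request key names, SHA-256 over canonical JSON as the derivation, the in-memory sets standing in for the two constraints, and the reason codes U1_DUPLICATE_EFFECT and U2_NONCE_REPLAY.

```python
import hashlib
import json

# C1: fields that must not influence effect_identity.
# Key names are assumptions for this sketch, not the project's schema.
VOLATILE = {"run_id", "attempt", "nonce", "timestamp"}


class FailClosed(Exception):
    """Carries the reason code; the caller must write nothing."""


def canonical_authority(authority):
    # Authority is reduced to scope + policy; the replaceable approval
    # instance that granted it is deliberately dropped.
    scope, policy = authority.get("scope"), authority.get("policy")
    if not scope or not policy:
        raise FailClosed("AUTHORITY_BINDING_IDENTITY_UNSTABLE")
    return {"scope": scope, "policy": policy}


def effect_identity(request):
    # Keep only the stable part of the request, then hash its canonical form.
    stable = {k: v for k, v in request.items()
              if k not in VOLATILE and k != "authority"}
    stable["authority"] = canonical_authority(request.get("authority") or {})
    blob = json.dumps(stable, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


class UniquenessAxes:
    """In-memory stand-in for U1 and U2, kept as two separate records."""

    def __init__(self):
        self.effects = set()  # U1: UNIQUE(effect_identity)
        self.nonces = set()   # U2: UNIQUE(authorization_nonce)

    def admit(self, request):
        eid = effect_identity(request)
        nonce = request.get("nonce")
        if not nonce or nonce in self.nonces:
            raise FailClosed("U2_NONCE_REPLAY")      # hypothetical code
        if eid in self.effects:
            raise FailClosed("U1_DUPLICATE_EFFECT")  # hypothetical code
        # Both axes are recorded together, or neither is.
        self.nonces.add(nonce)
        self.effects.add(eid)
        return eid
```

A retry that changes only run_id, attempt, nonce, timestamp or the approval instance maps to the same effect_identity, so U1 rejects it even though its nonce is fresh; U2 alone would not catch it.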

5. Suite count

  • Reconciled baseline: 97 (50 carried + 47 new T-series). Corrects RS4A-11's 92.
  • PATCH1 additions: +8 (T-PX-1…8: inert-value, effect-stability across run_id/approval, U1–U4 axes, carrier-absent).
  • Augmented total: 105. Designed, not executed; no PASS claimed.

6. Files created (PATCH1 package, all rev1)

knowledge/dev/laws-new/reports/rs4a-patch1/
  rs4a-patch1-index-contract-identity-inert-state-suite-reconciliation-2026-06-21.md
  01-codex-defect-closure-map-2026-06-21.md
  02-stable-effect-identity-and-uniqueness-axes-2026-06-21.md
  03-canonical-inert-state-resolution-2026-06-21.md
  04-persistence-carrier-boundary-correction-2026-06-21.md
  05-nonce-classification-and-phase-semantics-correction-2026-06-21.md
  06-interface-f-and-audit-overclaim-narrowing-2026-06-21.md
  07-acceptance-suite-reconciliation-97-cases-2026-06-21.md
  08-rs4a-patch1-decision-packet-2026-06-21.md
  codex-review-packet-rs4a-patch1-contract-identity-inert-state-suite-reconciliation-2026-06-21.md
knowledge/dev/laws-new/reports/
  macro-rs4a-patch1-contract-identity-inert-state-suite-reconciliation-2026-06-21.md

RS4A files are not overwritten; PATCH1 is an addendum.


7. Registration gate

REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO. No Owner created, no APR created, no register_dot action created, no gate flipped, no registrar/validator patch, no schema/column/constraint, no DOT registered/wired/run, no RISK-BYPASS cleared, no implementation, no migration SQL, no Directus mutation payload. RS-VALIDATOR and registrar-replacement implementation remain unopened.


8. Single next recommendation

Codex reviews RS4A-PATCH1 only. On ACCEPT, the controlling RS4A contract is accepted-as-corrected and the single next step is the G2 Owner-of-record decision (author the governance_object_ownership accountable head + a governed register_dot APR action with quorum binding) — the deciding blocker. Per-block hardening design (U1/U2 replay surface, Interface F carrier, append-only audit sink, status CHECK backstop) and RS-VALIDATOR-HARDENING are sequenced after Codex acceptance and the Owner decision; they are not bundled here.

If Codex instead finds a residual defect, the next step is a scoped RS4A-PATCH2 on that item only; do not reopen the whole package.