KB-7242

Codex Review Packet — RS4A-PATCH1 — 2026-06-21

Revision 1

For: Codex independent read-only review

Scope of this review: RS4A-PATCH1 only. Do not re-review all of RS4A; PATCH1 is a correction addendum that does not overwrite RS4A. Confirm each C1–C13 closure and that the package remains design-only / fail-closed.

Gate presented: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO

Verdict requested to confirm: RS4A_PATCH1_READY_FOR_CODEX_REVIEW


1. What HOLD asked for vs what PATCH1 delivered

Your RS4A review (NEED_RS4A_PATCH) named 13 corrections. All are addressed without implementation, Owner creation, validator/registrar code, or DDL.

| Codex item | Required | Delivered | Where |
|---|---|---|---|
| C1 | stable effect identity (drop run_id; define approval-binding) | canonical effect_identity w/ explicit exclusions + authority scope/policy canonicalization + AUTHORITY_BINDING_IDENTITY_UNSTABLE | PATCH1-02 |
| C2 | exact canonical inert status | draft (governed Directus choice; ≠active ⇒ no notify) | PATCH1-03 |
| C3 | exact uniqueness axes | U1/U2 mandatory + U3/U4 policy; code→U3, path/hash→U4, effect→U1 | PATCH1-02 §2 |
| C4 | separate logical fields from dot_tools columns | logical_envelope_fields vs current_persistence_carrier vs carrier_status=REQUIRED_NOT_PRESENT | PATCH1-04 |
| C5 | nonce = authority credential, not request_proposed | reclassified AUTHORITY_CREDENTIAL | PATCH1-05 §1 |
| C6 | Phase 2/3 consume semantics | Phase 2 reserves (no durable consume); Phase 3 sole atomic consume+write | PATCH1-05 §2 |
| C7 | independent verifier, no auto-pair | postcondition_verifier_ref reference; carry RS3C-C2 (one primary row) | PATCH1-05 §3 |
| C8 | Phase 5 audit after rollback (separate txn) | failure-audit in a separate txn post-rollback; success-audit not required | PATCH1-05 §4 |
| C9 | narrow Interface F overclaim | "no proven carrier among reviewed candidates" | PATCH1-06 §1 |
| C10 | narrow audit immutability overclaim | "immutability not proven"; lane/type/dedup = contract requirements | PATCH1-06 §2 |
| C11 | repair T-P5-1, T-P6-3 | both repaired (separate-txn audit; consumer-injected / active-update-outside-registration) | PATCH1-07 §2 |
| C12 | fix count to 47 new / 97 total | recounted 50+47=97; +8 ⇒ 105 augmented, explained | PATCH1-07 §1/§4 |
| C13 | relabel D13 evidence tier | D13 = SRC+SCHEMA environment/contract blocker; 23 line-cited + D13 | PATCH1-01 §2 |

2. Live evidence newly available to PATCH1 (Codex had NO_CODEX_LIVE_READ on RS4A)

Claude ran read-only query_pg (db directus, 2026-06-21). These upgrade several packet-tier facts to LIVE-tier:

  • directus_fields.dot_tools.status.options.choices = {draft, active, deprecated, retired}; validation=null, required=false. (C2)
  • dot_tools constraints: PRIMARY KEY (id), chk_dot_tier (A/B), chk_dot_coverage, chk_dot_trigger, fk_dot_tools_domain; no UNIQUE, no status CHECK. (C2/C3/C13)
  • dot_tools.status data: active 291, published 16 (out-of-vocab), null 2. (C2)
  • dot_tools 28 columns — no deployed_artifact_hash/owner_envelope_ref/approval_envelope_ref; only free-text owner + extra_metadata jsonb. (C4)
  • governance_object_ownership = 0 rows. (authority)
  • apr_action_types = 14 codes, no register_dot; register-shaped codes all handler_ref='unimplemented', risk_level='high'. (authority)
  • iu_route_attempt: UNIQUE(idempotency_key, attempt_no) + CHECK(attempt_no>=1) — retry ledger, re-rejected. (C1)
  • context_pack_manifest: PK(id) + 4 status CHECKs + trigger_source FK; no UNIQUE on either checksum, no immutability trigger. (C9)
  • event_outbox: only trg_event_outbox_type_validate BEFORE INSERT; no UPDATE/DELETE-blocking trigger (immutability not proven, not disproven). (C10)

3. Points to verify adversarially

  1. C2 is the crux. Confirm draft is (a) a governed choice, (b) accepted by constraints, (c) inert at the activation producer. Confirm PATCH1 does not claim consumer-inertness for the activation-UPDATE path (G7-consumer carried), and that it adds a STATUS_DOMAIN_NOT_DB_ENFORCED backstop rather than assuming the DB enforces the vocabulary.
  2. C1 stability. Confirm effect_identity excludes run_id/attempt/nonce/timestamp/approval-instance, and that a fresh approval under unchanged policy yields REPLAY_DUPLICATE (not a new effect).
  3. C3 axis discipline. Confirm U1≠U2≠U3≠U4 and that "duplicate code" is U3, not the effect identity.
  4. C9/C10 narrowing. Confirm the conclusions are now "not proven / no proven candidate," not exhaustive global negatives.
  5. C12 arithmetic. Independently re-count: P0 9 / P1 6 / P2 8 / P3 8 / P4 5 / P5 4 / P6 4 / SRC 3 = 47; +50 carried = 97; +8 PATCH1 = 105.
  6. No drift. Confirm zero mutation/DDL/Owner/APR/gate/registrar-code/validator-code; registration remains HOLD.
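
The stability property in point 2, sketched as an added example that is not part of PATCH1 or of any project code: the identity is a hash over identity-bearing fields only, so a fresh approval, nonce, run or attempt cannot mint a new effect, and an unresolved authority term fails closed. The identity-bearing field names, the sorted-set canonicalization of authority scope, the in-memory ledger and every outcome label other than REPLAY_DUPLICATE are assumptions made for illustration.

```python
import hashlib
import json

# Fields that point 2 says must not influence effect_identity.
EXCLUDED = frozenset({"run_id", "attempt", "nonce", "timestamp", "approval_instance"})
# Identity-bearing fields: hypothetical names, the packet does not enumerate them.
IDENTITY_FIELDS = ("action", "target_code", "artifact_hash", "authority_scope", "policy_ref")
assert EXCLUDED.isdisjoint(IDENTITY_FIELDS)


class IdentityUnresolved(Exception):
    """An identity-bearing term is absent, so no identity may be computed."""


def effect_identity(request: dict) -> str:
    missing = [f for f in IDENTITY_FIELDS if not request.get(f)]
    if missing:
        raise IdentityUnresolved(", ".join(missing))
    material = {f: request[f] for f in IDENTITY_FIELDS}
    # Assumed canonicalization: authority scope is an unordered set of grants.
    material["authority_scope"] = sorted(set(request["authority_scope"]))
    blob = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


class ReplayLedger:
    """In-memory stand-in for a replay surface (labels are hypothetical except REPLAY_DUPLICATE)."""

    def __init__(self):
        self._seen = set()

    def submit(self, request: dict) -> str:
        try:
            identity = effect_identity(request)
        except IdentityUnresolved:
            return "REJECTED_FAIL_CLOSED"  # never fall back to a partial identity
        if identity in self._seen:
            return "REPLAY_DUPLICATE"
        self._seen.add(identity)
        return "NEW_EFFECT"


# Constructed sample request; every value is made up for the example.
BASE = {"action": "register", "target_code": "DOT-EXAMPLE",
        "artifact_hash": "sha256:placeholder", "policy_ref": "policy-v1",
        "authority_scope": ["scope-b", "scope-a"],
        "run_id": "run-1", "attempt": 1, "nonce": "n-1",
        "timestamp": "2026-06-21T00:00:00Z", "approval_instance": "apr-1"}
```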

4. Caveats PATCH1 itself flags (not hidden)

  • Authority terms unresolvable today (owner=0; no register_dot) ⇒ effect_identity is fail-closed in practice; the formula is correct but cannot be computed until G2/G3 are decided by the Owner.
  • U1/U2 replay surface, a per-artifact hash carrier (Interface F), an append-only audit sink, and a status-domain CHECK are all REQUIRED_NOT_PRESENT / NEEDS_FUTURE_SURFACE — design-only here.
  • G7-consumer (context_pack consumer body) remains unread; consumer-inertness is asserted only via producer-no-notify for the registration path.
  • Suite is designed, not executed; no PASS claimed.

5. Requested decision

  • If the C1–C13 closures hold: ACCEPT_RS4A_PATCH1 → the corrected RS4A contract is accepted; single next step = G2 Owner-of-record decision; RS-VALIDATOR / per-block hardening / registrar replacement remain sequenced after and unopened.
  • If a residual defect remains: name it for a scoped RS4A-PATCH2 on that item only; do not reopen the whole package.

Registration stays REGISTRATION_HOLD regardless. No implementation is authorized by this packet.
