KB-28B7

RS4A-PATCH2-04 — Phase 4 Success Verifier and Audit Semantics — 2026-06-21



Macro: RS4A-PATCH2 · Objective D (closes Codex re-review residual R3: Phase-4 success still required a durable audit, contradicting the Phase-5 correction that a success audit is not required)
Deliverable: 04 of 6 (under rs4a-patch2/) · design-only · scoped correction addendum
Corrects: RS4A-PATCH1-05 §3 (Phase-4 verifier pass condition retained "…audit durably written ⇒ success") against PATCH1-05 §4 ("durable audit required only on failure; success audit optional"). Does NOT overwrite PATCH1/RS4A.
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO
Status: PHASE4_SUCCESS_AUDIT_CONTRADICTION_REMOVED — the success verifier no longer requires any audit; failure audit is failure-only; success-decision logging is an optional future contract.


0. The residual defect this file closes (Codex re-review §7 / §12.3)

PATCH1 fixed failure-audit sequencing (failure occurs in the Phase-3 txn that rolls back; the failure-audit is written afterward in a separate txn). But one old phrase survived inside the Phase-4 success verifier:

  • PATCH1-05 §3 (Phase-4 verifier pass condition): "exactly one row for dot_code, metadata == admitted artifact, status='draft' (inert), notify-not-emitted, audit durably written ⇒ success = HTTP-2xx + readback match."
  • PATCH1-05 §4 (correction): "a durable failure-audit is REQUIRED for failures/rollbacks; a durable success-decision log is NOT required by RS4A."

These contradict each other: §3 makes a durable audit a precondition of success, while §4 says success requires no audit. Codex:

"PATCH2 must remove audit-readback from the success verifier unless a separate success-decision logging contract is adopted. Failure audit cannot be a precondition for a successful transaction that did not fail."

PATCH2 removes the phrase. Failure audit cannot gate a transaction that did not fail.


1. Phase 4 success verifier v2 (closes R3)

Phase 4 success verifier — REQUIRED checks (all must hold):
  - exactly ONE current/head row for canonical_target_dot_code, per the U3 head policy (PATCH2-03)
  - that row's status = "draft" (the canonical inert state, PATCH1-03)
  - the row's metadata matches the admitted artifact (trusted_attested, Interface F)
  - NO activation-notify condition is satisfied (status='draft' ≠ 'active' ⇒ fn_context_pack_on_dot_register does not fire)
  - postcondition_verifier_ref resolves to a pre-existing, independently-governed verifier (PATCH1-05 §3; no auto-created/per-target row)
  - the write result and readback match (e.g. HTTP-2xx AND post-commit readback == intended row), where applicable

Phase 4 success verifier — does NOT require:
  - failure_audit_envelope
  - any success audit
  - decision_log_envelope

Key deletion: the clause "audit durably written ⇒ success" is removed from the Phase-4 pass condition. Success is established by row + status + metadata + no-notify + verifier-ref + readback, never by an audit record.


2. Audit envelope semantics v2 (failure-only; success-log optional)

failure_audit_envelope:
    required only on failure / rollback / reject that needs a durable forensic record
    written AFTER the rolled-back Phase-3 txn, in a SEPARATE transaction (PATCH1-05 §4) => survives the rollback
    sink must be append-only/immutable — NOT proven on any candidate today (AUDIT_SINK_UNAVAILABLE, G6) => fail-closed
    NOT a precondition of any successful transaction

success_decision_log_envelope:
    OPTIONAL future contract — NOT part of RS4A / RS4A-PATCH2 acceptance
    null unless a separate success-decision logging contract is later defined and governed
    if ever adopted, it is logged AFTER a successful commit and still never gates success

2.1 Contradiction removed (explicit)

  • No success audit is required by RS4A / PATCH2. A successful registration (one inert draft head, no notify, readback match) is complete without writing any audit.
  • A failure audit cannot be a precondition for a successful transaction. Failure audit exists only on the failure/rollback path; on the success path there is nothing to audit-as-failure, so requiring it was incoherent.
  • The output audit_envelope is therefore nullable/scoped: failure_audit_envelope is populated only on failure; decision_log_envelope (a.k.a. success_decision_log_envelope) is null unless a future success-logging contract is adopted.
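The v2 success verifier (§1) and the failure-only audit envelope (§2) as one runnable illustration; this is added example code, not the project's own, and HeadRow, Readback, verify_phase4_success, failure_audit_envelope, the KNOWN_VERIFIERS registry and the PX2-015 sample values are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical names and values throughout: added example, not project code.
@dataclass
class HeadRow:
    dot_code: str
    status: str
    metadata: dict
    postcondition_verifier_ref: Optional[str]

@dataclass
class Readback:
    head_rows: list                  # current/head rows for the canonical target dot_code (U3)
    admitted_metadata: dict          # trusted_attested artifact metadata (Interface F)
    notify_emitted: bool             # did fn_context_pack_on_dot_register fire?
    write_ok: bool                   # write result (e.g. HTTP-2xx) and post-commit readback agree
    failure_audit_envelope: Optional[dict] = None         # never consulted on the success path
    success_decision_log_envelope: Optional[dict] = None  # optional future contract, never gates

KNOWN_VERIFIERS = {"verifier:governance/inert-draft-v1"}  # constructed registry of pre-existing verifiers

def verify_phase4_success(rb, known_verifiers=KNOWN_VERIFIERS):
    """Phase-4 success verifier v2: returns the failed checks; [] means PASS. No audit field is read."""
    if len(rb.head_rows) != 1:
        return ["U3_HEAD_NOT_UNIQUE"]
    row = rb.head_rows[0]
    checks = {
        "STATUS_NOT_DRAFT": row.status != "draft",
        "METADATA_MISMATCH": row.metadata != rb.admitted_metadata,
        "NOTIFY_CONDITION_SATISFIED": rb.notify_emitted or row.status == "active",
        "VERIFIER_REF_UNRESOLVED": row.postcondition_verifier_ref not in known_verifiers,
        "WRITE_READBACK_MISMATCH": not rb.write_ok,
    }
    return [name for name, failed in checks.items() if failed]

def failure_audit_envelope(reason, sink_append_only):
    """Failure path only: built after the Phase-3 txn rolled back, for a separate txn (PATCH1-05 §4).
    Fail-closed when the sink is not proven append-only (AUDIT_SINK_UNAVAILABLE, G6)."""
    if not sink_append_only:
        raise RuntimeError("AUDIT_SINK_UNAVAILABLE")
    return {"kind": "failure_audit", "reason": reason, "written_after_rollback": True}

def px2_015_sample():
    """Constructed PX2-015 input: one inert draft head, no notify, readback match, no audit of any kind."""
    meta = {"artifact": "ctx-pack-v7", "sha": "PLACEHOLDER_DIGEST"}
    row = HeadRow("DOT-EXAMPLE", "draft", dict(meta), "verifier:governance/inert-draft-v1")
    return Readback([row], meta, False, True)
```

A readback with both envelopes left at None passes, which is exactly the PX2-015 expectation; the audit sink check only ever runs on the failure path.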

3. Net Phase-model correction (replaces the residual PATCH1-05 §3 line)

Element: Phase-4 success pass condition
    PATCH1-05 (residual): "…notify-not-emitted, audit durably written ⇒ success = HTTP-2xx + readback match"
    PATCH2 correction: "…notify-not-emitted, postcondition_verifier_ref resolved, write/readback match ⇒ success" — audit clause deleted

Element: Success audit
    PATCH1-05 (residual): implied required by §3 / by RS4A-02 §3 / RS4A-04 Phase 4
    PATCH2 correction: NOT required (success has no audit precondition)

Element: Failure audit
    PATCH1-05 (residual): required, written after rollback in a separate txn (§4)
    PATCH2 correction: unchanged — failure-only, separate txn, append-only sink fail-closed (AUDIT_SINK_UNAVAILABLE)

Element: Decision/success log
    PATCH1-05 (residual): "optional decision_log_envelope" (§4)
    PATCH2 correction: unchanged — optional future success_decision_log_envelope, never gates success

Everything else PATCH1 fixed about phases stands (Phase 2 reserves; Phase 3 is the sole atomic consume+write; Phase 4 verifier is an independent reference with one primary row, carrying RS3C-C2). PATCH2 touches only the success-audit clause.


4. Test coverage for this fix (feeds PATCH2-05)

  • Failure path (durable audit, separate txn): covered by the baseline-97 repaired case T-P5-1 (failure inside the Phase-3 txn that rolls back; failure-audit written afterward in a separate txn ⇒ survives). Retained as-is; not re-counted.
  • Success path (no audit required): new authoritative case PX2-015 phase4-success-verifier-no-audit-required — Phase-4 success verifier PASSES on one draft head + metadata-match + no-notify + resolved verifier-ref + readback, with no failure_audit_envelope and no success audit present. Forbidden fail-open: treating a missing audit as a Phase-4 success failure, or requiring audit-readback for success.

This keeps the two audit semantics cleanly separated (failure ⇒ T-P5-1; success ⇒ PX2-015) and closes C8/R3 with explicit, non-overlapping tests.

5. Status

  • PHASE4_SUCCESS_AUDIT_CONTRADICTION_REMOVED — success verifier requires row + status=draft + metadata-match + no-notify + verifier-ref + readback; it does not require any audit.
  • failure_audit_envelope = failure/rollback only (separate txn, append-only sink fail-closed AUDIT_SINK_UNAVAILABLE); success_decision_log_envelope = optional future contract, never a success precondition.
  • No transaction code, no mutation. Gate REGISTRATION_HOLD · CAN_PROCEED = NO.