RS4A-PATCH2-06 — Decision Packet — 2026-06-21
RS4A-PATCH2-06 — Decision Packet — 2026-06-21
Macro: RS4A-PATCH2 — EFFECT IDENTITY, HEAD UNIQUENESS, SUCCESS-AUDIT, AND SUITE-ID RECONCILIATION
Deliverable: 06 of 6 (under rs4a-patch2/) · design-only
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO
1. Verdict
RS4A_PATCH2_READY_FOR_CODEX_REVIEW
Not forced. All five Codex residual defects (R1–R5) are closed with concrete decisions:
- effect identity is not authorization-keyed ⇒ not
RS4A_PATCH2_HOLD_EFFECT_IDENTITY_STILL_AUTHORIZATION_KEYED; - U3 head policy is decided (Option 1, consistent with the live Directus vocabulary) ⇒ not
RS4A_PATCH2_HOLD_U3_HEAD_POLICY_UNRESOLVED; - the Phase-4 success-audit contradiction is removed ⇒ not
RS4A_PATCH2_HOLD_PHASE4_AUDIT_CONTRADICTION; - the test registry is deterministic (111) ⇒ not
RS4A_PATCH2_HOLD_TEST_REGISTRY_AMBIGUOUS; - no implementation/scope drift, no fail-open ⇒ not any
REJECT_*.
Controlling finding retained from RS4A/RS3C: SOURCE_CONFIRMS_UNSAFE_REGISTRAR_BEHAVIOR · REPLACE_FOR_GOVERNED_REGISTRATION + REJECT_CURRENT_REAL_RUN_PATH.
2. Exact fixes (one line each)
- R1 —
effect_identity = H(protocol_version, operation="register_dot", canonical_target_dot_code, canonical_artifact_identity, canonical_artifact_hash); owner scope, authority policy, approval/owner/APR ids, nonce, run/attempt, timestamps excluded; authority moved to a separateauthorization_binding_digestbound to the attempt record (required for admission, not U1); changed authority ⇒ same effect ⇒AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE; re-registration = explicit different operation. → CLOSED (PATCH2-02) - R2 — U3 =
UNIQUE(canonical_target_dot_code) WHERE lifecycle_role='current_head'= one current head across{draft, active};{deprecated, retired}terminal; registration writesdraftonly if no draft/active head; surface absent ⇒ fail closed before draft write. → CLOSED (PATCH2-03) - R3 — Phase-4 success verifier = row +
status='draft'+ metadata-match + no-notify + resolved verifier-ref + readback; no audit required; failure audit is failure-only; success-decision log optional/future. → CLOSED (PATCH2-04) - R4 — one authoritative
PX2-001..015registry; allT-PX-*superseded; collisions split;T-P6-3a/b= two cases (PX2-013/014); augmented total 111, deterministic. → CLOSED (PATCH2-05) - R5 —
PX2-011changed-authority/same-effect +PX2-012duplicate-draft-head, plusPX2-005/006/007(run_id/approval/nonce) andPX2-015(success-no-audit). → CLOSED (PATCH2-05)
3. Effect identity formula (final)
effect_identity = logical_request_key = H(
protocol_version, operation = "register_dot",
canonical_target_dot_code, canonical_artifact_identity, canonical_artifact_hash
)
Excluded from U1: canonical_owner_scope, canonical_authority_policy_ref, approval-instance id, APR row id, owner row id, authorization_nonce, attempt_id, attempt_no, run_id, timestamps, TTL/freshness window, operator/session/host.
4. Authorization binding formula (final)
authorization_binding_digest = H(
protocol_version, effect_identity,
canonical_owner_scope, canonical_authority_policy_ref,
approval_evidence_ref, quorum_evidence_ref,
authorization_nonce_issuer, authorization_window
)
Required for admission; bound to the Phase-3 attempt/consume record as non-identity evidence; excluded from U1. Unresolvable today (owner=0, no register_dot) ⇒ AUTHORITY_BINDING_UNRESOLVED ⇒ admission fail-closed.
5. U3 / head policy (final)
| Lifecycle role | Statuses | Head count per code |
|---|---|---|
| current_head (non-terminal) | draft, active |
at most one |
| terminal / non-head | deprecated, retired |
unconstrained (history) |
UNIQUE(canonical_target_dot_code) WHERE lifecycle_role='current_head'; rejects DUPLICATE_CURRENT_HEAD / DRAFT_HEAD_ALREADY_EXISTS / ACTIVE_HEAD_ALREADY_EXISTS; surface REQUIRED_NOT_PRESENT ⇒ HEAD_POLICY_UNRESOLVED fail-closed before any draft write.
6. Phase 4 audit correction (final)
Success verifier requires no audit. failure_audit_envelope = failure/rollback only (separate txn, append-only sink fail-closed AUDIT_SINK_UNAVAILABLE). success_decision_log_envelope = optional future contract, never a success precondition. Failure path tested by baseline T-P5-1; success-no-audit by PX2-015.
7. Test registry count (final)
50 carried + (47 − 1 superseded T-P6-3) + 15 PX2 = 111
Baseline 97 unchanged (origin); augmented 111; designed, not executed; no PASS. RS4A-11 42/92 and PATCH1 105 superseded.
8. Files created (PATCH2 package, all rev1)
knowledge/dev/laws-new/reports/rs4a-patch2/
rs4a-patch2-index-effect-identity-head-uniqueness-suite-id-reconciliation-2026-06-21.md
01-codex-rereview-defect-closure-map-2026-06-21.md
02-effect-identity-with-authorization-binding-separated-2026-06-21.md
03-u3-current-head-uniqueness-policy-2026-06-21.md
04-phase4-success-verifier-and-audit-semantics-2026-06-21.md
05-authoritative-test-registry-and-count-2026-06-21.md
06-rs4a-patch2-decision-packet-2026-06-21.md
codex-review-packet-rs4a-patch2-effect-identity-head-uniqueness-suite-id-reconciliation-2026-06-21.md
knowledge/dev/laws-new/reports/
macro-rs4a-patch2-effect-identity-head-uniqueness-suite-id-reconciliation-2026-06-21.md
RS4A and PATCH1 files are not overwritten; PATCH2 is a scoped addendum.
9. Registration gate
REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO. No Owner created, no APR created, no register_dot action created, no gate flipped, no registrar/validator patch, no schema/column/constraint, no DOT registered/wired/run, no implementation, no migration SQL, no Directus mutation payload, no RS-VALIDATOR opened, no registration opened.
10. Single next recommendation
Codex reviews RS4A-PATCH2 only. On ACCEPT_RS4A_PATCH2, the corrected RS4A contract (RS4A + PATCH1 + PATCH2) is accepted-as-corrected and the single next step is the G2 Owner-of-record decision (author the governance_object_ownership accountable head + a governed register_dot APR action with quorum binding) — the deciding blocker. Per-block hardening (U1/U2 replay surface, U3 current-head partial-unique, status-domain CHECK, Interface F hash carrier, append-only audit sink) and RS-VALIDATOR-HARDENING are sequenced after acceptance + the Owner decision; they are not bundled here. If Codex finds a further residual defect, open a scoped RS4A-PATCH3 on that item only.