Codex Review Packet — RS4A-PATCH2 — 2026-06-21

For: Codex independent read-only review Scope of this review: RS4A-PATCH2 only. Do not re-review RS4A or RS4A-PATCH1; PATCH2 is a scoped correction addendum that does not overwrite either. Confirm each residual defect R1–R5 is closed and that the package remains design-only / fail-closed. Gate presented: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO Verdict requested to confirm: RS4A_PATCH2_READY_FOR_CODEX_REVIEW

---

1. What the re-review asked for vs what PATCH2 delivered

Your RS4A-PATCH1 re-review (NEED_RS4A_PATCH2) named five residual corrections. All are addressed without implementation, Owner creation, validator/registrar code, or DDL.

Re-review item	Required	Delivered	Where
R1	remove owner scope + authority policy from U1; bind them separately as authorization evidence	effect_identity = business effect only; new authorization_binding_digest bound to the attempt record (admission-required, not U1); changed authority ⇒ same effect ⇒ AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE; re-registration = explicit different operation	PATCH2-02
R2	correct U3 so registration cannot create multiple current draft heads (or fail closed)	Option 1: UNIQUE(canonical_target_dot_code) WHERE lifecycle_role='current_head' across {draft, active}; {deprecated, retired} terminal; surface absent ⇒ fail closed before draft write	PATCH2-03
R3	remove the success-audit contradiction from Phase 4	Phase-4 success verifier: row + status='draft' + metadata-match + no-notify + verifier-ref + readback; audit clause deleted; failure-audit failure-only; success-log optional/future	PATCH2-04
R4	one authoritative test registry; decide T-P6-3a/b count; recompute augmented total	PX2-001..015 registry, unique IDs, one semantic each; T-PX-* superseded; T-P6-3a/b = two cases (PX2-013/014); augmented total 111	PATCH2-05
R5	add changed-authority/same-effect + duplicate-draft-head tests	PX2-011 + PX2-012 (plus PX2-005/006/007/015)	PATCH2-05 §2

---

2. Points to verify adversarially

1. R1 is the crux. Confirm effect_identity now excludes canonical_owner_scope AND canonical_authority_policy_ref (and approval/owner/APR ids), so the same operation/code/artifact under a changed owner/policy yields the same U1 key and is refused as AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE — not a new registration. Confirm authorization_binding_digest is required for admission but is not part of U1, and that intentional re-registration requires an explicit different operation (not authority drift).
2. R2. Confirm U3's predicate now covers draft (not only active), that registration writes draft only if no draft/active head exists, that activation is in-place (draft→active, no new head), and that the absent surface fails closed (HEAD_POLICY_UNRESOLVED) before any draft write. Confirm U3 ≠ U1 (duplicate different-artifact draft for one code is U3, not U1).
3. R3. Confirm the Phase-4 success verifier no longer references any audit; that failure_audit_envelope is failure-only (separate txn, append-only sink fail-closed); and that success_decision_log_envelope is optional/future and never gates success.
4. R4 arithmetic. Independently recompute: 50 carried + (47 − 1 superseded T-P6-3) + 15 PX2 = 111. Confirm no PX2 ID denotes two semantics and all T-PX-* are superseded.
5. R5. Confirm PX2-011 (changed-authority/same-effect) and PX2-012 (duplicate draft head) exist as explicit cases.
6. No drift. Confirm zero mutation/DDL/Owner/APR/gate/registrar-code/validator-code; that C2/C4–C7/C9/C10/C13 and source fidelity / replace-not-wrap are not reopened; registration remains HOLD.

---

3. Live evidence used (read-only query_pg, db directus, 2026-06-21)

• directus_fields.dot_tools.status.options.choices = {draft, active, deprecated, retired}; validation=null, required=false — grounds U3 Option 1 (draft/active = current_head; deprecated/retired = terminal). (R2)
• dot_tools constraints: PRIMARY KEY (id), chk_dot_tier (A/B), chk_dot_coverage, chk_dot_trigger, fk_dot_tools_domain — no UNIQUE on code, no status CHECK ⇒ U3 surface REQUIRED_NOT_PRESENT. (R2)
• dot_tools.status data: active 291, published 16 (out-of-vocab), null 2, draft 0 — head space unconstrained; vocabulary can drift. (R2/R3)
• governance_object_ownership = 0 rows; apr_action_types = 14, no register_dot — authorization_binding_digest unresolvable ⇒ AUTHORITY_BINDING_UNRESOLVED ⇒ admission fail-closed. (R1)

---

4. Caveats PATCH2 itself flags (not hidden)

• Overall posture is still fail-closed: with owner=0 and no register_dot policy, authorization_binding_digest cannot be resolved ⇒ no admission. R1 only relocates the failure attribution from "effect identity unstable" to "authorization binding unresolved at admission"; the registration outcome is unchanged (HOLD).
• U3's enforcing surface (a lifecycle_role partial-unique on code) is REQUIRED_NOT_PRESENT; the policy is decided (Option 1), the constraint is a future Owner/design-gated surface. The status-domain CHECK (STATUS_DOMAIN_NOT_DB_ENFORCED) is a prerequisite for the lifecycle_role partition to be trustworthy.
• Failure-audit sink immutability remains unproven (AUDIT_SINK_UNAVAILABLE, G6); success requires no audit regardless.
• Suite is designed, not executed; no PASS claimed; T-P5-1 (failure path) stays in the baseline 97, PX2-015 covers the success path.

---

5. Requested decision

• If R1–R5 closures hold: ACCEPT_RS4A_PATCH2 ⇒ the corrected RS4A contract (RS4A + PATCH1 + PATCH2) is accepted-as-corrected; single next step = G2 Owner-of-record decision; RS-VALIDATOR / per-block hardening / registrar replacement remain sequenced after and unopened.
• If a further residual defect remains: name it for a scoped RS4A-PATCH3 on that item only; do not reopen the whole package.

Registration stays REGISTRATION_HOLD regardless. No implementation is authorized by this packet.