RS4A-01 — Source Defect Ledger (line-level) — 2026-06-21
Macro: RS4A — REGISTRAR-HARDENING-DESIGN-SOURCE-AWARE GOVERNANCE CONTRACT PACKAGE · Objective A
Deliverable: 01 of 14 · source-aware, line-cited
Source-of-record: RS3C-02 §2, operational dot-dot-register sha256 31d5cf1508c7950cc30a2a6abb46d7cee868e1cbf951a6095ff0aee7ba48583f (193 lines / 5,813 B, bash), proven hash-equal to recorded OPERATIONAL snapshot row id 6022; RS3C-02 §3, operational dot-catalog-sync sha256 7dd84cda6d1e220fc7f54419bf40ec9ad05a952b6a402360df73f0af3fa355cd (264 lines / 7,134 B, bash), snapshot id 5963.
Date: 2026-06-21 · read-only · 0 mutations · DESIGN-ONLY (no implementation, no patch, no registration)
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO
Rule: every defect cites a source line/fragment from the RS3C-02 mirror. RP-03 prose is not used; where source contradicts RP-03, source wins.
Carried Codex caveats (P1–P5):
- P1 — "byte-identical to deployed OPERATIONAL" means mirror sha256 equals the recorded same-day snapshot hash (wf_fs_dot_bin_snapshot); it is not a Codex-live deployed attestation or signature.
- P2 — the writer-set conclusion is scoped to the two examined scripts {dot-dot-register, dot-catalog-sync} only; other runtime writers were not exhaustively inventoried.
- P3 — the dedup is source-proven fragile / fail-open-prone; the unqualified "absolute-vs-normalized never matches" is not asserted as universal here.
- P4 — trigger execution is evidenced and (this macro) the activation trigger's function body was read live; notification is conditional (tier ∈ watch_tiers AND status='active'), not unconditional. See RS4A-09.
- P5 — design only: no implementation, no patch, no registration, no validator hardening.
1. Headline
The operational registrar dot-dot-register is a bash mass-scan auto-registrar that, on real-run, discovers every dot-* on the VPS, derives metadata heuristically, and issues one independent Directus POST /items/dot_tools per untracked file with status:"active" hardcoded — no transaction, no authority binding, no artifact hash, no DB uniqueness backstop, fail-open success logging, and an activation side-effect. This ledger enumerates 24 defects/risks (D01–D24), each line-cited, mapped to the contract it violates and to a required disposition. It is the source basis for the controlling finding SOURCE_CONFIRMS_UNSAFE_REGISTRAR_BEHAVIOR carried into RS4A.
Disposition vocabulary (decided per defect; basis = RS4A-10): REPLACE (real-run path must be a new governed registrar) · REJECT_REAL_RUN (this code path must be retired for governed registration) · WRAP_DRY_ONLY (usable only as --dry-run scan/report) · REUSE_HELPER_ADVISORY (a pure classifier reusable as advisory input only) · CONTRACT_BACKSTOP (defect closed by a contract/DB constraint the replacement must add).
Evidence tiers: SRC = direct source line in RS3C-02 mirror · LIVE = my own read-only query_pg (2026-06-21) · SCHEMA = pg_constraint/information_schema live · PROSE = RP-03/RS3B inference (used only where source is silent, flagged).
2. Registrar defect ledger — dot-dot-register (D01–D20)
| Defect ID | Source line / fragment (RS3C-02 §2) | Unsafe behavior | Violated contract | Blast radius | Required disposition | Evidence tier |
|---|---|---|---|---|---|---|
| D01 mass-scan | L121 DISK_FILES=$(run_remote "ls -1 ${DOT_BIN_DIR}/dot-* 2>/dev/null"), DOT_BIN_DIR=/opt/incomex/dot/bin (L25) | discovers every dot-* on disk as the registration input set | Single-Artifact (one admitted artifact per invocation); MASS_REGISTRATION_ATTEMPTED prohibition | every untracked dot-* on the VPS (workstation listing ≈165 files, P1: not a proven VPS count) | REPLACE + REJECT_REAL_RUN | SRC |
| D02 mass loop | L131 while IFS= read -r filepath … done <<< "$DISK_FILES" | one invocation creates many rows in a loop | one-effect-per-logical-key; atomic single-artifact write | N rows per run | REPLACE | SRC |
| D03 no scalar target arg | arg parse L95–100 handles only --help/-h, --dry-run; no --one/--code/--path | cannot register a single named DOT; scan is the only mode | scalar dot_code+artifact_path input contract | n/a (capability gap) | REPLACE | SRC |
| D04 REST POST per file | L156 curl -sS --globoff -k -X POST "${BASE_URL}/items/dot_tools" | independent app-layer write per discovered file | atomic Phase-1 boundary; single governed write | per-row | REPLACE | SRC |
| D05 status active hardcoded | L173 status: "active" in the POST body | registers active, not inert/pending | Closed-at-registration / inert status invariant | every created row is born active | REPLACE + CONTRACT_BACKSTOP (inert status) | SRC |
| D06 no transaction | L131–L184 independent curl POST per iteration; no BEGIN/COMMIT anywhere | partial-batch failure leaves committed rows | atomic transaction boundary (RS2-PATCH1) | partial registry state | REPLACE | SRC |
| D07 no rollback / no compensation | same region; set -euo pipefail (L13) aborts mid-loop | abort mid-loop = committed-prefix rows, no undo | rollback + compensation rule | committed prefix | REPLACE | SRC |
| D08 no Owner/APR/gate check | nothing in L94–L191 reads ownership, approvals, APR, or any admission gate before POST | zero authorization binding on the write | Owner Authority Envelope; register_dot APR envelope | unbounded (no authority) | REPLACE + CONTRACT_BACKSTOP (RS4A-05) | SRC + LIVE (governance_object_ownership=0; apr_action_types has no register_dot) |
| D09 no deployed-artifact hash | POST body L167–L174 sends {code,name,file_path,tier,domain,status,paired_dot} only | row is not bound to any specific artifact content | Interface F artifact-hash binding | identity not provable | REPLACE + CONTRACT_BACKSTOP (RS4A-06) | SRC + SCHEMA (dot_tools 0 hash cols) |
| D10 fail-open success logging | L156 curl has no -f/--fail and sends output to > /dev/null 2>&1; L176 if [[ $? -eq 0 ]] tests the curl process exit, which is 0 on HTTP 4xx/5xx | logs Registered: $CODE even when Directus rejected the write | success = HTTP-2xx + readback | every false-success | REPLACE + REJECT_REAL_RUN (its success signal is untrustworthy) | SRC |
| D11 defective dedup (path mismatch) | L128 REGISTERED=$(run_pg "SELECT file_path FROM dot_tools WHERE file_path IS NOT NULL;"); L135 `if echo "$REGISTERED" \| grep -qF "$filepath"` | disk path is absolute (/opt/incomex/dot/bin/...); stored values are normalized/relative and trigger-rewritten; unanchored grep -qF is fragile / fail-open-prone (P3) | exact-identity idempotency | re-runs may re-register already-registered tools → duplicates | REPLACE + CONTRACT_BACKSTOP (DB UNIQUE) | |
| D12 NULL file_path excludes rows from dedup | L128 WHERE file_path IS NOT NULL | 81/309 rows have NULL file_path (LIVE) → excluded from the dedup SELECT → never matched | exact-identity idempotency | up to 81 identity-blind rows | REPLACE + CONTRACT_BACKSTOP | SRC + LIVE (null_fp=81) |
| D13 no DB UNIQUE backstop | dedup is the sole guard; dot_tools constraints = dot_tools_pkey PRIMARY KEY (id) + CHECKs + 1 FK only | DB accepts duplicate code/file_path | DB uniqueness on the identity axis | duplicate identities | CONTRACT_BACKSTOP (add UNIQUE on identity axis) | SCHEMA (LIVE: only PK(id), chk_dot_tier, chk_dot_coverage, chk_dot_trigger, fk_dot_tools_domain) |
| D14 hardcoded VPS IP + root SSH key path | L20 VPS_HOST="38.242.240.89", L21 VPS_KEY="${HOME}/.ssh/contabo_vps"; run_pg/run_remote ssh -i "$VPS_KEY" … root@${VPS_HOST} | infra identifiers + root SSH embedded in the artifact; reads can run as root | credential/secret handling; least privilege | host-level | REPLACE + REJECT_REAL_RUN | SRC |
| D15 curl -k (TLS verify skipped) | L156 curl … -k … | TLS certificate verification disabled on the write | transport integrity | MITM-exposed write | REPLACE | SRC |
| D16 reads bypass Directus permission layer | run_pg → docker exec -i postgres psql -U directus or ssh root@… (run_pg/run_remote defs) | registry reads bypass the app permission layer (raw psql / root) | least-privilege read path | read-side authority bypass | REPLACE | SRC |
| D17 heuristic tier/domain | classify_tier (A iff -health/-scan/-report/-audit/-check/-verify/-integrity/-coverage, else B), classify_domain (filename pattern table) | metadata derived by filename heuristics, not by an admitted contract; mis-tier risk (and tier feeds the activation watch-set) | metadata from admitted artifact, not caller heuristic | mis-classification | REUSE_HELPER_ADVISORY (advisory only; never authority) | SRC |
| D18 code derivation inconsistent | L143 `CODE=$(echo "$BASENAME" \| tr '[:lower:]' '[:upper:]' \| tr '-' '_')` → dot-foo → DOT_FOO | underscore code form differs from manual DOT-NNN convention; also overridden by gen_code_dot_tools BEFORE INSERT | deterministic, contract-derived identity | inconsistent codes | REPLACE | |
| D19 activation side-effect at insert | L173 status:"active" → fires trg_context_pack_dot_register AFTER INSERT/UPDATE → fn_context_pack_on_dot_register → pg_notify('context_pack_event', …) when tier ∈ ["A","B","C"] AND status='active' | registration emits an automation activation signal; mass active inserts = mass notifications | no-activation-at-registration (G7) | every watch-tier active insert | REPLACE + CONTRACT_BACKSTOP (inert status fences the notify) | SRC + LIVE function body (closes P4: condition is tier∈watch ∧ status='active'; context_pack_mode='warn') |
| D20 no audit written by registrar | no audit/changelog write in L94–L191; any registry_changelog row is a DB-side trigger effect, not the registrar | a failed/rolled-back registration leaves no durable registrar-authored audit | durable failure-audit sink (RS4A-08) | no forensics on failure | REPLACE + CONTRACT_BACKSTOP (RS4A-08) | SRC |
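
D10 and D11/D12 are easiest to see side by side in code. The following is an added illustration written for this ledger; it is not the registrar's code and not an RS4A deliverable. It contrasts the registrar-style success test (curl exit status only) with a governed test (curl exit 0, HTTP 2xx, and a readback whose file_path matches), and the unanchored grep -qF dedup with an exact whole-line match after mapping the disk path to the stored form. The stored values, the readback JSON and the mapping /opt/incomex/dot/bin/X → bin/dot/X are constructed assumptions; nothing contacts Directus or psql.

```shell
#!/usr/bin/env sh
# Added example, not the registrar's code: the fail-open success test of D10
# and the unanchored dedup of D11/D12 next to exact-identity checks.
# Every input below is constructed sample data; nothing is written anywhere.
set -eu

# ---- D10: what counts as "registered" ------------------------------------
# Registrar style: only curl's process exit status is consulted (its output
# went to /dev/null), so a Directus 4xx/5xx still reads as success.
registrar_style_success() {   # $1 = curl exit code; the HTTP status is never seen
  [ "$1" -eq 0 ]
}

# Governed: success = curl exit 0 AND HTTP 2xx AND a readback of the created
# row whose file_path equals the intended value. The readback is checked with
# a fixed-string match on the exact key/value pair (illustrative; a real
# verifier would parse the JSON).
governed_success() {   # $1 = curl exit, $2 = HTTP status, $3 = readback JSON, $4 = intended file_path
  [ "$1" -eq 0 ] || return 1
  case "$2" in 2[0-9][0-9]) ;; *) return 1 ;; esac
  case "$3" in *"\"file_path\":\"$4\""*) return 0 ;; *) return 1 ;; esac
}

# ---- D11/D12: dedup against stored file_path values -----------------------
# Constructed stand-in for `SELECT file_path FROM dot_tools WHERE file_path IS
# NOT NULL` as psql -At would print it: stored values are normalized/relative
# (the bin/dot/... form seen in D21); NULL rows are absent by construction.
STORED_FILE_PATHS=$(printf '%s\n' bin/dot/dot-health-dot bin/dot/dot-foo bin/dot/dot-foo-bar)
DOT_BIN_DIR=/opt/incomex/dot/bin

# Registrar style: unanchored fixed-string grep of the absolute disk path.
# An absolute path is not a substring of these relative stored values, so an
# already-registered tool looks unregistered and a re-run creates a duplicate.
registrar_style_is_registered() {
  printf '%s\n' "$STORED_FILE_PATHS" | grep -qF "$1"
}

# Governed: map the disk path to the stored form (assumed mapping:
# /opt/incomex/dot/bin/X -> bin/dot/X) and match whole lines only (-x), so
# bin/dot/dot-foo is not satisfied by bin/dot/dot-foo-bar or vice versa.
to_stored_form() {
  case "$1" in "$DOT_BIN_DIR"/*) ;; *) return 1 ;; esac
  printf 'bin/dot/%s\n' "${1#"$DOT_BIN_DIR"/}"
}
exact_is_registered() {
  _stored=$(to_stored_form "$1") || return 1
  printf '%s\n' "$STORED_FILE_PATHS" | grep -qxF "$_stored"
}

# Stand-alone demonstration.
if registrar_style_success 0 422; then
  echo "D10: registrar-style check reports success on HTTP 422"
fi
if ! governed_success 0 422 '{"data":{}}' bin/dot/dot-foo; then
  echo "D10: governed check rejects HTTP 422 with no readback"
fi
if ! registrar_style_is_registered "$DOT_BIN_DIR/dot-foo"; then
  echo "D11: registrar-style dedup misses already-registered dot-foo (would duplicate)"
fi
if exact_is_registered "$DOT_BIN_DIR/dot-foo"; then
  echo "D11: exact-identity dedup finds dot-foo"
fi
```

The exact-identity check still depends on an application-side list; per D13 it is a guard, not a backstop, and the replacement contract has to pair it with a DB UNIQUE constraint on the identity axis.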
3. Cross-cutting / metadata-fidelity defects (D21–D24)
| Defect ID | Source / live fragment | Unsafe behavior | Violated contract | Required disposition | Evidence tier |
|---|---|---|---|---|---|
| D21 artifact-type mislabel | RS3C-02 §2 L1 #!/usr/bin/env bash; live dot_tools.DOT-REGISTER.file_path = bin/dot/dot-dot-register.ts | registry metadata claims .ts (TypeScript); the deployed artifact is a bash executable | registry must truthfully describe the deployed artifact | REPLACE/metadata-correction (design-time only; no live patch in RS4A) | SRC + PROSE |
| D22 dry-run default is real-run | L27 DRY_RUN=false; writes occur unless --dry-run passed (L98, L155 if [[ "$DRY_RUN" == false ]]) | the only in-code safety toggle defaults OFF; default invocation is real-run | safe-by-default; explicit-authority-to-write | WRAP_DRY_ONLY (only --dry-run is usable; real-run path rejected) | SRC |
| D23 no post-write readback / verifier | nothing reads the created row back; pairing is a text field only (L148–151) | no proof the committed row matches intent; no post-commit verify | post-commit verifier obligation | REPLACE + CONTRACT_BACKSTOP (paired verifier, RS4A-04 Phase 4) | SRC |
| D24 paired_dot copied as a field, not a contracted pairing | L148–151 if [[ "$TIER" == "B" ]]; then PAIRED="DOT-HEALTH-DOT"; fi; L166/L174 paired_dot: $paired | every tier-B target gets paired_dot="DOT-HEALTH-DOT" copied verbatim — a field copy, not a content-derived pairing, and not a second row | pair cardinality must be content-derived (Codex C2) | REPLACE (derive pair from target contract) | SRC |
C2 note (not a defect, recorded for completeness): the paired_dot field copy creates no second dot_tools row. Per-target cardinality is one primary row; the DOT-REGISTER ↔ DOT-HEALTH-DOT relationship is a control-plane pair of two pre-existing identities, not a per-target two-row rule. See RS4A-09 / RS3C-08.
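
The scalar-input, hash-bound, inert-by-default shape that D03, D05/D19, D09 and D22 require can be shown in a few lines. The block below is an added illustration written for this ledger; it is not the registrar's code, not an RS4A deliverable, and does not perform the POST. The column name artifact_sha256, the inert status value "pending" and the --real-run flag are assumptions used for illustration; the package's own contract names come from RS4A-02/04/06.

```shell
#!/usr/bin/env sh
# Added example, not the registrar's code and not an RS4A deliverable: a
# single-target registration body builder that encodes four ledger contracts
# in code: scalar --code/--path input (D03), artifact sha256 in the row (D09),
# inert status at creation (D05/D19) and dry-run as the default (D22).
# Assumptions: the column "artifact_sha256", the inert value "pending" and the
# --real-run flag are illustrative, not the package's contract names.
set -eu

usage() { echo "usage: dot-register --code DOT-CODE --path /abs/path [--real-run]" >&2; }

# sha256 of a file: GNU coreutils sha256sum, or shasum on BSD/macOS.
artifact_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# parse_args: sets CODE, PATH_ARG and DRY_RUN; returns 1 unless exactly one
# target is named. Unlike L27 of the registrar, DRY_RUN starts true and only
# an explicit --real-run turns writes on.
parse_args() {
  CODE=""; PATH_ARG=""; DRY_RUN=true
  while [ $# -gt 0 ]; do
    case "$1" in
      --code) [ $# -ge 2 ] || { usage; return 1; }; CODE=$2; shift 2 ;;
      --path) [ $# -ge 2 ] || { usage; return 1; }; PATH_ARG=$2; shift 2 ;;
      --real-run) DRY_RUN=false; shift ;;
      *) usage; return 1 ;;
    esac
  done
  # Scan mode is deliberately absent: no target means no work, not "all".
  [ -n "$CODE" ] && [ -n "$PATH_ARG" ] || { usage; return 1; }
}

# build_body: the JSON for exactly one dot_tools row. The hash binds the row to
# the artifact's content; "pending" keeps the row inert so a trigger gated on
# status='active' (D19) cannot fire at registration time.
build_body() {   # $1 = dot code, $2 = artifact path
  [ -f "$2" ] || { echo "artifact not found: $2" >&2; return 1; }
  _hash=$(artifact_sha256 "$2") || return 1
  printf '{"code":"%s","file_path":"%s","artifact_sha256":"%s","status":"pending"}\n' \
    "$1" "$2" "$_hash"
}

# Stand-alone demonstration with a constructed empty artifact.
_tmp=$(mktemp -d)
: > "$_tmp/dot-example"
if parse_args --code DOT-EXAMPLE --path "$_tmp/dot-example"; then
  echo "dry_run=$DRY_RUN (default: nothing is POSTed)"
  build_body "$CODE" "$PATH_ARG"
fi
rm -rf "$_tmp"
```

The body is built with printf and no JSON escaping, which is fine for the DOT-NNN codes and absolute paths the ledger describes; a real implementation would serialize properly and, per D23, read the committed row back and compare its artifact_sha256 against the value sent.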
4. Catalog-sync — boundary facts (not registry defects)
dot-catalog-sync (sha256 7dd84cda…, 264 lines) is in-scope only to bound the dual-writer question. Its only mutation is PATCH /items/meta_catalog/{id} writing record_count (L68); it issues no POST/PATCH/DELETE to /items/dot_tools anywhere in L1–L264 (filesystem scan L84, lookup L52, entrypoint L264). Therefore (P2-scoped): dot_tools writer set among {dot-dot-register, dot-catalog-sync} = {dot-dot-register}. Catalog-sync's residual risk is advisory count drift (meta_catalog.record_count), never a registry-row write. Notably it uses --globoff without -k (no TLS-skip), unlike the registrar (D15). No catalog-sync defect is admitted to this ledger; case 48 (CATALOG_SYNC_SOURCE_CONTRADICTS_BOUNDARY) is retained as a future regression guard only (RS4A-11).
5. Disposition roll-up
- REPLACE_FOR_GOVERNED_REGISTRATION is forced by D01–D10, D14–D16, D18–D20, D23–D24: the real-run write path is mass-scan + active + non-atomic + fail-open + unauthorized. A wrapper cannot fix an internally-unsafe write loop without bypassing it. See RS4A-10.
- REJECT_CURRENT_REAL_RUN_PATH for D01, D10, D14 (their unsafety is irreducible).
- WRAP_ONLY_FOR_DRY_RUN_SCAN_REPORT is the only safe reuse of the existing artifact (D22): --dry-run discovery/report, no writes.
- REUSE_ONLY_CLASSIFICATION_HELPERS applies to classify_tier/classify_domain (D17) — but as advisory input to an admitted contract, never as authority.
- CONTRACT_BACKSTOP items (D05, D08, D09, D11–D13, D19, D20, D23) are closed by constraints/envelopes the replacement contract must require (RS4A-02/04/05/06/08/09).
6. Status
- Defect ledger: SOURCE_DEFECT_LEDGER_COMPLETE — 24 line-cited defects (≥20 required).
- Controlling finding (carried): SOURCE_CONFIRMS_UNSAFE_REGISTRAR_BEHAVIOR.
- No defect overclaimed: dedup framed fragile/fail-open-prone (P3); fidelity = mirror-hash = recorded-snapshot-hash (P1); writer-set scoped (P2); activation notify conditional with live-read body (P4).
- Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO. No implementation, no patch, no registration.