KB-4284

RS4A-03 — Contract-vs-Source Delta Matrix — 2026-06-21

Macro: RS4A · Objective C · Deliverable: 03 of 14 · design-only
Inputs: RS4A-01 (defect ledger, D01–D24), RS4A-02 (target contract v0.2), RS3C-02/03 (source)
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO

Each row compares the current operational source behavior (line-cited) against the required contract behavior (RS4A-02), assigns a delta severity, and decides Can be wrapped? / Must be replaced?. "Wrapped" = a guard placed around the existing script without changing its internal logic. The decisive rule (RS4A-10): a wrapper that still invokes the script's mass-scan real-run path cannot satisfy the contract, so wrapping is viable only for --dry-run scan/report.

Severity: CRITICAL (irreducible unsafety / authority gap) · HIGH (fail-open or activation) · MED (fidelity / consistency).


1. Delta matrix (24 rows)

| # | Current source behavior (line) | Required contract behavior (RS4A-02) | Δ severity | Can be wrapped? | Must be replaced? | Evidence |
|---|---|---|---|---|---|---|
| 1 | Mass glob ls .../dot-* is the input set (L121) | Scalar dot_code+artifact_path; glob ⇒ MASS_REGISTRATION_ATTEMPTED | CRITICAL | No (input model is the unsafety) | Yes | D01 |
| 2 | Loop registers every untracked file (L131) | One effect per logical_request_key | CRITICAL | No | Yes | D02 |
| 3 | No single-target arg (L95–100) | Single-target argument required | CRITICAL | No (no single-target mode to call) | Yes | D03 |
| 4 | Independent REST POST per file (L156) | One governed write inside atomic Phase-1 | CRITICAL | No | Yes | D04 |
| 5 | status:"active" hardcoded (L173) | Inert/non-active status at registration | HIGH | Partial only if wrapper rewrites body (≠ wrap) | Yes | D05 |
| 6 | No transaction (L131–184) | Atomic transaction boundary | CRITICAL | No | Yes | D06 |
| 7 | No rollback / compensation (L13 abort) | Rollback + compensation rule | CRITICAL | No | Yes | D07 |
| 8 | No Owner/APR/gate check (L94–191) | Owner + register_dot APR envelope before write | CRITICAL | No (authority absent in code) | Yes + CONTRACT_BACKSTOP | D08; LIVE owner=0, no register_dot |
| 9 | No deployed-artifact hash carried (L167–174) | Bind trusted_attested.artifact_hash (Interface F) | CRITICAL | No | Yes + CONTRACT_BACKSTOP | D09; SCHEMA 0 hash cols |
| 10 | Fail-open success: curl no -f, $?-check (L156/L176) | Success = HTTP-2xx + readback | HIGH | No (its success signal is untrustworthy) | Yes; REJECT_REAL_RUN | D10 |
| 11 | Fragile dedup grep -qF abs-vs-normalized (L128/L135) | Exact-identity idempotency + DB UNIQUE | HIGH | No | Yes + CONTRACT_BACKSTOP | D11 (P3) |
| 12 | WHERE file_path IS NOT NULL skips 81 rows (L128) | Identity check covers all rows | HIGH | No | Yes | D12; LIVE null_fp=81 |
| 13 | No DB UNIQUE (only PK(id)) | UNIQUE on identity axis | HIGH | Partial (DB constraint addable independently) | CONTRACT_BACKSTOP | D13; SCHEMA |
| 14 | Hardcoded VPS IP + root SSH key (L20–21) | Least-privilege, no embedded root creds | CRITICAL | No | Yes; REJECT_REAL_RUN | D14 |
| 15 | curl -k TLS-skip on write (L156) | TLS-verified transport | HIGH | No (in write path) | Yes | D15 |
| 16 | Reads via root psql/ssh bypass (run_pg/run_remote) | Permissioned read path | HIGH | No | Yes | D16 |
| 17 | Heuristic tier/domain (classify_*) | Metadata from admitted artifact; classifier advisory only | MED | Partial (reusable as advisory helper) | REUSE_HELPER_ADVISORY | D17 |
| 18 | Code = uppercase/underscore (L143), also trigger-overridden | Deterministic contract-derived identity | MED | No | Yes | D18 |
| 19 | Active insert fires trg_context_pack_dot_register notify (L173) | Inert status ⇒ notify condition not met (G7 fenced) | HIGH | No | Yes + CONTRACT_BACKSTOP | D19; LIVE function body (tier∈watch ∧ status='active') |
| 20 | Registrar writes no audit (L94–191) | Durable failure-audit outside rolled-back txn | HIGH | No | Yes + CONTRACT_BACKSTOP | D20; RS4A-08 |
| 21 | Metadata .ts vs bash artifact (L1) | Truthful artifact type | MED | Partial (metadata correction is data-only, not a wrap of behavior) | Yes/correction | D21 |
| 22 | DRY_RUN=false default = real-run (L27) | Safe-by-default; explicit write authority | HIGH | Yes — for --dry-run only | WRAP_DRY_ONLY | D22 |
| 23 | No post-write readback / verifier (L148–151) | Post-commit paired verifier | HIGH | No | Yes + CONTRACT_BACKSTOP | D23 |
| 24 | paired_dot copied as field for every tier-B (L148–151) | Content-derived pairing; one primary row | MED | No | Yes | D24 (C2) |
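Row 10's fail-open success signal contrasted with the contract's rule (HTTP-2xx plus readback), as an added shell illustration; this is not code from the source script or from any RS4A deliverable, and `legacy_outcome`, `classify_outcome`, `governed_post` and the readback command it takes are assumed names.

```shell
#!/usr/bin/env bash
# Added illustration for row 10 (D10). The legacy registrar treats "curl ran"
# as "write succeeded"; the contract requires success = HTTP 2xx AND readback.
# Function names and the readback command are assumptions, not project code.
set -u

# Legacy pattern (source L156/L176): curl without -f exits 0 on a 4xx/5xx
# response, so a bare $?-check reports success on a rejected write. Fail-open.
legacy_outcome() {
  local curl_rc=$1          # curl's process exit status
  [ "$curl_rc" -eq 0 ]      # the HTTP status is never consulted
}

# Contract rule: curl must succeed, the HTTP status must be 2xx, and exactly
# one row must be read back for the identity just written. Fail-closed.
classify_outcome() {
  local curl_rc=$1 http_code=$2 readback_rows=$3
  [ "$curl_rc" -eq 0 ] || return 1
  case "$http_code" in 2[0-9][0-9]) ;; *) return 1 ;; esac
  [ "$readback_rows" -eq 1 ]
}

# Governed single-target write (not exercised offline). One identity per call,
# --fail turns a non-2xx response into a non-zero exit, TLS stays verified
# (no -k), the status code is captured explicitly, and the row is read back
# before success is claimed. readback_cmd prints the row count for dot_code.
governed_post() {
  local url=$1 dot_code=$2 body_json=$3 readback_cmd=$4
  local http_code rc rows
  http_code=$(curl --fail -sS -o /dev/null -w '%{http_code}' \
                   -H 'Content-Type: application/json' \
                   --data "$body_json" "$url"); rc=$?
  rows=$("$readback_cmd" "$dot_code") || rows=0
  classify_outcome "$rc" "${http_code:-000}" "$rows"
}
```

A 500 from the endpoint with a clean curl exit satisfies `legacy_outcome` but not `classify_outcome`, which is the untrustworthy-signal finding the matrix records.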

2. Decision summary per disposition class

| Disposition | Rows | Meaning |
|---|---|---|
| MUST_REPLACE (cannot wrap; behavior internally unsafe) | 1,2,3,4,6,7,8,9,10,14,15,16,18,19,20,23,24 (17 rows) | the governed real-run registrar must be a new design; the existing write loop cannot be made compliant by wrapping |
| CONTRACT_BACKSTOP (closed by a DB/envelope constraint the replacement adds) | 8,9,11,12,13,19,20,23 | uniqueness, hash carrier, owner/APR envelope, inert status, durable audit, verifier |
| WRAP_DRY_ONLY (safe reuse of existing artifact) | 22 | only --dry-run discovery/report; never the write path |
| REUSE_HELPER_ADVISORY (pure classifier, advisory) | 17 | classify_tier/classify_domain as advisory metadata input, never authority |
| REJECT_REAL_RUN (irreducible; retire the path) | 1,10,14 | mass-scan input, fail-open success, root-SSH/-k write |

3. Wrapping feasibility verdict

A wrapper around dot-dot-register would have to either (a) call it with no target → it mass-scans and writes active rows (rows 1–5), or (b) call it with --dry-run → it performs no write. There is no single-target write mode to wrap (row 3), the success signal is untrustworthy (row 10), and there is no transaction or authority in the code (rows 6–8). Therefore: the contract cannot be satisfied by wrapping the real-run path. Only --dry-run scan/report is wrappable. This forces the RS4A-10 decision REPLACE_FOR_GOVERNED_REGISTRATION + REJECT_CURRENT_REAL_RUN_PATH, with WRAP_ONLY_FOR_DRY_RUN_SCAN_REPORT and REUSE_ONLY_CLASSIFICATION_HELPERS as the only safe residual reuses.

4. Status

  • Delta matrix: DELTA_MATRIX_COMPLETE — 24 rows (≥20 required), each line-cited and dispositioned.
  • 17/24 deltas are MUST_REPLACE; only 1 row (--dry-run) is wrappable.
  • No code, no patch. Gate REGISTRATION_HOLD · CAN_PROCEED = NO.