RS4A-05 — Owner / APR Authority Contract — 2026-06-21
Macro: RS4A · Objective E
Deliverable: 05 of 14 · design-only (does NOT create any Owner, APR, or action type)
Inputs: RS3-PATCH1/PATCH2 authority-evidence model; live reads (this macro).
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO
Status: AUTHORITY_CONTRACT_FAIL_CLOSED — every authority precondition is absent in live runtime; therefore, with this contract in force, no owner ⇒ no write today. The contract specifies the criteria that must be satisfied before any governed registration; it does not satisfy them and must not.
1. Live authority surface (my own read-only reads, 2026-06-21)
| Surface | Live fact | Consequence |
|---|---|---|
| `governance_object_ownership` | 0 rows | no owner-of-record for any object ⇒ `OWNER_ABSENT` fail-closed (G2) |
| `apr_action_types` | 14 codes, none is `register_dot`; the register-shaped codes (`register_axis`, `register_topic_node`, `assign_governance_owner`, `assign_axis_owner`, `delegate_authority`, `grant_governance_exception`, `authorize_build_step`, `activate_event_type`, `amend_law`, `enact_nrm`) are all `handler_ref='unimplemented'`, `risk_level='high'`; only `add_field`, `create_item`, `update_item`, `patch_ops_code` have implemented `dot-apr-execute:*` handlers | no governed `register_dot` action with an implemented quorum-bound handler ⇒ `APR_NOT_BOUND_TO_ARTIFACT` fail-closed (G3) |
| `quorum_passed(p_code text)` / `fn_apr_quorum_check()` | both exist (`prosecdef=false`) | quorum primitives exist, but there is no `register_dot` code to bind them to |
| `dot_tools.owner` column | exists (28-col schema) but registrar never sets it; `governance_object_ownership` is the head-of-record, not this column | owner authority is not a free-text `dot_tools.owner` string |
The registrar source performs zero authority checks (D08, RS3C-03 B19). So both the runtime (no owner, no register_dot) and the registrar (no check) are authority-absent.
2. Authority contract (criteria, fail-closed)
2.1 Owner-of-record precondition
- Required: a head row in `governance_object_ownership` for the target object scope, with `owner_kind ∈ {accountable, supporting, delegated, exception}` (RS3-PATCH1 enum) and the head selected by `uq_gov_obj_accountable`.
- Reject: no head row ⇒ `OWNER_ABSENT`. (Live: 0 rows ⇒ always rejects today.)
- Hard rule: the owner is an authority-evidence row, not the caller. Caller-supplied owner strings are `request_proposed.*` and never authority (must-not-do: caller ≠ authority).
2.2 register_dot governed-action precondition
- Required: an `apr_action_types` row `register_dot` with an implemented handler and `risk_level` set, so the action can be quorum-gated.
- Reject: action absent or `handler_ref='unimplemented'` ⇒ `APR_NOT_BOUND_TO_ARTIFACT`. (Live: absent ⇒ always rejects today.)
- Note: the existing `action` enum from RS3-PATCH1 (`{add, modify, delete, review}`) excludes register-of-DOT; a governed `register_dot` action type would be authored by the Owner, not by RS4A or the registrar.
2.3 Approval / APR binding to artifact_hash
- Required: an approval (`approval_requests` + `apr_approvals`) whose payload binds this `trusted_attested.artifact_hash` (from Interface F, RS4A-06), the canonical operation `register_dot`, and the canonical target.
- Reject: approval not bound to the exact artifact_hash ⇒ `APR_NOT_BOUND_TO_ARTIFACT`. Hash present in payload proves reference, not authorization; the binding must be to the attested hash, not a caller-proposed one.
2.4 Quorum proof
- Required: `quorum_passed('register_dot')` true (or `fn_apr_quorum_check` equivalent) for the bound approval, evaluated fail-closed (skip/unknown ⇒ not passed).
- Reject: quorum not proven ⇒ `APR_QUORUM_NOT_PROVEN`.
2.5 Lifecycle / supersession state
- Required: the owner/approval evidence is in an admissible `lifecycle_status` (active, not `superseded`/`revoked`/`expired` — RS3-PATCH1 enum); revocation = `revoked`.
- Reject: evidence superseded/revoked/expired ⇒ `AUTHORITY_SUPERSEDED`.
3. Reject table (authority layer)
| Code | Trigger | Live status |
|---|---|---|
| `OWNER_ABSENT` | no `governance_object_ownership` head row | always fires (0 rows) |
| `APR_NOT_BOUND_TO_ARTIFACT` | no `register_dot` action / approval not bound to attested artifact_hash | always fires (no action) |
| `APR_QUORUM_NOT_PROVEN` | `quorum_passed('register_dot')` not true | fail-closed |
| `AUTHORITY_SUPERSEDED` | owner/approval lifecycle ≠ active | fail-closed |
| `CALLER_AS_AUTHORITY` | caller-supplied owner/approval used as authority | reject by construction |
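
The five preconditions of section 2 and the reject codes above, expressed as a fail-closed evaluator. This is an added example, not code from RS4A or the registrar; the function name, the dict keys of the evidence snapshots and the sample values are assumptions.

```python
OWNER_KINDS = {"accountable", "supporting", "delegated", "exception"}  # RS3-PATCH1 enum

def evaluate(owner_head, action_type, approval, quorum,
             attested_hash, target, request_proposed=None):
    """Return every reject code that fires; an empty list is the only pass.

    Inputs are constructed snapshots (dicts or None); their keys are assumptions.
    request_proposed is accepted but never read, so caller input cannot become
    authority (the CALLER_AS_AUTHORITY case is excluded by construction).
    """
    rejects = []

    # 2.1 Owner-of-record: a head row with an owner_kind from the enum.
    if not owner_head or owner_head.get("owner_kind") not in OWNER_KINDS:
        rejects.append("OWNER_ABSENT")

    # 2.2 register_dot action type: implemented handler and risk_level set.
    act = action_type or {}
    action_ok = (act.get("handler_ref") not in (None, "", "unimplemented")
                 and bool(act.get("risk_level")))

    # 2.3 Approval bound to the attested hash, the operation and the target.
    apr = approval or {}
    bound = bool(attested_hash) and (
        apr.get("artifact_hash"), apr.get("operation"), apr.get("target")
    ) == (attested_hash, "register_dot", target)
    if not (action_ok and bound):
        rejects.append("APR_NOT_BOUND_TO_ARTIFACT")

    # 2.4 Quorum: only a literal True passes; False/None/unknown do not.
    if quorum is not True:
        rejects.append("APR_QUORUM_NOT_PROVEN")

    # 2.5 Lifecycle: evidence that exists must be 'active'; a missing status fails.
    present = [row for row in (owner_head, approval) if row]
    if any(row.get("lifecycle_status") != "active" for row in present):
        rejects.append("AUTHORITY_SUPERSEDED")
    return rejects

# Live state described in section 1: no owner row, no register_dot action.
LIVE = dict(owner_head=None, action_type=None, approval=None, quorum=None,
            attested_hash="sha256:constructed", target="dot/constructed")
```
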
4. What RS4A does NOT do
- Does not create an owner row, an APR, an approval, or a `register_dot` action type.
- Does not flip a gate or approve anything.
- Does not treat `dot_tools.owner` free-text or any caller assertion as authority.
These are Owner-of-record decisions (G2 is the deciding blocker). Until the Owner authors the owner-of-record head and a governed register_dot action with quorum binding, the authority contract is AUTHORITY_CONTRACT_FAIL_CLOSED and no governed registration can proceed.
5. Status
- Authority contract: defined, fail-closed (no owner = no write).
- G2 (owner) and G3 (`register_dot`) remain OPEN — controlling/deciding (RS4A-12).
- Gate `REGISTRATION_HOLD` · `CAN_PROCEED = NO`. No mutation, no APR, no owner created.