RS4A-10 — Replacement vs Wrapper Decision — 2026-06-21
Macro: RS4A · Objective J
Deliverable: 10 of 14 · design decision only (does NOT implement a replacement; no code)
Inputs: RS4A-01 (defects), RS4A-03 (delta), RS3C-02/03 (source).
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO
The question: can the operational dot-dot-register be safely wrapped for governed registration, or must it be replaced? Decided strictly against the criteria in the macro brief.
1. Criteria test (against the recovered source)
| Criterion (macro §1.10) | Source fact | Outcome |
|---|---|---|
| If the script mass-scans and sets status active, a wrapper must prevent real-run entirely unless it bypasses script logic | L121 mass glob + L173 status:"active" | wrapper would have to bypass the script's own write loop ⇒ not a wrapper |
| If a wrapper calls the script with no target arg, it is unsafe | no single-target arg exists (L95–100); calling it triggers the mass scan | unsafe |
| If the script has no single-target mode, it cannot be safely adapted without rewriting/replacing | no --one/--code/--path (D03) | replace |
| If fail-open logging remains, success from it cannot be accepted | curl no -f, $?-check (L156/L176, D10) | success signal untrustworthy ⇒ cannot accept |
| If there is no transaction, it cannot meet the phase model | independent POST per file, no BEGIN/COMMIT (L131–184, D06/D07) | cannot meet Phase-3 atomic boundary |
Every criterion points the same way: the real-run write path is internally unsafe and offers no single-target, atomic, authorized, honest-success mode to wrap.
2. Decision
| Path | Decision |
|---|---|
| Governed real-run registration | REPLACE_FOR_GOVERNED_REGISTRATION — a new registrar designed to RS4A-02 contract v0.2 (scalar target, authority envelopes, Interface F hash, atomic Phase-3, inert status, paired verifier, durable audit). The existing write loop is not adaptable by wrapping. |
| Current real-run path (DRY_RUN=false POST loop) | REJECT_CURRENT_REAL_RUN_PATH — retired for governed registration; must not be invoked in real mode for registration. Its mass-scan + active + fail-open + root-SSH/-k behavior is irreducibly unsafe (D01, D05, D10, D14). |
| Discovery / reporting | WRAP_ONLY_FOR_DRY_RUN_SCAN_REPORT — the existing artifact may be reused only via --dry-run to enumerate untracked dot-* and report drift; it performs no writes in that mode (D22). Output is advisory input to the governed registrar, never an authority. |
| Classification helpers | REUSE_ONLY_CLASSIFICATION_HELPERS — classify_tier / classify_domain are pure functions reusable as advisory metadata suggestions, never as the authoritative tier/domain (which must derive from the admitted artifact contract). Note tier feeds the activation watch-set, so a wrong tier is safety-relevant — advisory only. |
Combined verdict: REPLACE_FOR_GOVERNED_REGISTRATION (primary) + REJECT_CURRENT_REAL_RUN_PATH, with WRAP_ONLY_FOR_DRY_RUN_SCAN_REPORT and REUSE_ONLY_CLASSIFICATION_HELPERS as the only safe residual reuses.
3. Why not a wrapper (explicit)
A wrapper has exactly two ways to invoke the script:
- No --dry-run ⇒ the script mass-scans (L121), loops (L131), and POSTs status:"active" per file (L156/L173) with no transaction (D06), no authority (D08), no hash (D09), and reports success on curl-exit (D10). A wrapper that allows this has wrapped an unsafe mass-writer.
- --dry-run ⇒ the script performs no write (L155 guard). Useful only for discovery/report.
There is no third mode (single-target, atomic, authorized) to wrap. The must-not-do rule "do not make a wrapper if the wrapper still calls the mass-scan real-run path" therefore forbids the wrapper approach for registration. The only governed path is a replacement designed to the contract.
4. Scope guard (no implementation)
This deliverable decides replace; it does not write the replacement. No executable, no migration, no Directus mutation payload, no patch to dot-dot-register/dot-catalog-sync/source-law is produced or authorized. The replacement is gated on the G2 Owner-of-record decision and Codex acceptance of this contract package (RS4A-12). Building the replacement before that gate would be implementation drift (RS4A_REJECT_IMPLEMENTATION_DRIFT).
5. Status
- Replacement decision: REPLACE_FOR_GOVERNED_REGISTRATION + REJECT_CURRENT_REAL_RUN_PATH (+ WRAP_ONLY_FOR_DRY_RUN_SCAN_REPORT, REUSE_ONLY_CLASSIFICATION_HELPERS).
- No code, no patch. Gate REGISTRATION_HOLD · CAN_PROCEED = NO.