KB-32B9

RS5A-PATCH1-02 — Hard Prerequisite Graph Before register_dot — 2026-06-21

Revision 1
Tags: rs5a-patch1 · g2 · prerequisite-graph · sequencing · fail-closed · replace-not-wrap · 2026-06-21

Macro: RS5A-PATCH1 · Objective A + R1/R6 · Deliverable: 02 of 10.

Supersedes: RS5A-04 §1/§4 and RS5A-10 Option A/B "unlocks registration" wording, and any reading of RS5A-06 that treats replay/audit/hash/U3/status/authority as post-registration enhancements.

Controlling correction: Nothing in RS5A may be read to mean replay, failure-audit, artifact-hash, U3, status-domain, effect-bound approval, or authority-binding can exist AFTER real runtime register_dot. They are hard runtime prerequisites. Replay surface and failure-audit sink may be DESIGNED after the G2 decision, but must exist and pass before any real register_dot admission.

1. Four-phase sequencing (replaces "gate vs deferrable" framing)

| Phase | Allowed activity | Required before next phase | Forbidden in this phase |
|---|---|---|---|
| P0 — done | RS4A/PATCH1/PATCH2 contract accepted; RS5A decision dossier authored; RS5A-PATCH1 correction | Codex ACCEPT_RS5A_PATCH1 | any mutation; any Owner execution |
| P1 — G2 execution-design / authorization-design (RS5B) | design-only: bootstrap-authority design, scope-row shape, ownership-row shape, approval/action creation path, rollback plan, read-only dry-run plan, Codex/Owner authorization packet | a separate authorization to mutate (Owner + Codex gate) | creating Owner/scope/APR/action; any write |
| P2 — authorized carrier/policy build | under separate authorization, build each carrier/policy block (replace-not-wrap, explicit scope edges) | all hard runtime prerequisites (§3) EXIST and PASS | bundling; mega-build; activation; bypassing replace-not-wrap |
| P3 — real register_dot admission | governed replacement handler admits inert draft under bound authority | a later independent gate decides if registration proceeds | admission while any §3 prerequisite is absent or failing |

No phase may be skipped. P3 never begins while any §3 item is REQUIRED_NOT_PRESENT or failing.

2. Design-after-decision vs exist-before-runtime (the exact R1 distinction)

| Item | may be DESIGNED after G2 decision? | must EXIST and PASS before real register_dot? | may exist after runtime registration? |
|---|---|---|---|
| replay surface (nonce/U1/U2) | yes (P1/P2) | YES | NO — forbidden wording |
| failure-audit sink/policy | yes (P1/P2) | YES | NO — forbidden wording |
| artifact-hash carrier | yes (P1/P2) | YES | NO |
| U3 current-head surface | yes (P1/P2) | YES | NO |
| status-domain enforcement | yes (P1/P2) | YES | NO |
| effect-bound approval | yes (P1/P2) | YES | NO |
| authority-binding carrier | yes (P1/P2) | YES | NO |

3. Hard runtime prerequisites for any real register_dot admission (all conjunctive)

  1. Owner-of-record active accountable head bound to DOT_REGISTRATION_AUTHORITY.
  2. register_dot action present (apr_action_types, not unimplemented).
  3. effect-bound approval (approval bound to exact effect_identity, not target row ref).
  4. authorization_binding_digest carrier (attempt-record, outside U1 — RS5A-07).
  5. artifact-hash carrier (canonical_artifact_hash, DOT_HASH_CARRIER).
  6. nonce / replay surface (U1/U2 single-use; idempotent prior-decision retrieval).
  7. U3 current-head uniqueness surface (UNIQUE(code) WHERE lifecycle_role='current_head').
  8. status-domain CHECK / enforcement (inert draft; reject out-of-vocab).
  9. failure-audit sink / policy (failure-only, separate txn; no success audit).
  10. postcondition verifier (Phase-4 semantics; verifies the inert write, no success audit).
  11. governed replacement handler (replace-not-wrap — [[rs5a-patch1-05]]).

Each absent ⇒ fail-closed reject (codes in RS5A-06 / corrected in [[rs5a-patch1-06]]).
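
The conjunctive, fail-closed check this section describes, as an added example (not the project's own code). The prerequisite key names, the `State` labels other than REQUIRED_NOT_PRESENT, and the function names are hypothetical; the reject codes defined in RS5A-06 are not reproduced here.

```python
from enum import Enum

class State(Enum):
    REQUIRED_NOT_PRESENT = "REQUIRED_NOT_PRESENT"  # term used on this page
    FAILING = "FAILING"                            # hypothetical label
    EXISTS_AND_PASSES = "EXISTS_AND_PASSES"        # hypothetical label

# The eleven prerequisites of section 3, in page order.
# Key names are illustrative assumptions, not project identifiers.
PREREQUISITES = (
    "owner_of_record_head",
    "register_dot_action",
    "effect_bound_approval",
    "authorization_binding_digest",
    "artifact_hash_carrier",
    "nonce_replay_surface",
    "u3_current_head_uniqueness",
    "status_domain_enforcement",
    "failure_audit_sink",
    "postcondition_verifier",
    "governed_replacement_handler",
)

def evaluate_admission(observed):
    """Return (admit, blockers) for one register_dot admission attempt.

    Conjunctive and fail-closed: a missing key, an unrecognised value
    or any non-passing state blocks admission. Keys outside the graph
    are ignored and can never contribute to admission.
    """
    blockers = []
    for name in PREREQUISITES:
        state = observed.get(name, State.REQUIRED_NOT_PRESENT)
        if not isinstance(state, State):
            state = State.FAILING  # untyped report is never trusted as a pass
        if state is not State.EXISTS_AND_PASSES:
            blockers.append((name, state.value))
    return (not blockers, blockers)

def deferred_replay_example():
    """Constructed input: replay surface never built, audit sink failing."""
    observed = {name: State.EXISTS_AND_PASSES for name in PREREQUISITES}
    del observed["nonce_replay_surface"]
    observed["failure_audit_sink"] = State.FAILING
    return evaluate_admission(observed)

if __name__ == "__main__":
    print(deferred_replay_example())
```
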

4. Carrier dependency edges are EXPLICIT (closes Codex §11 / R6)

"One ownership row per scope" proves independent rollback only if the shared carriers are explicit, not implicit. The following edges are named, not inherited:

| carrier | owned under scope | bound by | NOT supplied by |
|---|---|---|---|
| effect-bound approval | DOT_APPROVAL_QUORUM_AUTHORITY ([[rs5a-patch1-04]]) | authority envelope approval_evidence_ref | broad approval scope (forbidden) |
| nonce/replay | DOT_REPLAY_SURFACE | authorization_binding_digest | registration scope |
| artifact hash | DOT_HASH_CARRIER | artifact_hash_ref | registration scope |
| failure audit | DOT_AUDIT_SINK | audit_policy_ref | registration scope |

No carrier is implicitly coupled; per-scope rollback (rollback_ref) is therefore valid. No undefined broad-approval cluster is used as hidden coupling.

5. Status

PREREQUISITE_GRAPH_CORRECTED — replay/audit/hash/U3/status/authority are hard runtime prerequisites; only their design may follow the G2 decision; none may follow runtime registration. R1 + R6 CLOSED_FAIL_CLOSED.

knowledge/dev/laws-new/reports/rs5a-patch1/02-hard-prerequisite-graph-before-register-dot-2026-06-21.md