RS5A-PATCH1 — Codex Review Packet (Prerequisite/Sequencing Correction) — 2026-06-21

Review scope: RS5A-PATCH1 only. This is the scoped correction Codex required in NEED_RS5A_PATCH1 §13 — repair of the G2 prerequisite & sequencing contract. It does not overwrite RS5A and does not reopen accepted RS4A/PATCH1/PATCH2 identity semantics or the RS5A points Codex accepted (§12).

1. What PATCH1 corrected (against Codex §13 R1–R5 + §11)

residual	correction	file	status
R1 replay/audit "after registration"	hard runtime prerequisites; design-after-decision only; never after runtime registration	[[rs5a-patch1-02]]	CLOSED_FAIL_CLOSED
R2 "Owner executes on accept"	next step = RS5B execution-design + separate authorization; bootstrap unresolved acknowledged	[[rs5a-patch1-03]]	CLOSED
R3 GOV-COUNCIL edge	explicit 10th scope DOT_APPROVAL_QUORUM_AUTHORITY + identity-binding; no broad inheritance	[[rs5a-patch1-04]]	CLOSED
R4 handler ambiguity	DOT_REGISTER_GOVERNED_REPLACEMENT; replace-not-wrap	[[rs5a-patch1-05]]	CLOSED
R5 test oracles	D07/H03/H07/I03/G02/G08 corrected; replay vs idempotency split	[[rs5a-patch1-06]]	CLOSED
R6 (§11) implicit coupling	carrier dependency edges made explicit	[[rs5a-patch1-02]] §4	CLOSED

2. Verdict requested

RS5A_PATCH1_READY_FOR_CODEX_REVIEW — with REGISTRATION_HOLD retained, G2–G7 + bootstrap unresolved carried, and the controlling state fail-closed.

3. Points Codex should adversarially test

1. Does the four-phase graph ([[rs5a-patch1-02]]) truly forbid any reading where replay/audit exist after runtime registration?
2. Is the bootstrap correction non-circular — i.e. does it avoid implying acceptance authorizes execution? ([[rs5a-patch1-03]])
3. Is the 10th scope genuinely narrow (approval authority only) and not a re-introduction of broad approval or a mega-scope? ([[rs5a-patch1-04]])
4. Is the replacement-handler identity unambiguously distinct from the rejected dot-dot-register path? ([[rs5a-patch1-05]])
5. Are the corrected oracle codes discriminating, and is G02/G08 idempotency-vs-rejection correct? ([[rs5a-patch1-06]])
6. Did PATCH1 stay scoped — no overwrite of RS5A, no reopening of accepted identity semantics?

4. Safety attestation

0 runtime mutation · 0 DDL/DML · 0 Owner/scope/APR/register_dot/handler created · 0 approvals · 0 gate flips · 0 registrar/validator patches · no RS-VALIDATOR · no implementation · no registration · no activation · no broad-approval silent use · no wrap/relabel of unsafe registrar · RS5A not overwritten · RS4A/PATCH2 identity semantics not reopened. REGISTRATION_HOLD intact.

5. On accept

ACCEPT_RS5A_PATCH1 → proceed only to RS5B — G2 Owner-of-record execution-design / authorization-design (non-mutating; must solve bootstrap authority; must itself be authorized before any Owner/scope/APR/action write). Each carrier/policy block then separately authorized and built (replace-not-wrap, explicit edges); reconciled validator + negative suites run against the target runtime with real evidence; a later independent gate decides if registration proceeds. Residual ⇒ RS5A-PATCH2.