KB-3D68

RS5A-PATCH2-03 — GOV-COUNCIL Canonical Principal & Quorum Identity Contract — 2026-06-21

Revision 1


Macro: RS5A-PATCH2 · Residual R3-canonical-principal · Deliverable: 03 of 6.

Completes: RS5A-PATCH1-04 §3 identity-binding contract, which Codex (§6) found necessary-but-insufficient.

Scope guard: This is a design-only requirements contract for a future quorum surface. It creates no scope, no principal registry, no APR, no vote, no binding row. The DOT_APPROVAL_QUORUM_AUTHORITY scope remains REQUIRED_NOT_PRESENT and the canonical-principal surface is CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT. Fail-closed until created and proven.

1. Why PATCH1-04 §3 was insufficient (Codex §6)

PATCH1-04 §3 required each approver to resolve to a governance_registry head (or head-delegated identity) and bound ai_council votes to GOV-COUNCIL. Codex showed three gaps:

  1. Resolving an approver to some governance head does not prove the principal is authorized for the president quorum slot.
  2. Binding council votes to GOV-COUNCIL does not define distinct canonical voting principals — two aliases or two delegations of the same underlying principal could still satisfy a two-vote count.
  3. Delegation validity, scope, effective window, revocation, and canonical-principal uniqueness were not stated as quorum conditions.

The only live anti-spoof mechanism is UNIQUE(apr_id, approver) on apr_approvals, which blocks only the same literal approver string twice. It does not verify president authority, and does not prevent two distinct alias strings that map to one underlying principal from both counting. The live president test is approver ILIKE '%president%' (a fail-open text match). Therefore a canonical-principal layer is required.

2. Canonical principal/quorum identity fields (design requirements)

| field | definition | replaces / fixes |
| --- | --- | --- |
| canonical_principal_id | a stable, unique identifier for one underlying voting principal (one human/agent identity), independent of display name, approver free text, alias, or delegate string. Resolved only through an authoritative principal registry, never from apr_approvals.approver. | free-text approver; UNIQUE(apr_id,approver) literal-string-only guard |
| canonical_role_slot | the quorum slot a vote may fill: {president, council_member}. A vote fills a slot only if its canonical_principal_id is authoritatively bound to that slot. | approver ILIKE '%president%' substring match |
| canonical_voting_body | the accountable approval body a council_member vote resolves to: GOV-COUNCIL (the candidate head owning DOT_APPROVAL_QUORUM_AUTHORITY). A council_member vote must come from a canonical_principal_id that is a member-of-record of this body. | self-declared approver_type='ai_council' |
| principal_resolution_ref | the authoritative policy/registry reference by which approver → canonical_principal_id and canonical_principal_id → canonical_role_slot are resolved. | ILIKE '%president%' and any text heuristic |
| delegation_ref | when a vote is cast by a delegate, the reference to the delegation grant binding delegate → canonical_principal_id. | undocumented delegation |
| delegation_scope | the scope a delegation is valid within; MUST equal DOT_APPROVAL_QUORUM_AUTHORITY. A delegation scoped elsewhere cannot satisfy this quorum. | broad/implicit delegation |
| delegation_effective_window | [effective_from, effective_to]; the vote timestamp MUST fall strictly inside it. | open-ended / expired delegation |
| revocation_ref / revocation_status | the delegation and the principal binding MUST be unrevoked (revocation_status='active', no controlling revocation_ref) at vote time. | revoked-but-still-counted |

3. Quorum identity rules (all conjunctive; each maps to a reject code)

  1. President slot resolves through principal_resolution_ref (authoritative policy/ref), never approver text. If unresolvable ⇒ PRESIDENT_ROLE_UNRESOLVED.
  2. Council slot resolves to distinct canonical_principal_ids. A council_member vote that cannot resolve to a canonical principal ⇒ COUNCIL_PRINCIPAL_UNRESOLVED.
  3. One canonical_principal_id counts at most once per APR. A second vote from the same canonical principal ⇒ CANONICAL_PRINCIPAL_DOUBLE_COUNT.
  4. Aliases / delegations of the same principal cannot count twice. Two distinct approver strings or delegate strings that map to one canonical_principal_id ⇒ APPROVER_ALIAS_DOUBLE_COUNT.
  5. Delegation must be active, scoped to DOT_APPROVAL_QUORUM_AUTHORITY, unrevoked, and time-valid. Scope ≠ DOT_APPROVAL_QUORUM_AUTHORITY ⇒ DELEGATION_SCOPE_MISMATCH; vote outside delegation_effective_window ⇒ DELEGATION_EXPIRED; revoked ⇒ DELEGATION_REVOKED.
  6. Self-declared approver_type is not enough. A vote asserting approver_type='ai_council' without a canonical_voting_body membership binding ⇒ SELF_DECLARED_COUNCIL_IDENTITY_REJECTED.
  7. Free-text approver containing "president" is invalid as president authority ⇒ FREE_TEXT_PRESIDENT_REJECTED.
  8. GOV-COUNCIL (as candidate head of DOT_APPROVAL_QUORUM_AUTHORITY) owns approval authority only — never DOT_REGISTRATION_AUTHORITY, DOT_ARTIFACT_ADMISSION, or DOT_ACTIVATION_AUTHORITY. MUST_NOT_IMPLICIT_INHERIT holds (carried from PATCH1-04 §2).

Quorum is satisfied for a high-risk effect only when, after canonical resolution: president slot ≥ 1 distinct canonical principal and council_member slot ≥ 2 distinct canonical principals, none double-counted, all delegations valid, and the approval is bound to the exact effect_identity + artifact_hash_ref (carried from PATCH1-04 §3 — necessary-not-sufficient still holds: identity-valid quorum is necessary but not alone sufficient for admission).
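The identity rules above, sketched as an evaluator that resolves every vote through a registry and fails closed when the registry is absent; this is an added example, not code from the contract or from any live system, and it leaves the effect_identity + artifact_hash_ref binding out. The registry shape, the `ts`/`status`/`body` key names, the sample approver strings and principal ids, the order in which checks fire, and the reading that any reject fails the quorum are assumptions made for illustration.

```python
from datetime import datetime as dt
SCOPE, BODY = "DOT_APPROVAL_QUORUM_AUTHORITY", "GOV-COUNCIL"

def check_vote(vote, registry, seen):
    """Return (principal_id, slot, reject_code); reject_code is None if the vote counts."""
    bind = (registry or {}).get(vote["approver"])  # no registry: nothing resolves
    if bind is None:  # approver text / approver_type are never treated as authority
        free_text = "president" in vote["approver"].lower()
        return None, None, "FREE_TEXT_PRESIDENT_REJECTED" if free_text else "COUNCIL_PRINCIPAL_UNRESOLVED"
    if bind["slot"] == "council_member" and bind.get("body") != BODY:
        return None, None, "SELF_DECLARED_COUNCIL_IDENTITY_REJECTED"
    d = bind.get("delegation")
    if bind.get("status") != "active" or (d and d["status"] != "active"):
        return None, None, "DELEGATION_REVOKED"
    if d and d["scope"] != SCOPE:
        return None, None, "DELEGATION_SCOPE_MISMATCH"
    if d and not d["from"] < vote["ts"] < d["to"]:  # strictly inside the window
        return None, None, "DELEGATION_EXPIRED"
    pid = bind["principal"]
    if pid in seen:  # same principal again: literal repeat, or a different alias/delegate
        alias = seen[pid] != vote["approver"]
        return None, None, "APPROVER_ALIAS_DOUBLE_COUNT" if alias else "CANONICAL_PRINCIPAL_DOUBLE_COUNT"
    seen[pid] = vote["approver"]
    return pid, bind["slot"], None

def evaluate_quorum(votes, registry):
    """Return (satisfied, rejects). Any reject fails the quorum (assumed fail-closed reading)."""
    seen, slots, rejects = {}, {"president": set(), "council_member": set()}, []
    for v in votes:
        pid, slot, code = check_vote(v, registry, seen)
        if code:
            rejects.append((v["approver"], code))
        else:
            slots[slot].add(pid)
    if not slots["president"]:
        rejects.append(("<president slot>", "PRESIDENT_ROLE_UNRESOLVED"))
    return (not rejects and len(slots["council_member"]) >= 2), rejects

# Constructed sample registry; every approver string and principal id is hypothetical.
COUNCIL = {"slot": "council_member", "body": BODY, "status": "active"}
GRANT = {"status": "active", "scope": SCOPE, "from": dt(2026, 6, 1), "to": dt(2026, 7, 1)}
REGISTRY = {
    "p.head": {"principal": "principal-P", "slot": "president", "status": "active"},
    "c.alpha": {"principal": "principal-A", **COUNCIL},
    "c.beta": {"principal": "principal-B", **COUNCIL},
    "c.alpha-delegate": {"principal": "principal-A", **COUNCIL, "delegation": GRANT},
}
def vote(approver, ts=dt(2026, 6, 21)):
    return {"approver": approver, "approver_type": "ai_council", "ts": ts}
```

Passing `registry=None` models the present state: no vote resolves, so the result is always unsatisfied.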

4. Canonical reject-code register (this file is authoritative for these nine)

| reject code | fires when |
| --- | --- |
| PRESIDENT_ROLE_UNRESOLVED | president slot cannot be resolved through principal_resolution_ref |
| COUNCIL_PRINCIPAL_UNRESOLVED | a council vote cannot resolve to a canonical_principal_id |
| CANONICAL_PRINCIPAL_DOUBLE_COUNT | one canonical_principal_id counted more than once per APR |
| APPROVER_ALIAS_DOUBLE_COUNT | two aliases/delegations of one principal both counted |
| DELEGATION_SCOPE_MISMATCH | delegation_scope ≠ DOT_APPROVAL_QUORUM_AUTHORITY |
| DELEGATION_EXPIRED | vote timestamp outside delegation_effective_window |
| DELEGATION_REVOKED | delegation/principal binding revoked at vote time |
| SELF_DECLARED_COUNCIL_IDENTITY_REJECTED | approver_type self-declared without canonical_voting_body membership |
| FREE_TEXT_PRESIDENT_REJECTED | president authority claimed via free-text approver containing "president" |

These supersede the coarse live QUORUM_APPROVER_IDENTITY_UNVERIFIED for the cases above; RS5A-09 cases A11, A12, F07, F08 now map to the specific code (see [[rs5a-patch2-04]] note). QUORUM_EFFECT_BINDING_MISSING (effect/artifact binding) remains separate and unchanged.

5. Present-state and fail-closed posture

| surface | live state | consequence |
| --- | --- | --- |
| DOT_APPROVAL_QUORUM_AUTHORITY scope | REQUIRED_NOT_PRESENT (not in governance_responsibility_scope) | scope not created; fail-closed |
| GOV-COUNCIL accountable ownership row | governance_object_ownership = 0 | no bound head; fail-closed |
| canonical principal registry / role-slot binding / membership-of-record | CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT | president/council cannot be authoritatively resolved today |
| president authority mechanism (live) | approver ILIKE '%president%' text match | fail-open; rejected as authority |
| alias/delegation anti-double-count (live) | only UNIQUE(apr_id, approver) literal-string | insufficient; canonical layer required |

Because the canonical-principal surface is not present, every quorum-identity decision fails closed today. No principal ID is invented; no scope, registry, or binding row is created.

6. LEGO / non-mega check

DOT_APPROVAL_QUORUM_AUTHORITY still owns exactly one decision class — who may approve and what quorum means — and nothing else. Adding a canonical-principal identity contract does not widen its ownership; it only makes the existing approval decision machine-checkable. It increases separation of duties (it cannot confer registration/admission/activation). No mega-registry, mega-graph, or mega-birth pipeline is introduced.

7. Status

R3-canonical-principal residual CLOSED (design-only, fail-closed). President text-match removed; canonical principal IDs required; alias/delegation double-count forbidden; self-declared council identity rejected; free-text president rejected. …GOV_COUNCIL_EDGE_INSUFFICIENT HOLD condition does not apply. The scope and its surface remain REQUIRED_NOT_PRESENT and are not created by this patch.
