KB-251C

RS5A-PATCH3-05 — Decision Packet — 2026-06-21

Revision 1

Macro: RS5A-PATCH3 · Deliverable: 05 of 6 · consolidated.
Verdict: RS5A_PATCH3_READY_FOR_CODEX_REVIEW (not forced)
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 mutations

1. One-screen summary

| Dimension | Result |
|---|---|
| Verdict | RS5A_PATCH3_READY_FOR_CODEX_REVIEW |
| Scope | deterministic lifecycle / oracle predicates only (3 corrections); does NOT overwrite RS5A / PATCH1 / PATCH2; does NOT reopen accepted owner, bootstrap, handler, identity, U3, or hard-prerequisite semantics |
| Residual 1 — lifecycle availability vs persistence | CLOSED — PATCH2-02 §4's single "may act/exist after registration?" column split into three orthogonal axes (first-availability gate / post-admission persistence / business-transition timing); replay & audit are hard pre-runtime and persist/operate after admission; activation is the only post-registration business transition ([[rs5a-patch3-02]]) |
| Residual 2 — quorum precedence & delegation interval | CLOSED — deterministic P0→P5 reject-code ladder with mutually-exclusive predicates; half-open delegation window [effective_from, effective_to) with boundary outcomes; new DELEGATION_NOT_YET_EFFECTIVE; revocation overrides interval; design-only, fail-closed ([[rs5a-patch3-03]]) |
| Residual 3 — replay/idempotency mutual exclusion & G08 | CLOSED — G02a/G02b/G02c partition "same nonce" via effect→envelope decision tree (G02a now requires same authorization envelope); G08 distinguished by client-observation fixture; count stays 84 parent / 86 executable ([[rs5a-patch3-04]]) |
| Registration gate | REGISTRATION_HOLD retained |
| Single next step | Codex reviews RS5A-PATCH3 → on accept, proceed to RS5B (G2 Owner-of-record execution-design / authorization-design), non-mutating |

2. Residual 1 — lifecycle availability / persistence / business transition (R1-lifecycle)

PATCH2-02 §4 marked "may act/exist AFTER runtime registration? = no" for all nine pre-runtime scopes, conflating first-introduced-after (forbidden for replay/audit) with persists/operates-after (required for every prerequisite). PATCH3-02 replaces that single column with three orthogonal axes: A first-availability (before admission — unchanged, gate not weakened), B post-admission persistence/operation (yes for every prerequisite — replay answers idempotent retry/prior-decision retrieval, audit retains failure records, hash/U3/status/authority/approval remain available for verification & lifecycle integrity), C business-transition timing (only DOT_ACTIVATION_AUTHORITY, draft → active, after inert registration, never inherited). Canonical wording: pre-runtime prerequisite surfaces must exist before admission and remain available after admission as their contracts require; activation is the only post-registration business transition; replay/audit may never be first introduced after registration.

3. Residual 2 — quorum reject precedence & delegation interval (R2-precedence)

PATCH3-03 defines a deterministic precedence ladder so one input maps to one code: P0 structural (CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT, fires today) → P1 explicit spoof (FREE_TEXT_PRESIDENT_REJECTED, SELF_DECLARED_COUNCIL_IDENTITY_REJECTED) → P2 delegation invalid (DELEGATION_REVOKED, DELEGATION_SCOPE_MISMATCH, DELEGATION_NOT_YET_EFFECTIVE, DELEGATION_EXPIRED) → P3 resolution (PRESIDENT_ROLE_UNRESOLVED, COUNCIL_PRINCIPAL_UNRESOLVED) → P4 double-count (APPROVER_ALIAS_DOUBLE_COUNT, CANONICAL_PRINCIPAL_DOUBLE_COUNT) → P5 count (QUORUM_NOT_SATISFIED). Spoof beats generic-unresolved; distinct-alias double-count beats exact-identity double-count. Delegation window is the single half-open interval [effective_from, effective_to): lower bound inclusive (valid), upper bound exclusive (DELEGATION_EXPIRED), before-window → new DELEGATION_NOT_YET_EFFECTIVE, revocation overrides interval. The new code is declared in PATCH3 only; no PATCH2 file is edited; surface remains REQUIRED_NOT_PRESENT; fail-closed.
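One way to realize the P0 to P5 ladder and the half-open window as a single evaluator, added here as an illustration (not code from PATCH3-03). The record shapes, the `delegation_code` and `evaluate` names, the order of codes inside a rung (taken from the listing order above) and the reading of the two double-count codes are assumptions.

```python
from collections import namedtuple

Delegation = namedtuple(  # hypothetical record shapes, not the project's schema
    "Delegation", "effective_from effective_to scope revoked", defaults=(False,))
Approver = namedtuple(
    "Approver", "alias role principal free_text delegation", defaults=(None, False, None))

LADDER = (  # page order; earlier entries win
    "CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT",                         # P0
    "FREE_TEXT_PRESIDENT_REJECTED", "SELF_DECLARED_COUNCIL_IDENTITY_REJECTED",  # P1
    "DELEGATION_REVOKED", "DELEGATION_SCOPE_MISMATCH",                          # P2
    "DELEGATION_NOT_YET_EFFECTIVE", "DELEGATION_EXPIRED",                       # P2
    "PRESIDENT_ROLE_UNRESOLVED", "COUNCIL_PRINCIPAL_UNRESOLVED",                # P3
    "APPROVER_ALIAS_DOUBLE_COUNT", "CANONICAL_PRINCIPAL_DOUBLE_COUNT",          # P4
    "QUORUM_NOT_SATISFIED",                                                     # P5
)
SPOOF = {"president": LADDER[1], "council": LADDER[2]}
UNRESOLVED = {"president": LADDER[7], "council": LADDER[8]}

def delegation_code(d, now, scope):
    if d.revoked:                       # revocation overrides the interval
        return "DELEGATION_REVOKED"
    if d.scope != scope:
        return "DELEGATION_SCOPE_MISMATCH"
    if now < d.effective_from:          # lower bound itself is inclusive (valid)
        return "DELEGATION_NOT_YET_EFFECTIVE"
    return "DELEGATION_EXPIRED" if now >= d.effective_to else None  # upper exclusive

def evaluate(approvers, now, scope, quorum, surface_present=False):
    """Collect every predicate that fires; return the highest-precedence code."""
    fired = set() if surface_present else {LADDER[0]}   # P0: fail closed
    aliases = {}                                        # principal -> aliases seen
    for a in approvers:
        if a.free_text:
            fired.add(SPOOF[a.role])
        if a.delegation:
            fired.add(delegation_code(a.delegation, now, scope))  # None is ignored
        if a.principal is None:
            fired.add(UNRESOLVED[a.role])
        else:
            aliases.setdefault(a.principal, []).append(a.alias)
    for names in aliases.values():
        if len(set(names)) > 1:         # distinct aliases resolve to one principal
            fired.add("APPROVER_ALIAS_DOUBLE_COUNT")
        elif len(names) > 1:            # the same identity counted twice
            fired.add("CANONICAL_PRINCIPAL_DOUBLE_COUNT")
    if len(aliases) < quorum:
        fired.add("QUORUM_NOT_SATISFIED")
    return next((c for c in LADDER if c in fired), None)
```

Because every predicate is evaluated and the winner is picked by ladder position, the result does not depend on the order in which approvers are supplied.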

4. Residual 3 — replay/idempotency mutual exclusion (R3-replay-exclusivity)

PATCH3-04 sharpens G02a to require same nonce + same effect + same canonical authorization envelope/digest + prior durable decision, and partitions the "same nonce" space with a two-discriminator decision tree: different effect_identity → G02b NONCE_REUSE_DIFFERENT_EFFECT; same effect + different envelope → G02c NONCE_REUSE_AUTHORIZATION_MISMATCH; same effect + same envelope → G02a IDEMPOTENT_PRIOR_DECISION_RETRIEVAL. Different-effect and different-envelope are both checked before idempotent retrieval, so the authorization-substitution case lands on G02c, never G02a. G08 is kept as a distinct executable scenario, differing from G02a only by client-observation fixture (known-response retry vs unknown-response/lost-response recovery), same canonical outcome. Count remains 84 parent IDs / 86 executable scenarios (84 − 1 + 3 = 86); suite DEFINED_NOT_EXECUTED.
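The two-discriminator tree above as a runnable classifier, added here as an illustration (not code from PATCH3-04). The `ReplayLedger` class, the canonical-JSON digest and the `NEW` label for an unseen nonce are assumptions.

```python
import hashlib
import json

def envelope_digest(envelope):
    """SHA-256 over canonical JSON (sorted keys, no whitespace); encoding is assumed."""
    blob = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

class ReplayLedger:
    """Hypothetical in-memory stand-in for the durable prior-decision store."""

    def __init__(self):
        self._by_nonce = {}

    def record(self, nonce, effect_identity, envelope, decision):
        # First write wins: a later request can never rewrite what a nonce is bound to.
        self._by_nonce.setdefault(
            nonce, (effect_identity, envelope_digest(envelope), decision))

    def classify(self, nonce, effect_identity, envelope):
        """Return (scenario, code, prior_decision) for a request carrying `nonce`."""
        prior = self._by_nonce.get(nonce)
        if prior is None:
            return ("NEW", None, None)      # assumed label, not a code from the page
        prior_effect, prior_digest, prior_decision = prior
        if effect_identity != prior_effect:             # discriminator 1: effect
            return ("G02b", "NONCE_REUSE_DIFFERENT_EFFECT", None)
        if envelope_digest(envelope) != prior_digest:   # discriminator 2: envelope
            return ("G02c", "NONCE_REUSE_AUTHORIZATION_MISMATCH", None)
        # Both discriminators passed, so returning the stored decision is safe.
        # G08 (lost-response recovery) reaches this same branch; only the
        # client-observation fixture differs.
        return ("G02a", "IDEMPOTENT_PRIOR_DECISION_RETRIEVAL", prior_decision)
```

Checking the envelope before retrieval is what keeps an authorization-substitution request from being answered with the earlier decision.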

5. Blockers & must-not-do

Carried unchanged: G2–G7 + STATUS_DOMAIN_NOT_DB_ENFORCED + U3_PARTIAL_UNIQUE_SURFACE_ABSENT + OWNER_MINT_PATH_FAIL_CLOSED + QUORUM_EFFECT_BINDING_INSUFFICIENT + QUORUM_APPROVER_IDENTITY_UNVERIFIED + BOOTSTRAP_AUTHORITY_UNRESOLVED + CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT. The only new artifact is the reject code DELEGATION_NOT_YET_EFFECTIVE (an oracle/interval sharpening, not a blocker). All must-not-do held; REGISTRATION_HOLD not cleared; no Owner / scope / principal-registry / APR / register_dot / approval / handler / activation created; no DDL/DML; no validator/registrar patch; no RS-VALIDATOR opened.

6. Single next step

Codex reviews RS5A-PATCH3 (this package only). On ACCEPT_RS5A_PATCH3 → proceed to RS5B (G2 Owner-of-record execution-design / authorization-design), non-mutating, which must solve bootstrap authority and itself be authorized before any write; the canonical-principal surface and DOT_APPROVAL_QUORUM_AUTHORITY scope must exist and pass before any real register_dot. Further residual ⇒ RS5A-PATCH4.