KB-6179

RS5A-PATCH4-02 — Quorum Evaluation Unit & Total Code Order — 2026-06-21

Revision 1

Macro: RS5A-PATCH4 · Residuals R1+R2+R3 (P1/P3 ambiguity + evaluation unit) · Deliverable: 02 of 5.

Class: scoped semantic-closure correction. Additive.

Supersedes (narrow): PATCH3-03 §2 sentence "Within a band, the listed predicates are mutually exclusive (no input matches two predicates in the same band)" → replaced by the total-order rule in §3 below. All other PATCH3-03 content (the P0→P5 bands, the P2/P4 internal orders, the delegation interval, the ten-code register) stands and is preserved by this total order.

Scope guard: design-only requirements contract for a future quorum surface. Creates no scope, no principal registry, no APR, no vote, no binding row. DOT_APPROVAL_QUORUM_AUTHORITY remains REQUIRED_NOT_PRESENT; CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT carried. Fail-closed until created and proven.

Gate carried: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 mutations.

1. The defect (Codex §5, blocking)

PATCH3-03 stated band order P0→P5 and asserted that within each band the predicates are mutually exclusive — but it did not prove exclusivity for P1 or P3, and provided no within-band discriminator:

  • P1: one input can be a free-text "president" claim (approver='president-bot') and a self-declared ai_council (approver_type='ai_council' without canonical_voting_body membership). It matches both FREE_TEXT_PRESIDENT_REJECTED and SELF_DECLARED_COUNCIL_IDENTITY_REJECTED. P0 satisfied does not solve this — it only masks it while the surface is absent.
  • P3: a single vote claiming both an unresolved president slot and an unresolved council slot matches both PRESIDENT_ROLE_UNRESOLVED and COUNCIL_PRINCIPAL_UNRESOLVED.

Without a within-band order or a total order, a future implementer must invent the tie-break — exactly what Codex §11 forbids.

2. Evaluation unit (Codex §5 correction 3)

A reject code is meaningless without the unit it is computed over. PATCH4 defines three nested units.

2.1 Vote claim — the primary evaluation unit

The primary evaluation unit is a single vote claim within one APR. A vote claim is the tuple:

vote_claim {
  vote_id, apr_id,
  raw_approver            : string          # the literal approver surface string
  raw_approver_type       : string          # e.g. 'human' | 'ai_council'
  claimed_role_slots      : set<role>       # roles ASSERTED by the raw input (e.g. {president}, {council_member})
  claimed_voting_body     : string | null   # body ASSERTED by the raw input
  delegation_ref          : ref | null      # delegation invoked by this vote, if any
  canonical_principal_id  : id | null       # RESOLVED principal, if resolvable from the surface of record
  canonical_role_slots    : set<role>       # RESOLVED roles the principal actually holds, if resolvable
  canonical_voting_body   : string | null   # RESOLVED body membership of record, if resolvable
  vote_timestamp          : ts
}

  • claimed fields = what the raw input asserts (used by spoof predicates and resolution predicates).
  • canonical fields = what the surface of record resolves (used by counting and double-count predicates).
  • Per-vote predicates compare claimed against canonical for one vote claim.

2.2 APR — the aggregation unit

The APR-level evaluation unit is the whole APR over the set of its VALID vote claims (vote claims that emitted no per-vote code). APR-level predicates (duplicate, count) aggregate the canonical_principal_id / canonical_role_slots of the valid claims.

2.3 Context — the structural precondition unit

Q00 CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT is evaluated over the whole evaluation context (does the canonical-principal surface exist at all?), before any per-vote work. It is the present-state fail-closed gate today.

2.4 Per-vote vs APR-level code partition

code                                                   evaluation unit         nature
Q00  CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT  context (whole)         structural precondition
Q10  FREE_TEXT_PRESIDENT_REJECTED                      per vote claim          spoof (claimed ≠ proven)
Q11  SELF_DECLARED_COUNCIL_IDENTITY_REJECTED           per vote claim          spoof
Q20  DELEGATION_REVOKED                                per vote claim          delegation invalid
Q21  DELEGATION_SCOPE_MISMATCH                         per vote claim          delegation invalid
Q22  DELEGATION_NOT_YET_EFFECTIVE                      per vote claim          delegation invalid (lower bound)
Q23  DELEGATION_EXPIRED                                per vote claim          delegation invalid (upper bound)
Q30  PRESIDENT_ROLE_UNRESOLVED                         per vote claim          resolution failure
Q31  COUNCIL_PRINCIPAL_UNRESOLVED                      per vote claim          resolution failure
Q40  APPROVER_ALIAS_DOUBLE_COUNT                       APR over valid claims   duplicate (distinct surfaces → 1 principal)
Q41  CANONICAL_PRINCIPAL_DOUBLE_COUNT                  APR over valid claims   duplicate (identical canonical ref)
Q50  QUORUM_NOT_SATISFIED                              APR over valid claims   terminal count

3. Total code-level order (Codex §5 correction 1 — the authoritative oracle precedence)

PATCH4 defines a single total order over all quorum identity codes. This is the authoritative oracle precedence and overrides the descriptive P-band labels of PATCH3-03 (the bands remain as readable groupings; the Q-order is the contract).

Q00  CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT   (was band P0)
Q10  FREE_TEXT_PRESIDENT_REJECTED                        (was band P1)
Q11  SELF_DECLARED_COUNCIL_IDENTITY_REJECTED             (was band P1)
Q20  DELEGATION_REVOKED                                  (was band P2)
Q21  DELEGATION_SCOPE_MISMATCH                           (was band P2)
Q22  DELEGATION_NOT_YET_EFFECTIVE                        (was band P2)
Q23  DELEGATION_EXPIRED                                  (was band P2)
Q30  PRESIDENT_ROLE_UNRESOLVED                           (was band P3)
Q31  COUNCIL_PRINCIPAL_UNRESOLVED                        (was band P3)
Q40  APPROVER_ALIAS_DOUBLE_COUNT                         (was band P4)
Q41  CANONICAL_PRINCIPAL_DOUBLE_COUNT                    (was band P4)
Q50  QUORUM_NOT_SATISFIED                                (was band P5)

Q00 < Q10 < Q11 < Q20 < Q21 < Q22 < Q23 < Q30 < Q31 < Q40 < Q41 < Q50.

3.1 Selection rule — predicates may overlap; the total order picks exactly one

Predicates MAY overlap. The oracle does NOT rely on within-band mutual exclusivity. The total Q-order selects exactly one canonical code: the lowest matching Q-code at the relevant evaluation unit.

This is strictly stronger than PATCH3-03's exclusivity assertion and removes the need to prove exclusivity. The two within-band orderings Codex demanded are now explicit and total:

  • P1: Q10 FREE_TEXT_PRESIDENT_REJECTED < Q11 SELF_DECLARED_COUNCIL_IDENTITY_REJECTED. Rationale: a president claim is the highest-privilege singular slot; when one input simultaneously spoofs a president role and a council type, the president spoof is the more security-diagnostic fault and is reported first.
  • P3: Q30 PRESIDENT_ROLE_UNRESOLVED < Q31 COUNCIL_PRINCIPAL_UNRESOLVED. Same rationale, applied to resolution failure: president-slot resolution failure precedes council-principal resolution failure.

The accepted orderings are preserved by Q-order: inter-band P0→P5 (Q00 < Q10… < Q50); P2 internal revoked → scope → not-yet-effective ∥ expired (Q20<Q21<Q22, Q23); P4 internal alias → canonical (Q40<Q41). Q22 and Q23 partition disjoint timestamp regions (before effective_from vs at/after effective_to), so a single vote can match at most one of them; their relative Q-order is defined for completeness but is never exercised by one vote.

3.2 The deterministic oracle function

function quorum_reject(apr):
  # Stage 0 — structural precondition (context unit)
  if canonical_principal_surface_absent(apr.context):
      return Q00                                  # fires today; fail-closed

  # Stage 1 — per-vote evaluation unit (single vote claim)
  per_vote_codes = []
  for vc in apr.vote_claims:
      matched = matching_per_vote_predicates(vc)   # subset of {Q10,Q11,Q20,Q21,Q22,Q23,Q30,Q31}
      if matched not empty:
          vc.code = min_by_Q(matched)              # lowest matching Q-code wins for this vote
          per_vote_codes.append(vc.code)
      else:
          vc.code = VALID
  if per_vote_codes not empty:
      return min_by_Q(per_vote_codes)              # single APR canonical = lowest emitted per-vote code

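  # Stage 2 — APR-level evaluation unit (whole APR over VALID claims)
  valid_claims = [vc for vc in apr.vote_claims if vc.code == VALID]   # every claim, since Stage 1 emitted no code
  matched_apr = matching_apr_predicates(valid_claims)   # subset of {Q40,Q41,Q50}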
  if matched_apr not empty:
      return min_by_Q(matched_apr)
  return IDENTITY_PASS    # necessary-not-sufficient: effect/artifact binding is orthogonal (carried)

Totality: every APR maps to exactly one element of {Q00, Q10, Q11, Q20, Q21, Q22, Q23, Q30, Q31, Q40, Q41, Q50, IDENTITY_PASS}. No input is unmapped; no input maps to two codes. A multi-fault single vote → lowest Q among its matched predicates. A multi-faulty-vote APR → each vote carries its own per-vote code (primary unit), and the single APR canonical outcome is the lowest Q among the emitted per-vote codes. Per-vote invalidity is always evaluated before APR-level duplicate/count, so spoof/delegation/resolution faults never get masked by, or mixed with, the APR-level count.
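The three-stage selection of §3.2 and the lowest-Q rule of §3.1, as an added Python example (not part of the original page or the project's own code). The tests inside per_vote_matches and apr_matches, the quorum threshold, and all Python names are assumed stand-ins, since the page names the codes without defining their exact predicates; the delegation codes Q20–Q23 are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Section 3 total order: list position is precedence, lowest first.
Q_ORDER = "Q00 Q10 Q11 Q20 Q21 Q22 Q23 Q30 Q31 Q40 Q41 Q50".split()

def min_by_q(codes):
    return min(codes, key=Q_ORDER.index)

@dataclass
class VoteClaim:  # subset of the section 2.1 tuple; delegation fields omitted
    raw_approver: str
    raw_approver_type: str = "human"
    claimed_role_slots: frozenset = frozenset()
    canonical_principal_id: Optional[str] = None
    canonical_role_slots: frozenset = frozenset()
    canonical_voting_body: Optional[str] = None

def per_vote_matches(v):  # ASSUMED stand-in tests; the page only names the codes
    unresolved = v.canonical_principal_id is None
    proven = v.canonical_role_slots
    tests = {
        "Q10": "president" in v.raw_approver.lower() and "president" not in proven,
        "Q11": v.raw_approver_type == "ai_council" and v.canonical_voting_body is None,
        "Q30": "president" in v.claimed_role_slots and unresolved,
        "Q31": "council_member" in v.claimed_role_slots and unresolved,
    }
    return [q for q, hit in tests.items() if hit]

def apr_matches(valid, quorum):  # Stage 2; tests and threshold are ASSUMED
    resolved = [v for v in valid if v.canonical_principal_id is not None]
    pairs = {(v.raw_approver, v.canonical_principal_id) for v in resolved}
    principals = {p for _, p in pairs}
    tests = {
        "Q40": len(principals) < len(pairs),  # distinct surfaces, one principal
        "Q41": len(pairs) < len(resolved),    # identical canonical ref repeated
        "Q50": len(principals) < quorum,      # terminal count
    }
    return [q for q, hit in tests.items() if hit]

def quorum_reject(claims, surface_present=True, quorum=2):
    if not surface_present:            # Stage 0: context precondition
        return "Q00", []
    hits = [per_vote_matches(v) for v in claims]   # Stage 1: overlaps allowed
    per_vote = [min_by_q(h) if h else "VALID" for h in hits]
    emitted = [c for c in per_vote if c != "VALID"]
    if emitted:                        # APR canonical = lowest emitted code
        return min_by_q(emitted), per_vote
    hit = apr_matches(claims, quorum)  # Stage 2: every claim is VALID here
    return (min_by_q(hit) if hit else "IDENTITY_PASS"), per_vote
```

Under these stand-ins, a claim with raw_approver 'president-bot' and raw_approver_type 'ai_council' matches Q10, Q11 and Q30 at once and is reported as Q10. Two distinct approver strings resolving to one principal match both Q40 and Q50 and are reported as Q40.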

3.3 Why this is not merely masked by P0/Q00

Codex §5 warned that P0 only masks P1/P3 ambiguity while the surface is absent. The Q-order is defined for the future surface-present state: when Q00 does not fire (surface present), Stage 1 still resolves every multi-fault vote to one code via the lowest-Q rule. The contract is total independent of P0. The fixtures in [[rs5a-patch4-03]] are written assuming the surface is present, precisely so they exercise P1/P3 — not P0.

4. Effect/artifact binding remains orthogonal (carried)

QUORUM_EFFECT_BINDING_MISSING / live QUORUM_EFFECT_BINDING_INSUFFICIENT is not an identity code and is not in the Q-order. Identity-valid quorum (IDENTITY_PASS) is necessary-not-sufficient for admission; effect-binding is evaluated separately (carried unchanged from PATCH1-04 / RS5A).

5. Identity-case mapping is preserved

A11, A12, F07, F08 keep the canonical outcomes accepted in PATCH2-04 / PATCH3-03; the Q-order makes them total rather than declared:

  • A11 (approver='president-bot') → Q10 FREE_TEXT_PRESIDENT_REJECTED (Q10 < Q30) ✔ — single vote claim.
  • A12 (self-declared ai_council) → Q11 SELF_DECLARED_COUNCIL_IDENTITY_REJECTED (Q11 < Q31) ✔ — single vote claim.
  • F07 (approver='vice-president') → Q10 FREE_TEXT_PRESIDENT_REJECTED ✔ — single vote claim.
  • F08 (two aliases of one principal) → Q40 APPROVER_ALIAS_DOUBLE_COUNT (Q40 < Q41) ✔ — APR-level, both votes individually valid.

No scenario is added or renumbered. Count stays 84 parent IDs / 86 executable scenarios (see [[rs5a-patch4-04]]).

6. LEGO / non-mega check

A total code order and a stated evaluation unit do not widen DOT_APPROVAL_QUORUM_AUTHORITY. It still owns exactly one decision class — who may approve and what quorum means — and confers no registration/admission/activation authority (MUST_NOT_IMPLICIT_INHERIT carried). No code is added; no mega-registry / mega-graph / mega-birth pipeline is introduced.

7. Status

R1 (P1) + R2 (P3) + R3 (evaluation unit) residuals CLOSED (design-only, fail-closed). A single total order Q00<…<Q50 over all twelve identity codes, with the rule "predicates may overlap; the lowest matching Q-code at the evaluation unit wins", makes the quorum reject oracle a total deterministic function. The primary unit is the single vote claim (comparing claimed vs resolved slots), the APR unit aggregates valid claims, and Q00 is a context precondition. The two Codex-flagged within-band orderings (Q10<Q11, Q30<Q31) are explicit. …QUORUM_PRECEDENCE_INSUFFICIENT HOLD condition does not apply.

knowledge/dev/laws-new/reports/rs5a-patch4/02-quorum-evaluation-unit-and-total-code-order-2026-06-21.md