KB-3D3B
RS5A-07 — Authority Envelope v1 for authorization_binding_digest — 2026-06-21
Revision 1
Macro: RS5A · Objective F · Deliverable: 07 of 15 · design-only.
Binds to (not reopened): PATCH2-02 — effect_identity is business-only; authorization_binding_digest is a separate digest bound to the attempt record, REQUIRED-for-admission, NOT part of U1/effect_identity. RS5A-07 fills in what is inside that authorization digest.
1. Hard partition (the safety line)
Identity (U1) carries business effect only. Authority lives in a separate envelope. Authority MUST NOT re-enter U1.
| partition | fields | enters effect_identity / U1? |
|---|---|---|
| A — identity (reference only) | bound_effect_identity (= PATCH2 effect_identity) | it is U1; referenced, not recomputed |
| B — authorization | owner_scope, owner_head_ref, authority_policy_ref, nonce_issuer, authorization_window | NO |
| C — evidence refs | approval_evidence_ref, quorum_evidence_ref, artifact_hash_ref | NO |
| D — policy refs | u3_head_policy_ref, status_policy_ref, audit_policy_ref | NO |
| E — non-identity audit | attempt_id, nonce, decided_at, decided_by_head | NO (and never keying) |
2. Envelope v1 field table
| field | partition | source of truth | fail-closed code if unresolved |
|---|---|---|---|
| bound_effect_identity | A | PATCH2 effect_identity | — (input) |
| owner_scope | B | governance_responsibility_scope(scope_code) = DOT_REGISTRATION_AUTHORITY | OWNER_SCOPE_MISMATCH |
| owner_head_ref | B | active accountable governance_object_ownership → governance_registry(code) | OWNER_OF_RECORD_ABSENT / ACCOUNTABLE_HEAD_UNRESOLVED |
| authority_policy_ref | B | source_law/source_design ref of the ownership row | AUTHORITY_BINDING_UNRESOLVED |
| nonce_issuer | B | head/delegated identity that issued the nonce | NONCE_ISSUER_NOT_AUTHORITY |
| authorization_window | B | [effective_from, effective_to) of the (delegated) authority | AUTHORIZATION_WINDOW_EXPIRED |
| approval_evidence_ref | C | applied APR code bound to this bound_effect_identity | APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY |
| quorum_evidence_ref | C | quorum proof for that APR (risk=high) | QUORUM_NOT_SATISFIED |
| artifact_hash_ref | C | canonical_artifact_hash carrier (DOT_HASH_CARRIER) | ARTIFACT_HASH_CARRIER_UNPROVEN |
| u3_head_policy_ref | D | PATCH2 U3 policy id | U3_HEAD_POLICY_UNDECLARED |
| status_policy_ref | D | inert-state draft policy (PATCH1) | STATUS_POLICY_UNDECLARED |
| audit_policy_ref | D | failure-only sink policy (PATCH2-04) | FAILURE_AUDIT_POLICY_UNDECLARED |
| attempt_id, nonce, decided_at, decided_by_head | E | attempt record | (non-keying, audit only) |
3. The digest
```text
authorization_binding_digest = H(
    bound_effect_identity,            -- ties authority to THIS effect (anti-substitution)
    owner_scope, owner_head_ref, authority_policy_ref,
    nonce_issuer, authorization_window,
    approval_evidence_ref, quorum_evidence_ref, artifact_hash_ref,
    u3_head_policy_ref, status_policy_ref, audit_policy_ref )
```

- Computed at admission, stored on the attempt record, not on the registration identity.
- Because it includes bound_effect_identity, an approval for effect X cannot be replayed to admit effect Y (APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY).
- Because authority fields are outside U1, changing the authority does not change the effect ⇒ PATCH2 rule AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE is preserved: re-authorising the same business effect is a duplicate, not a new registration.
4. Anti-patterns this envelope forbids
| anti-pattern | why forbidden | guard |
|---|---|---|
| put owner_scope/authority_policy_ref into effect_identity | would make authority changes mint new effects (identity instability) | partition A vs B (§1) |
| bind approval to request_proposed hash | caller-proposed bytes ≠ producer-attested artifact | APPROVAL_BOUND_TO_REQUEST_PROPOSED_HASH |
| trust quorum_passed=true alone | quorum doesn't bind effect/artifact ([[rs5a-08]]) | require approval_evidence_ref bound to bound_effect_identity |
| key on attempt_id/nonce | per-attempt fields must never key the effect | partition E non-keying |
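A reference computation of the §3 digest with the §4 guards, added here as an illustration and not part of the RS5A-07 design or any live substrate. It assumes H is SHA-256 over canonical JSON (the page does not fix H), that refs are plain strings, that approval_evidence_ref carries the effect it was applied to, and that decided_at is checked against authorization_window; all sample values are constructed placeholders.

```python
import hashlib
import json

# Partition B/C/D fields in digest order, each with the fail-closed code the field table
# assigns when its source of truth cannot be resolved (assumed as plain string refs here).
FAIL_CLOSED = {
    "owner_scope": "OWNER_SCOPE_MISMATCH",
    "owner_head_ref": "OWNER_OF_RECORD_ABSENT",
    "authority_policy_ref": "AUTHORITY_BINDING_UNRESOLVED",
    "nonce_issuer": "NONCE_ISSUER_NOT_AUTHORITY",
    "authorization_window": "AUTHORIZATION_WINDOW_EXPIRED",
    "approval_evidence_ref": "APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY",
    "quorum_evidence_ref": "QUORUM_NOT_SATISFIED",
    "artifact_hash_ref": "ARTIFACT_HASH_CARRIER_UNPROVEN",
    "u3_head_policy_ref": "U3_HEAD_POLICY_UNDECLARED",
    "status_policy_ref": "STATUS_POLICY_UNDECLARED",
    "audit_policy_ref": "FAILURE_AUDIT_POLICY_UNDECLARED",
}
DIGEST_FIELDS = ("bound_effect_identity", *FAIL_CLOSED)  # partitions A+B+C+D; E is excluded

def authorization_binding_digest(env):
    """Return (hex_digest, None) on admission, or (None, fail_code) when the envelope closes.
    H is assumed to be SHA-256 over canonical JSON; the page does not fix H."""
    for field, code in FAIL_CLOSED.items():
        if not env.get(field):  # unresolved source of truth -> fail closed, no digest
            return None, code
    # Anti-substitution: the approval must name the effect it is being used to admit.
    if env["approval_evidence_ref"]["effect"] != env["bound_effect_identity"]:
        return None, "APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY"
    start, end = env["authorization_window"]  # [effective_from, effective_to), ISO dates
    if not start <= env["decided_at"] < end:
        return None, "AUTHORIZATION_WINDOW_EXPIRED"
    material = {f: env[f] for f in DIGEST_FIELDS}  # attempt_id/nonce/decided_* never enter
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest(), None

# Constructed sample envelope; every ref is a placeholder, not a live identifier.
SAMPLE = {
    "bound_effect_identity": "effect:X", "owner_scope": "DOT_REGISTRATION_AUTHORITY",
    "owner_head_ref": "head:H1", "authority_policy_ref": "law:L1", "nonce_issuer": "head:H1",
    "authorization_window": ["2026-06-01", "2026-07-01"],
    "approval_evidence_ref": {"apr": "APR-1", "effect": "effect:X"},
    "quorum_evidence_ref": "quorum:Q1", "artifact_hash_ref": "carrier:C1",
    "u3_head_policy_ref": "u3:P1", "status_policy_ref": "status:P1", "audit_policy_ref": "audit:P1",
    "attempt_id": "att-1", "nonce": "n-1", "decided_at": "2026-06-21", "decided_by_head": "head:H1",
}

if __name__ == "__main__":
    print(authorization_binding_digest(SAMPLE))  # admitted: (hex digest, None)
    print(authorization_binding_digest({**SAMPLE, "bound_effect_identity": "effect:Y"}))  # replay
```

Replaying the effect:X approval against effect:Y closes with APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY, changing owner_head_ref yields a different digest while bound_effect_identity is untouched, and changing attempt_id or nonce leaves the digest unchanged.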
5. Status
AUTHORITY_ENVELOPE_V1_DEFINED — design complete, 0 rows/columns created. Every partition-B/C/D source is currently absent or unenforced in live substrate ⇒ envelope evaluates fail-closed until the Owner decision + missing surfaces land.