RS5B-CLOSEOUT 05 — P2 Entry Gate Requirements (Non-Mutating, Future Only) — 2026-06-21

Scope: Job B — define, but do not execute, the entry gate for a future P2 lane. P2 must not start until a later independent review accepts this entry-gate design. This file authorizes nothing; it specifies the preconditions that a future authorized lane must satisfy before any P2 build/carrier work may begin. REGISTRATION_HOLD retained · REGISTRATION_CAN_PROCEED = NO · 0 mutations.

What is P2? P2 = a future carrier/policy build design lane (still non-registration). It is the P2 of the RS5B 4-phase graph (P0 reconnaissance → P1 RS5B exec-design → P2 authorized build → P3 real register_dot). This gate sits between contract acceptance and any P2 work. Opening P2 before this gate is accepted = RS5B_CLOSEOUT_REJECT_P2_OPENED_EARLY.

---

1. The twelve P2 entry-gate requirements

Each is conjunctive (all required; any one absent ⇒ the gate is fail-closed and P2 may not open) and each maps to a fail-closed oracle in file 07.

R1 — Accepted RS5B consolidated contract

The consolidated RS5B_CONTRACT_AS_CORRECTED_BY_PATCH1_PATCH2 (file 02), with PATCH1+PATCH2 supersessions (file 03), must be accepted by an independent review. Without it the entry gate has no contract baseline.

• Fail-closed if absent: UNIFIED_CONTRACT_NOT_ACCEPTED.

R2 — Explicit Chairman authorization packet for the P2 design/build lane

A recorded, out-of-band Chairman authorization token (packet item 13), distinct from any GPT/Codex acceptance, scoped to the P2 design/build lane. Contract acceptance is necessary-not-sufficient; it never substitutes for item 13.

• Fail-closed if absent: G2_EXECUTION_REQUIRES_SEPARATE_AUTHORIZATION / BOOTSTRAP_AUTHORITY_UNRESOLVED.

R3 — P2 scope limited to carrier/policy build design, not registration

P2's scope is carrier/policy build (and build design), explicitly excluding registration, activation, and real register_dot admission. Any registration attempt inside P2 is out of scope.

• Fail-closed if violated: P2_SCOPE_DRIFT_REGISTRATION_ATTEMPT.

R4 — Read-only preflight

A read-only preflight (RS5B-04 §3 style) must re-establish current state at P2-entry time (ownership count, scope set, registry, apr_action_types, vocabulary presence, blocker set). Preflight FAIL ⇒ STOP. (Discharges caveat C4: current state must be re-verified live, not assumed from this package's attestation.)

• Fail-closed if absent/failed: PREFLIGHT_FAIL (STOP).

R5 — Canonical-operation vocabulary design, not runtime row creation (unless separately authorized)

P2 may design the canonical-operation vocabulary contract; it may not create runtime vocabulary rows unless that creation is itself separately authorized (item-13-grade authorization for that specific act). Until then the vocabulary stays CANONICAL_OPERATION_VOCABULARY_REQUIRED_NOT_PRESENT.

• Fail-closed if violated: VOCABULARY_RUNTIME_OVERCLAIM.

R6 — Rollback plan per carrier

Every carrier in scope (file 06) must carry a per-carrier rollback plan before any build of that carrier. No carrier without a rollback surface.

• Fail-closed if absent for any carrier: ROLLBACK_PLAN_ABSENT.

R7 — Separate LEGO boundaries

Each carrier must be a separate LEGO: born separately, tested separately, changed separately, rolled back separately, joined only by explicit contract edges. No mega-registry / mega-graph / mega-birth pipeline.

• Fail-closed if violated: LEGO_BOUNDARY_INSUFFICIENT.

R8 — No inherited authority between approval, registration, activation

Authority must not implicitly flow between scopes. Explicit MUST_NOT_IMPLICIT_INHERIT edges: DOT_APPROVAL_QUORUM_AUTHORITY ↛ DOT_REGISTRATION_AUTHORITY; DOT_REGISTRATION_AUTHORITY ↛ DOT_ACTIVATION_AUTHORITY. Approval-authority ≠ registration-authority ≠ activation-authority.

• Fail-closed if violated: IMPLICIT_AUTHORITY_INHERITANCE_REJECTED.

R9 — No unsafe registrar reuse

P2 must use the DOT_REGISTER_GOVERNED_REPLACEMENT identity (replace-not-wrap). It must never wrap/relabel/reuse the unsafe dot-dot-register mass-scan real-run path. Allowed reuse is limited to dry-run / classify-advisory / source / warning surfaces.

• Fail-closed if violated: UNSAFE_REGISTRAR_REUSE_REJECTED.

R10 — No register_dot real admission

P2 performs no real register_dot admission. register_dot real-run remains a P3 act behind a separate later gate, after all hard pre-runtime prerequisites (replay surface, failure-audit sink) exist and PASS.

• Fail-closed if violated: P2_SCOPE_DRIFT_REGISTRATION_ATTEMPT.

R11 — No RS-VALIDATOR unless separately authorized

P2 does not open RS-VALIDATOR or patch the registrar/validator unless that work is separately authorized as its own scoped act under explicit Chairman authorization.

• Fail-closed if violated: RS_VALIDATOR_NOT_AUTHORIZED.

R12 — Codex (independent) review before any write

Before any P2 write, an independent Codex/GPT review must accept the P2 entry-gate design and the specific build plan. Acceptance of this closeout is necessary-not-sufficient: it gates entry-design review, not the writes themselves.

• Fail-closed if absent: INDEPENDENT_REVIEW_NOT_OBTAINED.

---

2. Gate evaluation order (deterministic, fail-closed)

The gate is a conjunction; for a deterministic single-reason readout, evaluate in this order and emit the first failing requirement's code (lowest-numbered failing R wins; any runtime write/DDL/DML observed at any point short-circuits to RUNTIME_MUTATION_REJECTED):

R4 preflight  →  R1 contract accepted  →  R12 independent review of entry design
   →  R2 Chairman packet  →  R3 scope=build-design  →  R10 no register_dot
   →  R5 vocabulary design-only  →  R9 no unsafe registrar reuse  →  R11 no RS-VALIDATOR
   →  R8 no inherited authority  →  R7 LEGO separate  →  R6 rollback per carrier
   →  ALL PASS ⇒ P2_ENTRY_DESIGN_READY_FOR_INDEPENDENT_REVIEW (still not P2 authorization)

P2_ENTRY_DESIGN_READY_FOR_INDEPENDENT_REVIEW is necessary-not-sufficient: it means the entry-gate design is complete enough to be reviewed — not that P2 is authorized, not that any write may occur. P2 opens only on R12 acceptance plus R2 Chairman authorization, both recorded.

3. What this gate explicitly does NOT do

• It does not open P2. It is a future gate definition, design-only.
• It creates no Owner / scope / APR / register_dot / approval / handler.
• It creates no canonical-operation runtime rows.
• It does not patch the registrar or validator, and does not open RS-VALIDATOR.
• It runs no DDL/DML and mutates no PG/Directus/runtime.
• It does not clear REGISTRATION_HOLD or assert REGISTRATION_CAN_PROCEED.

4. Relationship to carried blockers

This gate resolves no carried blocker. BOOTSTRAP_AUTHORITY_UNRESOLVED, OWNER_MINT_PATH_FAIL_CLOSED, CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT, QUORUM_EFFECT_BINDING_INSUFFICIENT, QUORUM_APPROVER_IDENTITY_UNVERIFIED, STATUS_DOMAIN_NOT_DB_ENFORCED, U3_PARTIAL_UNIQUE_SURFACE_ABSENT, and G2–G7 remain open and are inputs the future P2 lane must address under its own authorization — not preconditions this closeout clears.