KB-1183

RS5B-CLOSEOUT 06 — Minimal P2 Carrier Scope & LEGO Boundaries — 2026-06-21

Revision 1

Scope: define the minimal candidate carrier set for a future P2 lane, for review only. Do not build it. No rows, schema, code, handler, migration, validator, or registrar patch is created here. REGISTRATION_HOLD retained · 0 mutations.

LEGO rule (applies to every carrier): each carrier is a separate LEGO — born separately, tested separately, changed separately, rolled back separately, joined to others only by an explicit contract edge, and never merged into a mega-registry / mega-graph / mega-birth pipeline. A carrier bundle that collapses these = LEGO_BOUNDARY_INSUFFICIENT (file 07 XBI-6).


1. Candidate carriers (minimal set, design-only)

P2-C1 — Canonical-operation vocabulary contract

  • Born separately: a standalone governed vocabulary contract defining valid canonical_operation values per act type.
  • Tested separately: its own fixtures (OP-BI-1..4 family) verifying register_dot ≠ default, founding/scope ≠ register_dot, vocabulary-absent ⇒ HOLD.
  • Changed separately: vocabulary entries added/superseded per-entry, versioned by protocol_version.
  • Rolled back separately: drop/disable the vocabulary contract without touching effect/digest carriers.
  • Joined by explicit contract: referenced by C2 only via canonical_operation lookup, never inlined.
  • Pre/post-runtime: pre-runtime prerequisite (must exist + PASS before any real register_dot).
  • Must-not-inherit: defining a vocabulary entry grants no authority to register/activate; vocabulary presence ≠ registration permission.
  • State today: CANONICAL_OPERATION_VOCABULARY_REQUIRED_NOT_PRESENT — design-only; no runtime row created (R5).

P2-C2 — effect_identity / authorization_binding_digest schema carrier

  • Born separately: the two-digest schema (pure effect_identity; authorization_binding_digest that includes it), per file 02 §4–§5.
  • Tested separately: BI-E1..E7 classifier fixtures (DEFINED_NOT_EXECUTED) with discriminator P, layered BI-E6→BI-E1.
  • Changed separately: schema fields revised under protocol_version; purity invariant (authority-out-of-effect) enforced independently.
  • Rolled back separately: revert schema version without touching owner/scope rows.
  • Joined by explicit contract: consumes C1 (operation), C4 (artifact hash), C5 (U3/status/audit refs), C3 (owner scope/head), C6 (nonce), C7 (approval/principal refs) by reference.
  • Pre/post-runtime: pre-runtime prerequisite.
  • Must-not-inherit: BINDING_CHECK_PASS is necessary-not-sufficient — never a registration/authority/activation PASS.

P2-C3 — Owner / scope binding carrier

  • Born separately: owner-of-record + scope-binding rows (one scope per row, no bundling), candidate head from governance_registry (Option B), never free-text/operator.
  • Tested separately: owner-identity fixtures (OPERATOR_NOT_OWNER, FREE_TEXT_OWNER_REJECTED, OWNER_SCOPE_MISMATCH).
  • Changed separately: per-row supersession with rollback_ref.
  • Rolled back separately: revoke/drop a single ownership row independently.
  • Joined by explicit contract: bound to objects via FK; bound to effects only via C2's canonical_owner_scope / canonical_owner_head_ref.
  • Pre/post-runtime: pre-runtime prerequisite (owner must exist before registration authority is real).
  • Must-not-inherit: owner scope grants exactly its scope_code; DOT_REGISTRATION_AUTHORITY ↛ DOT_ACTIVATION_AUTHORITY (R8).

P2-C4 — Artifact hash carrier

  • Born separately: canonical_artifact_hash + artifact_hash_ref carrier (trusted attested hash, never request_proposed).
  • Tested separately: ARTIFACT_HASH_MISMATCH / ARTIFACT_HASH_CARRIER_UNPROVEN fixtures.
  • Changed separately: hash carrier updated per artifact, independent of schema/owner.
  • Rolled back separately: drop a hash record without touching the digest schema.
  • Joined by explicit contract: referenced by C2 as artifact_hash_ref.
  • Pre/post-runtime: pre-runtime prerequisite.
  • Must-not-inherit: a valid hash proves artifact integrity only, not authority to register.

P2-C5 — U3 / status / audit policy references

  • Born separately: distinct U3-head policy, status-domain policy, and audit-sink policy reference surfaces.
  • Tested separately: STATUS_VALUE_OUT_OF_VOCABULARY, U3-uniqueness, and success/failure-audit-contract fixtures.
  • Changed separately: each policy reference versioned and rolled back on its own.
  • Rolled back separately: disable one policy reference without affecting the others.
  • Joined by explicit contract: referenced by C2 as u3_head_policy_ref / status_policy_ref / audit_policy_ref.
  • Pre/post-runtime: pre-runtime prerequisites (replay surface + failure-audit sink must exist + PASS before any real register_dot, and may never be introduced after runtime registration).
  • Must-not-inherit: carried blockers STATUS_DOMAIN_NOT_DB_ENFORCED, U3_PARTIAL_UNIQUE_SURFACE_ABSENT remain open; these references do not by themselves resolve them.

P2-C6 — Replay / nonce carrier

  • Born separately: nonce issuance + replay-surface carrier; single-use nonce, half-open [from,to) window.
  • Tested separately: NONCE_ISSUER_NOT_AUTHORITY, AUTHORIZATION_WINDOW_EXPIRED, idempotent-prior-decision fixtures.
  • Changed separately: nonce policy revised independently of approval/owner.
  • Rolled back separately: disable the replay surface without touching effect identity.
  • Joined by explicit contract: referenced by C2 as nonce_mode / authorization_nonce_ref / authorization_nonce_issuer / authorization_window.
  • Pre/post-runtime: pre-runtime prerequisite (replay surface is a hard pre-runtime carrier).
  • Must-not-inherit: issuing a nonce confers no registration authority.

P2-C7 — Approval / quorum / principal-resolution carrier (only if approval is used)

  • Born separately: approval-binding + quorum + canonical-principal-resolution carrier (effect-bound approval, ≥1 president + ≥2 ai_council, self-exclusion, 0 reject).
  • Tested separately: RS5A-PATCH4 total-Q-order fixtures (Q00..Q50), APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY, principal double-count fixtures.
  • Changed separately: approval policy and principal surface versioned independently.
  • Rolled back separately: disable approval-as-a-check without affecting owner/registration carriers.
  • Joined by explicit contract: referenced by C2 as approval_evidence_ref / quorum_evidence_ref / canonical_principal_resolution_refs.
  • Pre/post-runtime: pre-runtime prerequisite if approval is used; optional otherwise.
  • Must-not-inherit: DOT_APPROVAL_QUORUM_AUTHORITY ↛ DOT_REGISTRATION_AUTHORITY — approval authority never inherits registration or activation authority (R8). Quorum PASS is necessary-not-sufficient; CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT remains open.
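
The C7 quorum rule above, sketched as an added illustration (not a carrier, validator, or any code from the source project). The function name `quorum_check`, the `CANONICAL` alias table, the sample aliases, and the `QUORUM_PASS` / `QUORUM_FAIL` labels are hypothetical; "self-exclusion" is assumed to mean the requester's own approval is never counted.

```python
# Added illustration only; every alias and principal id below is constructed.
# Stand-in for a canonical principal surface: alias -> (principal id, role).
# Roles come from this table, never from the approval record itself.
CANONICAL = {
    "pres-a": ("P1", "president"),
    "council-x": ("A1", "ai_council"),
    "council-x-alt": ("A1", "ai_council"),  # second alias of the same principal
    "council-y": ("A2", "ai_council"),
    "council-z": ("A3", "ai_council"),
}

def quorum_check(effect_identity, requester, approvals, canonical=CANONICAL):
    """approvals: list of dicts with keys alias, decision, effect_identity."""
    if requester not in canonical:
        return "HOLD"  # requester cannot be resolved: fail closed
    requester_id = canonical[requester][0]
    counted = {}  # principal id -> role, so each principal counts once
    for a in approvals:
        # Effect-bound approval: evidence for any other effect is rejected.
        if a["effect_identity"] != effect_identity:
            return "APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY"
        if a["alias"] not in canonical:
            return "HOLD"  # unresolved principal: fail closed
        principal, role = canonical[a["alias"]]
        if a["decision"] == "reject":
            return "QUORUM_FAIL"  # rule requires 0 reject
        if principal == requester_id:
            continue  # self-exclusion
        counted[principal] = role  # aliases collapse to one principal
    presidents = sum(1 for r in counted.values() if r == "president")
    council = sum(1 for r in counted.values() if r == "ai_council")
    ok = presidents >= 1 and council >= 2
    # A pass here is necessary-not-sufficient; it grants no registration authority.
    return "QUORUM_PASS" if ok else "QUORUM_FAIL"
```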

2. Carrier join graph (explicit edges only)

C1 vocabulary ──(canonical_operation)──▶ C2 effect/digest schema ◀──(artifact_hash_ref)── C4 hash
C3 owner/scope ──(owner_scope/head_ref)──▶ C2
C5 U3/status/audit ──(policy refs)──▶ C2
C6 replay/nonce ──(nonce refs)──▶ C2
C7 approval/quorum/principal ──(approval/quorum/principal refs; ONLY if approval used)──▶ C2

Every arrow is an explicit reference edge, never an inheritance edge. No carrier authorizes another. C2 is a consumer of references, not a merge point that absorbs the others into one block — that distinction is what keeps the set LEGO and not a mega-registry.

3. Must-not-inherit edge set (carried)

  • DOT_APPROVAL_QUORUM_AUTHORITY ↛ DOT_REGISTRATION_AUTHORITY (C7 ↛ C3/registration).
  • DOT_REGISTRATION_AUTHORITY ↛ DOT_ACTIVATION_AUTHORITY (registration ↛ activation; activation is the only post-registration-capable scope and is never inherited).
  • vocabulary presence (C1) ↛ registration permission.
  • artifact-hash validity (C4) ↛ authority.
  • BINDING_CHECK_PASS (C2) ↛ registration/authority/activation PASS.
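
The section 2 join graph and the section 3 edge set can be checked mechanically; the sketch below is an added illustration, not a carrier or any code from the source project. The tuple encoding of edges, the `implies` rule list, and the names `lint_graph` and `registration_preconditions_met` are hypothetical, and the rule that every edge targets C2 is read off the section 2 diagram.

```python
# Added illustration only: nothing here is a carrier, schema or validator.
# Section 2 edges as (source, contract label, target, kind).
EDGES = [
    ("C1", "canonical_operation", "C2", "reference"),
    ("C4", "artifact_hash_ref", "C2", "reference"),
    ("C3", "owner_scope/head_ref", "C2", "reference"),
    ("C5", "policy refs", "C2", "reference"),
    ("C6", "nonce refs", "C2", "reference"),
    ("C7", "approval/quorum/principal refs", "C2", "reference"),
]
# Section 3 pairs: the left side never yields the right side.
MUST_NOT_INHERIT = {
    ("DOT_APPROVAL_QUORUM_AUTHORITY", "DOT_REGISTRATION_AUTHORITY"),
    ("DOT_REGISTRATION_AUTHORITY", "DOT_ACTIVATION_AUTHORITY"),
    ("BINDING_CHECK_PASS", "DOT_REGISTRATION_AUTHORITY"),
    ("BINDING_CHECK_PASS", "DOT_ACTIVATION_AUTHORITY"),
}
REQUIRED = ("C1", "C2", "C3", "C4", "C5", "C6")  # C7 only if approval is used

def lint_graph(edges, implies=()):
    """Return (verdict, findings) for a proposed edge list and implication rules."""
    findings = []
    for src, label, dst, kind in edges:
        if kind != "reference":
            findings.append(f"{src}->{dst}: {kind} edge; only reference edges allowed")
        if dst != "C2" or src == "C2":
            findings.append(f"{src}->{dst}: carriers join only by a named ref into C2")
        if not label:
            findings.append(f"{src}->{dst}: edge has no explicit contract label")
    # Close the proposed implications transitively to catch indirect inheritance.
    reach, grew = set(implies), True
    while grew:
        new = {(a, d) for a, b in reach for c, d in reach if b == c} - reach
        reach |= new
        grew = bool(new)
    for left, right in sorted(reach & MUST_NOT_INHERIT):
        findings.append(f"{left} must not inherit {right}")
    verdict = "LEGO_BOUNDARY_INSUFFICIENT" if findings else "LEGO_BOUNDARY_HELD"
    return verdict, findings

def registration_preconditions_met(held_scopes, results, approval_used=False):
    """Carrier PASS results are necessary, never sufficient: the scope must be held."""
    needed = REQUIRED + (("C7",) if approval_used else ())
    all_pass = all(results.get(c) == "PASS" for c in needed)
    return all_pass and "DOT_REGISTRATION_AUTHORITY" in held_scopes
```

The second function models only the necessary conditions named on this page; it does not stand in for the P2 entry gate or the authorization described in section 5.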

4. Pre-runtime vs post-runtime classification

All seven carriers above are pre-runtime prerequisites for any real register_dot (they must exist and PASS before P3, and the replay surface and failure-audit sink may never be introduced after runtime registration). The only post-registration-capable scope is activation (DOT_ACTIVATION_AUTHORITY); it is out of the minimal pre-runtime carrier set and is never inherited from registration.

5. Boundary attestation

This file creates no carrier. It is a candidate scope for a future authorized review. Building any carrier requires the P2 entry gate (file 05) to be accepted by an independent review and explicit Chairman authorization for the specific build. LEGO_BOUNDARY_HELD.

knowledge/dev/laws-new/reports/rs5b-closeout-p2-entry/06-minimal-p2-carrier-scope-and-lego-boundaries-2026-06-21.md