KB-585B

RS5B-CLOSEOUT-PATCH1 03 — Carrier Dependency Map & Reference Preservation — 2026-06-21

Revision 1

Scope: close Codex HOLD §11.2 (residuals R1–R5). Make the carrier dependencies an explicit graph, then prove, per edge, what breaks if the producer is destroyed and what safe rollback rule preserves the reference.

Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 mutations (design-only).

Determinism rule: every edge below carries a bad input mapped to a file-04 oracle code. If any edge lacked a bad input, the only allowed stop would be RS5B_CLOSEOUT_PATCH1_HOLD_DEPENDENCY_MAP_INCOMPLETE. None lacks one.


1. Dependency graph (explicit reference edges, never inheritance edges)

E1  C1 ──canonical_operation──────────────▶ C2
E2  C3 ──owner_scope / head_ref───────────▶ C2
E3  C4 ──artifact_hash_ref────────────────▶ C2
E4  C5 ──u3 / status / audit_policy_ref───▶ C2
E5  C6 ──nonce / window refs──────────────▶ C2
E6  C7 ──approval / quorum / principal────▶ C2     (edge exists only when approval_mode = APPROVAL_USED — file 05)
E7  C2 ──audit / evidence refs────────────▶ historical decisions
E8  C3 / C4 / C7 ──evidence refs──────────▶ audit / history

C2 is the consumer hub (the effect_identity / authorization_binding_digest schema). It absorbs nothing: every arrow is a reference, not an authority inheritance. This is the same join graph as closeout file 06 §2, now annotated with destruction-impact and a safe-rollback rule per edge. The graph is acyclic for production (producers C1/C3/C4/C5/C6/C7 → consumer C2 → history); E8 records that the authority-bearing producers also write directly to audit/history, which is why their rollback must preserve those records (invariant I2/I8).

2. Per-edge reference-preservation table

Columns: producer · consumer · reference field · what breaks if producer is destroyed · safe rollback rule · post-rollback invariant · bad input (→ oracle code).

E1 — C1 → C2 (canonical_operation)

  • Producer: C1 canonical_operation vocabulary. Consumer: C2 effect schema.
  • Reference field: canonical_operation input of effect_identity = H(protocol_version, canonical_operation, …).
  • What breaks if producer destroyed: every historical effect_identity that hashed a now-deleted operation value becomes uninterpretable; the C1→C2 edge dangles; replay/audit of those effects cannot resolve the operation.
  • Safe rollback rule: retire the value/version (mark superseded), keep it resolvable, add successor mapping if replaced (file 02 C1).
  • Post-rollback invariant: I1 (value resolvable), I3 (edge intact), I6 (new use of retired value fail-closed).
  • Bad input: drop a canonical_operation value referenced by an existing C2 effect → ROLLBACK_DELETES_REFERENCED_IDENTITY (XBI-11).

E2 — C3 → C2 (owner_scope / head_ref)

  • Producer: C3 owner/scope binding. Consumer: C2 (canonical_owner_scope, canonical_owner_head_ref).
  • Reference field: canonical_owner_scope, canonical_owner_head_ref inputs of authorization_binding_digest.
  • What breaks if producer destroyed: historical authorization bindings can no longer identify the owner/scope they were bound to; audit and prior decisions that name that owner row dangle; authority provenance is lost.
  • Safe rollback rule: revoke/supersede the row with status + successor/ref, preserving row identity and audit (file 02 C3).
  • Post-rollback invariant: I1, I2, I5 (future authority fail-closed if revoked; never retroactively weakened).
  • Bad input: delete an owner/scope row referenced by a prior binding/audit → ROLLBACK_DELETES_REFERENCED_IDENTITY (XBI-12).

E3 — C4 → C2 (artifact_hash_ref)

  • Producer: C4 artifact hash carrier. Consumer: C2 (artifact_hash_ref; and canonical_artifact_hash inside effect_identity).
  • Reference field: artifact_hash_ref (envelope) and canonical_artifact_hash (effect input).
  • What breaks if producer destroyed: the artifact proof behind a historical effect/authorization can no longer be reproduced or audited; reproducibility and durable evidence are lost.
  • Safe rollback rule: mark hash record superseded/invalid-for-new-use, preserve the record (file 02 C4).
  • Post-rollback invariant: I2 (reproducible), I1 (hash resolvable), I6 (new use follows successor hash).
  • Bad input: drop a hash referenced by effect_identity/audit → ROLLBACK_ERASES_HISTORY (XBI-13).

E4 — C5 → C2 (u3 / status / audit_policy_ref)

  • Producer: C5 U3/status/audit policy refs. Consumer: C2 (u3_head_policy_ref, status_policy_ref, audit_policy_ref).
  • Reference field: the three policy-ref inputs of authorization_binding_digest.
  • What breaks if producer destroyed: old C2 references to the disabled policy cannot resolve (orphan) or, if a different policy silently takes the slot, the old envelope's meaning changes.
  • Safe rollback rule: policy version supersession + compatibility; preserve prior policy text/ref (file 02 C5).
  • Post-rollback invariant: I3 (references resolve), I4 (no silent reinterpretation), I2 (prior policy readable).
  • Bad input: disable a referenced status/U3/audit policy so old C2 references cannot resolve → ROLLBACK_ORPHANS_DEPENDENCY (XBI-14). (Variant: if references resolve but to a re-meant policy → ROLLBACK_CHANGES_HISTORICAL_SEMANTICS; precedence ORPHANS < CHANGES, file 04.)

E5 — C6 → C2 (nonce / window refs)

  • Producer: C6 replay/nonce carrier. Consumer: C2 (nonce_mode, authorization_nonce_ref, authorization_nonce_issuer, authorization_window).
  • Reference field: the four nonce/window inputs of authorization_binding_digest.
  • What breaks if producer destroyed: consumed-nonce history is lost, making a previously consumed nonce reusable (replay regression); prior replay decisions become unauditable.
  • Safe rollback rule: retire nonce policy version/issuer, preserve consumed-nonce/audit records (file 02 C6).
  • Post-rollback invariant: I2 (replay decisions auditable), I5 (no nonce reuse becomes possible), I8.
  • Bad input: reset the replay surface / delete nonce history so a prior nonce can be reused → ROLLBACK_WEAKENS_AUTHORITY (replay-protection weakening; XBI-16 family — recorded explicitly in file 04 as the C6 instance of authority weakening).

E6 — C7 → C2 (approval / quorum / principal refs) — conditional edge

  • Producer: C7 approval/quorum/principal carrier. Consumer: C2 (approval_evidence_ref, quorum_evidence_ref, canonical_principal_resolution_refs).
  • Edge existence: present only when approval_mode = APPROVAL_USED (file 05). When approval_mode = APPROVAL_NOT_USED_BY_POLICY, the edge is absent by policy proof, not by silent omission.
  • Reference field: the three approval inputs of authorization_binding_digest.
  • What breaks if producer destroyed: approval evidence for historical approval-required effects becomes unreadable (history erased) or those effects retroactively no longer require approval (authority weakened).
  • Safe rollback rule: retire/supersede approval policy/principal-resolution version, preserve approval evidence for old effects, new mode explicit (file 02 C7).
  • Post-rollback invariant: I2 (evidence readable), I5 (old envelopes keep original requirement), I4 (new mode forward-only).
  • Bad input (two distinct): (a) disable approval carrier so prior approval evidence becomes unreadable → ROLLBACK_ERASES_HISTORY (XBI-15); (b) change mode so an old approval-required envelope no longer requires approval → ROLLBACK_WEAKENS_AUTHORITY (XBI-16).

E7 — C2 → historical decisions (audit / evidence refs)

  • Producer: C2 schema (its emitted effect_identity / authorization_binding_digest values are referenced by the audit/decision record). Consumer: historical decisions / audit sink.
  • Reference field: the digest/effect values recorded against each historical decision.
  • What breaks if producer destroyed: changing the meaning of old digest fields (a C2 "rollback" by mutation) silently changes what every historical decision attests to.
  • Safe rollback rule: schema version supersession only; old protocol_version stays readable (file 02 C2).
  • Post-rollback invariant: I4 (old decisions verify under old version), I1, I2.
  • Bad input: roll back C2 by rewriting old digest field meanings → ROLLBACK_CHANGES_HISTORICAL_SEMANTICS (XBI-14 variant / file 04 RBP-5).

E8 — C3 / C4 / C7 → audit / history (evidence refs)

  • Producer: the three authority/evidence-bearing carriers. Consumer: audit / history sink.
  • Reference field: owner-designation events (C3), artifact-attestation events (C4), approval events (C7) recorded in the audit/history.
  • What breaks if producer destroyed: the audit/history loses the evidence record even though the carrier row is "rolled back"; an auditor cannot reconstruct who owned / what was attested / who approved.
  • Safe rollback rule: preserve-with-supersession (file 02 C3/C4/C7) and write a rollback_ref audit entry for the rollback itself (I8).
  • Post-rollback invariant: I2 (evidence preserved), I8 (rollback itself audited).
  • Bad input: a carrier rollback that leaves no audit trail / no rollback_ref → ROLLBACK_AUDIT_TRAIL_ABSENT (XBI-18).

3. Cross-carrier locality check (I9)

A rollback that can only "work" by silently rewriting C2's digest/envelope references for already-emitted effects is non-local and rejected: ROLLBACK_NOT_LOCAL (XBI-19). The dependency graph above is the test surface — if rolling back producer X would require mutating consumer C2's historical rows, X's rollback fails I9. Safe rollback acts only on the producer's own version/status surface and relies on the preserved reference remaining resolvable, never on rewriting the consumer.
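
The rules of sections 2 and 3 as an added example (not part of the original report or the project's code): a checker that compares the state before and after a proposed rollback and returns the matching oracle code. The State model, the record ids and the order of the checks are assumptions; only the carrier labels, invariant numbers and oracle codes come from this page.

```python
from dataclasses import dataclass

# Oracle code when a record still referenced by C2 stops resolving,
# copied from the "Bad input" lines of E1-E6 on this page.
DANGLING_CODE = {
    "C1": "ROLLBACK_DELETES_REFERENCED_IDENTITY",  # E1
    "C3": "ROLLBACK_DELETES_REFERENCED_IDENTITY",  # E2
    "C4": "ROLLBACK_ERASES_HISTORY",               # E3
    "C5": "ROLLBACK_ORPHANS_DEPENDENCY",           # E4
    "C6": "ROLLBACK_WEAKENS_AUTHORITY",            # E5
    "C7": "ROLLBACK_ERASES_HISTORY",               # E6 (a)
}
E8_PRODUCERS = {"C3", "C4", "C7"}  # carriers that also write evidence to audit/history

@dataclass
class State:            # hypothetical model, not the project's schema
    producers: dict     # carrier -> {record_id: status}
    c2_rows: dict       # effect_id -> {carrier: record_id}, already-emitted references
    audit: list         # audit entries (dicts)

def check_rollback(before, after, carrier):
    """Return an oracle code for a rollback of `carrier`, or "OK".
    Check order is an assumption; file 04 defines the real precedence."""
    if after.c2_rows != before.c2_rows:             # I9: consumer rows rewritten
        return "ROLLBACK_NOT_LOCAL"
    for refs in before.c2_rows.values():            # I1/I3: references must resolve
        rid = refs.get(carrier)
        if rid is not None and rid not in after.producers.get(carrier, {}):
            return DANGLING_CODE[carrier]
    added = after.audit[len(before.audit):]         # I8: rollback itself audited
    if carrier in E8_PRODUCERS and not any(e.get("rollback_ref") for e in added):
        return "ROLLBACK_AUDIT_TRAIL_ABSENT"
    return "OK"

def scenarios():
    """Constructed sample data: one C3 owner row referenced by one C2 effect."""
    refs = {"effect-1": {"C3": "owner-row-1"}}
    before = State({"C3": {"owner-row-1": "active"}}, refs, [])
    entry = [{"rollback_ref": "rb-1", "carrier": "C3"}]
    kept = {"C3": {"owner-row-1": "superseded", "owner-row-2": "active"}}
    cases = {
        "supersede": State(kept, refs, entry),
        "delete": State({"C3": {"owner-row-2": "active"}}, refs, entry),
        "rewrite_c2": State({"C3": {"owner-row-2": "active"}},
                            {"effect-1": {"C3": "owner-row-2"}}, entry),
        "no_audit": State(kept, refs, []),
    }
    return {name: check_rollback(before, s, "C3") for name, s in cases.items()}
```

Only the supersede case passes: the old row stays resolvable under a new status, C2 is untouched, and the rollback leaves a rollback_ref entry.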

4. Completeness statement

All eight edges (E1–E8) have producer, consumer, reference field, destruction impact, safe rollback rule, post-rollback invariant, and a bad input mapped to a file-04 oracle code. No edge is left without a bad input. Therefore this map does not stop at RS5B_CLOSEOUT_PATCH1_HOLD_DEPENDENCY_MAP_INCOMPLETE. No carrier is merged; the graph is reference-only; LEGO_BOUNDARY_HELD; REGISTRATION_HOLD retained.
