RS5B-CLOSEOUT-PATCH1 06 — Two-Gate Sequencing: Baseline vs P2-Open — 2026-06-21

Scope: close Codex HOLD §4 / §11.6 (residual R8). Split the single ambiguous gate (closeout R12 + output P2_ENTRY_DESIGN_READY_FOR_INDEPENDENT_REVIEW) into two deterministic gates with distinct outputs. Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 mutations. Neither gate opens P2; Gate A authorizes only preparing a plan, Gate B authorizes only opening a named design/build lane — never registration.

---

1. The ambiguity (reconstructed)

Codex §4: closeout R12 already required "an independent review to accept both the entry-gate design and the specific build plan," yet the all-pass output was named P2_ENTRY_DESIGN_READY_FOR_INDEPENDENT_REVIEW — "although R12's independent review has already been required to pass." And "this closeout package contains no carrier-specific build plan, so acceptance of this package cannot satisfy the plan-specific part of R12." One gate conflated two reviews of two different objects (the baseline design and a specific build plan). PATCH1 separates them.

2. Gate A — Baseline design acceptance gate

Purpose: accept the closeout / P2-entry design baseline (the consolidated contract + the entry-gate design as corrected by PATCH1). Reviews the design, not any build.

Inputs (conjunctive; any absent ⇒ fail-closed):

1. RS5B consolidated contract (closeout file 02) accepted at contract layer (Codex §3 PASS carried).
2. Independent (GPT, then Codex) review accepts this PATCH1 closeout patch (dependency-safe rollback + C7 rule + gate split).
3. The five PATCH2 caveats (C1–C5) propagated (closeout file 04), plus PATCH1's dependency-safe-rollback and gate-split constraints.
4. Dependency-safe rollback contract is valid at design level — every C1–C7 rollback pattern satisfies invariants I1–I10 (file 02) and the RBP oracle returns ROLLBACK_CONTRACT_VALID_FOR_REVIEW for the design-level rollback patterns (file 04).
5. C7 conditionality resolved deterministically by approval_mode (file 05).
6. The rollback/gate XBI fixtures (XBI-11..XBI-25) all fail closed (file 04).

Output: P2_BASELINE_ENTRY_DESIGN_ACCEPTED.

Meaning (and only this):

• Permits preparing a carrier-specific P2 build plan.
• Does not open P2.
• Does not authorize any write.
• Does not substitute for Chairman authorization.
• P2_BASELINE_ENTRY_DESIGN_ACCEPTED is necessary-not-sufficient: it is the precondition for drafting a plan that Gate B will later judge — nothing more.

Failure code if Gate-A output is mis-promoted to open P2: BASELINE_ACCEPTANCE_NOT_P2_OPEN_AUTHORIZATION (XBI-22).

3. Gate B — P2-open gate for a specific carrier plan

Purpose: authorize opening one specific P2 carrier/policy build design lane — still not registration, activation, or real register_dot.

Inputs (conjunctive; any absent ⇒ fail-closed):

1. Gate A accepted (P2_BASELINE_ENTRY_DESIGN_ACCEPTED recorded).
2. A carrier-specific build plan exists (a concrete plan for named carriers, which the baseline package deliberately did not contain).
3. The exact carriers in scope are named (subset of C1–C7, with C7 governed by approval_mode, file 05).
4. Dependency-safe rollback proof for each carrier in scope — per-carrier invariant proof (file 02) + dependency-edge preservation (file 03), classified ROLLBACK_CONTRACT_VALID_FOR_REVIEW by the RBP oracle. Absent ⇒ P2_OPEN_GATE_ROLLBACK_PROOF_MISSING (XBI-25).
5. Read-only preflight current — re-run at Gate-B time (discharges caveat C4; closeout R4). FAIL ⇒ STOP.
6. Explicit Chairman authorization scoped to that exact carrier-specific plan (packet item 13). Absent ⇒ G2_EXECUTION_REQUIRES_SEPARATE_AUTHORIZATION (XBI-23); generic/wrong-scope ⇒ CHAIRMAN_AUTHORIZATION_SCOPE_MISMATCH (XBI-24).
7. Independent review accepts the specific build plan (distinct from Gate A's review of the design baseline). Absent ⇒ INDEPENDENT_REVIEW_NOT_OBTAINED.
8. No runtime mutation in review — any DDL/DML/write observed ⇒ RUNTIME_MUTATION_REJECTED (short-circuit, file 04 RBP-0).

Output: P2_OPEN_AUTHORIZED_FOR_NAMED_CARRIER_PLAN_ONLY.

Meaning (and only this):

• Only the named P2 design/build lane may open.
• No registration. No activation. No real register_dot. No P3.
• No runtime write unless the specific P2 plan authorizes a specific write and all separate write gates are passed (each write remains its own separately-authorized act under item 13).

4. Deterministic sequencing (state machine)

[contract accepted] ──A──▶ P2_BASELINE_ENTRY_DESIGN_ACCEPTED ──(prepare plan)──▶
   [carrier-specific plan + rollback proof + preflight + scoped Chairman token + plan review]
   ──B──▶ P2_OPEN_AUTHORIZED_FOR_NAMED_CARRIER_PLAN_ONLY ──(later, separate gates)──▶ P3 register_dot

Evaluation is ordered and fail-closed:

• RUNTIME_MUTATION_REJECTED short-circuits at any point.
• Gate A inputs evaluated first; first missing input emits its code.
• Gate B is unreachable until Gate A emits P2_BASELINE_ENTRY_DESIGN_ACCEPTED.
• Gate B's Chairman-token and rollback-proof checks are distinct from Gate A's design review; passing Gate A never satisfies any Gate B input.

No transition rule says "Gate A accepted → P2 open." If any report infers that, it is rejected (BASELINE_ACCEPTANCE_NOT_P2_OPEN_AUTHORIZATION), and by the controlling stop condition the package would HOLD at RS5B_CLOSEOUT_PATCH1_HOLD_GATE_SPLIT_AMBIGUOUS. This file makes the two gates cleanly separable, so that stop does not apply.

5. Supersession of the old single gate (carried into file 07)

• Closeout R12 ("independent review accepts both entry-gate design and specific build plan") is split: the entry-gate-design review → Gate A input 2; the specific-build-plan review → Gate B input 7.
• Closeout output P2_ENTRY_DESIGN_READY_FOR_INDEPENDENT_REVIEW is superseded by the two distinct outputs P2_BASELINE_ENTRY_DESIGN_ACCEPTED (Gate A) and P2_OPEN_AUTHORIZED_FOR_NAMED_CARRIER_PLAN_ONLY (Gate B). Marker SUPERSEDED_BY_RS5B_CLOSEOUT_PATCH1.

6. Non-overclaim

Neither gate opens P2, authorizes a write, creates a carrier, or clears a blocker. Gate B's output authorizes only the opening of a named design/build lane; every actual runtime write remains behind its own later, separately-authorized gate plus Chairman item-13 authorization. REGISTRATION_HOLD retained; REGISTRATION_CAN_PROCEED = NO.