RS5B-CLOSEOUT-PATCH2 05 — C2 Schema Evolution & I5 Authority Non-Weakening — 2026-06-21
Scope: close Codex blocker B8 (Codex §4 / §12.5): I5 (authority non-weakening) must cover C2 wherever schema evolution can weaken required authorization inputs. Supersede the PATCH1-02 §4 coverage-matrix cell that marked I5 "not applicable to C2" and the "discharged transitively" parenthetical.
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 mutations (design-only).
Supersession: PATCH1-02 §4 (I5 row: C2 = —) and its closing parenthetical ("For C1/C2/C4/C5 the authority-non-weakening obligation is discharged transitively … those live in C3/C6/C7") are SUPERSEDED_BY_RS5B_CLOSEOUT_PATCH2 for C2 (file 08 M16). C1/C4/C5 transitive discharge is unaffected.
1. Why I5 must cover C2 (the Codex argument, reconstructed)
C2 is the effect_identity / authorization_binding_digest schema carrier. It does not itself store authority values, but it defines which authority references are required in the envelope. Codex §4:
"A successor C2 schema could preserve old packets while weakening required fields for new packets. The current C2 rollback rule forbids changing old semantics but does not forbid a forward successor from dropping owner, authority-policy, founding-authority, approval-mode, or nonce requirements without a separately governed authority-policy transition. I5 must cover C2 wherever schema evolution can weaken required authorization inputs."
The PATCH1 defence — "authority fields live in C3/C6/C7, so C2's I5 is discharged transitively" — is insufficient precisely because C2 controls whether those references are required at all. A successor schema that no longer requires canonical_owner_head_ref does not need to touch C3 to weaken authority: it simply stops demanding the reference. Transitive discharge covers the values; it does not cover the requirement. Therefore I5 applies to C2 directly.
2. The C2 forward-authority non-weakening rule
Rule (C2-I5-forward): A C2 schema rollback may evolve the schema only by versioned supersession that does not reduce the set of required authority references for new packets. A successor C2 protocol_version MUST NOT:
- drop canonical_owner_scope from the required input set;
- drop canonical_owner_head_ref from the required input set;
- drop canonical_authority_policy_ref from the required input set;
- drop founding_authority_ref from the required input set;
- make approval_mode optional (it is a required, explicit digest field, PATCH1-05 §2);
- omit approval / quorum / principal refs (approval_evidence_ref, quorum_evidence_ref, canonical_principal_resolution_refs) when approval_mode = APPROVAL_USED;
- omit nonce / window refs (nonce_mode, authorization_nonce_ref, authorization_nonce_issuer, authorization_window) where policy requires replay control;
- make any required authority field optional without a separately governed authority-policy transition (a change governed by its own authority, not smuggled in as a schema rollback).
Violation of any of 1–8 ⇒ ROLLBACK_WEAKENS_AUTHORITY (RBP-6, forward branch). (Fixture XBI-27 and sub-cases 27-a/b/c, file 04 §5.)
2.1 What C2 schema evolution MAY still do (the safe path)
- Introduce a successor protocol_version that adds fields or tightens requirements.
- Keep old protocol_version packets readable and verifiable under their original schema (PATCH1-02 §3 C2; I4 — no silent reinterpretation; this is the prior-semantics protection, unchanged).
- Route new packets to the successor (I6 forward fail-closed; new use of a retired schema version is fail-closed unless the successor governs it).
- Relax a requirement only via a separately governed authority-policy transition that is itself authorized — never as an implicit consequence of a schema rollback.
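The C2-I5-forward rule and its safe path as a checkable comparison of required-input sets, given as an added example that is not part of the original design file or the project's code. The schema layout (`required`, `required_when`), the condition names, the `ADMISSIBLE` label, the `governed_fields` parameter and all function names are assumptions made for illustration; verifying that a governed transition is itself authorized is out of scope here.

```python
# Constructed schemas; the layout is an assumption: "required" holds
# always-required inputs, "required_when" holds inputs per named condition.
ROLLBACK_WEAKENS_AUTHORITY = "ROLLBACK_WEAKENS_AUTHORITY"
ADMISSIBLE = "ADMISSIBLE"  # hypothetical label: no forward weakening found

V1 = {
    "protocol_version": "v1",
    "required": {"canonical_owner_scope", "canonical_owner_head_ref",
                 "canonical_authority_policy_ref", "founding_authority_ref",
                 "approval_mode"},
    "required_when": {
        "approval_mode=APPROVAL_USED": {
            "approval_evidence_ref", "quorum_evidence_ref",
            "canonical_principal_resolution_refs"},
        "replay_control_required": {
            "nonce_mode", "authorization_nonce_ref",
            "authorization_nonce_issuer", "authorization_window"},
    },
}

def required_under(schema, condition):
    """Inputs the schema demands when `condition` holds (None = always)."""
    fields = set(schema["required"])
    if condition is not None:
        fields |= schema.get("required_when", {}).get(condition, set())
    return fields

def weakened(old, new, governed_fields=frozenset()):
    """(condition, field) pairs required by `old` but not by `new`, minus
    fields relaxed by a separately governed authority-policy transition."""
    found = set()
    for condition in [None, *old.get("required_when", {})]:
        missing = required_under(old, condition) - required_under(new, condition)
        found |= {(condition, f) for f in missing
                  if f not in governed_fields and (None, f) not in found}
    return found

def check_successor(old, new, governed_fields=frozenset()):
    """Forward branch of I5: any reduction of the required set is RBP-6."""
    hit = weakened(old, new, governed_fields)
    return ROLLBACK_WEAKENS_AUTHORITY if hit else ADMISSIBLE

def successor(base, version, drop=(), add=(), drop_when=()):
    """Build a constructed successor schema from `base` for the demo."""
    when = {c: set(f) for c, f in base["required_when"].items()}
    for cond, field in drop_when:
        when[cond].discard(field)
    return {"protocol_version": version, "required_when": when,
            "required": (set(base["required"]) - set(drop)) | set(add)}
```

Promoting a conditionally required input to always-required counts as tightening and passes; removing a field from either the unconditional set or a conditional set is reported with the condition under which the requirement was lost.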
3. Coverage matrix correction (supersedes PATCH1-02 §4)
The I5 row of the PATCH1 coverage matrix is corrected so that C2 = ✔:
| Invariant | C1 | C2 | C3 | C4 | C5 | C6 | C7 |
|---|---|---|---|---|---|---|---|
| I5 authority non-weakening | — | ✔ (PATCH2) | ✔ | — | — | ✔ | ✔ |
- C2 = ✔ because C2 defines the required-reference set of authorization_binding_digest; a successor schema can weaken authority by dropping/optionalizing a required reference (§2). This is the forward branch of I5 (the prior branch — old packets keep their original requirement — is the I4/semantic protection already in PATCH1-02 §3 C2).
- C1/C4/C5 remain —: their rollback genuinely cannot alter which authority references are required in a historical or future authorization_binding_digest — they carry vocabulary (C1), artifact-hash (C4), and policy-text-reference (C5) payloads, not the requirement set. Their authority-non-weakening obligation is still discharged transitively. Only the C2 cell changes.
- C3/C6/C7 = ✔ unchanged (owner authority, replay protection, approval requirement).
4. Interaction with the oracle (RBP-6 forward branch)
RBP-6 (ROLLBACK_WEAKENS_AUTHORITY) now has two disjoint triggers, both ¬I5:
- prior weakening — an already-bound effect's required authority is retroactively reduced (e.g. XBI-16: old approval-required envelope no longer needs approval; C6 nonce-reuse);
- forward weakening — a successor schema (C2) requires fewer authority inputs for new packets (XBI-27).
Both emit ROLLBACK_WEAKENS_AUTHORITY at precedence rank 6. RBP-6 precedes RBP-7 (successor-absent) and RBP-8 (forward-fail-closed): a C2 successor that weakens authority has a successor rule (¬RBP7) and is not about a retired value remaining admissible (¬RBP8) — it is authority weakening, and RBP-6 dominates. This keeps the C2-weakening input single-coded (file 04 §5; self-review A8–A10, file 09).
5. Boundary attestation
This file changes no runtime state, alters no live schema, creates no C2 carrier, and clears no blocker. It extends invariant I5 (does not weaken it) to cover C2 forward schema evolution at design level. The C7 approval_mode rule (PATCH1-05) is referenced, not reopened. REGISTRATION_HOLD retained; REGISTRATION_CAN_PROCEED = NO; Job A not reopened; I1–I10 strengthened (C2 now under I5), never weakened.