KB-69C1 rev 4

RS5B-PATCH1-02 — Corrected Effect-Identity and Authorization-Binding Contract — 2026-06-21


Macro: RS5B-PATCH1 · Deliverable: 02 of 7 · design-only · authoritative correction of RS5B-05 item 5 wording. Grounded on: RS4A-PATCH2-02 (EFFECT_IDENTITY_BUSINESS_EFFECT_ONLY + AUTHORIZATION_BINDING_SEPARATED), read in full in this macro ([[01-source-and-defect-map]] P8). Does not reopen or restate RS4A-PATCH2; it re-states RS5B-05 item 5 to match the accepted RS4A-PATCH2 contract. Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations.

1. The one-sentence correction

The effect_identity is kept pure (authority excluded from it) — it is NOT kept out of the authorization binding. The authorization_binding_digest binds the pure effect_identity to the authorization envelope.

This replaces the RS5B-05 item-5 phrase "effect_identity … kept out of the authorization binding (separation)". The separation that is correct is authority-out-of-effect_identity, not effect_identity-out-of-authorization-binding.

2. effect_identity — business-only (pure)

effect_identity = H(
    protocol_version,
    operation = "register_dot",
    canonical_target_dot_code,
    canonical_artifact_identity,
    canonical_artifact_hash
)

effect_identity MUST NOT include (carried verbatim from RS4A-PATCH2-02 §1.1):

  • canonical_owner_scope (authority/accountability)
  • canonical_authority_policy_ref (authority policy version)
  • approvals / APR ids / owner row ids (volatile authority-instance ids)
  • authorization_nonce, attempt_id, attempt_no, run_id
  • timestamps / date_created / TTL / freshness window
  • operator / session / host / VPS IP

Rule (EFFECT_IDENTITY_BUSINESS_EFFECT_DISCIPLINE): effect_identity answers which registry effect is requested — operation, target code, artifact identity, artifact hash. Any authority/credential/execution field is excluded. A vote on whether the effect is authorized never changes which effect it is.

3. authorization_binding_digest — MUST include effect_identity

authorization_binding_digest = H(
    protocol_version,
    effect_identity,                     # REQUIRED: binds authorization TO the exact effect
    canonical_owner_scope,
    canonical_owner_head_ref,
    canonical_authority_policy_ref,
    approval_mode,
    approval_evidence_ref,               # if approval is used
    quorum_evidence_ref,                 # if approval is used
    canonical_principal_resolution_refs, # if approval is used
    nonce_mode,
    authorization_nonce_ref,             # if nonce/replay is used
    authorization_nonce_issuer,
    authorization_window,
    artifact_hash_ref,
    u3_head_policy_ref,
    status_policy_ref,
    audit_policy_ref,
    founding_authority_ref               # REQUIRED for bootstrap owner designation
)

Rules (carried/extended from RS4A-PATCH2-02 §2.1, applied to the RS5B founding-act packet):

  1. authorization_binding_digest is REQUIRED for admission, and effect_identity is a REQUIRED input of it. A digest that omits effect_identity ⇒ AUTHORIZATION_BINDING_MISSING_EFFECT (fail-closed).
  2. The binding ties one authorization envelope to one exact effect. Authority changes may authorize/deny an attempt, but two attempts with different authorization_binding_digest and the same effect_identity are two attempts at one effect.
  3. Same effect + changed authority = same effect_identity ⇒ duplicate, not a new registration (AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE). Intentional re-registration uses a different operation (changing effect_identity legitimately), never authority-digest drift.
  4. effect_identity impurity is rejected. If effect_identity is computed with any authority/credential/execution field, ⇒ EFFECT_IDENTITY_IMPURE.
  5. Conditional evidence is canonical, never silently omitted. approval_mode and nonce_mode determine whether their evidence refs are required. When a mode is not used, its fields are encoded with a governed tagged NOT_USED_BY_POLICY value. A bootstrap owner-designation packet always requires founding_authority_ref.
  6. Owner and policy references remain distinct. Scope, accountable head, and authority policy are separate digest inputs; U3, status, and audit policies are also separate inputs. Implementations must not collapse them into an ambiguous aggregate field.
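
The two digests and the reject codes from rules 1 to 5, as an added sketch that is not part of RS4A-PATCH2 or RS5B and implies no runtime readiness. Assumptions: H is SHA-256 over a length-prefixed encoding, an absent conditional evidence field means its mode is not used, an identical retry is treated as idempotent, and Reject, admit and the sample values are hypothetical names.

```python
import hashlib

# Assumptions, not from the page: H is SHA-256 over length-prefixed "name=value"
# items, and an absent conditional evidence field means its mode is not used.
EFFECT_FIELDS = ("protocol_version", "operation", "canonical_target_dot_code",
                 "canonical_artifact_identity", "canonical_artifact_hash")
CONDITIONAL = ("approval_evidence_ref", "quorum_evidence_ref",
               "canonical_principal_resolution_refs", "authorization_nonce_ref",
               "authorization_nonce_issuer", "authorization_window")
BINDING_FIELDS = ("protocol_version", "effect_identity", "canonical_owner_scope",
    "canonical_owner_head_ref", "canonical_authority_policy_ref", "approval_mode",
    *CONDITIONAL[:3], "nonce_mode", *CONDITIONAL[3:], "artifact_hash_ref",
    "u3_head_policy_ref", "status_policy_ref", "audit_policy_ref",
    "founding_authority_ref")

class Reject(Exception): pass  # message is one of the page's reject codes

def H(names, values):
    h = hashlib.sha256()
    for name in names:  # fixed order + length prefix: unambiguous encoding
        item = f"{name}={values[name]}".encode()
        h.update(len(item).to_bytes(4, "big") + item)
    return h.hexdigest()

def effect_identity(fields):
    if set(fields) - set(EFFECT_FIELDS):  # authority/credential/execution field
        raise Reject("EFFECT_IDENTITY_IMPURE")
    return H(EFFECT_FIELDS, fields)

def binding_digest(envelope):
    if not envelope.get("effect_identity"):
        raise Reject("AUTHORIZATION_BINDING_MISSING_EFFECT")
    # Rule 5: unused conditional evidence is encoded as a tagged value, not dropped.
    full = {**dict.fromkeys(CONDITIONAL, "NOT_USED_BY_POLICY"), **envelope}
    return H(BINDING_FIELDS, full)

def admit(effect_fields, envelope, admitted):  # admitted: effect_identity -> digest
    eid, digest = effect_identity(effect_fields), binding_digest(envelope)
    if envelope["effect_identity"] != eid:
        raise Reject("APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY")
    if admitted.get(eid, digest) != digest:  # same effect, changed authority
        raise Reject("AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE")
    admitted[eid] = digest
    return eid, digest

# Constructed sample input, for illustration only.
SAMPLE_EFFECT = {**{n: f"example-{n}" for n in EFFECT_FIELDS}, "operation": "register_dot"}
def sample_envelope(**overrides):
    base = {n: f"example-{n}" for n in BINDING_FIELDS if n not in CONDITIONAL}
    return {**base, "effect_identity": effect_identity(SAMPLE_EFFECT), **overrides}
```

Admitting sample_envelope() and then sample_envelope(canonical_owner_scope="other-scope") for the same SAMPLE_EFFECT yields an unchanged effect_identity, a different binding digest, and the AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE rejection on the second attempt.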

4. The two separations, stated unambiguously

| separation | direction | correct? |
|---|---|---|
| authority out of effect_identity | owner scope / policy / approval / nonce / operator / session / timestamp are excluded from effect_identity | ✅ this is the real separation (purity) |
| effect_identity inside authorization_binding_digest | effect_identity is a required input of the binding | ✅ the binding contains the effect |
| effect_identity out of authorization binding | the binding excludes the effect | SUPERSEDED — this was the RS5B-05 item-5 slip |

5. Corrected RS5B-05 item 5 (authoritative replacement text)

5 — effect_identity (pure) + authorization binding. Provide the business-only effect_identity = H(protocol_version, operation, canonical_target_dot_code, canonical_artifact_identity, canonical_artifact_hash) (authority/credential/execution fields excluded — EFFECT_IDENTITY_IMPURE if not), and ensure it is included as a required input of the authorization_binding_digest, which binds the pure effect to owner scope/head, policy, approval/quorum + canonical-principal evidence (if approval used), nonce ref/issuer/window (if nonce/replay is used), artifact-hash ref, separate U3/status/audit policy refs, and the founding-authority ref (for a bootstrap owner-designation packet). Reject if: approval/authorization not bound to the exact effect → APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY; binding omits effect → AUTHORIZATION_BINDING_MISSING_EFFECT; effect_identity impure → EFFECT_IDENTITY_IMPURE; same effect + changed authority → AUTHORIZATION_CHANGED_SAME_EFFECT_DUPLICATE. Maps to: RS4A-PATCH2-02, RS5A-07.

This replacement keeps item 5's existing reject code (APPROVAL_NOT_BOUND_TO_EFFECT_IDENTITY) and adds the two it should always have implied (AUTHORIZATION_BINDING_MISSING_EFFECT, EFFECT_IDENTITY_IMPURE).

6. Non-overclaim guard

This correction is wording only and design-only. It does not: make effect_identity include the authorization envelope (rule 4 forbids it); make authorization_binding_digest omit effect_identity (rule 1 forbids it); imply runtime readiness; create any column/schema/row. The live surfaces remain REQUIRED_NOT_PRESENT and fail-closed (RS4A-PATCH2-02 §4: AUTHORITY_BINDING_UNRESOLVED at admission). REGISTRATION_HOLD retained.

7. Status

EFFECT_AUTHORIZATION_BINDING_CONTRACT_CORRECTED: effect_identity pure (authority excluded); authorization_binding_digest includes effect_identity and binds it to the authorization envelope; the inverted "kept out of authorization binding" reading is superseded; new reject codes AUTHORIZATION_BINDING_MISSING_EFFECT and EFFECT_IDENTITY_IMPURE made explicit (both already implicit in RS4A-PATCH2). Design-only; fail-closed; no overclaim.
