KB-7CDD

RS5B-03 — Authority-Chain Candidate Models and Rejection Matrix — 2026-06-21

Macro: RS5B · Deliverable: 03 of 9 · design-only (selects no model for execution; mints nothing). Input: the bootstrap circularity ([[02-g2-owner-of-record-bootstrap-problem-statement]]) and the reconstructed state ([[01-source-register-and-current-state-reconstruction]]). Rule: a model is ALLOWED only if it is non-circular, non-mutating in RS5B, fail-closed, identity-bound, and free of implicit inheritance. Otherwise REJECTED or HOLD.

1. Candidate models compared

Model A — Owner directly minted by the current operator

| facet | assessment |
|---|---|
| classification | REJECTED |
| reason | the operator/caller is never an authority (RS5A-03 §2: OPERATOR_NOT_OWNER, CALLER_SELF_ASSERTED_OWNER_REJECTED); Điều 32 §2.1 forbids manual SQL/curl mint |
| failure mode | self-mint = fail-open authority; whoever runs the registrar becomes "owner" — exactly the spoof RS5A-09 A01/A08 defeat |
| required evidence to ever allow | none can rescue it; operator authority is categorically excluded |
| LEGO boundary | violates separation of duties (operator = authority) |

Model B — Owner minted by GOV-DOT alone

| facet | assessment |
|---|---|
| classification | REJECTED (as a source of authority) — GOV-DOT may be the subject (candidate accountable head), never the minting authority of its own binding |
| reason | GOV-DOT is a governance object/system (LIVE L5: gov_type='system', active), not a promulgating principal; letting the to-be-owned head authorize its own ownership row is the circularity of [[02-g2-owner-of-record-bootstrap-problem-statement]] §2 (self-authorizing first owner) |
| failure mode | self-authorization → no independent authority chain; also single-head concentration (registration+admission+audit on one head) — the C05/I06 fail-open class |
| required evidence to ever allow | GOV-DOT can be named as candidate head in a founding act, but the authority to bind it must come from outside (Chairman/Constitution), with an explicit assign_governance_owner path that is implemented and owner-authorized |
| LEGO boundary | acceptable only as subject under Option B split; never as the authority source |

Model C — Owner minted by GOV-COUNCIL approval alone

| facet | assessment |
|---|---|
| classification | REJECTED |
| reason | approval authority ≠ registration ownership. DOT_APPROVAL_QUORUM_AUTHORITY → DOT_REGISTRATION_AUTHORITY is a forbidden implicit inheritance (PATCH1-04 §2, PATCH2-03 §3.8). Worse, the approval itself cannot be validly formed today: DOT_APPROVAL_QUORUM_AUTHORITY is REQUIRED_NOT_PRESENT (F6) and the canonical-principal surface is absent (F7), so quorum identity is unverifiable; using the broad live approval scope as registration authority is SCOPE_DRIFT / FAIL_OPEN |
| failure mode | council approval silently treated as registration authority → broad-approval inheritance; spoofable quorum (president via ILIKE '%president%') |
| required evidence to ever allow | council can approve a founding act (as a check), but the ownership-granting authority must be the Chairman/Constitution, and even that approval requires the canonical-principal + quorum-authority surfaces to exist and pass first |
| LEGO boundary | council = approval LEGO only; binding it to registration ownership builds a mega-scope |

Model D — Owner minted by a founding/bootstrap authorization packet with explicit owner-designation scope

| facet | assessment |
|---|---|
| classification | PREFERRED — for design (P1) only; execution deferred to a separately-authorized later lane (P2+) |
| reason | breaks the circularity legitimately: the authority derives from promulgated law (Constitution v4.6.3) + the Chairman ([[02-g2-owner-of-record-bootstrap-problem-statement]] §4), i.e. from above the empty substrate, not from inside it; "AI proposes, does not self-promulgate" is honored (the AI authors the design; the Chairman authorizes the act) |
| failure mode (guarded) | if mis-executed it could still self-mint — so RS5B keeps it non-mutating, gates execution behind the RS5B-05 authorization packet, requires read-only preflight, audit, and rollback, and forbids implicit inheritance |
| required evidence (before any future write) | the full RS5B-05 packet: founding-act reference, exact scope, candidate owner, object, effect/authorization intent, approval/quorum binding if used with canonical-principal resolution, rollback plan, read-only preflight, explicit final Chairman authorization |
| LEGO boundary | one founding act → one (or a split set of) explicit ownership row(s); each scope born/tested/changed/rolled-back separately; MUST_NOT_IMPLICIT_INHERIT |

Model E — Deferred no-owner state / HOLD until an authority path is created

| facet | assessment |
|---|---|
| classification | ALLOWED — and is the active runtime posture now |
| reason | with no legitimate runtime path yet, the only safe runtime state is the default fail-closed HOLD (no owner ⇒ no register_dot); this is the status quo RS5A established and RS5B does not weaken it |
| failure mode | none (it is the safe state); risk is only stagnation if D's design is never authorized |
| required evidence | none to remain in E; exiting E requires D's design + a separately-authorized execution |
| LEGO boundary | n/a (no binding created) |

2. Rejection matrix (one screen)

| model | verdict | breaks circularity? | non-mutating in RS5B? | identity-bound? | no implicit inherit? | primary reject/marker |
|---|---|---|---|---|---|---|
| A operator self-mint | REJECTED | no | n/a | no | no | OPERATOR_NOT_OWNER / CALLER_SELF_ASSERTED_OWNER_REJECTED |
| B GOV-DOT self-mint | REJECTED (subject-only) | no (self-auth) | n/a | partial | no | self-authorizing first owner |
| C GOV-COUNCIL approval-as-authority | REJECTED | no | n/a | no (F7) | no (forbidden inherit) | MUST_NOT_IMPLICIT_INHERIT / SCOPE_DRIFT |
| D founding act (Constitution + Chairman) | PREFERRED (design only) | yes (authority from above) | yes | yes (when packet complete) | yes | execution gated by RS5B-05 |
| E deferred no-owner HOLD | ALLOWED (current posture) | n/a | yes | n/a | n/a | BOOTSTRAP_AUTHORITY_UNRESOLVED (safe) |

3. Chosen design posture (combination, not a single mutate-now pick)

RS5B adopts D-as-design on top of E-as-runtime-posture:

  1. Stay in Model E at runtime now — no owner minted; REGISTRATION_HOLD retained; default fail-closed.
  2. Design Model D as the legitimate future exit — the founding-act path whose authority is the Constitution + Chairman, specified non-mutatingly in [[04-preferred-non-mutating-execution-design-runbook]], with execution gated by the [[05-authorization-packet-requirements-before-any-write]] packet.
  3. Never use B or C as the authority source — GOV-DOT may be a candidate subject and GOV-COUNCIL a check, but neither originates ownership authority; A is categorically excluded.

This is exactly the PATCH1-03 §4 instruction ("design only … a constitutional/founding authority could create the first capability/head, with audit, rollback, dry-run, then present a Codex/Owner authorization packet"), made concrete.
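
The posture above (E at runtime, D as the only exit, A/B/C never an authority source) written as a fail-closed gate. This is an added example, not RS5B or project code: the packet field names, the `CONSTITUTION+CHAIRMAN` label, the `lane` parameter and the markers commented `(hypothetical)` are assumptions, while the other markers are taken from this page.

```python
# Added illustration, not project code. Field names, "CONSTITUTION+CHAIRMAN"
# and markers tagged (hypothetical) are assumptions; the rest are page markers.
REQUIRED = ("founding_act_ref", "scope", "candidate_owner", "object_id",
            "intent", "rollback_plan", "preflight_read_only",
            "chairman_authorization")
HOLD = "BOOTSTRAP_AUTHORITY_UNRESOLVED"  # Model E: the default, safe answer


def evaluate(packet, caller, lane="RS5B", canonical_principals=None):
    """Return (may_write, marker). Every path except the last one denies."""
    source = (packet or {}).get("authority_source")
    if source is None:
        return False, HOLD  # no packet or no named authority: stay in Model E
    # Model A: the operator or caller can never be the authority.
    if source == caller:
        return False, "CALLER_SELF_ASSERTED_OWNER_REJECTED"
    # Model B: the candidate head cannot authorize its own binding.
    if source == packet.get("candidate_owner"):
        return False, "SELF_AUTHORIZING_FIRST_OWNER"  # (hypothetical)
    # Model C: approval authority must not become registration authority.
    if source == "DOT_APPROVAL_QUORUM_AUTHORITY":
        return False, "MUST_NOT_IMPLICIT_INHERIT"
    # Model D: only the founding authority is accepted, and only by name.
    if source != "CONSTITUTION+CHAIRMAN":
        return False, HOLD
    missing = [k for k in REQUIRED if not packet.get(k)]
    if missing:
        return False, "PACKET_INCOMPLETE:" + ",".join(missing)  # (hypothetical)
    # A quorum used as a check must resolve to exact canonical-principal IDs;
    # with no canonical surface (None) every quorum is unverifiable.
    quorum = packet.get("quorum", [])
    if quorum and (canonical_principals is None
                   or not set(quorum) <= canonical_principals):
        return False, "QUORUM_IDENTITY_UNVERIFIABLE"  # (hypothetical)
    # RS5B is design-only: a complete packet still does not permit a write.
    if lane != "P2+":
        return False, "REGISTRATION_HOLD"
    return True, "FOUNDING_ACT_AUTHORIZED"  # (hypothetical)


def sample_packet(**overrides):
    """Constructed packet for the checks; every value is a placeholder."""
    base = {k: "placeholder" for k in REQUIRED}
    base.update(authority_source="CONSTITUTION+CHAIRMAN",
                candidate_owner="GOV-DOT")
    base.update(overrides)
    return base
```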

4. Models requiring runtime mutation are pushed to a later lane

Per RS5B §5: any model that needs a runtime mutation to even be tested (D's execution, B/C if ever salvaged as subject/check) is moved to the separately-authorized execution lane (P2+ of PATCH1-02). RS5B's deliverable is the design and the gate, never the write.

5. Status

CANDIDATE_MODELS_COMPARED — five models classified; A/C rejected outright, B rejected as authority-source (subject-only), D preferred for design-only, E the safe runtime posture. Broad/implicit/self-mint authority is rejected; the only ALLOWED/PREFERRED paths are fail-closed and non-mutating in RS5B. No model is executed.
