KB-16ED

RS5B-04 — Preferred Non-Mutating Execution-Design Runbook — 2026-06-21



Macro: RS5B · Deliverable: 04 of 9 · design-only runbook (describes a future path; executes nothing). Model: D (founding act under Constitution + Chairman) layered on E (runtime HOLD) — [[03-authority-chain-candidate-models-and-rejection-matrix]]. Boundary reminder: every step below is a design statement. RS5B performs none of them. Steps marked [GATE] require the [[05-authorization-packet-requirements-before-any-write]] packet and explicit Chairman authorization before they may ever run in a later, separately-authorized lane.

1. Where this sits in the 4-phase graph (PATCH1-02, carried)

P0  done        RS4A/PATCH·, RS5A/PATCH1–4 accepted, RS5B authored        ← we are completing P0→P1 here
P1  RS5B        design-only: this runbook + authorization packet           ← NON-MUTATING
P2  [GATE]      authorized carrier/policy build (replace-not-wrap)         ← needs separate authorization
P3  [GATE]      real register_dot admission (inert draft) under bound owner ← needs a later independent gate

RS5B is entirely inside P1. Nothing here crosses into P2/P3.

2. The founding-act runbook (design specification, not execution)

Each row is a future step with its mutation class, its authority source and its rollback; the read-only preflight that must PASS before any W-step is authorized is specified in §3. R-steps are read-only and may inform RS5B; W-steps are writes and are all [GATE] (never done by RS5B).

| step | class | description | authority source | rollback |
|---|---|---|---|---|
| R1 | read-only | re-derive LIVE state (ownership=0; scopes; action types; approval columns; registry heads) — the [[01-source-register-and-current-state-reconstruction]] §2 queries; optionally re-run pg_get_functiondef to clear the F5 flag | none (read-only) | n/a |
| R2 | read-only | confirm the REQUIRED_NOT_PRESENT set still holds (no registration scope, no register_dot, no DOT_APPROVAL_QUORUM_AUTHORITY, no canonical-principal surface) | none | n/a |
| R3 | read-only | assemble the founding-act authorization packet (RS5B-05) as a document, including the candidate owner set (Option B: registration/admission→GOV-DOT, integrity/head-uniqueness/audit→GOV-SIV, approval/quorum→GOV-COUNCIL) | none | n/a |
| W1 | [GATE] DDL/seed | author the missing scope rows (the 10-scope taxonomy, PATCH2-02) in governance_responsibility_scope, one row per scope, each an independent LEGO | Chairman founding act | DELETE/deprecate each scope row independently; per-scope |
| W2 | [GATE] DDL/handler | make the owner-mint path lawful: implement (or replace) the assign_governance_owner handler so it is no longer unimplemented, or define a one-time governed founding migration — under Article 32 (Điều 32) §7 it must pass the DB gate legitimately | Chairman founding act + Article 32 | revert handler/migration; action returns to unimplemented (fail-closed default) |
| W3 | [GATE] data/APR | create the first accountable ownership row(s) via the now-lawful path, with approval_ref/audit_ref populated; Option B = one row per scope cluster | the W2 path, authorized by Chairman | lifecycle_status='superseded' per row; isolated rollback_ref |
| W4 | [GATE] data/seed | author the register_dot action (high) + the carrier/policy surfaces (hash, U3, status-domain, replay, audit, approval-binding) — each a separate block | the bound owner of each scope | retire action; drop each carrier independently |

Critical sequencing (carried, unchanged): W4's replay surface and failure-audit sink are hard pre-runtime prerequisites (PATCH2-02) — they must EXIST and PASS before any real register_dot (P3), and may never be introduced after runtime registration. Activation (DOT_ACTIVATION_AUTHORITY) is the only post-registration-capable scope.

3. Read-only preflight design (the only part RS5B may model concretely)

The future founding act must begin with a read-only preflight whose PASS is necessary (not sufficient) before any W-step is authorized:

| preflight check | expected | fail action |
|---|---|---|
| governance_object_ownership = 0 (no head already bound for the target scope) | true (else this is not a bootstrap; use the normal path) | STOP — not a founding-act case |
| target scope_code absent | true | STOP — scope already exists; re-evaluate |
| assign_governance_owner still unimplemented (or replacement not yet wired) | true | STOP — mint path state changed; re-derive |
| Chairman authorization token present in the packet | true | STOP — BOOTSTRAP_AUTHORITY_UNRESOLVED |
| canonical-principal surface present iff the founding act uses quorum as a check | consistent | STOP — CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT |

Preflight is read-only; it mutates nothing and is the design's first fail-closed barrier.
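The five checks above, evaluated fail-closed, as an added example (this is illustration code written for this page, not RS5B's or the registrar's own code). The `snapshot` dict stands for the results of the read-only state queries of [[01-source-register-and-current-state-reconstruction]] §2, which are not reproduced here; taking them inside a Postgres `SET TRANSACTION READ ONLY` transaction keeps the preflight non-mutating by construction. The `packet` dict stands for the RS5B-05 packet. All field names (`ownership_rows_for_scope`, `scope_code_present`, `chairman_authorization_token`, and so on) are assumptions for illustration, and the token value is a placeholder, not an authorization.

```python
"""Fail-closed evaluation of the section 3 read-only preflight (added example).

`snapshot` stands for the results of the read-only state queries (doc 01 section 2,
not reproduced here); `packet` stands for the RS5B-05 authorization packet.
Field names are assumptions for illustration. A missing or unknown value is
always a STOP, never a PASS: absence of a surface is a reject.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PreflightResult:
    verdict: str            # "PASS" or "STOP"
    reason: Optional[str]   # first failing check; None on PASS


def _flag(snapshot: dict, key: str) -> Optional[bool]:
    """Boolean snapshot field, or None when absent or not a clean boolean."""
    value = snapshot.get(key)
    return value if isinstance(value, bool) else None


def preflight(snapshot: dict, packet: dict) -> PreflightResult:
    """Apply the five checks in table order; stop at the first failure."""
    # 1. governance_object_ownership has no head bound for the target scope
    bound = snapshot.get("ownership_rows_for_scope")
    if not isinstance(bound, int) or bound != 0:
        return PreflightResult("STOP", "not a founding-act case")
    # 2. target scope_code absent from governance_responsibility_scope
    if _flag(snapshot, "scope_code_present") is not False:
        return PreflightResult("STOP", "scope already exists; re-evaluate")
    # 3. assign_governance_owner still unimplemented (replacement not wired)
    if _flag(snapshot, "assign_governance_owner_unimplemented") is not True:
        return PreflightResult("STOP", "mint path state changed; re-derive")
    # 4. Chairman authorization token present in the packet
    if not packet.get("chairman_authorization_token"):
        return PreflightResult("STOP", "BOOTSTRAP_AUTHORITY_UNRESOLVED")
    # 5. canonical-principal surface present iff quorum is used as a check;
    #    any inconsistency, or unknown state on either side, is the same STOP
    uses_quorum = packet.get("uses_quorum_check")
    surface = _flag(snapshot, "canonical_principal_surface_present")
    if not isinstance(uses_quorum, bool) or surface is None or surface != uses_quorum:
        return PreflightResult("STOP", "CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT")
    return PreflightResult("PASS", None)


# Constructed inputs (not real data): what a clean bootstrap case looks like.
CLEAN_SNAPSHOT = {
    "ownership_rows_for_scope": 0,
    "scope_code_present": False,
    "assign_governance_owner_unimplemented": True,
    "canonical_principal_surface_present": False,
}
CLEAN_PACKET = {
    "chairman_authorization_token": "PLACEHOLDER-NOT-A-REAL-AUTHORIZATION",
    "uses_quorum_check": False,
}


def demo_cases() -> dict:
    """The clean case plus one deliberately failing variant per check."""
    cases = {
        "clean": (CLEAN_SNAPSHOT, CLEAN_PACKET),
        "head_bound": ({**CLEAN_SNAPSHOT, "ownership_rows_for_scope": 1}, CLEAN_PACKET),
        "scope_exists": ({**CLEAN_SNAPSHOT, "scope_code_present": True}, CLEAN_PACKET),
        "mint_path_changed": (
            {**CLEAN_SNAPSHOT, "assign_governance_owner_unimplemented": False},
            CLEAN_PACKET,
        ),
        "no_token": (CLEAN_SNAPSHOT, {**CLEAN_PACKET, "chairman_authorization_token": None}),
        "quorum_without_surface": (CLEAN_SNAPSHOT, {**CLEAN_PACKET, "uses_quorum_check": True}),
        "unknown_state": ({}, CLEAN_PACKET),   # nothing known about LIVE state: STOP
    }
    return {name: preflight(s, p) for name, (s, p) in cases.items()}


if __name__ == "__main__":
    for name, result in demo_cases().items():
        print(f"{name:24} {result.verdict:4} {result.reason or ''}")
```

The `unknown_state` case is the one worth keeping in mind: an empty snapshot (the queries did not run, or returned nothing) must land on STOP, which is why every check compares against an explicit expected value rather than testing truthiness of whatever came back.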

4. Non-mutating guarantees of this runbook

  1. RS5B runs only R-steps conceptually and writes only KB design docs. No W-step is performed. No scope row, ownership row, action, APR, approval, principal registry, or handler is created.
  2. Every W-step is [GATE] behind the RS5B-05 packet + explicit Chairman authorization + a later independent gate (P2/P3). Acceptance of this runbook by GPT/Codex is not that authorization (G2_EXECUTION_REQUIRES_SEPARATE_AUTHORIZATION).
  3. Replace-not-wrap is preserved: W2/W4 build the DOT_REGISTER_GOVERNED_REPLACEMENT identity (PATCH1-05); they never wrap/relabel/reuse the unsafe dot-dot-register mass-scan real-run path.
  4. Default fail-closed: if any preflight or gate is missing/failing, the system stays in Model E (no owner ⇒ no register_dot). The absence of a surface is a reject, never a pass.

5. Rollback philosophy (per-block, designed up front)

Each future write is independently reversible (LEGO, RS5A-11):

  • scope rows: per-row delete/deprecate;
  • ownership rows: per-row lifecycle_status='superseded' with isolated rollback_ref;
  • handler/migration (W2): revert → action returns to unimplemented (fail-closed);
  • register_dot + carriers (W4): retire/drop per block.

No write is allowed without its rollback defined in the packet (RS5B-05 item 9). A W-step "execution-ready" claim is invalid unless its rollback is specified — see the BI07 probe ([[06-fail-closed-adversarial-self-check-and-bad-inputs]]).
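A lint over a planned W-step list, as an added example serving both the critical-sequencing rule of §2 (replay surface and failure-audit sink exist and PASS before register_dot admission; only activation may follow registration) and the §5 rule that no write is execution-ready without a defined rollback. This is illustration code written for this page, not the project's packet format; the `PlannedWrite` fields, the block labels (`carrier:replay`, `admission:register_dot`, and so on) and both sample plans are constructed assumptions.

```python
"""Plan lint for the W-steps (added example): each write must carry [GATE], an
authority source and a rollback, and the ordering must respect the pre-runtime
prerequisites. Block labels and fields are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PlannedWrite:
    step: str             # runbook step, e.g. "W4"
    block: str            # independent LEGO block, e.g. "carrier:replay"
    authority: str        # authority source named in the packet; "" = missing
    rollback: str         # rollback defined in the packet; "" = missing
    gated: bool = True    # carries the [GATE] marker
    passed: bool = False  # packet records this surface's check as PASS


ADMISSION = "admission:register_dot"
PRE_RUNTIME_SURFACES = {"carrier:replay", "carrier:failure-audit"}
POST_REGISTRATION_OK = {"scope:DOT_ACTIVATION_AUTHORITY"}


def lint_plan(plan: List[PlannedWrite]) -> List[str]:
    """Return every violation; an empty list is the only execution-ready verdict."""
    problems = []
    for w in plan:
        if not w.gated:
            problems.append(f"{w.step} {w.block}: not marked [GATE]")
        if not w.authority:
            problems.append(f"{w.step} {w.block}: authority source missing")
        if not w.rollback:
            problems.append(f"{w.step} {w.block}: rollback undefined")
    order = [w.block for w in plan]
    if ADMISSION in order:
        idx = order.index(ADMISSION)
        before = {w.block: w for w in plan[:idx]}
        for surface in sorted(PRE_RUNTIME_SURFACES):
            if surface not in before:
                problems.append(f"{surface} must exist before {ADMISSION}")
            elif not before[surface].passed:
                problems.append(f"{surface} must PASS before {ADMISSION}")
        for w in plan[idx + 1:]:
            if w.block not in POST_REGISTRATION_OK:
                problems.append(f"{w.block} introduced after runtime registration")
    return problems


# Constructed plans (not the page's packet). Carriers precede the P3 admission.
GOOD_PLAN = [
    PlannedWrite("W1", "scope:registration", "Chairman founding act", "deprecate scope row"),
    PlannedWrite("W2", "handler:assign_governance_owner", "Chairman founding act + Article 32",
                 "revert handler; action returns to unimplemented"),
    PlannedWrite("W3", "ownership:registration", "W2 path, Chairman-authorized",
                 "lifecycle_status='superseded'; rollback_ref"),
    PlannedWrite("W4", "carrier:replay", "bound owner", "drop carrier", passed=True),
    PlannedWrite("W4", "carrier:failure-audit", "bound owner", "drop carrier", passed=True),
    PlannedWrite("P3", ADMISSION, "bound owner", "retire action"),
    PlannedWrite("P3", "scope:DOT_ACTIVATION_AUTHORITY", "bound owner", "deprecate scope row"),
]
BAD_PLAN = [
    PlannedWrite("W1", "scope:registration", "Chairman founding act", ""),              # no rollback
    PlannedWrite("W4", "carrier:replay", "bound owner", "drop carrier", passed=False),  # not yet PASS
    PlannedWrite("P3", ADMISSION, "bound owner", "retire action"),
    PlannedWrite("W4", "carrier:failure-audit", "bound owner", "drop carrier", passed=True),  # too late
]


if __name__ == "__main__":
    print("good:", lint_plan(GOOD_PLAN) or "execution-ready")
    for p in lint_plan(BAD_PLAN):
        print("bad: ", p)
```

The lint reports every violation rather than stopping at the first, so the packet author sees the full set of missing rollbacks and ordering faults in one pass; the gate itself still treats any non-empty result as a reject.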

6. What this runbook deliberately does NOT do

  • does not select the final owner (Chairman decides; Option B is a recommendation);
  • does not author any scope/action/handler/row;
  • does not implement assign_governance_owner;
  • does not open RS-VALIDATOR or patch the registrar/validator;
  • does not clear REGISTRATION_HOLD or assert REGISTRATION_CAN_PROCEED.

7. Status

PREFERRED_DESIGN_IS_NON_MUTATING — the founding-act path is specified as a read-only-preflight-first, per-block, rollback-defined, [GATE]-guarded runbook whose only RS5B-executed steps are KB writes. Every mutation is deferred to a separately-authorized P2/P3 lane under Chairman authority. Model E remains the runtime posture; REGISTRATION_HOLD retained.

knowledge/dev/laws-new/reports/rs5b/04-preferred-non-mutating-execution-design-runbook-2026-06-21.md