KB-9957

04 — Authenticated Approver Substrate Proof + Independent-Seat Provisioning

Revision 1

This is the binding file. It proves why the substrate cannot be made real in this session, specifies what a real substrate is, and gives the exact out-of-band procedure to provision 3 independent seats before any future bootstrap consumption.

1. What "authenticated" must mean

A substrate is real authentication only if each seat's secret is held by, and only by, that seat's genuine principal. The tool must verify secret(caller) → seat, and seat == --approver, before writing. A --approver free-text flag with no secret is just a fakeable insert (the current state).

2. Live evidence — no authenticated substrate exists

| probe | result |
|---|---|
| qt001_authority_identity_registry columns | identity_key, identity_class, reviewer_type, authority_lock, evidence_path, active, created_at; no credential/token/hash column |
| its rows | 1: STAGE2.6A-FIX2-MACHINE-POLICY (APPROVER, lock=true), not president/council |
| directus_users president seat | none (only owner nmhuyen@gmail.com) |
| directus_users ai_council seats | none; AI agent logins (gemini, chatgpt, …) are suspended, operator-controlled |
| apr_approvals historical approvers | all free-text (president, gemini, gpt, ai_council_1/2, …), 0 credential binding |
| quorum match rule | approver ILIKE '%president%' / approver_type='ai_council', a string test, trivially fakeable |

Conclusion: identity today is an unverified string; there is no per-seat credential anywhere.

3. Why it cannot be made real in this session (the HOLD reason)

Only one principal is present this turn: the operator (root/SSH/GCP-owner). To "create" a substrate now I would generate three seat secrets — but the operator would then hold all three. So:

authenticated-as-president  = operator
authenticated-as-council_1  = operator
authenticated-as-council_2  = operator

Three seats collapse to one principal. That is precisely the quorum-fabrication wall ("capability ≠ authority"), now at the credential layer — forbidden by the hard locks ("Do not fabricate president/council votes; do not treat root/SYNC_SECRET/GCP-owner as quorum"). The dot-manage addendum §3 independently forbids standing seats up via "manual registry insertion / using Secret Manager to bypass DOT". Therefore: APR_APPROVAL_BOOTSTRAP_HOLD_NO_AUTHENTICATED_APPROVER_SUBSTRATE — the only honest state, and the one the owner confirmed.

4. Target substrate spec (to build later, once seats are real)

Reuse-first: extend qt001_authority_identity_registry (do not duplicate it) or add a sibling apr_approver_seat table — governed via DOT, never manual:

seat_key        text   -- 'president' | 'ai_council_1' | 'ai_council_2'  (or richer keys)
approver_type   text   -- 'human' | 'ai_council'   (CHECK)
secret_hash     text   -- argon2/bcrypt/scrypt hash of the seat secret  (NEVER the secret; NEVER a reversible ref alone)
secret_ref      text   -- OPTIONAL pointer to Secret Manager entry (reference only)
active          boolean
rotated_at      timestamptz
created_at      timestamptz
-- UNIQUE(seat_key); index on approver_type

dot-apr-approve G3 then: read caller secret from env (never argv), hash it, look up the matching seat_key, require active=true and seat_key == --approver and matching approver_type. Token value never printed; audit stores seat_key + auth-result, never the secret.
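The G3 gate above, worked through as an added example (this is not the dot-apr-approve tool's own code, and the env var name APR_SEAT_SECRET, the in-memory registry, the scrypt parameters and the demo secrets are all constructed here). It stores only a per-seat scrypt hash plus salt (scrypt being one of the three KDFs the spec allows), derives secret(caller) → seat, then requires active=true, seat_key == --approver and a matching approver_type, and returns an audit record that carries seat keys and the auth result but never the secret. The legacy_quorum_match function is included only to show why the current ILIKE '%president%' rule is a pure string test.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Mapping, Optional

# Hypothetical in-memory stand-in for the apr_approver_seat table sketched in section 4.
# Only the scrypt hash and its salt are kept; the seat secret itself is never stored.
@dataclass(frozen=True)
class Seat:
    seat_key: str        # 'president' | 'ai_council_1' | 'ai_council_2'
    approver_type: str   # 'human' | 'ai_council'
    salt: bytes
    secret_hash: bytes
    active: bool = True

# Constructed scrypt parameters (about 16 MiB of memory); a real deployment would tune these.
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)

def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt, **SCRYPT)

def register_seat(seat_key: str, approver_type: str, secret: str, active: bool = True) -> Seat:
    """What a governed DOT path would persist: hash + salt, never the cleartext."""
    salt = secrets.token_bytes(16)
    return Seat(seat_key, approver_type, salt, hash_secret(secret, salt), active)

def legacy_quorum_match(approver: str) -> bool:
    """The current state: approver ILIKE '%president%' is a pure string test."""
    return "president" in approver.lower()

def authenticate(env: Mapping[str, str], approver_flag: str, approver_type_flag: str,
                 registry: Mapping[str, Seat]) -> Dict[str, str]:
    """G3 gate: secret from env (never argv) -> hash -> seat; then require active,
    seat_key == --approver and matching approver_type.
    Returns only the audit record: seat keys and auth result, never the secret."""
    audit = {"claimed_seat": approver_flag, "matched_seat": "", "auth_result": "deny", "reason": ""}
    secret = env.get("APR_SEAT_SECRET")   # hypothetical env var name
    if not secret:
        audit["reason"] = "no secret in environment"
        return audit
    matched: Optional[Seat] = None
    for seat in registry.values():
        # Per-seat salt means one hash per seat; constant-time compare on the digest.
        if hmac.compare_digest(hash_secret(secret, seat.salt), seat.secret_hash):
            matched = seat
            break
    if matched is None:
        audit["reason"] = "secret matches no registered seat"
        return audit
    audit["matched_seat"] = matched.seat_key
    if not matched.active:
        audit["reason"] = "seat inactive"
    elif matched.seat_key != approver_flag:
        audit["reason"] = "secret(caller) -> seat does not equal --approver"
    elif matched.approver_type != approver_type_flag:
        audit["reason"] = "approver_type mismatch"
    else:
        audit["auth_result"] = "allow"
    return audit

def build_sample_registry() -> Dict[str, Seat]:
    """Constructed sample seats; the secrets below exist only for this demo."""
    seats = [
        register_seat("president", "human", "president-demo-secret"),
        register_seat("ai_council_1", "ai_council", "council1-demo-secret"),
        register_seat("ai_council_2", "ai_council", "council2-demo-secret", active=False),
    ]
    return {s.seat_key: s for s in seats}

if __name__ == "__main__":
    reg = build_sample_registry()
    print(authenticate({"APR_SEAT_SECRET": "president-demo-secret"}, "president", "human", reg))
    print(authenticate({"APR_SEAT_SECRET": "council1-demo-secret"}, "president", "human", reg))
    print(legacy_quorum_match("totally-not-the-president"))  # True: the string rule accepts it
```

The seat is derived from the secret first and only then compared with --approver, so a caller holding council_1's secret cannot approve as president even with the right flag; the audit record names both the claimed and the matched seat, which is what a reviewer needs, without ever containing the secret.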

5. Independent-seat provisioning — OUT-OF-BAND, NOT THIS SESSION (owner asked for this explicitly)

The defining rule: no single party may generate or hold more than one seat's secret. Recommended procedure:

SEAT 1 — president (human):
  • The real human president (sovereign) chooses/sets their OWN secret on their OWN device.
  • Only the argon2 hash is registered (via a governed DOT, in a future warranted session); the cleartext
    never leaves the president and is never seen by the operator/agent.

SEAT 2 — ai_council_1 (independent):
  • A DISTINCT operator/custodian (not the president, not the bootstrap operator) provisions this seat's secret.
  • If a model identity (e.g. Gemini council seat), its secret is held by that seat's independent custodian.

SEAT 3 — ai_council_2 (independent):
  • A THIRD distinct custodian provisions this seat's secret. Must not equal seat 1 or seat 2's holder.

INTEGRITY CHECKS before consuming the warrant:
  • 3 distinct secret-holders (separation-of-duties attestation, logged).
  • Each secret set/rotated by its own holder; bootstrap operator demonstrably never held cleartext.
  • Hashes registered through a governed DOT path with ledger + KB readback (not manual SQL/Directus).
  • Optional: distribute secrets via Secret Manager entries owned by distinct principals (reference-only in DB).
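The integrity checks above, and the section 3 collapse they are meant to catch, as an added example (not the project's own tooling; the SeatAttestation record shape, the principal labels and the "dot"/"manual_sql" registration tags are constructed here). integrity_check returns the list of separation-of-duties violations for a set of seat attestations: three distinct holders, each seat set by its own holder, the bootstrap operator never holding cleartext, and registration only through a governed DOT path. An empty list is the only state in which the warrant should be consumed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence

# Constructed label for the single principal present this session (root/SSH/GCP-owner).
BOOTSTRAP_OPERATOR = "bootstrap-operator"

@dataclass(frozen=True)
class SeatAttestation:
    """One seat's separation-of-duties attestation (hypothetical record shape)."""
    seat_key: str
    holder: str                        # principal who generated and holds the cleartext
    set_by: str                        # principal who performed the set/rotate
    cleartext_seen_by: FrozenSet[str]  # every principal attested to have seen the cleartext
    registered_via: str                # 'dot' | 'manual_sql' | 'directus'

def integrity_check(seats: Sequence[SeatAttestation],
                    bootstrap_operator: str = BOOTSTRAP_OPERATOR,
                    required_seats: int = 3) -> List[str]:
    """Applies section 5's integrity checks; an empty list means the warrant may be consumed."""
    violations: List[str] = []
    if len(seats) < required_seats:
        violations.append(f"only {len(seats)} seats attested, {required_seats} required")
    holders = [s.holder for s in seats]
    shared = sorted({h for h in holders if holders.count(h) > 1})
    if shared:
        # Section 3's wall: several seats collapsing to one principal.
        violations.append("seats collapse to a shared holder: " + ", ".join(shared))
    for s in seats:
        if s.set_by != s.holder:
            violations.append(f"{s.seat_key}: set by {s.set_by}, not by its holder {s.holder}")
        if s.holder == bootstrap_operator or bootstrap_operator in s.cleartext_seen_by:
            violations.append(f"{s.seat_key}: bootstrap operator held cleartext")
        leaked = s.cleartext_seen_by - {s.holder}
        if leaked:
            violations.append(f"{s.seat_key}: cleartext seen by non-holder(s) {sorted(leaked)}")
        if s.registered_via != "dot":
            violations.append(f"{s.seat_key}: registered via {s.registered_via}, not a governed DOT path")
    return violations

def collapsed_seats() -> List[SeatAttestation]:
    """Section 3's scenario: all three secrets generated by the one present principal."""
    op = BOOTSTRAP_OPERATOR
    return [SeatAttestation(k, op, op, frozenset({op}), "manual_sql")
            for k in ("president", "ai_council_1", "ai_council_2")]

def independent_seats() -> List[SeatAttestation]:
    """Section 5's target: three distinct custodians, each setting their own secret via DOT."""
    return [
        SeatAttestation("president", "human-president", "human-president",
                        frozenset({"human-president"}), "dot"),
        SeatAttestation("ai_council_1", "custodian-a", "custodian-a",
                        frozenset({"custodian-a"}), "dot"),
        SeatAttestation("ai_council_2", "custodian-b", "custodian-b",
                        frozenset({"custodian-b"}), "dot"),
    ]

if __name__ == "__main__":
    for name, seats in (("collapsed", collapsed_seats()), ("independent", independent_seats())):
        print(name, integrity_check(seats) or "OK: warrant may be consumed")
```

Note that the check is only as good as the attestations fed to it: it verifies the recorded custody facts are mutually consistent and exclude the bootstrap operator, which is why the spec requires those facts to be logged through a governed path rather than asserted by the operator.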

Only after this exists is a real quorum_passed=true reachable without fabrication.

6. Honest caveat on "Deploy now" (the path NOT taken)

Even the rejected "deploy mechanism now" option could not have produced real authentication — it would have seeded all three secrets from one operator, exactly the collapse above. The owner correctly declined it. Building the mechanism is cheap; the value is entirely in the independent secret custody, which is an out-of-band, multi-party act — not an agent deliverable.

Source: knowledge/dev/laws-new/reports/sovereign-bootstrap-dot-apr-approve/04-authenticated-approver-substrate-proof.md