KB-7C94

RS-TKT-0A · 04 TKT Checker Block Catalog (draft)

Revision 1

Lane: RS-TKT-0A · Date: 2026-06-21 · Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations (KB writes only) · Authority: NON_AUTHORITY · may_gate=false · decision_effect=NONE · draft block contracts, design-only

Each block is a LEGO brick: it can be born, tested, changed, and rolled back separately, and composes only through the shared output schema. None of these blocks is implemented in this lane; this is a contract catalog for review.


0. Shared output schema (every block emits one record per check)

{
  "checker_id": "TKT-RS-QUORUM-001",
  "target": "knowledge/dev/laws-new/reports/<stage>/<file>.md",
  "status": "PASS|FAIL|HOLD",
  "severity": "BLOCKER|HIGH|MEDIUM|INFO",
  "expected": "the rule, stated machine-checkably",
  "found": "what was actually observed",
  "evidence": ["path#line", "count=…", "sha256:…", "quoted line"],
  "recommended_fix": "the repair hint",
  "out_of_scope": "what this checker explicitly does NOT assert"
}

Global invariants (carried from the old base pack):

  • Detector-correctness rule: a PASS/seal/cert token counts as emitted only when the producing process exits 0. (Prevents *_REJECTED substring false-positives.)
  • Authority firewall: no block may emit a seal, clear REGISTRATION_HOLD, set CAN_PROCEED=YES, or create Owner/scope/APR/register_dot. A block that is asked to do so returns FAIL/HOLD.
  • Fail-closed default: absent/ambiguous input → HOLD (not PASS). HOLD ≠ PASS and ≠ silent skip.

Severity mapping (from P6, reused): BLOCKER = packet not review-ready; HIGH = must-fix before Codex; MEDIUM = should-fix; INFO = monitoring.


A. Base blocks (L0–L3)

TKT-L0-FILE

  • component_id / checker_id: TKT-L0-FILE (checks TKT-L0-FILE-001..003).
  • purpose / scope: prove every load-bearing file exists at its declared path and hash-matches; no missing, no unlisted governed file.
  • input contract (input docs): a packet dir + its HASH_MANIFEST.txt (or .sha256) + packet_tree.sha256.
  • rule: (001) tree-pin: sha256(HASH_MANIFEST) == packet_tree.sha256; (002) forward hash recompute per manifest line; (003) forward existence: every listed file is actually present, and no governed file is unlisted.
  • expected evidence: per-file {path, sha256, present:true}; tree-pin equality.
  • bad input: a manifest line for an absent file → must FAIL (not PASS).
  • output: shared schema; failure code L0_FILE_MISSING | L0_HASH_MISMATCH | L0_TREE_PIN_MISMATCH | L0_UNLISTED_GOVERNED_FILE.
  • severity: BLOCKER.
  • repair hint: add/restore the file or fix the manifest; recompute tree-pin.
  • dependencies: none.
  • out-of-scope: file meaning; only bytes/presence.
  • birth/test/change/rollback: born from the manifest policy; tested by a tamper fixture (delete one listed file → expect FAIL); change = manifest schema only; rollback = discard result (read-only, nothing to undo).
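As an added example (not code from the catalog or the lane, which implements none of these blocks), a minimal TKT-L0-FILE block that emits one shared-schema record per check, returns HOLD on absent or ambiguous input, and runs the tamper fixture named in the birth/test line. The manifest line format "<sha256>  <relative path>", the flat fixture layout, and the omission of the unlisted-governed-file half of 003 (the catalog does not define the governed set here) are assumptions.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def rec(cid, target, status, expected, found, evidence, fix):  # one shared-schema record (BLOCKER block)
    return {"checker_id": cid, "target": target, "status": status, "severity": "BLOCKER", "expected": expected,
            "found": found, "evidence": evidence, "recommended_fix": fix, "out_of_scope": "file meaning; only bytes/presence"}

def check_l0_file(packet_dir):
    """TKT-L0-FILE-001..003 over one packet dir: one record per check, read-only."""
    manifest = os.path.join(packet_dir, "HASH_MANIFEST.txt")
    pin = os.path.join(packet_dir, "packet_tree.sha256")
    if not (os.path.isfile(manifest) and os.path.isfile(pin)):  # fail-closed: absent input is HOLD, not PASS
        return [rec("TKT-L0-FILE-001", packet_dir, "HOLD", "manifest and tree-pin present",
                    "manifest or tree-pin absent", [], "restore HASH_MANIFEST.txt and packet_tree.sha256")]
    pinned, actual = open(pin).read().strip(), sha256_file(manifest)  # (001) tree-pin
    recs = [rec("TKT-L0-FILE-001", pin, "PASS" if actual == pinned else "FAIL", "sha256(HASH_MANIFEST) == packet_tree.sha256",
                "sha256:" + actual, ["sha256:" + pinned], "recompute the tree-pin")]
    for n, line in enumerate(open(manifest), 1):
        parts, ev = line.split(None, 1), [f"{manifest}#{n}"]  # assumed line format: "<sha256>  <relative path>"
        if len(parts) != 2:  # ambiguous line: HOLD, never PASS and never a silent skip
            recs.append(rec("TKT-L0-FILE-002", ev[0], "HOLD", "<sha256>  <path>", line.strip(), ev, "fix the manifest line"))
            continue
        want, path = parts[0], os.path.join(packet_dir, parts[1].strip())
        if not os.path.isfile(path):  # (003) forward existence
            recs.append(rec("TKT-L0-FILE-003", path, "FAIL", "listed file present", "L0_FILE_MISSING", ev,
                            "add/restore the file or fix the manifest"))
            continue
        got = sha256_file(path)  # (002) forward hash recompute, per manifest line
        recs.append(rec("TKT-L0-FILE-002", path, "PASS" if got == want else "FAIL", "sha256:" + want,
                        "sha256:" + got, ev, "fix the manifest or restore the file"))
    return recs

def make_fixture(files):  # constructed packet in a temp dir: flat text files plus matching manifest and tree-pin
    d, files = tempfile.mkdtemp(), dict(files)
    files["HASH_MANIFEST.txt"] = "".join(f"{hashlib.sha256(v.encode()).hexdigest()}  {k}\n" for k, v in files.items())
    files["packet_tree.sha256"] = hashlib.sha256(files["HASH_MANIFEST.txt"].encode()).hexdigest() + "\n"
    for rel, text in files.items():
        with open(os.path.join(d, rel), "wb") as f:
            f.write(text.encode())
    return d

def tamper_fixture():  # the catalog's birth test: delete one listed file -> FAIL; remove the manifest -> HOLD
    d = make_fixture({"01-index.md": "index", "02-decision-packet.md": "decision"})
    clean = [r["status"] for r in check_l0_file(d)]
    os.remove(os.path.join(d, "02-decision-packet.md"))
    tampered = {r["checker_id"]: r["status"] for r in check_l0_file(d)}
    os.remove(os.path.join(d, "HASH_MANIFEST.txt"))
    return clean, tampered, check_l0_file(d)[0]["status"]
```

The block never writes into the packet it checks; rollback is discarding the returned records and the temp fixture.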

TKT-L1-PACKET

  • scope: packet reconstructs from governed source and reruns deterministically to the same verdict.
  • input docs: packet + commands.sh/RERUN.sh skeleton + exit_codes.json anchor.
  • rule: clean-room reconstruct into a fresh workspace; rerun; assert the regenerated verdict anchor is byte-identical to the pinned one (byte-exact classes) / functionally equal (functional classes).
  • expected evidence: RERUN_RESULT: PASS; regenerated exit_codes.json sha256 == pinned.
  • bad input: a reconstruction whose pin ≠ published pin → FAIL ("not the same packet").
  • failure code: L1_RECONSTRUCT_DRIFT | L1_NONDETERMINISTIC.
  • severity: HIGH. dependencies: TKT-L0-FILE PASS. out-of-scope: semantic correctness of the rerun.
  • birth/test/change/rollback: born from packet_tree + RERUN skeleton; tested by running twice → same verdict; rollback = discard temp workspace (delete-fast).

TKT-L2-FAIL-CLOSED

  • scope: invalid input is rejected; no PASS/cert/digest/seal under any bad input.
  • input docs: the packet + a bad-input catalog (old P1–P10 ∪ pilot BAD-1..15, see 06).
  • rule: run each probe in a fresh mktemp-style workspace; assert any_invalid_exit0=false, any_PASS_emitted_for_invalid=false, any_SEAL_emitted_for_invalid=false; ≥1 positive control must PASS (not trivially always-fail).
  • expected evidence: probes p/p, any_fail_open=false.
  • bad input: the probes themselves are the bad input.
  • failure code: L2_FAIL_OPEN | L2_NO_POSITIVE_CONTROL.
  • severity: BLOCKER. dependencies: TKT-L0-FILE. out-of-scope: whether the valid path is semantically right.
  • birth/test/change/rollback: born from the probe policy; tested by injecting a fail-open packet → expect FAIL; change = add probe classes; rollback = discard.

TKT-L3-GOVERNANCE

  • scope: IDs (no orphan/collision; routed to one-roof, no new TKT registry), lane boundaries, authority firewall holds, NVSZ evidence has hash+pointer+regen, every report claim maps to a real file/command/exit.
  • input docs: packet + governance refs (one-roof registry refs, lane id) + NVSZ escrow records.
  • rule: authority-firewall F1–F9 (no seal under any input; filename-only seal refused); report-vs-file audit (recompute every cited hash/PASS/pointer against reality); object-ID collision (reserved ≠ committed; no orphan); NVSZ record completeness.
  • expected evidence: firewall no_seal_emitted=true; audit all_claims_recomputed=true; orphan=0, collision=0.
  • bad input: a dev fixture claiming a Codex seal → REFUSED (exit nonzero).
  • failure code: L3_AUTHORITY_CLAIM_REJECTED | L3_REPORT_CLAIM_UNVERIFIED | L3_OBJECT_ID_COLLISION | L3_ORPHAN_OBJECT | L3_NVSZ_RECORD_INCOMPLETE.
  • severity: BLOCKER (firewall) / HIGH (audit). dependencies: L0–L2. out-of-scope: semantic truth of content (L5).
  • birth/test/change/rollback: born from firewall+audit+collision+NVSZ policies; tested by a laundering attempt → expect REFUSED; rollback = discard.

B. RS profile blocks (laws-new RS packets; layered on Base)

These encode the defects Codex actually caught on the RS5A chain (see 06 for the full pre-Codex profile; this section gives the block contracts).

TKT-RS-PACKAGE

  • scope: the RS packet file-set is complete, non-empty, non-truncated, additive (no overwrite of a prior package).
  • input docs: reports/<stage>/ listing + the top-level macro-<stage> rollup.
  • rule: require index + contiguous 01..NN (last = decision-packet) + codex-review-packet in the subfolder, plus a matching macro-<stage> rollup at reports/; each file revision=1, content_length>0, truncated=false; prior-stage directories still all revision=1.
  • expected evidence: count=N, next_offset=null, truncated=false; "Does NOT overwrite …" enumeration present.
  • bad input: a missing topic file, an empty target, or a bumped revision on a prior package → FAIL.
  • failure code: RS_PKG_FILE_MISSING | RS_PKG_EMPTY_OR_TRUNCATED | RS_PKG_ROLLUP_MISSING | RS_PKG_PRIOR_OVERWRITTEN.
  • severity: BLOCKER. dependencies: TKT-L0-FILE. out-of-scope: content correctness.
  • birth/test/change/rollback: born from the packet-structure convention; tested by removing a file → FAIL; rollback = discard.

TKT-RS-GATE

  • scope: the registration-hold gate is present and correctly closed.
  • rule: every index/decision/codex-packet/rollup contains literal REGISTRATION_HOLD, literal REGISTRATION_CAN_PROCEED = NO (flag any = YES or any HOLD-clearing phrase), and 0 mutations/0 runtime mutations; no Owner/scope/APR/register_dot creation claimed; no RS-VALIDATOR/implementation/registration opened.
  • expected evidence: the three literals found in each required file.
  • bad input: a file with CAN_PROCEED = YES or "clear/lift HOLD" wording → FAIL.
  • failure code: RS_GATE_HOLD_MISSING | RS_GATE_CAN_PROCEED_OPENED | RS_GATE_MUTATION_CLAIMED | RS_GATE_OWNER_OBJECT_CREATED.
  • severity: BLOCKER. out-of-scope: whether the HOLD should be lifted (Owner's call).
  • birth/test/change/rollback: born from the gate convention; tested by injecting =YES → FAIL; rollback = discard.

TKT-RS-LIFECYCLE

  • scope: replay/audit/activation lifecycle taxonomy is the 3-axis form, not a single combined column.
  • rule: assert three distinct axes — A first-availability (before admission), B post-admission persistence/operation, C business-transition (only activation, post-registration); flag any single "after registration?" column; assert MUST_NOT_IMPLICIT_INHERIT on registration→activation; assert "no prerequisite — least of all replay or audit — first introduced after runtime registration."
  • expected evidence: the three axes present and distinct; forbidden phrases absent.
  • bad input: "replay/audit may be introduced after registration" or "3 deferrable" → FAIL.
  • failure code: RS_LIFE_AXES_COLLAPSED | RS_LIFE_REPLAY_AUDIT_DEFERRED | RS_LIFE_ACTIVATION_INHERITED.
  • severity: HIGH. out-of-scope: runtime correctness of the lifecycle.

TKT-RS-QUORUM

  • scope: quorum oracle is deterministic via a total Q-code order with a stated evaluation unit.
  • rule: assert the full chain Q00 < Q10 < Q11 < Q20 < Q21 < Q22 < Q23 < Q30 < Q31 < Q40 < Q41 < Q50 present; "lowest matching Q-code at the evaluation unit wins" rule present; Q-order declared authoritative over the descriptive P-band labels; three evaluation units defined (context / single-vote-claim / APR-over-valid-claims); per-vote codes (Q10–Q31) numerically below APR-level (Q40–Q50); compound inputs map to one code (P1, P3 examples); delegation interval half-open [effective_from, effective_to) with ==from valid, ==to/after → DELEGATION_EXPIRED, before → DELEGATION_NOT_YET_EFFECTIVE, revocation overrides.
  • expected evidence: the Q-chain + selection rule + eval-unit definition + half-open interval quoted in the target.
  • bad input: a "predicates are mutually exclusive" claim asserted-not-proven, or a closed [from,to] interval paired with "strictly inside" → FAIL.
  • failure code: RS_QUORUM_ORDER_INCOMPLETE | RS_QUORUM_EVAL_UNIT_MISSING | RS_QUORUM_PREDICATE_AMBIGUOUS | RS_QUORUM_DELEGATION_INTERVAL_BAD.
  • severity: BLOCKER (this defect caused the real REJECT_RS5A_PATCH3). out-of-scope: runtime quorum behaviour.

TKT-RS-REPLAY

  • scope: replay/idempotency mutual-exclusion is well-formed.
  • rule: assert the effect→envelope decision tree — different effect → G02b NONCE_REUSE_DIFFERENT_EFFECT; same effect + different envelope/digest → G02c NONCE_REUSE_AUTHORIZATION_MISMATCH; same effect + same envelope + prior durable decision → G02a IDEMPOTENT_PRIOR_DECISION_RETRIEVAL; partition claimed only within domain D (prior durable decision exists); the in-flight case same nonce·same effect·same envelope·NO prior durable decision is named NO_PRIOR_DURABLE_DECISION_STATE_UNSPECIFIED as a design-only label, not a reject code, not an executable scenario; G08 is a distinct client-observation fixture.
  • expected evidence: the decision tree + domain restriction + the out-of-domain label present.
  • bad input: a G02a definition lacking "same authorization envelope" (so a changed-envelope retry matches both G02a and G02c) → FAIL.
  • failure code: RS_REPLAY_G02_OVERLAP | RS_REPLAY_DOMAIN_UNRESTRICTED | RS_REPLAY_INFLIGHT_AS_CODE.
  • severity: BLOCKER. out-of-scope: runtime replay behaviour.

TKT-RS-COUNT

  • scope: test/oracle counts are internally consistent and not silently changed.
  • rule: assert 84 parent IDs / 86 executable scenarios with 84 − 1 + 3 = 86; suite labelled DEFINED_NOT_EXECUTED; aliases marked documentation_alias_only; each executable scenario has exactly one canonical expected code; compound fixtures (e.g. CQ01–CQ09 = nine) match the actual fixtures present (flag any "eight" vs nine drift); filename numeric claims match in-doc titles (e.g. 09 "80-cases" vs body "84").
  • expected evidence: the arithmetic + label + one-code-per-scenario.
  • bad input: a count statement saying "eight fixtures" while nine exist, or G02a/b/c enumerated separately while claiming only 84 → FAIL.
  • failure code: RS_COUNT_ARITH_MISMATCH | RS_COUNT_ORACLE_NONCANONICAL | RS_COUNT_FIXTURE_DRIFT | RS_COUNT_FILENAME_TITLE_DRIFT.
  • severity: HIGH. out-of-scope: whether the scenarios are correct (only counted/consistent).

TKT-RS-CODEX-PACKET

  • scope: the codex-review-packet is self-consistent and reconstructable.
  • rule: verdict token, gate, scenario count, and "single next step" identical across index ↔ decision-packet ↔ codex-review-packet ↔ rollup; every [[wikilink]] resolves to an existing doc; verdict token matches the allowed vocabulary (RS5x_READY_FOR_<reviewer>_REVIEW, ACCEPT_*, REJECT_*, NEED_*_PATCH); every "CLOSED" cites the superseding wording + fixture; "0 mutations" treated as attestation not proof; no engineering PASS upgraded to authority/runtime PASS.
  • expected evidence: cross-file agreement table; resolved links.
  • bad input: index says ACCEPT but rollup says NEED_PATCH → FAIL.
  • failure code: RS_CODEX_CROSSFILE_DISAGREE | RS_CODEX_DANGLING_LINK | RS_CODEX_VERDICT_VOCAB | RS_CODEX_PASS_UPGRADED.
  • severity: HIGH. out-of-scope: whether Codex will accept (only that the packet is review-ready).

5. Composition contract (how the blocks compose)

  • Base order: TKT-L0-FILE → TKT-L1-PACKET → TKT-L2-FAIL-CLOSED → TKT-L3-GOVERNANCE (cumulative cap; a FAIL caps level_reached).
  • RS profile runs on top of a Base result for RS-series packets: TKT-RS-PACKAGE → TKT-RS-GATE → {TKT-RS-LIFECYCLE, TKT-RS-QUORUM, TKT-RS-REPLAY, TKT-RS-COUNT} → TKT-RS-CODEX-PACKET. The four braced blocks are independent (no ordering between them) and may run in parallel.
  • Communication is only via the shared output schema; no block reads another's internals.
  • Aggregate verdict = the worst per-block status; any BLOCKER FAIL ⇒ packet not review-ready; the aggregate is advisory, never a gate.
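As an added example (not the catalog's code; none of these blocks exists in this lane), the composition contract applied to constructed shared-schema records: worst-of aggregation, the level_reached cap over the Base order, and an advisory result that carries no gate. Treating a block whose declared dependency did not PASS as HOLD, and letting a HOLD (not only a FAIL) cap level_reached, are assumptions consistent with the fail-closed default.

```python
BASE = ["TKT-L0-FILE", "TKT-L1-PACKET", "TKT-L2-FAIL-CLOSED", "TKT-L3-GOVERNANCE"]
RS_PROFILE = ["TKT-RS-PACKAGE", "TKT-RS-GATE", "TKT-RS-LIFECYCLE", "TKT-RS-QUORUM",
              "TKT-RS-REPLAY", "TKT-RS-COUNT", "TKT-RS-CODEX-PACKET"]
DEPENDS = {"TKT-L1-PACKET": ["TKT-L0-FILE"], "TKT-L2-FAIL-CLOSED": ["TKT-L0-FILE"],
           "TKT-L3-GOVERNANCE": BASE[:3], "TKT-RS-PACKAGE": ["TKT-L0-FILE"]}  # the catalog's dependency lines
RANK = {"PASS": 0, "HOLD": 1, "FAIL": 2}  # worst-of ordering; HOLD is never PASS

def mk(cid, status, severity, found="observed"):
    """Constructed shared-schema record (section 0); fields other than id/status/severity are filler here."""
    return {"checker_id": cid, "target": "reports/<stage>/<file>.md", "status": status, "severity": severity,
            "expected": "rule", "found": found, "evidence": [], "recommended_fix": "", "out_of_scope": ""}

def block_status(records, block):
    """Worst status among a block's own records; a block with no records is HOLD, not a silent skip."""
    own = [r["status"] for r in records if r["checker_id"].startswith(block + "-")]
    return max(own, key=RANK.get) if own else "HOLD"

def effective_status(records, block):
    """Assumption: a block whose declared dependency did not PASS is reported HOLD, whatever it emitted."""
    if any(block_status(records, d) != "PASS" for d in DEPENDS.get(block, [])):
        return "HOLD"
    return block_status(records, block)

def compose(records):
    """Advisory aggregate: worst status, level_reached cap, review-readiness; never a gate."""
    per_block = {b: effective_status(records, b) for b in BASE + RS_PROFILE}  # order-independent
    level_reached = 0
    for level, block in enumerate(BASE, 1):
        if per_block[block] != "PASS":
            break  # a non-PASS Base block caps level_reached (page names FAIL; HOLD capping is an assumption)
        level_reached = level
    blocker_fail = any(r["severity"] == "BLOCKER" and r["status"] == "FAIL" for r in records)
    return {"aggregate": max(per_block.values(), key=RANK.get), "level_reached": level_reached,
            "review_ready": not blocker_fail, "per_block": per_block,
            "may_gate": False, "decision_effect": "NONE"}  # authority firewall: advisory only

def demo():
    """Two constructed runs: a QUORUM BLOCKER on a clean Base, and an L0 failure under downstream PASSes."""
    base_ok = [mk(f"{b}-001", "PASS", "BLOCKER") for b in BASE]
    quorum_fail = base_ok + [mk("TKT-RS-PACKAGE-001", "PASS", "BLOCKER"), mk("TKT-RS-GATE-001", "PASS", "BLOCKER"),
                             mk("TKT-RS-QUORUM-001", "FAIL", "BLOCKER", "RS_QUORUM_DELEGATION_INTERVAL_BAD")]
    l0_fail = [mk("TKT-L0-FILE-003", "FAIL", "BLOCKER", "L0_FILE_MISSING")] + [
        mk(f"{b}-001", "PASS", "HIGH") for b in BASE[1:]]
    return compose(quorum_fail), compose(l0_fail)
```

In the second run the L1–L3 PASS records are demoted to HOLD because L0 did not PASS, so a downstream engineering PASS cannot mask a missing file.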

6. Out-of-scope for the whole catalog

Semantic Text-as-Code validity (L5), IU traceability (L4), release/bundle readiness (L6), runtime behaviour of quorum/replay/lifecycle, authority/seal granting, and any production/registration effect. All deferred or forbidden per 02/03.