KB-373E

RS-TKT-0A-PATCH1 · 02 L3 LEGO Boundary Split Patch (P2)



Lane: RS-TKT-0A-PATCH1 · Date: 2026-06-21 · Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations (KB writes only) · Authority: NON_AUTHORITY · may_gate=false · decision_effect=NONE · design-only

Supersedes: the single block TKT-L3-GOVERNANCE in 04 §A (and its references in 03 §3 table and 06). L3 is now the aggregate of four one-concern LEGO bricks.


1. The defect (Codex P2, BLOCKER)

TKT-L3-GOVERNANCE combined authority-firewall + report-vs-file audit + object-ID collision/orphan + NVSZ completeness. That is four concerns in one brick, contradicting R-TKT-1 (one checker block = one concern). Split into independent bricks; compose only through the shared output schema; no brick reads another's internals.

2. The four L3 bricks

TKT-L3-AUTHORITY-FIREWALL

  • purpose: refuse any authority/seal/gate/promotion claim; prove the packet self-describes as NON_AUTHORITY.
  • input contract: packet self-description + any oracle/result docs claiming authority.
  • output contract: shared schema; no_seal_emitted_under_any_input:true.
  • bad input: a dev fixture claiming a Codex/owner seal; a filename-only seal.
  • failure code: L3_AUTH_CLAIM_REJECTED (firewall F1–F9 family).
  • dependency: L0+L1+L2 PASS.
  • out-of-scope: report claim recomputation (→ CLAIM-AUDIT); IDs (→ IDENTITY); NVSZ (→ NVSZ).
  • birth: from old authority_firewall_policy.
  • test: laundering attempt → REFUSED (nonzero, no grant per 01).
  • change: firewall rule set.
  • rollback: discard result (read-only).
  • composition: emits only the shared schema.

TKT-L3-CLAIM-AUDIT

  • purpose: every load-bearing claim in reports maps to a real governed file/command/exit, recomputed against reality, not prose.
  • input contract: the packet's reports + the governed files/hashes they cite.
  • output contract: shared schema; all_claims_recomputed:true.
  • bad input: a cited hash that will not recompute; a prose-only PASS; a dangling pointer.
  • failure code: L3_REPORT_CLAIM_UNVERIFIED.
  • dependency: L0+L1+L2 PASS.
  • out-of-scope: authority claims (→ AUTHORITY-FIREWALL); ID collision; NVSZ.
  • birth: from report_vs_file_audit_policy.
  • test: inject a prose-only PASS → FAIL.
  • change: audit check list.
  • rollback: discard.
  • composition: shared schema only.

TKT-L3-IDENTITY

  • purpose: object IDs have no collision/orphan and are routed to one-roof (no new TKT registry).
  • input contract: packet object IDs + one-roof registry refs (read-only).
  • output contract: shared schema; orphan=0, collision=0, routed_to_one_roof:true.
  • bad input: an ID in an existing/reserved range; a born object with no one-roof entry; a new TKT registry proposed.
  • failure code: L3_OBJECT_ID_COLLISION | L3_ORPHAN_OBJECT | L3_NEW_REGISTRY_PROPOSED.
  • dependency: L0+L1+L2 PASS.
  • out-of-scope: authority; report audit; NVSZ.
  • birth: from object_id_collision_policy (policy only; old reserved-range table retired).
  • test: inject a colliding ID → FAIL.
  • change: collision predicate.
  • rollback: discard.
  • composition: shared schema only.

TKT-L3-NVSZ

  • purpose: every raw-evidence pointer has {hash, pointer, regeneration_command, determinism, nvsz_root}; no raw log in vector KB; byte-exact classes recompute; secrets quarantine; root designated_by ∈ {owner,operator} or designated=false.
  • input contract: packet escrow records + KB-summary pointers.
  • output contract: shared schema; nvsz_records_complete:true.
  • bad input: a raw log in vector KB; a pointer missing a field; an agent-designated root.
  • failure code: L3_NVSZ_RECORD_INCOMPLETE (+ the namespaced escrow code from 05, e.g. ESCROW_E3).
  • dependency: L0+L1+L2 PASS.
  • out-of-scope: authority; report audit; IDs.
  • birth: from nvsz_no_vector_evidence_policy.
  • test: inject a raw log into a KB path → FAIL (ESCROW_E5).
  • change: escrow schema.
  • rollback: discard.
  • composition: shared schema only.

3. L3 aggregate

L3_GOVERNANCE_CONSISTENCY_PASS =
      TKT-L3-AUTHORITY-FIREWALL PASS
  AND TKT-L3-CLAIM-AUDIT       PASS
  AND TKT-L3-IDENTITY          PASS
  AND TKT-L3-NVSZ              PASS

If any sub-brick FAIL ⇒ L3 FAIL (per 07 cumulative rules). The four bricks are independent (no ordering between them) and may run in parallel. No sub-brick may read another sub-brick's internals — composition is only through the shared output schema, and the aggregate is computed by a thin combiner over the four records.
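The four bricks of §2 and the thin combiner of §3, written out as an added Python example (this is not code from the patch or from the tool it describes). The packet field names, the governed-file map, the one-roof registry shape and the kb/vector/ path prefix are assumptions made for the example; the failure codes and schema flags are the ones listed above.

```python
import hashlib
from typing import NamedTuple

class BrickResult(NamedTuple):  # the shared output schema: all a brick ever exposes to the combiner
    brick: str
    codes: tuple                # () means PASS; otherwise the brick's failure codes

NVSZ_FIELDS = {"hash", "pointer", "regeneration_command", "determinism", "nvsz_root"}

def authority_firewall(pkt):    # refuse any seal/authority claim, wherever it appears in the packet
    bad = pkt.get("authority") != "NON_AUTHORITY" or any(d.get("claims_seal") for d in pkt.get("result_docs", []))
    return BrickResult("TKT-L3-AUTHORITY-FIREWALL", ("L3_AUTH_CLAIM_REJECTED",) if bad else ())

def claim_audit(pkt, governed_files):  # recompute every cited hash from file bytes; prose is never evidence
    def verified(c):                   # False for a dangling pointer, a stale hash or a prose-only PASS
        data = governed_files.get(c.get("file"))
        return data is not None and hashlib.sha256(data).hexdigest() == c.get("sha256")
    bad = not all(verified(c) for c in pkt.get("report_claims", []))
    return BrickResult("TKT-L3-CLAIM-AUDIT", ("L3_REPORT_CLAIM_UNVERIFIED",) if bad else ())

def identity(pkt, one_roof):    # no duplicate or reserved-range ID, no orphan, no new TKT registry
    ids = [o["id"] for o in pkt.get("objects", [])]
    codes = {"L3_OBJECT_ID_COLLISION"} if len(ids) != len(set(ids)) or set(ids) & one_roof["reserved"] else set()
    codes |= {"L3_ORPHAN_OBJECT"} if set(ids) - one_roof["entries"] else set()
    codes |= {"L3_NEW_REGISTRY_PROPOSED"} if pkt.get("proposes_new_registry") else set()
    return BrickResult("TKT-L3-IDENTITY", tuple(sorted(codes)))

def nvsz(pkt):                  # complete escrow records; no raw log under the vector KB (assumed prefix kb/vector/)
    codes = set()
    for r in pkt.get("escrow_records", []):
        if not NVSZ_FIELDS.issubset(r):
            codes.add("L3_NVSZ_RECORD_INCOMPLETE")
        if r.get("pointer", "").startswith("kb/vector/") and r.get("raw_log"):
            codes |= {"L3_NVSZ_RECORD_INCOMPLETE", "ESCROW_E5"}
    root = pkt.get("nvsz_root", {})
    if root.get("designated") and root.get("designated_by") not in {"owner", "operator"}:
        codes.add("L3_NVSZ_RECORD_INCOMPLETE")   # e.g. an agent-designated root
    return BrickResult("TKT-L3-NVSZ", tuple(sorted(codes)))

def l3(pkt, governed_files, one_roof):  # thin combiner: run the four independent bricks (any order) and AND their records
    results = [authority_firewall(pkt), claim_audit(pkt, governed_files), identity(pkt, one_roof), nvsz(pkt)]
    return {r.brick: r.codes for r in results}, ("PASS" if all(r.codes == () for r in results) else "FAIL")

# Constructed fixture (not real packet data): a clean packet that every brick should PASS.
GOVERNED = {"laws/rule.md": b"R-TKT-1: one checker block = one concern\n"}
ONE_ROOF = {"reserved": {"TKT-0001"}, "entries": {"TKT-0100", "TKT-0101"}}
PACKET = {"authority": "NON_AUTHORITY", "result_docs": [{"claims_seal": False}], "proposes_new_registry": False,
          "report_claims": [{"file": "laws/rule.md", "sha256": hashlib.sha256(GOVERNED["laws/rule.md"]).hexdigest()}],
          "objects": [{"id": "TKT-0100"}, {"id": "TKT-0101"}], "nvsz_root": {"designated": True, "designated_by": "owner"},
          "escrow_records": [{"hash": "ab12", "pointer": "escrow/run1.log", "regeneration_command": "make run1", "determinism": "byte-exact", "nvsz_root": "escrow/"}]}
```

Each brick's "bad input" from §2 can be injected by overriding one key of PACKET; only the owning brick's code changes, and the combiner flips to FAIL without reading anything beyond the four records.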

4. Out-of-scope (whole L3 layer)

Semantic truth of content (L5), IU traceability (L4), release readiness (L6), runtime behaviour, and any authority/seal/gate effect.

knowledge/dev/laws-new/tool-kiem-thu-lego/patch1/02-l3-lego-boundary-split-patch-2026-06-21.md