KB-57F4

Revision 1

RS-TKT-1 (Phase 1) · 02 — TKT Base Level Policy L0–L3

Lane: RS-TKT-1 — Phase 1 TKT Base Design Package (design-only)
Date: 2026-06-22
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations (KB design-doc writes only)
Authority: NON_AUTHORITY · may_gate=false · decision_effect=NONE · design-only

Per-level input / output / PASS / FAIL / HOLD conditions, and the binding dependency chain. Status semantics and the aggregate truth table are in 06; the four L3 sub-bricks are in 05.


1. Level dependency chain (binding — PATCH1 P7 + PATCH2 P7)

L0  — no prior dependency.
L1  — depends on L0 = PASS.
L2  — depends on L0 = PASS AND L1 = PASS.
L3  — depends on L0 = PASS AND L1 = PASS AND L2 = PASS.
L3 sub-bricks (AUTHORITY-FIREWALL, CLAIM-AUDIT, IDENTITY, NVSZ) — each depends on L0+L1+L2 = PASS;
   they are independent of EACH OTHER (no cross-brick dependency).

level_reached caps at the highest fully-passed level. A level that is N/A because a lower level failed/held is not evidence of anything — never PASS.

2. L0 — FILE PASS

input    : a packet directory + its ledger (hash_manifest.sha256; legacy HASH_MANIFEST.txt normalized first, see 07) + packet_tree.sha256.
output   : shared schema record(s); level_status ∈ {PASS, FAIL, HOLD}; per-file {path, sha256, present}.
PASS  iff: tree pin sha256(hash_manifest.sha256) == packet_tree.sha256 AND every listed file is present AND every listed file's recomputed sha256 matches its ledger entry AND no governed file is unlisted.
FAIL  if : any listed file absent (L0_FILE_MISSING) | any hash mismatch (L0_HASH_MISMATCH) | tree-pin mismatch (L0_TREE_PIN_MISMATCH) | a governed file is unlisted (L0_UNLISTED_GOVERNED_FILE).
HOLD  if : the ledger or tree pin cannot be read/collected (HOLD_OUTPUT_SURFACE_UNAVAILABLE-class), or the input is ambiguous/absent. HOLD is never PASS.

Out of scope: file meaning — only bytes/presence.
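The L0 check above, written out as an added example (this is not the TKT's own code). It assumes a sha256sum-style ledger line format ("<hex>  <relative path>"), that packet_tree.sha256 holds the sha256 of the ledger file, and that every regular file in the packet other than the two ledger files is governed; the fixture packet is constructed inline. Note the three distinct outcomes: an unreadable ledger or pin is HOLD, any integrity defect is FAIL with its L0_* code, and PASS needs every conjunct.

```python
"""Added example: an L0 FILE PASS checker in the shape section 2 describes.
Assumptions (not from the page): sha256sum-style ledger lines, pin = sha256 of
the ledger file, governed = every regular file except the two ledger files."""
import hashlib
import os
import tempfile

LEDGER = "hash_manifest.sha256"
TREE_PIN = "packet_tree.sha256"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    # "<hex>  <path>" per line; a malformed line makes the ledger unreadable
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")
        if len(digest) != 64 or not rel:
            raise ValueError("malformed manifest line: %r" % line)
        entries[rel] = digest.lower()
    return entries


def check_l0(packet_dir):
    """Return (level_status, sorted codes, per-file records).
    HOLD if the ledger/pin cannot be read; FAIL on any defect; else PASS."""
    ledger_path = os.path.join(packet_dir, LEDGER)
    try:
        with open(ledger_path, encoding="utf-8") as f:
            entries = parse_manifest(f.read())
        with open(os.path.join(packet_dir, TREE_PIN), encoding="utf-8") as f:
            pinned = f.read().split()[0].lower()
    except (OSError, ValueError, IndexError):
        return "HOLD", ["HOLD_OUTPUT_SURFACE_UNAVAILABLE"], []

    codes = []
    if sha256_file(ledger_path) != pinned:
        codes.append("L0_TREE_PIN_MISMATCH")
    per_file = []
    for rel, expected in sorted(entries.items()):
        full = os.path.join(packet_dir, rel)
        present = os.path.isfile(full)
        actual = sha256_file(full) if present else None
        per_file.append({"path": rel, "sha256": actual, "present": present})
        if not present:
            codes.append("L0_FILE_MISSING")
        elif actual != expected:
            codes.append("L0_HASH_MISMATCH")
    # governed-file rule (assumption): anything on disk that is not a ledger file
    governed = set()
    for root, _dirs, files in os.walk(packet_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), packet_dir).replace(os.sep, "/")
            if rel not in (LEDGER, TREE_PIN):
                governed.add(rel)
    if governed - set(entries):
        codes.append("L0_UNLISTED_GOVERNED_FILE")
    return ("FAIL" if codes else "PASS"), sorted(set(codes)), per_file


def build_packet(files, tamper=None, missing=None, unlisted=None, drop_pin=False):
    """Constructed fixture: write `files` ({rel: bytes}) plus a matching ledger
    and pin, then optionally introduce exactly one defect."""
    d = tempfile.mkdtemp()
    lines = []
    for rel, data in sorted(files.items()):
        p = os.path.join(d, rel)
        with open(p, "wb") as f:
            f.write(data)
        lines.append("%s  %s" % (sha256_file(p), rel))
    with open(os.path.join(d, LEDGER), "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    if not drop_pin:
        with open(os.path.join(d, TREE_PIN), "w", encoding="utf-8") as f:
            f.write(sha256_file(os.path.join(d, LEDGER)) + "\n")
    if tamper:
        with open(os.path.join(d, tamper), "ab") as f:
            f.write(b"x")
    if missing:
        os.remove(os.path.join(d, missing))
    if unlisted:
        with open(os.path.join(d, unlisted), "wb") as f:
            f.write(b"rogue")
    return d


# constructed inert fixture files, not a real packet
FIXTURE = {"commands.sh": b"#!/bin/sh\necho inert\n", "exit_codes.json": b"{}\n"}

if __name__ == "__main__":
    for kw in ({}, {"tamper": "commands.sh"}, {"missing": "exit_codes.json"},
               {"unlisted": "extra.txt"}, {"drop_pin": True}):
        print(kw, check_l0(build_packet(FIXTURE, **kw))[:2])
```

Because the pin covers the ledger bytes, editing a ledger entry to match a tampered file flips the outcome from L0_HASH_MISMATCH to L0_TREE_PIN_MISMATCH rather than to PASS; only a packet whose ledger, pin and files all agree reaches PASS.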

3. L1 — PACKET RECONSTRUCTION PASS

input    : packet (L0 PASS) + the TKT reconstruction/verifier recipe (commands.sh / RERUN.sh skeleton) + exit_codes.json anchor — INERT FIXTURES ONLY.
output   : shared schema; RERUN_RESULT; regenerated verdict-anchor sha256.
PASS  iff: TKT re-runs its OWN recipe in a fresh workspace over inert fixtures and the regenerated verdict anchor matches the pinned anchor: byte-identical for byte-exact classes, functionally equal for functional classes.
FAIL  if : regenerated pin != published pin (L1_RECONSTRUCT_DRIFT) | non-deterministic regeneration (L1_NONDETERMINISTIC).
HOLD  if : the packet cannot be reconstructed/verified WITHOUT invoking subject-under-test runtime → HOLD_RUNTIME_SURFACE_REQUIRED (PATCH1 P4). NEVER PASS in that case — the work belongs to Phase 4.

Binding boundary (PATCH1 P4): L1 MAY run only the TKT verifier recipe on inert fixtures (recompute hashes, re-verify tree pin, re-run the TKT probe harness, re-emit the TKT verdict anchor). L1 MUST NOT invoke the candidate's production/runtime behaviour, call registrar/handler/validator/PG/Directus/external runtime, or read/write live system state. Out of scope: semantic correctness of the rerun.

4. L2 — FAIL-CLOSED PASS

input    : packet (L0+L1 PASS) + the bad-input catalog (old P1–P10 ∪ pilot BAD-1..15 ∪ BAD-FC-001..008, see 04/17).
output   : shared schema; probes p/p; the deterministic outcome code per probe (04 §8).
PASS  iff: every invalid-input probe is SAFE_REJECT under the 6-conjunct invalid_input_safe predicate (04) AND ≥1 positive control PASSes (not trivially always-fail).
FAIL  if : any probe yields FAIL_UNSTRUCTURED_FORBIDDEN_TOKEN | FAIL_FORBIDDEN_AUTHORITY_ARTIFACT | FAIL_INVALID_EXIT_ZERO | no positive control (L2_NO_POSITIVE_CONTROL).
HOLD  if : the scan surface is incomplete/uncollectable → HOLD_OUTPUT_SURFACE_UNAVAILABLE. Missing visibility is HOLD, never PASS.

Out of scope: whether the valid path is semantically right.

5. L3 — GOVERNANCE CONSISTENCY PASS

input    : packet (L0+L1+L2 PASS) + governance refs (one-roof registry refs, lane id, read-only) + NVSZ escrow records.
output   : shared schema; the four sub-brick records + a thin combiner record.
PASS  iff: AUTHORITY-FIREWALL PASS AND CLAIM-AUDIT PASS AND IDENTITY PASS AND NVSZ PASS (05).
FAIL  if : any sub-brick FAIL (per-brick codes in 05).
HOLD  if : any sub-brick HOLD with none FAIL.

The four sub-bricks are independent and may run in parallel; no sub-brick reads another's internals; the aggregate is computed by a thin combiner over the four records (05/06). Out of scope: semantic truth of content (L5).

6. Why HOLD must exist at every level

Default = HOLD (R-TKT-7). Any level whose required context is missing, ambiguous, unsafe, or unauthorized to assess returns HOLD, never PASS and never a silent skip. HOLD ≠ N/A: HOLD = "could not safely assess"; N/A = "a prerequisite failed/held, or out of scope." This is the safe-fallback that keeps a bad packet from coasting to PASS through missing evidence.
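The dependency chain of section 1, the thin L3 combiner of section 5 and the HOLD-by-default rule of this section, as one added example (not the TKT's own code). The record shape, a dict mapping a level to its reported status, with L3 optionally given as its four sub-brick records, is an assumption for this illustration.

```python
"""Added example: the L0-L3 level state machine on paper, as code.
Assumed record shape: {level: status} with L3 optionally {sub_brick: status}."""
LEVELS = ["L0", "L1", "L2", "L3"]
SUB_BRICKS = ["AUTHORITY-FIREWALL", "CLAIM-AUDIT", "IDENTITY", "NVSZ"]
STATUSES = {"PASS", "FAIL", "HOLD"}


def combine_sub_bricks(records):
    """Thin L3 combiner: PASS iff all four PASS; FAIL if any FAIL; else HOLD.
    A missing or unknown sub-brick status counts as HOLD (R-TKT-7)."""
    statuses = [records.get(b) if records.get(b) in STATUSES else "HOLD"
                for b in SUB_BRICKS]
    if "FAIL" in statuses:
        return "FAIL"
    if all(s == "PASS" for s in statuses):
        return "PASS"
    return "HOLD"


def resolve_chain(raw):
    """Apply the binding dependency chain to reported statuses.
    Returns (effective statuses, level_reached). Levels above a FAIL or HOLD
    are N/A (no evidence); an unreported level is HOLD, never a silent skip."""
    effective = {}
    level_reached = None
    blocked = False
    for lvl in LEVELS:
        if blocked:
            effective[lvl] = "N/A"
            continue
        status = raw.get(lvl)
        if lvl == "L3" and isinstance(status, dict):
            status = combine_sub_bricks(status)
        if status not in STATUSES:
            status = "HOLD"   # default = HOLD
        effective[lvl] = status
        if status == "PASS":
            level_reached = lvl
        else:
            blocked = True    # FAIL or HOLD: nothing above can be PASS
    return effective, level_reached


def aggregate(raw):
    """Advisory aggregate record: the chain result plus the fixed NONE effects
    every output carries (no authority, no registration effect)."""
    effective, reached = resolve_chain(raw)
    return {"levels": effective, "level_reached": reached,
            "authority_effect": "NONE", "registration_effect": "NONE"}


if __name__ == "__main__":
    # constructed inputs: a clean run, an L1 drift, and a packet that stops at L2
    print(aggregate({"L0": "PASS", "L1": "PASS", "L2": "PASS",
                     "L3": {b: "PASS" for b in SUB_BRICKS}}))
    print(aggregate({"L0": "PASS", "L1": "FAIL", "L2": "PASS", "L3": "PASS"}))
    print(aggregate({"L0": "PASS", "L1": "PASS"}))
```

The second constructed input shows why N/A is not evidence: L2 and L3 were reported PASS but are discarded once L1 fails, and level_reached stays at L0. The third shows the default: L2 was never reported, so it is HOLD and L3 is N/A, regardless of what anyone would have wanted to claim for them.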

7. What this policy does not do

It defines no runtime, schedules nothing, runs nothing. It is the level state machine on paper. The aggregate of these levels is advisory only and carries authority_effect = NONE, registration_effect = NONE on every output (06).

knowledge/dev/laws-new/tool-kiem-thu-lego/phase1-design/02-tkt-base-level-policy-l0-l3-2026-06-22.md