KB-7DF9

RS-TKT-1 (Phase 1) · 03 TKT Base Checker Contract Schema

Lane: RS-TKT-1 — Phase 1 TKT Base Design Package (design-only)
Date: 2026-06-22
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations (KB design-doc writes only)
Authority: NON_AUTHORITY · may_gate=false · decision_effect=NONE · design-only

The LEGO brick contract. Every checker brick is a LEGO piece: born / tested / changed / rolled back separately, composing only through the shared output schema (R-TKT-1, R-TKT-2). None of this is implemented in Phase 1; it is a contract catalog for review.


1. Per-brick contract (every checker brick MUST define all fields)

checker_id          : stable id, e.g. TKT-L0-FILE-001 / TKT-RS-QUORUM-001
component_id        : the brick it belongs to, e.g. TKT-L0-FILE
purpose             : the one concern this brick checks (exactly one)
scope               : what packet surface it reads
input contract      : the input documents/fields it consumes (explicit, no hidden reads)
output contract     : the shared output record it emits (§3) + any brick-specific booleans
dependency          : which levels/bricks must PASS first (e.g. L0+L1+L2 PASS)
bad input           : the adversarial input that MUST be rejected
expected reject     : the deterministic outcome on that bad input
failure code        : the FAIL_* / L*_* / RS_* code emitted on failure
hold code           : the HOLD_* code emitted when context is missing/unsafe
evidence requirement: what evidence the record must carry (path#line, count, sha256, quoted line)
out-of-scope        : what this brick explicitly does NOT assert
birth boundary      : where the brick is born from (policy source); how it is created standalone
test boundary       : the fixture that proves it (and a positive control)
change boundary     : what may change in isolation (e.g. predicate only) without touching others
rollback boundary   : how a run is discarded as one unit (read-only ⇒ discard result; no canonical residue)
composition contract: emits ONLY the shared schema; reads no other brick's internals
authority_effect    : NONE (always)
registration_effect : NONE (always)

A brick missing any field above is not LEGO-ready and must not be marked design-complete.

2. One concern per brick (anti-mega rule)

R-TKT-1 is structural here: a brick that checks two concerns (e.g. the old combined TKT-L3-GOVERNANCE) is split (PATCH1 P2 → 05). A brick that "reads one packet" is bound by candidate_id + packet_hash; it does not scan the whole estate and does not assemble scattered artifacts.

3. Shared output schema (every brick emits one record per check)

{
  "checker_id": "TKT-RS-QUORUM-001",
  "target": "knowledge/dev/laws-new/reports/<stage>/<file>.md",
  "status": "PASS | FAIL | HOLD | N/A",
  "severity": "BLOCKER | HIGH | MEDIUM | INFO",
  "expected": "the rule, stated machine-checkably",
  "found": "what was actually observed",
  "evidence": ["path#line", "count=…", "sha256:…", "quoted line"],
  "recommended_fix": "the repair hint",
  "out_of_scope": "what this checker explicitly does NOT assert",
  "authority_effect": "NONE",
  "registration_effect": "NONE"
}
  • status at the brick/level layer may be PASS | FAIL | HOLD | N/A. (The aggregate layer may be only PASS | FAIL | HOLD — see 06 and the closure of Codex caveat §6.)
  • authority_effect and registration_effect are always the constant NONE. No brick may emit any other value.

4. Global invariants (carried from the base pack, corrected by PATCH1/PATCH2)

  • Authority firewall: no brick may emit a seal, clear REGISTRATION_HOLD, set CAN_PROCEED=YES, or create Owner/scope/APR/register_dot. A brick asked to do so returns FAIL/HOLD.
  • Fail-closed default: absent/ambiguous/unsafe input → HOLD (not PASS). HOLD ≠ PASS and ≠ silent skip.
  • Forbidden-output detection is structured AND unstructured (PATCH2 P1, see 04). The old "a token counts only if exit==0" rule is withdrawn: a forbidden token/artifact is a FAIL regardless of exit, and exit must also be nonzero (conjunctive). *_REJECTED-style false positives are handled by the safe-rejection-context guard in 04, not by an exit==0 escape hatch.
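
The conjunctive rule above next to the withdrawn one, as an added example that is not part of the design package. It assumes the rule scores a run against an adversarial fixture and models a single forbidden token (CAN_PROCEED=YES), since the full list is in 04; the safe-rejection-context guard is not modelled, and the function names and sample runs are constructed.

```python
import re

# Structured form: a key/value pair anywhere in the emitted record.
# Unstructured form: the same assertion as free text in stdout.
FORBIDDEN_FIELDS = {"REGISTRATION_CAN_PROCEED": "YES"}
FORBIDDEN_TEXT = re.compile(r"CAN_PROCEED\s*=\s*YES")


def forbidden_hits(emitted, stdout):
    """Collect forbidden findings from the structured record and the raw text."""
    hits, stack = [], [("$", emitted)]
    while stack:
        path, node = stack.pop()
        if isinstance(node, dict):
            for key, value in node.items():
                if key in FORBIDDEN_FIELDS and FORBIDDEN_FIELDS[key] == value:
                    hits.append(f"structured:{path}.{key}")
                stack.append((f"{path}.{key}", value))
        elif isinstance(node, list):
            stack.extend((f"{path}[{i}]", v) for i, v in enumerate(node))
    hits += [f"text:{m.group(0)}" for m in FORBIDDEN_TEXT.finditer(stdout)]
    return hits


def token_counted_withdrawn(hits, exit_code):
    """Withdrawn rule: a token counted only if the run exited 0."""
    return bool(hits) and exit_code == 0


def is_fail(hits, exit_code):
    """Current rule: any hit FAILs regardless of exit, and exit must be nonzero."""
    return bool(hits) or exit_code == 0


# Constructed runs against an adversarial fixture: (label, record, stdout, exit).
RUNS = [
    ("token in text, exit 1", {}, "REGISTRATION_CAN_PROCEED = YES", 1),
    ("token in nested field, exit 1", {"gate": {"REGISTRATION_CAN_PROCEED": "YES"}}, "", 1),
    ("clean output, exit 0", {"status": "PASS"}, "ok", 0),
    ("clean output, exit 1", {"status": "HOLD"}, "input rejected", 1),
]


def compare():
    """Return (label, withdrawn rule counted it, current rule FAILs) per run."""
    rows = []
    for label, emitted, stdout, code in RUNS:
        hits = forbidden_hits(emitted, stdout)
        rows.append((label, token_counted_withdrawn(hits, code), is_fail(hits, code)))
    return rows
```

The first two runs are the ones the withdrawn rule let through: the token is present, but the nonzero exit meant it did not count.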

5. Severity vocabulary (from P6, reused — detect-only)

BLOCKER = packet not review-ready
HIGH    = must-fix before Codex
MEDIUM  = should-fix
INFO    = monitoring

Severity influences review_readiness only (any BLOCKER FAIL ⇒ NOT_READY); it never grants authority. Detect-only discipline (Điều 35 lineage in P6): a brick reports; it does not fix, gate, or mutate.
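
One way to check a brick's record against the shared output schema of §3 and apply the readiness rule of §5, as an added example rather than code from the design package. The function names, the sample record, and the choice to treat a non-conforming record as blocking are assumptions.

```python
REQUIRED = ("checker_id", "target", "status", "severity", "expected", "found",
            "evidence", "recommended_fix", "out_of_scope",
            "authority_effect", "registration_effect")
BRICK_STATUS = ("PASS", "FAIL", "HOLD", "N/A")   # brick/level layer vocabulary
SEVERITY = ("BLOCKER", "HIGH", "MEDIUM", "INFO")


def contract_violations(record):
    """List every way a record breaks the shared schema (empty list = conforms)."""
    if not isinstance(record, dict):
        return ["record is not a JSON object"]
    problems = [f"missing field: {k}" for k in REQUIRED if k not in record]
    if "status" in record and record["status"] not in BRICK_STATUS:
        problems.append(f"status outside vocabulary: {record['status']!r}")
    if "severity" in record and record["severity"] not in SEVERITY:
        problems.append(f"severity outside vocabulary: {record['severity']!r}")
    for key in ("authority_effect", "registration_effect"):
        if key in record and record[key] != "NONE":
            problems.append(f"{key} must be the constant NONE")
    ev = record.get("evidence", [])
    if not isinstance(ev, list) or not all(isinstance(e, str) for e in ev):
        problems.append("evidence must be a list of strings")
    return problems


def is_not_ready(records):
    """Any BLOCKER FAIL => NOT_READY. Assumption: a non-conforming record also
    blocks, following the fail-closed default, instead of being skipped."""
    for record in records:
        if contract_violations(record):
            return True
        if record["status"] == "FAIL" and record["severity"] == "BLOCKER":
            return True
    return False


def make_record(**overrides):
    """Constructed sample record; every value here is illustrative."""
    record = {"checker_id": "TKT-L0-FILE-001", "target": "reports/sample.md",
              "status": "PASS", "severity": "INFO", "expected": "file exists",
              "found": "file exists", "evidence": ["reports/sample.md#1"],
              "recommended_fix": "", "out_of_scope": "content validity",
              "authority_effect": "NONE", "registration_effect": "NONE"}
    record.update(overrides)
    return record
```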

6. Brick inventory (full contracts in 05 for L3, 08 for RS profile)

Base (L0–L3):
  TKT-L0-FILE            (L0)
  TKT-L1-PACKET          (L1)
  TKT-L2-FAIL-CLOSED     (L2)
  TKT-L3-AUTHORITY-FIREWALL  (L3 sub-brick)
  TKT-L3-CLAIM-AUDIT         (L3 sub-brick)
  TKT-L3-IDENTITY            (L3 sub-brick)
  TKT-L3-NVSZ                (L3 sub-brick)
RS pre-Codex profile (layered on a Base result; 08):
  TKT-RS-PACKAGE · TKT-RS-GATE · TKT-RS-LIFECYCLE · TKT-RS-QUORUM · TKT-RS-REPLAY · TKT-RS-COUNT · TKT-RS-CODEX-PACKET

7. Composition (how bricks compose)

Base order   : TKT-L0-FILE → TKT-L1-PACKET → TKT-L2-FAIL-CLOSED → TKT-L3-{AUTHORITY-FIREWALL, CLAIM-AUDIT, IDENTITY, NVSZ}
RS profile   : TKT-RS-PACKAGE → TKT-RS-GATE → {TKT-RS-LIFECYCLE, TKT-RS-QUORUM, TKT-RS-REPLAY, TKT-RS-COUNT} → TKT-RS-CODEX-PACKET
Communication: ONLY via the shared output schema; no brick reads another's internals.
Aggregate    : a thin combiner over per-brick records (06); advisory; never a gate.
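
The Base order and the schema-only communication rule, as an added example that is not the project's runner. The stand-in bricks, the packet dict, the L1 and L2 dependencies, and emitting HOLD for a brick whose dependencies did not PASS are assumptions.

```python
L0_L2 = ["TKT-L0-FILE", "TKT-L1-PACKET", "TKT-L2-FAIL-CLOSED"]
# (component_id, components that must PASS first). The L3 entry follows the
# "L0+L1+L2 PASS" example in §1; the L1 and L2 entries are assumed from Base order.
BASE_ORDER = [(L0_L2[0], []), (L0_L2[1], L0_L2[:1]), (L0_L2[2], L0_L2[:2])] + [
    (f"TKT-L3-{name}", L0_L2)
    for name in ("AUTHORITY-FIREWALL", "CLAIM-AUDIT", "IDENTITY", "NVSZ")]
# Constructed packet: a brick is bound to one packet by candidate_id + packet_hash.
PACKET = {"candidate_id": "cand-demo", "packet_hash": "sha256:<placeholder>",
          "path": "reports/sample.md"}


def emit(component_id, packet, status, found):
    """Build one shared-schema record (severity and texts are illustrative)."""
    return {"checker_id": f"{component_id}-001", "target": packet["path"],
            "status": status, "severity": "BLOCKER", "expected": "see brick contract",
            "found": found, "evidence": [f"{packet['path']}#1"],
            "recommended_fix": "", "out_of_scope": "",
            "authority_effect": "NONE", "registration_effect": "NONE"}


def run_base(packet, bricks):
    """Run bricks in Base order. Each brick receives only the packet, and the
    runner reads only the `status` field of the records already emitted."""
    status_of, records = {}, []
    for component_id, needs in BASE_ORDER:
        brick = bricks.get(component_id)
        unmet = [dep for dep in needs if status_of.get(dep) != "PASS"]
        if unmet or brick is None:   # assumption: HOLD, never a silent skip
            why = f"dependency not PASS: {unmet[0]}" if unmet else "brick not registered"
            record = emit(component_id, packet, "HOLD", why)
        else:
            record = brick(packet)
        status_of[component_id] = record["status"]
        records.append(record)
    return records


def demo_bricks(failing=None):
    """Constructed stand-in bricks: each PASSes unless named in `failing`."""
    def make(cid):
        status = "FAIL" if cid == failing else "PASS"
        return lambda packet: emit(cid, packet, status, "constructed result")
    return {cid: make(cid) for cid, _ in BASE_ORDER}
```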
knowledge/dev/laws-new/tool-kiem-thu-lego/phase1-design/03-tkt-base-checker-contract-schema-2026-06-22.md