KB-2E2A
RS-TKT-1 (Phase 1) · 10 Future Construction Blueprint — Module Boundaries
Revision 1
NON_EXECUTABLE_DESIGN_EXAMPLE
FUTURE_CONSTRUCTION_BLUEPRINT_ONLY
NOT_IMPLEMENTED
NOT_AUTHORIZED_FOR_RUNTIME
Lane: RS-TKT-1 — Phase 1 TKT Base Design Package (design-only)
Date: 2026-06-22
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations
Authority: NON_AUTHORITY · may_gate=false · decision_effect=NONE
Each future module is a LEGO component: born / tested / changed / rolled back separately, composing only through the shared output schema (03 §3). The descriptions are paper. No module is built.
1. Module table (input / output / dependency / forbidden dependency / boundaries)
file_checker (would-be TKT-L0-FILE)
input : packet dir + hash_manifest.sha256 + packet_tree.sha256 (inert).
output : output_schema records; per-file {path,sha256,present}.
dependency : none.
forbidden dependency: no SUT runtime; no PG/Directus; no other checker's internals.
rollback boundary : read-only; discard the result record.
test boundary : delete a listed file ⇒ FAIL (L0_FILE_MISSING); positive control = intact packet ⇒ PASS.
composition contract: emits output_schema only.
packet_reconstructor (would-be TKT-L1-PACKET)
input : packet (L0 PASS) + TKT verifier recipe + exit_codes.json anchor (INERT fixtures only).
output : output_schema; RERUN_RESULT; regenerated anchor sha256.
dependency : file_checker PASS (L0).
forbidden dependency: MUST NOT invoke subject-under-test runtime / registrar / handler / validator / PG / Directus.
If reconstruction needs SUT runtime ⇒ HOLD_RUNTIME_SURFACE_REQUIRED (never PASS).
rollback boundary : discard the temp workspace as one unit (delete-fast); no canonical residue.
test boundary : run twice ⇒ same verdict; drift ⇒ FAIL (L1_RECONSTRUCT_DRIFT).
composition contract: emits output_schema only.
fail_closed_detector (would-be TKT-L2-FAIL-CLOSED)
input : packet (L0+L1 PASS) + bad-input catalog (P1–P10 ∪ BAD-1..15 ∪ BAD-FC-001..008).
output : output_schema; per-probe deterministic outcome (04 §7).
dependency : file_checker + packet_reconstructor PASS (L0+L1).
forbidden dependency: no SUT runtime; no shrinking the reserved token floor (04 §3).
rollback boundary : fresh disposable workspace per probe; discard.
test boundary : inject a fail-open packet ⇒ FAIL; ≥1 positive control PASS.
composition contract: emits output_schema only.
authority_firewall / claim_auditor / identity_checker / nvsz_checker (would-be L3 sub-bricks)
input : packet (L0+L1+L2 PASS) + the brick-specific surface (05).
output : output_schema; the brick's boolean (no_seal_emitted / all_claims_recomputed / orphan=0,collision=0 / nvsz_records_complete).
dependency : L0+L1+L2 PASS only.
forbidden dependency: NO sub-brick reads another sub-brick's internals; no SUT runtime; no new registry (identity_checker).
rollback boundary : read-only; discard.
test boundary : the per-brick bad input in 05 ⇒ the per-brick FAIL code.
composition contract: emits output_schema only; the aggregator combines records, the bricks never combine each other.
rs_profile_checker (would-be TKT-RS-* groups A–G)
input : a Base (L0–L3) result + an RS-stage packet bound by candidate_id+packet_hash + profile_id/scope_class.
output : output_schema per group; RS_* findings.
dependency : a Base result (layered on top).
forbidden dependency: an RS5A_SPECIFIC rule MUST NOT fire on a non-RS5A packet (configuration error, not a finding);
RS5B BI01–BI10 MUST NOT be auto-promoted (08 §5).
rollback boundary : read-only; discard.
test boundary : per-group fixtures (e.g. quorum order incomplete ⇒ RS_QUORUM_ORDER_INCOMPLETE).
composition contract: emits output_schema only.
aggregator (would-be thin combiner)
input : the set of per-brick/per-level output_schema records.
output : aggregate_status ∈ {PASS,FAIL,HOLD} + review_readiness + authority_effect=NONE + registration_effect=NONE (06).
dependency : all brick records.
forbidden dependency: MUST NOT read brick internals (only their emitted records); MUST NOT emit any authority/registration value other than NONE; MUST NOT gate.
rollback boundary : pure function over records; nothing to roll back.
test boundary : truth-table rows 1–10 (06) reproduce mechanically.
composition contract: a thin function; advisory output only.
report_writer (would-be JSON/MD emitter)
input : the aggregate + all records.
output : result.json + result.md per the schema in 13 (advisory).
dependency : aggregator.
forbidden dependency: MUST NOT write to PG/Directus/registry/system_issues; MUST NOT emit a seal/cert/digest; MUST NOT set CAN_PROCEED=YES.
rollback boundary : output files are disposable as one unit with the run (delete-fast).
test boundary : an attempt to write a forbidden grant token ⇒ caught by fail_closed_detector / BAD-FC.
composition contract: writes only the report schema; carries authority_effect/registration_effect = NONE.
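The file_checker row above, sketched as an added illustration: this is not part of the blueprint and not project code, and it covers hash_manifest.sha256 only. It exercises the stated test boundary (intact packet ⇒ PASS, deleted listed file ⇒ FAIL with L0_FILE_MISSING). Assumptions: sha256sum-style manifest lines, a result envelope (module/status/codes/files) standing in for the output schema of 03 §3, and two PLACEHOLDER_ codes that the blueprint does not define.

```python
import hashlib
import tempfile
from pathlib import Path

MISSING = "L0_FILE_MISSING"                    # code named in the blueprint
MISMATCH = "PLACEHOLDER_L0_HASH_MISMATCH"      # hypothetical, not in the blueprint
ESCAPE = "PLACEHOLDER_L0_PATH_OUTSIDE_PACKET"  # hypothetical, not in the blueprint


def check_packet(packet_dir, manifest="hash_manifest.sha256"):
    """Read-only L0 check: one {path, sha256, present} record per manifest line."""
    root = Path(packet_dir).resolve()
    files, codes = [], set()
    for line in (root / manifest).read_text().splitlines():
        if not line.strip():
            continue
        expected, rel = line.split(maxsplit=1)   # assumed "<hex>  <path>" layout
        rel = rel.removeprefix("*")              # sha256sum binary-mode marker
        target = (root / rel).resolve()
        if not target.is_relative_to(root):      # entry points outside the packet
            codes.add(ESCAPE)
            files.append({"path": rel, "sha256": None, "present": False})
            continue
        present = target.is_file()
        actual = hashlib.sha256(target.read_bytes()).hexdigest() if present else None
        if not present:
            codes.add(MISSING)
        elif actual != expected.lower():
            codes.add(MISMATCH)
        files.append({"path": rel, "sha256": actual, "present": present})
    return {"module": "file_checker", "status": "FAIL" if codes else "PASS",
            "codes": sorted(codes), "files": files}


def demo():
    """Constructed packet: positive control, then the delete-a-file test boundary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {"payload.json": b'{"ok": 0}\n', "notes.txt": b"constructed\n"}
        lines = []
        for name, data in samples.items():
            (root / name).write_bytes(data)
            lines.append(f"{hashlib.sha256(data).hexdigest()}  {name}")
        (root / "hash_manifest.sha256").write_text("\n".join(lines) + "\n")
        intact = check_packet(root)
        (root / "notes.txt").unlink()            # delete a listed file
        return intact, check_packet(root)
```

The checker only reads the packet and returns a record, so rolling it back means discarding that return value, which matches the row's rollback boundary.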
2. Dependency graph (acyclic, paper)
file_checker → packet_reconstructor → fail_closed_detector → {authority_firewall, claim_auditor, identity_checker, nvsz_checker}
                                                                 ↓ (records only)
                                                             aggregator → report_writer
rs_profile_checker depends only on a completed Base result; groups {C,D,E,F} are mutually independent.
No cycles; no module reaches into another's internals; the only shared currency is the output schema.
3. Forbidden module behaviors (all modules)
No module executes the subject under test (that is Phase 4 + a Call Contract).
No module mutates PG / Directus / registry / system_issues.
No module emits a seal/cert/authority-digest, clears REGISTRATION_HOLD, or sets CAN_PROCEED=YES.
No module creates Owner/scope/APR/register_dot.
No module becomes a mega-registry / mega-graph / mega-birth pipeline.
This file builds none of these modules. NOT_IMPLEMENTED · NOT_AUTHORIZED_FOR_RUNTIME.