KB-37BF rev 3

CP-06 Canonical Hash Encoding Ordering And Scalar Forms


07 - CP-06 Canonical Hash Encoding, Ordering, And Scalar Forms

Canonical Representation

Every hash payload is built from explicit keys using PG16 JSONB and then SHA-256:

digest(
  convert_to(
    jsonb_build_object(
      'domain', domain_text,
      'schema_version', schema_version_bigint,
      'payload', payload_jsonb
    )::text,
    'UTF8'
  ),
  'sha256'
)

Rules:

  • bytea/SHA-256 in payload: encode(value,'hex'), lowercase, exactly 64 ASCII hex characters; implicit bytea text cast and base64 are forbidden;
  • integers: JSONB integer form, no leading plus/zero, no exponent;
  • numeric: trim_scale(value) then JSONB numeric form; NaN/infinity and floating types forbidden;
  • boolean: JSON true/false;
  • UUID/OID: lowercase canonical UUID text / JSON integer OID;
  • timestamp: UTC via to_char(value AT TIME ZONE 'UTC','YYYY-MM-DD"T"HH24:MI:SS.US"Z"');
  • text: UTF-8, bytewise COLLATE "C" ordering; no locale-dependent comparison;
  • JSONB: explicit-key schema only; unknown/missing key fails; SQL NULL forbidden; optional value is JSON null; string "NULL" is ordinary text;
  • arrays: every jsonb_agg has an explicit total unique ORDER BY ... COLLATE "C" ending in immutable UUID/item ID; no unordered aggregate;
  • delimiter concatenation and MD5 are forbidden.

Total Orders

  • manifest children: (ordinal, item_id);
  • active manifests: (manifest_type_id, version_no, manifest_id);
  • signoffs: (target_id, tier_id NULLS FIRST, action_id, reviewer_principal_id, signoff_id);
  • evidence: (evidence_kind_id, evidence_id);
  • dependencies: (root_identity COLLATE "C", kind_id, dependency_identity COLLATE "C", item_id);
  • dynamic targets: (callsite_identity COLLATE "C", target_oid, item_id).
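The scalar rules and the manifest-children total order, applied together in one query. This is an added example, not code from the original spec: the domain string, column names and rows are constructed, and it assumes the pgcrypto extension provides digest().

```sql
CREATE EXTENSION IF NOT EXISTS pgcrypto;  -- provides digest()

WITH child(ordinal, item_id, content_sha256, weight, recorded_at, note) AS (
  VALUES  -- constructed rows, deliberately listed out of order
    (2, 'B3F1C2D4-0000-4000-8000-000000000002'::uuid, sha256('beta'::bytea),
        1.500::numeric, '2026-06-07 09:30:00+07'::timestamptz, NULL::text),
    (1, 'b3f1c2d4-0000-4000-8000-000000000001'::uuid, sha256('alpha'::bytea),
        10.00::numeric, '2026-06-07 02:30:00+00'::timestamptz, 'NULL')
), canon AS (
  -- jsonb orders object keys itself (shorter keys first, then bytewise),
  -- so the serialized text does not depend on the argument order used here.
  SELECT jsonb_build_object(
    'domain', 'example.cp06.demo.v1',            -- hypothetical domain
    'schema_version', 1::bigint,
    'payload', jsonb_build_object('children', jsonb_agg(
      jsonb_build_object(
        'ordinal', ordinal,                      -- JSONB integer form
        'item_id', item_id::text,                -- lowercase canonical UUID text
        'content_sha256', encode(content_sha256, 'hex'),  -- 64 lowercase hex chars
        'weight', trim_scale(weight),            -- 1.500 -> 1.5, 10.00 -> 10
        'recorded_at', to_char(recorded_at AT TIME ZONE 'UTC',
                               'YYYY-MM-DD"T"HH24:MI:SS.US"Z"'),
        'note', COALESCE(to_jsonb(note), 'null'::jsonb)   -- JSON null, never SQL NULL
      ) ORDER BY ordinal, item_id))              -- total order: (ordinal, item_id)
  )::text AS canonical_text
  FROM child
)
SELECT canonical_text,
       encode(digest(convert_to(canonical_text, 'UTF8'), 'sha256'), 'hex') AS digest_hex
FROM canon;
```

The second row's note is the ordinary string "NULL" and the first row's is JSON null; the two stay distinct in canonical_text.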

Exact Seven Contract Key Maps

| Contract/domain | Exact ordered payload keys |
|---|---|
| H01 incomex.qt001.plan-content.v1 | plan_payload, policy_manifest, operator_manifest, tier_manifest, readiness_manifest_hash, capability_manifest, dependency_manifest_hash, hash_component_manifest, bootstrap_manifest, gateway_manifest, trigger_fingerprints, freeze_fingerprints, writer_source_hash |
| H02 incomex.qt001.control-state.v1 | plan_content_hash, control_epoch, active_manifest_set, owner_acl_fingerprint, signoff_binding_hashes, capability_evidence_hashes, dependency_evidence_hashes, activation_state, post_activation_verifier_state |
| H03 incomex.qt001.readiness-manifest.v1 | manifest_envelope, gates, policy_rules, fact_adapters, primitives |
| H04 incomex.qt001.signoff-binding.v1 | target_id, plan_content_hash, scope_hash, tier_id, action_id, reviewer_principal_id, binder_principal_id, reviewer_human_identity_id, binder_human_identity_id, reviewer_evidence_hash, binding_evidence_hash, control_epoch, signed_at, bound_at, valid_until |
| H05 incomex.qt001.capability-evidence.v1 | capability_manifest, measurement_requirements, artifact_requirements, workload_profile, run, measurements, artifacts, environment |
| H06 incomex.qt001.dependency-manifest.v1 | manifest_envelope, roots, edges, source_hashes, analyzer_contract, analyzer_run, dynamic_targets |
| H07 incomex.qt001.activation.v1 | manifest_type_code, parent_manifest_id, parent_payload_sha256, candidate_manifest_id, candidate_payload_sha256, added_set_sha256, retired_set_sha256, impact_evidence_sha256, rollback_packet_sha256, requested_control_epoch, quorum_profile_hash, requester_principal_id |

H01 excludes signoff/approval/evidence/activation lifecycle times. H03 envelope excludes lifecycle timestamps. H04 permits JSON null for tier_id only when the active signoff requirement permits it. All H07 keys are required. Canonicalizer source/signature hashes and PG major version are bound in the active canonicalizer/catalog contract. A PostgreSQL major upgrade blocks activation until cross-version fixtures reproduce all expected digests.

Runtime-Evidence Column Bindings

  • H04 target_id = signoff_binding.target_manifest_id; all remaining H04 keys map one-to-one to named signoff_binding columns. H04 excludes slot metadata from its published key list only if scope_hash canonically includes quorum profile, principal class, slot ordinal, and action.
  • H05 run = capability_run; measurements = capability_measurement; artifacts = capability_artifact; environment is folded into capability_run.environment_sha256/environment_evidence_id. No standalone environment table.
  • H02 signoff_binding_hashes, capability_evidence_hashes, and post_activation_verifier_state consume the corresponding named runtime-evidence rows.
  • H06 is unchanged: its inputs were already byte-defined.

The 11 runtime-evidence tables are non-authority facts. Their object/constraint identities are enumerated by sealed authority_scope_manifest #20 rows, but their values never define policy. Net new authority surfaces, readiness gates, and hash contracts are all zero.

Determinism Fixtures

Fixtures prove: identical logical bytea from different display settings yields identical hex and digest; row reorder/locale change does not change digest; numeric scale normalization is stable; timestamp timezone/session setting does not change digest; JSON null differs from string NULL; unknown/missing keys fail; each real input mutation changes the relevant digest.
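A sketch of how several of these fixtures can be written as PL/pgSQL assertions. This is an added example with constructed values, not the project's fixture suite; it asserts on the canonical text forms, since the digest is a pure function of that text.

```sql
DO $$
DECLARE
  blob  bytea       := '\xDEADBEEF';
  ts    timestamptz := '2026-06-07 12:00:00+00';
  fmt   text        := 'YYYY-MM-DD"T"HH24:MI:SS.US"Z"';
  h03   text[]      := ARRAY['manifest_envelope','gates','policy_rules',
                             'fact_adapters','primitives'];
  a text; b text;
BEGIN
  -- 1. bytea: the display setting changes the implicit cast, never encode(..., 'hex').
  PERFORM set_config('bytea_output', 'hex', true);
  a := blob::text;
  PERFORM set_config('bytea_output', 'escape', true);
  b := blob::text;
  ASSERT a <> b, 'implicit cast should differ across bytea_output';
  ASSERT encode(blob, 'hex') = 'deadbeef', 'hex form must be stable';

  -- 2. timestamp: the session TimeZone must not reach the payload.
  PERFORM set_config('TimeZone', 'Asia/Tokyo', true);
  a := to_char(ts AT TIME ZONE 'UTC', fmt);
  PERFORM set_config('TimeZone', 'America/New_York', true);
  b := to_char(ts AT TIME ZONE 'UTC', fmt);
  ASSERT a = b AND a = '2026-06-07T12:00:00.000000Z', 'timestamp drifted';

  -- 3. numeric: JSONB keeps trailing zeros, so trim_scale() is required.
  ASSERT to_jsonb(1.500::numeric)::text = '1.500', 'expected raw scale';
  ASSERT to_jsonb(trim_scale(1.500::numeric))::text = '1.5', 'scale not trimmed';

  -- 4. JSON null is not the string "NULL".
  ASSERT jsonb_build_object('tier_id', 'null'::jsonb)::text = '{"tier_id": null}';
  ASSERT jsonb_build_object('tier_id', 'NULL'::text)::text  = '{"tier_id": "NULL"}';

  -- 5. arrays: input row order is irrelevant under a total ORDER BY ... COLLATE "C".
  ASSERT (SELECT jsonb_agg(v ORDER BY v COLLATE "C") FROM unnest(ARRAY['b','A','a']) v)
       = (SELECT jsonb_agg(v ORDER BY v COLLATE "C") FROM unnest(ARRAY['a','b','A']) v);

  -- 6. explicit-key schema: this payload has missing and unknown keys, so its
  --    key set must not match the H03 contract.
  ASSERT (SELECT array_agg(k ORDER BY k COLLATE "C")
            FROM jsonb_object_keys('{"gates": [], "primitives": [], "extra": 1}'::jsonb) k)
      <> (SELECT array_agg(e ORDER BY e COLLATE "C") FROM unnest(h03) e),
         'mismatched key set was accepted';
END
$$;
```

The set_config(..., true) calls are transaction-local, so the session settings revert when the DO block's transaction ends.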
