Revision/Hash Fail-Closed Guards
03 - Revision / Hash Fail-Closed Guards
Four verification guards ADDED to doc 06 (raising the guard count from 47 to 51). All are TEST/VERIFICATION guards, run at the authoring-entry gate, at every PKG-A..I input, and at S19 — never readiness gates.
G-ACTIVE-AUTHORITY-APPROVAL-ENVELOPE
A SEALED envelope exists, is well-formed (all required fields present), is anchored to the Codex recheck
checkpoint (Codex-sealed, not T1/Directus-editable post-approval), and covers exactly the
ACTIVE_AUTHORITY corpus (membership checked as a set difference in both directions against the doc 00
registry, so no ACTIVE doc is missing and none is extra). FAILS (→ ACTIVE_AUTHORITY_ENVELOPE_MISMATCH,
block authoring) if the envelope is absent, still STAGED (unsealed) at authoring time, malformed, has a
missing or extra ACTIVE doc, or is not anchored to a Codex recheck checkpoint.
G-ACTIVE-AUTHORITY-HASH-MATCH
For every ACTIVE doc/section, the live normalized content SHA-256 (computed per the normalization spec)
must equal the sealed envelope value. In addition, marker_fence_registry_sha256,
superseded_boundary_sha256, guard_set_sha256, active_corpus_membership_sha256 and
envelope_manifest_sha256 are each live-recomputed and must equal their sealed values. Any difference →
ACTIVE_AUTHORITY_ENVELOPE_MISMATCH. Non-vacuous: every hash is recomputed over the content present at
check time, never trusted from a cache or a prose claim.
G-ACTIVE-AUTHORITY-REVISION-MATCH
For every ACTIVE doc, the live KB revision must equal the sealed kb_revision. Because a KB edit
increments the revision, any post-approval edit is caught even before hashing. The two self-referential
hosts (doc 00, blueprint checkpoint) are pinned by their exclude-region content hash rather than by
revision, because hosting the envelope itself changes their revision.
G-ACTIVE-AUTHORITY-CHANGE-FAIL-CLOSED
The umbrella fail-closed guard: ANY detected delta in content / DOC_STATUS marker /
SUPERSEDED_NON_AUTHORITY fence / doc 00 registry / guard set / active-section identity-or-range /
corpus membership vs the sealed envelope → ACTIVE_AUTHORITY_ENVELOPE_MISMATCH and blocks
implementation-authoring planning until a NEW Codex recheck. On mismatch the correct next step is
Codex recheck, NOT "continue authoring" (guard-quality rule 9). An absent/unsealed envelope is
itself a fail-closed mismatch.
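The four guards as one fail-closed check, written here as an added example (not the project's own code). The envelope layout, the `pin` field for the self-referential hosts, the normalization rule and the sample corpus are all assumptions; the page's own normalization spec and the secondary hashes (marker fence registry, guard set, manifest) are not modelled.

```python
import hashlib
MISMATCH = "ACTIVE_AUTHORITY_ENVELOPE_MISMATCH"

def content_sha256(text):
    # Assumed normalization spec: CRLF -> LF, trailing whitespace stripped, one final newline
    norm = "\n".join(ln.rstrip() for ln in text.replace("\r\n", "\n").split("\n")).rstrip("\n") + "\n"
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()

def seal_envelope(registry_active, live, checkpoint):
    """What the Codex recheck produces: one sealed hash + revision per ACTIVE doc."""
    docs = {d: {"sha256": content_sha256(live[d]["content"]),
                "kb_revision": live[d]["kb_revision"],
                "pin": live[d].get("pin", "revision")} for d in registry_active}
    return {"state": "SEALED", "codex_recheck_checkpoint": checkpoint, "docs": docs}

def verify_envelope(envelope, registry_active, live):
    """Fail-closed: any finding is a MISMATCH that blocks authoring; [] is the only PASS."""
    if envelope is None or envelope.get("state") != "SEALED":
        return [(MISMATCH, "envelope absent or not SEALED")]
    findings = [] if envelope.get("codex_recheck_checkpoint") else [
        (MISMATCH, "envelope not anchored to a Codex recheck checkpoint")]
    sealed = envelope.get("docs", {})
    # Membership: set difference in both directions against the doc 00 registry
    for d in sorted(set(registry_active) - set(sealed)):
        findings.append((MISMATCH, f"ACTIVE doc missing from envelope: {d}"))
    for d in sorted(set(sealed) - set(registry_active)):
        findings.append((MISMATCH, f"extra doc in envelope: {d}"))
    for d in sorted(set(sealed) & set(registry_active)):
        if d not in live:
            findings.append((MISMATCH, f"ACTIVE doc not present live: {d}"))
            continue
        # Self-referential hosts are pinned by content hash only (hosting the envelope bumps revision)
        if sealed[d]["pin"] == "revision" and live[d]["kb_revision"] != sealed[d]["kb_revision"]:
            findings.append((MISMATCH, f"revision drift: {d}"))
        # Hash recomputed over present content now, never trusted from a cache or a prose claim
        if content_sha256(live[d]["content"]) != sealed[d]["sha256"]:
            findings.append((MISMATCH, f"content hash drift: {d}"))
    return findings

# Constructed sample corpus (placeholder ids and text, not the real docs)
REGISTRY = ["doc00", "doc06", "doc07"]
LIVE = {"doc00": {"content": "registry\n", "kb_revision": 3, "pin": "content"},
        "doc06": {"content": "guards v1\r\n", "kb_revision": 10},
        "doc07": {"content": "PKG-A precondition\n", "kb_revision": 4}}
ENVELOPE = seal_envelope(REGISTRY, LIVE, "codex-recheck-0001")

def drift_findings():
    # Simulate a post-approval edit to doc06 and return what the guards report
    edited = dict(LIVE, doc06={"content": "guards v2\n", "kb_revision": 11})
    return verify_envelope(ENVELOPE, REGISTRY, edited)
```

Every finding carries the same MISMATCH code on purpose: the only correct next step is a Codex recheck, whichever guard fired.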
The fail-closed state and the no-silent-drift rule (doc 00 + doc 07)
The blueprint now states explicitly: after Codex PASS, any change to ACTIVE docs, sections, markers, fences, the registry or the guard set invalidates approval; implementation-authoring planning is BLOCKED until a fresh Codex recheck re-seals the envelope. PKG-A's precondition (doc 07) requires the envelope to be SEALED and verified green before any authoring begins.