03 - Envelope Manifest Authority-Field Roster
(Codex recheck-5 blocker B + C.) envelope_manifest_sha256 must bind every authority-bearing field
so that a complete live envelope can be proven equal to the approved envelope. Codex recheck-4's manifest
covered only the {document_id, kb_revision, normalized_active_content_sha256} rows plus the membership / registry /
guard hashes, so editing an omitted field (superseded boundary, section identity, approval metadata,
anchor, recheck-on-change flag) would evade the equality proof. This patch makes the manifest a hash over
the complete closed roster.
The fixed roster (manifest field order)
Each field is one TAB-joined record terminated by LF, in this exact order, EXCEPT
envelope_manifest_sha256 and detached_seal_sha256 (self / anchor), which are never hashed:

1. canonical_encoding_version
2. seal_version
3. blueprint_id
4. envelope_state
5. approved_status
6. approval_epoch
7. approved_by_role
8. approved_at_utc
9. parent_recheck_checkpoint_id
10. approved_by_recheck_checkpoint
11. next_required_recheck_on_change
12. digest_algorithm
13. full_document_hash_policy
14. active_corpus_membership_sha256
15. active_corpus_sha256
16. marker_fence_registry_sha256
17. superseded_boundary_sha256
18. guard_set_revision
19. guard_set_sha256
20. per-active-doc tuples (sorted by document_id), each `document_id \t doc_status \t active_section_id_or_range \t kb_revision \t normalized_active_content_sha256`
21. superseded_non_authority list (sorted)
22. detached_seal_anchor binding fields: codex_checkpoint_id, codex_checkpoint_kb_revision, codex_checkpoint_content_sha256, any_change_requires_new_recheck
Why each field is authority-bearing
Every field above changes what authoring may consume or whether approval is valid:
approval metadata (3–10) identifies who/when/which checkpoint approved; next_required_recheck_on_change
(11) is the fail-closed contract; digest_algorithm + canonical_encoding_version (1, 12) fix how to
verify; full_document_hash_policy (13) declares the diagnostic exclusion; 14–19 are the aggregate
content/structure digests; 20–21 are the exact active/superseded partition with per-doc revisions and
content hashes; 22 binds the immutable anchor. If any of these could change without changing the
manifest, an attacker (or an accidental edit) could alter authoring authority undetected.
Closed-set rule (the self-test #12 hole, closed)
The roster is a closed set. G-ENVELOPE-MANIFEST-AUTHORITY-COMPLETE fails closed if:
- an authority-bearing field is present in the live envelope but not in this roster (it would be editable without changing the manifest hash); or
- a roster field is missing from the live envelope; or
- an unknown/extra field is treated as authority.
Computationally modeled in doc 08 (test 12): live_fields − ROSTER non-empty → reject.
Fields deliberately excluded (with reason)
- envelope_manifest_sha256: the manifest cannot hash itself (circular). Excluded; the manifest value is what the detached seal pins.
- detached_seal_sha256: lives in the Codex detached seal, not the envelope authority set; excluded to avoid the anchor hashing the manifest that pins the anchor.
- per-doc full_document_sha256: declared NON_AUTHORITY_DIAGNOSTIC by full_document_hash_policy (which IS bound). It is recorded for human cross-check only; no guard depends on it. Excluding the values while binding the policy string is what removes the doc 00 self-reference (doc 04) without leaving an unbound authority field.
Self-reference safety
The manifest input excludes exactly the two self-referential fields (manifest + detached seal). The
live envelope's manifest is recomputed at authoring time and compared to the Codex detached seal's
sealed_envelope_manifest_sha256 (doc 06). Editing the live envelope changes the recomputed manifest →
diverges from the sealed anchor → ACTIVE_AUTHORITY_ENVELOPE_MISMATCH. There is no loop because the
manifest never includes itself and doc 00's own content hash excludes the whole envelope block.