02 - Non-Self-Referential Revision Anchor (recheck-7 blocker A)

Load-bearing copy: doc 00 §Codex detached seal anchor contract — non-self-referential revision anchor. This doc is the rationale.

The defect (revision-layer self-reference)

Recheck-6 broke the content-hash cycle (N1–N9 DAG, accepted), but left a revision-layer cycle: the anchor required the recheck-N Codex checkpoint's own platform revision to be recorded (in doc 00) and read back for equality. A platform revision is assigned only after the write; recording it forces another write at a new revision; and because doc 00 (which records it) is itself sealed by the detached seal in that checkpoint, the value must be known before sealing — circular. Codex: "the procedure cannot complete in a finite, predeclared sequence without improvisation."

The fix — Option 1 (parent/child detached seal), own-revision NOT load-bearing

• The detached seal binds prior, already-existing inputs: sealed_envelope_manifest_sha256 (N7), sealed_active_corpus_sha256 (N6), sealed_active_membership_hash (N2), guard_set (N5), the canonicalizer SSOT hash, and parent_checkpoint_id (the recheck-7 checkpoint — already written, its revision already assigned). It records no revision of its own checkpoint.
• The recheck-N checkpoint's own platform revision is reclassified NON_AUTHORITY_DIAGNOSTIC (post-seal audit only); it gates nothing; no read-back equality on it.
• Seal authority = detached_seal_sha256 content recompute over the live seal block (excl detached_seal_sha256 + signature) == recorded, plus MCP read-back that the seal block exists; plus the manifest/corpus/canonicalizer hash equalities.

Finite ordered sealing procedure (no improvisation)

1. T1 (now): STAGE the envelope with SEAL_AT_CODEX_RECHECK_8 placeholders + the canonicalizer SSOT identity.
2. Codex (recheck 8): compute all content hashes via the SSOT; author the CODEX_DETACHED_SEAL in the recheck-8 checkpoint binding N2/N5/N6/N7 + canonicalizer hash + parent_checkpoint_id. No own-revision.
3. Platform: assigns the recheck-8 checkpoint a revision after step 2.
4. Optional follow-on diagnostic (post-seal audit only): record that revision + checkpoint content hash as NON_AUTHORITY_DIAGNOSTIC; not sealed, gates nothing.

Each step uses only values that exist when it runs. No value is needed before it exists. (G-NO-SELF-REVISION-ANCHOR, status SELF_REVISION_ANCHOR_REJECTED.)

Explicitly accepted weaker guarantee

This detects any content edit of the seal block (via detached_seal_sha256 recompute) but, by design, no longer detects a hypothetical same-content re-write at a different revision. Without a cryptographic/platform-immutable signature, that residual is accepted and compensated by separation of duties (the checkpoint is Codex-authored, not T1/Directus-editable) + "any checkpoint change → fresh recheck." Codex offered exactly this (option 3 of its anchor recheck) as acceptable.

Why this is the implementer-proof form

There is now a finite, predeclared sequence with no step that depends on a not-yet-existing value, and no load-bearing field is a self-revision. The self-revision detector in the SSOT (SELF_REVISION_INPUTS must be empty; adding a self edge is detected as a cycle) is run in --selftest (doc 07, scenario 15).