E1_E2_Adjudication_Card.md
Memory Rebuild Docs/Stage_6_Charters/E1_E2_DOC81_Scope_Policy/E1_E2_Adjudication_Card.md
# E1/E2 (DOC81 Scope & Policy) — Design Red-Team Adjudication Card
**Date:** 2026-06-03 · **Adjudicator:** Cowork session (architect-supervised) · **Target:** `DOC81_Scope_Policy_Charter_Draft.md` (R1 + 2 CODEX fixes; 1,382 lines)
**Source reviews (this folder, `Reviews/`):**
- **CL** = `E1_E2_Design_Review_Claude_Opus_4.8.md` — verdict `DESIGN_REVISION_NEEDED` (scoped). 9 Blocking + 18 Substantive + 11 Minor + 5 NI; incorporates the **post-review architect discussion on privilege/egress (§1.5)**.
- **GPT** = `DOC81_consolidated_red_team_final_review_AUDITED.md` (the audited copy — egress vocabulary self-corrected; supersedes `DOC81_ChatGPT FULL_red_team_final_review.md`) — verdict `DESIGN_REVISION_NEEDED_BEFORE_RATIFICATION`. 15 Blocking + 20 Substantive + 10 Medium.
- **GK** = `S6 E1:E2 DOC81 Charter Grok RT Reviews.md` (initial + re-review pass) — verdict `MINOR_FIXES_THEN_RATIFY`. 6 Substantive + 3 Minor + 1 ARCHITECT_STOP.
**Synthesis discipline (binding):** every fix with positive net value is included; an item is excluded only if it is BOTH low-value AND high-cost, with reasoning shown. Findings verified against the draft + E0 + Round D R0.2 + Owner Map + ADQ ledger before acceptance — three reviewer claims were ground-truth-checked this round and all three confirmed (U6, U16, U27 notes).
---
## §0. Verdict reconciliation + bottom line
| Reviewer | Verdict | Architecture | What drives the verdict |
|---|---|---|---|
| CL | DESIGN_REVISION_NEEDED | A-grade, stands | Meet/scope **algebra** incomplete (9 blocking) |
| GPT | DESIGN_REVISION_NEEDED_BEFORE_RATIFICATION | A−, stands | Invariants **prose-backed, not schema-backed** (15 blocking) |
| GK | MINOR_FIXES_THEN_RATIFY | B+/A−, stands | Same defects, lower bar — his 4 "minor" fixes overlap CL/GPT blocking items |
**Adjudicated outcome: `DESIGN_REVISION_NEEDED` — one focused R2 revision round, then a delta re-review of changed sections only. Not a re-architecture.** All three reviews agree on the same three facts: (1) the architecture, ownership boundaries, scope/policy split, and E0 binding are correct and **stand untouched**; (2) the defects concentrate in the **executable layer** — the meet algebra, floors, ceilings, stamps, freshness, and the quantitative contracts; (3) every fix is paste-ready and none re-architects the family. GK's `MINOR_FIXES` verdict is overridden two-to-one, and on the merits: his own #1 finding (meet unknown-value handling) is the same defect CL B2/GPT B5 grade blocking.
**Convergence is the story.** Three independent models converged on the same core defects from different directions: the floor→axis table (CL B2 / GPT B8 / GK FLOOR_TO_AXIS_VALUE), the ceiling schema (CL B1 / GPT B6), malformed-axis fail-open (CL via lattice / GPT B5 / GK guard), the destination crosswalk (CL M4↑ / GPT B9 / GK ARCHITECT_STOP), obligation conflicts (CL B9 / GPT B12), equivalence-confidence laundering (CL B13 / GPT S3), and cascade idempotency (CL B5 / GPT S12 / GK). Independent convergence at this rate means these are real, not reviewer style.
---
## §1. Architect inputs binding this card (privilege/egress — CL §1.5)
The post-review architect discussion captured in CL §1.5 is **adjudication-binding** (architect-confirmed 2026-06-03). Its rules, restated, gate everything below:
1. **B20 stays WITHDRAWN.** Privilege is not composable from source privilege (facts aren't privileged; synthesis can create work-product; disclosed-elsewhere defeats privilege invisibly). The system **never makes a privilege determination with legal effect.** No `composeOutputPolicy(sources)` anywhere in DOC81.
2. **Privilege is an egress concern, not an internal access barrier.** DOC81 keeps the **egress decision shape** — destination-class distinction + a **confirmation-required disposition** (the §3.5 `PolicyDisambiguationRequest` shape). DOC81 decides *that* confirmation is required; it never runs it.
3. **OUT of DOC81 → DOC5 security/authorization rebuild + memory governance:** the egress guard (warn/check/block), third-party warning, Local Only mode, autonomous-send checkpoint, "remember until tomorrow" grants, the destination classifier, the privilege/sensitivity **taxonomy** + provenance derivation + user override, the confirmation UI (DOC20/Q).
4. **Sensitivity/privilege characterization enters DOC81 only as a consumed input-seam** (like `VisibilityClass` — referenced, never owned) feeding the conservatism floor and egress gating.
5. **No-save/Incognito rides the existing `mutation_authority` axis** — no new DOC81 surface.
6. **Firewall machinery is dormant until a screen is explicitly declared** — never computed, defaulted, or surfaced for a solo user. B13/B14 are correctness backstops that bite only when a screen exists; zero user-facing cost.
**Effect:** the CL B12 reframe is adopted (render destination-typing exists for local-model support + class distinction + feeding egress controls — **not** per-query cloud confirms); every GPT/GK item that would have pulled destination classification, confirmation flows, or a privilege taxonomy *into* DOC81 is trimmed to the decision-shape boundary above.
### §1-bis. Architect product rulings (2026-06-04 — binding on R2; where these conflict with a cluster or fork recommendation below, THIS section governs)
**R-1 — Internal-use-permissive / egress-gated (the architect's controlling principle: "privilege, privacy, and personal restrictions are meant to block sharing of information, mostly").** Internal use of the user's own memories — retrieval, local rendering, summaries, drafts delivered to the user — defaults to PERMITTED. The exhaustive internal-use block list is: (1) a declared ethical wall (`firewalled`); (2) a revoked/clawed-back source (incl. clawback orders); (3) sealed/protective-order material used outside its own matter (POs restrict *use*, not just sharing); (4) the malformed-record conservative containment (F1). **Nothing else may hard-block an internal-use action**: privilege never blocks internal use (egress-only, per §1); cross-matter confidentiality is handled as relevance/contamination ranking + the send-time gate on outputs, not an internal block; legal holds block destruction ONLY, never use; privacy topics block collection, so there is nothing saved to block. The restrictive machinery concentrates at: **save-time** (privacy topics, incognito, toggles, source exclusion, inert risky topics), **share-time** (the egress gate — typed destinations, send-time confirms, per-destination stamps), **delete-time** (holds, registry default-block), **learning-time** (sealed/firewalled/calibration gates). R2 adds lint **`policy.internal_use_blocked_without_qualifying_basis`** + a fixture: an internal-use block whose basis is not one of the four enumerated is a spec violation. The five-axis/action-scoped design already supports this — R2 states it as a normative default posture for internal actions.
**R-2 — Re-checks are fully silent; the ONLY human-approval event is a wall-crossing (supersedes the F8 recommendation).** Restamps after policy changes run autonomously in both directions (tighten AND restore-up-to-ceiling), including disclosure-raising restamps — because the send-time egress gate (DOC5) already provides the human checkpoint at the actual boundary; one human moment at the right place, not two. `RestampAuthority.human_required` is reserved for `firewalled`-boundary crossings only (dormant for a solo user per §1.6). No batch-approval queues for routine restoration.
**R-3 — Notices are surface-keyed; walls are invisible.** Material behind a declared wall produces NO notice — existence hidden, no count, nothing (confirms the Round D `not_disclosable` rule). For non-wall restrictions (other-matter material, PO material, personal-private, revoked sources): notices shown to the user **in-app** may be specific (matter name, counts — it is the user's own material on the user's machine, expressed as a more-open `ui_disclose` decision); any notice text that can be embedded in an **output** (draft text, export, delegation, anything that can leave) stays generic with bucketed counts (the U8 default). The action-scoped disclosure meet already supports the split (`ui_disclose` vs `render_*`/`export`); R2 states it as the default posture pair.
**R-4 — Privacy-topic ambiguity: don't save + reviewable** (architect-selected from U18's options): ambiguous matches to a suppress/exclude topic are NOT collected and the suppression is listed in a reviewable queue — no interrupting prompt. F1 contain-and-continue confirmed as the malformed-record default.
**R-5 — Multi-principal refinement (Phase-2 networking readiness; architect 2026-06-04).** R-1's "internal use" means **same principal, or principals authorized for the scope** — NOT "any user of a shared database." In Phase 2, delivering one principal's restricted memory to another user IS a sharing event: the egress concept generalizes from "leaves the machine" to "crosses a principal boundary." The contracts already carry the keys (required `principal_ref` on `PolicyEvaluationContext`; `owner_principal_ref` on `ScopeIdentityRoot`; `same_principal` in `relation_to_destination`; the U27(b) cross-principal-bleed invariant; NI-2 replication-safe meet). Per-user restriction rules arrive in Phase 2 as a new **producer** of principal-scoped `MemoryPolicyDecision`s from the DOC5 grants model — no DOC81 schema change. R2 MUST NOT bake a solo-principal assumption into any contract (no dropping principal keys as "unused"); add lint **`policy.internal_use_default_assumed_single_principal`** guarding the posture statement.
---
## §2. Unified finding clusters (deduped across the three reviews)
IDs: **U-n** = unified cluster. Sources cite reviewer IDs. "→ R2" names where the fix lands. Paste-ready bodies live in the named review sections — the R2 commission reads them directly; this card is the instruction layer and records every merge decision where reviewers diverged.
### §2.1 BLOCKING — gate ratification (15 clusters)
| U | Cluster | Sources | Adjudication + merge decision | → R2 |
|---|---|---|---|---|
| **U1** | **`PolicyLattice` + explicit rank maps + coherence + sticky-restrictive + normative step order.** The meet's algebra: typed chains with MIN-meet; unknown value throws→fail-closed; **B6** reveal-direction coherence (capability capped down to the disclosure ceiling, never disclosure raised); **B7** sticky-restrictive (`priorEffective` met in ⇒ input *removal* cannot widen without restamp — makes L1 true over the full op set); **B16** coherence runs last; **B11** floor total order aligned to the content chain; **B3** the E0 §2.2 `DomainProfileRestrictivenessVector` (verified present in E0, never consumed by the draft's meet) enters as an **always-present `DomainProfilePolicyContribution`** in step 2 — DOC81 owns the 9-axis→5-axis crosswalk semantics; the set is never empty, so ⊥ is reserved for "no policy," killing the usability cliff. | CL B2/B3/B6/B7/B11/B16 + NI-5 (§2.1/§2.4/§2.7); GPT #3 meet_v2 + §4.4 rank maps + B5; GK meet guard + floor composition | **ACCEPT — adopt CL §2.1 `PolicyLattice` as new DOC81 §3.0** (the single typed algebra), with GPT §4.4's explicit rank maps as the rank source (never enum declaration order). **Merge decision (F1):** malformed/unknown axis on an *applicable* decision → **floor that axis to ⊥** + record `malformed_axis` in `excluded_decision_refs` + lint (CL/GK position), not GPT's block-the-whole-action (one corrupt record must not DoS an ordinary request; the floored axis is equally safe). Adopt GPT's `excluded_decision_refs` audit field. | §3.0 (new), §3.1–§3.2 |
| **U2** | **Conservatism-floor → per-axis effect table.** `tighten_to_floor` is defined for 1 of 5 floors; 3 floors tag-but-don't-restrict; DOC84/DOC86 would interpret `safe_label_candidate` differently. | CL B2 (§2.2 `FLOOR_CEILING`); GPT B8 (§4.7 `ConservatismFloorEffect`); GK `FLOOR_TO_AXIS_VALUE` | **ACCEPT — adopt GPT §4.7's richer table shape** (`ConservatismFloorEffect`: per-axis maxima + disclosure vector + `movement_allowed` + `disambiguation_required` + `allowed_actions_before_disambiguation`), **seeded with the per-cell MEET of the CL and GPT proposals** (most-restrictive of the two — see §4 F3 for the merged seed). `user_disambiguation_candidate` additionally MUST raise a §3.5 request (CL). Seed values architect-confirmable; the table's existence is not. | §2.4 + §4.6 |
| **U3** | **`PolicyCeiling` schema + restamp chain integrity + discriminated union + trigger authority.** `original_ceiling_ref` is a dangling bare string (draft L38) — ADQ-316 unenforceable; restamp-of-restamp could rebase; `block` restamps carry an authorizing policy ref; the restamp *decision* is ungated. | CL B1/B21 (§2.5); GPT B6/B7 (§4.9.2–4.9.3) | **ACCEPT merged:** `PolicyCeilingSnapshot` with **per-(action, destination) axis ceilings** (GPT) captured at first stamp from the **step-2 policy grant, before the scope floor** (CL capture rule); `RestampChainIntegrity` — every restamp compares to the **root** snapshot, never a prior restamp (no ratcheting); restamp legality = `≤ MIN(root ceiling, CURRENT scope floor)` per axis (CL L4′); **discriminated union** keep/downgrade/block with `block` carrying NO `new_effective_policy_ref` (GPT B7); **`RestampAuthority`** tiers with `human_required` for disclosure-raising or cross-`firewalled` restamps (CL B21; F8). | §3.4 |
| **U4** | **Stamp triple-binding.** `PolicyStamp` carries ONE `EffectiveMemoryPolicyRef` while `PolicyStampScope` claims many actions/destinations — a retrieval-priced stamp can appear valid for render/export. GPT's #1-ranked runtime bug; verified against draft §3.4. | GPT B1 (§4.9.1) | **ACCEPT:** `PolicyStampScopeItem[]` — per-(action, destination?) item each binding its own `effective_policy_ref` + `original_ceiling_ref`; add `lifecycle_state` to the stamp. Invalidation reports **per-item axis deltas** (GPT §4.9.4). | §3.4 |
| **U5** | **Runtime freshness + generation precondition + bitemporal in-force + epoch serialization.** `policy_generation_id` alone can't invalidate after EC toggle/incognito/evaluator/registry/vocab changes (GPT B2); the meet never asserts scope+decisions share the active generation (CL B4); no valid-time predicate (CL B19); epoch supersession can fork/race (CL M7; GK CAS `epoch_version`). | GPT B2 + S17; CL B4/B19/M7; GK epoch_version + `PolicyEpochVersion` | **ACCEPT merged:** (a) `PolicyRuntimeFreshnessKey` (generation + `effective_state_generation_id` + compiled-evaluator hash + registry/vocab versions) on all runtime DOC81 artifacts — **declared by DOC81, components owned by EC/E0 and referenced** (no EC re-declaration); (b) meet step-0 generation-consistency precondition → `RE_PLAN_REQUIRED` (CL §2.4); (c) `valid_from`/`valid_to` + `isInForce(d, effectiveTime)` filter, with the **active epoch itself selected for `effectiveTime`** via `opened_at`/`closed_at` as its valid-time window (CL B19 + GK bitemporal-epoch); (d) epoch = **linear chain under EC CAS** with monotonic `epoch_version` (CL M7 + GK). GK's `PolicyEpochVersion` on E0 `MemoryMutationEnvelope` **declined as redundant** — E0 §7.1 CAS + the epoch chain cover Phase-1; forward-flag a global policy clock for Phase-2 (§5 D4). Cache-key specialization → U26. | §3.2, §3.6, new §3.0-adjacent |
| **U6** | **`PolicyEvaluationContext` + exposure context structurally carried.** Decisions are under-keyed — a local/interactive decision can be reused for a background/cloud evaluation; PropA's `ExposureContextSchema` (NEW-01) is named in §7.3 but not carried on any schema; Round D's `model_class`/`client_kind` were dropped (**verified: Round D L172–173 has both**). | GPT B3/B11 (§4.3); CL M2; GK exposure version-pin | **ACCEPT:** `PolicyEvaluationContext` carrying principal/surface/`exposure_context_ref` (PropA-owned, referenced — this makes the NEW-01 landing executable)/`model_class`/`client_kind`/`interaction_mode` (E0 value set)/bounded user-instruction ref + the applicability rule (context-compatible or excluded-with-reason). Strengthens, not changes, the §7.3 row. | §3.1 + new §3.0-adjacent |
| **U7** | **Egress: destination-specific decisions + render destination + the crosswalk. RESOLVES §13.5.** Destinationless decisions can satisfy an egress meet (GPT B4); render actions are destination-blind though `render→cloud_api` is egress under E0 §22 (CL B12, reframed per §1); the two destination vocabularies have no specified relationship (draft §13.5; GK ARCHITECT_STOP; CL M4↑; GPT B9). | GPT B4/B9 (§4.6/§4.8); CL B12 + M4↑ (§1.5/§2.4); GK §13.5 table | **ACCEPT merged, per the §1 boundary:** (a) egress precondition — for {export, delegate, carryover}: destination present + typed to the 8-value E0 §22 set + **at least one destination-specific applicable decision**; destinationless decisions tighten but never authorize (GPT §4.6(d)); (b) render actions carry `destination` **when content could leave the machine** — exists for local-model support + class distinction + feeding the DOC5 egress controls, NOT per-query confirms; emits the **confirmation-required disposition** for DOC5 (CL B12-reframed); (c) **`DestinationPolicyCrosswalk` lands in DOC81** as a **constraint table** — relation → *allowed* destination classes + floor + attestation-required + disposition (GPT §4.8 audited shape). **GK's total-function table is REJECTED** (§5 D3): it maps `unknown_destination`/`blocked_destination` to a nonexistent E0 class and invents `same_principal→local_file_export`; the audited-GPT constraint model (unknown fails closed *before* classing; relation never substitutes for class) is correct. | §3.1, §3.2, §4.6-adjacent; closes §13.5 |
| **U8** | **Disclosure: vector + scalar reconciliation + count bucketing.** The scalar axis and the `may_disclose_*` booleans are two unreconciled disclosure models (CL S6); the scalar can't carry count/title/reason aggregation (GPT B10); exact counts leak. | GPT B10 (§4.5); CL S6 + M10 (§2.6) | **ACCEPT merged:** `DisclosurePermissionVector` (booleans AND-meet; `count_disclosure_mode` none/bucketed/exact; `max_summary_fidelity`) is the **executable expansion**; the **scalar `disclosure_class` remains the lattice axis** and is **always derived from the vector** (`deriveDisclosureClass`), never independently set — one source of truth, both reviews satisfied. Exact counts only at `full`; bucketed otherwise (GPT bucket scheme). CL's `DISCLOSURE_ALLOWS` bounding becomes the vector↔scalar consistency lint. Derivation-function edge cases get an R2 pass + property fixture. CL M10's residue (aggregate-inference attacks) → Phase-2 forward-flag (§5 D10). | §3.1, §4.1–§4.2 |
| **U9** | **Obligations: conflict model + discharge proof + typed params + expanded kinds + owners.** Union accumulates contradictions (CL B9); no discharge proof so "blocking" is unenforceable (GPT B12); `parameters` untyped; the V15 fold-in rows have no obligation kinds to land on; DOC84/DOC86 discharge obligations but aren't legal owners. | GPT B12 (§4.11); CL B9 (§2.6); GK V15-01 mapping | **ACCEPT merged:** expanded `PolicyObligationKind` incl. the PropA/V15 kinds (`require_migration_plan`, `route_manual_review_only`, verifier-calibration, sealed/firewalled fixture+learning restrictions, DSPy eligibility, critique/counterfactual gates — makes §7.3 executable); typed per-kind parameter union; **CL's transitive dominance closure** for same-kind/dominated resolution; **GPT's `PolicyObligationConflict`** (fail-closed for the action) for genuinely contradictory residue (e.g. `confirmation_prompt_would_leak`); `PolicyObligationDischarge` proof required before movement; `enforcement_owner` += DOC84/DOC86 (ADQ-221: DOC8 stays excluded ✓); CL's `reconcileObligationAxis` (obligation→disclosure ceiling → re-cohere). | §3.3 (+§3.2 step) |
| **U10** | **Equivalence: cluster confidence + firewall guard.** Transitive collapse with no confidence composition launders weak chains; an inferred merge can cross a `firewalled` boundary → silent cross-matter breach. Litigation-critical. | CL B13 (§2.10); GPT S3 (§4.16.2) | **ACCEPT — CL's model as default (F2):** `ScopeEquivalenceCluster` with `cluster_confidence = MIN(spanning bindings)` (weakest link — no laundering), collapse only when ≥ the **strictest member** domain threshold, and **a firewall is crossed only by an `explicit_user_binding` naming both scopes — never by inference** (dormant for a solo user per §1.6). GPT's full-pairwise-matrix-or-zero recorded as the stricter fork alternative — declined as default (n²-evidence requirement defeats legitimate transitive dedupe; the firewall guard is the real safety net). Keep GPT's `collapse_disposition` field + pairwise evidence records where they exist. | §2.1 |
| **U11** | **Topology + traversal: acyclicity, closed registry, budgets, cycle handling.** `contains` can cycle (boundary derivation non-terminating); §8 `relation_kind` has a `\| string` escape hatch (verified, draft L1207) defeating exhaustiveness + default-deny; no depth/variant budget. | CL B14 (§2.10); GPT B13 + S18 (§4.22) | **ACCEPT merged:** `contains` edges form a DAG (EC rejects cycle-creating edges); only `{contains, source_membership→renamed, topic_membership→renamed}` traverse for containment, `{linked_library, analogical_relation}` are affinity-only (CL); **remove `\| string`** — closed `RelationTraversalPolicyRegistry` with `unknown_relation_kind_disposition` default-deny (GPT); `RelationTraversalBudget` (max depth — CL's 16 as seed, max variants, visited-set cycle handling, budget-exceeded fails closed) + `RelationTraversalExecutionTrace` with per-variant policy refs (GPT). | §2.2, §8 |
| **U12** | **Legal hold: destructive-job registry + selector + clearance.** The invariant binds only the *named* jobs by prose — a future destructive job can skip it; `hold_scope_ref` + optional `object_refs` selector semantics ambiguous; `LegalHoldClearanceRef` (E0 §3.3) dangles with no schema on the destruction path. | GPT B14/M9 (§4.21); CL S3 (§2.9) | **ACCEPT all, merged:** `LegalHoldSelector` discriminated union; `DestructiveJobLegalHoldRegistry` with **`default_for_unregistered_destructive_job: 'block'`** — the gate becomes structural at EC job registration (CL's framing), not enumerative; `LegalHoldClearance` schema (`hold_released`/`court_order`/`explicit_authorized_destruction`, human `authorized_by`). Litigation-grade three-way convergence. | §6.1 |
| **U13** | **DOC81→DOC86 export payload.** Too thin to render without recomputing or guessing: no per-(action,destination) eligibility, no disambiguation ref, no count policy, no freshness. | GPT B15 (§4.14); GK (add MFC ref) | **ACCEPT-MODIFIED (F7):** per-(action, destination) `scope_items` (effective-policy ref + `restamp_eligibility` incl. `requires_disambiguation`), disclosure vector + count policy, full safe-label constraints, `pending_disambiguation_ref`, `coordination_trace_ref`, freshness key, + optional `memory_flow_certificate_ref` for Inspector provenance (GK). **EXCISE GPT's `visible_action_disposition` enum** (`enabled`/`disabled_*`/`hidden_*`) — UI availability semantics are DOC86's `AvailabilityDisposition` territory (Owner Map L191; the exact boundary the CODEX fidelity fix already enforced once). DOC86 derives visibility from the exported policy *facts*. "DOC86 never recomputes the meet" rule retained. | §9 |
| **U14** | **§14.2 OPA-landing table is STALE.** The CODEX §7.3 fix did not propagate: §14.2 still carries R1's wrong mappings (verified — e.g. V15-02 listed "→ §4.2 disclosure + safe label" vs corrected §7.3 `SchemaMigrationPlan` → §3.3; V15-05 listed "→ §3.1 destination + §7.4 egress" vs corrected post-retrieval critique → §3.3/§6.3). The lineage table contradicts the operative table. | GPT §4.12 | **ACCEPT — blocking-class consistency defect.** Replace §14.2 with GPT §4.12's corrected table (verified row-accurate against the fixed §7.3). Add lint `propa.opa_landing_table_stale_after_fix`. *(Process note: this was a miss in our own CODEX fix application — fix-record updated at discharge.)* | §14.2 |
| **U15** | **Cascade execution: run state + ordering + idempotency + hold dominance.** 5-plane outcomes named but no per-plane state/receipts/retry — one plane can silently fail; re-fire not idempotent; revocation-triggered erasure vs active hold unstated; `last_active_support_edge_lost` is a conclusion-boolean with no denominator proof. | GPT S12/S13 (§4.20); CL B5/B17 (§2.8); GK idempotency + cascade×restamp race fixture | **ACCEPT merged:** `CascadingSourceInvalidationRun` — idempotency key, per-plane `PlaneCascadeStatus` (receipts/retry/degraded), execution order = **freeze-admission-then-the-5-planes**; plane outcomes are **idempotent monotone-DOWN set-to-floor transitions** (commute under concurrency, CL); **legal-hold dominance** — a held object is invalidated/suppressed, never destroyed (CL B17); `LastActiveSupportEdgeEvaluation` denominator proof (remaining-edge count + refs + polarity recompute-trace ref — also closes GK guess-point 2) (GPT S13); + a cascade×restamp race fixture (GK). **N3 framing preserved (F10):** exactly 5 settled planes; the DOC83 in-flight freeze is a **pre-fanout step**, not a 6th plane; GPT's `doc84_published_views` row is an outcome **within the DOC84 plane**, and the published-view lint gets its owner assigned there (GPT M6). | §5.1–§5.2 |
### §2.2 SUBSTANTIVE — fold all (15 clusters)
| U | Cluster | Sources | Adjudication | → R2 |
|---|---|---|---|---|
| **U16** | **Scope-resolution enrichment:** `unknown_synthetic` scope kind (the §2.4 empty path's "synthetic unknown scope" prose made executable, never reusing `global`); confidence **breakdown** = min-of-required-components (high identity-confidence must not mask low destination/classification confidence); population-generation inputs pinned on the result (so `ScopePopulationHealth` can actually invalidate it); multi-flag `ScopeProtectionStateDerivation` (max-restrictiveness summary, flags preserved, `unknown_sensitive` most restrictive). | GPT S1/S2/S5/S6 (§4.16); CL B8 fields | ACCEPT merged (+ U5's `evaluated_under_policy_generation_id`/`effective_time` and `thresholds_ref` land here). Protection-rank order architect-confirmable. | §2.1, §2.4–§2.5 |
| **U17** | **Threshold semantics:** comparator/equality-rule/version/hysteresis (`ThresholdEvaluation`); `DomainPolicyThresholds` home for `scope_confidence_floor` + `contamination_ceiling` with fail-closed defaults (1.0 / 0.0). Conservative defaults: confidence passes on ≥; risk blocks on ≥; NaN/missing fails closed; hysteresis may only tighten safety gates. | GPT S4 (§4.17); CL B8 (§2.7) | ACCEPT merged. | §4.6-adjacent |
| **U18** | **Collection suppression:** rank table (`collect<suppress<exclude`, most-restrictive wins, matched-empty edge → suppress; **no-topic-match → ordinary admission** — not suppress-everything); **ambiguous match involving any suppress/exclude candidate → fail-closed/review**; `exclude` gets the promised **existing-material backfill** contract (scan ref; cost via U25 quota). EC toggle/incognito composition keyed into freshness (U5). | GPT S10/S11 (§4.18) | ACCEPT. The ambiguity rule is the real privacy-topic protection. | §7.1 |
| **U19** | **Source exclusion:** fix the **input/output cycle** (verified — §7.2's rule carries `effective_policy_ref` while being an input to that meet) → `policy_input_decision_ref`; add `exclusion_closure` + `derived_artifact_classes_blocked` (segments, support edges, syntheses, context products, learning signals, cached delivery). | GPT S8/S9 (§4.19) | ACCEPT. Closure default architect-confirmable (recommend `source_and_derived_artifacts`). | §7.2, §4.3 |
| **U20** | **`learning_scope` gains `same_firewall_only`** (between `same_scope_only` and `partitioned`) — required by the V15-01 body (firewalled-source signals: same-firewall iteration only); plus GK's exact V15-01 axis mapping (sealed → `none`; firewalled → `same_firewall_only`; obligation carrier `restrict_firewalled_learning_to_same_firewall(firewall_scope_ref)`). | GPT S7; GK V15-01 | ACCEPT (F4): lattice value is primary (sourced to OPA_V3_18 §6.25 / DOC73 V1.5.1 §6D.10); the obligation kind (U9) is the PropA-input carrier compiling one-way into the axis. Chain change ripples to U1 rank maps + fixtures. | §3.1, §7.3 |
| **U21** | **DAMS cap + contamination, made derivable:** deterministic `eligibility_ceiling` derivation from the effective axes (CL's function ∪ GPT's incl. disclosure + redacted-product override hook); `PolicyCappedDAMSInput` keyed to context-product request/kind; `ContaminationRiskMeasurement` interface (model ref/generation, score+confidence, features) + the executable threshold-rule revision (threshold value/comparator/`block_on_equal`, GPT §4.26 — merge with U17's `ThresholdEvaluation`, keep the draft's four sourced dispositions). | CL B10 (§2.7); GPT S14/S15 (§4.25–§4.26) | ACCEPT-MODIFIED (F9): derivation + keying land in DOC81. The **measurement record is DOC84's product** (Owner Map L92 — computation @ DOC84): DOC81 names the consumed interface with `schema_owner: 'DOC84'` pending E7/E8 confirmation — a cross-charter handoff, not a DOC81-owned schema (one-owner rule). | §4.4 |
| **U22** | **Membrane disposition DERIVED, not synthesized. RESOLVES §13.4.** `PolicyMembraneDispositionDerivation`: disposition = f(effective policy, boundary kind, obligations) — blocked locality/fail-closed floor → `crossing_blocked`; pending disambiguation → `…requires_disambiguation`; reference-only fidelity → `…reference_only`; blocking obligations → `…with_obligations`; else permitted. | GPT M3 (§4.23); draft §13.4 | ACCEPT (F6): the synthesized 5-value enum is **confirmed** as the disposition vocabulary; what was open — its authority — is closed by making it derived. R2 specifies the derivation rule normatively. | §3.3; closes §13.4 |
| **U23** | **Disambiguation: blocking/non-blocking union + answer object + terminal states.** `defer` legal only when non-blocking; `deadline_at`; `PolicyDisambiguationAnswer` whose `effect` is **never a direct allow** — an answer only creates a new scope/policy input under the current generation and forces a new meet; terminal state machine. | GPT S20 + §4.15/§4.30; CL M6 | ACCEPT merged. The never-direct-allow invariant + `fixture.policy.user_confirmation_forces_new_meet_not_direct_allow` is the keystone. | §3.5 |
| **U24** | **`ScopeSearchCoverageProof`** — `not_found` may be emitted **iff** required scopes were fully searched (numerator/denominator + disposition); closes the Round D §6.3 `not_searched ≠ not_found` rule with a mechanism. | GPT S16 (§4.27) | ACCEPT. DOC81-owned (scope-plane object); EC produces. | §4.2-adjacent |
| **U25** | **Fan-out quota envelopes** for restamp-batch / cascade / exclude-backfill / traversal / legal-hold scans (estimates, maxima, `on_quota_exceeded` incl. fail-closed-for-affected, idempotency + progress). | GPT S19 (§4.29) | ACCEPT — ties to the E0 quota-lint family; prevents restamp/cascade storms on a single M4 Pro. | new §-block in §6 |
| **U26** | **Cache keys** for scope-resolution / effective-policy / UI-export artifacts (composition over U5's freshness key + topology/equivalence/population/classification generations + contributing-decision and obligation-set hashes; exact-match reuse only). | GPT S17 (§4.28); CL B4/B19 substrate | ACCEPT. DOC81 specializes E0 reproducibility; components referenced, not re-owned. | §6.4-adjacent |
| **U27** | **Tightening propagation + portability + Project seam:** (a) consumption-time re-gate — every consumption (delivery, learning replay, UI display) re-gates against current effective policy; tightening is not retroactive claw-back (CL B15, bitemporal framing); (b) portability/separation invariant — an export bundle must not carry memory eligible only under a different principal/scope (CL S1; multi-principal readiness); (c) **Round D §3.8 Project↔scope seam** (verified present at RD L663: "a Project may seed scope identity, but only as an operational hint") — hint-only; no truth identity, no boundary override, no policy broadening, no proof. | CL B15/S1/S2 (§2.9–2.10) | ACCEPT all three. (c) closes a verified source-coverage gap (§14.3 stops at §3.7). | §6.3, new §6.5, §2.2 |
| **U28** | **Lifecycle states + durable/derived split:** lifecycle fields/unions on the ~10 long-lived objects (equivalence binding, container relation, stamp, restamp, disambiguation, cascade, suppression governance, exclusion rule, topic risk, legal hold); drop `E0DurableRecord` from per-request **derived** objects (`ScopeResolutionResult`, `ScopeBoundary`, meet result, `PolicyMembraneDecision`, `PolicyCappedDAMSInput`) or mark `derived_projection`; add the E0 §6 classification rows. | GPT §4.30; CL S5 (§2.12) | ACCEPT merged — the two interlock (lifecycle is for durables; derived objects carry none). | throughout + §14.3 |
| **U29** | **Action closure + permission predicates:** terminal actions imply prerequisite policy checks (render_inline ⇒ retrieve + render_inline + ui_disclose all policy-checked); per-action required-minima predicate table. | GPT §4.10 | ACCEPT-MODIFIED: the **closure table** lands normatively (closes real holes — a render with no retrieve-check). The **predicate minima** land as an architect-confirmable seed (they encode per-action coherence; values reviewed at R2 confirm). | new §4.7 |
| **U30** | **Misc verified substantive:** `VisibilityClass = string` → owner/version-qualified `ExternalVocabularyValueRef` (GPT M7); `ScopeContainerRelation` `source_membership`/`topic_membership` **renamed** to `source_topology_link`/`topic_topology_link` (GPT M1 — §6.2 non-overlap hygiene; Round D values recorded as renamed-from in Retired-Names style); `policy_load_bearing` boolean → optional `load_bearing_effects` (actions × tighten-axes × max-floor, `may_widen: false`) (GPT M2). | GPT M1/M2/M7 | ACCEPT all three (M1/M2 promoted from GPT's "medium" — they guard the §6.2 invariant). | §2.1–§2.2 |
### §2.3 MINOR — fold (cheap)
**U31 Brands (CL S7 + GPT M8, converged):** all ~16 DOC81 primary IDs + the §0 alias block become real brands — `type X = string & { readonly __b: 'X' }` / GPT's `Brand<T,B>`; lint `schema.primary_id_not_branded`. **U32 Tracking rows (CL S4 + S5-part):** add Owner Map rows for every new U-cluster schema (inventory in §6); fix §6.1's `LegalHoldState` citation to "Skeletal §10.3" only. **U33 Batch:** CL M1 (lint-count reword: 11 of the 16 plan-§17.4 lints are DOC81's; name + route the 5 E10/DOC86 ones), CL M3 (brand the cascade refs), CL M5 (golden-scenario phases 2/8/11.5 + §20 `MemoryCoordinationTrace` row), CL M8 (UI→policy is a command/event via EC, not an import — one-line §9 note), CL M9 (§2.1 reason-codes bind to E0 registry), CL M11 (`content_fidelity` documented as content-quantity; identity-disclosure lives on axis 5), GPT M5 (`default_label_ref` **forbidden** when `not_disclosable`; required iff existence disclosable — + lint `safe_label.default_label_present_when_not_disclosable`; adopt the full GPT §4.13 `SafeLabelDisclosurePolicy` revision incl. `internal_suppressed_manifest_label_ref`, the internal-only audit/Inspector label), GPT M4 (`TopicRiskConfirmation` proof object — who/when/scope of the ADQ-213 confirmation; adopt from GPT §4.24 the proof object + `confirmation_ref` + `auto_created_lens_only` **ONLY — see D12 for the declined enum swap in the same patch**), GPT M10 (E0 header/status drift cleanup at the ratification pack), GK (`PolicyUIExport.memory_flow_certificate_ref?` — folded into U13). **NI adoptions:** **NI-1 property-based fixtures** for the algebraic laws (meet idempotence/commutativity/associativity; monotone-down under add AND remove; coherence invariant; obligation-resolution transitivity; floor-clamp idempotence) — ACCEPT into the Stage-8 fixture taxonomy + GPT §8's edge-case fixture list merged; **NI-2/NI-3/NI-4** (CRDT meet-semilattice = Phase-2 networking readiness; DIFC/declassification framing; Cedar/XACML/OPA reference models) — ACCEPT as a short §3.0 design-rationale note (cheap, anchors Stage-7 implementers in studied models).
---
## §3. Specific-question verdicts (cross-review, after fixes)
| Commission question | Adjudicated answer |
|---|---|
| §3.1 Meet correct? | Right shape, wrong algebra as written (U1/U2/U5/U6/U7/U8). Correct after R2. |
| §3.2 Restamp/monotonicity? | Law correct, unenforceable as written (U3/U4); B7 makes L1 true over removals. |
| §3.3 5-plane cascade? | Planes complete + compose with E0; execution proof missing (U15). |
| §3.4 LegalHold? | Invariant right; enumerated-jobs-by-prose → structural registry (U12). |
| §3.5 collection_mode? | Watertight on the happy path (all three confirm); ambiguity + backfill close it (U18). |
| §3.6 PropA fold? | §7.3 clean (all three confirm) — but §14.2 stale (U14) + obligations/context needed to make it executable (U6/U9/U20). |
| §3.7 Relation traversal? | Rule right; `\| string` + no budget defeat it (U11). |
| §3.8 DOC81→DOC86? | Direction/acyclicity clean (all three); payload too thin (U13). |
| §3.9 Scope model? | Sound + right-sized (all three); U10/U11/U16 close the seams. |
| §3.10 Ratify? | **Not yet — after R2 + delta re-review.** |
---
## §4. Fork decisions (decided in-card; architect veto-able)
| F | Decision | Alternative declined |
|---|---|---|
| F1 | Malformed axis on an applicable decision → floor THAT axis to ⊥ + audit + lint | GPT: block the whole action (one corrupt record DoSes ordinary use; flooring is equally safe per-axis) |
| F2 | Cluster confidence = MIN over spanning bindings + strictest-member threshold + firewall-crossing only by explicit user binding | GPT: full n(n−1)/2 pairwise matrix or confidence=0 (defeats legitimate transitive dedupe; firewall guard is the real protection) |
| F3 | Floor seed table = per-cell MEET of CL §2.2 + GPT §4.7 proposals. Merged seed: `reference_only_candidate` {ref_only, local_only, audit_only, candidate_only, **generic_safe_label_only**}; `safe_label_candidate` {safe_label, local_only, none, **none**, generic_safe_label_only}; `user_disambiguation_candidate` {**none**, blocked, none, none, **existence_only**} + MUST raise §3.5 request; `fail_closed_candidate` = ⊥ all axes; `normal_policy_check` = ⊤ (no cap). **All intermediate values architect-confirm at R2 review.** | Either single proposal as-is |
| F4 | `same_firewall_only` inserted into the `learning_scope` chain (`same_scope_only ⊏ same_firewall_only ⊏ partitioned`); obligation kind is the carrier | Obligation-only modeling (loses the meet-able lattice value the V15-01 body requires) |
| F5 | §13.5 crosswalk = **constraint table in DOC81** (relation → allowed classes + floor + attestation flags) | Deferring to EC (GK's ARCHITECT_STOP point stands: the seam invites an E0 §22 default-deny violation); GK's total-function table (factually wrong) |
| F6 | §13.4 disposition enum **confirmed**; authority closed by derivation table (U22) | Re-sourcing the enum (nothing better exists; derivation removes the synthesis concern) |
| F7 | `visible_action_disposition` EXCLUDED from `PolicyUIExport` — DOC86 derives visibility from exported policy facts | GPT's enabled/disabled/hidden enum (recreates the `AvailabilityDisposition` boundary creep the fidelity audit removed) |
| F8 | ~~Disclosure-raising or cross-firewall ⇒ `human_required`~~ **SUPERSEDED BY R-2 (architect):** restamps fully autonomous within ceilings, both directions; `human_required` for `firewalled` crossings ONLY — the send-time egress gate is the human checkpoint for disclosure-sensitive material | Ungated restamp decision (B21); always-human; per-event disclosure approvals (double-gating — the egress gate already covers the boundary) |
| F9 | `ContaminationRiskMeasurement` = DOC84-owned consumed interface (named here, confirmed at E7/E8) | DOC81 ownership (violates Owner Map L92 computation split) |
| F10 | "Exactly 5 planes" language preserved; DOC83 freeze = pre-fanout step; published-views = row within the DOC84 plane with assigned lint owner | A 6th plane (contradicts ratified N3/UR-08/09) |
---
## §5. Declined / withdrawn / forward-flagged (value-vs-cost shown)
| D | Item | Disposition |
|---|---|---|
| D1 | GK: "snake_case/camelCase branded-ref drift; standardize camelCase" | **DECLINE** — unsubstantiated: the draft is uniformly PascalCase types + snake_case fields, matching E0. No instance cited. |
| D2 | GK: add `defer_to_safe_label_only` to `fallback_if_unanswered` | **DECLINE** — un-sourced enum growth (phantom risk); U23's union + answer object solve the actual timeout problem. |
| D3 | GK: §13.5 crosswalk as a total function relation→class | **DECLINE** — maps unknown/blocked to a nonexistent E0 class; `same_principal→local_file_export` invented. Superseded by U7/F5. |
| D4 | GK: `PolicyEpochVersion` on E0 `MemoryMutationEnvelope` (global policy clock) | **FORWARD-FLAG Phase-2** — cross-doc E0 edit; Phase-1 single-EC is covered by U5 (epoch CAS chain + E0 §7.1). Recorded for the networking phase. |
| D5 | GPT: `visible_action_disposition` on the UI export | **DECLINE** (F7) — DOC86 boundary. |
| D6 | GK: formal lattice proofs (math docs) | **DECLINE for Stage 6** (high cost) — NI-1 property fixtures deliver the same assurance executably. Revisit at A+ polish. |
| D7 | GPT: full-pairwise equivalence matrix as the default | **DECLINE as default** (F2) — recorded as stricter alternative. |
| D8 | CL B20 (output inherits source-privilege meet) | **WITHDRAWN by architect** (§1.1) — stays withdrawn; kernel routes to DOC5 + the sensitivity input-seam. |
| D9 | CL B18 (disambiguation timeout unhandled) | **Already handled** in the draft (CL self-declined); only U23 refinements remain. |
| D10 | CL M10 residue: count/aggregate **inference** attacks (N queries triangulating a protected object) | **FORWARD-FLAG Phase-2** — U8's bucketing closes the cheap leak now; query-correlation defense is a cross-cutting Phase-2 concern. |
| D11 | GK: multi-principal axis on `ScopeAffinity` | **DECLINE** — `principal_ref` already on `ScopeResolutionResult`/context (U6); affinity stays a relevance axis. U27(b) carries the multi-principal separation invariant. |
| D12 | GPT §4.24's **silent `TopicRiskClass.risk_level` enum swap** — replaces the draft's `unbounded_requires_review` with `unknown` | **DECLINE** — the draft's value set is the sourced one (ADQ-213 landing); GPT's swap is an unsourced regression that loses the requires-review semantics. The §4.24 *additions* (confirmation proof, `auto_created_lens_only`) land via U33; the enum stands. Caught at audit — a reminder that adopted patch packs must be diffed field-by-field at R2 application, not pasted whole (regression-checklist item 2/5 applies). |
---
## §6. New-schema inventory for R2 (Owner Map discharge list)
**New DOC81-owned contracts** (~28): `PolicyLattice` (§3.0 module: chains/`PolicyPoint`/`BOTTOM`/`TOP`/`meetPoints`/`makeCoherent`), `ConservatismFloorEffect` (+ floor chain + `meetFloors`), `PolicyCeilingSnapshot`, `RestampChainIntegrity`, `RestampAuthority`, restamp union (Keep/Downgrade/Block), `PolicyStampScopeItem`, `PolicyRuntimeFreshnessKey`, `PolicyEvaluationContext`, `DomainPolicyThresholds`, `DomainProfilePolicyContribution` (B3 — DOC81 owns the 9-axis→5-axis crosswalk semantics; the registry stays E0's), `DestinationPolicyCrosswalk`, `DisclosurePermissionVector` (+ `CountDisclosurePolicy`), `PolicyObligationConflict`, `PolicyObligationDischarge`, typed obligation union, `PolicyDisambiguationAnswer` (+ lifecycle states), `ScopeEquivalenceCluster` (+ `ScopeEquivalencePairEvidence`), `ScopeResolutionConfidenceBreakdown`, `ScopeProtectionStateDerivation`, `ScopeSearchCoverageProof`, `ThresholdEvaluation`, `CascadingSourceInvalidationRun` (+ `PlaneCascadeStatus`), `LastActiveSupportEdgeEvaluation`, `LegalHoldSelector`, `LegalHoldClearance`, `DestructiveJobLegalHoldGate`/`Registry`, `CollectionSuppressionEvaluation`, `RelationTraversalPolicyRegistry`/`Budget`/`ExecutionTrace`, `PolicyMembraneDispositionDerivation`, `TopicRiskConfirmation`, `EligibilityCeilingDerivation`, `MemoryPolicyActionClosureRule`, `ActionPermissionPredicate`, `DOC81BatchOperationQuotaEnvelope`.
**Cross-charter named-not-owned:** `ContaminationRiskMeasurement` (DOC84, F9); `ExternalVocabularyValueRef` pattern (vocab owners). **Plus** CL S4's row list for the R1 objects that never got Owner Map rows (`PolicyStampRestamp`, `CollectionModeSuppressionGovernance`, `SourceExclusionFilterRule`, `RelationTraversalScopeCheckPolicy`, `PolicyUIExport`, `LegalHoldState` citation fix).
**Magnitude note:** R2 roughly doubles the charter (≈1,400 → ≈2,600 lines). That is the *intended* charter weight — the reviews converge that these ARE the contracts downstream charters bind to; deferring them to Stage 7 re-creates the guess-points the no-phantom discipline exists to kill. Value-table *seeds* (floor cells, predicate minima, crosswalk rows, protection ranks) are marked architect-confirm so the shapes land now and the constants get one cheap confirm pass.
---
## §7. R2 application plan (edit units, by draft section)
| # | Section | Edit unit | Clusters |
|---|---|---|---|
| 1 | **NEW §3.0** | `PolicyLattice` + rank maps + `PolicyRuntimeFreshnessKey` + `PolicyEvaluationContext` + NI-2/3/4 rationale note | U1, U5, U6 |
| 2 | §2.1–§2.2 | Equivalence cluster + firewall guard; `unknown_synthetic`; DAG + renames (`*_topology_link`) + `load_bearing_effects`; Project↔scope seam; `VisibilityClassRef` | U10, U11, U16, U27c, U30 |
| 3 | §2.4–§2.5 | Floor order + `ConservatismFloorEffect` (F3 seed); confidence breakdown; population pinning; protection derivation; generation/time stamps; `ScopeSearchCoverageProof` | U2, U16, U24, U5 |
| 4 | §3.1 | Brands; `same_firewall_only`; context ref; disclosure vector field; `model_class`/`client_kind`; valid-time window | U31, U20, U6, U8, U5 |
| 5 | §3.2 | **meet v2** — full ordered normative pipeline (generation precondition → in-force filter → context applicability → per-axis MIN incl. domain contribution → floor → sticky-restrictive → obligations resolve/reconcile → coherence LAST → egress gate) + `excluded_decision_refs` + lints | U1, U5, U6, U7, U9 |
| 6 | §3.3 | Obligation kinds/union/conflict/discharge/owners; membrane derivation table | U9, U22 |
| 7 | §3.4 | Ceiling snapshot + chain integrity + restamp union + authority + stamp scope-items + per-item invalidation deltas | U3, U4 |
| 8 | §3.5–§3.6 | Disambiguation union + answer + terminal states; epoch CAS chain | U23, U5 |
| 9 | §4.1–§4.2 | Disclosure vector + derivation + count policy + `DISCLOSURE_ALLOWS` lint; safe-label conditionality + internal manifest label (GPT §4.13) | U8, U33 |
| 10 | §4.3–§4.5 | Envelope refs (exclusion rules, gate result, governance ref); DAMS derivation + keying; contamination measurement interface + executable threshold rule (F9, GPT §4.25–§4.26); `TopicRiskConfirmation` (D12 enum guard) | U19, U21, U33 |
| 11 | §4.6 + NEW §4.7 | `ThresholdEvaluation` + `DomainPolicyThresholds`; `DestinationPolicyCrosswalk` constraint table (F5); action closure + predicates (seed) | U17, U7, U29 |
| 12 | §5 | Cascade run state + ordering + hold dominance + `LastActiveSupportEdgeEvaluation` + F10 framing | U15 |
| 13 | §6 | Legal-hold selector/registry/clearance; tightening consumption re-gate; NEW §6.5 portability; cache keys; quota envelopes | U12, U27a/b, U26, U25 |
| 14 | §7 | Suppression rank/ambiguity/backfill; exclusion cycle fix + closure; V15-01 exact mapping | U18, U19, U20 |
| 15 | §8 | Closed registry + default-deny + budget + trace | U11 |
| 16 | §9 | Expanded `PolicyUIExport` (F7 exclusion applied) + M8 command note | U13, U33 |
| 17 | §10–§11 | New lints/fixtures rolled up; NI-1 property-fixture family; M1 lint-count fix | U33, NI-1 |
| 18 | §12–§13 | §12-bis: golden-scenario steps 2 (preflight) / 8 (re-check) / 11.5 (egress) + the §20 `MemoryCoordinationTrace` row + degraded states (CL M5); §13.4 → RESOLVED (U22); §13.5 → RESOLVED (U7); §13.1/§13.2 → CONFIRMED (see below); lifecycle/derived split notes | U33, U22, U7, U28 |
| 19 | §14 | **§14.2 replaced** (U14); §14.3 adds Round D §3.8 + new SM/Owner rows; classification rows | U14, U27c, U32, U28 |
**§13 dispositions:** **§13.1 CONFIRMED** — the `ScopeAffinity` union stands (CL: correct no-loss reconciliation; GK: right traceable choice); R2 adds a one-line definition of `shared` (GPT B+ note). **§13.2 CONFIRMED** — `existence_only ⊏ generic_safe_label_only` (CL: sound; GK: "mathematically correct… total order holds"). **§13.4 RESOLVED** (U22/F6). **§13.5 RESOLVED** (U7/F5). → R1's two OFAR items go to zero; R2 introduces architect-confirm *seeds* (F3 floor cells, U29 predicate minima, U16 protection rank, U19 closure default, F8 tier mapping) which are value-constants, not open design questions.
**R2 regression checklist (the §15.5-style gate):** (1) no E0 contract re-declared (the freshness key + context reference EC/E0 components, never redefine them); (2) no retired name reintroduced; (3) B1 acyclicity — §9 still exports downward only; (4) §7.3 ↔ §14.2 row-for-row consistent; (5) one-owner — every new schema names exactly one owner; F7/F9 boundaries held; (6) `| string` escapes = 0; bare-string primary IDs = 0; (7) the §10 gate+lint+fixture triple extended to every new invariant (freshness, triple-binding, coherence, sticky-restrictive, closure, dormant-firewall); (8) golden scenario + §18 fixture set updated for the new chain value (U20) and the egress phase; (9) line count and §0 bind-list updated; (10) CL §1.5 boundary audit — nothing classifies destinations, runs confirmations, or owns a privilege taxonomy.
---
## §8. Process + next steps
1. **Architect reviews this card** — especially §4 forks (F1–F10) and the §6 magnitude note. Anything vetoed is struck before application.
2. **R2 application commission** (Claude Code): apply §7's 19 edit units against the draft, reading the paste-ready bodies from the three reviews per the U-cluster pointers + this card's merge decisions. Same hard constraints as E0 application (no files outside the charter folder; no git; report per edit unit).
3. **CODEX application-fidelity audit** of R2 (did the card land as written — including U14's own lesson: lineage tables updated with operative tables).
4. **Delta design re-review** (ChatGPT + Claude) of changed sections only, per CL's recommendation.
5. **Ratification + discharge sweep** (Owner Map rows from §6; SM/Retired-Names entries for the U30 renames; OPA notes; `E1_E2_CODEX_Audit_Fix_Record.md` addendum recording the §14.2 miss).
*End of adjudication card. Every finding in the three reviews is dispositioned above (accepted into a U-cluster, declined in §5 with reasoning, or confirmed). Git history is the version record.*