{"hash":"935f3cc04e7e814d5dec8c695a9f409e37945ce5848d404cebd79d7b26c59e71","short_code":"2026-05-12T23:37:00+00:00","title":"PERMIT — surface_authority for lightsail_kernel: drift-fix + boot-guard-wired (timeline cf20d5f9 + unit with ExecStartPre 368be7d7); supersedes f048d1ef","kind":"surface_authority","principal":"doctortheisen","scope_tag":"lightsail_kernel","tier":"architect","issued_at":"2026-05-12T23:37:00+00:00","expires_at":"","surface":"espadvisorygroup.com Lightsail FastAPI kernel + boot guard + systemd unit","chain_hash":"","conditions":[["polymorphic_typed_hole","Each GOVERNED_FILES entry is polymorphic: {path, sha256, bytes, kernel_code_block}. kernel_code_block accepts string hash or [[]] typed hole."],["captured_at","2026-05-12T23:31Z (sha refresh after parallel session deploy + new unit content)"],["bytes_total_governed",56366],["governance_invariant","Identity-via-name doesn't transfer approval; identity-via-hash does. Boot guard refuses uvicorn if any disk sha != authority sha."],["unit_change_critical","/etc/systemd/system/... entry changed: kernel_code_block now 56befcd6 (with ExecStartPre line). Disk file at /etc/systemd/system/espadvisory-kernel.service still has OLD content (sha 3c13bc81). Phase 2 sudo cp + daemon-reload + restart needed to align disk with authority — UNTIL THAT HAPPENS, guard would FAIL on the unit if invoked. Guard NOT YET invoked at boot (current unit has no ExecStartPre)."],["filled_blocks_count","5 of 10 entries now have kernel_code_block hash (main, config, timeline NEW, guard, unit NEW). 5 routers still [[]]."]],"hash_short":"935f3cc04e7e","register_source":"espadvisorygroup_sister","register_genesis":"f3363f614347023565e0916ed13eff0c6ca42d830b60f2a56c56612975b2f91c","federation_note":"v_permit row from sister register; mint event sha256 preserved in main FIELD.db; bundler declaration at 110b3009"}