Abstract
This document discloses, enables, and dedicates to the public a generalized database-integrity primitive together with its co-designed hardening. The primitive makes a protected state column writable only by a transaction that has, within the same transaction, appended a matching row to an append-only decision log. The linkage is realized without any application-level privilege: an AFTER INSERT trigger on the log writes a transaction-local marker (PostgreSQL setconfig(..., TRUE)) encoding the exact subject tuple and outcome just logged, delimited by the ASCII Unit Separator (chr(31)); a BEFORE UPDATE guard on the protected column raises an exception unless a same-transaction marker exists whose subject fields match the row being modified. Because the marker is convention-protected, not privilege-protected, three additional, mutually-referencing layers close the residual trust boundary: (1) a comment-stripping, string-flow CI scanner that fails the build on raw UPDATEs, dynamically-concatenated SQL, facade writes, and any application reference to the marker; (2) a red-team test that injects a second writer to prove the scanner is non-vacuous; and (3) an identity-blind deny route returning HTTP 403 for the forbidden direct-set path before authentication is consulted. The primitive is extracted as a parameterized shared core reused across multiple products. A clean-room, dependency-free Node.js (ESM) reference implementation accompanies this disclosure and demonstrates every property offline.
Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 License.
Recommended Citation
Assuncao, gustavo matthew, "Generalized Transaction-Local Provenance-Marker Single-Writer Column Enforcement with Co-Designed Forgery Scanner and Non-Vacuity Red-Team", Technical Disclosure Commons, (July 13, 2026)
https://www.tdcommons.org/dpubs_series/10879