Codex Required Patches — PIDX v0.2

Static re-review carry-forward only. No build authorization; no DDL/DML executed.

HIGH — H1 Gate procedure lifecycle and unknown usability

• Include the top-level pidx_procedure.status in rollup: non-active procedure cannot return READY.
• For lifecycle-bearing sources, NULL/unrecognized lifecycle must not silently satisfy with no warning.
• Add SOURCE_USABILITY_UNKNOWN or equivalent and define whether required unknown usability is NOT_READY or RWW; it must never be bare READY.
• Make bare ambiguous-label usability deterministic across all matched rows.
• Add top-level retired/draft and required inactive/unknown-lifecycle tests.

HIGH — H2 Enforce immutable identity and retire-only behavior

• Keep surrogate IDs and RESTRICT FK.
• Specify roles/grants so normal/governed writers cannot DELETE procedures or UPDATE procedure_code.
• Use retirement for lifecycle changes.
• Add paired verifier checks for attempted delete/code mutation and dependency conservation.
• Do not rely on comments or “immutable by policy.”

HIGH — H3 Make rollback fail closed on data and provenance

• Add seed/provenance metadata to ingredient rows or another exact way to distinguish seed from non-seed declarations.
• Enforce the non-seed guard inside the rollback transaction with RAISE EXCEPTION.
• Require and verify a backup artifact before any drop when data is present.
• Expand dependency evidence beyond view rewrites; retain no-CASCADE as final guard.
• Replace the relation-name MD5 with structural fingerprints/object-definition evidence and persist pre/post values.

HIGH — H4 Complete the governed build/access/idempotency contract

• Decide Điều 33/Directus classification before generating executable build artifacts.
• Specify object owner, reader/writer roles, GRANT/REVOKE, view security behavior, and context_pack_readonly access.
• Provide a concrete idempotent registered migration DOT (or equivalent governed artifact) and paired Cấp-A verifier; prose saying “idempotent later” is insufficient.
• Add collision, exact-definition, grants, and negative-permission assertions.

HIGH — H5 Correct and extend deterministic tests

• Correct expected totals to READY×3, READY_WITH_WARNINGS×2, NOT_READY×6, UNMAPPED×2.
• Add top-level draft/retired procedure tests.
• Add required inactive and unknown lifecycle tests.
• Actually test bare-label resolution; document AMBIGUOUS_LABEL as unexercised/N/A while current data has no duplicates.
• Add trigger dedup and post-build access/grant assertions.
• Statically validate the exact complete CREATE VIEW text before authorization without executing DDL.

MEDIUM — M1 Align warning causes

• Emit APPROVAL_HANDLER_UNIMPLEMENTED only when the handler is absent/unimplemented.
• Emit SOURCE_NOT_USABLE for inactive/retired approval lifecycle.
• Align label ambiguity warnings between facet-qualified inventory rows and bare readiness refs.

MEDIUM — M2 Complete READ_BLOCKED semantics

• Decide whether READ_BLOCKED is schema-only.
• If it means “source cannot be verified,” include object-level SELECT/EXECUTE privilege facts so inaccessible objects do not false-MISSING.

LOW — L1 Remove static SQL ambiguity

• Write LATERAL unnest(t7.warns) AS u(w) and aggregate w explicitly.
• Add an exact SQL parse/lint evidence step for the complete statements.

Re-review acceptance gate

v0.3 is ready for final static re-review only when:

1. no inactive/retired/unknown-usability procedure can return bare READY;
2. immutable identity/delete rules are enforced by permissions/gateway plus verifier;
3. rollback aborts on unprotected data and has exact provenance/backup/fingerprint evidence;
4. governed apply/access/idempotency is concrete;
5. all 13 expected rows and new negative tests are internally consistent.