KB-42E4

Checkpoint BIRTH Stage2.6A-FIX5 QT-001 Remove Legacy Planner + False-Proof Rebuild

Revision 1
Tags: checkpoint, qt001, fix5, stage2.6a, callgraph, hardcode, pg-driven, birth

Checkpoint — BIRTH Stage 2.6A-FIX5 — QT-001 Remove Legacy Planner v2 + False-Proof Rebuild

Date: 2026-06-07. Mode: EXECUTION (principal-delegate). Live mutation: YES (additive/reversible/birth-neutral). MCP read-back: PASS. Status: PARTIAL → STAGE2_6A_FIX5_LEGACY_PLANNER_REMOVED_FALSE_PROOF_REBUILT_READY_FOR_CODEX_REAUDIT.

What this answered

Codex 4th reject STAGE2_6A_FIX4_FAIL_HARDCODE_OR_BYPASS_STILL_DANGEROUS. The repeated root cause across FIX/FIX2/FIX3/FIX4: T1 graded newly-created guards in isolation while the real writer/driver/builder/current-plan path still called legacy objects, and the "no-legacy" guard was a hand-maintained NAME deny-list that never traced the actual dependency closure. FIX5 inspects the REAL callgraph first (recursive pg_depend/functiondef closure from authoritative roots), then repoints every authoritative caller off legacy planner v2, and rebuilds the false proofs as behavioral/structural controls.

Codex FIX4 defects — reproduced LIVE then fixed (12/12 now_safe)

  • B01 writer→fn_dot_birth_qt001_plan_v2 (first statement, trusts eligibility): FIXED → writer first stmt now fn_qt001_plan_v5.
  • B02 driver→plan_v2 (+ batch 1000 / runaway 1000000 literals): FIXED → driver calls plan_v5; batch/runaway from qt001_runtime_config.
  • B03 builder→refresh→plan_all→plan_v2 transitive: FIXED → refresh→fn_qt001_plan_all_v5→fn_qt001_plan_v5.
  • B04 current plan not authoritative (legacy planner participated): FIXED → CURRENT plan = fingerprint v5 composite, no root reaches v2.
  • B05 fingerprint omitted signoff/capability, used old scale guard: FIXED → fingerprint v5 includes signoff/capability/scale-behavioral/authority-risk/keyset state.
  • B06 NULL guard false-pass (6 NULL rows vs pass=true): FIXED → null accounting consistent; eligible-NULL→invalid; the 6 are documented ineligible (no_go_reason).
  • B07 capability proof = to_regproc/to_regclass existence only: FIXED → behavioral contract (behavior_demonstrated AND operational_evidence); existence/free-text cannot satisfy.
  • B08 capability negative test = literal true: FIXED → negative tests read pg_get_viewdef / contract state (real evaluations).
  • B09 no-bypass (NOT pass) IS NOT NULL tautology: FIXED → explicit booleans per chain; v_qt001_no_tautology_proof_guard scans the proof for IS NOT NULL.
  • B10 hardcode guard v5 false-pass: FIXED → hardcode v6 consumes structural callgraph + behavioral guards (not inventory/source-text).
  • B11 runtime full-scan/row-by-row/no keyset/resume: ROUTED_2_6B_BLOCKING → scale stays NOT_SAFE (behavioral), keeps readiness BLOCKED.
  • B12 PG verdict PG_HOSTED_HARDCODE_REMAINS: FIXED → scorecard verdict now PG_DRIVEN_PARTIAL_BLOCKED.

Headline structural fix (SUPERTRACK B/C)

Built a RECURSIVE structural callgraph: v_qt001_callgraph_edges_v2 (word-boundary edges parsed from pg_get_functiondef/pg_get_viewdef over all qt001 objects) → v_qt001_authoritative_callgraph_v2 (MATERIALIZED edges, node-deduped reachability closure from the 3 registered roots: writer/driver/builder) → v_qt001_authoritative_legacy_dependency_guard (FAIL-CLOSED on any reached object that is legacy_superseded OR unclassified). Legacy is identified by the registry TABLE qt001_authoritative_object_registry (data, never scanned for edges) — NO reachable guard view embeds a legacy object NAME literal (a literal would create a spurious structural edge; this was the bug that initially exploded the closure to 60 legacy-reached). LIVE: pass=true, legacy_reached=0, unclassified_reached=0.

Live verification (COMMITTED state, MCP/ssh read-back)

  • callgraph guard pass=t (legacy 0, unclassified 0); no_legacy_planner pass=t (roots_reaching_planner_v2=0, roots_reaching_legacy=0); planner_v2_sentinel_only pass=t.
  • writer repoint: writer_uses_plan_v5/readiness_v8/fingerprint_v5/signoff_v5 = t; driver_uses_plan_v5 = t; pass=t.
  • readiness v8: overall_ready=FALSE, SSOT 13/15 (2 red = public_execute + directus_dml, routed 2.6B), APPLY 0/4, reason BLOCKED_STAGE2.6A_FIX5_6_GATES_RED.
  • hardcode v6 pass=t + negative tests all pass; no_bypass_proof_v3 all_blocked=t; no_tautology pass=t.
  • capability behavioral: all 3 capabilities UNSATISFIED (behavior not demonstrated); scale_behavioral scale_not_safe=true (0/3 satisfied).
  • fingerprint v5: invalid=false, eligible_null_rows=0, documented_ineligible_null_rows=6, sensitivity tests all pass.
  • scorecard verdict = PG_DRIVEN_PARTIAL_BLOCKED; must_not_proceed pass=t; failure matrix 12/12 now_safe.
  • CURRENT plan = PLAN-d0272db42f77 v5, composite d0272db42f7773809eaa42c715440b0b, 74 rows all v5 (0 not-v5).
  • Machine tier dist: TIER2=7, TIER3=6, TIER_BLOCKED=6, TIER_INELIGIBLE=55, TIER1=0 (identical to FIX4 — repoint changed implementation, not the governed outcome).

Safety (production no-worse)

gateway norm-md5 = 9393db3c068a6de6bbcb68be2c8d1692 (UNCHANGED), tga=129 (unchanged), apr_approvals=42 (unchanged), birth_total=1,211,106 (drift from realtime only), qt001_origin_births=0, open_permits=0, done_ledgers=0, signoff_bindings=0, tiers_apply_allowed=0, Stage0 DOT freeze PASS 2/2, gateway integrity all_ok=true. NO apply / NO permit / NO birth write / NO trigger change / NO gateway body change / NO old DOT unfreeze / NO 2.6B.

Objects (additive/reversible)

  • New tables: qt001_authoritative_object_registry (+is_sentinel_planner), qt001_signal_registry, qt001_capability_behavior_registry, qt001_runtime_config.
  • New functions: fn_qt001_plan_v5, fn_qt001_plan_all_v5, fn_qt001_collection_signals_v5, fn_qt001_eval_rule_v5, fn_qt001_machine_tier_v5, fn_qt001_signoff_satisfies_v5, fn_qt001_signoff_row_valid_v5, fn_qt001_plan_fingerprint_v5.
  • Repointed (CREATE OR REPLACE, FIX4 bodies captured in ROLLBACK_fix5_to_fix4.sql): fn_dot_birth_qt001_apply (writer), sp_dot_birth_qt001_apply (driver), fn_qt001_build_plan_registry (builder), fn_qt001_refresh_plan_snapshot, fn_qt001_machine_tier (wrapper→v5), fn_qt001_machine_blocked_reason.
  • New views (~25): callgraph edges/closure/legacy/no-legacy-planner/sentinel; behavioral probe/contract/scale/no-exists/neg-tests; fingerprint v5 null-guard/sensitivity/current-plan-v5; block_rule_v5/tier_signal_v5/no_v5_plan_hash; no_tautology; hardcode v6 (+neg); readiness v8 dashboard/guard; no_bypass v3; writer repoint status v5; scorecard; reproduction; failure matrix; must_not_proceed; safety audit.
  • Retained as frozen sentinels: plan_v2 / signals_v4 / fingerprint_v4 / machine_tier_v4 etc. (classified legacy_superseded; reached by NO authoritative root).

Legacy planner is sentinel-only

fn_dot_birth_qt001_plan_v2 still exists (not dropped) but is registry-classified legacy_superseded + is_sentinel_planner, and roots_reaching=0. Same for plan_all/v4 chain/old fingerprints/old scale-literal guard.

GOTCHAs (for next layer / re-audit)

  • Edge extractor matches object names by word-boundary in function/view BODIES — so ANY guard that names a legacy object as a string literal (even to assert its absence) creates a spurious edge and explodes the closure. RULE: reachable guards use POSITIVE assertions + registry joins only; never embed a legacy object NAME. (This caused the first rehearsal's 60 legacy-reached; fixed by registry-join + is_sentinel_planner flag + rewording no-bypass descriptions.)
  • The recursive closure must MATERIALIZE edges once and dedup at NODE level (no per-row path string) or it path-explodes and times out (readiness hit 180s before optimization; ~3.5s after). callgraph_hash was removed from fingerprint v5 to stop every fingerprint call re-running the closure (engine_hash already captures v5 body changes; callgraph is a dedicated readiness gate).
  • Word boundary \m..\M: _ IS a word char in PG regex, so fn_qt001_machine_tier\M does NOT match inside fn_qt001_machine_tier_v4 — wrapper vs v4 distinguished correctly.
  • plpgsql late-binds view refs → fingerprint v5 could be created before the callgraph guard; SQL-language fns resolve referents at CREATE → create order: scale/capability views before signals_v5; signoff_v5 before signals_v5; fingerprint before its null/sensitivity/current-plan guard views.
  • View create-cycle avoided: readiness v8 does NOT reference no_bypass_v3 (one-way: no_bypass→readiness); no_tautology scans no_bypass by pg_class name lookup (runtime, not ::regclass at create).
  • qt001 objects live in DB directus/public. DDL via ssh contabo→docker exec -i postgres psql -U directus -d directus; host SQL files cat|piped to stdin. write allowlist /opt/incomex/docs/mcp-writes needs mkdir+chmod 2777. MCP query_pg RO 5s/500 → heavy closure/build via ssh psql statement_timeout=180000.
  • Rehearsed BEGIN..ROLLBACK twice (full build + guard battery) before COMMIT; ROLLBACK_fix5_to_fix4.sql staged (6 FIX4 bodies + plan revert).
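Added example (not the checkpoint's own objects): a minimal PostgreSQL version of the structural callgraph described under "Headline structural fix" and the first and third GOTCHAs. Every name in schema demo_cg is hypothetical; the shape is the one the checkpoint describes: word-boundary edges parsed from pg_get_functiondef / pg_get_viewdef, a MATERIALIZED edge set, a node-deduped recursive closure from registered roots, and a fail-closed guard that classifies reached nodes only through a registry table. The second half reproduces the literal-name gotcha (a guard view that names a legacy object as a string creates a spurious edge and turns the guard red) and the \m..\M underscore behaviour.

```sql
-- Hypothetical demo schema; nothing here is a qt001 object.
CREATE SCHEMA demo_cg;
SET search_path = demo_cg, public;

-- Registry TABLE: classification is data, never source text scanned for edges.
CREATE TABLE demo_object_registry (
  object_name    text PRIMARY KEY,
  classification text NOT NULL CHECK (classification IN ('authoritative', 'legacy_superseded')),
  is_root        boolean NOT NULL DEFAULT false
);

CREATE FUNCTION demo_plan_v2() RETURNS int LANGUAGE sql AS $$ SELECT 2 $$;  -- legacy sentinel
CREATE FUNCTION demo_plan_v5() RETURNS int LANGUAGE sql AS $$ SELECT 5 $$;  -- current planner

-- Reachable guard: POSITIVE assertion via registry join only, no legacy name literal.
CREATE VIEW demo_readiness_guard AS
  SELECT (SELECT count(*) FROM demo_object_registry WHERE is_root) > 0 AS pass;

-- Authoritative root (the "writer"): consults the guard, then the v5 planner.
CREATE FUNCTION demo_writer() RETURNS int LANGUAGE plpgsql AS $$
DECLARE ok boolean;
BEGIN
  SELECT pass INTO ok FROM demo_readiness_guard;
  IF NOT ok THEN RAISE EXCEPTION 'readiness guard red'; END IF;
  RETURN demo_plan_v5();
END $$;

INSERT INTO demo_object_registry VALUES
  ('demo_writer',          'authoritative',     true),
  ('demo_plan_v5',         'authoritative',     false),
  ('demo_readiness_guard', 'authoritative',     false),
  ('demo_plan_v2',         'legacy_superseded', false);

-- Structural guard: edges from object bodies, closure from roots, fail-closed
-- on any reached node that is legacy_superseded OR absent from the registry.
CREATE FUNCTION demo_legacy_guard(
  OUT pass boolean, OUT legacy_reached int, OUT unclassified_reached int, OUT reached_nodes text[])
LANGUAGE sql STABLE AS $$
  WITH RECURSIVE
  nodes AS (  -- every function and view in the schema, with its definition text
    SELECT p.proname AS name, pg_get_functiondef(p.oid) AS body
      FROM pg_proc p JOIN pg_namespace n ON n.oid = p.pronamespace
     WHERE n.nspname = 'demo_cg'
    UNION ALL
    SELECT c.relname, pg_get_viewdef(c.oid)
      FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
     WHERE n.nspname = 'demo_cg' AND c.relkind = 'v'
  ),
  -- Word-boundary edges, materialized once. \m/\M treat '_' as a word char,
  -- so 'x' does not match inside 'x_v4'. Self-mentions (the CREATE header) excluded.
  edges AS MATERIALIZED (
    SELECT DISTINCT a.name AS caller, b.name AS callee
      FROM nodes a JOIN nodes b ON a.name <> b.name
     WHERE a.body ~ ('\m' || b.name || '\M')
  ),
  -- Node-level closure: UNION (not UNION ALL) dedups nodes, so cycles terminate
  -- and no per-row path string is carried (the path-explosion the checkpoint hit).
  reach AS (
    SELECT object_name AS name FROM demo_object_registry WHERE is_root
    UNION
    SELECT e.callee FROM reach r JOIN edges e ON e.caller = r.name
  )
  SELECT
    count(*) FILTER (WHERE reg.classification = 'legacy_superseded') = 0
      AND count(*) FILTER (WHERE reg.object_name IS NULL) = 0,
    count(*) FILTER (WHERE reg.classification = 'legacy_superseded')::int,
    count(*) FILTER (WHERE reg.object_name IS NULL)::int,
    array_agg(reach.name ORDER BY reach.name)
  FROM reach LEFT JOIN demo_object_registry reg ON reg.object_name = reach.name
$$;

-- 1) Clean state: pass=t, legacy 0, unclassified 0, reached {demo_plan_v5, demo_readiness_guard, demo_writer}.
SELECT * FROM demo_legacy_guard();

-- 2) The gotcha: a guard that asserts the legacy object's ABSENCE by naming it
--    now carries the literal 'demo_plan_v2' in its viewdef -> spurious edge
--    demo_readiness_guard -> demo_plan_v2 -> legacy_reached=1, pass=f.
CREATE OR REPLACE VIEW demo_readiness_guard AS
  SELECT NOT EXISTS (SELECT 1 FROM pg_proc WHERE proname = 'demo_plan_v2') AS pass;
SELECT * FROM demo_legacy_guard();

-- 3) Underscore is a word character in PostgreSQL ARE: wrapper vs _v4 stay distinct.
SELECT 'demo_machine_tier_v4' ~ '\mdemo_machine_tier\M' AS matches_inside_v4;  -- false

DROP SCHEMA demo_cg CASCADE;
```

The `nodes` CTE includes the guard function itself, which is harmless here because its body names only the registry table and CTE aliases, none of which are node names; in a real deployment the guard machinery should be registered too, or it will show up as unclassified the moment a root references it.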

NEXT

BIRTH_STAGE2_6A_FIX5_CODEX_REAUDIT → fresh independent Codex re-audit of FIX5 BEFORE any permit/apply/2.6B. Remaining structurally-blocking 2.6B risks: PUBLIC EXECUTE revoke (open=35; writer/builder=4), Directus owner DML separation (17 control tables), real keyset/resume/perf capability. Do NOT proceed to 2.6B until Codex PASS.

Report dir: knowledge/dev/reports/architecture/birth-stage2-6a-fix5-qt001-remove-legacy-planner-false-proof-rebuild-2026-06-07/00..13. SQL + rollback: /opt/incomex/docs/mcp-writes/birth-stage2-6a-fix5-2026-06-07/sql/.
