KB-67C1

Checkpoint - T1 FIX7 Blueprint Patch After Codex Critical Fail

Revision 1

Date: 2026-06-08
Author: T1 (production Agent for Agent Data)
Macro: PROGRAM_PATCH_T1_FIX7_REFACTOR_BLUEPRINT_AFTER_CODEX_CRITICAL_FAIL
Mode: READ-ONLY production; blueprint KB-doc direct-revision; NO production mutation.

Final status

FIX7_REFACTOR_BLUEPRINT_T1_PATCHED_AFTER_CODEX_FAIL_READY_FOR_CODEX_RECHECK

What was done

Codex independently critical-reviewed the FIX7 Existing-System Refactor Execution Blueprint and FAILED it (..._CODEX_CRITICAL_REVIEW_FAIL_HARDCODE_OR_PG_NATIVE_GAP; 7 blockers; A-K matrix: B/E/G FAIL, H/I FAIL, C/D/F NEEDS_FIX, J terminology, K NOT_READY). T1 patched all 7 blockers directly in the blueprint docs and self-reviewed against Codex's own 10 checks (all PASS).

Live evidence (read-only, DB directus, 2026-06-08, query_pg)

  • Routines with qt001 in name, schema public: 45 functions (prokind='f') + 1 procedure (prokind='p', sp_dot_birth_qt001_apply) = 46 routines; ALL owner directus, ALL proacl=NULL (PUBLIC EXECUTE), ALL prosecdef=false; 0 qt001 routines outside public.
  • Views, schema public: qt001% prefix = 0, v_qt001% prefix = 183, %qt001% substring = 196 (all owner directus). Tables qt001% = 20. qt001_cp schema + 3 roles still absent.
  • Decisive BLOCKER-1 proof: the legacy "set" swings 0/183/196 (views) and 45/46 (routines) by the name literal chosen → a name pattern cannot be operational authority. The prior prose "46 functions" conflated the apply procedure.

The 7 blockers fixed

  1. Legacy target = disguised hardcode → sealed legacy-disposition set in authority_scope_manifest #20 (typed identity regprocedure/regclass+prokind+source_sha256+privilege_acl_hash+disposition+expected_legacy_set_sha256; candidate→classified→exact-set both-EXCEPT→sealed); name/owner scan = diagnostic candidate; +G-LEGACY-TARGET-SEALED; G-PGNATIVE extended.
  2. G-NOLEGACY deadlock → split G-NOLEGACY-PRE (gates PKG-F, no EXECUTE-revoked requirement) + G-NOLEGACY-POST (verifies PKG-F, effective-privilege).
  3. Stub-scope contradiction → 5 dispositions (REVOKE_ONLY / STUB_FAIL_CLOSED / FREEZE_NO_CHANGE / DEPRECATE_READONLY / DO_NOT_TOUCH); stub only STUB_FAIL_CLOSED; body-rollback bounded to those (pinned #27).
  4. Rollback may reopen PUBLIC EXECUTE → atomic deactivation-first sequence (supersede new path → verify BLOCKED → verify no route → restore per disposition → verify no-mixed) + G-NOMIXED-AUTHORITY; CR-E3 restore-mechanism distinction.
  5. ACL snapshot incomplete → +column ACL (pg_attribute.attacl) + effective role-membership privilege (pg_auth_members) + sequence/default/PUBLIC/Directus/cp grants + snapshot_sha256; both-direction effective-privilege rollback verify.
  6. Writer-gateway identity ambiguous → pinned #26 identity (regprocedure+source+owner) + phase-explicit owner table (gateway born qt001_cp_owner, no transition); +G-WRITER-GATEWAY-IDENTITY.
  7. "permit" ambiguity → operator_authorization (package-execution, machine-checkable artifact) vs BLOCKED qt001_backfill_permit vs REAL_RUN_authority; +G-NO-QT001-PERMIT-DURING-FIX7; law §4G citation corrected (real §4G = "Surgical Drift Patch Allowance", governance_change hard-stop; law has no "permit" term — read in full via sliced subagent).
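
Added example (not part of the blueprint or of the checkpoint's own evidence queries): read-only catalog SQL contrasting the name-pattern candidate scan from the live evidence with the typed-identity, both-direction EXCEPT check named in blocker 1. The hash inputs, the column layout and the inline sealed row are assumptions; the actual format of manifest #20 is not shown on this page.

```sql
-- Added illustration; read-only. Hash inputs and row layout are assumptions.

-- 1) Diagnostic candidate scan: the count depends on the literal chosen
--    (literals as written in the evidence; note "_" is a LIKE wildcard).
SELECT
  count(*) FILTER (WHERE c.relname LIKE 'qt001%')   AS prefix_qt001,
  count(*) FILTER (WHERE c.relname LIKE 'v_qt001%') AS prefix_v_qt001,
  count(*) FILTER (WHERE c.relname LIKE '%qt001%')  AS substring_qt001
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'v';

-- 2) Typed identity for each candidate routine, compared in both directions
--    against a sealed set. The single sealed row below is a constructed
--    placeholder, not a real manifest entry.
WITH live AS (
  SELECT
    p.oid::regprocedure::text                            AS identity,
    p.prokind::text                                      AS prokind,
    encode(sha256(convert_to(p.prosrc, 'UTF8')), 'hex')  AS source_sha256,
    encode(sha256(convert_to(coalesce(p.proacl::text, 'NULL'), 'UTF8')), 'hex')
                                                         AS privilege_acl_hash
  FROM pg_proc p
  JOIN pg_namespace n ON n.oid = p.pronamespace
  WHERE n.nspname = 'public' AND p.proname LIKE '%qt001%'
),
sealed(identity, prokind, source_sha256, privilege_acl_hash) AS (
  VALUES ('example_qt001_fn(integer)', 'f',
          '<source_sha256 placeholder>', '<privilege_acl_hash placeholder>')
)
SELECT 'live_not_sealed' AS drift, d.*
FROM (SELECT * FROM live EXCEPT SELECT * FROM sealed) d
UNION ALL
SELECT 'sealed_not_live', d.*
FROM (SELECT * FROM sealed EXCEPT SELECT * FROM live) d
ORDER BY drift, identity;
-- Zero rows means the live catalog matches the sealed set exactly; any row
-- is drift in identity, kind, body or ACL that a name match would not show.
```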

Self-review (Codex's 10 checks)

1 legacy target authority PASS · 2 G-NOLEGACY phase PASS · 3 stub scope PASS · 4 rollback no-mixed PASS · 5 ACL snapshot PASS · 6 writer-gateway identity PASS · 7 terminology PASS · 8 hardcode PASS · 9 PG-native PASS · 10 cross-layer PASS.

Invariants (preserved)

27 authority surfaces · 11 runtime-evidence non-authority · 14 readiness gates (DATA) · 7 hash contracts (H01..H07) · 0 new authority surface · 0 new readiness gate · 0 new hash contract · production mutation 0. Guards 30 → 35 (all TEST/VERIFICATION guards, NOT readiness gates; the sealed set is DATA in existing #20/#27 + one typed disposition column). All hard blocks intact.

Blueprint docs patched

00 (rev 3), 01 (rev 5), 02 (rev 8), 03 (rev 3), 04 (rev 23), 05 (rev 10), 06 (rev 16), 07 (rev 21), 08 (rev 7), 12 (rev 8), blueprint checkpoint (rev 6).

Output

  • Patch report: t1-fix7-blueprint-patch-after-codex-critical-fail-2026-06-08/00..12 (13 docs).
  • This checkpoint.
  • Blueprint docs + blueprint checkpoint advanced to ..._T1_PATCHED_AFTER_CODEX_FAIL_READY_FOR_CODEX_RECHECK.

Next

Codex independent recheck of the patched blueprint (external gate). Implementation, Stage 2.6B, qt001_backfill_permit, REAL_RUN, QT001 apply, manifest activation, repoint, and owner/ACL cutover all remain BLOCKED. Not ready for implementation. Do not claim implementation approval.

knowledge/dev/reports/architecture/checkpoint-t1-fix7-blueprint-patch-after-codex-critical-fail-2026-06-08.md