Checkpoint - T1 FIX7 Blueprint Patch After Codex Recheck 2 (PG Authority Contract)
Date: 2026-06-08
Author: T1 (production Agent for Agent Data)
Macro: PROGRAM_PATCH_T1_FIX7_BLUEPRINT_AFTER_CODEX_RECHECK_2_PG_AUTHORITY_CONTRACT_FAIL
Mode: READ-ONLY production; blueprint KB-doc direct-revision; NO production mutation.
Final status
FIX7_REFACTOR_BLUEPRINT_PATCH_AFTER_RECHECK_2_REQUIRES_DESIGN_AMENDMENT
What was done
Codex recheck 2 FAILED the owner-semantics-patched FIX7 refactor blueprint
(..._CODEX_RECHECK_2_FAIL_HARDCODE_OR_PG_NATIVE_GAP) with 8 blockers. T1 analysed each against the
approved byte-level DDL and a fresh read-only pg_roles read, patched 6.5/8 directly in-blueprint, and
routed blocker C (the legacy-disposition contract) to the design owner.
The 8 recheck-2 blockers → disposition
| blocker | disposition | mechanism |
|---|---|---|
| A qt001_cp_owner operational reachability | PATCHED | NOLOGIN (CP-01 §2.1) + no inbound pg_auth_members membership + Level-B-only SET ROLE; G-OWNER-UNREACHABLE |
| B U_legacy independent root | PATCHED | roots = sealed #20 protected_target TABLE rows + #26 protected_target_set_sha256; closure = sealed #24 analyzer into #11; dynamic calls fail closed |
| C disposition rule / LEGACY_* drift | DESIGN_AMENDMENT_REQUIRED | no approved home (sealed exact catalog CP-03; no #20 disposition column; §2.7 scope; item_payload forbidden). Option α add typed contract / Option β collapse to approved primitives |
| D operator authorization typed PG inputs | PATCHED | bound to CP-09 Level-B + #07/#20/#21/#16/#19/#08 + manifest_activation payload/epoch; evidence artifact supporting-only; G-OPERATOR-AUTH-PG-NATIVE |
| E rollback evidence_id uniqueness | PATCHED (fwd-only) | manifest rollback = prior immutable sealed version; legacy owner/ACL = S14 snapshot via manifest_activation.rollback_evidence_id; STUB body rides on C |
| F workflow_admin superuser/bypassrls | PATCHED | break-glass/operator-gated; Level-B-only operator session; readiness = no-unauthorized-use-path; G-SUPERUSER-BREAKGLASS |
| G forward-only history | PATCHED | rollback supersedes forward (never clears activated_at); current-active derived by activated_at IS NOT NULL AND superseded_by_manifest_id IS NULL; G-NOMIXED-AUTHORITY reads it |
| H author/rehearse/seal order | PATCHED | #11/#20/#26/#27 + denominator authored (PKG-B) before the PKG-C rehearsal seal; PKG-D read-only re-validation; G-SEAL-AFTER-AUTHOR-REHEARSE |
Why blocker C is an amendment (not a third retrofit)
T1 has bounced between two rejected failure modes: typed columns (recheck-1 DDL drift) and
computed/open-text/external policy (recheck-2 disguised hardcode). The 5-value disposition enum + its
sealed rule + legacy-routine-as-authority-object have no approved home: CP-03 catalog families are a
sealed exact set; #20 has no disposition/root_kind column and §2.7 scopes it to
TABLE/CONSTRAINT/INDEX/runtime-evidence; item_payload is forbidden. Authoring it is a
governance/design change — law §4G HARD-STOP for T1. T1 routes it to the design owner with two precise
options (α add a typed contract / β collapse to approved primitives, T1 recommends β).
Live evidence (read-only, DB directus, 2026-06-08, query_pg)
- directus: rolsuper=false / rolbypassrls=false / login → non-superuser (owner-transfer+REVOKE can zero effective EXECUTE; STUB unnecessary under β).
- workflow_admin: rolsuper=true / rolbypassrls=true / login → cluster superuser, break-glass (F).
- qt001_cp_owner/migrator/reader: absent (MISSING_ADD); blueprint specifies attributes (A).
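A read-only catalog query in the spirit of the pg_roles read above, given here as an added example (it is not the blueprint's guard code and not the query T1 ran): for the three roles this checkpoint names in full, it reports the login/superuser/bypassrls attributes and any inbound pg_auth_members membership. The `reading` labels are assumptions drawn from the blocker A and F descriptions, not the project's own status values.

```sql
-- Added example: read-only; touches only the pg_roles and pg_auth_members catalogs.
-- Role names come from this checkpoint; the "reading" labels are illustrative.
WITH expected(rolname) AS (
    VALUES ('directus'), ('workflow_admin'), ('qt001_cp_owner')
),
inbound AS (
    -- pg_auth_members.roleid is the granted role; member is the role that
    -- received the grant and can therefore SET ROLE into roleid.
    SELECT m.roleid,
           count(*) AS member_count,
           string_agg(pg_get_userbyid(m.member)::text, ', '
                      ORDER BY pg_get_userbyid(m.member)::text) AS members
    FROM pg_auth_members m
    GROUP BY m.roleid
)
SELECT e.rolname,
       r.rolcanlogin,
       r.rolsuper,
       r.rolbypassrls,
       COALESCE(i.member_count, 0) AS inbound_members,
       i.members,
       CASE
           WHEN r.oid IS NULL
               THEN 'ABSENT'
           WHEN r.rolsuper OR r.rolbypassrls
               THEN 'SUPERUSER_OR_BYPASSRLS'
           WHEN NOT r.rolcanlogin AND COALESCE(i.member_count, 0) = 0
               THEN 'NOLOGIN_NO_INBOUND_MEMBERSHIP'
           WHEN NOT r.rolcanlogin
               THEN 'NOLOGIN_BUT_REACHABLE_VIA_MEMBERSHIP'
           ELSE 'LOGIN_ROLE'
       END AS reading
FROM expected e
LEFT JOIN pg_roles r ON r.rolname = e.rolname
LEFT JOIN inbound i ON i.roleid = r.oid
ORDER BY e.rolname;
```

A superuser can SET ROLE to any role regardless of membership, so a NOLOGIN_NO_INBOUND_MEMBERSHIP row for qt001_cp_owner says nothing about workflow_admin; that path is the separate break-glass concern in blocker F.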
Invariants (preserved)
27 authority surfaces · 11 runtime-evidence non-authority · 14 readiness gates (DATA) · 7 hash contracts (H01..H07) · 0 new authority surface · 0 new readiness gate · 0 new hash contract · 0 new #20 column · 0 new catalog family · production mutation 0. Test/verification guards 36 → 40 (+G-OWNER-UNREACHABLE, +G-SUPERUSER-BREAKGLASS, +G-SEAL-AFTER-AUTHOR-REHEARSE, +G-OPERATOR-AUTH-PG-NATIVE; G-NOMIXED-AUTHORITY forward-only; G-LEGACY-TARGET-SEALED + the disposition aspect of G-LEGACY-TARGET-CLOSED-DENOMINATOR fail-closed pending the C amendment). All hard blocks intact.
Blueprint docs patched
02 (rev 17→23), 04 (rev 33→36), 05 (rev 18→22), 06 (rev 25→29), 07 (rev 28→35), 08 (rev 10→15), 12 (rev 12→14); blueprint checkpoint updated.
Output
- Report: t1-fix7-blueprint-patch-after-codex-recheck-2-pg-authority-contract-2026-06-08/00..13 (14 docs).
- This checkpoint.
- Blueprint docs + blueprint checkpoint advanced to ..._PATCH_AFTER_RECHECK_2_REQUIRES_DESIGN_AMENDMENT.
Next
Design-owner amendment for blocker C (Option α or β) → T1 re-patch against the amended design →
Codex recheck 3. Implementation, Stage 2.6B, qt001_backfill_permit, REAL_RUN, QT001 apply,
manifest activation, repoint, and owner/ACL cutover all remain BLOCKED. Not ready for implementation.
Do not claim implementation approval.