KB-663F

Checkpoint - T1 FIX7 Blueprint Patch After Codex Recheck 3 (Set Separation)

Revision 1
fix7 · t1 · checkpoint · recheck-3 · set-separation · 2026-06-09

Date: 2026-06-09
Author: T1 (production Agent for Agent Data)
Macro: PROGRAM_PATCH_T1_FIX7_BLUEPRINT_AFTER_CODEX_RECHECK_3_SET_SEPARATION_AND_SUPERSEDED_HISTORY
Mode: READ-ONLY production; blueprint KB-doc direct-revision; NO production mutation.

Final status

FIX7_REFACTOR_BLUEPRINT_T1_PATCHED_AFTER_CODEX_RECHECK_3_READY_FOR_CODEX_RECHECK_4

What was done

Codex recheck 3 (codex-fix7-blueprint-recheck-3-after-option-beta-patch-2026-06-08/, status FIX7_REFACTOR_BLUEPRINT_CODEX_RECHECK_3_NEEDS_T1_FIX) accepted the Option-Beta work (STUB/body removed; DO_NOT_TOUCH no longer an authority exclusion; 27/11/14/7 intact; boundaries blocked) and raised exactly two remaining blocker classes. T1 patched both in-blueprint; no design amendment; Option Beta not reopened.

Blocker 1 — set separation (typed sets)

The single U_legacy was used for a denominator that unioned PG objects + effective-privilege principals + DOT/scheduler entry-vectors, then asserted object both-EXCEPT over the union (a type error). Split into three distinct typed universes:

  • U_legacy_object — PG objects only (regclass/regprocedure); the ONLY set subject to the uniform end-state (owner isolated, body unchanged, effective privileges == sealed #21); object both-EXCEPT vs an object-shape denominator (doc 02 §H.4.A).
  • U_effective_privilege_principal — roles only (PUBLIC + pg_auth_members-expanded; owner excluded from removable equality; superuser dispositioned); the privilege check is the join U_legacy_object × U_effective_privilege_principal reconciled both-EXCEPT to #21 (§H.4.B).
  • U_entry_vector — trigger/event-trigger/scheduler/DOT/external; a fail-closed bypass-coverage relation (every vector targets a U_legacy_object member or is independently blocked), never object membership (§H.4.C).
  • U_legacy ≡ U_legacy_object; no set is a member of another (mixed-type membership fails closed).
  • +G-U-LEGACY-OBJECT-ONLY, +G-PRINCIPAL-SET-SEPARATE, +G-ENTRY-VECTOR-SEPARATE; G-LEGACY-TARGET-CLOSED-DENOMINATOR re-scoped object-shape; guard-quality rule 7.
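
The three typed universes and their checks, as an added Python example that is not part of the blueprint or of this checkpoint: typed sets that reject mixed-type members, the object × principal privilege reconciliation as a both-EXCEPT, and the fail-closed entry-vector coverage relation. All class, function and object names and the sample grants are constructed for illustration; owner exclusion and superuser disposition are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PgObject:            # U_legacy_object member (regclass/regprocedure identity)
    identity: str

@dataclass(frozen=True)
class Principal:           # U_effective_privilege_principal member (role or PUBLIC)
    role: str

@dataclass(frozen=True)
class EntryVector:         # U_entry_vector member (trigger, scheduler, DOT, external)
    name: str
    target: Optional[str]  # identity of the object it reaches, if any
    independently_blocked: bool = False

def typed_set(members, kind):
    """Build one universe; mixed-type membership fails closed."""
    members = frozenset(members)
    stray = [m for m in members if type(m) is not kind]
    if stray:
        raise TypeError(f"non-{kind.__name__} member(s): {stray}")
    return members

def both_except(actual, expected):
    """Return (actual EXCEPT expected, expected EXCEPT actual); pass = both empty."""
    return actual - expected, expected - actual

def privilege_drift(objects, principals, live, sealed):
    """Reconcile (object, principal, privilege) grants over the join to the baseline."""
    for obj, who, _ in live | sealed:
        if obj not in objects or who not in principals:
            raise ValueError(f"grant outside the typed universes: {obj}, {who}")
    return both_except(live, sealed)

def uncovered_vectors(vectors, objects):
    """Vectors that neither target an object member nor are independently blocked."""
    ids = {o.identity for o in objects}
    return {v for v in vectors if v.target not in ids and not v.independently_blocked}

# Constructed sample data (hypothetical names, not taken from the blueprint).
T, F = PgObject("public.legacy_t"), PgObject("public.legacy_fn(int)")
PUB, APP = Principal("PUBLIC"), Principal("app_role")
OBJECTS, PRINCIPALS = typed_set({T, F}, PgObject), typed_set({PUB, APP}, Principal)
SEALED = {(T, APP, "SELECT"), (F, APP, "EXECUTE")}   # stands in for the sealed baseline
LIVE = SEALED | {(F, PUB, "EXECUTE")}                # one grant beyond the baseline
VECTORS = typed_set({EntryVector("trg_audit", T.identity),
                     EntryVector("cron_job", None, independently_blocked=True),
                     EntryVector("ext_hook", "public.other_t")}, EntryVector)
```

With this data `privilege_drift` reports the extra PUBLIC grant on the function as the only difference, and `uncovered_vectors` flags `ext_hook` because it neither targets an object in the universe nor is independently blocked.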

Blocker 2 — superseded-history boundary

G-LEGACY-NO-DISPOSITION-AUTHORITY scanned the whole blueprint while history retained old disposition/STUB instructions. Introduced a machine-readable ACTIVE_AUTHORITY vs SUPERSEDED_NON_AUTHORITY boundary: a doc 00 §Active-authority boundary registry + a per-doc DOC_STATUS: marker + SUPERSEDED_NON_AUTHORITY BEGIN/END fences; the boundary lives in the blueprint KB document structure (not a Directus collection / #20 row / runtime table → not Directus-editable). The no-disposition guard is re-scoped to ACTIVE_AUTHORITY (reports fenced history, never fails on it; fails on a removed construct in ACTIVE_AUTHORITY or on superseded consumption). +G-ACTIVE-AUTHORITY-SCOPE, +G-NO-SUPERSEDED-CONSUMPTION; guard-quality rule 8. Historical pass sections fenced in docs 00/12 and the blueprint checkpoint; docs 09/10/11 marked SUPERSEDED_NON_AUTHORITY.
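
An added example, not the blueprint's own guard, of scoping the no-disposition scan to ACTIVE_AUTHORITY: hits inside fences or in a superseded document are reported, hits in active text fail, and a malformed boundary fails closed. The exact marker line syntax, the `STUB` pattern standing in for a removed construct, and the sample documents are assumptions; superseded consumption is not modelled.

```python
import re

BEGIN, END = "SUPERSEDED_NON_AUTHORITY BEGIN", "SUPERSEDED_NON_AUTHORITY END"
REMOVED = re.compile(r"\bSTUB\b")   # assumed pattern for a removed construct

def scan(doc_id, text):
    """Return (failures, reports) for one document as (doc_id, line_no, detail) tuples."""
    lines = text.splitlines()
    status = next((l.split(":", 1)[1].strip() for l in lines
                   if l.startswith("DOC_STATUS:")), None)
    if status not in ("ACTIVE_AUTHORITY", "SUPERSEDED_NON_AUTHORITY"):
        return [(doc_id, 0, "missing or unknown DOC_STATUS")], []   # fail closed
    failures, reports, fenced_since = [], [], None
    for n, line in enumerate(lines, 1):
        marker = line.strip()
        if marker == BEGIN:
            if fenced_since is not None:
                failures.append((doc_id, n, "nested BEGIN"))
            fenced_since = n
        elif marker == END:
            if fenced_since is None:
                failures.append((doc_id, n, "END without BEGIN"))
            fenced_since = None
        elif REMOVED.search(line):
            superseded = status == "SUPERSEDED_NON_AUTHORITY" or fenced_since is not None
            (reports if superseded else failures).append((doc_id, n, marker))
    if fenced_since is not None:    # an unclosed fence must not hide active text
        failures.append((doc_id, fenced_since, "BEGIN without END"))
    return failures, reports

# Constructed sample documents (hypothetical content).
ACTIVE_DOC = """DOC_STATUS: ACTIVE_AUTHORITY
Uniform end-state applies to every object.
SUPERSEDED_NON_AUTHORITY BEGIN
Pass 2: replace body with STUB.
SUPERSEDED_NON_AUTHORITY END
Leftover: apply STUB to legacy functions.
"""
HISTORY_DOC = """DOC_STATUS: SUPERSEDED_NON_AUTHORITY
Old plan: STUB each legacy function.
"""
```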

Guards and invariants

Test/verification guards 42 → 47 (+5). Invariants preserved: AUTHORITY_SURFACES=27 · RUNTIME_EVIDENCE=11_NON_AUTHORITY · READINESS_GATES=14_DATA · HASH_CONTRACTS=7_H01..H07 · NEW_AUTHORITY_SURFACE=0 · NEW_#20_COLUMN=0 · NEW_CATALOG_FAMILY=0 · NEW_READINESS_GATE=0 · NEW_TOP_LEVEL_HASH_CONTRACT=0 · PRODUCTION_MUTATION=0. The three new sets are evaluation constructs over existing catalog/manifest facts; the active/superseded boundary is document metadata — neither is a DB authority surface. All hard blocks intact.

Internal self-check

11/11 PASS (object-only · principal-separate · entry-vector-separate · uniform-end-state scope · object × principal privilege · fail-closed bypass · machine-readable boundary · no-disposition guard scope · no superseded consumption · zero-hardcode/PG-native · cross-layer blocked). Detail: report doc 11.

Blueprint docs patched

00 (rev 3→6), 01 (5→6), 02 (24→33), 03 (4→6), 04 (37→39), 05 (23→24), 06 (30→38), 07 (36→40), 08 (16→17), 09 (1→2), 10 (1→2), 11 (1→2), 12 (18→29), blueprint checkpoint (9→17). All via patch_document (targeted, section-level; unchanged regions byte-identical).

Output

  • Report: t1-fix7-blueprint-patch-after-codex-recheck-3-set-separation-2026-06-08/00..11 (12 docs).
  • This checkpoint.
  • Blueprint checkpoint checkpoint-t1-fix7-existing-system-refactor-execution-blueprint-2026-06-08.md advanced to ..._T1_PATCHED_AFTER_CODEX_RECHECK_3_READY_FOR_CODEX_RECHECK_4.

Live evidence

No fresh live read required this pass; the prior read-only pg_roles evidence stands (directus rolsuper=false; cluster superuser workflow_admin rolsuper=true/rolbypassrls=true; qt001_cp_* roles absent; 0 trigger bypass vectors over the qt001 set).

Next

Codex recheck 4 of the recheck-3 set-separation-patched blueprint (external; not implementation). Implementation, Stage 2.6B, qt001_backfill_permit, REAL_RUN, QT001 apply, manifest activation, repoint, and owner/ACL cutover all remain BLOCKED. Do not claim implementation approval.

knowledge/dev/reports/architecture/checkpoint-t1-fix7-blueprint-patch-after-codex-recheck-3-set-separation-2026-06-08.md