KB-56E3

Checkpoint - T1 FIX7 Blueprint Patch After Codex Recheck (Owner Semantics)

Revision 1

Date: 2026-06-08
Author: T1 (production Agent for Agent Data)
Macro: PROGRAM_PATCH_T1_FIX7_BLUEPRINT_AFTER_CODEX_RECHECK_OWNER_SEMANTICS_FAIL
Mode: READ-ONLY production; blueprint KB-doc direct-revision; NO production mutation.

Final status

FIX7_REFACTOR_BLUEPRINT_T1_PATCHED_AFTER_CODEX_RECHECK_READY_FOR_CODEX_RECHECK_2

What was done

Codex's recheck FAILED the previously-patched FIX7 refactor blueprint (..._CODEX_RECHECK_FAIL_HARDCODE_OR_PG_NATIVE_GAP) with a decisive root cause: PostgreSQL owner semantics. T1 re-patched every recheck blocker (A-H) directly in the blueprint, grounded on fresh read-only live evidence and the approved byte-level DDL, then self-reviewed against Codex's 10 recheck checks (all PASS). No design amendment required.

Decisive root cause + fix

At S15 the legacy routines were still owned by directus. A PostgreSQL owner keeps implicit privileges, so REVOKE alone could not bring directus's effective EXECUTE to 0, and G-NOLEGACY-POST was impossible as ordered. Fix: S14 STAGED (no activation); S15 atomic ordered owner-transfer (off directus → qt001_cp_owner) → REVOKE/stub → verify G-NOLEGACY-POST → activate+repoint; snapshot captured at S14 before the transfer; superuser dispositioned.

Live evidence (read-only, DB directus, 2026-06-08, query_pg)

  • directus: rolsuper = false (NON-superuser) → ownership-transfer-off-directus + REVOKE CAN reach effective EXECUTE = 0. Feasibility confirmed.
  • Cluster superuser workflow_admin: rolsuper/rolbypassrls = true → inherently ACL-bypassing; explicitly dispositioned in every effective-privilege guard.
  • qt001_cp_owner/migrator/reader roles ABSENT; legacy qt001_* directus-owned.
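
A read-only catalog query in the spirit of the effective-privilege guard described above, added here as an example; it is not the blueprint's own guard definition. It assumes the legacy routines can be selected by the name pattern `qt001_%` (the real denominator is the sealed legacy set) and takes the role name `directus` from the evidence above.

```sql
-- Added example, not the blueprint's guard text. Read-only: catalog lookups only.
-- Assumption: legacy routines match 'qt001\_%'; substitute the sealed legacy set.
WITH target AS (
    SELECT r.oid AS role_oid, r.rolname, r.rolsuper
    FROM pg_roles r
    WHERE r.rolname = 'directus'
),
legacy AS (
    SELECT p.oid               AS fn_oid,
           p.oid::regprocedure AS routine,
           p.proowner
    FROM pg_proc p
    WHERE p.proname LIKE 'qt001\_%'
)
SELECT l.routine,
       pg_get_userbyid(l.proowner) AS current_owner,
       -- Superusers bypass ACL checks, so they need an explicit disposition.
       t.rolsuper AS role_is_superuser,
       -- True when the role is the owner or holds the owner's privileges
       -- through role membership.
       pg_has_role(t.role_oid, l.proowner, 'USAGE') AS has_owner_rights,
       -- Effective EXECUTE: direct grant, PUBLIC, or inherited membership.
       has_function_privilege(t.role_oid, l.fn_oid, 'EXECUTE') AS can_execute,
       -- An owner is always treated as holding grant options, so it can
       -- re-grant EXECUTE to itself after a REVOKE. This is why the
       -- ownership transfer has to come before the REVOKE.
       has_function_privilege(t.role_oid, l.fn_oid,
                              'EXECUTE WITH GRANT OPTION') AS can_regrant
FROM legacy l
CROSS JOIN target t
WHERE t.rolsuper
   OR pg_has_role(t.role_oid, l.proowner, 'USAGE')
   OR has_function_privilege(t.role_oid, l.fn_oid, 'EXECUTE')
   OR has_function_privilege(t.role_oid, l.fn_oid, 'EXECUTE WITH GRANT OPTION')
ORDER BY l.routine;
```

Every returned row is a routine on which the role still has a path to EXECUTE; an empty result is the condition the post-cutover check is looking for. Run before the owner transfer, the `has_owner_rights` and `can_regrant` columns stay true for directus-owned routines regardless of what has been revoked.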

The 8 recheck blockers fixed

  1. A PG owner semantics / G-NOLEGACY → owner-transfer-first phase model + superuser disposition (doc 02).
  2. B closed legacy denominator → U_legacy (reverse write-effect ∪ effective-EXECUTE ∪ entry-vectors − DO_NOT_TOUCH) + G-LEGACY-TARGET-CLOSED-DENOMINATOR (doc 03).
  3. C approved byte-DDL conflict → map to existing approved #20 columns (object_type/protected_target/entrypoint/expected_owner_role/expected_acl_sha256/source_sha256); disposition COMPUTED; set integrity = manifest seal; 0 new column (doc 04).
  4. D no-mixed vs S14 ACTIVE → STAGED activation; activate in atomic PKG-F; G-NOMIXED keys on the ACTIVE route fact (doc 05).
  5. E rollback source artifact → sealed evidence_registry body (artifact_uri+artifact_sha256) pinned by #27; no-artifact ⇒ REVOKE_ONLY (doc 06).
  6. F operator_authorization / set-hash contract → operator_authorization_artifact = evidence_registry non-authority evidence + PG-native consuming decision; expected_legacy_set_sha256 eliminated (doc 07).
  7. G permit wording → "operator permit" → operator_authorization; grep claim (doc 09).
  8. H ACL snapshot order → snapshot at S14 before transfer; superuser dispositioned (doc 08).

Invariants (preserved)

27 authority surfaces · 11 runtime-evidence non-authority · 14 readiness gates (DATA) · 7 hash contracts (H01..H07) · 0 new authority surface · 0 new readiness gate · 0 new hash contract · 0 new #20 column · 0 new catalog family · production mutation 0. Guards 35 → 36 (+G-LEGACY-TARGET-CLOSED-DENOMINATOR; four guards tightened; guard-quality rule 5). All hard blocks intact.

Blueprint docs patched

02 (rev 17), 04 (rev 33), 05 (rev 18), 06 (rev 25), 07 (rev 28), 08 (rev 10), 12 (rev 12); blueprint checkpoint updated.

Output

  • Report: t1-fix7-blueprint-patch-after-codex-recheck-owner-semantics-2026-06-08/00..13 (14 docs).
  • This checkpoint.
  • Blueprint docs + blueprint checkpoint advanced to ..._T1_PATCHED_AFTER_CODEX_RECHECK_READY_FOR_CODEX_RECHECK_2.

Next

Codex recheck 2 of the patched blueprint (external gate). Implementation, Stage 2.6B, qt001_backfill_permit, REAL_RUN, QT001 apply, manifest activation, repoint, and owner/ACL cutover all remain BLOCKED. Not ready for implementation. Do not claim implementation approval.

knowledge/dev/reports/architecture/checkpoint-t1-fix7-blueprint-patch-after-codex-recheck-owner-semantics-2026-06-08.md