Checkpoint - T1 FIX7 Blueprint Patch After Legacy-Disposition Option Beta

Date: 2026-06-08 Author: T1 (production Agent for Agent Data) Macro: PROGRAM_PATCH_T1_FIX7_BLUEPRINT_AFTER_CODEX_LEGACY_DISPOSITION_OPTION_BETA_AMENDMENT Mode: READ-ONLY production; blueprint KB-doc direct-revision; NO production mutation.

Final status

FIX7_REFACTOR_BLUEPRINT_T1_PATCHED_FOR_OPTION_BETA_READY_FOR_CODEX_RECHECK_3

What was done

Codex (design owner) approved Option Beta for the long-standing blocker-C legacy-disposition amendment (codex-fix7-legacy-disposition-design-amendment-2026-06-08/, status FIX7_LEGACY_DISPOSITION_DESIGN_AMENDMENT_APPROVED_OPTION_BETA). Option Beta replaces the disposition concept — it does not re-home it. T1 patched the FIX7 refactor execution blueprint to that ruling and self-reviewed hardcode/PG-native + cross-layer boundaries to PASS.

Core ruling implemented: one uniform required end-state for every member of a closed, sealed U_legacy set — owner-isolated to the approved NOLOGIN, non-superuser, unreachable qt001_cp_owner; body/definition unchanged; actual effective privileges exactly equal the closed-world sealed privilege_set_manifest #21 rows; unsupported classes / protected-boundary collisions fail closed. relkind/prokind select only PostgreSQL syntax, never policy.

The seven amendment blockers → disposition

#	blocker	disposition	mechanism
1	remove legacy-disposition model completely	DONE	5-value enum / LEGACY_* #20 rows / computed classifier / truth table / CASE branch / external-artifact policy / STUB & body-restore / DO_NOT_TOUCH subtraction / relkind-prokind-name-owner-pattern-label policy all removed from load-bearing design; former labels survive only as non-authority English; +G-LEGACY-NO-DISPOSITION-AUTHORITY; +guard-quality rule 6
2	redefine U_legacy under Option Beta	DONE	U_legacy = closure(#11, roots=#20 protected_target rows bound to candidate manifest); single sealed set; no DO_NOT_TOUCH subtraction; both-EXCEPT vs closed denominator; collisions fail closed; relkind/prokind = syntax only; +G-U-LEGACY-OPTION-BETA-UNIFORM-ENDSTATE
3	remove STUB / body-mutation path	DONE	no body mutation/restore; rollback = forward-only supersede/deactivate + owner/ACL snapshot replay only; source artifacts evidence only; former CR-E3 STUB-body carve-out removed
4	owner isolation + #21 privilege contract as authority	DONE	S15 = owner-transfer → reconcile to exact #21 (both-EXCEPT, role-membership-aware) → verify; directus/runtime effective authority absent unless #21 grants read-only; G-NOLEGACY-POST/G-U-LEGACY-OPTION-BETA-UNIFORM-ENDSTATE verify the uniform end-state, not branches
5	remove DO_NOT_TOUCH as authority exclusion	DONE	DO_NOT_TOUCH = boundary/hard-block label for out-of-scope unrelated objects only (birth gateway, DOTs); never subtracts; collision → fail closed / owner review
6	hardcode / PG-native self-review	PASS	12/12 checks clean; the patch removes (not adds) disguised-hardcode constructs; authority is PG ownership + sealed #20 roots + #11 closure + closed-world #21 + #26/#27 + activation
7	cross-layer boundaries	CONFIRMED unchanged	implementation/2.6B/QT001-apply/permit/REAL_RUN/activation/repoint/cutover BLOCKED; governance/registry-pivot/Đ43/harness later; runtime evidence non-authority; §4G governance-change re-audit gates on PKG-F/PKG-G preserved

Guards and invariants

Test/verification guards 40 → 42 (+G-U-LEGACY-OPTION-BETA-UNIFORM-ENDSTATE, +G-LEGACY-NO-DISPOSITION-AUTHORITY; G-LEGACY-TARGET-SEALED + G-LEGACY-TARGET-CLOSED-DENOMINATOR now fully operational with no disposition/LEGACY_* dependency and no DO_NOT_TOUCH subtraction; G-LEGACY-FROZEN reframed as G-LEGACY-RETAINED; +guard-quality rule 6). These are TEST/VERIFICATION guards, NOT readiness gates. Invariants preserved: AUTHORITY_SURFACES=27 · RUNTIME_EVIDENCE=11_NON_AUTHORITY · READINESS_GATES=14_DATA · HASH_CONTRACTS=7_H01..H07 · NEW_AUTHORITY_SURFACE=0 · NEW_#20_COLUMN=0 · NEW_CATALOG_FAMILY=0 · NEW_READINESS_GATE=0 · NEW_TOP_LEVEL_HASH_CONTRACT=0 · PRODUCTION_MUTATION=0. All hard blocks intact.

Blueprint docs patched

02 (rev 23→24), 03 (rev 3→4), 04 (rev 36→37), 05 (rev 22→23), 06 (rev 29→30), 07 (rev 35→36), 08 (rev 15→16), 12 (rev 14→18). Docs 02/04/05/06/07/08 via update_document (extensive, all non-disposition content preserved verbatim); 03/12 via targeted patch_document.

Output

• Report: t1-fix7-blueprint-patch-after-legacy-disposition-option-beta-2026-06-08/00..10 (11 docs).
• This checkpoint.
• Blueprint checkpoint checkpoint-t1-fix7-existing-system-refactor-execution-blueprint-2026-06-08.md advanced to ..._T1_PATCHED_FOR_OPTION_BETA_READY_FOR_CODEX_RECHECK_3.

Live evidence

No fresh live read was required this pass; the prior read-only pg_roles evidence stands (directus rolsuper=false/rolbypassrls=false; cluster superuser workflow_admin rolsuper=true/rolbypassrls=true; qt001_cp_* roles absent). The Option-Beta end-state is feasible because directus is non-superuser (owner-transfer + privilege reconcile reach effective-EXECUTE=0 without a body stub).

Next

Codex recheck 3 of the Option-Beta-patched blueprint (external; not implementation). Implementation, Stage 2.6B, qt001_backfill_permit, REAL_RUN, QT001 apply, manifest activation, repoint, and owner/ACL cutover all remain BLOCKED. Do not claim implementation approval.