KB-57C3 rev 6

Checkpoint - T1 FIX7 Existing-System Refactor Execution Blueprint


Date: 2026-06-08
Author: T1 (production Agent for Agent Data)
Macro: FIX7_EXISTING_SYSTEM_REFACTOR_MAPPING_EXECUTION_BLUEPRINT_WITH_INTERNAL_XHIGH_MAX_REVIEW
Mode: READ-ONLY production / AUTHOR_MODE_ONLY. No production DB/role/grant/trigger/function/scheduler/UI mutation; no DB object creation; no live SQL; no manifest activation; no ownership/ACL change; no permit; no Stage 2.6B; no REAL_RUN; no QT001 apply; no Directus authority change; no source IU mutation; no Codex-doc edit. KB blueprint documents only.

Final status

FIX7_REFACTOR_BLUEPRINT_T1_PATCHED_AFTER_CODEX_FAIL_READY_FOR_CODEX_RECHECK

(Gate progression: authored ..._READY_FOR_CODEX_CRITICAL_REVIEW -> independent XHigh pass -> ..._XHIGH_REVIEWED_AND_REVISED_READY_FOR_MAX_REVIEW -> independent Max pass 2026-06-08 -> ..._MAX_REVIEWED_AND_REVISED_READY_FOR_CODEX_CRITICAL_REVIEW -> Codex independent critical review FAILED it (..._CODEX_CRITICAL_REVIEW_FAIL_HARDCODE_OR_PG_NATIVE_GAP; 7 blockers; A-K matrix) -> T1 patched all 7 blockers directly in-blueprint (2026-06-08, PROGRAM_PATCH_T1_FIX7_REFACTOR_BLUEPRINT_AFTER_CODEX_CRITICAL_FAIL) -> the status above. Next = Codex recheck only.)

Codex critical-review patch pass (2026-06-08)

Codex's critical review failed the blueprint on 7 blockers (B/E/G/H/I FAIL; C/D/F NEEDS_FIX; J terminology). T1 patched every blocker directly in the blueprint docs (READ-ONLY production; no production mutation; KB blueprint-doc revision only):

  • B1 legacy target = disguised hardcode -> sealed legacy-disposition set in authority_scope_manifest #20 (typed identity + source_sha256 + privilege_acl_hash + expected_legacy_set_sha256, exact-set both-EXCEPT vs catalog); name/owner scan demoted to diagnostic candidate; +G-LEGACY-TARGET-SEALED; G-PGNATIVE extended to reject name-pattern binding authority. **Live proof of fragility (read-only, 2026-06-08): views = 0/183/196 by literal (qt001%/v_qt001%/%qt001%); routines = 45 functions + 1 procedure (the prose "46 functions" conflated the apply procedure).**
  • B2 G-NOLEGACY deadlock -> split into G-NOLEGACY-PRE (gates PKG-F; no EXECUTE-revoked requirement) + G-NOLEGACY-POST (verifies PKG-F).
  • B3 stub-scope contradiction -> 5 dispositions; stub only STUB_FAIL_CLOSED; body-rollback bounded to those (pinned #27); REVOKE_ONLY = privilege change only.
  • B4 rollback may reopen PUBLIC EXECUTE -> atomic deactivation-first rollback sequence + G-NOMIXED-AUTHORITY (new path superseded before any legacy EXECUTE restore).
  • B5 ACL snapshot incomplete -> +column ACL (pg_attribute.attacl) + effective role-membership privilege (pg_auth_members) + sequence/default/PUBLIC/Directus/cp grants + snapshot_sha256; both-direction effective-privilege rollback verify.
  • B6 writer-gateway identity ambiguous -> pinned #26 identity (regprocedure+source+owner), phase-explicit owner table (gateway born qt001_cp_owner, no transition); +G-WRITER-GATEWAY-IDENTITY.
  • B7 permit ambiguity -> operator_authorization (package-execution, machine-checkable artifact) separated from the BLOCKED qt001_backfill_permit / REAL_RUN_authority; +G-NO-QT001-PERMIT-DURING-FIX7; law §4G citation corrected (the real §4G makes governance_change a stop_without_asking_if hard-stop; the law has no "permit" term).

Guards 30 -> 35 (all TEST/VERIFICATION guards, not readiness gates). Invariants 27/11/14/7 preserved (0 new authority surface, 0 new readiness gate, 0 new hash contract; the sealed set is DATA rows in existing #20/#27 + one typed disposition column). Blueprint docs patched: 00, 01, 02, 03, 04, 05, 06, 07, 08, 12 + this checkpoint. Patch report: t1-fix7-blueprint-patch-after-codex-critical-fail-2026-06-08/00..12; patch checkpoint checkpoint-t1-fix7-blueprint-patch-after-codex-critical-fail-2026-06-08.md. All hard blocks intact; implementation / Stage 2.6B / qt001_backfill_permit / REAL_RUN / QT001 apply / activation / repoint / owner-ACL cutover all remain BLOCKED.

Design-approval source (confirmed)

FIX7_DESIGN_OFFICIALLY_APPROVED_BY_CODEX_FOR_IMPLEMENTATION_PLANNING - codex-owner-confirmation-fix7-final-design-approval-2026-06-08/05-final-verdict.md (A/B/C/D); T1 final short-review DESIGN_READY_FOR_CODEX_FINAL_APPROVAL (0 blocking); index rev 27.

Central finding (live read-only inventory, 2026-06-08, DB directus)

FIX7 is a parallel green-field qt001_cp control plane, not an in-place edit:

  • qt001_cp schema ABSENT (live schemas: cutter_governance, iu_core, public, sandbox_tac).
  • qt001_cp_owner/migrator/reader roles ABSENT.
  • Legacy qt001_* in public, all owner directus: 20 tables, 46 functions, 196 views (FIX..FIX6).
  • Birth gateway (birth_registry + permit/ledger/release + 5 fn_birth_*) present, directus-owned -> DO_NOT_TOUCH.
  • DOT-118/119 frozen -> DO_NOT_TOUCH.

Refactor = ADD whole qt001_cp (all MISSING_ADD, operator-gated) + atomic authoritative repoint (proven non-reachable-to-legacy by #11) + legacy freeze/deprecate (never live DROP) + DO_NOT_TOUCH birth gateway/DOTs + ROLE_CUTOVER_LATER for directus-owned control objects.

Phase outcomes

  • Phase 1 (High, docs 00-08): authored - inventory, design-to-live mapping (27 surfaces #01..#27, 11 runtime-evidence, 14 gates DATA, 7 hashes DATA), 18-gap matrix, S00-S19 construction order, rollback blueprint (COMPLETE), test/guard blueprint (26 -> 30 guards after independent XHigh), PKG-A..I split, hard-blocks list.
  • Phase 2 (XHigh, doc 09): 3 findings + 1 advisory.
    • XH-2 (P1): legacy entrypoints PUBLIC/directus-executable in activate->cutover window (the FIX2/FIX3 bypass) -> neutralization bundled into PKG-F; G-NOLEGACY extended to "blocked, not merely unreachable".
    • XH-3: missing S05 guard -> added G-OPERAND-TYPED.
    • XH-4 (P1): unscoped ACL cutover could break live Directus CMS -> scoped to control objects; added G-DIRECTUS-APP-INTACT.
    • XH-1 (advisory): runtime_config dual-role mapping refined.
  • Phase 3 (Max, doc 10): 3 findings.
    • MX-1 (P1): existing Directus SELECT set never captured -> S00 capture artifact; PKG-B precondition; G-DIRECTUS-READ compares against captured set.
    • MX-2 (P2): S15 neutralization + S17/S18 freeze/deprecate flagged as T1 operationalization beyond literal design; Codex confirmation requested.
    • MX-3: ACL rollback snapshot must be captured + read-back-verified + restore-rehearsed before REVOKE.
  • Revisions (doc 11): all six findings revised in-macro; affected XHigh checks 6/10/12 and Max checks 1/5/11 re-run to PASS.
  • Independent XHigh pass (2026-06-08, separate macro PROGRAM_REVIEW_XHIGH_...): audited vs live evidence (legacy fns proacl=NULL = PUBLIC EXECUTE) and doc consistency; 10 findings directly revised in-blueprint (3 P1): XHI-02 dangling G-LEGACY-FROZEN defined; XHB-01 +G-DOT-NOOVERWRITE (no DOT/non-owner gateway-overwrite); XHB-02 rollback safe-blocked-baseline clarified; XHH-01 +birth-gateway-modification/+registry-pivot hard-block rows; XHL-01 cross-layer OUT-OF-SCOPE (Đ43/QT-006/registry-pivot/raw-birth); XHI-01 guard count 26->30; +XHD-01/XHO-01/XHJ-01/XHM-01. Status advanced to FIX7_REFACTOR_BLUEPRINT_XHIGH_REVIEWED_AND_REVISED_READY_FOR_MAX_REVIEW. Report t1-xhigh-fix7-refactor-blueprint-review-2026-06-08/00..13; checkpoint checkpoint-t1-xhigh-fix7-refactor-blueprint-review-2026-06-08.md. Invariants 27/11/14/7 intact.
  • Independent Max pass (2026-06-08, separate macro PROGRAM_REVIEW_MAX_FIX7_REFACTOR_BLUEPRINT_...): audited the XHigh-revised blueprint vs LIVE production + the governing law (did NOT trust prior PASS claims); 7 findings directly revised in-blueprint (3 P1, 3 P2, 1 P3): MB-01 legacy neutralization widened from "apply/writer" to the COMPLETE S00-captured legacy-entrypoint set (live: ALL 46 fns + apply proc proacl=NULL/PUBLIC EXECUTE, none SECURITY DEFINER); MC-01 G-DOT-NOOVERWRITE re-grounded on PG-native owner-isolation (nspacl/ownership) as final authority, DOT-body scan = fail-closed diagnostic; MA-01 stale top-line status corrected; ME-01 ACL rollback snapshot made concrete (ownership + table/view/function/sequence ACLs + nspacl + default privileges); MG-01 fresh Codex re-audit gates before PKG-F/PKG-G (law section 4G); MH-01 guard-quality rules (no vacuous pass / NULL-strict / source-text diagnostic-only); MB-02 birth-family completed (10 fns DO_NOT_TOUCH) + 0-trigger bypass-vector evidence. 30 guards unchanged; invariants 27/11/14/7 intact; 0 blockers. Blueprint docs revised: 01/02/04/05/06/07/08/12 + this checkpoint. Status advanced to FIX7_REFACTOR_BLUEPRINT_MAX_REVIEWED_AND_REVISED_READY_FOR_CODEX_CRITICAL_REVIEW. Report t1-max-fix7-refactor-blueprint-review-2026-06-08/00..12; checkpoint checkpoint-t1-max-fix7-refactor-blueprint-review-2026-06-08.md.
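
The catalog checks referred to above (routines whose proacl is NULL and are therefore PUBLIC-executable, the function/procedure split, and the exact-set comparison in both directions) can be expressed as read-only queries. This is an added example, not part of the blueprint or its guards: the `sealed` row is a constructed placeholder, and the `qt001%` filter is used only as the diagnostic candidate scan.

```sql
-- Added example: SELECT-only catalog queries for PostgreSQL 11+ (prokind, sha256()).

-- 1) Count legacy candidates by routine kind: 'f' = function, 'p' = procedure.
--    Counting pg_proc rows without prokind folds procedures into "functions".
SELECT p.prokind, count(*) AS routines
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.proname LIKE 'qt001%'          -- diagnostic candidate scan only
GROUP BY p.prokind;

-- 2) Exact-set comparison in both directions against a sealed set.
WITH live AS (
    SELECT format('%I.%I(%s)', n.nspname, p.proname,
                  pg_get_function_identity_arguments(p.oid)) AS identity,
           p.prokind,
           p.prosecdef AS security_definer,
           -- proacl IS NULL means the built-in default ACL, which grants
           -- EXECUTE to PUBLIC; acldefault() materialises that default.
           EXISTS (
               SELECT 1
               FROM aclexplode(COALESCE(p.proacl, acldefault('f', p.proowner))) a
               WHERE a.grantee = 0     -- OID 0 = PUBLIC
                 AND a.privilege_type = 'EXECUTE'
           ) AS public_execute,
           encode(sha256(convert_to(p.prosrc, 'UTF8')), 'hex') AS source_sha256
    FROM pg_proc p
    JOIN pg_namespace n ON n.oid = p.pronamespace
    WHERE n.nspname = 'public'
      AND p.proname LIKE 'qt001%'
),
sealed(identity, source_sha256) AS (
    -- Constructed placeholder row; a real sealed set comes from reviewed data.
    VALUES ('public.qt001_example_fn(integer)', repeat('0', 64))
),
drift AS (
    (SELECT 'IN_CATALOG_NOT_SEALED' AS finding, identity, source_sha256 FROM live
     EXCEPT
     SELECT 'IN_CATALOG_NOT_SEALED', identity, source_sha256 FROM sealed)
    UNION ALL
    (SELECT 'SEALED_NOT_IN_CATALOG', identity, source_sha256 FROM sealed
     EXCEPT
     SELECT 'SEALED_NOT_IN_CATALOG', identity, source_sha256 FROM live)
)
SELECT d.finding, d.identity, l.prokind, l.public_execute, l.security_definer
FROM drift d
LEFT JOIN live l USING (identity)
ORDER BY d.finding, d.identity;
```

An empty result from the second query also occurs when both sets are empty, so pair it with a row-count check on `live` and `sealed` to avoid a vacuous pass.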

Invariants (preserved, non-regressed)

AUTHORITY_SURFACES=27 · RUNTIME_EVIDENCE=11_NON_AUTHORITY · READINESS_GATES=14_DATA ·
HASH_CONTRACTS=7_H01..H07 · NEW_GATES=0 · NEW_HASH_CONTRACTS=0 · PRODUCTION_MUTATION=0 ·
STAGE_2_6B/PERMIT/REAL_RUN/QT001_APPLY=BLOCKED · OWNER_ACL_CUTOVER/MANIFEST_ACTIVATION=OPERATOR_GATED

Verdicts

  • Zero-hardcode (incl. disguised): PASS. PG-first/native/driven: PASS.
  • 27/11/14/7: PRESERVED. Rollback: COMPLETE. Dependency-safe order: COMPLETE.
  • XHigh: PASS-after-revision. Max: PASS-after-revision.

Output

  • Report dir: knowledge/dev/reports/architecture/t1-fix7-existing-system-refactor-execution-blueprint-2026-06-08/00..12 (13 docs).
  • Checkpoint: this file.

Next

Codex independently critical-reviews this blueprint from a different perspective. Until that passes, implementation is NOT approved. Then (each separately gated, all currently BLOCKED): implementation-authoring package PKG-A..D (author/rehearsal/read-only) -> Codex re-audit + permit -> PKG-E create/seal/activate (OPERATOR) -> PKG-F repoint+neutralize -> PKG-G owner/ACL cutover -> PKG-H legacy freeze/deprecate -> PKG-I verify -> (separate gates) REAL_RUN / QT001 apply / Stage 2.6B.

Do not claim implementation approval. This macro produced the construction blueprint only.

knowledge/dev/reports/architecture/checkpoint-t1-fix7-existing-system-refactor-execution-blueprint-2026-06-08.md