Checkpoint T1 FIX7 Implementation-Spec Full Adversarial Review
Date: 2026-06-08. Verifier: T1 (production Agent for Agent Data).
Mode: READ-ONLY production. Live mutation: NONE except the 18 review docs 00–17 + this checkpoint. No DB object created; no SQL applied; no role/owner/ACL/manifest/permit/apply.
FINAL: DESIGN_NEEDS_CODEX_CORRECTION_BEFORE_IMPLEMENTATION
IMPLEMENTATION_FEASIBILITY_VERDICT: IMPLEMENTABLE_WITH_OPERATOR_GATED_STEPS
Big, genuine advance over the prior DESIGN_BLOCKED_REQUIRES_CODEX_UPDATE: every one of the 12 prior blockers now has a concrete decision, and the design is technically feasible + scale-safe on the live PG16 stack. But three classes of byte-level build artifact are asserted ("in the full spec" / "are specified") yet not published for review (KB search + directory listing confirm only 14 summary docs exist):
- exact manifest_set + 27 child-contract DDL (types/PK/FK/CHECK + negative tests);
- the 14 readiness gate adapter rule sets + per-gate freshness;
- the 7 hash payload key-maps (ordered keys + domain tag + NULL rule + sensitivity tests).
Cannot CONFIRM artifacts I cannot see ("schema columns"/"hash inputs" are macro reject triggers; "no assuming resolved"). One short publish-and-review cycle from CONFIRMED — not a re-design.
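To make the hash-method requirements above concrete (ordered keys, domain tag, NULL-strict rule, sensitivity tests), the following is an illustrative pattern added to this checkpoint; it is not one of the spec's 7 key-maps and must not be taken as such. The `demo_content_hash` name, the `qt001:...` tags and the sample values are placeholders; only pgcrypto on PG16 is assumed, as verified above.

```sql
-- Illustrative pattern only (added here; not the spec's published key-maps).
-- Assumes pgcrypto (verified on the live stack). Tags/values are placeholders.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE OR REPLACE FUNCTION demo_content_hash(
    p_domain_tag     text,    -- per-contract tag, e.g. 'qt001:signoff:v1' (placeholder)
    p_ordered_values text[]   -- key values in the key-map's fixed key order
) RETURNS text LANGUAGE plpgsql IMMUTABLE AS $$
DECLARE
    v_payload text;
BEGIN
    -- NULL-strict rule: a NULL tag, NULL array or NULL key value fails closed
    -- instead of silently hashing as '' (the false-green this review rejects).
    IF p_domain_tag IS NULL OR p_ordered_values IS NULL
       OR array_position(p_ordered_values, NULL) IS NOT NULL THEN
        RAISE EXCEPTION 'content hash: NULL input rejected (NULL-strict rule)'
              USING ERRCODE = 'null_value_not_allowed';
    END IF;
    -- Length-prefix each value so concatenation is unambiguous ('ab'+'c' <> 'a'+'bc').
    SELECT string_agg(length(v)::text || ':' || v, '|' ORDER BY ord)
      INTO v_payload
      FROM unnest(p_ordered_values) WITH ORDINALITY AS t(v, ord);
    -- Domain separation: the tag is part of the digested bytes, so the same
    -- payload under another contract hashes differently. SHA-256, never MD5.
    RETURN encode(digest(convert_to(p_domain_tag || chr(0) || v_payload, 'UTF8'),
                         'sha256'), 'hex');
END;
$$;

-- Sensitivity checks on constructed inputs: a changed tag, a changed value and a
-- reordered key must each alter the hash; a NULL key value must fail closed.
DO $$
DECLARE
    h1 text := demo_content_hash('qt001:signoff:v1', ARRAY['plan-7','sha256:abc','2026-06-08']);
BEGIN
    ASSERT h1 <> demo_content_hash('qt001:capability:v1', ARRAY['plan-7','sha256:abc','2026-06-08']);
    ASSERT h1 <> demo_content_hash('qt001:signoff:v1',    ARRAY['sha256:abc','plan-7','2026-06-08']);
    ASSERT h1 <> demo_content_hash('qt001:signoff:v1',    ARRAY['plan-7','sha256:abd','2026-06-08']);
    BEGIN
        PERFORM demo_content_hash('qt001:signoff:v1', ARRAY['plan-7', NULL, '2026-06-08']);
        RAISE EXCEPTION 'NULL key value was not rejected';   -- P0001, not caught below
    EXCEPTION WHEN null_value_not_allowed THEN
        NULL;  -- expected: fail-closed path taken
    END;
END $$;
```

A published key-map would additionally fix the key names, their order and the exact tag string per contract; this block only shows the shape such a map has to satisfy.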
Per-supertrack verdicts
- A prior blockers: 8–9/12 RESOLVED (decision); PARTIAL on T1-01 (manifest DDL), T1-02 (gate adapters), T1-06 (hash key-maps); 0 STILL_OPEN.
- B manifest/engine: MANIFEST_SPEC_PARTIAL (envelope/lifecycle/ownership complete; per-manifest + 27-child DDL not published).
- C readiness: READINESS_SPEC_COMPLETE (14 named gates, exact-set both-EXCEPT, NULL-strict, sealed, quorum-to-reduce, bounded by gate count) — per-gate adapter rule sets pend (B).
- D quorum: QUORUM_SPEC_COMPLETE (Q_CRITICAL_3 / Q_STANDARD_2, ≤24h, drift-invalidation, anti-self-approval, hash/epoch binding, controlled LOGIN identities).
- E signoff: SIGNOFF_SPEC_COMPLETE (LOGIN session_user, content-hash evidence, append-only revoke/supersede, exact binding, self-sign/Directus blocked).
- F capability: CAPABILITY_SPEC_COMPLETE (exact codes/workload 1M/thresholds 600000ms·1GiB/freshness; controlled VERIFIER; fake/existence/free-text fail).
- G hash: HASH_SPEC_PARTIAL (PG16+pgcrypto verified, method/domain-sep/no-MD5/plan-vs-control-state complete; per-contract key-maps not published).
- H dependency: DEPENDENCY_SPEC_COMPLETE (PG limit acknowledged, sealed analyzer + source-hash drift, unknown-fails, OID-checked dynamic SQL, regex diagnostic-only).
- I control_epoch: CONTROL_EPOCH_SPEC_COMPLETE (single owner row, FOR SHARE/FOR UPDATE, reread-before-commit, epoch-bound evidence, no-decrement).
- J Level-B: LEVEL_B_SPEC_COMPLETE (exact paths/packet regex/stages/rollback/no-manual-SQL); runnable CI artifact operator/infra-gated.
- K boundary: T1_BOUNDARY_COMPLETE (author/test + SPEC_CONFLICT-stop) with one gap: K.7 self-audit dashboard not specified.
- L zero-hardcode: ZERO_HARDCODE_PASS (design); 2 low risks = unverifiable artifacts (hash key-maps, bypass enumeration).
- M PG-native-driven: PG_NATIVE_DRIVEN_PARTIAL_OPERATOR_GATED (genuinely native/driven; enforcement not yet live — Directus still owns control plane pending cutover).
- N risk/rollback: RISK_ROLLBACK_COMPLETE (all layers fail-closed; add single-human-two-roles operational control).
- O feasibility/scale: IMPLEMENTABLE_WITH_OPERATOR_GATED_STEPS (PG16.13 + pgcrypto 1.3 verified; control-plane-bounded; 2 items to make explicit: retain Directus SELECT on cutover; confirm Level-B CI env exists).
- P disguised-hardcode: ZERO_DISGUISED_HARDCODE_PASS (design); same 2 low artifact risks.
- Q final: DESIGN_NEEDS_CODEX_CORRECTION_BEFORE_IMPLEMENTATION.
Live read-only evidence (2026-06-08, no mutation)
PostgreSQL 16.13; pgcrypto 1.3 installed+available; QT001 control tables still owned by directus; qt001_cp_owner absent; (prior turn) Directus INSERT/DELETE on signoff + INSERT on capability evidence; signoff_plan_binding=0, capability_operational_evidence=0 → readiness BLOCKED, scale NOT_SAFE, no false-green.
Corrections required (narrow) — see doc 17
1. publish manifest/child DDL + neg tests;
2. publish 14 gate adapter rule sets;
3. publish 7 hash key-maps + sensitivity tests;
4. enumerate 14 bypass vectors;
5. make explicit: retain Directus SELECT on cutover + confirm Level-B CI channel exists;
6. add T1 self-audit dashboard deliverable;
7. add single-human-two-roles operational control.
If full-spec files already exist outside the KB, surface them → short re-review → CONFIRMED. Do not let T1 author authoritative artifacts without a Codex re-audit of them.
Unchanged hard blocks
No Stage 2.6B. No permit. No REAL_RUN. No QT001 apply. Readiness BLOCKED until owner cutover + fresh post-activation evidence + fresh independent Codex re-audit.
Artifacts
Report dir: knowledge/dev/reports/architecture/t1-fix7-implementation-spec-full-adversarial-review-2026-06-07/00..17.
Checkpoint: this file. Next: route corrections 1–7 to Codex; on a corrected/published package, re-run the focused review of the three artifact classes before any FIX7a authoring.