KB-4DDF

Codex FIX7 Recheck 2 - Owner Semantics

Revision 1

01 - Owner Semantics Recheck

Verdict

OWNER_SEMANTICS_NEEDS_FIX

Accepted: S15.1 transfers executable legacy routines off non-superuser directus before REVOKE and G-NOLEGACY-POST. This resolves the prior impossible effective-EXECUTE assertion.

Remaining requirements:

  • Prove qt001_cp_owner is operationally unreachable: exact pg_auth_members/SET ROLE state, NOLOGIN, no inherited membership, and exact Level-B execution identity. An operator normally needs SET ROLE membership or superuser authority to ALTER OWNER; either path must be explicitly controlled and guard-verified.
  • workflow_admin cannot merely be excluded as an “accepted out-of-band property.” Define the separate operator-gated control/evidence/monitoring contract for use of this LOGIN superuser during cutover.

No guard may claim zero bypass while leaving the owner role or a login superuser operationally uncontrolled.
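One way to collect the owner-role evidence asked for above, as an added example that is not part of the original report or the project's guard set. It assumes PostgreSQL 16 or later (where `pg_auth_members` exposes `set_option` and `inherit_option`) and reads "no inherited membership" strictly, as no membership edge touching `qt001_cp_owner` in either direction; the `owner guard` message prefix is hypothetical.

```sql
-- Added example: read-only guard. Assumes PostgreSQL 16+, where
-- pg_auth_members carries inherit_option and set_option.
DO $$
DECLARE
    v_owner   pg_roles%ROWTYPE;
    v_edges   text;
    v_supers  text;
BEGIN
    IF current_setting('server_version_num')::int < 160000 THEN
        RAISE EXCEPTION 'owner guard: needs PostgreSQL 16+ for set_option';
    END IF;

    SELECT * INTO v_owner FROM pg_roles WHERE rolname = 'qt001_cp_owner';
    IF NOT FOUND THEN
        RAISE EXCEPTION 'owner guard: role qt001_cp_owner not found';
    END IF;
    IF v_owner.rolcanlogin OR v_owner.rolsuper THEN
        RAISE EXCEPTION 'owner guard: owner has login=% superuser=%',
            v_owner.rolcanlogin, v_owner.rolsuper;
    END IF;

    -- Strict reading (assumption): no membership edge may touch the owner
    -- in either direction, so neither SET ROLE nor inheritance can reach it.
    SELECT string_agg(format('%s -> %s (set=%s inherit=%s admin=%s)',
               m.member::regrole, m.roleid::regrole,
               m.set_option, m.inherit_option, m.admin_option), '; ')
      INTO v_edges
      FROM pg_auth_members m
     WHERE v_owner.oid IN (m.roleid, m.member);
    IF v_edges IS NOT NULL THEN
        RAISE EXCEPTION 'owner guard: membership edges present: %', v_edges;
    END IF;

    -- Superusers bypass membership checks, so list every LOGIN superuser
    -- as evidence rather than treating it as out of scope.
    SELECT string_agg(rolname, ', ' ORDER BY rolname) INTO v_supers
      FROM pg_roles WHERE rolsuper AND rolcanlogin;
    RAISE NOTICE 'owner guard: LOGIN superusers = %; session_user=% current_user=%',
        coalesce(v_supers, '(none)'), session_user, current_user;
END
$$;
```

The final NOTICE records the executing identity and the LOGIN superuser set as evidence only; it does not replace the operator-gated contract required for workflow_admin.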

knowledge/dev/reports/architecture/codex-fix7-blueprint-recheck-2-after-owner-semantics-patch-2026-06-08/01-owner-semantics-recheck.md