KB-1F20

Codex FIX7 Recheck 3 - Owner Isolation and #21 Contract

Revision 1

04 - Owner Isolation / #21 Contract Recheck

Verdict

OWNER_ISOLATION_21_CONTRACT_NEEDS_FIX

The owner-isolation and #21 closed-world approach is correct: the owner's implicit privileges move to the unreachable qt001_cp_owner; effective privileges for non-owner, non-superuser principals are reconciled in both directions against the sealed #21; body definitions remain unchanged; and superuser access is controlled separately as break-glass.

The contract is not yet fully executable because the principal universe is currently mixed into the U_legacy object denominator. T1 must specify it separately and exactly:

  • Object universe: typed U_legacy_object only.
  • Principal universe: PUBLIC plus every relevant login/member role derived through PG role membership, excluding the controlled owner from removable-privilege equality and separately dispositioning superusers.
  • Privilege tuple shape: object identity, principal identity, privilege kind, grant option/column scope where applicable.
  • #21 completeness/count/hash and both-EXCEPT must operate over that exact tuple shape.

After this separation, G-NOLEGACY-POST and uniform-endstate can be machine-checkable.
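
A sketch of the separated contract, added here as an example and not taken from the project's own code: the object and principal universes are built independently, and count, hash and both-direction EXCEPT all run over the same five-field tuple. The membership traversal, the SHA-256 serialization, and every role and object name other than qt001_cp_owner are assumptions made for the example.

```python
import hashlib
from collections import namedtuple

# Exact tuple shape: object identity, principal identity, privilege kind,
# grant option, column scope ("" when the grant is object-wide).
Priv = namedtuple("Priv", "obj principal kind grantable column")

def principal_universe(logins, member_of, owner, superusers):
    """PUBLIC + login roles + roles reached through membership (assumed reading)."""
    seen, stack = set(), list(logins)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(member_of.get(role, ()))
    return ({"PUBLIC"} | seen) - {owner} - set(superusers)

def seal(rows):
    """Count and SHA-256 (assumed hash) over the sorted, de-duplicated tuples."""
    rows = sorted(set(rows))
    digest = hashlib.sha256()
    for r in rows:
        digest.update(("\x1f".join(map(str, r)) + "\n").encode())
    return len(rows), digest.hexdigest()

def reconcile(effective, sealed, objects, principals, superusers):
    """Both-direction EXCEPT of effective privileges against the sealed set."""
    stray = [t for t in sealed if t.obj not in objects or t.principal not in principals]
    if stray:  # the sealed set must live inside objects x principals
        raise ValueError(f"sealed tuple outside the declared universes: {stray[0]}")
    eff = {t for t in effective if t.obj in objects and t.principal in principals}
    ref = set(sealed)
    return {"extra": eff - ref,        # effective EXCEPT sealed
            "missing": ref - eff,      # sealed EXCEPT effective
            "superuser": {t for t in effective if t.principal in superusers},
            "equal": seal(eff) == seal(ref)}

# Constructed sample data; every role and object name except qt001_cp_owner is made up.
OBJECTS = {"table:app.orders", "table:app.audit"}
MEMBER_OF = {"alice": ["app_ro"], "app_ro": ["reporting"]}
PRINCIPALS = principal_universe(["alice", "root_dba"], MEMBER_OF, "qt001_cp_owner", ["root_dba"])
SEALED = [Priv("table:app.orders", "app_ro", "SELECT", False, ""),
          Priv("table:app.audit", "PUBLIC", "SELECT", False, "id")]
EFFECTIVE = [Priv("table:app.orders", "app_ro", "SELECT", False, ""),
             Priv("table:app.orders", "reporting", "UPDATE", True, ""),
             Priv("table:app.orders", "qt001_cp_owner", "DELETE", False, ""),
             Priv("table:app.orders", "root_dba", "TRUNCATE", False, "")]
RESULT = reconcile(EFFECTIVE, SEALED, OBJECTS, PRINCIPALS, ["root_dba"])
```

In the sample, the owner's DELETE never enters the equality check, the superuser's TRUNCATE is reported on its own, and the end state is accepted only when both difference sets are empty and count and hash match.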

knowledge/dev/reports/architecture/codex-fix7-blueprint-recheck-3-after-option-beta-patch-2026-06-08/04-owner-isolation-21-contract-recheck.md