KB-756A

Codex FIX7 Recheck - G NOLEGACY Phase

Revision 1

02 - G-NOLEGACY Phase Recheck

Verdict

G_NOLEGACY_PHASE_FAIL

The PRE/POST split removes the previous textual deadlock, but POST is impossible under PostgreSQL ownership semantics.

At S15 the legacy routines remain owned by directus until S16. Object owners retain implicit privileges; revoking EXECUTE from the owner does not remove the owner's effective ability to execute. Therefore G-NOLEGACY-POST's required directus effective EXECUTE = 0 cannot pass for REVOKE_ONLY routines after S15.

Required T1 fix:

  • Reorder or atomically combine the minimum ownership isolation required for legacy executable objects with S15 neutralization, or use another PG-native mechanism that makes owner-call bypass impossible.
  • Make guard expectations account explicitly for owner and superuser semantics.
  • Do not claim effective privilege zero through REVOKE while the bypassing principal still owns the routine.
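
A guard query along the lines of the second and third points, as an added example that is not part of the original report or the project's own guard: it reports ownership and superuser status beside the ACL result instead of relying on the ACL alone. The schema name `legacy_schema` is a placeholder for wherever the legacy routines live; `directus` is the role named above.

```sql
-- Added example (not project code). 'legacy_schema' is a placeholder.
-- Returns one row per legacy routine that 'directus' can still reach.
-- The guard passes only when this query returns zero rows.
SELECT
    p.oid::regprocedure                                  AS routine,
    pg_get_userbyid(p.proowner)                          AS owner,
    -- ACL view: EXECUTE held directly, via PUBLIC, or via role membership.
    -- Always true for a superuser.
    has_function_privilege('directus', p.oid, 'EXECUTE') AS acl_execute,
    -- Ownership view: directus is the owner or inherits the owner role.
    -- An owner always holds grant options and can re-grant EXECUTE
    -- to itself, so a REVOKE alone does not settle this column.
    pg_has_role('directus', p.proowner, 'USAGE')         AS is_or_inherits_owner,
    -- Superusers bypass privilege checks entirely.
    r.rolsuper                                           AS is_superuser
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
CROSS JOIN pg_roles r
WHERE r.rolname = 'directus'
  AND n.nspname = 'legacy_schema'
  AND (
        has_function_privilege('directus', p.oid, 'EXECUTE')
     OR pg_has_role('directus', p.proowner, 'USAGE')
     OR r.rolsuper
  )
ORDER BY routine;
```

Any row with `is_or_inherits_owner = true` identifies a routine whose ownership has to move before a zero-privilege claim for `directus` can hold.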
knowledge/dev/reports/architecture/codex-fix7-blueprint-recheck-after-t1-patch-2026-06-08/02-g-nolegacy-phase-recheck.md