04 - Rollback No-Mixed-Authority Recheck

Verdict

ROLLBACK_NO_MIXED_AUTHORITY_NEEDS_FIX

Deactivation-first rollback is directionally correct. The guard definition is not phase-consistent.

G-NOMIXED-AUTHORITY currently reads ACTIVE manifest_activation plus legacy effective executability. S14 activates the new manifest before S15, while legacy routines remain PUBLIC-executable and owner-executable. Thus the guard's claimed invariant is already violated after S14.

Required T1 fix:

• Distinguish manifest ACTIVE but unrouted from authoritative routed/executable using a PG-native route/authority fact.
• Define permitted states and forbidden state transitions for S14, S15, S16, and rollback.
• Make the S15 transaction and rollback prove the route state, not merely manifest lifecycle.
• Bind actual restorable source artifacts; hashes alone cannot restore bodies.