05 - ACL Snapshot Recheck

Verdict

ACL_SNAPSHOT_ACCEPTED_WITH_EXECUTION_ORDER_DEPENDENCY

T1 added column ACLs, schema/table/view/function/sequence/default privileges, PUBLIC/Directus/cp-role grants, role-membership expansion, snapshot hash, and both-direction effective privilege verification. This closes the prior snapshot-completeness blocker.

The snapshot design does not solve the separate S15 owner-bypass problem: directus remains owner until S16. T1 must change execution order/atomic scope without weakening the accepted snapshot requirements.

Effective-privilege guards must explicitly disposition superuser roles, because superusers cannot be made privilege-zero by object ACL changes.