KB-40CA

Codex FIX7 Recheck - Hardcode and PG Native

Revision 1

08 - Hardcode / PG-Native Recheck

Verdicts

  • HARDCODE_NEEDS_FIX
  • PG_NATIVE_DRIVEN_FAIL

T1 removed direct name-pattern operational authority. Remaining disguised-hardcode/PG-native risks:

  1. live-relevant has no closed derivation. Without a precise reverse/write-effect relevance universe, the both-EXCEPT denominator can still be selected by implementer judgment.
  2. The five disposition values are embedded as a new typed column vocabulary without showing their FK binding to the sealed code catalog.
  3. expected_legacy_set_sha256 is authoritative but is declared not to be a hash contract. Any authoritative hash requires an explicit canonicalization, component set, ordering, null encoding, and verification contract. It cannot avoid hash-contract governance by being called a roll-up.
  4. operator_authorization_artifact lacks a specified PG-native authority home.
  5. S15 REVOKE assumes ACL can remove owner execution, which is false in PostgreSQL.

Required T1 fix: resolve these through approved PG schema/data contracts and PostgreSQL-feasible enforcement. Do not hide new authority/hash behavior in blueprint prose.
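
An added illustration of finding 3, not part of the original report or of the project's schema: one PostgreSQL-native way to state each element of a hash contract (component set, canonicalization, ordering, null encoding, verification) as data-layer objects instead of prose. The table legacy_set_member, its columns, and the functions canon_field, legacy_set_sha256 and legacy_set_matches are hypothetical names; the real component set behind expected_legacy_set_sha256 is not given on this page.

```sql
-- Added illustration. Every object name below is hypothetical.
-- Requires PostgreSQL 11+ for sha256(bytea).

-- Component set: exactly these two columns of this table, nothing else.
CREATE TABLE legacy_set_member (
    object_key  text PRIMARY KEY,
    disposition text              -- nullable, to exercise the null encoding
);

-- Constructed sample rows. A naive key || '|' || value join would render the
-- first two rows identically, and would not tell NULL from ''.
INSERT INTO legacy_set_member VALUES
    ('a|b', 'c'), ('a', 'b|c'), ('n1', NULL), ('n2', '');

-- Null and field encoding: NULL -> 'N;'  value -> 'S<UTF-8 byte length>:<value>;'
CREATE FUNCTION canon_field(v text) RETURNS text
LANGUAGE sql STABLE AS $$
    SELECT CASE WHEN v IS NULL THEN 'N;'
                ELSE 'S' || octet_length(convert_to(v, 'UTF8'))::text
                         || ':' || v || ';'
           END
$$;

-- Canonicalization: version tag, row count, then rows in bytewise key order
-- (COLLATE "C"), so the digest does not depend on locale or physical order.
CREATE FUNCTION legacy_set_sha256() RETURNS text
LANGUAGE sql STABLE AS $$
    SELECT encode(sha256(convert_to(
               'v1;' || count(*)::text || ';' ||
               coalesce(string_agg(
                   canon_field(object_key) || canon_field(disposition), ''
                   ORDER BY object_key COLLATE "C"), ''),
               'UTF8')), 'hex')
    FROM legacy_set_member
$$;

-- Verification: recompute from live rows and compare; NULL expected -> false.
CREATE FUNCTION legacy_set_matches(expected_hex text) RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT coalesce(legacy_set_sha256() = lower(expected_hex), false)
$$;

SELECT legacy_set_matches(legacy_set_sha256()) AS self_check;
```

Changing any one of these choices (the 'v1' tag, the sort collation, the null marker) changes every digest, which is why each has to be fixed in the contract before the stored value can be treated as authoritative.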

knowledge/dev/reports/architecture/codex-fix7-blueprint-recheck-after-t1-patch-2026-06-08/08-hardcode-pg-native-recheck.md