KB-4BC4

Codex FIX7 Control-Plane Immutability Design Plan

Revision: 1
Tags: QT001, FIX7, readme, control-plane, design-only


Date: 2026-06-07
Mode: design-only; no production DB/role/grant/function/scheduler/source/UI/permit/ledger/REAL_RUN mutation.
Status: STAGE2_6A_FIX7_CONTROL_PLANE_IMMUTABLE_READINESS_SIGNOFF_CAPABILITY_HASH_READY_FOR_T1_IMPLEMENTATION

This package is an implementation contract, not an authorization to apply it. It keeps QT001 and Stage 2.6B blocked until FIX7 is implemented by T1/operator and independently re-audited.

Decision

Build a separate qt001_cp authority schema owned by a NOLOGIN role. Directus becomes read-only. All mutable evidence enters through narrow SECURITY DEFINER functions that authenticate the actual database session_user. Readiness, signoff, capability, dependency, and no-bypass results must bind to sealed SHA-256 manifests and exact-set checks.

Three Declarations

  1. Permanent: the root authority boundary is fixed; app-owned rows can no longer define or rewrite what safe means.
  2. Impossible to mistake: missing/extra/NULL/unknown/stale/spoofed/self-attested facts fail, while Directus/Public mutation and writer execution are denied by PostgreSQL ownership/ACL.
  3. 100% automatic: controlled verifier runs produce evidence; PostgreSQL evaluates exact manifests and blocks automatically without manual readiness edits.
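The schema, ownership, SECURITY DEFINER and exact-set pattern described under Decision, together with the ownership/ACL denial claimed in declaration 2, as an added PostgreSQL sketch that is not the project's own DDL and not part of FIX7a-c. Only the schema name qt001_cp comes from the page; the roles qt001_cp_owner, directus (standing in for the Directus service role) and qt001_verifier, every table and function name, and the canonical manifest form (sorted check names, newline-joined, UTF-8, SHA-256) are assumptions made for illustration.

```sql
-- Added illustration of the Decision above; not the project's own DDL.
-- Assumptions: schema qt001_cp is from the page; roles qt001_cp_owner, directus,
-- qt001_verifier, all table/function names and the canonical manifest form are
-- hypothetical. Runs on PostgreSQL 11+ as a superuser against a scratch database.

-- Roles created here only so the script runs stand-alone; in a real cutover they already exist.
CREATE ROLE directus LOGIN;
CREATE ROLE qt001_verifier LOGIN;

-- Authority schema owned by a NOLOGIN role. Nobody can log in as the owner, so owner
-- privileges are reachable only through the SECURITY DEFINER functions defined below.
CREATE ROLE qt001_cp_owner NOLOGIN;
CREATE SCHEMA qt001_cp AUTHORIZATION qt001_cp_owner;
REVOKE ALL ON SCHEMA qt001_cp FROM PUBLIC;
GRANT USAGE ON SCHEMA qt001_cp TO directus, qt001_verifier;

SET ROLE qt001_cp_owner;   -- everything below is owned by the NOLOGIN role

-- Database session users allowed to submit verifier evidence.
CREATE TABLE qt001_cp.writer_allowlist (session_user_name name PRIMARY KEY);
INSERT INTO qt001_cp.writer_allowlist VALUES ('qt001_verifier');

-- Sealed manifest: the exact set of checks a readiness run must cover, plus a
-- SHA-256 over the canonical list so the expected set cannot drift unnoticed.
CREATE TABLE qt001_cp.readiness_manifest (
    manifest_id     text   PRIMARY KEY,
    check_names     text[] NOT NULL,
    manifest_sha256 bytea  NOT NULL
);

-- Append-only evidence. recorded_by is taken from session_user, never from a parameter.
CREATE TABLE qt001_cp.readiness_evidence (
    manifest_id text        NOT NULL REFERENCES qt001_cp.readiness_manifest,
    check_name  text        NOT NULL,
    passed      boolean     NOT NULL,
    recorded_by name        NOT NULL,
    recorded_at timestamptz NOT NULL DEFAULT now(),
    PRIMARY KEY (manifest_id, check_name)
);

-- Canonical digest of a check set: sorted, newline-joined, UTF-8, SHA-256.
-- An empty set yields NULL, so an empty manifest cannot be sealed (NOT NULL above).
CREATE FUNCTION qt001_cp.manifest_digest(p_check_names text[])
RETURNS bytea LANGUAGE sql STABLE
SET search_path = pg_catalog, pg_temp AS $$
    SELECT sha256(convert_to(
        (SELECT string_agg(c, E'\n' ORDER BY c) FROM unnest(p_check_names) AS c), 'UTF8'));
$$;

-- Seal a manifest. Only the owner can insert directly; callers go through this function.
CREATE FUNCTION qt001_cp.seal_manifest(p_manifest_id text, p_check_names text[])
RETURNS bytea LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp AS $$
    INSERT INTO qt001_cp.readiness_manifest (manifest_id, check_names, manifest_sha256)
    VALUES (p_manifest_id, p_check_names, qt001_cp.manifest_digest(p_check_names))
    RETURNING manifest_sha256;
$$;

-- Narrow writer. Runs with the owner's privileges but refuses any session_user outside
-- the allowlist, so the identity behind a piece of evidence cannot be spoofed by a caller.
CREATE FUNCTION qt001_cp.record_evidence(p_manifest_id text, p_check_name text, p_passed boolean)
RETURNS void LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp AS $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM qt001_cp.writer_allowlist
                    WHERE session_user_name = session_user) THEN
        RAISE EXCEPTION 'session_user % may not write evidence', session_user;
    END IF;
    -- Unknown checks are rejected rather than recorded as "extra" facts.
    IF NOT EXISTS (SELECT 1 FROM qt001_cp.readiness_manifest
                    WHERE manifest_id = p_manifest_id AND p_check_name = ANY (check_names)) THEN
        RAISE EXCEPTION 'check % is not in manifest %', p_check_name, p_manifest_id;
    END IF;
    INSERT INTO qt001_cp.readiness_evidence (manifest_id, check_name, passed, recorded_by)
    VALUES (p_manifest_id, p_check_name, p_passed, session_user);
END;
$$;

-- Exact-set readiness: true only if the stored digest still matches the manifest's list
-- AND the set of passed checks equals the manifest set. Missing, failed, extra or absent
-- evidence, an unknown manifest, or a digest mismatch all yield false, never NULL.
CREATE FUNCTION qt001_cp.is_ready(p_manifest_id text)
RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = pg_catalog, pg_temp AS $$
    SELECT coalesce((
        SELECT m.manifest_sha256 = qt001_cp.manifest_digest(m.check_names)
           AND (SELECT array_agg(c ORDER BY c) FROM unnest(m.check_names) AS c)
             = (SELECT array_agg(e.check_name ORDER BY e.check_name)
                  FROM qt001_cp.readiness_evidence AS e
                 WHERE e.manifest_id = m.manifest_id AND e.passed)
          FROM qt001_cp.readiness_manifest AS m
         WHERE m.manifest_id = p_manifest_id), false);
$$;

-- Functions are executable by PUBLIC by default, so revoke and re-grant narrowly.
REVOKE ALL ON FUNCTION qt001_cp.seal_manifest(text, text[]),
                       qt001_cp.record_evidence(text, text, boolean) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION qt001_cp.seal_manifest(text, text[]),
                          qt001_cp.record_evidence(text, text, boolean) TO qt001_verifier;
-- Directus: read the evidence and the verdict, write nothing.
GRANT SELECT ON ALL TABLES IN SCHEMA qt001_cp TO directus;
GRANT EXECUTE ON FUNCTION qt001_cp.is_ready(text) TO directus;
RESET ROLE;
```

With this in place, a session logged in as qt001_verifier can call `qt001_cp.seal_manifest('m1', ARRAY['deps_ok','no_bypass_ok'])` and then `qt001_cp.record_evidence('m1', 'deps_ok', true)`; a session logged in as directus gets a permission error on both (no EXECUTE on the writers, no INSERT/UPDATE/DELETE on any table) and can only read rows and call `qt001_cp.is_ready('m1')`, which stays false until every manifest check has a passed row. The `SET search_path` clause on each SECURITY DEFINER function is the standard PostgreSQL hardening against search-path substitution when code runs with the owner's privileges.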

Required Order

  1. FIX7a additive authority schema/manifests/hash contracts.
  2. FIX7b operator-owned role/ownership/ACL cutover.
  3. FIX7c controlled writers/verifiers and authoritative-path repoint.
  4. Independent Codex negative-test re-audit.
  5. Only after PASS may a separate decision consider Stage 2.6B.

Path: knowledge/dev/reports/architecture/codex-fix7-control-plane-immutability-design-plan-2026-06-07/00-readme-first.md