CHECK D — Zero-Hardcode Final Acceptance
04 — CHECK D: Zero-Hardcode Final Acceptance
Verdict: ZERO_HARDCODE_FINAL_ACCEPTED
What CHECK D requires
No hardcode; no disguised hardcode; no hidden CASE/list policy; no numeric-literal threshold as authority; no mutable runtime denominator; no Directus-editable authority; no arbitrary identity string as authority; no MD5/delimiter hash; no source-text/regex as authority; no function/view existence as proof; no routed-later without blocking-now.
Evidence (T1 doc 06 ⋈ CP-06 patch doc 05)
| Risk | Finding | Result |
|---|---|---|
| Fixed answer outside sealed manifest | none — mutable behavior = ACTIVE sealed manifest data | ACCEPTED |
| Policy-shaped CHECK | none — CHECKs are structural only (num_nonnulls(...)=1; bound_at>=signed_at; valid_until>bound_at; finalized_at>=started_at) |
ACCEPTED |
| Boolean policy default | none — evaluated_pass/evaluated_blocked accepted only from owner generic guards, not caller-authored |
ACCEPTED |
| Hidden CASE / list policy | none | ACCEPTED |
| Numeric literal threshold as authority | none — partition boundaries/cadence from the bound sealed storage-class row, never source literals | ACCEPTED |
| Mutable runtime denominator | none — dashboard_export.denominator_set_sha256 is content-bound |
ACCEPTED |
| Fixed partition policy | none — range partitions driven by sealed storage_class_manifest #05 |
ACCEPTED |
| Free-text operand authority | none — item_payload descriptive-only; operational reads fail |
ACCEPTED |
| Directus-editable authority | none — runtime tables Directus/PUBLIC-inaccessible; Directus sealed read-contract only | ACCEPTED |
| Manual inventory as authority | none — typed #20 rows, not hand lists | ACCEPTED |
| Regex / source-text as authority | none — both-EXCEPT over pg_constraint/pg_index structural truth |
ACCEPTED |
| Function/view existence as proof | none | ACCEPTED |
| Arbitrary reviewer/approver/provenance string | none — principal_registry + human_identity_registry FKs |
ACCEPTED |
| MD5 / delimiter hash | none — "No MD5, delimiter concatenation, implicit bytea text cast"; SHA-256 over canonical JSONB | ACCEPTED |
| bool_and NULL-ignore | none — required order/scope fields NOT NULL; missing fails | ACCEPTED |
| Routed-later without blocking-now | none — P-04 fails NOW; no deferral | ACCEPTED |
Law alignment
Against the governing law's only hardcode clause (§5 no_hardcode_absolute: important literals must be discovered from SSOT/config/registry/catalog or clearly classified), every important value here is discovered from a sealed manifest/registry/catalog or is a structural type/constraint — compliant. ("Disguised-hardcode" structural detection is T1/Codex review discipline, applied here as discipline, and clean.)
Determination
No hardcode and no disguised hardcode in the final design state. The CP-06 micro-patch introduced no literal-as-authority, mutable denominator, regex authority, existence-proof, or deferred-blocking vector.
Result: ZERO_HARDCODE_FINAL_ACCEPTED.