Codex FIX7 Critical Review - Rollback and Cutover Safety
05 - Rollback / Cutover Safety
Verdict
CHECK_E_ROLLBACK_FAIL_NEEDS_T1_FIX
Blockers
CR-E1 - S15 rollback reopens complete PUBLIC EXECUTE
The rollback explicitly restores the all-PUBLIC legacy EXECUTE baseline while the new qt001_cp plane remains present. Safety is asserted through an independent apply/permit block, but the rollback does not explicitly and atomically supersede/deactivate the new active path before restoring legacy executability. This does not prove that mixed old/new authority cannot exist.
Required T1 fix: define one atomic coherent rollback state and its exact operations. Before any legacy EXECUTE restoration, prove the new authoritative path is inactive/superseded and the standing block is mechanically effective. Prefer restoring only the minimum safe legacy execution needed, not blanket PUBLIC EXECUTE. G-ROLLBACK-SAFE must prove effective executability and active-path exclusivity.
CR-E2 - Stub/body rollback incomplete
If PKG-F really replaces every legacy function/procedure with a stub, #27 restoring only prior writer/gateway source is incomplete. Every replaced body, signature, owner, ACL, config, security mode, and dependency-relevant property would need to be captured and restored.
Required T1 fix: reconcile stub scope and provide symmetric rollback for every mutation.
CR-E3 - Pinned hash is not itself a restore mechanism
The blueprint says rollback never CREATE OR REPLACEs the gateway but also says it restores prior source. T1 must specify the actual authorized PG-native restore operation and prove it can restore without contradicting PostgreSQL function replacement semantics.
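One shape the T1 fix for CR-E1 and CR-E3 could take, as an added PostgreSQL example that is not code from the blueprint or this review: the new path is deactivated first, the restore operation is named explicitly, only minimal executability is restored, and the commit is gated on mechanical checks. Assumed names: qt001_cp.gateway() as the new plane's entry point, legacy.gateway() as the legacy gateway, role app_exec, and a placeholder for the blueprint's pinned hash.

```sql
-- Added example, not part of the blueprint or this review. Assumed names:
-- qt001_cp.gateway() (new plane entry point), legacy.gateway() (legacy
-- gateway), role app_exec, and a placeholder for the blueprint's pinned hash.
BEGIN;

-- 1. Deactivate the new authoritative path BEFORE any legacy EXECUTE is
--    restored. Revoking PUBLIC alone is not enough if direct grants exist.
REVOKE EXECUTE ON FUNCTION qt001_cp.gateway() FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION qt001_cp.gateway() FROM app_exec;

-- 2. Name the restore operation. PostgreSQL restores function source only
--    through CREATE OR REPLACE (or DROP + CREATE); a pinned hash verifies,
--    it does not restore. The captured prior body belongs in the $$ block.
CREATE OR REPLACE FUNCTION legacy.gateway() RETURNS void
    LANGUAGE plpgsql SECURITY INVOKER
    SET search_path = legacy, pg_temp
AS $$ BEGIN NULL; END; $$;   -- placeholder for the captured prior body

-- 3. Restore minimum executability only, never blanket PUBLIC EXECUTE.
REVOKE EXECUTE ON FUNCTION legacy.gateway() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION legacy.gateway() TO app_exec;

-- 4. Mechanical gate: abort the transaction unless the end state is coherent,
--    so no intermediate mixed old/new authority can ever be committed.
DO $chk$
DECLARE
    pinned_hash text := '<PINNED_HASH_PLACEHOLDER>';  -- from the blueprint
    actual_hash text;
BEGIN
    IF has_function_privilege('public', 'qt001_cp.gateway()', 'EXECUTE')
       OR has_function_privilege('app_exec', 'qt001_cp.gateway()', 'EXECUTE') THEN
        RAISE EXCEPTION 'rollback unsafe: new path still executable';
    END IF;
    IF has_function_privilege('public', 'legacy.gateway()', 'EXECUTE') THEN
        RAISE EXCEPTION 'rollback unsafe: PUBLIC EXECUTE reopened on legacy';
    END IF;
    SELECT md5(pg_get_functiondef('legacy.gateway()'::regprocedure))
      INTO actual_hash;
    IF actual_hash IS DISTINCT FROM pinned_hash THEN
        RAISE EXCEPTION 'rollback unsafe: restored source % != pinned %',
            actual_hash, pinned_hash;
    END IF;
END
$chk$;

COMMIT;   -- reached only if every check above passed
```

Because every step runs inside one transaction and the DO block raises on any incoherent state, a failed check rolls the whole script back rather than leaving legacy EXECUTE restored beside a still-active new path.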