KB-68C5 rev 10

CP-01 Byte-Level Exactly 27 Child-Contract DDL


02 - CP-01 Byte-Level Exactly 27 Child-Contract DDL

This is the reviewable byte-level DDL contract. Object creation remains operator-gated. Names, types, constraints, ownership, access, indexes, and rollback order are fixed; T1 stops on conflict.

2.1 Roles, Schema, Shared Domains, And Envelope

CREATE ROLE qt001_cp_owner NOLOGIN;
CREATE ROLE qt001_cp_migrator NOLOGIN;
CREATE ROLE qt001_cp_reader NOLOGIN;
CREATE SCHEMA qt001_cp AUTHORIZATION qt001_cp_owner;

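-- Domain CHECKs admit NULL so that columns declared "<domain> NULL" below can be empty;
-- a CHECK containing VALUE IS NOT NULL would reject NULL in every column of the domain.
-- Nullability is declared per column (NOT NULL / NULL).
CREATE DOMAIN qt001_cp.sha256 AS bytea
  CHECK (VALUE IS NULL OR octet_length(VALUE) = 32);
CREATE DOMAIN qt001_cp.nonempty_text AS text
  CHECK (VALUE IS NULL OR btrim(VALUE) <> '');
CREATE DOMAIN qt001_cp.positive_bigint AS bigint
  CHECK (VALUE IS NULL OR VALUE > 0);
CREATE DOMAIN qt001_cp.nonnegative_bigint AS bigint
  CHECK (VALUE IS NULL OR VALUE >= 0);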

-- Root catalog DDL is defined byte-for-byte in doc 04 and is created before manifest_set.

CREATE TABLE qt001_cp.manifest_set (
  manifest_id uuid PRIMARY KEY,
  manifest_type_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id),
  version_no qt001_cp.positive_bigint NOT NULL,
  parent_manifest_id uuid NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  lifecycle_status_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id),
  expected_item_count qt001_cp.positive_bigint NOT NULL,
  payload_sha256 qt001_cp.sha256 NOT NULL,
  canonicalizer_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  candidate_control_epoch qt001_cp.nonnegative_bigint NOT NULL,
  valid_from timestamptz NOT NULL,
  valid_until timestamptz NULL,
  created_by_principal_id uuid NOT NULL,
  created_at timestamptz NOT NULL DEFAULT clock_timestamp(),
  sealed_by_activation_id uuid NULL,
  sealed_at timestamptz NULL,
  activated_by_activation_id uuid NULL,
  activated_at timestamptz NULL,
  superseded_by_manifest_id uuid NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  UNIQUE (manifest_type_id, version_no),
  CHECK (valid_until IS NULL OR valid_until > valid_from)
);
CREATE UNIQUE INDEX manifest_set_one_active_type
  ON qt001_cp.manifest_set(manifest_type_id)
  WHERE activated_at IS NOT NULL AND superseded_by_manifest_id IS NULL;

CREATE TABLE qt001_cp.manifest_item_envelope (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  ordinal qt001_cp.positive_bigint NOT NULL,
  item_sha256 qt001_cp.sha256 NOT NULL,
  retired boolean NOT NULL,
  retired_reason_evidence_id uuid NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE (item_id),
  UNIQUE (manifest_id,ordinal),
  CHECK ((NOT retired AND retired_reason_evidence_id IS NULL)
      OR (retired AND retired_reason_evidence_id IS NOT NULL))
);

The globally unique item_id enforces the conservation rule and permits typed child-to-child FKs. No ID or ordinal is reused. Sealed/active/superseded rows are protected by an owner-only immutable trigger; DELETE/TRUNCATE is denied. Rollback creates and activates a new version.

2.2 Normative Child Header And Access

Every child table below contains the exact header:

manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
item_id uuid NOT NULL,
PRIMARY KEY (manifest_id,item_id),
FOREIGN KEY (manifest_id,item_id)
  REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id)

Every qt001_cp authority table is OWNER TO qt001_cp_owner; Directus receives no access to these authority tables. Doc 08 separately preserves Directus SELECT on its exact manifest-listed existing business base-table read set and does not migrate those reads to views. PUBLIC, directus, runtime roles, signer roles, verifier roles, and binder roles receive no INSERT/UPDATE/DELETE/TRUNCATE/REFERENCES/TRIGGER or schema CREATE on qt001_cp. Writer functions are SECURITY DEFINER, owner-controlled, pinned search_path=pg_catalog,qt001_cp, and PUBLIC/Directus EXECUTE is revoked.

2.3 Exact 27 Child Contracts

The following expanded DDL is normative. Every referenced *_id FK targets qt001_cp.manifest_item_envelope(item_id) unless a different target is explicitly named. All code/text columns use qt001_cp.nonempty_text; all hash columns use qt001_cp.sha256; all positive/nonnegative integers use the matching domain.

-- 01
CREATE TABLE qt001_cp.policy_rule_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  rule_set_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  rule_order qt001_cp.positive_bigint NOT NULL,
  fact_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  operator_primitive_id uuid NOT NULL,
  operand_type_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id),
  operand_bigint bigint NULL, operand_numeric numeric NULL, operand_text text NULL,
  operand_boolean boolean NULL, operand_uuid uuid NULL, operand_oid oid NULL,
  operand_sha256 qt001_cp.sha256 NULL, operand_timestamptz timestamptz NULL,
  operand_jsonb jsonb NULL,
  operand_json_schema_item_id uuid NULL REFERENCES qt001_cp.code_catalog_item(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  required boolean NOT NULL,
  UNIQUE(manifest_id,rule_set_id,rule_order),
  CHECK (num_nonnulls(operand_bigint,operand_numeric,operand_text,operand_boolean,operand_uuid,
                      operand_oid,operand_sha256,operand_timestamptz,operand_jsonb)=1),
  CHECK ((operand_jsonb IS NULL AND operand_json_schema_item_id IS NULL)
      OR (operand_jsonb IS NOT NULL AND operand_json_schema_item_id IS NOT NULL
          AND jsonb_typeof(operand_jsonb) IS NOT NULL))
);
-- 02
CREATE TABLE qt001_cp.operator_primitive_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  primitive_code qt001_cp.nonempty_text NOT NULL, implementation_regprocedure regprocedure NOT NULL,
  source_sha256 qt001_cp.sha256 NOT NULL, signature_sha256 qt001_cp.sha256 NOT NULL,
  volatility_code_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id),
  strict boolean NOT NULL, side_effect_free boolean NOT NULL,
  UNIQUE(manifest_id,primitive_code)
);
-- 03
CREATE TABLE qt001_cp.metric_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  metric_code qt001_cp.nonempty_text NOT NULL,
  unit_id uuid NOT NULL,
  value_type_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id),
  UNIQUE(manifest_id,metric_code)
);
-- 04
CREATE TABLE qt001_cp.unit_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  unit_code qt001_cp.nonempty_text NOT NULL, dimension_code qt001_cp.nonempty_text NOT NULL,
  UNIQUE(manifest_id,unit_code)
);
-- 05
CREATE TABLE qt001_cp.storage_class_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  storage_code qt001_cp.nonempty_text NOT NULL, immutable_versioned boolean NOT NULL,
  readback_adapter regprocedure NOT NULL, adapter_source_sha256 qt001_cp.sha256 NOT NULL,
  adapter_signature_sha256 qt001_cp.sha256 NOT NULL,
  retention_interval_seconds qt001_cp.positive_bigint NOT NULL,
  partition_capacity_rows qt001_cp.positive_bigint NOT NULL,
  archive_required boolean NOT NULL,
  archive_storage_class_id uuid NULL REFERENCES qt001_cp.storage_class_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  UNIQUE(manifest_id,storage_code)
);
-- 06
CREATE TABLE qt001_cp.principal_class_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  class_code qt001_cp.nonempty_text NOT NULL, may_sign boolean NOT NULL, may_bind boolean NOT NULL,
  may_verify boolean NOT NULL, may_migrate boolean NOT NULL, UNIQUE(manifest_id,class_code)
);
-- 07
CREATE TABLE qt001_cp.authority_action_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  action_code qt001_cp.nonempty_text NOT NULL, UNIQUE(manifest_id,action_code)
);
-- 08
CREATE TABLE qt001_cp.principal_separation_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  action_id uuid NOT NULL REFERENCES qt001_cp.authority_action_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  left_class_id uuid NOT NULL REFERENCES qt001_cp.principal_class_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  right_class_id uuid NOT NULL REFERENCES qt001_cp.principal_class_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  must_differ boolean NOT NULL, UNIQUE(manifest_id,action_id,left_class_id,right_class_id)
);
-- 09
CREATE TABLE qt001_cp.readiness_gate_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  gate_code qt001_cp.nonempty_text NOT NULL, fact_adapter regprocedure NOT NULL,
  adapter_source_sha256 qt001_cp.sha256 NOT NULL, adapter_signature_sha256 qt001_cp.sha256 NOT NULL,
  policy_rule_set_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  max_age_seconds qt001_cp.positive_bigint NOT NULL, required boolean NOT NULL,
  UNIQUE(manifest_id,gate_code)
);
-- 10
CREATE TABLE qt001_cp.hash_component_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  hash_contract_code qt001_cp.nonempty_text NOT NULL, component_code qt001_cp.nonempty_text NOT NULL,
  domain_separator qt001_cp.nonempty_text NOT NULL,
  canonicalizer_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  source_relation regclass NOT NULL, stable_order_key text[] NOT NULL,
  required boolean NOT NULL, UNIQUE(manifest_id,hash_contract_code,component_code),
  CHECK(cardinality(stable_order_key)>0 AND array_position(stable_order_key,NULL) IS NULL)
);
-- 11
CREATE TABLE qt001_cp.dependency_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  root_object_identity qt001_cp.nonempty_text NOT NULL, root_source_sha256 qt001_cp.sha256 NOT NULL,
  dependency_identity qt001_cp.nonempty_text NOT NULL, dependency_source_sha256 qt001_cp.sha256 NOT NULL,
  dependency_kind_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id),
  resolution_status_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id),
  analyzer_run_id uuid NOT NULL, evidence_id uuid NOT NULL,
  UNIQUE(manifest_id,root_object_identity,dependency_identity,dependency_kind_id)
);
-- 12
CREATE TABLE qt001_cp.bypass_vector_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  vector_code qt001_cp.nonempty_text NOT NULL, fact_adapter regprocedure NOT NULL,
  adapter_source_sha256 qt001_cp.sha256 NOT NULL, adapter_signature_sha256 qt001_cp.sha256 NOT NULL,
  policy_rule_set_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  max_age_seconds qt001_cp.positive_bigint NOT NULL, required boolean NOT NULL,
  UNIQUE(manifest_id,vector_code)
);
-- 13
CREATE TABLE qt001_cp.capability_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  capability_code qt001_cp.nonempty_text NOT NULL,
  verifier_class_id uuid NOT NULL REFERENCES qt001_cp.principal_class_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  workload_profile_id uuid NOT NULL,
  max_age_seconds qt001_cp.positive_bigint NOT NULL, required boolean NOT NULL,
  UNIQUE(manifest_id,capability_code)
);
-- 14
CREATE TABLE qt001_cp.capability_measurement_requirement (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  capability_id uuid NOT NULL REFERENCES qt001_cp.capability_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  metric_id uuid NOT NULL REFERENCES qt001_cp.metric_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  operator_primitive_id uuid NOT NULL REFERENCES qt001_cp.operator_primitive_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  operand_type_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  operand_bigint bigint NULL, operand_numeric numeric NULL, operand_text text NULL,
  operand_boolean boolean NULL, operand_uuid uuid NULL, operand_oid oid NULL,
  operand_sha256 qt001_cp.sha256 NULL, operand_timestamptz timestamptz NULL,
  operand_jsonb jsonb NULL,
  operand_json_schema_item_id uuid NULL REFERENCES qt001_cp.code_catalog_item(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  required boolean NOT NULL, UNIQUE(manifest_id,capability_id,metric_id),
  CHECK(num_nonnulls(operand_bigint,operand_numeric,operand_text,operand_boolean,operand_uuid,
                     operand_oid,operand_sha256,operand_timestamptz,operand_jsonb)=1),
  CHECK ((operand_jsonb IS NULL AND operand_json_schema_item_id IS NULL)
      OR (operand_jsonb IS NOT NULL AND operand_json_schema_item_id IS NOT NULL
          AND jsonb_typeof(operand_jsonb) IS NOT NULL))
);
-- 15: artifact_kind_id references BOOTSTRAP code_catalog_item, not a separate child contract.
CREATE TABLE qt001_cp.capability_artifact_requirement (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  capability_id uuid NOT NULL REFERENCES qt001_cp.capability_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  artifact_kind_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  minimum_count qt001_cp.positive_bigint NOT NULL, UNIQUE(manifest_id,capability_id,artifact_kind_id)
);
-- 16
CREATE TABLE qt001_cp.signoff_requirement_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  scope_type_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  tier_id uuid NULL,
  action_id uuid NOT NULL REFERENCES qt001_cp.authority_action_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  required_principal_class_id uuid NOT NULL REFERENCES qt001_cp.principal_class_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  max_age_seconds qt001_cp.positive_bigint NOT NULL,
  UNIQUE NULLS NOT DISTINCT(manifest_id,scope_type_id,tier_id,action_id,required_principal_class_id)
);
-- 17
CREATE TABLE qt001_cp.tier_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  tier_code qt001_cp.nonempty_text NOT NULL, rank qt001_cp.positive_bigint NOT NULL,
  UNIQUE(manifest_id,tier_code), UNIQUE(manifest_id,rank)
);
-- 18
CREATE TABLE qt001_cp.activation_policy_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  target_manifest_type_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id),
  quorum_profile_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id),
  approval_max_age_seconds qt001_cp.positive_bigint NOT NULL,
  post_activation_deadline_seconds qt001_cp.positive_bigint NOT NULL,
  UNIQUE(manifest_id,target_manifest_type_id)
);
-- 19
CREATE TABLE qt001_cp.quorum_requirement_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  quorum_profile_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id),
  required_principal_class_id uuid NOT NULL REFERENCES qt001_cp.principal_class_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  required_count qt001_cp.positive_bigint NOT NULL,
  UNIQUE(manifest_id,quorum_profile_id,required_principal_class_id)
);
-- 20
CREATE TABLE qt001_cp.authority_scope_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  object_identity qt001_cp.nonempty_text NOT NULL, object_type qt001_cp.nonempty_text NOT NULL,
  parent_object_identity text NULL,
  protected_target boolean NOT NULL, entrypoint boolean NOT NULL, expected_owner_role name NOT NULL,
  expected_acl_sha256 qt001_cp.sha256 NOT NULL, source_sha256 qt001_cp.sha256 NOT NULL,
  expected_constraint_set_sha256 qt001_cp.sha256 NULL,
  expected_definition_sha256 qt001_cp.sha256 NULL,
  UNIQUE(manifest_id,object_identity)
);
-- 21
CREATE TABLE qt001_cp.privilege_set_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  privilege_set_code qt001_cp.nonempty_text NOT NULL, grantee_role name NOT NULL,
  object_identity qt001_cp.nonempty_text NOT NULL,
  privilege_code_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id),
  query_family_id uuid NULL REFERENCES qt001_cp.code_catalog_item(item_id),
  endpoint_group_id uuid NULL REFERENCES qt001_cp.code_catalog_item(item_id),
  observation_source_id uuid NULL REFERENCES qt001_cp.code_catalog_item(item_id),
  read_pattern_sha256 qt001_cp.sha256 NULL,
  observation_max_age_seconds qt001_cp.positive_bigint NULL,
  grantable boolean NOT NULL,
  UNIQUE(manifest_id,privilege_set_code,grantee_role,object_identity,privilege_code_id)
);
-- 22
CREATE TABLE qt001_cp.dynamic_sql_target_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  callsite_identity qt001_cp.nonempty_text NOT NULL, callsite_source_sha256 qt001_cp.sha256 NOT NULL,
  target_oid oid NOT NULL, target_identity qt001_cp.nonempty_text NOT NULL, template_sha256 qt001_cp.sha256 NOT NULL,
  UNIQUE(manifest_id,callsite_identity,target_oid)
);
-- 23
CREATE TABLE qt001_cp.workload_profile_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  profile_code qt001_cp.nonempty_text NOT NULL, row_count qt001_cp.positive_bigint NOT NULL,
  collision_row_count qt001_cp.nonnegative_bigint NOT NULL, seed_sha256 qt001_cp.sha256 NOT NULL,
  expected_set_sha256 qt001_cp.sha256 NOT NULL, environment_sha256 qt001_cp.sha256 NOT NULL,
  UNIQUE(manifest_id,profile_code), CHECK(collision_row_count<=row_count)
);
-- 24
CREATE TABLE qt001_cp.analyzer_contract_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  analyzer_code qt001_cp.nonempty_text NOT NULL, binary_sha256 qt001_cp.sha256 NOT NULL,
  version_text qt001_cp.nonempty_text NOT NULL, supported_feature_set_sha256 qt001_cp.sha256 NOT NULL,
  test_corpus_sha256 qt001_cp.sha256 NOT NULL, expected_corpus_result_sha256 qt001_cp.sha256 NOT NULL,
  allowed_input_set_sha256 qt001_cp.sha256 NOT NULL,
  max_age_seconds qt001_cp.positive_bigint NOT NULL,
  UNIQUE(manifest_id,analyzer_code,version_text)
);
-- 25
CREATE TABLE qt001_cp.plan_payload_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  plan_id uuid NOT NULL, target_set_sha256 qt001_cp.sha256 NOT NULL,
  rule_manifest_sha256 qt001_cp.sha256 NOT NULL, tier_manifest_sha256 qt001_cp.sha256 NOT NULL,
  strategy_manifest_sha256 qt001_cp.sha256 NOT NULL, expected_delta qt001_cp.nonnegative_bigint NOT NULL,
  source_snapshot_sha256 qt001_cp.sha256 NOT NULL, UNIQUE(manifest_id,plan_id)
);
-- 26
CREATE TABLE qt001_cp.gateway_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  gateway_identity qt001_cp.nonempty_text NOT NULL, gateway_regprocedure regprocedure NOT NULL,
  source_sha256 qt001_cp.sha256 NOT NULL, signature_sha256 qt001_cp.sha256 NOT NULL,
  protected_target_set_sha256 qt001_cp.sha256 NOT NULL, fail_closed boolean NOT NULL,
  UNIQUE(manifest_id,gateway_identity)
);
-- 27
CREATE TABLE qt001_cp.writer_repoint_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id),
  item_id uuid NOT NULL,
  PRIMARY KEY (manifest_id,item_id),
  UNIQUE(item_id),
  FOREIGN KEY (manifest_id,item_id) REFERENCES qt001_cp.manifest_item_envelope(manifest_id,item_id),
  writer_identity qt001_cp.nonempty_text NOT NULL, old_source_sha256 qt001_cp.sha256 NOT NULL,
  new_source_sha256 qt001_cp.sha256 NOT NULL,
  gateway_item_id uuid NOT NULL REFERENCES qt001_cp.gateway_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  rollback_stub_source_sha256 qt001_cp.sha256 NOT NULL, UNIQUE(manifest_id,writer_identity)
);

2.4 Exact-Set, Lifecycle, Activation, And Rollback

  • The typed cross-manifest FK constraints in doc 03 are part of this byte-level DDL package and are applied after all 27 tables exist, before any candidate row may be sealed.
  • manifest_type_id -> child table identity is an owner-only sealed bootstrap catalog mapping.
  • Seal verifies child-table exact set equals envelope exact set in both EXCEPT directions, count equals expected_item_count, ordinals are contiguous 1..expected_item_count, and every item hash/payload hash recomputes exactly.
  • Active runtime reads only one ACTIVE manifest per type and rejects any unknown type/table.
  • SEALED/ACTIVE/SUPERSEDED/REVOKED rows and children are immutable.
  • Activation uses exact quorum and epoch binding; no caller-supplied lifecycle value can activate.
  • Rollback is a new candidate with prior payload, new version/epoch/quorum/evidence; no old row is edited or deleted.
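
The structural part of the seal check described above, written out for one child table as an added example (not part of the normative DDL). It assumes the candidate's manifest type maps to policy_rule_manifest; the statement name, finding labels and sample UUID are hypothetical. Item and payload hash recomputation is omitted because the canonicalizer is not defined on this page.

```sql
-- Added example. $1 is the candidate manifest_id.
-- Zero rows returned means the structural seal checks pass.
PREPARE example_seal_findings(uuid) AS
WITH envelope AS (
  SELECT item_id, ordinal
  FROM qt001_cp.manifest_item_envelope
  WHERE manifest_id = $1
), child AS (
  SELECT item_id
  FROM qt001_cp.policy_rule_manifest
  WHERE manifest_id = $1
), expected AS (
  SELECT expected_item_count::bigint AS n
  FROM qt001_cp.manifest_set
  WHERE manifest_id = $1
)
-- Direction 1: envelope EXCEPT child = items declared but never populated.
SELECT 'missing_child'::text AS finding, d.item_id::text AS subject
FROM (SELECT item_id FROM envelope EXCEPT SELECT item_id FROM child) d
UNION ALL
-- Direction 2: child EXCEPT envelope = rows the envelope never declared.
SELECT 'extra_child', d.item_id::text
FROM (SELECT item_id FROM child EXCEPT SELECT item_id FROM envelope) d
UNION ALL
-- A manifest_id with no manifest_set row cannot be sealed.
SELECT 'unknown_manifest', $1::text
WHERE NOT EXISTS (SELECT 1 FROM expected)
UNION ALL
-- Envelope row count must equal expected_item_count.
SELECT 'count_mismatch', format('expected=%s actual=%s', x.n, c.actual)
FROM expected x
CROSS JOIN (SELECT count(*) AS actual FROM envelope) c
WHERE c.actual <> x.n
UNION ALL
-- Every ordinal in 1..expected_item_count must be present ...
SELECT 'ordinal_gap', g.ordinal::text
FROM expected x
CROSS JOIN LATERAL generate_series(1::bigint, x.n) AS g(ordinal)
WHERE NOT EXISTS (SELECT 1 FROM envelope e WHERE e.ordinal = g.ordinal)
UNION ALL
-- ... and no ordinal may fall outside that range.
SELECT 'ordinal_out_of_range', e.ordinal::text
FROM envelope e
CROSS JOIN expected x
WHERE e.ordinal > x.n;

-- Constructed manifest_id, for illustration only.
EXECUTE example_seal_findings('00000000-0000-0000-0000-000000000001');
```

The composite FK to manifest_item_envelope already blocks an extra child at insert time; the second EXCEPT direction keeps the seal decision independent of that constraint still being in place.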

2.5 Required Negative Tests

Each of the 27 contracts must run: missing child, extra child, orphan child, wrong-manifest child, NULL required field, unknown FK, duplicate business key, invalid hash length, Directus DML, PUBLIC DML, sealed UPDATE, sealed DELETE, wrong expected count, noncontiguous ordinal, and payload hash mismatch. Family-specific tests additionally mutate every CHECK/UNIQUE/FK shown above.

Required outcomes: DDL constraint/permission rejection before seal, or seal/activation rejection. No negative test may be represented only by a literal PASS row.
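
One way to make a negative test assert an actual rejection rather than record a PASS literal, as an added example (not part of the normative DDL). The session-local function name and the QT001 marker SQLSTATE are hypothetical; the sample cases only need the domains from 2.1.

```sql
-- Added example. Runs p_sql inside a subtransaction and returns only if the
-- statement was rejected with exactly the expected SQLSTATE.
CREATE FUNCTION pg_temp.expect_rejection(p_name text, p_sql text, p_sqlstate text)
RETURNS text
LANGUAGE plpgsql
AS $fn$
DECLARE
  v_state text;
BEGIN
  BEGIN
    EXECUTE p_sql;
    -- Reaching this line means the statement was accepted. Raising here rolls
    -- the subtransaction back so an accepted write leaves nothing behind.
    RAISE EXCEPTION USING ERRCODE = 'QT001', MESSAGE = 'statement was accepted';
  EXCEPTION WHEN OTHERS THEN
    GET STACKED DIAGNOSTICS v_state = RETURNED_SQLSTATE;
  END;

  IF v_state = 'QT001' THEN
    RAISE EXCEPTION 'negative test "%" FAILED: statement was accepted', p_name;
  ELSIF v_state <> p_sqlstate THEN
    RAISE EXCEPTION 'negative test "%" FAILED: SQLSTATE % raised, % expected',
      p_name, v_state, p_sqlstate;
  END IF;

  RETURN format('%s: rejected with SQLSTATE %s', p_name, v_state);
END
$fn$;

-- Constructed cases. 23514 is check_violation; permission cases (Directus DML,
-- PUBLIC DML) would pass 42501, insufficient_privilege, as the expected state.
SELECT pg_temp.expect_rejection('sha256: 1-byte value',
  $q$SELECT '\x00'::bytea::qt001_cp.sha256$q$, '23514');
SELECT pg_temp.expect_rejection('sha256: 33-byte value',
  $q$SELECT decode(repeat('00', 33), 'hex')::qt001_cp.sha256$q$, '23514');
SELECT pg_temp.expect_rejection('nonempty_text: blank',
  $q$SELECT '   '::text::qt001_cp.nonempty_text$q$, '23514');
SELECT pg_temp.expect_rejection('positive_bigint: zero',
  $q$SELECT 0::bigint::qt001_cp.positive_bigint$q$, '23514');
SELECT pg_temp.expect_rejection('nonnegative_bigint: minus one',
  $q$SELECT (-1)::bigint::qt001_cp.nonnegative_bigint$q$, '23514');
```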

2.6 Indexes, Ownership, Access, And Reversal Order

Activation support DDL, created after manifest_set and identity/evidence support tables:

CREATE TABLE qt001_cp.manifest_activation (
  activation_id uuid PRIMARY KEY,
  parent_manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set(manifest_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  candidate_manifest_id uuid NOT NULL UNIQUE REFERENCES qt001_cp.manifest_set(manifest_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  parent_payload_sha256 qt001_cp.sha256 NOT NULL,
  candidate_payload_sha256 qt001_cp.sha256 NOT NULL,
  added_set_sha256 qt001_cp.sha256 NOT NULL,
  retired_set_sha256 qt001_cp.sha256 NOT NULL,
  impact_evidence_id uuid NOT NULL REFERENCES qt001_cp.evidence_registry(evidence_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  rollback_evidence_id uuid NOT NULL REFERENCES qt001_cp.evidence_registry(evidence_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  requester_principal_id uuid NOT NULL REFERENCES qt001_cp.principal_registry(principal_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  requested_control_epoch qt001_cp.nonnegative_bigint NOT NULL,
  activation_sha256 qt001_cp.sha256 NOT NULL,
  requested_at timestamptz NOT NULL,
  executed_at timestamptz NULL,
  CHECK(parent_manifest_id<>candidate_manifest_id),
  CHECK(executed_at IS NULL OR executed_at>=requested_at)
);

ALTER TABLE qt001_cp.manifest_set
  ADD CONSTRAINT fk_manifest_set__creator FOREIGN KEY(created_by_principal_id)
  REFERENCES qt001_cp.principal_registry(principal_id)
  ON UPDATE RESTRICT ON DELETE RESTRICT NOT DEFERRABLE;
ALTER TABLE qt001_cp.manifest_set
  ADD CONSTRAINT fk_manifest_set__sealed_activation FOREIGN KEY(sealed_by_activation_id)
  REFERENCES qt001_cp.manifest_activation(activation_id)
  ON UPDATE RESTRICT ON DELETE RESTRICT NOT DEFERRABLE;
ALTER TABLE qt001_cp.manifest_set
  ADD CONSTRAINT fk_manifest_set__activated_activation FOREIGN KEY(activated_by_activation_id)
  REFERENCES qt001_cp.manifest_activation(activation_id)
  ON UPDATE RESTRICT ON DELETE RESTRICT NOT DEFERRABLE;
ALTER TABLE qt001_cp.manifest_item_envelope
  ADD CONSTRAINT fk_manifest_item__retired_evidence FOREIGN KEY(retired_reason_evidence_id)
  REFERENCES qt001_cp.evidence_registry(evidence_id)
  ON UPDATE RESTRICT ON DELETE RESTRICT NOT DEFERRABLE;

Required indexes are every declared PK/UNIQUE plus:

CREATE INDEX manifest_item_envelope_manifest_ordinal_idx
  ON qt001_cp.manifest_item_envelope(manifest_id,ordinal);
CREATE INDEX readiness_gate_manifest_adapter_idx
  ON qt001_cp.readiness_gate_manifest(fact_adapter);
CREATE INDEX bypass_vector_manifest_adapter_idx
  ON qt001_cp.bypass_vector_manifest(fact_adapter);
CREATE INDEX dependency_manifest_root_idx
  ON qt001_cp.dependency_manifest(root_object_identity);
CREATE INDEX authority_scope_manifest_identity_idx
  ON qt001_cp.authority_scope_manifest(object_identity);
CREATE INDEX privilege_set_manifest_grantee_object_idx
  ON qt001_cp.privilege_set_manifest(grantee_role,object_identity);

All listed tables/domains/indexes are owner qt001_cp_owner. Directus/PUBLIC receive no authority privilege. Exact SELECT-only grants are manifest-driven per doc 08. All mutation is through owner-controlled SECURITY DEFINER entrypoints with pinned search path and revoked PUBLIC/Directus EXECUTE.
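
A catalog audit for the ownership and access rules stated here and in 2.2, as an added example (not part of the normative DDL). Finding labels are hypothetical, and it assumes the Directus role is named directus and that no role other than the owner should hold direct write privileges. Zero rows means no drift was found.

```sql
-- Added example. Read-only query over the system catalogs.
WITH ns AS (
  SELECT oid, nspowner, nspacl
  FROM pg_catalog.pg_namespace
  WHERE nspname = 'qt001_cp'
), rel AS (
  SELECT c.oid, c.relowner, c.relacl
  FROM pg_catalog.pg_class c
  JOIN ns ON ns.oid = c.relnamespace
  WHERE c.relkind IN ('r', 'p')            -- ordinary and partitioned tables
), fn AS (
  SELECT p.oid, p.proowner, p.proacl, p.proconfig
  FROM pg_catalog.pg_proc p
  JOIN ns ON ns.oid = p.pronamespace
  WHERE p.prosecdef                        -- SECURITY DEFINER functions only
)
-- Tables not owned by qt001_cp_owner.
SELECT 'table_owner'::text AS finding,
       rel.oid::regclass::text AS object,
       pg_get_userbyid(rel.relowner)::text AS detail
FROM rel
WHERE pg_get_userbyid(rel.relowner) <> 'qt001_cp_owner'
UNION ALL
-- Any non-owner grantee (grantee 0 is PUBLIC) holding a forbidden table privilege.
SELECT 'table_privilege', rel.oid::regclass::text,
       format('%s holds %s',
              CASE WHEN a.grantee = 0 THEN 'PUBLIC'
                   ELSE pg_get_userbyid(a.grantee)::text END,
              a.privilege_type)
FROM rel
CROSS JOIN LATERAL aclexplode(rel.relacl) a
WHERE a.grantee <> rel.relowner
  AND a.privilege_type IN
      ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER')
UNION ALL
-- Schema CREATE granted to anyone but the schema owner.
SELECT 'schema_create', 'qt001_cp',
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee)::text END
FROM ns
CROSS JOIN LATERAL aclexplode(ns.nspacl) a
WHERE a.grantee <> ns.nspowner
  AND a.privilege_type = 'CREATE'
UNION ALL
-- SECURITY DEFINER functions not owned by qt001_cp_owner.
SELECT 'definer_owner', fn.oid::regprocedure::text,
       pg_get_userbyid(fn.proowner)::text
FROM fn
WHERE pg_get_userbyid(fn.proowner) <> 'qt001_cp_owner'
UNION ALL
-- SECURITY DEFINER functions whose search_path is unset or differs from the pin.
SELECT 'definer_search_path', fn.oid::regprocedure::text,
       coalesce(array_to_string(fn.proconfig, '; '), '(no SET clause)')
FROM fn
WHERE NOT EXISTS (
  SELECT 1
  FROM unnest(fn.proconfig) AS cfg
  WHERE replace(replace(cfg, ' ', ''), '"', '') = 'search_path=pg_catalog,qt001_cp')
UNION ALL
-- A NULL proacl is the default ACL, under which PUBLIC may EXECUTE.
SELECT 'definer_execute', fn.oid::regprocedure::text,
       CASE WHEN fn.proacl IS NULL THEN 'default ACL: PUBLIC may EXECUTE'
            ELSE 'EXECUTE granted to PUBLIC or directus' END
FROM fn
WHERE fn.proacl IS NULL
   OR EXISTS (
        SELECT 1
        FROM aclexplode(fn.proacl) a
        WHERE a.privilege_type = 'EXECUTE'
          AND (a.grantee = 0 OR pg_get_userbyid(a.grantee) = 'directus'));
```

The ACL checks see direct grants only; privileges a role inherits through membership in another role need has_table_privilege or has_function_privilege evaluated per role.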

Rollback never drops active/history objects. Pre-activation rehearsal reversal drops empty candidate-only objects in this exact dependency order: writer_repoint, gateway, plan_payload, analyzer_contract, workload_profile, dynamic_sql_target, privilege_set, authority_scope, quorum_requirement, activation_policy, tier, signoff_requirement, capability_artifact_requirement, capability_measurement_requirement, capability, bypass_vector, dependency, hash_component, readiness_gate, principal_separation, authority_action, principal_class, storage_class, unit, metric, operator_primitive, policy_rule, then manifest_item_envelope and manifest_set. Catalog root reversal is last and only when no FK/reference/history exists.

2.7 RP Refinement Authority-Surface Rules

  • Exactly 27 child authority surfaces remain. No retention, runtime-evidence, adapter-input, or expected-constraint table is added as an authority surface.
  • storage_class_manifest #05 owns retention/archive policy. Seal generically rejects archive_required rows whose archive target is absent or whose target is not an immutable, versioned storage-class row; this policy is data-driven and is not encoded as a CHECK literal.
  • authority_scope_manifest #20 enumerates TABLE/CONSTRAINT/INDEX/runtime-evidence objects. TABLE rows carry expected_constraint_set_sha256; CONSTRAINT/INDEX rows carry parent_object_identity and expected_definition_sha256. This typed row model replaces the proposed free-form expected-constraint JSON payload.
  • privilege_set_manifest #21 owns the Directus read contract. Generic seal requires the read-contract fields for the sealed Directus SELECT subset; no privilege-code CASE/CHECK exists.
  • analyzer_contract_manifest #24 binds the exact permitted adapter input set. The expected adapter-to-column edges themselves are sealed dependency_manifest rows; observed analyzer edges must match in both EXCEPT directions. code_catalog_item.item_payload is never permitted.