KB-3350 rev 5

CP-03 Bootstrap Code Catalog Seal And Ownership


04 - CP-03 Bootstrap Code Catalog, Seal, And Ownership

The code catalog is the PG-native authority root. It is versioned/sealed and is not a mutable lookup table.

CREATE TABLE qt001_cp.code_catalog_set (
  catalog_set_id uuid PRIMARY KEY,
  version_no qt001_cp.positive_bigint NOT NULL UNIQUE,
  parent_catalog_set_id uuid NULL REFERENCES qt001_cp.code_catalog_set(catalog_set_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  expected_family_count qt001_cp.positive_bigint NOT NULL,
  expected_item_count qt001_cp.positive_bigint NOT NULL,
  payload_sha256 qt001_cp.sha256 NOT NULL,
  candidate_control_epoch qt001_cp.nonnegative_bigint NOT NULL,
  created_by_principal_id uuid NOT NULL,
  created_at timestamptz NOT NULL DEFAULT clock_timestamp(),
  sealed_at timestamptz NULL,
  activated_at timestamptz NULL,
  superseded_by_catalog_set_id uuid NULL REFERENCES qt001_cp.code_catalog_set(catalog_set_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  CHECK (activated_at IS NULL OR sealed_at IS NOT NULL)
);
CREATE UNIQUE INDEX code_catalog_set_one_active
  ON qt001_cp.code_catalog_set((true))
  WHERE activated_at IS NOT NULL AND superseded_by_catalog_set_id IS NULL;

CREATE TABLE qt001_cp.code_catalog_family (
  catalog_set_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_set(catalog_set_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  family_id uuid NOT NULL,
  family_code qt001_cp.nonempty_text NOT NULL,
  ordinal qt001_cp.positive_bigint NOT NULL,
  family_sha256 qt001_cp.sha256 NOT NULL,
  PRIMARY KEY(catalog_set_id,family_id),
  UNIQUE(family_id),
  UNIQUE(catalog_set_id,family_code),
  UNIQUE(catalog_set_id,ordinal)
);

CREATE TABLE qt001_cp.code_catalog_item (
  catalog_set_id uuid NOT NULL,
  family_id uuid NOT NULL,
  item_id uuid NOT NULL,
  item_code qt001_cp.nonempty_text NOT NULL,
  ordinal qt001_cp.positive_bigint NOT NULL,
  item_payload jsonb NOT NULL,
  item_sha256 qt001_cp.sha256 NOT NULL,
  retired boolean NOT NULL,
  retired_reason_evidence_id uuid NULL,
  PRIMARY KEY(catalog_set_id,item_id),
  UNIQUE(item_id),
  UNIQUE(catalog_set_id,family_id,item_code),
  UNIQUE(catalog_set_id,family_id,ordinal),
  FOREIGN KEY(catalog_set_id,family_id)
    REFERENCES qt001_cp.code_catalog_family(catalog_set_id,family_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  CHECK(jsonb_typeof(item_payload)='object'),
  CHECK((NOT retired AND retired_reason_evidence_id IS NULL)
     OR (retired AND retired_reason_evidence_id IS NOT NULL))
);

item_payload is descriptive metadata only. No adapter, readiness gate, bypass vector, capability/tier evaluator, or generic rule engine may read it for an operational decision. Operational typed values live only in named child columns and typed operands. The ACTIVE analyzer_contract_manifest.allowed_input_set_sha256 plus sealed expected dependency edges exclude item_payload; analyzer/SA15 detection of an operational read blocks readiness.

Taxonomy And Activation

Required bootstrap families are rows, not code literals: manifest type, lifecycle status, operand type, value type, artifact kind, privilege code, volatility, dependency kind, resolution status, scope type, quorum profile, rule set, fact definition, canonicalizer, unit, reference contract, operand column contract, and structural literal class. Their exact set and count come from code_catalog_set.expected_family_count; no code literal states the count.

Exact-set seal rules:

  • one reference_contract item per catalog-typed FK column;
  • one operand_column_contract item per ACTIVE operand type and exact physical operand column;
  • one structural_literal_class item per numeric literal permitted in hash-bound adapter/function source. Any unclassified numeric literal blocks readiness.

The bootstrap packet is the only pre-catalog operation and requires offline exact critical quorum evidence. After bootstrap, every catalog change is a new candidate set that is exact-set sealed, SHA-256-bound, and activated under the ACTIVE activation/quorum policy, and it increments the control epoch. Referenced, active, and history rows are immutable; rollback activates a new version containing the prior payload.
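One way to make the immutability rule above mechanical, as an added example rather than the project's own code: a row trigger that rejects any write to family or item rows belonging to a sealed set. The function and trigger names are hypothetical, and PostgreSQL 11 or later is assumed for EXECUTE FUNCTION.

```sql
-- Added example; reject_sealed_write and the trigger names are hypothetical.
CREATE FUNCTION qt001_cp.reject_sealed_write() RETURNS trigger
LANGUAGE plpgsql
SET search_path = pg_catalog, pg_temp
AS $$
DECLARE
  v_old uuid;
  v_new uuid;
  r     record;
BEGIN
  -- OLD is absent on INSERT and NEW is absent on DELETE; an UPDATE that
  -- moves a row between sets must be checked against both sets.
  IF TG_OP <> 'INSERT' THEN v_old := OLD.catalog_set_id; END IF;
  IF TG_OP <> 'DELETE' THEN v_new := NEW.catalog_set_id; END IF;

  -- FOR SHARE conflicts with a row lock held by a transaction that is
  -- updating the set row, so a write racing a seal waits and then sees
  -- the committed sealed_at instead of slipping in beside it.
  FOR r IN
    SELECT s.catalog_set_id, s.sealed_at
      FROM qt001_cp.code_catalog_set s
     WHERE s.catalog_set_id IN (v_old, v_new)
       FOR SHARE
  LOOP
    IF r.sealed_at IS NOT NULL THEN
      RAISE EXCEPTION '% on % rejected: catalog set % is sealed',
        TG_OP, TG_TABLE_NAME, r.catalog_set_id;
    END IF;
  END LOOP;

  IF TG_OP = 'DELETE' THEN RETURN OLD; END IF;
  RETURN NEW;
END $$;

CREATE TRIGGER code_catalog_family_sealed_guard
  BEFORE INSERT OR UPDATE OR DELETE ON qt001_cp.code_catalog_family
  FOR EACH ROW EXECUTE FUNCTION qt001_cp.reject_sealed_write();

CREATE TRIGGER code_catalog_item_sealed_guard
  BEFORE INSERT OR UPDATE OR DELETE ON qt001_cp.code_catalog_item
  FOR EACH ROW EXECUTE FUNCTION qt001_cp.reject_sealed_write();
```

Row triggers do not fire on TRUNCATE, so the guard relies on the TRUNCATE privilege being withheld as the access rules require.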

Ownership And Access

All three tables are owned by qt001_cp_owner, a NOLOGIN role. Directus, PUBLIC, and runtime receive no table DML, TRUNCATE, REFERENCES, TRIGGER, ownership, schema CREATE, or writer EXECUTE. Curated SELECT views may be granted through the ACTIVE privilege manifest. Only the owner's SECURITY DEFINER seal/activate entrypoints may write; EXECUTE on them is revoked from PUBLIC and Directus.

Negative tests: Directus/PUBLIC DML, update sealed row, delete referenced row, duplicate/reused ID, wrong count/hash/ordinal, unknown family, item payload non-object, activation without exact quorum, rollback editing history, missing enforcement-contract coverage, operational item_payload read, and unclassified numeric literal all reject.
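The Directus/PUBLIC DML test, the owner rule, and the EXECUTE revocation can also be checked directly against the system catalogs. The query below is an added example, not part of the project's test suite; every row it returns is a violation.

```sql
-- Added example: audit of grants and ownership on the three catalog tables
-- and of PUBLIC EXECUTE on SECURITY DEFINER functions in schema qt001_cp.
WITH guarded AS (
  SELECT c.relname, c.relowner, c.relacl
    FROM pg_catalog.pg_class c
    JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
   WHERE n.nspname = 'qt001_cp'
     AND c.relname IN ('code_catalog_set', 'code_catalog_family',
                       'code_catalog_item')
)
SELECT g.relname::text AS object,
       'forbidden table grant' AS finding,
       COALESCE(r.rolname::text, 'PUBLIC') AS grantee,
       a.privilege_type AS detail
  FROM guarded g
 CROSS JOIN LATERAL
       aclexplode(COALESCE(g.relacl, acldefault('r', g.relowner))) a
  LEFT JOIN pg_catalog.pg_roles r ON r.oid = a.grantee
 WHERE a.grantee <> g.relowner
   AND a.privilege_type IN ('INSERT', 'UPDATE', 'DELETE',
                            'TRUNCATE', 'REFERENCES', 'TRIGGER')
UNION ALL
SELECT g.relname::text,
       'owner is not qt001_cp_owner or owner can log in',
       o.rolname::text,
       NULL
  FROM guarded g
  JOIN pg_catalog.pg_roles o ON o.oid = g.relowner
 WHERE o.rolname <> 'qt001_cp_owner' OR o.rolcanlogin
UNION ALL
SELECT p.oid::regprocedure::text,
       'SECURITY DEFINER function executable by PUBLIC',
       'PUBLIC',
       a.privilege_type
  FROM pg_catalog.pg_proc p
  JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
 CROSS JOIN LATERAL
       aclexplode(COALESCE(p.proacl, acldefault('f', p.proowner))) a
 WHERE n.nspname = 'qt001_cp'
   AND p.prosecdef
   AND a.grantee = 0;  -- grantee OID 0 means PUBLIC
```

The query reports direct grants only; privileges inherited through membership in qt001_cp_owner are not expanded and need a separate pg_auth_members check.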

After evidence_registry exists, the consolidated deferred-ALTER set adds:

ALTER TABLE qt001_cp.code_catalog_item
  ADD CONSTRAINT fk_code_catalog_item__retired_evidence
  FOREIGN KEY(retired_reason_evidence_id) REFERENCES qt001_cp.evidence_registry(evidence_id)
  ON UPDATE RESTRICT ON DELETE RESTRICT NOT DEFERRABLE;

The FK is part of the sealed expected-constraint set. Active items may retain NULL; every retired item must reference real immutable evidence.

knowledge/dev/reports/architecture/codex-fix7-spec-artifact-correction-from-t1-proposals-2026-06-07/04-cp03-code-catalog-bootstrap-seal-ownership.md