KB-2871 rev 3

CP-08 Registry And Evidence Placement Retention And Archive


09 - CP-08 Registry And Evidence Placement, Retention, And Archive

All authority/evidence registries live in schema qt001_cp, owner qt001_cp_owner NOLOGIN. Directus/PUBLIC receive no DML/DDL/ownership. Identity/binding/evidence/signoff/activation rows are append-only or superseded/revoked; no history delete.

CREATE TABLE qt001_cp.evidence_registry (
  evidence_id uuid PRIMARY KEY,
  evidence_kind_id uuid NOT NULL REFERENCES qt001_cp.code_catalog_item(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  storage_class_item_id uuid NOT NULL REFERENCES qt001_cp.storage_class_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  artifact_uri qt001_cp.nonempty_text NOT NULL,
  artifact_sha256 qt001_cp.sha256 NOT NULL,
  artifact_size_bytes qt001_cp.nonnegative_bigint NOT NULL,
  issuer_principal_id uuid NOT NULL,
  control_epoch qt001_cp.nonnegative_bigint NOT NULL,
  issued_at timestamptz NOT NULL,
  last_readback_at timestamptz NOT NULL,
  valid_until timestamptz NOT NULL,
  revoked_at timestamptz NULL,
  supersedes_evidence_id uuid NULL REFERENCES qt001_cp.evidence_registry(evidence_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  UNIQUE(storage_class_item_id,artifact_uri,artifact_sha256),
  CHECK(valid_until>issued_at),
  CHECK(revoked_at IS NULL OR revoked_at>=issued_at)
);

CREATE TABLE qt001_cp.analyzer_run (
  run_id uuid PRIMARY KEY,
  analyzer_contract_item_id uuid NOT NULL REFERENCES qt001_cp.analyzer_contract_manifest(item_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  binary_sha256 qt001_cp.sha256 NOT NULL,
  source_set_sha256 qt001_cp.sha256 NOT NULL,
  corpus_result_sha256 qt001_cp.sha256 NOT NULL,
  verifier_principal_id uuid NOT NULL REFERENCES qt001_cp.principal_registry(principal_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  control_epoch qt001_cp.nonnegative_bigint NOT NULL,
  started_at timestamptz NOT NULL,
  finalized_at timestamptz NULL,
  evidence_id uuid NOT NULL REFERENCES qt001_cp.evidence_registry(evidence_id)
    ON UPDATE RESTRICT ON DELETE RESTRICT,
  CHECK(finalized_at IS NULL OR finalized_at>=started_at)
);

ALTER TABLE qt001_cp.evidence_registry
  ADD CONSTRAINT fk_evidence__issuer_principal
  FOREIGN KEY(issuer_principal_id) REFERENCES qt001_cp.principal_registry(principal_id)
  ON UPDATE RESTRICT ON DELETE RESTRICT NOT DEFERRABLE;

High-growth result/event/export tables are range-partitioned by immutable created_at or finalized_at, using the interval and capacity threshold from the row's ACTIVE sealed storage_class_manifest #05 binding. Identity, evidence, and run anchor registries remain unpartitioned immutable identity anchors; high-volume capability/gate/analyzer result events, denied-attempt evidence, dashboard exports, and Level-B packet executions are partitioned. Active lookup indexes:

  • evidence (evidence_id), (issuer_principal_id,issued_at DESC), (valid_until,revoked_at);
  • runs (control_epoch,finalized_at DESC), (manifest_id,finalized_at DESC);
  • identity binding (auth_db_role), (human_identity_id,valid_until);
  • signoff (activation_id,human_identity_id), (activation_id,principal_class_id).

Retention is owned by fields on ACTIVE sealed storage_class_manifest #05; there is no separate retention authority surface. It never deletes authority/history needed for audit. Eligible old heavy artifacts are copied to immutable versioned object storage, read back and hash-verified, then PG payload bytes may be detached while retaining immutable metadata, URI, SHA-256, size, lifecycle, and supersession chain. Failure to read archived evidence makes dependent proof invalid. Partition maintenance is Level-B operator-gated and evidence-bound.

This is advisory for current scale because growth follows plans/runs, not business-object count, but it becomes blocking before any retention action or when evidence partitions exceed their sealed capacity threshold.
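The archive sequence in the retention paragraph above (copy, read back, hash-verify, then detach), sketched as an added Python example that is not part of the original specification. The EvidenceMeta class, the function names, the dict standing in for object storage, and the sample URI and payload are assumptions; only the artifact_uri, artifact_sha256 and artifact_size_bytes field names come from the page.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass(frozen=True)
class EvidenceMeta:
    """Metadata retained after detach (subset of evidence_registry columns)."""
    artifact_uri: str
    artifact_sha256: str
    artifact_size_bytes: int

class ReadbackError(Exception):
    """Archived bytes are unreadable or disagree with the registry metadata."""

def verify_readback(meta: EvidenceMeta, fetch: Callable[[str], bytes]) -> None:
    """Fetch the archived object and compare size and SHA-256 with the row."""
    try:
        data = fetch(meta.artifact_uri)
    except KeyError as exc:
        raise ReadbackError(f"unreadable: {meta.artifact_uri}") from exc
    if len(data) != meta.artifact_size_bytes:
        raise ReadbackError("size mismatch")
    if hashlib.sha256(data).hexdigest() != meta.artifact_sha256.lower():
        raise ReadbackError("sha256 mismatch")

def archive_then_detach(meta: EvidenceMeta, pg_payload: bytes,
                        store: Dict[str, bytes]) -> bool:
    """Copy, read back, verify; return True only when detaching is safe."""
    # Assumption: a dict stands in for immutable versioned object storage,
    # so an existing object under the URI is never overwritten.
    store.setdefault(meta.artifact_uri, pg_payload)
    try:
        verify_readback(meta, store.__getitem__)
    except ReadbackError:
        return False  # keep the PG payload bytes; the archive copy is not proven
    return True

def proof_is_valid(meta: EvidenceMeta, fetch: Callable[[str], bytes]) -> bool:
    """Dependent proof holds only while the archived evidence reads back intact."""
    try:
        verify_readback(meta, fetch)
    except ReadbackError:
        return False
    return True

# Constructed sample artifact and URI (not from the page).
SAMPLE = b"constructed analyzer corpus result\n"
META = EvidenceMeta("s3://example-archive/evidence/sample.bin",
                    hashlib.sha256(SAMPLE).hexdigest(), len(SAMPLE))
```

A False return from archive_then_detach means the PG payload bytes stay in place; how last_readback_at is recorded after a successful check is outside this sketch.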

Exact Runtime-Evidence Category

Normative byte-level DDL is in the RP-correction artifact 02-rp01-runtime-evidence-tables.md. The physical set is exactly 11 tables: signoff_binding, capability_run, capability_measurement, capability_artifact, gate_fact_result, bypass_vector_fact_result, quorum_vote, denied_attempt_evidence, dashboard_export, level_b_packet_execution, and post_activation_verifier_state. capability_environment is deliberately folded into capability_run using environment_sha256 plus environment_evidence_id.

These tables are owner-only, append-only, hash/evidence-bound, and Directus/PUBLIC-inaccessible, but are not authority surfaces. Their exact object/constraint set is represented by typed authority_scope_manifest #20 rows. Their pass/blocked/evaluated values are generic-guard-derived facts; no caller-authored result grants readiness.

knowledge/dev/reports/architecture/codex-fix7-spec-artifact-correction-from-t1-proposals-2026-06-07/09-cp08-registry-evidence-placement-retention.md