KB-3B11

FIX7 Directus SELECT Retention Owner Cutover

Revision 1

Directus SELECT Retention And Owner Cutover

Authority is the sealed ACTIVE PRIVILEGE_SET, never a handwritten list. Post-cutover, Directus holds schema USAGE plus SELECT only on manifest-listed presentation views (base-table SELECT only where separately proven); no DML, TRUNCATE, REFERENCES, TRIGGER, CREATE, TEMP, EXECUTE, ownership or grant option; no authority-role membership. PUBLIC holds none. Reads continue through sealed views.

Preflight captures the exact access-log and registered read inventory, the current and proposed owner ACL/default privileges, the expected hashes for smoke requests, the denied authority tests, and the rollback ACL hash. Any observed read missing from the proposed manifest results in BLOCKED_READ_PATH, with no ad-hoc grant.
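The manifest and privilege checks described above can be sketched as a preflight gate over PostgreSQL `aclitem` strings (`grantee=privs/grantor`, empty grantee meaning PUBLIC, `*` meaning grant option). This is an added example, not the project's own code; the role, schema and view names are constructed, and the `ACL_VIOLATION` and `PREFLIGHT_PASS` labels are hypothetical.

```python
import re

# Constructed sample values; role, schema and view names are assumptions.
ROLE, SCHEMA = "directus_ro", "presentation"
MANIFEST = {"presentation.v_articles", "presentation.v_authors"}
ACLITEM = re.compile(r"^([^=]*)=([A-Za-z*]*)/(.+)$")

def parse_aclitem(item):
    """Split PostgreSQL 'grantee=privs/grantor'; an empty grantee means PUBLIC."""
    m = ACLITEM.match(item)
    if not m:
        raise ValueError(f"unparseable aclitem: {item!r}")
    grantee, privs, _grantor = m.groups()
    return grantee or "PUBLIC", set(privs) - {"*"}, "*" in privs

def preflight(observed_reads, manifest, proposed_acl, role=ROLE, schema=SCHEMA):
    """Return (status, findings) for the proposed post-cutover ACL."""
    # An observed read the manifest does not cover blocks; no ad-hoc grant.
    missing = sorted(set(observed_reads) - set(manifest))
    if missing:
        return "BLOCKED_READ_PATH", missing
    findings = []
    for obj in sorted(set(proposed_acl) | set(manifest) | {schema}):
        # U = USAGE on the schema, r = SELECT on manifest views, nothing elsewhere.
        allowed = {"U"} if obj == schema else {"r"} if obj in manifest else set()
        held = set()
        for item in proposed_acl.get(obj, []):
            grantee, privs, grant_opt = parse_aclitem(item)
            if grantee == "PUBLIC" and privs:
                findings.append(f"{obj}: PUBLIC holds {''.join(sorted(privs))}")
            if grantee == role:
                held |= privs
                if grant_opt:
                    findings.append(f"{obj}: {role} has grant option")
        if held - allowed:
            findings.append(f"{obj}: {role} holds extra {''.join(sorted(held - allowed))}")
        if allowed - held:
            findings.append(f"{obj}: {role} lacks {''.join(sorted(allowed - held))}")
    # ACL_VIOLATION and PREFLIGHT_PASS are hypothetical labels, not from the page.
    return ("ACL_VIOLATION", findings) if findings else ("PREFLIGHT_PASS", [])
```

Objects outside the manifest are treated as allowing nothing, so a base-table SELECT that has been separately proven would need to be added to the allowed set explicitly.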

Atomic FIX7b runs under the epoch lock: revalidate packet, hash, epoch, quorum and read inventory; transfer the exact scope to cp_owner; revoke authority; apply the exact SELECT/USAGE; fix default privileges; prove denied authority; prove every read smoke hash; increment the epoch and keep apply blocked.

Any read mismatch, 4xx, 5xx, missing, uncertain or unmanifested need aborts with BLOCKED_READ_PATH. On postcommit regression, the writer is revoked and an owner-gated rollback restores only the prior reviewed SELECT, never unsafe authority; rollback increments the epoch and sets readiness to false.

knowledge/dev/reports/architecture/codex-fix7-spec-artifact-publish-finalization-2026-06-07/06-directus-select-retention-owner-cutover.md