KB-1A7A
T1 FIX7 Blueprint Patch - Stub Scope Disposition Fix (BLOCKER 3)
Revision 1
fix7codex-patchstub-scopedisposition2026-06-08
04 - BLOCKER 3: Stub-Scope Contradiction Fix (5 dispositions)
Codex finding
PKG-F said "replace each [of the complete set] with a fail-closed stub", while S15/doc02 said "stub only apply/writer entrypoints". These are different operations. In addition, rollback (#27) restored only writer/gateway source, so if all routines were stubbed, rollback could not restore the other bodies. (Codex CR-B2 / CR-E2.)
The fix - exactly one disposition per sealed-set member (blueprint doc 02 §I)
| disposition | what changes | body changed? | rollback source | members |
|---|---|---|---|---|
| REVOKE_ONLY | EXECUTE revoked from PUBLIC/directus/non-owner; body unchanged | NO | captured ACL only | legacy functions NOT on the authoritative apply/writer/planner path |
| STUB_FAIL_CLOSED | EXECUTE revoked AND body replaced with a fail-closed stub | YES | pinned source_sha256 body + captured ACL, in #27 | authoritative apply/writer/planner entrypoints classified live-reachable by #11 (certain: apply fn fn_dot_birth_qt001_apply + apply proc sp_dot_birth_qt001_apply; rest fixed by sealed #11 classification) |
| FREEZE_NO_CHANGE | writes revoked, sentinel-frozen; body unchanged | NO | restore prior grants/flag | the 20 legacy tables |
| DEPRECATE_READONLY | marked deprecated, read-only history | NO | clear deprecation flag | the 196 legacy views; tables after freeze |
| DO_NOT_TOUCH | nothing | NO | n/a | birth gateway family + DOT-118/119 |
Resolution
- S15/PKG-F now reads: REVOKE EXECUTE over the complete sealed set; replace ONLY the `STUB_FAIL_CLOSED`-classified entrypoints with a fail-closed stub; every `REVOKE_ONLY` member keeps its body unchanged. All "replace each with a stub" language over the complete set is removed.
- Rollback is symmetric and bounded: only `STUB_FAIL_CLOSED` requires a body restore, and exactly those bodies are pinned in #27. `REVOKE_ONLY`/`FREEZE_NO_CHANGE`/`DEPRECATE_READONLY` restore privileges/flags only. There is therefore no "cannot restore N bodies" gap (CR-E2) — the body-restore burden equals the enumerated `STUB_FAIL_CLOSED` set.
- Exact identity (CR-B3): each member bound by `regprocedure`/`regclass` + `prokind` + identity args + OID-at-capture, not names. Live split corrected to 45 functions + 1 procedure (the prose "46 functions" conflated the procedure); the count is non-load-bearing (sealed exact-set is authority).
Self-check
PASS only if every legacy entrypoint has exactly one disposition and a matching rollback → PASS. Each sealed-set member carries exactly one disposition (enforced by the #20 typed column); body-changing rollback is pinned only for STUB_FAIL_CLOSED; privilege-only rollback for the rest. G-LEGACY-TARGET-SEALED asserts "every member has exactly one disposition."
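
The self-check above, sketched as an added example (not the blueprint's own gate code): it verifies that every sealed-set member has exactly one disposition and that a body pin exists if and only if the member is `STUB_FAIL_CLOSED`. The manifest shape, the function signatures, the OIDs and the hash placeholder are assumptions constructed for illustration; members are keyed by identity tuple, not by name.

```python
from collections import defaultdict

DISPOSITIONS = {"REVOKE_ONLY", "STUB_FAIL_CLOSED", "FREEZE_NO_CHANGE",
                "DEPRECATE_READONLY", "DO_NOT_TOUCH"}

def check_sealed_set(sealed, assignments, body_pins):
    """Return violations (empty list means PASS).

    sealed      -- set of identities: (regprocedure text, prokind, oid_at_capture)
    assignments -- iterable of (identity, disposition) rows
    body_pins   -- dict: identity -> source_sha256 pinned for body rollback
    """
    by_member = defaultdict(list)
    for identity, disposition in assignments:
        by_member[identity].append(disposition)

    errors = []
    for identity in sorted(by_member.keys() - sealed):
        errors.append(f"{identity[0]}: assigned but not in the sealed set")
    for identity in sorted(sealed):
        got = by_member.get(identity, [])
        if len(got) != 1:
            errors.append(f"{identity[0]}: {len(got)} dispositions, need exactly 1")
        elif got[0] not in DISPOSITIONS:
            errors.append(f"{identity[0]}: unknown disposition {got[0]}")
        elif got[0] == "STUB_FAIL_CLOSED" and identity not in body_pins:
            errors.append(f"{identity[0]}: stubbed without a pinned body")
        elif got[0] != "STUB_FAIL_CLOSED" and identity in body_pins:
            errors.append(f"{identity[0]}: body pinned but never changed")
    return errors

# Constructed sample: two overloads share a name but are distinct members.
A = ("legacy_apply(integer)", "f", 16401)   # hypothetical apply entrypoint
B = ("legacy_apply(text)", "f", 16402)      # hypothetical legacy overload
C = ("legacy_report()", "p", 16403)         # hypothetical procedure
SEALED = {A, B, C}
PINS = {A: "<source_sha256 placeholder>"}
FIXED = [(A, "STUB_FAIL_CLOSED"), (B, "REVOKE_ONLY"), (C, "REVOKE_ONLY")]
STUB_ALL = [(m, "STUB_FAIL_CLOSED") for m in (A, B, C)]  # pre-fix PKG-F wording

if __name__ == "__main__":
    print("fixed:", check_sealed_set(SEALED, FIXED, PINS) or "PASS")
    print("stub-all:", check_sealed_set(SEALED, STUB_ALL, PINS))
```

The `STUB_ALL` case reproduces the CR-E2 gap: stubbing the complete set while pinning only the writer body leaves two members with no restorable source.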