KB-2C64

T1 FIX7 Blueprint Patch - Rollback No-Mixed-Authority Fix (BLOCKER 4)

Revision 1

Tags: fix7, codex-patch, rollback, no-mixed-authority, 2026-06-08

05 - BLOCKER 4: Rollback No-Mixed-Authority Fix (atomic deactivation-first)

Codex finding

S15 rollback restored blanket legacy PUBLIC EXECUTE while the qt001_cp plane remained present, and the "dormant/superseded" claim was an assertion, not an explicit atomic action/proof. It did not prove that a mixed old+new authoritative state cannot exist. (Codex CHECK_E FAIL; CR-E1/CR-E3.)

The fix - explicit ordered atomic rollback + new guard (blueprint docs 04, 05)

G-NOMIXED-AUTHORITY (new): at every cutover/rollback checkpoint, the new qt001_cp authoritative path and any legacy executable path are mutually exclusive — it is impossible for both to be active/executable simultaneously. Fails closed otherwise.

S15 rollback is rewritten as a strict ordered, fail-closed sequence (doc 05 note 5):

  1. Deactivate/supersede the new authoritative path in manifest_activation (no ACTIVE manifest for the writer type; #26 gateway routes fail-closed).
  2. Verify readiness is BLOCKED.
  3. Verify the writer gateway cannot route to the new active path.
  4. Only THEN restore legacy state, per sealed disposition — STUB_FAIL_CLOSED: pinned #27 source_sha256 body + captured ACL; REVOKE_ONLY: captured ACL only. Restoration replays the verified pre-cutover snapshot (which includes the legacy PUBLIC state) — it does not issue a fresh blanket GRANT ... TO PUBLIC, so the restored set is exactly the captured prior set, the minimum needed to reach the pre-cutover baseline (addresses Codex "prefer restoring only minimum safe legacy execution").
  5. Verify G-NOMIXED-AUTHORITY + G-BIRTH-NEUTRAL.

Because steps 1-3 precede step 4, there is no window where both paths are executable. Any step that cannot prove its safe-blocked condition halts the rollback fail-closed.
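The ordering argument above is easier to check against a concrete model than in prose. The following is an added example, not the blueprint's code: it simulates the plane state as plain Python objects and runs the S15 sequence in the fixed order, with G-NOMIXED-AUTHORITY enforced on entry and after restoration. The state shape (manifest_activation as a dict, legacy ACLs as grantee sets, function bodies as strings), the writer type name, the manifest id and the snapshot contents are all constructed assumptions; G-BIRTH-NEUTRAL is not modelled. It also shows the two ways the run halts fail-closed: a restore-first ordering that opens a mixed window, and a STUB_FAIL_CLOSED body that does not match the pinned #27 source_sha256.

```python
"""Model of the deactivation-first, fail-closed S15 rollback with G-NOMIXED-AUTHORITY.

Everything here is a constructed simulation for illustration; the state layout,
names and sample values are assumptions, not the blueprint's own code.
"""
import hashlib
from dataclasses import dataclass, field


class RollbackHalted(Exception):
    """A step could not prove its safe-blocked condition: halt fail-closed."""


@dataclass
class Plane:
    """Constructed stand-in for the catalogue state touched by cutover/rollback."""
    active_manifest: dict = field(default_factory=dict)  # writer_type -> manifest id
    legacy_acl: dict = field(default_factory=dict)       # legacy fn -> set of grantees
    legacy_body: dict = field(default_factory=dict)      # legacy fn -> function source


def new_path_active(plane, writer_type):
    return writer_type in plane.active_manifest


def legacy_executable(plane):
    # Any non-empty grantee set (PUBLIC included) means a legacy path is executable.
    return any(plane.legacy_acl.values())


def readiness_blocked(plane, writer_type):
    return not new_path_active(plane, writer_type)


def gateway_route(plane, writer_type):
    # None models the #26 fail-closed route: no ACTIVE manifest, nothing to call.
    return plane.active_manifest.get(writer_type)


def guard_no_mixed_authority(plane, writer_type):
    """G-NOMIXED-AUTHORITY: new active path and legacy executability never coexist."""
    if new_path_active(plane, writer_type) and legacy_executable(plane):
        raise RollbackHalted("G-NOMIXED-AUTHORITY violated: both paths executable")


def restore_legacy(plane, snapshot, disposition):
    """Step 4: replay the verified pre-cutover snapshot, never a fresh blanket GRANT."""
    if disposition == "STUB_FAIL_CLOSED":
        for fn, body in snapshot["bodies"].items():
            if hashlib.sha256(body.encode()).hexdigest() != snapshot["source_sha256"][fn]:
                raise RollbackHalted(f"{fn}: body does not match pinned source_sha256")
            plane.legacy_body[fn] = body
    elif disposition != "REVOKE_ONLY":
        raise RollbackHalted(f"unknown sealed disposition {disposition!r}")
    # The restored grantee set is exactly the captured prior set, nothing added.
    plane.legacy_acl = {fn: set(g) for fn, g in snapshot["acl"].items()}


def rollback(plane, writer_type, snapshot, disposition):
    """S15 order: 1 deactivate, 2-3 prove blocked, 4 restore, 5 verify guard."""
    guard_no_mixed_authority(plane, writer_type)        # entry state must already be sane
    plane.active_manifest.pop(writer_type, None)        # 1. no ACTIVE manifest for writer
    if not readiness_blocked(plane, writer_type):       # 2.
        raise RollbackHalted("readiness not BLOCKED after deactivation")
    if gateway_route(plane, writer_type) is not None:   # 3.
        raise RollbackHalted("writer gateway still routes to the new path")
    restore_legacy(plane, snapshot, disposition)        # 4.
    guard_no_mixed_authority(plane, writer_type)        # 5.
    return plane


def restore_first_rollback(plane, writer_type, snapshot, disposition):
    """The rejected ordering: legacy EXECUTE comes back while the new path is active."""
    restore_legacy(plane, snapshot, disposition)
    guard_no_mixed_authority(plane, writer_type)        # trips: a mixed window exists
    plane.active_manifest.pop(writer_type, None)
    return plane


def attempt(fn, *args):
    """Run a rollback variant and report OK or the fail-closed halt reason."""
    try:
        fn(*args)
        return "OK"
    except RollbackHalted as exc:
        return f"HALTED: {exc}"


def post_cutover_plane():
    """Constructed state after cutover: new path active, legacy stubbed and revoked."""
    return Plane(active_manifest={"writer": "m-002"},
                 legacy_acl={"legacy_write": set()},
                 legacy_body={"legacy_write": "BEGIN RAISE EXCEPTION 'stub'; END"})


def pre_cutover_snapshot():
    """Constructed sealed snapshot: prior bodies, pinned hashes, captured ACL."""
    body = "BEGIN INSERT INTO t VALUES (1); END"
    return {"bodies": {"legacy_write": body},
            "source_sha256": {"legacy_write": hashlib.sha256(body.encode()).hexdigest()},
            "acl": {"legacy_write": {"PUBLIC"}}}


if __name__ == "__main__":
    print(attempt(rollback, post_cutover_plane(), "writer", pre_cutover_snapshot(), "STUB_FAIL_CLOSED"))
    print(attempt(restore_first_rollback, post_cutover_plane(), "writer", pre_cutover_snapshot(), "STUB_FAIL_CLOSED"))
```

Note what the halted runs leave behind: when step 4 fails on a hash mismatch, the new path has already been deactivated and the legacy ACL has not been replayed, so the plane sits in the blocked state on both sides rather than in a mixed one. That is the fail-closed property the ordering buys.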

CR-E3 restore-mechanism distinction

The "never CREATE OR REPLACE the gateway" rule applies to the qt001_cp writer gateway (owner-isolated) and the birth gateway (DO_NOT_TOUCH); rollback restores those by re-pointing manifest_activation, not by replacing a body. Restoring a STUB_FAIL_CLOSED legacy body to its pinned prior source is a separate authorized operator function-replacement of a legacy object — a different object class — and does not contradict the gateway rule. This resolves the apparent "restores prior source but never CREATE OR REPLACEs" contradiction Codex flagged.

Self-check

PASS only if mixed old/new authority is impossible → PASS. The deactivation-first order + G-NOMIXED-AUTHORITY make it structurally impossible for the new active path and legacy executability to coexist; rollback halts fail-closed if it cannot prove the superseded/blocked state before restoring any legacy EXECUTE.

Source: knowledge/dev/reports/architecture/t1-fix7-blueprint-patch-after-codex-critical-fail-2026-06-08/05-rollback-no-mixed-authority-fix.md