KB-77B3

T1 FIX7 Blueprint Patch - ACL Snapshot Completeness Fix (BLOCKER 5)

Revision 1
Tags: fix7, codex-patch, acl-snapshot, effective-privilege, 2026-06-08

06 - BLOCKER 5: ACL Snapshot Completeness Fix (column ACL + effective privilege)

Codex finding

The pre-cutover ownership/ACL snapshot omitted column ACLs (pg_attribute.attacl) and did not prove effective privileges through role membership. Table-level relacl does not contain column grants, and a direct ACL row does not show what a role holds by inheriting from another role via pg_auth_members. (Codex CHECK_F: NEEDS_FIX.)

The fix - complete PG-native snapshot (blueprint doc 05 invariant 3; doc 06 G-OWNER-CUTOVER; doc 07 PKG-G)

Per control object in the sealed set, the snapshot now captures:

  • object owner (pg_class.relowner / pg_proc.proowner);
  • schema privileges (pg_namespace.nspacl);
  • table/view privileges — full relacl: SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER (every privtype);
  • function/procedure EXECUTE (proacl);
  • sequence privileges (relacl of owned sequences);
  • column ACL (pg_attribute.attacl) — NEW;
  • default privileges (pg_default_acl);
  • role memberships / effective privileges (pg_auth_members expansion, then aclexplode plus has_table_privilege / has_column_privilege / has_function_privilege, which honour role inheritance; the column check is needed because has_table_privilege does not answer for attacl) — NEW;
  • PUBLIC grants, Directus grants, qt001_cp_owner/migrator/reader grants (enumerated);
  • dependency on pg_roles / pg_auth_members (so a role drop or a membership change is captured);
  • snapshot_sha256 over the canonical snapshot (hash-bound).

Verification (BLOCKER 5 required)

  • The snapshot must exist, be hash-bound, read-back-verified, and its restore rehearsed before any REVOKE (blocks the cutover otherwise).
  • Rollback replays the exact snapshot.
  • Effective privilege after rollback == pre-cutover snapshot, compared in BOTH directions (pre→post and post→pre), role-membership-aware — not raw ACL-row equality.
  • G-OWNER-CUTOVER and G-NOLEGACY-POST use effective-privilege checks. Role membership is asserted unchanged by FIX7 packages; if any package changes it, the change is snapshotted and restored explicitly.
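As an added, offline illustration of the checks this section requires (not the project's own snapshot tooling), the following Python models the aclitem expansion that aclexplode() performs, the pg_auth_members closure, the canonical snapshot_sha256, and the both-direction effective-privilege comparison. The snapshot layout, the role and object names (cp.accounts, cp.f_mask, analyst) and the two rollback outcomes are constructed for the example; it assumes every membership carries INHERIT and ignores grant options. It shows why raw ACL-row equality is the wrong test: one outcome has identical ACL rows but a lost membership, the other has different rows (a different grantor) but identical effective access.

```python
"""Offline model of the FIX7 ACL snapshot checks: aclitem parsing (aclexplode()),
pg_auth_members expansion, a hash-bound canonical snapshot and the both-direction
effective-privilege diff. Added example on constructed data, not project code."""
import copy
import hashlib
import json

# aclitem privilege letters as PostgreSQL prints them (relacl/attacl/proacl/nspacl).
PRIV = {"r": "SELECT", "a": "INSERT", "w": "UPDATE", "d": "DELETE", "D": "TRUNCATE",
        "x": "REFERENCES", "t": "TRIGGER", "X": "EXECUTE", "U": "USAGE", "C": "CREATE"}
# A NULL acl means acldefault(): the owner holds everything for its object kind,
# and PUBLIC additionally holds EXECUTE on functions.
OWNER_PRIVS = {"table": {"SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER"},
               "function": {"EXECUTE"}, "schema": {"USAGE", "CREATE"}}
PUBLIC_DEFAULT = {"function": {"EXECUTE"}}

def parse_aclitem(item):
    """'grantee=privs/grantor' -> {(grantee, privilege)}. Empty grantee is PUBLIC.
    Grantor and '*' (grant option) are dropped: the guards compare who can do
    what, which is exactly why raw aclitem-row equality is the wrong test."""
    grantee, rest = item.split("=", 1)
    letters = rest.split("/", 1)[0].replace("*", "")
    return {(grantee or "PUBLIC", PRIV[ch]) for ch in letters}

def member_of(role, members):
    """Transitive closure over pg_auth_members (member -> roles it belongs to).
    Assumption: every membership carries INHERIT, so grants flow down."""
    seen, stack = set(), [role]
    while stack:
        for group in members.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def _grants(obj):
    if obj["acl"]:
        return set().union(*(parse_aclitem(i) for i in obj["acl"]))
    return ({(obj["owner"], p) for p in OWNER_PRIVS[obj["kind"]]}
            | {("PUBLIC", p) for p in PUBLIC_DEFAULT.get(obj["kind"], ())})

def effective_privileges(snap):
    """{(role, object, privilege)} answered the way has_table_privilege() /
    has_column_privilege() do: PUBLIC applies to everyone, inherited grants count,
    a column privilege is satisfied at table level. snap["roles"] mirrors pg_roles."""
    eff = set()
    for role in snap["roles"]:
        sources = {role, "PUBLIC"} | member_of(role, snap["members"])
        for name, obj in snap["objects"].items():
            table = {p for g, p in _grants(obj) if g in sources}
            eff |= {(role, name, p) for p in table}
            for col, acl in obj.get("columns", {}).items():
                col_grants = set().union(*(parse_aclitem(i) for i in acl))
                held = table | {p for g, p in col_grants if g in sources}
                eff |= {(role, f"{name}.{col}", p) for p in held}
    return eff

def acl_rows(snap):
    """Raw ACL-row view: what a naive snapshot diff would compare."""
    rows = set()
    for name, obj in snap["objects"].items():
        rows |= {(name, i) for i in obj["acl"]}
        for col, acl in obj.get("columns", {}).items():
            rows |= {(f"{name}.{col}", i) for i in acl}
    return rows

def snapshot_sha256(snap):
    """Hash over the canonical form (sorted keys, sorted string lists) so the
    same privilege state always yields the same snapshot_sha256."""
    def canon(x):
        if isinstance(x, dict):
            return {k: canon(v) for k, v in sorted(x.items())}
        return sorted(x) if isinstance(x, list) else x
    blob = json.dumps(canon(snap), separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def compare_effective(pre, post):
    """Both directions, membership-aware: (lost after rollback, gained after rollback)."""
    a, b = effective_privileges(pre), effective_privileges(post)
    return sorted(a - b), sorted(b - a)

# Constructed pre-cutover snapshot (illustrative, not real catalog output).
PRE = {
    "roles": ["qt001_cp_owner", "qt001_cp_reader", "analyst", "directus"],
    "members": {"analyst": ["qt001_cp_reader"]},  # analyst inherits from qt001_cp_reader
    "objects": {
        "cp.accounts": {"kind": "table", "owner": "qt001_cp_owner",
                        "acl": ["qt001_cp_owner=arwdDxt/qt001_cp_owner",
                                "qt001_cp_reader=r/qt001_cp_owner"],
                        "columns": {"ssn": ["directus=r/qt001_cp_owner"]}},
        "cp.f_mask": {"kind": "function", "owner": "qt001_cp_owner", "acl": []},
    },
}
# Rollback outcome 1: identical ACL rows, but the membership was never restored.
POST_NO_MEMBERSHIP = copy.deepcopy(PRE)
POST_NO_MEMBERSHIP["members"] = {}
# Rollback outcome 2: same access, but the grant was replayed by a different grantor.
POST_REGRANTED = copy.deepcopy(PRE)
POST_REGRANTED["objects"]["cp.accounts"]["acl"][1] = "qt001_cp_reader=r/postgres"
```

Running compare_effective(PRE, POST_NO_MEMBERSHIP) reports analyst's SELECT on cp.accounts and on cp.accounts.ssn as lost even though acl_rows() is identical for both snapshots, while compare_effective(PRE, POST_REGRANTED) is empty in both directions although the raw rows differ. Against a live cluster the same answer comes from has_table_privilege(), has_column_privilege() and has_function_privilege(), which already walk role membership; the model reproduces that answer offline so the rollback rehearsal can be checked without the database.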

Self-check

PASS. Both pg_attribute.attacl and pg_auth_members-expanded effective privilege are in the snapshot, the guards, and the both-direction rollback verification; an absent, unverified or unhashed snapshot blocks the cutover.

Source: knowledge/dev/reports/architecture/t1-fix7-blueprint-patch-after-codex-critical-fail-2026-06-08/06-acl-snapshot-completeness-fix.md