T1 FIX7 Blueprint Patch - Writer Gateway Identity Fix (BLOCKER 6)
07 - BLOCKER 6: Writer Gateway Identity Fix (pinned, phase-explicit)
Codex finding
The identity and ownership phase of the live writer/gateway were ambiguous across S15 (before S16
owner/ACL cutover). G-DOT-NOOVERWRITE referred to the gateway as owned by qt001_cp_owner, but the
blueprint did not make the gateway's exact identity and per-phase owner explicit. (Codex CHECK_D
HOLD.)
The fix - pinned identity + phase-explicit ownership (blueprint doc 04 §Writer-gateway-identity)
The QT001 control-plane writer gateway is pinned as the single sealed gateway_manifest #26 row:
| attribute | contract |
|---|---|
| identity | regprocedure (schema qt001_cp + name + identity args) + prokind, in #26 |
| owner (before S15 / after S15 / after S16) | qt001_cp_owner / qt001_cp_owner / qt001_cp_owner — born owner-isolated at PKG-E; NO directus phase; NO owner transition (resolves CHECK_D) |
| source hash before/after | the #26-bound source_sha256, unchanged — cutover repoints via manifest_activation, it does not rewrite the gateway body |
| expected active path (after S15 / before S15) | live writer → #26 gateway → manifest-active path / legacy apply-writer (directus-owned, sealed-set member) |
| rollback stub source | #27 rollback_stub_source_sha256 |
| #26 / #27 bindings | gateway identity + source + fail_closed; old/new source_sha256 + rollback stub + STUB_FAIL_CLOSED body bindings |
| fn_birth_registry_auto | DO_NOT_TOUCH; explicitly NOT the QT001 writer gateway (birth layer; directus-owned; protected by G-BIRTH-NEUTRAL + G-DOT-FROZEN + policy, not owner-isolation) |
A phase-explicit owner table covers the new gateway, the legacy apply/writer (directus until S16), other legacy routines (directus until S16), and the birth gateway (directus, DO_NOT_TOUCH).
G-WRITER-GATEWAY-IDENTITY (new): the post-S15 active writer == the #26-bound regprocedure with
matching source_sha256 and owner qt001_cp_owner; the legacy writer/apply objects are members of
the sealed #20/#27 set; fn_birth_registry_auto is unchanged. No guard may assume the post-S16
owner state at S15. S15/S16 reference this pinned identity, never a name pattern.
Key clarification that resolves CHECK_D
The ambiguity dissolves once the two object classes are separated: the new gateway is born
qt001_cp_owner in PKG-E (so owner-isolation holds at S15, no transition at S16); the legacy
apply/writer objects are directus-owned until S16 (when transferred or frozen). They are different
objects; "the gateway" is never the directus-owned legacy object.
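
A sketch of G-WRITER-GATEWAY-IDENTITY as a per-phase check over a catalog snapshot. This is an added example, not code from the blueprint. The function signatures, the dict keys, the schema of fn_birth_registry_auto and the choice to hash the function body are assumptions, and all sample data is constructed.

```python
import hashlib

GATEWAY_OWNER, LEGACY_OWNER = "qt001_cp_owner", "directus"
PHASES = ("before_S15", "after_S15", "after_S16")

def sha256_hex(src):
    return hashlib.sha256(src.encode("utf-8")).hexdigest()

def check_gateway_identity(phase, manifest, catalog, active_writer):
    """Return the list of guard violations for one phase (empty list = PASS)."""
    if phase not in PHASES:
        raise ValueError(f"unknown phase: {phase}")
    out = []
    gw = catalog.get(manifest["regprocedure"])  # exact signature, never a name pattern
    if gw is None:
        out.append("gateway: pinned regprocedure not found")
    else:
        if gw["prokind"] != manifest["prokind"]:
            out.append("gateway: prokind mismatch")
        if sha256_hex(gw["src"]) != manifest["source_sha256"]:
            out.append("gateway: source_sha256 mismatch")
        if gw["owner"] != GATEWAY_OWNER:  # same owner in every phase, no transition
            out.append("gateway: owner is not qt001_cp_owner")
    for sig in manifest["sealed_legacy"]:
        obj = catalog.get(sig)
        if obj is None:
            out.append(f"legacy: sealed member {sig} missing")
        elif phase != "after_S16" and obj["owner"] != LEGACY_OWNER:
            # Legacy objects stay directus-owned until S16; post-S16 state is not assumed.
            out.append(f"legacy: {sig} not directus-owned before S16")
    if phase == "before_S15":
        if active_writer not in manifest["sealed_legacy"]:
            out.append("active path: expected the sealed legacy apply-writer")
    elif active_writer != manifest["regprocedure"]:
        out.append("active path: live writer is not the pinned gateway")
    birth = catalog.get(manifest["birth_regprocedure"])
    if birth is None or sha256_hex(birth["src"]) != manifest["birth_source_sha256"]:
        out.append("birth: fn_birth_registry_auto changed")
    return out

# Constructed sample data; the gateway and legacy signatures are hypothetical.
GW, LEGACY, BIRTH = "qt001_cp.fn_writer_gateway(jsonb)", "public.fn_apply_writer(jsonb)", "public.fn_birth_registry_auto()"
def row(owner, src, prokind="f"):
    return {"owner": owner, "prokind": prokind, "src": src}
CATALOG = {GW: row(GATEWAY_OWNER, "gateway body"), LEGACY: row(LEGACY_OWNER, "legacy body"),
           BIRTH: row(LEGACY_OWNER, "birth body")}
MANIFEST = {"regprocedure": GW, "prokind": "f", "source_sha256": sha256_hex("gateway body"),
            "sealed_legacy": [LEGACY], "birth_regprocedure": BIRTH,
            "birth_source_sha256": sha256_hex("birth body")}
```

A same-named overload with different identity args fails the lookup, and a legacy object that has already changed owner is flagged at S15 but accepted after S16.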
Self-check
PASS only if exact identity/owner/hash/binding are pinned per phase → PASS. #26 pins
regprocedure+prokind+source_sha256+fail_closed; the phase table pins owner at each of
before-S15/after-S15/after-S16; #27 pins old/new/rollback source; G-WRITER-GATEWAY-IDENTITY enforces
it and forbids assuming post-S16 owner state at S15.