04 - BLOCKER C: Legacy-Disposition Contract — DESIGN_AMENDMENT_REQUIRED

Codex recheck-2 finding (docs 03 + 09)

Two linked findings:

1. DDL no-drift: adding object_type = 'LEGACY_FUNCTION' | 'LEGACY_PROCEDURE' | 'LEGACY_VIEW' rows to authority_scope_manifest #20 extends the authority contract — #20 §2.7 enumerates only TABLE/CONSTRAINT/INDEX/runtime-evidence, and "open text does not make semantic drift approved."
2. Hardcode / PG-native: the five-action "COMPUTED disposition" has no exact PG truth-table / sealed rule rows / version-source binding / negative tests, so the five operational actions can be hidden CASE/code policy.

Codex's required fix: "either obtain an explicit owner-level semantic design correction, or express legacy membership/actions entirely through existing approved structural types and sealed rule/manifest contracts without new free-text policy vocabulary."

Why this is genuinely an amendment, not a third T1 retrofit

T1 examined every approved surface for a home and found none:

need	candidate approved home	verdict
5-value disposition enum as a sealed value	a code_catalog_item family	No — CP-03 bootstrap families are a sealed exact set, not extensible; adding a disposition/LEGACY_ACTION family = the catalog drift Codex already rejects
disposition output column on the object	authority_scope_manifest #20	No — #20 has no disposition/root_kind column; adding one = byte-DDL drift (rejected recheck 1)
legacy routine/view membership as a managed authority object	#20 object_type open text	No — §2.7 scopes #20 to TABLE/CONSTRAINT/INDEX/runtime-evidence; LEGACY_FUNCTION/PROCEDURE/VIEW = semantic drift (rejected recheck 2)
a sealed disposition rule/truth-table that emits the enum	policy_rule_manifest #01	Partial only — #01 is a typed sealed rule engine (rule_set_id/rule_order/fact_id/operator_primitive/typed operand/required), but it emits gate predicates (boolean), consumed by readiness-gate #09 / bypass-vector #12; it has no 5-value classification sink and no disposition output
free-form policy payload	code_catalog_item.item_payload	No — explicitly forbidden (§2.7: "item_payload is never permitted")

T1 has now exhausted both retrofit routes (typed columns = recheck-1 DDL drift; open-text/computed/external = recheck-2 disguised hardcode). The disposition layer is a semantic addition the approved design was never given. Authoring it is a governance/design change, which law §4G lists as a stop_without_asking_if HARD-STOP for T1 (author mode cannot change enacted design), and §4H forbids DDL/DML. Therefore T1 routes it to the design owner rather than retrofitting a third time.

Two concrete amendment options for the design owner

Option α — add a typed legacy-disposition contract (byte-DDL / catalog amendment)

Add, as an explicit owner-authored design correction, one of:

• a new sealed catalog family LEGACY_DISPOSITION with exactly the five members (REVOKE_ONLY, STUB_FAIL_CLOSED, FREEZE_NO_CHANGE, DEPRECATE_READONLY, DO_NOT_TOUCH), and
• a typed legacy-disposition surface (or an owner-approved extension of #20's enumerated object set to include legacy routine/view rows + a disposition_item_id FK to that family), and
• a sealed disposition rule set expressed as policy_rule_manifest #01 rows (rule_set_id per disposition; fact_id = protected_target/entrypoint/#11-reachability/ effective-privilege; typed operands; rule_order priority; deterministic conflict rule), and
• a guard that rejects any disposition decided by CASE/code rather than the sealed rule rows, plus negative tests.
• For STUB_FAIL_CLOSED, add the unique body-restore evidence_id binding (blocker E, doc 06).

This is a real byte-DDL/catalog change and so must be authored and approved by the design owner; T1 cannot self-author it (recheck-1 lesson).

Option β — bless the collapse to approved primitives (no DDL change; design-owner confirmation)

Eliminate the disposition enum and STUB_FAIL_CLOSED entirely and express legacy neutralization through primitives that already exist and are approved:

• membership = dependency_manifest #11 reverse-closure rows (structurally correct; no §2.7 drift);
• owner end-state = owner-transfer of every U_legacy member to qt001_cp_owner (unreachable, blocker A);
• privilege end-state = sealed privilege_set_manifest #21 rows (or absence of a grant = effectively revoked); Directus SELECT preserved via #21;
• protected-table marking = #20 protected_target TABLE rows (already approved);
• action distinction = the structural class (relkind/prokind — PG-native catalog facts): routine ⇒ owner-transfer + no #21 EXECUTE grant; table ⇒ owner-transfer + no DML grant (frozen); view ⇒ owner-transfer + SELECT-only via #21 (deprecated-readonly); DO_NOT_TOUCH ⇒ excluded by sealed identity;
• no body change — owner-transfer off the non-superuser directus + REVOKE reaches effective-EXECUTE = 0 for every reachable principal (live-proven), so STUB_FAIL_CLOSED is unnecessary and the blocker-E body-restore binding is moot;
• post-state verification = G-NOLEGACY-POST over the live catalog (needs no disposition).

T1 recommends Option β: it is PG-native, approved-design-faithful (the approved design has no disposition concept — it uses ownership/grants/gateway/closure), adds nothing, and removes the very constructs Codex rejected. But β removes a construct the design owner has been formalising across rechecks, so under §4G it is a design-owner confirmation (remove-the-disposition-model decision), not a unilateral T1 simplification. T1 will not enact β without that confirmation.

What T1 did in the blueprint pending the decision

§§H.2/I of blueprint doc 02 are WITHDRAWN/fail-closed: no LEGACY_* #20 row is authored, no disposition is computed, no STUB body is staged. Legacy membership is carried as #11 reverse-closure rows; the legacy post-state is asserted only by G-NOLEGACY-POST over the live catalog; G-LEGACY-TARGET-SEALED and the disposition aspect of G-LEGACY-TARGET-CLOSED-DENOMINATOR are fail-closed until the amendment lands. PKG-B/D author no disposition; PKG-E..H stay BLOCKED.

Self-check

PASS only if the disposition contract is either bound to an existing approved typed surface or routed to the design owner. The approved surfaces cannot host it (proven above), so the honest outcome is DESIGN_AMENDMENT_REQUIRED with two precise options. No drift was added; the rejected constructs were withdrawn.