08 - BLOCKER G: Forward-Only Activation History (in-blueprint)

Codex recheck-2 finding (doc 04)

The blueprint repeatedly said rollback clears activated_at, while the governing invariant is that active/history objects are immutable and post-activation rollback creates and activates a prior-payload candidate with a new epoch/quorum/evidence. Required fix: remove every clear/edit-active path; rollback/supersede must be append-only (a new state row); current active must be derived by the latest valid state, not by deleting history; G-NOMIXED-AUTHORITY must test the authoritative route/activation record, not a mutable cleared timestamp.

The fix — align the blueprint to the approved forward-only model

The approved design already mandates forward-only (CP-01 §2.1: "Sealed/active/superseded rows ... are immutable; DELETE/TRUNCATE denied. Rollback creates and activates a new version." §2.4: "Rollback is a new candidate with prior payload, new version/epoch/quorum/evidence; no old row is edited or deleted."). The blueprint violated it by saying "clear/supersede activated_at." The patch aligns the blueprint to the approved model:

1. Rollback supersedes FORWARD. A rollback is a NEW manifest_activation of a prior-payload candidate manifest (new activation_id / control_epoch / quorum / evidence) plus setting the predecessor's superseded_by_manifest_id. No activated_at is ever cleared or edited; no activation/history row is deleted.
2. Current active is derived, not mutated. The authoritative current-active row is computed by the approved partial unique index manifest_set_one_active_type: activated_at IS NOT NULL AND superseded_by_manifest_id IS NULL. After a forward supersession this yields no active manifest for the writer type — without touching the predecessor's activated_at.
3. G-NOMIXED-AUTHORITY reads the derived current-active route, never a cleared timestamp. A STAGED manifest (activated_at NULL) beside executable legacy is not mixed; an ACTIVE manifest beside executable legacy is forbidden and cannot occur (activation S15.4 follows neutralization S15.1–S15.3 atomically). During rollback the new path is proven non-authoritative by the derived fact before any legacy EXECUTE/owner is restored.
4. Rollback verification checks "no active route", not "erased history". Readiness-BLOCKED and gateway-cannot-route are proven against the derived current-active, leaving the full activation history intact and auditable.

Where patched

• Blueprint doc 04: S15.4 rollback note + the "Activation order / no mixed authority" dependency note rewritten to forward-only.
• Blueprint doc 05: the S15 rollback table row, note-5 step 1, and the header principle made explicitly forward-only (the header was already forward-only; the S15 specifics were not).
• Blueprint doc 06: G-NOMIXED-AUTHORITY corrected to read the derived current-active fact.
• Blueprint doc 07: PKG-F rollback corrected to forward supersession.

Interaction with blocker E

Forward-only rollback also resolves the manifest-object half of blocker E: the rollback "source" is the prior immutable sealed manifest version (never a loose hash-identified artifact), which is inherently uniquely identified by its manifest_id and carries its own sealed payload + evidence (doc 06).

PG-native, no new surface

Uses the approved manifest_set (activated_at, superseded_by_manifest_id, partial unique index) + manifest_activation lifecycle exactly as designed. No new surface/column.

Self-check

PASS only if no rollback path clears/edits activated_at, history is append-only, and the guard reads the derived current-active. PASS — rollback is forward supersession; activated_at is immutable; G-NOMIXED-AUTHORITY keys on activated_at IS NOT NULL AND superseded_by_manifest_id IS NULL.