Hardcode / PG-Native Self-Review
10 - Hardcode / PG-Native Self-Review
This pass is judged against recheck-2 self-review checks 9 (no disguised hardcode) and 10 (PG-native
authority). The recheck-2 verdicts were HARDCODE_FAIL and PG_NATIVE_DRIVEN_FAIL; each remaining
disguised-hardcode item is dispositioned below.
Recheck-2 disguised-hardcode items → disposition
| recheck-2 item | disposition this pass |
|---|---|
U_legacy roots/exclusions depend on unexplained "legacy/QT001/DO_NOT_TOUCH" membership (circular) |
RESOLVED — roots = sealed #20 protected_target TABLE rows + #26 protected_target_set_sha256 (independent approved authority); closure = sealed #24 analyzer into #11; DO_NOT_TOUCH by sealed identity (doc 03) |
object_type='LEGACY_*' is free-text policy vocabulary in an open column |
REMOVED — LEGACY_* #20 rows are WITHDRAWN; legacy membership lives in #11 reverse-closure (structurally correct, no vocab). The home for legacy-routine-as-authority-object is the blocker-C amendment (doc 04) |
| computed-disposition classifier has no sealed truth table / rule rows / negative tests | REMOVED + ROUTED — the COMPUTED classifier is WITHDRAWN; the disposition contract is DESIGN_AMENDMENT_REQUIRED (doc 04 Option α sealed rule rows / Option β no enum at all) |
| authorization package scope/hash remains unparsed external artifact content | RESOLVED — operator authorization bound to typed PG rows (#07/#20/#21/#16/#19/#08 + CP-09 + manifest_activation payload/epoch); artifact demoted to supporting evidence (doc 05) |
Recheck-2 PG-native-violation items → disposition
| recheck-2 item | disposition |
|---|---|
| no typed PG authority input for package-specific operator authorization | RESOLVED (doc 05) |
no exact evidence_id binding for rollback source |
RESOLVED for the load-bearing sources — manifest rollback = prior immutable sealed version; legacy owner/ACL = S14 snapshot via manifest_activation.rollback_evidence_id; STUB body rides on C (doc 06) |
| owner-role/superuser reachability not a PG guard contract | RESOLVED — G-OWNER-UNREACHABLE (A, doc 02) + G-SUPERUSER-BREAKGLASS (F, doc 07) |
active/history rollback still permits clearing activated_at |
RESOLVED — forward-only; G-NOMIXED-AUTHORITY reads derived current-active (G, doc 08) |
The key principle this pass follows
Codex's instruction: "do not solve schema constraints by moving authority into prose or classifier code. Either bind behavior to existing approved typed manifests/rules, or explicitly route the necessary semantic contracts as a design-owner correction." This pass does exactly that:
- For A/B/D/E/F/G/H it binds to existing approved typed PG surfaces (catalog ownership/ACL,
pg_auth_members, #07/#20/#21/#16/#19/#08, CP-09 registries,manifest_activation, the forward-onlymanifest_setlifecycle,pg_trigger/pg_event_trigger) — final authority is PG-native. - For C it routes the semantic contract to the design owner rather than re-encoding it as prose/classifier/open-text — exactly the path Codex named.
The patch does not ADD any disguised hardcode; it removes the rejected constructs (LEGACY_* #20
rows, the computed classifier, the evidence-as-authority framing, the activated_at clear) and either
re-expresses them via approved PG-native surfaces or routes them to the design owner.
Verdict
- Disguised hardcode (check 9): no T1-introduced hardcode remains. The rejected constructs are withdrawn; the residual is a missing DESIGN surface (C), captured as the amendment — not a hidden literal/classifier.
- PG-native (check 10): the patched blockers (A/B/D/E/F/G/H) are PG-native/manifest-bound. The only non-resolved item is the legacy-disposition design gap, which is honestly a missing typed surface, not a T1 PG-native violation.
This is why the final status is REQUIRES_DESIGN_AMENDMENT and not FAIL_HARDCODE_OR_PG_NATIVE_GAP:
the gap that remains is a design-owner surface decision, and T1's own work introduced no hardcode and
no PG-native authority via prose/code.