T1 FIX7 Blueprint Patch After Codex Recheck 3 (Set Separation) - Readme First
00 - Readme First
Date: 2026-06-09
Author: T1 (production Agent for Agent Data)
Macro: PROGRAM_PATCH_T1_FIX7_BLUEPRINT_AFTER_CODEX_RECHECK_3_SET_SEPARATION_AND_SUPERSEDED_HISTORY
Mode: READ-ONLY production. Blueprint KB-doc direct-revision. NO production mutation.
Final status
FIX7_REFACTOR_BLUEPRINT_T1_PATCHED_AFTER_CODEX_RECHECK_3_READY_FOR_CODEX_RECHECK_4
What this is
A narrow blueprint repair after Codex recheck 3
(codex-fix7-blueprint-recheck-3-after-option-beta-patch-2026-06-08/, status
FIX7_REFACTOR_BLUEPRINT_CODEX_RECHECK_3_NEEDS_T1_FIX). Codex accepted the Option-Beta work
(STUB/body path removed; DO_NOT_TOUCH no longer an authority exclusion; 27/11/14/7 invariants
preserved; boundaries blocked) and raised exactly two remaining blocker classes. T1 patched both
in-blueprint; no design amendment required; Option Beta is not reopened or redesigned.
The two blockers and the fix
- Set separation. U_legacy was typed as a PG-object set, but its closed denominator unioned PG objects with effective-privilege principals and DOT/scheduler entry-vectors and then asserted object both-EXCEPT over the union — a type error (a principal/vector cannot own, have a body, or carry object state). Fix: split into three distinct typed universes:
  - U_legacy_object — PG objects only (regclass/regprocedure); the only set subject to the uniform end-state (owner isolated, body unchanged, effective privileges == sealed #21).
  - U_effective_privilege_principal — roles only; the privilege-evaluation universe, joined to objects as U_legacy_object × U_effective_privilege_principal and reconciled to #21.
  - U_entry_vector — trigger/event-trigger/scheduler/DOT/external; a fail-closed bypass-coverage relation mapped to objects, never object membership.

  U_legacy ≡ U_legacy_object everywhere unless explicitly stated. Guards G-U-LEGACY-OBJECT-ONLY, G-PRINCIPAL-SET-SEPARATE, G-ENTRY-VECTOR-SEPARATE.
- Superseded-history boundary. G-LEGACY-NO-DISPOSITION-AUTHORITY scanned the whole blueprint while historical sections still contained old disposition/STUB instructions, so it could not tell current authority from audit trail. Fix: a machine-readable ACTIVE_AUTHORITY vs SUPERSEDED_NON_AUTHORITY boundary — a doc 00 registry + a per-doc DOC_STATUS: marker + SUPERSEDED_NON_AUTHORITY BEGIN/END fences around retained history; the boundary lives in the blueprint KB document structure (not Directus-editable). The no-disposition guard is re-scoped to ACTIVE_AUTHORITY (reports fenced history, never fails on it). Guards G-ACTIVE-AUTHORITY-SCOPE, G-NO-SUPERSEDED-CONSUMPTION.
Guards 42 → 47 (+5) + guard-quality rules 7 (set-type separation) and 8 (active-authority scope). Invariants 27/11/14/7 preserved (the boundary is document metadata, not a DB authority surface). All hard blocks intact.
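A sketch of the re-scoped no-disposition scan from the superseded-history fix, added here as an example; it is not T1's or Codex's guard code. The exact marker line syntax, the `FORBIDDEN` pattern, the names `scan_doc` and `guard_passes`, and the choice to fail on an unbalanced fence or a missing DOC_STATUS marker are all assumptions.

```python
import re

# Assumed line syntax; the page names these markers but not their exact format.
BEGIN = "SUPERSEDED_NON_AUTHORITY BEGIN"
END = "SUPERSEDED_NON_AUTHORITY END"
STATUS_RE = re.compile(r"DOC_STATUS:\s*(ACTIVE_AUTHORITY|SUPERSEDED_NON_AUTHORITY)$")
# Hypothetical stand-in for "old disposition/STUB instructions".
FORBIDDEN = re.compile(r"\b(?:apply|assign|set)\s+(?:disposition|STUB)\b", re.I)
# Constructed sample document, not taken from the blueprint.
SAMPLE = """DOC_STATUS: ACTIVE_AUTHORITY
Uniform end-state: owner isolated, body unchanged.
SUPERSEDED_NON_AUTHORITY BEGIN
Old step: apply STUB to each legacy function body.
SUPERSEDED_NON_AUTHORITY END
"""


def scan_doc(text):
    """Return (violations, reported, errors) for one blueprint document."""
    violations, reported, errors = [], [], []
    status, fenced, fence_start = None, False, 0
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        m = STATUS_RE.match(s)
        if m:
            status = m.group(1)
        elif s == BEGIN:
            if fenced:
                errors.append(f"line {no}: nested BEGIN")
            fenced, fence_start = True, no
        elif s == END:
            if not fenced:
                errors.append(f"line {no}: END without BEGIN")
            fenced = False
        elif FORBIDDEN.search(s):
            # Unknown status counts as active, so a missing marker cannot hide a hit.
            superseded = fenced or status == "SUPERSEDED_NON_AUTHORITY"
            (reported if superseded else violations).append((no, s))
    if status is None:
        errors.append("missing DOC_STATUS marker")
    if fenced:
        errors.append(f"line {fence_start}: BEGIN never closed")
    return violations, reported, errors


def guard_passes(text):
    """Fail on active-authority hits or structural errors; fenced hits only report."""
    violations, _, errors = scan_doc(text)
    return not violations and not errors
```

Treating a broken fence as a failure keeps an unclosed BEGIN from silently reclassifying the rest of a document as history.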
Document map
| Doc | Content |
|---|---|
| 00 | This readme |
| 01 | Codex recheck-3 failure matrix (what Codex accepted / what needed fixing) |
| 02 | U_legacy_object object-only fix |
| 03 | Principal-set separation fix |
| 04 | Entry-vector-set separation fix |
| 05 | Uniform end-state proof scope (object/principal/vector) |
| 06 | ACTIVE_AUTHORITY vs SUPERSEDED_NON_AUTHORITY boundary |
| 07 | No-disposition guard scope fix |
| 08 | Hardcode / PG-native self-review |
| 09 | Cross-layer boundary self-review |
| 10 | Direct blueprint revisions applied |
| 11 | Final verdict + Codex-style self-check |
Boundaries (unchanged)
This is NOT implementation, Stage 2.6B, a permit, REAL_RUN, QT001 apply, manifest activation, repoint, or owner/ACL cutover. All remain BLOCKED. Production was READ-ONLY throughout; no object was created, altered, owned, granted, revoked, or executed. The only writes were the blueprint-doc revisions, this report, and the checkpoints. Next is Codex recheck 4 only.