02 - U_legacy_object Object-Only Fix

What Codex required

U_legacy_object must be a PG object set only — members addressable as regclass/regprocedure — and the only set subject to the Option-Beta uniform end-state (owner isolated; body unchanged where applicable; effective privileges == sealed #21). The uniform-end-state both-EXCEPT must apply only to PG objects.

What T1 patched (blueprint doc 02 §H, doc 06)

• §H intro (doc 02): introduced the three-set model with a typed table and the rule U_legacy ≡ U_legacy_object unless explicitly stated otherwise; no set is a member of another; mixed-type membership FAILS CLOSED.
• §H.2 (doc 02): U_legacy_object = closure(#11, roots = #20 protected_target rows hash-sealed by #26 protected_target_set_sha256). Every member is a PG object identity (regclass / regprocedure); relkind/prokind is a syntax discriminator only. A principal or an entry vector is never a member. The exact-set proof is object-shape only (§H.4.A).
• §H.4.A (doc 02): the object denominator is the reverse write-effect object closure from the sealed #20 roots via #11/#22 + sealed analyzer edges — regclass/regprocedure on both sides; proof U_legacy_object − object_denominator = ∅ AND object_denominator − U_legacy_object = ∅, 0 unknown; unresolved edges fail closed; protected-boundary collision is a typed object-identity intersection that FAILS CLOSED (never auto-excluded, never subtracted).
• §H.5 (doc 02): establishment order separated — object membership is the #11/#22 object closure ONLY; effective-privilege and entry-vector facts are NOT membership criteria (they are evaluated downstream over the already-fixed object set).
• Guard G-U-LEGACY-OBJECT-ONLY (doc 06): every U_legacy_object member resolves to a live PG object identity; no member is a role/principal and no member is an entry-vector; the both-EXCEPT object comparison is object-shape on both sides; non-vacuity asserted; fails closed on any mixed-type member.
• G-LEGACY-TARGET-CLOSED-DENOMINATOR re-scoped (doc 06): now compares U_legacy_object against the object-shape denominator only, with no principal or entry-vector union into the comparison and no DO_NOT_TOUCH subtraction; fails closed if a principal/vector is unioned into the object comparison (the recheck-3 type error).
• Guard-quality rule 7 (doc 06): no guard may both-EXCEPT-compare across unlike identity types.

Self-check

PASS. U_legacy_object contains PG objects only; the uniform-end-state both-EXCEPT runs only over PG objects; principals/entry-vectors cannot be members; G-U-LEGACY-OBJECT-ONLY + G-LEGACY-TARGET-CLOSED-DENOMINATOR fail closed on a mixed-type member.