Incomex AI Portal
KB-3C47

Entry-Vector-Set Separation Fix

3 min read Revision 1
fix7t1recheck-3entry-vector-separation2026-06-09

04 - Entry-Vector-Set Separation Fix

What Codex required

U_entry_vector is a DOT/scheduler/external entry-vector set only, used to evaluate bypass risk. It must not be a member of U_legacy_object, must not be subject to owner/body/#21 object proof, and must be covered by bypass guards / DOT no-overwrite / scheduler-disabled / operator-gated checks. Bypass checks join U_entry_vector to target-object reachability, not membership.

What T1 patched (blueprint doc 02 §H.4.C, doc 08, doc 06)

  • §H.4.C (doc 02): U_entry_vector = every entry vector over pg_trigger, pg_event_trigger, the scheduler registry, the frozen DOTs, and any external entrypoint that could reach a write of protected state. Coverage relation: every vector must either (a) target a U_legacy_object member (so neutralizing that object — owner-isolation + #21 — neutralizes the vector) or (b) be independently blocked (frozen DOT via G-DOT-FROZEN; disabled/unauthorized scheduler; operator-gated entrypoint). An uncovered vector FAILS CLOSED. A vector is never a member of U_legacy_object and is never subjected to owner/body/#21 object proof.
  • Live evidence (read-only, 2026-06-08): 0 trigger/event-trigger bypass vector over the qt001 set; DOT-118/119 frozen; no scheduler entry enabled. The relation remains so a future trigger/scheduler/DOT cannot silently add a writer.
  • doc 08 (hard blocks): the birth gateway, DOT-118/119, and the scheduler are explicitly framed as entry-vector / boundary concerns belonging to U_entry_vector and the hard-block list — never members of U_legacy_object; a closure that reaches a boundary object fails closed.
  • Guard G-ENTRY-VECTOR-SEPARATE (doc 06): enforces both the non-membership (no vector in the object set; none subjected to object proof) and the fail-closed coverage (uncovered vector blocks).

Relationship to the accepted DO_NOT_TOUCH removal

Codex accepted that DO_NOT_TOUCH no longer subtracts from the legacy set. The non-PG DOT/scheduler records that used to be discussed alongside DO_NOT_TOUCH are now correctly homed in U_entry_vector (bypass coverage) and the hard-block boundary list — not the PG-object set. A PG object that collides with a protected boundary still fails closed via §H.4.A (object identity intersection).

Self-check

PASS. DOT/scheduler/external vectors live only in U_entry_vector; bypass is a fail-closed coverage relation to objects; no vector is an object member or subject to object proof.

Back to Knowledge Hub knowledge/dev/reports/architecture/t1-fix7-blueprint-patch-after-codex-recheck-3-set-separation-2026-06-08/04-entry-vector-set-separation-fix.md