Hardcode / PG-Native Self-Review
08 - Hardcode / PG-Native Self-Review
Codex recheck-3 verdicts HARDCODE_NEEDS_FIX / PG_NATIVE_DRIVEN_NEEDS_FIX were contract-precision
defects (the mixed-type denominator could not be one exact PG-native set; the no-disposition guard
lacked a precise normative-vs-historical input boundary), not the return of name/pattern/classifier/STUB
authority. The recheck-3 patch adds no fixed list, new surface, hash contract, catalog family, or
readiness gate; it uses existing typed object closure, role/catalog facts, bypass-vector
manifests/guards, and explicit superseded-non-authority document boundaries — exactly as Codex
required.
| # | check | verdict | basis |
|---|---|---|---|
| 1 | object membership is PG-native, not a name/owner scan | PASS | U_legacy_object = closure(#11/#22, roots = sealed #20 protected_target); name/owner = diagnostic only (doc 02 §H.1/§H.2) |
| 2 | object both-EXCEPT is one exact PG-native set | PASS | object-shape denominator only (§H.4.A); G-LEGACY-TARGET-CLOSED-DENOMINATOR |
| 3 | principal universe is catalog-derived, not a literal list | PASS | PUBLIC + pg_auth_members-expanded roles (§H.4.B); G-PRINCIPAL-SET-SEPARATE |
| 4 | privilege authority is the sealed #21 tuple set, not a CASE/literal | PASS | object × principal both-EXCEPT to #21 (§H.4.B) |
| 5 | entry-vector coverage is catalog-derived (pg_trigger/pg_event_trigger/scheduler/DOT) |
PASS | §H.4.C; G-ENTRY-VECTOR-SEPARATE; live 0 trigger vector |
| 6 | relkind/prokind select syntax only, never policy |
PASS | doc 02 §H.2/§H.3; guard-quality rule 6 |
| 7 | no disposition enum / LEGACY_* row / STUB-body / DO_NOT_TOUCH subtraction re-introduced |
PASS | G-LEGACY-NO-DISPOSITION-AUTHORITY (ACTIVE_AUTHORITY scope) |
| 8 | the active/superseded boundary is not a disguised authority surface | PASS | document metadata only; not a Directus collection / #20 row / runtime table (doc 00; G-ACTIVE-AUTHORITY-SCOPE) — adds 0 to 27/11/14/7 |
| 9 | no manual-history scan acts as authority | PASS | superseded text is audit trail; G-NO-SUPERSEDED-CONSUMPTION forbids consumption; no package derives authority from it |
| 10 | no new fixed list / hash / family / gate added | PASS | the 5 new guards are TEST/VERIFICATION (not readiness gates); the boundary is doc metadata |
| 11 | unresolved/uncovered/mixed-type/collision all fail closed | PASS | §H.4.A/B/C + guard-quality rules 7+8 |
Verdict
ZERO_HARDCODE_PASS / PG_NATIVE_DRIVEN_PASS. Authority remains PG ownership + sealed #20 roots + #11
closure + closed-world sealed #21 + #26/#27 + manifest activation; the recheck-3 patch only refines
the typing of the comparisons and fences history — it introduces no name/pattern/owner/manual-history
authority.