KB-2454
Hardcode and PG-Native/Driven Self-Review
Revision 1
Tags: fix7, codex-recheck, patch, hardcode, pg-native, self-review (2026-06-08)
10 - Hardcode / PG-Native-Driven Self-Review
Re-running Codex recheck CHECK_H (HARDCODE_NEEDS_FIX) and CHECK_I (PG_NATIVE_DRIVEN_FAIL) against the patched blueprint.
Codex's five residual hardcode/PG-native risks → resolution
- `live-relevant` had no closed derivation. → RESOLVED: the closed PG-native denominator `U_legacy` (doc 03) is the only denominator; both-EXCEPT runs against it; name/owner scans are diagnostic-only; G-LEGACY-TARGET-CLOSED-DENOMINATOR enforces it. No implementer judgment selects the denominator.
- Five disposition values as a new typed column vocabulary without catalog FK. → RESOLVED: disposition is COMPUTED by a sealed deterministic classifier over sealed PG-native facts (#20 `object_type`/`protected_target`/`entrypoint` + #11 reachability + effective-privilege). There is no stored vocabulary and no new catalog family, so there is nothing to FK-bind.
- `expected_legacy_set_sha256` authoritative but called a roll-up. → RESOLVED: eliminated. Set integrity is the existing governed manifest seal (`payload_sha256` + `item_sha256`) + both-EXCEPT. No authoritative hash escapes governance because there is no new hash.
- `operator_authorization_artifact` lacks a PG-native home. → RESOLVED: it is a sealed `evidence_registry` row (non-authority evidence) consumed by a PG-native authority decision (role grant + activation quorum/epoch + live==approved both-EXCEPT). A filesystem/prose artifact is never final authority.
- S15 REVOKE assumed ACL can remove owner execution. → RESOLVED: S15.1 transfers ownership off the (non-superuser) `directus` BEFORE the REVOKE; effective-privilege guards compute over non-owner roles and disposition the superuser. The blueprint now obeys PostgreSQL owner/superuser semantics.
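As an added worked example (not code from the blueprint or the reviewed patch), the S15.1 ordering and the effective-privilege guard written as PostgreSQL SQL. The schema `legacy`, the function `legacy.fn_old(integer)` and `directus` as the pre-transfer owner are assumptions for illustration; `qt001_cp_owner` is the owner role named in the audit table below.

```sql
-- Added example, not the blueprint's own code.
-- Assumed/hypothetical: schema legacy, function legacy.fn_old(integer),
-- role directus as the current (non-superuser) owner.
-- qt001_cp_owner is the target owner role named on the page.

BEGIN;

-- S15.1 first: move ownership off directus. An object's owner implicitly holds
-- its ordinary privileges and can always GRANT them back, so an ACL REVOKE
-- alone cannot remove the owner's ability to execute.
ALTER FUNCTION legacy.fn_old(integer) OWNER TO qt001_cp_owner;

-- S15 second: strip EXECUTE from PUBLIC and from the former owner.
REVOKE EXECUTE ON FUNCTION legacy.fn_old(integer) FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION legacy.fn_old(integer) FROM directus;

COMMIT;

-- Guard "owner isolation": pg_proc.proowner must be qt001_cp_owner.
SELECT p.oid::regprocedure               AS fn,
       pg_get_userbyid(p.proowner)       AS owner,
       pg_get_userbyid(p.proowner) = 'qt001_cp_owner' AS owner_ok
FROM pg_proc p
WHERE p.oid = 'legacy.fn_old(integer)'::regprocedure;

-- Guard "legacy effective EXECUTE removed": has_function_privilege() resolves
-- role membership and PUBLIC grants, so it reports effective, not direct, ACL.
-- Superusers bypass ACL checks entirely (the function returns true for them),
-- so they are classified as their own disposition rather than PASS/FAIL.
-- The owner is excluded from the PASS/FAIL computation for the same reason.
SELECT r.rolname,
       CASE
         WHEN r.rolsuper                                    THEN 'SUPERUSER_BYPASS'
         WHEN r.oid = p.proowner                            THEN 'OWNER'
         WHEN has_function_privilege(r.oid, p.oid, 'EXECUTE') THEN 'FAIL_STILL_EXECUTABLE'
         ELSE 'PASS'
       END AS disposition
FROM pg_roles r
CROSS JOIN pg_proc p
WHERE p.oid = 'legacy.fn_old(integer)'::regprocedure
  AND r.rolname NOT LIKE 'pg#_%' ESCAPE '#'   -- skip built-in pg_* roles
ORDER BY r.rolname;
```

Run the two guard queries after the transaction commits; any `FAIL_STILL_EXECUTABLE` row means a non-owner, non-superuser role still reaches the function through a direct grant, PUBLIC, or inherited membership, and any `SUPERUSER_BYPASS` row is expected and must be handled by the blueprint's separate superuser disposition rather than by REVOKE.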
Final-authority audit (PG-native everywhere)
| operational decision | final authority (PG-native) |
|---|---|
| which legacy objects are in the target set | sealed #20 LEGACY_* rows == U_legacy (catalog/manifest closure), manifest-seal-integrity-bound |
| which neutralization action per object | computed from #20 booleans + #11 + effective-privilege (no stored enum) |
| legacy effective EXECUTE removed | pg_proc/proacl/relacl effective privilege over non-superuser non-owner roles, post owner-transfer |
| owner isolation | pg_class.relowner/pg_proc.proowner == qt001_cp_owner; directus no longer owner |
| no mixed authority | manifest_set.activated_at route fact vs legacy effective-executability |
| body restore | sealed evidence_registry artifact + post-restore live pg_get_functiondef hash match |
| package authorization | PG role grant + manifest_activation quorum/epoch + live==approved hash |
| set integrity | manifest seal (payload_sha256 + item_sha256) + both-EXCEPT vs U_legacy |
No name pattern, owner filter, prose count, free-form enum, or filesystem artifact is the binding authority for any operational set. Name/owner/source-text scans are diagnostic candidates only (G-PGNATIVE; guard-quality rules 3 and 5).
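As an added worked example (not part of the blueprint), the "set integrity" and "body restore" rows of the audit table as PostgreSQL queries. The table shapes `manifest_item(item_kind, object_identity)` for the sealed `LEGACY_*` rows and `evidence_registry(object_identity, body_sha256)` for the sealed restore hash are hypothetical, as is the schema name `legacy`.

```sql
-- Added example, not the blueprint's own code.
-- Hypothetical table shapes:
--   manifest_item(item_kind text, object_identity text)   -- sealed LEGACY_* rows == U_legacy
--   evidence_registry(object_identity text, body_sha256 text)  -- sealed restore artifact hash
-- Schema name legacy is also assumed.

-- Pin search_path so regprocedure's text form is always schema-qualified and
-- therefore comparable with the identity stored in the manifest.
SET search_path = pg_catalog;

-- Both-EXCEPT: sealed minus live AND live minus sealed must both be empty.
-- Any returned row is a FAIL; an empty result is the only PASS.
WITH sealed AS (
  SELECT object_identity
  FROM manifest_item
  WHERE item_kind LIKE 'LEGACY#_%' ESCAPE '#'
),
live AS (
  SELECT p.oid::regprocedure::text AS object_identity
  FROM pg_proc p
  JOIN pg_namespace n ON n.oid = p.pronamespace
  WHERE n.nspname = 'legacy'
)
SELECT 'sealed_not_live' AS drift, object_identity
FROM (SELECT object_identity FROM sealed EXCEPT SELECT object_identity FROM live) AS s
UNION ALL
SELECT 'live_not_sealed' AS drift, object_identity
FROM (SELECT object_identity FROM live EXCEPT SELECT object_identity FROM sealed) AS l;

-- Body restore: hash the live definition the same way the sealed artifact was
-- hashed (hex SHA-256 over the UTF-8 text of pg_get_functiondef) and compare.
-- sha256(bytea) is built in from PostgreSQL 11 onward.
SELECT e.object_identity,
       e.body_sha256 AS sealed_sha256,
       encode(sha256(convert_to(pg_get_functiondef(e.object_identity::regprocedure), 'UTF8')), 'hex')
         AS live_sha256,
       encode(sha256(convert_to(pg_get_functiondef(e.object_identity::regprocedure), 'UTF8')), 'hex')
         = e.body_sha256 AS body_match
FROM evidence_registry e
WHERE e.object_identity = 'legacy.fn_old(integer)';
```

The first query returns rows only when the sealed set and the live catalog disagree in either direction, which is what makes the check a closed-denominator comparison rather than a name-pattern scan; the second reports `body_match = false` whenever the restored body differs byte-for-byte from the sealed artifact, including whitespace or comment drift.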
Self-check
CHECK_H (hardcode): PASS. CHECK_I (PG-native/driven): PASS. All five residual risks are resolved through approved PG schema/data contracts and PostgreSQL-feasible enforcement; no new authority/hash behavior is hidden in blueprint prose.