00 - Readme First

Date: 2026-06-08 Author: T1 (production Agent for Agent Data) Macro: PROGRAM_PATCH_T1_FIX7_BLUEPRINT_AFTER_CODEX_LEGACY_DISPOSITION_OPTION_BETA_AMENDMENT Mode: READ-ONLY production; blueprint KB-doc direct-revision; NO production mutation.

Final status

FIX7_REFACTOR_BLUEPRINT_T1_PATCHED_FOR_OPTION_BETA_READY_FOR_CODEX_RECHECK_3

What this pass is

Codex (the design owner) approved Option Beta for the long-standing blocker-C legacy-disposition amendment (codex-fix7-legacy-disposition-design-amendment-2026-06-08/, status FIX7_LEGACY_DISPOSITION_DESIGN_AMENDMENT_APPROVED_OPTION_BETA). Option Beta replaces the legacy-disposition concept — it does not re-home it. T1 has patched the FIX7 refactor execution blueprint to that ruling.

The decisive ruling: there is one uniform required end-state for every member of U_legacy — owner-isolated to the approved NOLOGIN, non-superuser, unreachable qt001_cp_owner; body/definition unchanged; actual effective privileges exactly equal the closed-world sealed privilege_set_manifest #21 desired-privilege rows; and unsupported classes / protected-boundary collisions fail closed. relkind/prokind select only PostgreSQL syntax, never policy.

What was removed from load-bearing design

• the five-value disposition enum (REVOKE_ONLY / STUB_FAIL_CLOSED / FREEZE_NO_CHANGE / DEPRECATE_READONLY / DO_NOT_TOUCH as a disposition);
• LEGACY_* authority_scope_manifest #20 object_type semantics;
• computed disposition / classifier / truth table / CASE branch;
• external-artifact policy;
• STUB_FAIL_CLOSED / legacy body mutation / body-restore source;
• DO_NOT_TOUCH subtraction from U_legacy;
• policy branching by relkind, prokind, object name, owner, pattern, or descriptive label.

What remains (approved primitives carrying authority)

PG ownership isolation; sealed #20 protected_target roots; exact #11 analyzer closure; the closed-world sealed #21 privilege set; the #26 protected-gateway identity; the #27 writer-repoint bindings; control_epoch; the manifest lifecycle/activation contracts; and evidence_registry for evidence only.

The seven amendment blockers — all patched

#	amendment blocker	verdict
1	remove legacy-disposition model completely	DONE (doc 02)
2	redefine U_legacy under Option Beta	DONE (doc 03)
3	remove STUB / body-mutation path	DONE (doc 04)
4	owner isolation + #21 privilege contract as the authority path	DONE (doc 05)
5	remove DO_NOT_TOUCH as authority exclusion	DONE (doc 06)
6	hardcode / PG-native self-review	PASS (doc 07)
7	cross-layer boundaries unchanged	CONFIRMED (doc 08)

Two verification guards were added (G-U-LEGACY-OPTION-BETA-UNIFORM-ENDSTATE, G-LEGACY-NO-DISPOSITION-AUTHORITY); test/verification guards go 40 → 42. Invariants 27/11/14/7 are preserved (0 new authority surface, #20 column, catalog family, readiness gate, or top-level hash contract).

Boundaries (unchanged)

Implementation, Stage 2.6B, qt001_backfill_permit, REAL_RUN, QT001 apply, manifest activation, repoint, and owner/ACL cutover all remain BLOCKED. This pass writes only the blueprint-doc revisions, this report (00..10), and the checkpoints. No production object was created, altered, owned, granted, revoked, or executed. Next is Codex recheck 3 only — not implementation.

Report map

• 01 — Option-Beta amendment matrix (blocker → patch → docs).
• 02 — disposition-model removal (exact removed terms/branches; former-label mapping; negative tests).
• 03 — U_legacy redefinition + the uniform end-state.
• 04 — STUB / body-mutation path removal + forward-only rollback.
• 05 — owner isolation + closed-world #21 contract as the authority path.
• 06 — DO_NOT_TOUCH authority-exclusion removal.
• 07 — hardcode / PG-native self-review.
• 08 — cross-layer boundary self-review.
• 09 — direct blueprint revisions applied (doc-by-doc diff matrix).
• 10 — final verdict.