Incomex AI Portal
KB-FA4E

T1 FIX7 Option Beta - Disposition Model Removal

5 min read Revision 1
fix7t1option-betadisposition-removal2026-06-08

02 - BLOCKER 1: Disposition-Model Removal

What was removed (exact constructs + where)

removed construct where it lived (pre-patch) post-patch state
5-value disposition enum REVOKE_ONLY/STUB_FAIL_CLOSED/FREEZE_NO_CHANGE/DEPRECATE_READONLY/DO_NOT_TOUCH doc 02 §I table; doc 03 patch note; doc 04 S00/S09/S15/S17 + writer-gateway tables; doc 05 S15/note 5; doc 06 G-NOLEGACY-*/G-LEGACY-TARGET-SEALED; doc 07 PKG-B/D/F/H; doc 08 §A QT001-apply row deleted from all load-bearing positions; survives only as a non-authority English mapping table (doc 02 §H.5)
LEGACY_* object_type rows in #20 (LEGACY_FUNCTION/PROCEDURE/TABLE/VIEW) doc 02 §H.2 "sealed authority surface" table; doc 04 S09; doc 06 G-LEGACY-TARGET-SEALED deleted; #20 carries only its approved TABLE/CONSTRAINT/INDEX/runtime-evidence rows incl. the protected_target roots
computed disposition / classifier / truth table / CASE branch doc 02 §I "COMPUTED by a deterministic classifier" + the LEGACY_TABLE→FREEZE… rule; doc 04 S00/S09 "COMPUTED disposition (§I)" deleted; there is no classification step — every member receives the one uniform end-state
external-artifact policy (recheck-1/2 framing of operator_authorization_artifact/STUB body as authority) none remains; evidence_registry is evidence only (doc 05)
STUB_FAIL_CLOSED / legacy body mutation / body-restore source doc 02 §I row + "rollback symmetry rule"; doc 04 S13/S15.2 stub replacement + writer-gateway #27 STUB body binding; doc 05 S15/note 5 Option α/β body restore deleted; no body change for any member (doc 04)
DO_NOT_TOUCH subtraction from U_legacy doc 02 §H.4 − DO_NOT_TOUCH; doc 04 dependency note; doc 06 G-LEGACY-TARGET-CLOSED-DENOMINATOR − sealed DO_NOT_TOUCH deleted; U_legacy has no subtraction; collisions fail closed (doc 06)
policy branching by relkind/prokind/name/owner/pattern/label doc 02 §I "structural class … routine⇒…/table⇒…/view⇒…"; doc 04 writer-gateway per-class owner table deleted; relkind/prokind select PG syntax only; one outcome for all classes

Former-label mapping (non-authority, descriptive only)

The five former labels are retained ONLY as non-load-bearing English in explanatory text/logs (doc 02 §H.5). They are never manifest authority, rule inputs/outputs, guard decisions, package branches, hash members, or SQL predicates. G-LEGACY-NO-DISPOSITION-AUTHORITY (doc 06) FAILS if any of them re-appears as load-bearing.

Former label Non-authoritative meaning under Beta
REVOKE_ONLY body unchanged; sealed #21 excludes executable/mutating rights
STUB_FAIL_CLOSED removed and prohibited; fail-closed comes from unreachability (owner-isolated + no #21 EXECUTE), not a body stub
FREEZE_NO_CHANGE body unchanged; owner isolated; sealed #21 excludes DML/EXECUTE
DEPRECATE_READONLY any retained read access is exactly the sealed #21 SELECT/USAGE rows
DO_NOT_TOUCH boundary description only; collision with a protected boundary fails closed

The new guard

G-LEGACY-NO-DISPOSITION-AUTHORITY (doc 06): inputs = the whole blueprint + sealed manifests + guard/package/order/rollback definitions; PASS iff NO disposition enum, LEGACY_* row, disposition/root_kind column, legacy_disposition catalog family, computed-disposition classifier/CASE branch, STUB/body-mutation/restore path, DO_NOT_TOUCH subtraction, or relkind/prokind/name/owner/pattern/label policy branch exists; relkind/prokind appear only for PG syntax. Plus guard-quality rule 6 binds every guard/package/step/rollback/seal to the same prohibition.

Negative-test matrix (doc 06 §"Option-Beta negative tests")

Each must produce a real rejection / fail-closed, proving labels/class/type/name/pattern cannot change the desired result:

  1. change a member's relkind/prokind → uniform end-state unchanged; only emitted syntax differs.
  2. inject a former label as a manifest field / rule input / guard input / package branch → REJECTED.
  3. add a LEGACY_* object_type row / a disposition column / a legacy_disposition catalog family → REJECTED (catalog families sealed exact set; #20 §2.7 scope; no new column).
  4. introduce a STUB body replacement / body-restore path → REJECTED (no body change permitted).
  5. compute U_legacy with a DO_NOT_TOUCH subtraction / manual exclusion → REJECTED.
  6. closure reaches a protected-boundary object or unsupported class → FAILS CLOSED (separate owner decision; never auto-excluded, never routed later).
  7. leave #21 incomplete and treat a privilege absence as authority → REJECTED by the closed-world both-EXCEPT check.

Self-check

PASS. Every disposition construct named by the amendment is removed from load-bearing design; the only survivors are non-authority English labels gated by G-LEGACY-NO-DISPOSITION-AUTHORITY. No new authority vocabulary was introduced.

Back to Knowledge Hub knowledge/dev/reports/architecture/t1-fix7-blueprint-patch-after-legacy-disposition-option-beta-2026-06-08/02-disposition-model-removal.md