KB-7530

T1 FIX7 Option Beta - U_legacy + Uniform End-State

Revision 1

03 - BLOCKER 2: U_legacy Redefinition + the Uniform End-State

U_legacy under Option Beta (single sealed set, no subtraction)

U_legacy = closure( dependency_manifest #11 ,
                    roots = authority_scope_manifest #20 rows with protected_target = true,
                            bound to the candidate manifest and hash-sealed by
                            gateway_manifest #26 protected_target_set_sha256 )
  • roots = the sealed #20 protected_target TABLE rows (already first-class in the approved design, §2.7-sanctioned), hash-sealed by #26 protected_target_set_sha256 before use. The roots are an independent approved authority: they are defined neither by the closure they seed nor by a name scan.
  • closure = the sealed analyzer (analyzer_contract_manifest #24 + analyzer_run evidence) walks the reverse edges of dependency_manifest #11 plus the resolved dynamic_sql_target_manifest #22 rows outward from the roots. Dynamic, unsupported or unresolved edges fail closed (the run is marked UNRESOLVED and blocks the seal).
  • no DO_NOT_TOUCH subtraction (the − DO_NOT_TOUCH term is removed) and no class-based exclusion. U_legacy is the exact closure.
  • boundary collisions fail closed. If the closure ever reaches a protected-boundary object (the #26 gateway identity, the birth gateway, a frozen DOT, or any object that cannot receive the uniform end-state), the package FAILS CLOSED and requires a separate owner decision: never a silent exclusion, never routed later.

Both-EXCEPT exact-set proof (the closed PG-native denominator, doc 02 §H.4)

U_legacy is both-EXCEPT compared against the closed denominator = (reverse write-effect closure from the #20 roots via #11/#22 + sealed analyzer edges) ∪ (routines whose effective EXECUTE is held by PUBLIC, directus, or any non-qt001_cp role, derived from proacl + pg_auth_members) ∪ (trigger/event-trigger/scheduler/DOT entry-vector writers), with no subtraction:

  • sealed U_legacy − denominator = ∅ AND denominator − sealed U_legacy = ∅;
  • count(UNKNOWN_REQUIRES_REVIEW) = 0;
  • the denominator is derived ONLY from catalog/manifest facts; name/owner scans may widen candidate discovery but never define or close it;
  • non-vacuity: each closure proves its roots are present and the traversal is non-empty.

Guards: G-LEGACY-TARGET-SEALED (the operational set IS the sealed U_legacy; manifest seal + fresh analyzer evidence; no LEGACY_*/disposition/expected_legacy_set_sha256) and G-LEGACY-TARGET-CLOSED-DENOMINATOR (both-EXCEPT, no subtraction, collisions fail closed). Both are fully operational under Option Beta (no longer fail-closed pending an amendment).
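The closure construction and the both-EXCEPT proof above, as an added worked example in Python (not the blueprint's own code or tooling). It assumes manifest rows can be represented as plain tuples: #20 as (object, protected_target), #11 as (dependent, dependency), #22 as (routine, resolved target or None when unresolved), and the #26 seal as sha256 over the newline-joined sorted root names; it also assumes the roots themselves count as closure members and that qt001_cp_owner is the only trusted grantee. All object and role names (public.orders, gateway.qt001_gw, app_user, directus) are constructed for the example. The sealed set is taken from the manifest and compared against a freshly derived denominator, so both EXCEPT directions are meaningful: a stale seal and an undiscovered exposed routine each fail closed.

```python
"""Sealed U_legacy closure and both-EXCEPT proof (Option Beta: no subtraction,
no class exclusion, collisions fail closed). Added example, not the blueprint's
own code; manifest rows (#11, #20, #22, #26) and catalog facts are constructed
inline and their shapes are assumptions."""
import hashlib


class FailClosed(Exception):
    """The package stops here; nothing is silently excluded or routed later."""


def roots_from_20(scope_rows, sealed_sha256):
    """#20 rows with protected_target = true, checked against #26 protected_target_set_sha256."""
    roots = sorted(obj for obj, protected in scope_rows if protected)
    if hashlib.sha256("\n".join(roots).encode()).hexdigest() != sealed_sha256:
        raise FailClosed("#20 protected_target rows do not match the #26 seal")
    if not roots:
        raise FailClosed("non-vacuity: #20 yields no protected_target roots")
    return frozenset(roots)


def closure(roots, dep_rows, dynamic_rows, boundary):
    """Exact reverse closure from the roots over #11 (dependent, dependency) rows and
    resolved #22 (routine, target) rows; roots count as members (assumed)."""
    unresolved = sorted(r for r, t in dynamic_rows if t is None)
    if unresolved:
        raise FailClosed(f"analyzer run UNRESOLVED for {unresolved}; seal blocked")
    rev = {}  # dependency -> objects that reference (write through / depend on) it
    for dependent, dependency in (*dep_rows, *dynamic_rows):
        rev.setdefault(dependency, set()).add(dependent)
    members, frontier = set(roots), list(roots)
    while frontier:
        for dependent in rev.get(frontier.pop(), ()):
            if dependent in boundary:
                raise FailClosed(f"closure reached protected-boundary object {dependent}")
            if dependent not in members:
                members.add(dependent)
                frontier.append(dependent)
    if members == roots:
        raise FailClosed("non-vacuity: traversal from the roots is empty")
    return frozenset(members)


def holders(grantee, membership):
    """Roles that effectively hold a grant made to grantee, via pg_auth_members (member, role) rows."""
    held, frontier = {grantee}, [grantee]
    while frontier:
        role = frontier.pop()
        for member, parent in membership:
            if parent == role and member not in held:
                held.add(member)
                frontier.append(member)
    return held


def exposed_execute(proacl_rows, membership, trusted):
    """Routines whose EXECUTE is effectively held by PUBLIC or by any role outside the trusted set."""
    return {routine for routine, grantee in proacl_rows
            if grantee == "PUBLIC" or holders(grantee, membership) - trusted}


def prove(sealed, scope_rows, sealed_sha256, dep_rows, dynamic_rows, boundary,
          proacl_rows, membership, entry_vector_writers, trusted):
    """G-LEGACY-TARGET-CLOSED-DENOMINATOR: the manifest's sealed set must equal the
    freshly derived denominator in both EXCEPT directions."""
    fresh = closure(roots_from_20(scope_rows, sealed_sha256), dep_rows, dynamic_rows, boundary)
    denominator = fresh | exposed_execute(proacl_rows, membership, trusted) | set(entry_vector_writers)
    missing, extra = sealed - denominator, denominator - sealed
    if missing or extra:
        raise FailClosed(f"both-EXCEPT failed: sealed-denominator={sorted(missing)} "
                         f"denominator-sealed={sorted(extra)}")
    return denominator


# Constructed manifest and catalog facts (not taken from the page).
SCOPE_20 = (("public.orders", True), ("public.audit_log", True), ("public.lookup", False))
SEAL_26 = hashlib.sha256(b"public.audit_log\npublic.orders").hexdigest()
DEPS_11 = (("public.fn_post_order", "public.orders"), ("public.fn_archive", "public.fn_post_order"),
           ("public.v_orders", "public.orders"))
DYNAMIC_22 = (("public.fn_dyn_writer", "public.audit_log"),)  # resolved dynamic-SQL write target
BOUNDARY = frozenset({"gateway.qt001_gw"})                  # #26 gateway identity, never a member
PROACL = (("public.fn_post_order", "directus"), ("public.fn_archive", "qt001_cp_owner"))
MEMBERSHIP = (("app_user", "qt001_cp_owner"),)              # pre-state: a login role inherits from the owner
ENTRY_VECTORS = ("public.fn_dyn_writer",)                   # trigger function writing audit_log
TRUSTED = frozenset({"qt001_cp_owner"})
SEALED_U_LEGACY = frozenset({"public.orders", "public.audit_log", "public.fn_post_order",
                             "public.fn_archive", "public.v_orders", "public.fn_dyn_writer"})


def outcome(sealed=SEALED_U_LEGACY, deps=DEPS_11, dynamic=DYNAMIC_22, proacl=PROACL):
    """Run the proof; return 'PASS' or the fail-closed reason."""
    try:
        prove(sealed, SCOPE_20, SEAL_26, deps, dynamic, BOUNDARY, proacl, MEMBERSHIP, ENTRY_VECTORS, TRUSTED)
        return "PASS"
    except FailClosed as e:
        return f"FAIL_CLOSED: {e}"
```

outcome() passes on the constructed facts; adding a PUBLIC-executable routine that the roots do not reach (denominator − sealed ≠ ∅), a retired object still listed in the seal (sealed − denominator ≠ ∅), an unresolved #22 row, or a #11 edge into gateway.qt001_gw each return the fail-closed reason instead of a narrowed set.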

The single uniform end-state (one condition for every member)

Every member of the sealed U_legacy set converges to the SAME authority-neutralized condition — no per-object disposition, no classifier, no truth table, no CASE branch:

  1. Owner isolated: ALTER ... OWNER TO qt001_cp_owner (NOLOGIN, non-superuser, no inbound pg_auth_members membership from any login role, holds no grant to any login role; the owner-implicit privilege is held by an unreachable principal; G-OWNER-UNREACHABLE). relkind/prokind choose only which ALTER ... OWNER TO syntax form is emitted.
  2. Body unchanged: no body/definition is mutated, replaced, or stubbed (pg_get_functiondef / pg_get_viewdef digest unchanged).
  3. Effective privileges == exact sealed #21: actual effective privileges (over non-superuser, non-owner roles, from proacl/relacl/pg_attribute.attacl expanded through pg_auth_members) are reconciled to EXACTLY the closed-world sealed #21 rows, both-EXCEPT (realized − #21 = ∅ AND #21 − realized = ∅). For legacy routines #21 grants no EXECUTE, so effective EXECUTE = 0; for tables/views any retained SELECT/USAGE exists only because an exact #21 row grants it. Absence of a row is authoritative only because #21 is complete, sealed, and bound to an expected count and hash. Caveat for the reconciliation query: a NULL proacl/relacl is not an empty grant set but the class default ACL (for routines that default includes EXECUTE to PUBLIC), so NULL must be expanded with acldefault() before comparison, and a routine with no #21 EXECUTE row needs an explicit REVOKE EXECUTE ... FROM PUBLIC to realize effective EXECUTE = 0.
  4. No directus/runtime authority remains except where #21 explicitly grants a read-only privilege.
  5. Superuser disposition: workflow_admin is excluded from the effective-privilege claim (inherently ACL-bypassing), recorded as an accepted out-of-band property (G-SUPERUSER-BREAKGLASS).
  6. Fail closed on unsupported object class, protected-boundary collision, incomplete #21 coverage, analyzer uncertainty, privilege mismatch, or rollback-evidence failure.

The new guard

G-U-LEGACY-OPTION-BETA-UNIFORM-ENDSTATE (doc 06; the amendment's G-LEGACY-UNIFORM-NEUTRALIZATION): for EVERY U_legacy member, verifies (a) owner == qt001_cp_owner; (b) definition hash unchanged from the captured baseline; (c) effective privileges over non-superuser non-owner roles == exactly the sealed #21 rows (both-EXCEPT). No member is exempt by class/type/name/owner/label; unsupported class / boundary collision / incomplete #21 / analyzer uncertainty / privilege mismatch FAILS CLOSED; non-vacuity asserted (set non-empty; #21 closed-world).
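The uniform end-state conditions and the (a)/(b)/(c) checks of the new guard, as an added worked example in Python (not the blueprint's guard implementation). It runs over a constructed post-package catalog snapshot rather than live pg_class/pg_proc rows, and assumes that snapshot can be expressed as: per object a kind (relkind/prokind letter), owner, definition text and explicit ACL entries (grantee, privilege) with NULL ACLs already expanded; a roles map of name to (rolcanlogin, rolsuper); pg_auth_members as (member, role) rows; the sealed #21 as per-object (grantee, privilege) rows plus an expected_count; and baseline sha256 digests of the captured definitions. Object and role names (public.orders, reporting, analyst, directus, workflow_admin) are constructed.

```python
"""Verify the single uniform end-state for every sealed U_legacy member: the
(a)/(b)/(c) checks of G-U-LEGACY-OPTION-BETA-UNIFORM-ENDSTATE plus G-OWNER-UNREACHABLE.
Added example, not the blueprint's code; the catalog snapshot, #21 rows and
baseline digests are constructed inline and their shapes are assumptions."""
import hashlib

OWNER = "qt001_cp_owner"
SUPPORTED = {"r", "v", "f", "p"}  # relkind table/view, prokind function/procedure (subset, assumed)

class FailClosed(Exception):
    """Stop; never exempt, never route later."""

def effective_roles(grantee, membership, roles):
    """Roles that effectively hold a grant to grantee: PUBLIC reaches every role,
    otherwise pg_auth_members (member, role) rows are expanded transitively."""
    if grantee == "PUBLIC":
        return set(roles)
    held, frontier = {grantee}, [grantee]
    while frontier:
        role = frontier.pop()
        for member, parent in membership:
            if parent == role and member not in held:
                held.add(member)
                frontier.append(member)
    return held

def owner_unreachable(membership, roles):
    """G-OWNER-UNREACHABLE: owner is NOLOGIN, non-superuser, and no login role inherits from it."""
    canlogin, superuser = roles[OWNER]
    if canlogin or superuser:
        raise FailClosed(f"{OWNER} must be NOLOGIN and non-superuser")
    logins = sorted(r for r in effective_roles(OWNER, membership, roles) - {OWNER} if roles[r][0])
    if logins:
        raise FailClosed(f"login roles reach {OWNER} via pg_auth_members: {logins}")

def realized_privileges(obj, membership, roles):
    """Effective (role, privilege) pairs over non-superuser, non-owner roles from the
    object's relacl/proacl/attacl entries expanded through pg_auth_members."""
    return {(r, priv) for grantee, priv in obj["acl"]
            for r in effective_roles(grantee, membership, roles)
            if r != OWNER and not roles[r][1]}

def verify_member(name, obj, rows_21, baseline, membership, roles):
    if obj["kind"] not in SUPPORTED:
        raise FailClosed(f"{name}: unsupported object class {obj['kind']!r}")
    if obj["owner"] != OWNER:  # (a)
        raise FailClosed(f"{name}: owner is {obj['owner']}, not {OWNER}")
    if hashlib.sha256(obj["definition"].encode()).hexdigest() != baseline[name]:  # (b)
        raise FailClosed(f"{name}: definition digest changed from the captured baseline")
    if name not in rows_21:  # closed-world #21: every member must be covered
        raise FailClosed(f"{name}: not covered by sealed #21")
    realized, expected = realized_privileges(obj, membership, roles), set(rows_21[name])
    if realized != expected:  # (c) both-EXCEPT
        raise FailClosed(f"{name}: realized-#21={sorted(realized - expected)} "
                         f"#21-realized={sorted(expected - realized)}")

def verify_uniform_endstate(u_legacy, catalog, sealed_21, baseline, membership, roles):
    if not u_legacy:
        raise FailClosed("non-vacuity: U_legacy is empty")
    if sum(len(v) for v in sealed_21["rows"].values()) != sealed_21["expected_count"]:
        raise FailClosed("#21 row count does not match its sealed expected_count")
    owner_unreachable(membership, roles)
    for name in sorted(u_legacy):  # no member is exempt by class, type, name or label
        verify_member(name, catalog[name], sealed_21["rows"], baseline, membership, roles)
    return True

# Constructed post-package catalog snapshot (not taken from the page).
ROLES = {OWNER: (False, False), "directus": (True, False), "reporting": (False, False),
         "analyst": (True, False), "workflow_admin": (True, True)}  # name: (rolcanlogin, rolsuper)
MEMBERSHIP = (("analyst", "reporting"),)
CATALOG = {
    "public.orders": {"kind": "r", "owner": OWNER, "acl": [("reporting", "SELECT")],
                      "definition": "orders(id int, total numeric)"},
    "public.fn_post_order": {"kind": "f", "owner": OWNER, "acl": [],  # EXECUTE revoked from PUBLIC
                             "definition": "fn_post_order() RETURNS void"},
    "public.v_orders": {"kind": "v", "owner": OWNER, "acl": [("PUBLIC", "SELECT")],
                        "definition": "SELECT id, total FROM public.orders"},
}
BASELINE = {n: hashlib.sha256(o["definition"].encode()).hexdigest() for n, o in CATALOG.items()}
SEALED_21 = {"expected_count": 5, "rows": {
    "public.orders": {("reporting", "SELECT"), ("analyst", "SELECT")},  # analyst inherits via reporting
    "public.fn_post_order": set(),                                      # no EXECUTE row: effective EXECUTE = 0
    "public.v_orders": {("directus", "SELECT"), ("reporting", "SELECT"), ("analyst", "SELECT")},
}}
U_LEGACY = frozenset(CATALOG)

def outcome(catalog=CATALOG, membership=MEMBERSHIP):
    """Run the guard; return 'PASS' or the fail-closed reason."""
    try:
        verify_uniform_endstate(U_LEGACY, catalog, SEALED_21, BASELINE, membership, ROLES)
        return "PASS"
    except FailClosed as e:
        return f"FAIL_CLOSED: {e}"
```

Two details worth noting: workflow_admin never appears in a realized pair even though PUBLIC SELECT on public.v_orders reaches it, which is the G-SUPERUSER-BREAKGLASS exclusion; and the analyst row on public.orders exists only through pg_auth_members, so a reconciliation that compares raw ACL entries instead of expanded ones would under-count and pass a state that #21 does not grant.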

Where applied in the blueprint

doc 02 §H.2/§H.3/§H.4 (membership + end-state + denominator), doc 04 S00/S09/S13/S15/S17 (the construction order now reconciles to the uniform end-state), doc 06 (the two new guards + the reframed legacy guards), doc 07 PKG-B/D/F/H (generic reconciliation packages).

Self-check

PASS. U_legacy is a single sealed in-scope set with no subtraction and no class exclusion; collisions fail closed; every member reaches one uniform PG-native end-state verified by G-U-LEGACY-OPTION-BETA-UNIFORM-ENDSTATE; relkind/prokind select syntax only.

Source: knowledge/dev/reports/architecture/t1-fix7-blueprint-patch-after-legacy-disposition-option-beta-2026-06-08/03-u-legacy-uniform-endstate.md