T1 FIX7 Option Beta - STUB / Body-Mutation Path Removal
04 - BLOCKER 3: STUB / Body-Mutation Path Removal + Forward-Only Rollback
What the amendment requires
- no legacy body mutation;
- no body restore path;
- no STUB source artifact path;
- rollback no longer restores routine bodies;
- rollback restores authority state through forward-only supersede/deactivate and the privilege/owner snapshot;
- source artifacts may remain evidence only, not rollback body authority.
What T1 patched
No body change anywhere (doc 02 §H.3, doc 04 S15.2, doc 07 PKG-F)
The uniform end-state changes no object body. The former STUB_FAIL_CLOSED action (which
replaced the apply/writer entrypoints with a fail-closed stub body) is removed. Fail-closed behavior
for the apply functions now comes from unreachability — owner-isolated to the unreachable
qt001_cp_owner + no #21 EXECUTE grant → effective EXECUTE = 0 — which is the live-proven mechanism
(directus is non-superuser, so owner-transfer + privilege reconcile reach effective-EXECUTE=0
without a stub). S15.2 reconciles privileges to exact #21; it never replaces a body.
Forward-only rollback, owner+ACL snapshot only (doc 05 banner, S15 row, note 5; doc 04 rollback note)
The S15 rollback is the atomic, ordered, deactivation-first sequence:
- supersede the new authoritative path FORWARD — new manifest_activation of a prior-payload candidate + set the predecessor's superseded_by_manifest_id; never clear/edit activated_at; the active route is derived by activated_at IS NOT NULL AND superseded_by_manifest_id IS NULL;
- verify readiness BLOCKED via the derived current-active route;
- verify the gateway cannot route the new path;
- restore legacy by replaying the verified S14 owner+ACL snapshot — restore the prior owner (directus) + captured effective-privilege ACL, with NO body change (Option Beta), uniquely sourced via manifest_activation.rollback_evidence_id → evidence_registry.evidence_id (a single approved FK; fails closed on a missing/revoked/expired row);
- verify G-NOMIXED-AUTHORITY + G-BIRTH-NEUTRAL.
Because steps 1–3 precede step 4, there is no window in which both the new qt001_cp path and the
legacy path are simultaneously executable. The pre-cutover baseline returned to was itself
safe-blocked.
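Added example (not part of the original document or the project's code): a Python/sqlite3 model of step 1 and of the step 4 evidence lookup, showing the derived active route, a supersede that never touches activated_at, and the fail-closed single-FK resolution. The manifest_id, payload, revoked and expires_at columns, the trigger and all function names are assumptions, SQLite stands in for PostgreSQL, and which row carries rollback_evidence_id is left to the caller.

```python
import sqlite3
# Hypothetical: manifest_id, payload, revoked, expires_at, the trigger; other names are the page's.
SCHEMA = """
CREATE TABLE evidence_registry (evidence_id INTEGER PRIMARY KEY,
  revoked INTEGER NOT NULL DEFAULT 0, expires_at TEXT NOT NULL);
CREATE TABLE manifest_activation (manifest_id INTEGER PRIMARY KEY,
  payload TEXT NOT NULL, activated_at TEXT,
  superseded_by_manifest_id INTEGER REFERENCES manifest_activation(manifest_id),
  rollback_evidence_id INTEGER REFERENCES evidence_registry(evidence_id));
CREATE TRIGGER activated_at_immutable BEFORE UPDATE OF activated_at
ON manifest_activation BEGIN SELECT RAISE(ABORT, 'activated_at is immutable'); END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def current_active(db):
    """Derived route: activated and not superseded; anything but one row fails closed."""
    rows = db.execute(
        "SELECT manifest_id FROM manifest_activation "
        "WHERE activated_at IS NOT NULL AND superseded_by_manifest_id IS NULL").fetchall()
    if len(rows) != 1:
        raise RuntimeError(f"expected one active manifest, found {len(rows)}")
    return rows[0][0]

def supersede_forward(db, prior_payload, now):
    """Step 1: activate a prior-payload candidate and mark the predecessor superseded."""
    old = current_active(db)
    with db:  # one transaction: both writes commit or neither does
        new = db.execute(
            "INSERT INTO manifest_activation (payload, activated_at) VALUES (?, ?)",
            (prior_payload, now)).lastrowid
        db.execute(
            "UPDATE manifest_activation SET superseded_by_manifest_id = ? "
            "WHERE manifest_id = ? AND superseded_by_manifest_id IS NULL", (new, old))
    return old, new

def snapshot_evidence(db, manifest_id, now):
    """Step 4 lookup: one FK hop; a missing, revoked or expired row fails closed."""
    row = db.execute(
        "SELECT e.evidence_id FROM manifest_activation m JOIN evidence_registry e "
        "ON e.evidence_id = m.rollback_evidence_id "
        "WHERE m.manifest_id = ? AND e.revoked = 0 AND e.expires_at > ?",
        (manifest_id, now)).fetchone()
    if row is None:
        raise PermissionError("no valid owner+ACL snapshot evidence; refusing restore")
    return row[0]
```

Timestamps are compared as ISO-8601 strings in one fixed format, so callers must pass `now` in that same format.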
Source artifacts are evidence only
The former "sealed evidence_registry STUB body artifact" pinned by #27 rollback_stub_source_sha256
is removed. evidence_registry is now used by the legacy path only for the S14 owner/ACL snapshot
— evidence consumed by a PG-native restore, never a body-restore authority. #27 carries the
re-point bindings (old_source_sha256/new_source_sha256/rollback_stub_source re-point), not a
legacy body artifact.
The former CR-E3 carve-out is gone
Earlier passes carved out "restoring a STUB_FAIL_CLOSED legacy body from its sealed
evidence_registry source is a separate authorized function-replacement." Under Option Beta there is
no legacy body operation at all on rollback, so the carve-out is removed entirely. The
"never CREATE OR REPLACE the gateway" rule now applies cleanly to the qt001_cp writer gateway and
the birth-gateway boundary, with no legacy-body exception.
Where applied
doc 04 (S13/S15 rows + activation/no-mixed note + writer-gateway #27 row), doc 05 (banner, S15 + S17 rows, note 5, completeness verdict), doc 06 (G-REPOINT-SRC, G-ROLLBACK-SAFE, G-NOLEGACY-POST "body unchanged"), doc 07 (PKG-F rollback, PKG-E snapshot framing).
Self-check
PASS. No legacy body is mutated, stubbed, or restored anywhere; rollback is forward-only and restores authority state through supersede/deactivate + the single owner/ACL snapshot; source artifacts are evidence only. The body-restore risk surface is eliminated (resolves recheck-2 BLOCKER E for legacy routines without any per-object body binding).