KB-510D

T1 FIX7 Option Beta - Owner Isolation + #21 Contract Path

Revision 1

05 - BLOCKER 4: Owner Isolation + #21 Privilege Contract as the Authority Path

What the amendment requires

  • U_legacy members moved to the isolated owner where applicable;
  • effective privileges set/verified against the sealed #21 contract;
  • body unchanged;
  • directus/runtime effective authority absent unless #21 explicitly allows read-only behavior;
  • G-NOLEGACY-POST verifies this uniform end-state, not disposition branches.

What T1 patched (doc 04 §S15, doc 06)

Owner isolation (S15.1) — every supported member

ALTER ... OWNER TO qt001_cp_owner for every supported sealed U_legacy member. relkind/prokind choose only the syntax (ALTER FUNCTION / ALTER TABLE / ALTER VIEW), never a different outcome. The owner-transfer is required first because a PostgreSQL object owner always holds implicit privileges on the object that REVOKE cannot remove — directus (live rolsuper=false) owns the legacy routines, so REVOKE alone cannot zero its effective EXECUTE; moving ownership off directus to the unreachable qt001_cp_owner is what makes effective-EXECUTE=0 reachable (Codex recheck BLOCKER A, unchanged).

G-OWNER-UNREACHABLE (unchanged) proves qt001_cp_owner is NOLOGIN, non-superuser, has no inbound pg_auth_members membership from any login role, and holds no grant to any login role — so the owner-implicit privilege is held by an unreachable principal, not relocated to a reachable one.

Closed-world #21 as the privilege authority (S15.2/S15.3)

Effective privileges are reconciled to exactly the closed-world sealed privilege_set_manifest #21 rows over the COMPLETE sealed set, compared both-EXCEPT (realized − #21 = ∅ AND #21 − realized = ∅), role-membership-aware (pg_auth_members expansion). #21 is closed-world: its completeness, expected count, and hash binding are what make absence of a grant authoritative. For legacy members #21 grants no EXECUTE/DML, so the reconcile REVOKEs from PUBLIC/directus/every role except qt001_cp_owner; any retained Directus read exists only because an exact #21 SELECT row grants it.
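The both-EXCEPT reconcile above as one PostgreSQL guard query, added here as an example and not the patch's own code; the sealed-set and #21 table shapes named in the comments are assumed, since the page does not give them.

```sql
-- Added example (not the page's own code): the S15.2/S15.3 both-EXCEPT reconcile as a
-- single guard query. Assumed, hypothetical shapes (the real sealed set and #21 layout
-- are not on this page):
--   sealed_u_legacy(member_oid oid, member_kind text)               -- 'relation' | 'routine'
--   privilege_set_manifest(member_oid oid, grantee name, privilege text)  -- the #21 rows
WITH roles AS (
  -- superuser dispositioned out here; the owner is excluded per member below.
  -- Predefined roles (pg_read_all_data, ...) are kept on purpose: if one of them realizes
  -- a privilege, #21 must list it or the guard reports it as extra.
  SELECT rolname FROM pg_roles WHERE NOT rolsuper
),
realized_rel AS (
  SELECT s.member_oid, r.rolname AS grantee, p.privilege
  FROM sealed_u_legacy s
  JOIN pg_class c ON c.oid = s.member_oid AND s.member_kind = 'relation'
  CROSS JOIN roles r
  CROSS JOIN (VALUES ('SELECT'), ('INSERT'), ('UPDATE'), ('DELETE'),
                     ('TRUNCATE'), ('REFERENCES'), ('TRIGGER')) AS p(privilege)
  WHERE r.rolname <> pg_get_userbyid(c.relowner)          -- non-owner
    -- effective, not granted: expands inherited pg_auth_members membership and PUBLIC
    AND has_table_privilege(r.rolname, c.oid, p.privilege)
),
realized_fn AS (
  SELECT s.member_oid, r.rolname, 'EXECUTE'
  FROM sealed_u_legacy s
  JOIN pg_proc f ON f.oid = s.member_oid AND s.member_kind = 'routine'
  CROSS JOIN roles r
  WHERE r.rolname <> pg_get_userbyid(f.proowner)
    AND has_function_privilege(r.rolname, f.oid, 'EXECUTE')
),
realized AS (SELECT * FROM realized_rel UNION ALL SELECT * FROM realized_fn),
expected AS (SELECT member_oid, grantee, privilege FROM privilege_set_manifest)
-- both directions must be empty: realized - #21 = {} AND #21 - realized = {}
-- (the guard passes only when this query returns zero rows)
SELECT 'extra'   AS drift, x.* FROM (SELECT * FROM realized EXCEPT SELECT * FROM expected) x
UNION ALL
SELECT 'missing' AS drift, y.* FROM (SELECT * FROM expected EXCEPT SELECT * FROM realized) y;
```

Two caveats a practitioner should keep in mind: the has_*_privilege functions honour INHERIT, so a NOINHERIT member that could SET ROLE into a granted role must be walked explicitly through pg_auth_members, and column-level ACLs (which G-OWNER-CUTOVER requires) need has_column_privilege / has_any_column_privilege rather than the table-level check shown here.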

Body unchanged

No body/definition is mutated for any member (doc 04, doc 05). The fail-closed property of the apply functions is unreachability, not a body stub.

Directus/runtime authority absent unless #21 allows read

After S15/S16, directus and runtime roles hold no effective authority over U_legacy members except the exact #21 read-only grants. Directus retains full authority over its own directus_* app tables and the business base tables it legitimately owns (XH-4, unchanged) — those are not U_legacy members.

Guards verify the uniform end-state, not branches

  • G-NOLEGACY-POST: non-superuser, non-owner effective EXECUTE/DML = 0 over the entire sealed set (i.e. realized == exact #21); reachable only because ownership moved first; superuser dispositioned; body unchanged; non-vacuous.
  • G-U-LEGACY-OPTION-BETA-UNIFORM-ENDSTATE: every member has owner=qt001_cp_owner, definition hash unchanged, effective privileges == exact #21 (both-EXCEPT). No disposition branch.
  • G-OWNER-CUTOVER (S16): effective-privilege over non-superuser non-owner roles, role-membership-aware, column-ACL-inclusive; superuser dispositioned; Directus SELECT preserved.

Guard-quality rule 5 (PG privilege semantics: effective-privilege over non-owner roles + superuser disposition) is preserved and extended to G-U-LEGACY-OPTION-BETA-UNIFORM-ENDSTATE.

Where applied

doc 02 §H.3 (the end-state); doc 04 S15.1–S15.3 + owner-semantics/owner-reachability notes + writer-gateway phase table; doc 05 invariant 3 (snapshot covers effective privilege both-direction); doc 06 G-NOLEGACY-POST / G-U-LEGACY-OPTION-BETA-UNIFORM-ENDSTATE / G-OWNER-CUTOVER / G-OWNER-UNREACHABLE; doc 07 PKG-F/PKG-G.

Self-check

PASS. Owner isolation + the closed-world sealed #21 privilege contract are the authority path; body is unchanged; directus/runtime effective authority is absent unless #21 grants read-only; G-NOLEGACY-POST and G-U-LEGACY-OPTION-BETA-UNIFORM-ENDSTATE verify the uniform end-state rather than any disposition branch.

knowledge/dev/reports/architecture/t1-fix7-blueprint-patch-after-legacy-disposition-option-beta-2026-06-08/05-owner-isolation-21-contract-path.md