KB-12A2

CP-01 Byte-Level 27-Contract DDL Review

Revision 1

01 - SUPERTRACK A — CP-01 Byte-Level Exactly-27 DDL Review

Source reviewed: doc 02-cp01-byte-level-27-contract-ddl.md (revision 5).

Verdict: CP01_VERIFIED

My prior CP-01 offered path A (publish the byte-level expanded DDL) or path B (explicit downscope + mandatory re-audit). Codex took path A and published a genuinely reviewable artifact. The core gap that drove CP-01 — "a Normative full DDL artifact that defers byte-level CREATE TABLE to an unsurfaced local artifact" — is closed.

Checklist evidence

  • Exactly 27 child contracts — VERIFIED. Counted 01 policy_rule_manifest, 02 operator_primitive_manifest, 03 metric_manifest, 04 unit_manifest, 05 storage_class_manifest, 06 principal_class_manifest, 07 authority_action_manifest, 08 principal_separation_manifest, 09 readiness_gate_manifest, 10 hash_component_manifest, 11 dependency_manifest, 12 bypass_vector_manifest, 13 capability_manifest, 14 capability_measurement_requirement, 15 capability_artifact_requirement, 16 signoff_requirement_manifest, 17 tier_manifest, 18 activation_policy_manifest, 19 quorum_requirement_manifest, 20 authority_scope_manifest, 21 privilege_set_manifest, 22 dynamic_sql_target_manifest, 23 workload_profile_manifest, 24 analyzer_contract_manifest, 25 plan_payload_manifest, 26 gateway_manifest, 27 writer_repoint_manifest. 27 unique table names.
  • No extra threshold table — VERIFIED (thresholds are fields on existing children: max_age_seconds, minimum_count, required_count, row_count; see CP-05 review).
  • No shorthand symbols (e.g. "H") — VERIFIED. Full identifiers throughout.
  • Exact CREATE TABLE content — VERIFIED. Explicit column type, PK (manifest_id,item_id), UNIQUE(item_id), normative envelope FK header FOREIGN KEY (manifest_id,item_id) REFERENCES manifest_item_envelope(manifest_id,item_id), business-key UNIQUE, typed domains (sha256, nonempty_text, positive_bigint, nonnegative_bigint).
  • No policy-shaped CHECK — VERIFIED. Every CHECK is structural/temporal/shape only: valid_until>valid_from; retired/evidence pairing; num_nonnulls(...)=1; jsonb/schema pairing; cardinality(stable_order_key)>0 AND array_position(...,NULL) IS NULL; collision_row_count<=row_count; activation parent<>candidate and executed_at>=requested_at. None embeds a policy value, enumerated code, or threshold. Self-review item 7 confirms the prior policy-shaped left_class_id<>right_class_id CHECK was removed in favour of a must_differ boolean evaluated by a generic guard — correct.
  • No DEFAULT false hidden policy — VERIFIED. The only DEFAULT is created_at ... DEFAULT clock_timestamp(). Every boolean (retired, required, must_differ, may_*, strict, side_effect_free, immutable_versioned, grantable, fail_closed, protected_target, entrypoint) is NOT NULL with no default → author must supply a sealed value.
  • Rollback/drop order — VERIFIED. §2.6 gives the exact reverse-dependency drop order (writer_repoint → ... → manifest_item_envelope → manifest_set; catalog root last) and states rollback never drops active/history.
  • Owner/role expectation — VERIFIED. qt001_cp_owner / _migrator / _reader; Directus/PUBLIC/runtime/signer/verifier/binder roles get no DML/DDL/REFERENCES/TRIGGER/EXECUTE; writers are SECURITY DEFINER with pinned search_path.
  • Implementable in PG16.13 — VERIFIED. Uses DOMAIN, regprocedure/regclass/oid, num_nonnulls, array_position, cardinality, partial unique index, UNIQUE NULLS NOT DISTINCT (PG15+), clock_timestamp() — all valid in 16.13.
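An added example, not the reviewed document's DDL, of one child contract shaped the way the checklist above describes: envelope FK, composite PK, structural-only CHECKs, undefaulted booleans, and the removed policy-shaped CHECK replaced by a sealed must_differ value read by a generic guard. Column names beyond those quoted in the review, the domain definitions, the business key and the exact retired/evidence pairing rule are assumptions.

```sql
-- Domains are named in the review; their definitions here are assumed.
CREATE DOMAIN sha256 AS text CHECK (VALUE ~ '^[0-9a-f]{64}$');
CREATE DOMAIN nonempty_text AS text CHECK (btrim(VALUE) <> '');

-- Minimal stand-in for the normative envelope parent every child references.
CREATE TABLE manifest_item_envelope (
  manifest_id sha256 NOT NULL,
  item_id     sha256 NOT NULL,
  PRIMARY KEY (manifest_id, item_id)
);

-- Rejected form (policy embedded in the table definition):
--   CHECK (left_class_id <> right_class_id)
-- Accepted form: the rule is sealed as data (must_differ) and a generic
-- guard evaluates it; every CHECK below is structural, temporal or shape-only.
CREATE TABLE principal_separation_manifest (
  manifest_id          sha256        NOT NULL,
  item_id              sha256        NOT NULL,
  left_class_id        nonempty_text NOT NULL,
  right_class_id       nonempty_text NOT NULL,
  must_differ          boolean       NOT NULL,  -- no DEFAULT: author must seal it
  retired              boolean       NOT NULL,
  retired_evidence_id  sha256,                  -- assumed pairing column
  valid_from           timestamptz   NOT NULL,
  valid_until          timestamptz,
  stable_order_key     text[]        NOT NULL,
  created_at           timestamptz   NOT NULL DEFAULT clock_timestamp(),
  PRIMARY KEY (manifest_id, item_id),
  UNIQUE (item_id),
  UNIQUE (manifest_id, left_class_id, right_class_id),      -- assumed business key
  FOREIGN KEY (manifest_id, item_id)
    REFERENCES manifest_item_envelope (manifest_id, item_id),
  CHECK (valid_until IS NULL OR valid_until > valid_from),  -- temporal
  CHECK (retired = (retired_evidence_id IS NOT NULL)),      -- pairing (assumed rule)
  CHECK (cardinality(stable_order_key) > 0
         AND array_position(stable_order_key, NULL) IS NULL) -- shape
);

-- Generic guard (assumed): the policy value is read from the row, not the DDL.
-- Returns the items whose sealed must_differ rule is violated.
SELECT manifest_id, item_id
  FROM principal_separation_manifest
 WHERE must_differ AND left_class_id = right_class_id;
```

Adding a threshold or enumerated code to any CHECK above would turn it back into the policy-shaped form the review rejects; the guard query is where such values belong.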

Cross-impact observations (raised as RP, not CP-01 defects)

  • The package also defines, beyond the 27, the support tables manifest_activation, evidence_registry, analyzer_run, human_identity_registry, principal_registry, operator_operand_compatibility, and the catalog root — good. But the global CREATE + deferred-ALTER order across docs 02/03/04/09/10 is not consolidated → RP-03.
  • manifest_activation (a core table here) has NOT NULL FKs to evidence_registry/principal_registry; those are defined in docs 09/10 (verified) — so CP-01 completeness depends on the cross-doc ordering being correct (RP-03).
  • The 27 manifest children are byte-complete, but the RUNTIME instance/result tables those manifests measure (signoff bindings, capability runs/measurements/artifacts, gate fact-results) are not byte-defined; they are consumed by H04/H05/H06 → RP-01. This is the runtime-evidence layer, distinct from the 27 manifest children, so it does not reduce the CP-01 verdict — but it must close before final approval.

Conclusion

CP-01 is genuinely resolved at the manifest/contract layer. Verdict CP01_VERIFIED, with the byte-level completeness of the adjacent runtime-evidence layer (RP-01) and the consolidated apply order (RP-03) carried into the proposal package.
