KB-339A

T1 FIX7 Design Verification - 14 Final Go No-Go (SUPERTRACK N)

Revision 1

Tags: QT001, FIX7, T1, go-no-go, DESIGN_BLOCKED_REQUIRES_CODEX_UPDATE, supertrack-n

14 — Final Go / No-Go (SUPERTRACK N)

FINAL: DESIGN_BLOCKED_REQUIRES_CODEX_UPDATE

T1 must not implement FIX7a yet. Not because the architecture is wrong — its direction is the correct answer to the FIX..FIX6 / Codex rejection history — but because the corrected FIX7 design, as it exists in the KB, is a set of high-level property assertions, not an implementable specification, and the per-dimension review docs the verdict rests on were never authored. Implementing now would force T1 to invent governance-critical decisions ("fix by assuming"), which the macro forbids.

Why not the other statuses:

  • NOT DESIGN_CONFIRMED_T1_CAN_IMPLEMENT_FIX7A: ≥8 governance-critical implementation decisions are undefined (doc 01 A.5); confirming would require guessing.
  • NOT READ_PATH_BLOCKED: I successfully read all existing sources and rendered a substantive verdict; the path is only partially blocked (final-review 01–09 absent), which I report as a finding rather than a read failure.
  • NOT merely DESIGN_NEEDS_CORRECTION_BEFORE_T1: the dominant defect is incompleteness of Codex's package (missing per-dimension specification + missing review evidence), which only Codex can resolve — it is not a self-contained correction T1 can apply, and T1 must not self-author authoritative design.

Design corrections required before T1 (in priority order)

  1. Author the concrete FIX7a specification (the missing per-dimension design): manifest table DDL for policy/operator/measurement/principal/action/tier/hash/vector/gate, with seal columns and worked examples. (R1, R12)
  2. Readiness denominator spec: exact-set both-directions, NULL-strict, count = count(sealed_active_gate_manifest); gate-result source ≠ manifest; runtime zero-DML; include a sealed "control-plane owned by qt001_cp_owner AND Directus has no write" gate. (R3)
  3. Signoff/principal/evidence schema: FK principal/reviewer, content-addressed evidence scheme, independence predicate, self-sign rejection, and the expiry/supersede/revoke lifecycle (silent in FIX7). (R4)
  4. Capability spec: per-measurement behavioral test + threshold + evidence schema + verifier-FK + "fresh post-activation" (epoch-bound) window; owner-only storage. (R5)
  5. Hash spec: exact primitive + extension prerequisite with operator-install staging if missing (H.1); canonical-JSONB/ordered-row; NULL=FAIL; domain-separation tags; full component list + sensitivity tests; keep plan-content vs control-state separation. (R6)
  6. Dependency/analyzer spec: analyzer trust/seal/quorum; source-hash staleness binding (manifest invalid if any pg_get_functiondef changes); unknown-node fail-closed; dynamic-SQL OID-check predicate. (R7)
  7. TOCTOU concurrency spec: lock type + id, hold scope = whole writer txn, pre-commit epoch_start == epoch_now else abort, evidence epoch-stamping. (R8)
  8. Level-B pipeline + deploy spec: pipeline artifact/entrypoint/owner-credential source; approval/quorum record; read-back/proof log; rollback snapshots/scripts per stage; or explicitly classify FIX7b/c AUTHOR_MODE-until-pipeline-exists. (R9, R10, R11)
  9. Operator runbook: exact step sequence for owner cutover (REASSIGN/ALTER OWNER → REVOKE directus,PUBLIC → GRANT SELECT), extension install, manifest activation quorum. (R2, R10)
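Correction 2 as an added, constructed illustration of the readiness denominator rule (exact-set in both directions, NULL-strict, count taken from the manifest, epoch-bound results from a separate source); this is not the Codex specification, and the table names, gate ids and rows are assumed stand-ins.

```python
# Added illustration of correction 2 (readiness denominator), not the Codex spec.
# Manifest and gate-result rows are constructed stand-ins for the
# sealed_active_gate_manifest table and the separate gate-result source.

# Constructed sealed, active gate manifest: the only legal denominator.
SEALED_ACTIVE_GATE_MANIFEST = [
    {"gate_id": "cp_owner_is_qt001_cp_owner", "sealed": True, "active": True},
    {"gate_id": "directus_has_no_write", "sealed": True, "active": True},
    {"gate_id": "signoff_plan_binding_present", "sealed": True, "active": True},
    {"gate_id": "draft_gate_not_yet_sealed", "sealed": False, "active": True},
]


def sample_results(epoch, overrides=None):
    """Constructed gate results, stamped with a control epoch."""
    rows = {
        "cp_owner_is_qt001_cp_owner": {"passed": True, "epoch": epoch},
        "directus_has_no_write": {"passed": True, "epoch": epoch},
        "signoff_plan_binding_present": {"passed": True, "epoch": epoch},
    }
    rows.update(overrides or {})
    return [{"gate_id": g, **r} for g, r in rows.items()]


def readiness(manifest, gate_results, epoch_now):
    """Fail-closed readiness evaluation; returns (status, reason, count)."""
    # Denominator is exactly the sealed AND active manifest gates; the count
    # comes from the manifest, never from the result rows.
    denominator = {m["gate_id"] for m in manifest if m["sealed"] and m["active"]}
    count = len(denominator)
    if not denominator:  # assumption: an empty denominator is never a green
        return ("BLOCKED", "empty denominator", 0)
    results = {r["gate_id"]: r for r in gate_results}
    if len(results) != len(gate_results):  # duplicate gate rows are ambiguous
        return ("BLOCKED", "duplicate gate_id in results", count)
    result_ids = set(results)
    # Exact-set, both directions: nothing missing, nothing extra.
    missing, extra = denominator - result_ids, result_ids - denominator
    if missing or extra:
        return ("BLOCKED", f"set mismatch missing={sorted(missing)} extra={sorted(extra)}", count)
    for gate_id in sorted(denominator):
        row = results[gate_id]
        if row["passed"] is None:  # NULL-strict: an unknown result is a failure
            return ("BLOCKED", f"{gate_id}: NULL result", count)
        if row["epoch"] != epoch_now:  # epoch-bound: evidence must be post-activation
            return ("BLOCKED", f"{gate_id}: stale epoch {row['epoch']}", count)
        if row["passed"] is not True:
            return ("BLOCKED", f"{gate_id}: failed", count)
    return ("READY", "all sealed active gates passed in current epoch", count)
```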

After corrections — the boundary that WILL apply (do not act on this yet)

  • GO (author/test only): T1 authors FIX7a/b/c artifacts, candidate manifests, generic engines, control-epoch, DOT/tests/negative-tests, rollback, analyzer + Level-B package; local BEGIN..ROLLBACK rehearsal; self-audit + independent adversarial sub-check.
  • NO-GO (operator-gated): all live role/owner/ACL/REVOKE/extension/manifest-activation/scheduler/writer-repoint actions; FIX7b; FIX7c; manual privileged SQL.
  • HARD BLOCK (unchanged): No Stage 2.6B. No permit. No REAL_RUN. No QT001 apply. Readiness must stay BLOCKED and scale NOT_SAFE until owner cutover + fresh evidence + a fresh independent Codex re-audit.

Safety baseline at time of review (live, read-only)

Control tables owned by directus (cutover not done); qt001_cp_owner absent; signoff_plan_binding=0; capability_operational_evidence=0 → readiness BLOCKED, scale NOT_SAFE; no present false-green. No production mutation was made by this verification other than these KB report docs + checkpoint.

One-line verdict

Architecture direction: sound. Design package: not implementation-ready. Status: DESIGN_BLOCKED_REQUIRES_CODEX_UPDATE. Implementation stays blocked; Codex must publish the concrete per-dimension specification (corrections 1–9) before T1 builds FIX7a.

knowledge/dev/reports/architecture/t1-fix7-design-deep-verification-before-implementation-2026-06-07/14-final-go-no-go.md