FIX7 Refactor Blueprint - Live Existing-System Inventory
01 - Live Existing-System Inventory (read-only)
Source of evidence: live read-only PostgreSQL introspection of DB directus on 2026-06-08 via
query_pg (AST-validated, READ ONLY transaction, statement_timeout 5s), cross-checked against
BIRTH_GATEWAY_DESIGN_INDEX.md rev 27. No mutation performed.
A. Schemas and FIX7 control-plane roles
| Object | Live state | Evidence | Classification |
|---|---|---|---|
schema qt001_cp |
ABSENT (live: cutter_governance, iu_core, public, sandbox_tac) | pg_namespace | MISSING_ADD |
role qt001_cp_owner |
ABSENT | pg_roles (0 rows) | MISSING_ADD |
role qt001_cp_migrator |
ABSENT | pg_roles (0 rows) | MISSING_ADD |
role qt001_cp_reader |
ABSENT | pg_roles (0 rows) | MISSING_ADD |
Consequence: every FIX7 qt001_cp.* object is green-field. There is nothing to edit in place; the
control plane is built beside the legacy objects, then the authoritative path is repointed.
B. Legacy QT001 objects (FIX..FIX6) - schema public, owner directus
Counts (live, by %qt001% substring in public): 20 tables, 45 functions + 1 procedure (46
routines), 196 views, all owner directus. These counts are diagnostic evidence, not the
operational authority - see doc 02 §H (the sealed authority_scope_manifest #20 set is the
authority; the count is whatever its exact-set both-EXCEPT proves). Note the historical blueprint
prose "46 functions" conflated the 45 functions with the 1 apply procedure sp_dot_birth_qt001_apply.
B.1 Legacy tables (20) - representative roles
| Table | Current role | Classification |
|---|---|---|
qt001_plan_registry, qt001_plan_snapshot, qt001_plan_content_binding |
legacy plan SSOT / fixed-point | LEGACY_REPLACE (-> plan_payload_manifest #25 + manifest_*) |
qt001_tier_registry, qt001_tier_rule_registry, qt001_tier_rule_registry_v2 |
legacy tiering data | LEGACY_REPLACE (-> tier_manifest #17 + policy_rule_manifest #01) |
qt001_independent_review_signoff, qt001_signoff_plan_binding, qt001_review_validated_collection |
legacy signoff | LEGACY_REPLACE (-> signoff_requirement_manifest #16 + runtime signoff_binding) |
qt001_authority_identity_registry, qt001_evidence_registry |
legacy identity/evidence | LEGACY_REPLACE (-> principal_registry/human_identity_registry/evidence_registry) |
qt001_capability_contract, qt001_capability_operational_evidence, qt001_capability_behavior_registry |
legacy capability | LEGACY_REPLACE (-> capability_manifest #13 + runtime capability_run/measurement/artifact) |
qt001_hardcode_inventory, qt001_authoritative_object_registry |
legacy audit/callgraph registry | LEGACY_DEPRECATE (superseded by #20 + #11) |
qt001_readiness_guard_registry_v9, qt001_signal_registry, qt001_runtime_config |
legacy readiness/config | LEGACY_REPLACE (-> readiness_gate_manifest #09 + sealed rows) |
qt001_apply_rehearsal_audit |
legacy rehearsal audit | LEGACY_FREEZE (history retained, read-only) |
B.2 Legacy functions (46) - representative roles
| Function family | Members (live) | Classification |
|---|---|---|
| legacy planner | fn_dot_birth_qt001_plan_v2, fn_qt001_plan_v5, fn_qt001_plan_all, fn_qt001_plan_all_v5 |
LEGACY_REPLACE (gateway/writer repoint; plan_v2 stays frozen unreachable sentinel) |
| apply path | fn_dot_birth_qt001_apply, sp_dot_birth_qt001_apply |
BLOCKED_UNTIL_AUTHORITY then LEGACY_REPLACE |
| tiering | fn_qt001_machine_tier(+_v2.._v5), fn_qt001_eval_tier_predicate |
LEGACY_REPLACE |
| rule engine | fn_qt001_eval_rule_v2..v5, fn_qt001_eval_rule_core, fn_qt001_eval_predicate_v2, fn_qt001_eval_guard_bool |
LEGACY_REPLACE |
| signoff | fn_qt001_signoff_row_valid(+_v3.._v6), fn_qt001_signoff_satisfies(+_v3.._v6) |
LEGACY_REPLACE |
| fingerprint/checksum | fn_qt001_plan_fingerprint_v2..v5, fn_qt001_fp_compose(+_v3), fn_qt001_rule_checksum |
LEGACY_REPLACE (-> hash_component #10 contracts) |
| governance | fn_qt001_rule_governance_ok(+_v2) |
LEGACY_REPLACE |
| signals/build/refresh/rehearsal | fn_qt001_collection_signals(+_v2/_v4/_v5), fn_qt001_build_plan_registry, fn_qt001_refresh_plan_snapshot, fn_qt001_run_rehearsal |
LEGACY_REPLACE/LEGACY_DEPRECATE |
| machine blocked reason | fn_qt001_machine_blocked_reason |
LEGACY_REPLACE |
B.3 Legacy views (196)
The 196 qt001_* views (readiness v3..v9, hardcode guards v2..v7, callgraph, no-bypass,
no-go guards, dashboards, scorecards, failure matrices) are the FIX..FIX6 enforcement surface.
Classification: LEGACY_DEPRECATE after the qt001_cp path is sealed/activated/proven; they are
NOT authority surfaces under FIX7 and are not deleted live (retained as read-only history until the
deprecation package runs).
C. Birth gateway (DO_NOT_TOUCH - birth-neutral)
| Object | Owner | Classification |
|---|---|---|
fn_birth_registry_auto (guarded; 166 triggers / 148 tables) |
directus | DO_NOT_TOUCH |
fn_birth_registry_auto_id (3 BIRTH_REQUIRED tables) |
directus | DO_NOT_TOUCH |
fn_birth_policy_decision, fn_birth_resolve_identity, fn_birth_register |
directus | DO_NOT_TOUCH |
birth_registry (row anchor 1,210,928+; birth-neutral invariant) |
directus | DO_NOT_TOUCH |
birth_admission_permit(+_v2), birth_backfill_ledger(+_v2), birth_gateway_release_registry |
directus | DO_NOT_TOUCH |
Birth-family completeness (Max 2026-06-08). The live fn_birth_* family is broader than the 5
representative rows above - there are 10 fn_birth_* functions: also fn_birth_auto_certify,
fn_birth_change_flag_matrix, fn_birth_gate (owner workflow_admin), fn_birth_onboarding_full_scan
(SECURITY DEFINER, PUBLIC EXECUTE), and fn_birth_onboarding_full_scan_hc. ALL are
DO_NOT_TOUCH (birth-gateway scope, outside the QT001 refactor; FIX7 references the gateway only
via #26 and stays birth-neutral). They are recorded here so no future reader treats the 5-row sample
as exhaustive; none is a FIX7 control object, and none is touched by PKG-A..I.
D. Dangerous DOTs (frozen)
| DOT | Identity | State | Classification |
|---|---|---|---|
| DOT-119 | dot-birth-trigger-setup (embeds old fn_birth_registry_auto without exempt guard) |
frozen (Stage 0 freeze 2/2) | LEGACY_FREEZE / DO_NOT_TOUCH |
| DOT-118 | dot-birth-backfill (direct INSERT INTO birth_registry) |
frozen | LEGACY_FREEZE / DO_NOT_TOUCH |
E. Authority/ownership posture
- All control objects (legacy
qt001_*, birth gateway) are owned bydirectus. Memory record:directusowns 262 control objects - the structural reason FIX5/FIX6 readiness stays BLOCKED. - FIX7 requires these to be owned by
qt001_cp_ownerwithdirectus/PUBLIC stripped of authority privilege. That ownership/ACL transition is destructive andROLE_CUTOVER_LATER/BLOCKED_UNTIL_AUTHORITY(see docs 04, 08).
F. What is NOT present and must be added (summary)
All FIX7 qt001_cp objects: 3 roles, 1 schema, 4 domains, catalog root (3 tables), 2 manifest
anchors, 27 child authority surfaces, operator_operand_compatibility, 5 registry/runtime-support
tables (evidence_registry, human_identity_registry, principal_registry, analyzer_run,
manifest_activation), 11 runtime-evidence tables, plus all sealed manifest DATA (catalog rows,
27-manifest item rows, 14 readiness-gate rows, bypass-vector rows, 7 hash contracts, #20
authority-scope rows, #21 Directus read-contract rows). Every one is MISSING_ADD, operator-gated.
G. Inventory completeness note
Function/view bodies were not dumped here (read-only counts + names + index history are
sufficient for classification). A future implementation-authoring package must, before any repoint,
re-dump pg_get_functiondef/pg_get_viewdef for the authoritative apply path and bind their
source_sha256 into writer_repoint_manifest #27 / gateway_manifest #26 - see doc 06 guard
G-REPOINT-SRC. Any object whose role is not yet bound to a FIX7 component is
UNKNOWN_REQUIRES_REVIEW and blocks the repoint package until classified.
Live re-verification (2026-06-08, read-only query_pg, DB directus). Schema public,
%qt001% substring: 20 tables, 45 functions (prokind='f') + 1 procedure (prokind='p',
sp_dot_birth_qt001_apply) = 46 routines, 196 views - all owner directus. All 46 routines
have proacl=NULL (PUBLIC EXECUTE) and prosecdef=false (none SECURITY DEFINER); 0 routines
with qt001 in name exist outside public; there are 0 triggers on qt001 tables and 0
triggers invoking a qt001 function (no trigger bypass vector).
The count is NOT the authority - name-pattern fragility is live-proven (Codex BLOCKER 1 / CR-B1 / CR-B3 / CHECK_H / CHECK_I). The same catalog yields a different "legacy set" for every literal an implementer might choose:
- routines: prefix list
fn_qt001%/sp_qt001%/fn_dot_birth_qt001%/sp_dot_birth_qt001%→ 45 fns- 1 proc;
%qt001%substring → identical 46 routines (0 extra outside the prefix list);
- 1 proc;
- views:
qt001%prefix → 0;v_qt001%prefix → 183;%qt001%substring → 196.
A load-bearing set that swings 0 → 183 → 196 by choice of literal is disguised hardcode.
Therefore neutralization (S15), owner/ACL cutover (S16) and freeze (S17) target the sealed
legacy-disposition set (doc 02 §H: typed authority_scope_manifest #20 rows + writer_repoint_manifest
#27 bindings, established candidate→classified→exact-set-proven→sealed), never this name-pattern
scan, which is candidate evidence only. Each routine/relation is bound by regprocedure/regclass
prokind+ identity arguments +source_sha256+privilege_acl_hashand assigned exactly one disposition (doc 02 §I). GuardG-LEGACY-TARGET-SEALED(doc 06) fails any step whose target is name-pattern-derived or unsealed.