FIX7 Refactor Blueprint - Design-to-Live Mapping
02 - Design-to-Live Mapping
Each approved FIX7 component is mapped to its live state, classification, required action, and
action type. Action types: KEEP / MODIFY / ADD / FREEZE / DEPRECATE / REPLACE / REVOKE_LATER /
OPERATOR_GATED / DO_NOT_TOUCH. Design source unless noted: codex-fix7-spec-artifact-correction-...
(byte DDL doc 02; catalog doc 04; hash doc 07; thresholds doc 06) and
codex-fix7-design-correction-from-t1-rp-refinements-... (runtime-evidence doc 02; consolidated
DDL/constraint catalog doc 06; Directus read doc 07) and the CP-06 hash micro-patch package.
A. Foundation (roles, schema, domains, catalog root, anchors)
| Component | Live | Classification | Action | Type |
|---|---|---|---|---|
| roles qt001_cp_owner/migrator/reader | absent | MISSING_ADD | create NOLOGIN roles | ADD (op-gated) |
| schema qt001_cp | absent | MISSING_ADD | create AUTHORIZATION owner | ADD (op-gated) |
| domains sha256,nonempty_text,positive_bigint,nonnegative_bigint | absent | MISSING_ADD | create | ADD (op-gated) |
| code_catalog_set/_family/_item (catalog root, doc 04) | absent (legacy has no catalog root) | MISSING_ADD | create + sealed bootstrap + owner-only immutable | ADD (op-gated) |
| manifest_set, manifest_item_envelope | absent | MISSING_ADD | create (global-unique item_id conservation) | ADD (op-gated) |
| operator_operand_compatibility | absent | MISSING_ADD | create (RP-03 step 5) | ADD (op-gated) |

B. The 27 authority surfaces (exact-set; all MISSING_ADD, all ADD op-gated)
All 27 are absent live and added as qt001_cp child contracts. None maps to a legacy table
in-place; legacy equivalents are REPLACE targets (col C).
| # | Surface | Legacy object it supersedes | Classification |
|---|---|---|---|
| 01 | policy_rule_manifest | qt001_tier_rule_registry(_v2) (predicate rows) | MISSING_ADD |
| 02 | operator_primitive_manifest | fn_qt001_eval_predicate_v2/eval_rule_* operators | MISSING_ADD |
| 03 | metric_manifest | (none; new) | MISSING_ADD |
| 04 | unit_manifest | (none; new) | MISSING_ADD |
| 05 | storage_class_manifest (owns retention/archive) | qt001_runtime_config (retention/partition part only; its driver batch/runaway config maps to sealed adapter behavior, not retention - XH-1) | MISSING_ADD |
| 06 | principal_class_manifest | qt001_authority_identity_registry (class semantics) | MISSING_ADD |
| 07 | authority_action_manifest | (implicit in legacy) | MISSING_ADD |
| 08 | principal_separation_manifest | (implicit; same-human checks) | MISSING_ADD |
| 09 | readiness_gate_manifest (hosts 14 gate DATA rows) | qt001_readiness_guard_registry_v9 + readiness views | MISSING_ADD |
| 10 | hash_component_manifest (hosts 7 H01..H07 contracts) | fn_qt001_plan_fingerprint_v*/fp_compose*/rule_checksum | MISSING_ADD |
| 11 | dependency_manifest | qt001_authoritative_object_registry + callgraph views | MISSING_ADD |
| 12 | bypass_vector_manifest | v_qt001_no_bypass_proof_* views | MISSING_ADD |
| 13 | capability_manifest | qt001_capability_contract/_behavior_registry | MISSING_ADD |
| 14 | capability_measurement_requirement | qt001_capability_operational_evidence (req side) | MISSING_ADD |
| 15 | capability_artifact_requirement | (none; new) | MISSING_ADD |
| 16 | signoff_requirement_manifest | fn_qt001_signoff_row_valid_v* (requirement side) | MISSING_ADD |
| 17 | tier_manifest | qt001_tier_registry | MISSING_ADD |
| 18 | activation_policy_manifest | (none; new) | MISSING_ADD |
| 19 | quorum_requirement_manifest | (none; new) | MISSING_ADD |
| 20 | authority_scope_manifest (TABLE/CONSTRAINT/INDEX/runtime-evidence + expected-constraint) | qt001_hardcode_inventory (object set) | MISSING_ADD |
| 21 | privilege_set_manifest (Directus read contract) | (none; ACL was ad-hoc) | MISSING_ADD |
| 22 | dynamic_sql_target_manifest | (legacy TG_ARGV scan diagnostics) | MISSING_ADD |
| 23 | workload_profile_manifest | (none; scale evidence was free-text) | MISSING_ADD |
| 24 | analyzer_contract_manifest (binds adapter input set) | (none; new) | MISSING_ADD |
| 25 | plan_payload_manifest | qt001_plan_registry/_snapshot/_content_binding | MISSING_ADD |
| 26 | gateway_manifest | registers/binds the QT001 control-plane writer gateway (identity + source_sha256 + fail_closed); records the existing gateway/birth_gateway_release_registry identity for fail-closed reference. It does NOT replace fn_birth_registry_auto - the birth gateway stays DO_NOT_TOUCH (XHigh-MAP) | MISSING_ADD |
| 27 | writer_repoint_manifest | the repeated FIX..FIX6 repoint act, now declarative | MISSING_ADD |

Net new authority surfaces vs approved design: 0 (exactly 27; the legacy objects in col C are NOT authority surfaces under FIX7 and are REPLACE/DEPRECATE targets, not additions).
C. The 11 runtime-evidence tables (non-authority; all MISSING_ADD)
signoff_binding, capability_run, capability_measurement, capability_artifact,
gate_fact_result, bypass_vector_fact_result, quorum_vote, denied_attempt_evidence,
dashboard_export, level_b_packet_execution, post_activation_verifier_state.
| Property | Mapping |
|---|---|
| live state | absent |
| authority? | NO - non-authority runtime facts/evidence; enumerated by typed #20 rows |
| owner | qt001_cp_owner; Directus/PUBLIC no access; append-only after finalization |
| 7 of 11 partitioned | measurement/artifact/gate_fact/bypass_fact/denied/dashboard/level_b RANGE on event time |
| hash binding | H04->signoff_binding; H05->capability_run/measurement/artifact; H02->signoff+capability+post-activation |
These must NEVER be counted among the 27. Guard G-RUNTIME-NONAUTH (doc 06) enforces the count.
D. Sealed DATA components (manifest rows, not new schema)
| Component | Hosted in surface | Classification | Type |
|---|---|---|---|
| 14 readiness gates | readiness_gate_manifest #09 rows | MISSING_ADD (DATA) | ADD op-gated (seal) |
| 7 hash contracts H01..H07 | hash_component_manifest #10 rows | MISSING_ADD (DATA) | ADD op-gated (seal) |
| H04_SCOPE_V1 (8-key scope) | #10 + signoff_binding cols | MISSING_ADD (DATA) | ADD op-gated |
| H02/H05 total orders | #10 stable_order_key[] rows | MISSING_ADD (DATA) | ADD op-gated |
| expected-constraint set | typed #20 CONSTRAINT/INDEX rows + table expected_constraint_set_sha256 | MISSING_ADD (DATA) | ADD op-gated |
| catalog-family enforcement | 3 exact-set families in catalog root | MISSING_ADD (DATA) | ADD op-gated |
| item_payload descriptive-only | enforced by #24 + dependency_manifest edges | MISSING_ADD (rule) | ADD op-gated |
| same-human slot-scope | signoff_binding UNIQUE + #08 separation | MISSING_ADD (rule) | ADD op-gated |
| retention/partition policy | storage_class_manifest #05 rows | MISSING_ADD (DATA) | ADD op-gated |
| Directus read contract | privilege_set_manifest #21 rows | MISSING_ADD (DATA) | ADD op-gated (preserves existing Directus SELECT) |
| control_epoch | column on activation + runtime-evidence | MISSING_ADD | ADD op-gated |
| Level-B pipeline | level_b_packet_execution + #21 | MISSING_ADD | ADD op-gated |
| evidence/principal/human-identity registries | 3 support tables | MISSING_ADD | ADD op-gated |
| analyzer_run / source-hash | analyzer_run + #24 | MISSING_ADD | ADD op-gated |

E. Legacy / live system disposition
| Live component | Classification | Action | Type |
|---|---|---|---|
| 20 legacy qt001_* tables | LEGACY_REPLACE/LEGACY_DEPRECATE/LEGACY_FREEZE (per doc 01 B.1) | replace via manifest world; freeze; never DROP live | REPLACE/FREEZE/DEPRECATE (op-gated) |
| legacy qt001 routines (live: 45 functions + 1 procedure; §H.1) | sealed STUB_FAIL_CLOSED (apply/writer/planner path) or REVOKE_ONLY (rest), per §I | REVOKE EXECUTE on the whole sealed set; stub only STUB_FAIL_CLOSED; repoint authoritative callers; freeze | REVOKE/REPLACE/FREEZE (op-gated) |
| 196 legacy qt001 views (by %qt001%; §H.1) | sealed DEPRECATE_READONLY | deprecate after qt001_cp active+proven | DEPRECATE (op-gated) |
| legacy apply fn_dot_birth_qt001_apply/sp_* | BLOCKED_UNTIL_AUTHORITY then LEGACY_REPLACE | stays blocked; replaced by manifest activation path | REPLACE (op-gated) |
| birth gateway (5 fns + 6 relations) | DO_NOT_TOUCH | preserve birth-neutral; reference by #26 only | DO_NOT_TOUCH |
| DOT-118 / DOT-119 | LEGACY_FREEZE/DO_NOT_TOUCH | keep frozen | DO_NOT_TOUCH |
| directus ownership of all control objects | ROLE_CUTOVER_LATER | transfer to qt001_cp_owner + REVOKE directus/PUBLIC | REVOKE_LATER (op-gated) |
| Directus SELECT read set on business base tables | EXISTS_OK (preserve) | re-grant identically via #21; do NOT migrate to views | KEEP (op-gated) |

F. Hash contracts H01..H07 mapping
| Contract | Meaning (approved) | Live equivalent | Classification |
|---|---|---|---|
| H01 | top-level composite (recomputes transitively) | fn_qt001_plan_fingerprint_v5 composite | MISSING_ADD (DATA) |
| H02 | capability + post-activation total order | (none, byte-pinned in CP-06 patch) | MISSING_ADD |
| H03 | unchanged contract | n/a | MISSING_ADD |
| H04 | signoff scope (8-key H04_SCOPE_V1) + evidence deref to evidence_registry.artifact_sha256 | qt001_signoff_plan_binding (loose) | MISSING_ADD |
| H05 | capability measurements/artifacts total order | qt001_capability_operational_evidence | MISSING_ADD |
| H06 | unchanged | n/a | MISSING_ADD |
| H07 | unchanged | n/a | MISSING_ADD |

New top-level hash contracts vs approved design: 0 (exactly 7).
G. Traceability note - operational dispositions beyond literal design (MX-2)
Two refactor steps are T1 operationalization of the approved design, not verbatim design text, and are explicitly flagged for Codex confirmation in the critical review:
- S15 legacy-entrypoint neutralization - REVOKE EXECUTE (from PUBLIC / directus / every non-qt001_cp_owner role) on the COMPLETE sealed legacy-disposition set (§H), then replace only the entrypoints classified STUB_FAIL_CLOSED (the authoritative apply/writer/planner path) with a fail-closed stub; every other legacy entrypoint is REVOKE_ONLY (privilege change only, body unchanged). The operational membership of the set is the sealed authority_scope_manifest #20 typed rows + writer_repoint_manifest #27 bindings, NOT a name pattern or a prose count (Codex BLOCKER 1 / CR-B1/CR-B3). Derives from the approved no-bypass discipline and the writer_repoint_manifest #27 rollback_stub_source mechanic; it answers the FIX2/FIX3 Codex "PUBLIC EXECUTE bypass" rejection. Introduces no new authority surface, readiness gate, or hash contract - it adds typed DATA rows to the existing surface #20 and a typed disposition column.
- S17/S18 legacy freeze/deprecate of the 20 tables / 46 fns / 196 views. This is the refactor's disposition of superseded objects (append-only/new-version, never live DROP). Introduces no new authority surface, gate, or hash; the legacy objects are not FIX7 authority surfaces.
Both are consistent with the approved 27/11/14/7 model and change none of the invariants, but because they extend beyond the literal approved-design documents they require Codex confirmation rather than being asserted as already-approved.
H. Sealed legacy-disposition set - PG-native operational authority (Codex BLOCKER 1 + 3 fix)
This section replaces the prior "S00 name-pattern set as binding authority" mechanic that Codex critical-review CHECK_B/CHECK_H/CHECK_I failed. Name patterns and owner filters are diagnostic candidate-discovery only; they never decide the operational set.
H.1 Why a name pattern cannot be authority (live proof, read-only, DB directus, 2026-06-08)
The same live catalog yields a different "legacy set" for every pattern an implementer might pick:
| query (schema public) | result |
|---|---|
| routines proname LIKE '%qt001%' | 45 functions (prokind f) + 1 procedure (prokind p) = 46 routines |
| routines matching the prefix list fn_qt001%/sp_qt001%/fn_dot_birth_qt001%/sp_dot_birth_qt001% | 45 functions + 1 procedure (no routine sits outside the prefix list - verified 0 extra) |
| views relname LIKE 'qt001%' | 0 |
| views relname LIKE 'v_qt001%' | 183 |
| views relname LIKE '%qt001%' | 196 |
| tables relname LIKE 'qt001%', relkind r | 20 |
| routines with qt001 in name outside schema public | 0 |

All 46 routines: owner directus, proacl = NULL (PUBLIC EXECUTE), prosecdef = false. All 196
views: owner directus. The view count alone swings 0 → 183 → 196 purely by choice of literal,
and the earlier blueprint prose "46 functions" conflated the 45 functions with the 1 procedure.
A load-bearing set that changes with the literal is disguised hardcode. The count is evidence,
never authority.
H.2 The sealed authority surface
The operational neutralization / freeze / cutover target is the sealed legacy-disposition set,
materialized as typed DATA rows in authority_scope_manifest #20 (the same surface that already
hosts typed TABLE/CONSTRAINT/INDEX/runtime-evidence rows - no new surface), with the apply/writer
body/rollback bindings carried in writer_repoint_manifest #27. Each row pins exact object
identity, not a name:
- object_kind typed enum: LEGACY_FUNCTION/LEGACY_PROCEDURE/LEGACY_TABLE/LEGACY_VIEW (extends #20's existing typed-kind dimension);
- object_ref regprocedure (for routines, includes identity arguments) or regclass (relations);
- prokind (routines), oid_at_capture (diagnostic provenance, never the authority key);
- schema, name, identity_arguments;
- owner_at_capture (pg_proc.proowner/pg_class.relowner resolved to rolname);
- source_sha256 (pg_get_functiondef/pg_get_viewdef);
- privilege_acl_hash (canonical hash over proacl/relacl/pg_attribute.attacl for the object - so a privilege change is detectable);
- disposition (exactly one of the five categories in §I);
- the whole set carries an expected_legacy_set_sha256 (a per-set roll-up, analogous to #20's existing expected_constraint_set_sha256 - it is a roll-up of existing per-row hashes, not a new top-level hash contract; the 7 H01..H07 contracts are unchanged).
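The following query is an added example, not part of the blueprint or its DDL: it captures the per-routine identity columns listed above from the PostgreSQL catalog. The name filter stands in for S00 candidate discovery only, and the ACL canonicalization (sorted aclitem text, with a `<NULL_ACL>` sentinel for a NULL proacl) is an assumption, since the page does not define the canonical form.

```sql
-- Added example: candidate identity rows for legacy routines in schema public.
-- The LIKE filter is diagnostic discovery only; it does not decide membership.
SELECT
    CASE p.prokind WHEN 'f' THEN 'LEGACY_FUNCTION'
                   WHEN 'p' THEN 'LEGACY_PROCEDURE' END  AS object_kind,
    p.oid::regprocedure                                  AS object_ref,   -- name + identity args
    p.prokind,
    p.oid                                                AS oid_at_capture, -- provenance only
    n.nspname                                            AS schema,
    p.proname                                            AS name,
    pg_get_function_identity_arguments(p.oid)            AS identity_arguments,
    pg_get_userbyid(p.proowner)                          AS owner_at_capture,
    encode(sha256(convert_to(pg_get_functiondef(p.oid), 'UTF8')), 'hex')
                                                         AS source_sha256,
    -- Assumed canonical form: ACL entries as text, sorted, newline-joined.
    -- A NULL proacl (default privileges, i.e. PUBLIC EXECUTE) hashes a sentinel
    -- so that "default" and "explicitly empty" never collide.
    encode(sha256(convert_to(coalesce(
        (SELECT string_agg(a::text, E'\n' ORDER BY a::text)
           FROM unnest(p.proacl) AS a),
        '<NULL_ACL>'), 'UTF8')), 'hex')                  AS privilege_acl_hash
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.proname LIKE '%qt001%'
  AND p.prokind IN ('f', 'p')      -- pg_get_functiondef rejects aggregates
ORDER BY p.oid::regprocedure::text;
```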
H.3 How membership is established (candidate → sealed, no name authority)
- S00 discovery (diagnostic): enumerate candidates by name + owner over pg_class/pg_proc. Output is candidate evidence only and is explicitly non-binding.
- Typed classification: each candidate is classified by structural dependency evidence (dependency_manifest #11 closure: is it reachable from / does it expose the authoritative writer path?) and effective-privilege evidence (who can EXECUTE/DML it, role-membership expanded), and assigned exactly one disposition (§I).
- Exact-set proof: the sealed set is both-EXCEPT compared against the live catalog of relevant executable + dependency surface (pg_proc/pg_class/pg_depend): sealed − live = ∅ AND live-relevant − sealed = ∅, and count(UNKNOWN_REQUIRES_REVIEW) = 0. A candidate the pattern missed but #11 shows reachable must be classified before seal; a pattern hit that #11 shows irrelevant is excluded with recorded reason.
- Seal (S12, OPERATOR + quorum): only after the exact-set proof passes are the #20 rows sealed. From that point the sealed set is the sole operational authority for S15/S16/S17.
Guard G-LEGACY-TARGET-SEALED (doc 06) FAILS if any of S15/S16/S17 derive their target from a
name pattern alone, from an unsealed candidate set, or from a set whose both-EXCEPT vs catalog is
non-empty or whose expected_legacy_set_sha256 does not recompute. G-PGNATIVE is extended to
reject name-pattern binding authority anywhere in the blueprint.
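The exact-set proof described above, as an added example that is not the blueprint's own guard code: a self-contained script over constructed rows that reports both EXCEPT directions and the seal gate. The temp tables `sealed_set` and `live_relevant` and their columns are hypothetical stand-ins for the sealed #20 rows and the #11-derived live surface.

```sql
-- Constructed sample rows; table/column layout is an assumption, not the FIX7 DDL.
CREATE TEMP TABLE sealed_set (
    object_ref  text PRIMARY KEY,      -- regprocedure/regclass rendered as text
    disposition text NOT NULL
);
CREATE TEMP TABLE live_relevant (      -- stand-in for the live surface selected via #11
    object_ref  text PRIMARY KEY
);
INSERT INTO sealed_set VALUES
    ('public.fn_example_a(bigint)', 'STUB_FAIL_CLOSED'),
    ('public.fn_example_b()',       'REVOKE_ONLY'),
    ('public.v_example_c',          'UNKNOWN_REQUIRES_REVIEW'),  -- not yet classified
    ('public.fn_example_e()',       'REVOKE_ONLY');              -- no longer present live
INSERT INTO live_relevant VALUES
    ('public.fn_example_a(bigint)'),
    ('public.fn_example_b()'),
    ('public.v_example_c'),
    ('public.fn_example_d(text)');                               -- reachable, never sealed

-- Offending rows, labelled by direction, for the review record.
(SELECT 'sealed_minus_live' AS side, object_ref FROM
    (SELECT object_ref FROM sealed_set
     EXCEPT
     SELECT object_ref FROM live_relevant) s)
UNION ALL
(SELECT 'live_minus_sealed', object_ref FROM
    (SELECT object_ref FROM live_relevant
     EXCEPT
     SELECT object_ref FROM sealed_set) l)
ORDER BY side, object_ref;

-- Seal gate: both differences empty AND no unclassified member.
SELECT NOT EXISTS (SELECT object_ref FROM sealed_set
                   EXCEPT
                   SELECT object_ref FROM live_relevant)
   AND NOT EXISTS (SELECT object_ref FROM live_relevant
                   EXCEPT
                   SELECT object_ref FROM sealed_set)
   AND NOT EXISTS (SELECT 1 FROM sealed_set
                   WHERE disposition = 'UNKNOWN_REQUIRES_REVIEW')
   AS seal_allowed;
```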
I. Disposition categories (Codex BLOCKER 3 - resolves the "stub all" vs "stub apply/writer" contradiction)
Every member of the sealed set carries exactly one disposition. This removes all "replace each with a stub" language over the complete set and makes rollback symmetric (only body-changing dispositions need a body restore).
| disposition | what changes | body changed? | rollback source | live members (by classification) |
|---|---|---|---|---|
| REVOKE_ONLY | EXECUTE revoked from PUBLIC/directus/non-owner; body unchanged | NO | replay captured ACL only (no body) | the legacy functions NOT on the authoritative apply/writer/planner path |
| STUB_FAIL_CLOSED | EXECUTE revoked and body replaced with a fail-closed stub | YES | pinned source_sha256 body + captured ACL, both in #27 | the authoritative apply/writer/planner entrypoints classified live-reachable by #11 (the apply function fn_dot_birth_qt001_apply + apply procedure sp_dot_birth_qt001_apply are certain members; the precise writer/planner members are fixed by the sealed #11 classification at authoring time, not guessed) |
| FREEZE_NO_CHANGE | writes revoked, sentinel-frozen; body unchanged | NO | restore prior grants/flag | the 20 legacy tables |
| DEPRECATE_READONLY | marked deprecated, read-only history retained | NO | clear deprecation flag | the 196 legacy views; tables after their freeze period |
| DO_NOT_TOUCH | nothing | NO | n/a | birth gateway family + DOT-118/119 (never in the QT001 sealed set) |

Rollback symmetry rule: only STUB_FAIL_CLOSED requires a body restore, and exactly those bodies
are pinned in #27. REVOKE_ONLY/FREEZE_NO_CHANGE/DEPRECATE_READONLY restore privileges/flags only.
There is therefore no "rollback cannot restore 46 bodies" gap (Codex CR-E2): the body-restore burden
is bounded to the enumerated STUB_FAIL_CLOSED set.
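The STUB_FAIL_CLOSED disposition and its body-plus-ACL rollback, as an added example on a constructed function (not the project's migration code): the schema `demo_legacy`, the function `fn_apply` and the temp table `captured` are hypothetical, and the whole script rolls back at the end.

```sql
BEGIN;
-- Constructed stand-in for a legacy entrypoint; default ACL (proacl NULL).
CREATE SCHEMA demo_legacy;
CREATE FUNCTION demo_legacy.fn_apply(p_id bigint) RETURNS bigint
    LANGUAGE sql AS $body$ SELECT p_id $body$;

-- Capture before any change: full definition, its hash, and the ACL.
CREATE TEMP TABLE captured ON COMMIT DROP AS
SELECT p.oid::regprocedure::text AS object_ref,
       pg_get_functiondef(p.oid) AS body,
       encode(sha256(convert_to(pg_get_functiondef(p.oid), 'UTF8')), 'hex')
                                 AS source_sha256,
       p.proacl::text            AS acl_at_capture
FROM pg_proc p
WHERE p.oid = 'demo_legacy.fn_apply(bigint)'::regprocedure;

-- Privilege step (this alone is the REVOKE_ONLY disposition).
REVOKE EXECUTE ON FUNCTION demo_legacy.fn_apply(bigint) FROM PUBLIC;

-- Body step (STUB_FAIL_CLOSED only): same signature, body always refuses.
-- CREATE OR REPLACE keeps the owner and the ACL set above.
CREATE OR REPLACE FUNCTION demo_legacy.fn_apply(p_id bigint) RETURNS bigint
    LANGUAGE plpgsql AS $body$
BEGIN
    RAISE EXCEPTION 'legacy entrypoint disabled (fail-closed stub)'
        USING ERRCODE = 'insufficient_privilege';
END
$body$;

-- Rollback: restore the pinned body, prove it by hash, then replay the ACL.
DO $do$
DECLARE
    c record;
BEGIN
    SELECT * INTO STRICT c FROM captured;
    EXECUTE c.body;   -- pg_get_functiondef output is a CREATE OR REPLACE statement
    IF encode(sha256(convert_to(
           pg_get_functiondef(c.object_ref::regprocedure), 'UTF8')), 'hex')
       <> c.source_sha256 THEN
        RAISE EXCEPTION 'restored body does not match pinned source_sha256';
    END IF;
    -- acl_at_capture was NULL (default), so replay means PUBLIC EXECUTE again.
    GRANT EXECUTE ON FUNCTION demo_legacy.fn_apply(bigint) TO PUBLIC;
END
$do$;
ROLLBACK;
```

After the REVOKE and GRANT the function's proacl is an explicit array rather than NULL, so a privilege hash used to verify the replay has to treat the default ACL and its explicit expansion as equal.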
This whole section adds 0 authority surfaces, 0 readiness gates, 0 top-level hash
contracts; it adds typed DATA rows to existing #20 + #27 and one typed disposition column. It is a
T1 operationalization of Codex's own prescribed mechanism (BLOCKER 1: "authority_scope_manifest #20
typed rows ... or writer_repoint_manifest #27 ... explicitly sealed object identity rows with
OID/regclass/regprocedure + source hash + owner + privilege hash") and is flagged for Codex
confirmation in the recheck.