FIX7 Refactor Blueprint - Test / Guard Blueprint
06 - Test / Guard Blueprint
Every guard is PG-native (pg_constraint, pg_index, pg_depend, pg_proc, information_schema,
recomputed hashes, both-EXCEPT set comparisons) - never a regex name list or a literal PASS row.
"required for PASS" guards must be green before the step they gate may be sealed/activated/cut over.
| guard | input | expected output | failure meaning | when run | required for PASS |
|---|---|---|---|---|---|
| G-NOHARDCODE | pg_get_functiondef/viewdef of all qt001_cp writer/adapter fns | no operational numeric/string literal drives authority; all thresholds resolve to sealed manifest rows | direct hardcode | S11, S19 | YES |
| G-NODISGUISE | adapter/readback sources vs sealed #05/#06 rows | every threshold/interval/capacity dereferences a sealed row, not a CASE/CHECK literal | disguised hardcode | S10, S11, S19 | YES |
| G-PGNATIVE | guard implementations + every operational target/authority set | all guards read PG catalog/data; no name pattern, owner filter, or prose count is the binding authority for any operational set (neutralize/freeze/cutover/repoint) - final authority is sealed manifest rows + catalog ownership/ACL + pg_depend closure + recomputed hash; name/owner scans are diagnostic candidates only | PG-native violation / name-pattern binding authority (Codex CHECK_I) | S00, S11, S13, S15, S19 | YES |
| G-AUTH-27 | child tables vs envelope, both-EXCEPT | exactly 27 authority surfaces; count and set exact | surface count drift | S11, S19 | YES |
| G-RUNTIME-NONAUTH | runtime-evidence tables vs #20 typed rows | exactly 11; none classed as authority | runtime/authority confusion | S07, S11, S19 | YES |
| G-GATES-14 | readiness_gate_manifest rows | exactly 14 sealed gate rows; 0 new gate schema | gate count drift | S10, S19 | YES |
| G-HASH-7 | hash_component_manifest contracts | exactly 7 (H01..H07); 0 new top-level contracts | hash contract drift | S10, S19 | YES |
| G-HASHDET | recompute H01/H02/H04/H05 over fixtures (CP-06 encoding: hex, COLLATE C, UTC, trim_scale, JSON-null, total order) | byte-identical digests across two independent recomputes | hash non-determinism (the FIX..FIX6 divergence loop) | S10, S11, S19 | YES |
| G-H04-SCOPE | H04_SCOPE_V1 8-key order vs signoff_binding cols + UNIQUE | 8 NOT NULL cols, closed set, evidence deref to evidence_registry.artifact_sha256 | scope hash under-binding | S10, S11 | YES |
| G-EXACTSET-20 | #20 expected vs realized pg_constraint/pg_index, both EXCEPT directions | both EXCEPT empty; dropped deferred FK -> OBJECT_AUTHORITY_IMMUTABLE; any extra index fails (no BENIGN exemption) | silent integrity hole | S08, S11, S19 | YES |
| G-CATALOG-SEAL | catalog root bootstrap + 3 families both-EXCEPT | sealed, owner-only immutable; family coverage exact | FK-authority root tamper | S02, S19 | YES |
| G-DIRECTUS-READ | S00-captured existing Directus SELECT set (MX-1) vs #21 rows | #21 == captured existing SELECT set; SELECT-only base-table reads preserved; no view migration; stale/unknown read path blocks | Directus read regression / read-path break | S00, S09, S16, S19 | YES |
| G-OWNER-CUTOVER | post-cutover ownership + full ACL (incl. pg_attribute.attacl column ACL, sequence ACL, nspacl, pg_default_acl) + effective privilege via pg_auth_members role expansion vs #20/#21 expected and vs the verified pre-cutover snapshot (doc 05 invariant 3) | all control objects owned by qt001_cp_owner; directus/PUBLIC authority revoked (proven by effective privilege, not only direct ACL rows); Directus SELECT intact; snapshot present + hash-bound + both-direction effective-privilege match | ownership/ACL drift; column-ACL or role-membership leak; false readiness un-block; absent/unverified snapshot | S16, S19 | YES |
| G-ITEMPAYLOAD | adapter dependency edges (#11) vs #24 allowed input set, both-EXCEPT | code_catalog_item.item_payload never operationally read; observed edges == sealed edges | operational payload read | S15, S19 | YES |
| G-CATFAMILY | 3 catalog families exact-set both-EXCEPT | full coverage; no extra/missing family member | catalog-family gap | S02, S11 | YES |
| G-SAMEHUMAN | signoff_binding UNIQUE + #08 separation rows | reviewer/binder human identities must differ per slot scope; slot-scoped not blanket | same-human bypass | S11, S19 | YES |
| G-EVIDENCE-FK | evidence/identity/principal FK integrity (RESTRICT/RESTRICT NOT DEFERRABLE) | no orphan; fake/missing evidence rejected (ON DELETE RESTRICT) | evidence forgery | S08, S19 | YES |
| G-RETENTION-SEAL | #05 retention/archive rows; archive_required target check | archive target present, immutable, versioned; data-driven not CHECK literal | retention authority gap | S10, S19 | YES |
| G-EPOCH-TOCTOU | activation control_epoch read vs bound epoch | epoch read and bound atomically; no caller-supplied lifecycle | TOCTOU activation | S14, S19 | YES |
| G-LEVELB-NOSQL | Level-B packet execution path | no manual SQL path; only sealed level_b_packet_execution via owner entrypoint | manual SQL bypass | S15, S19 | YES |
| G-REPOINT-SRC | live writer/gateway source_sha256 vs #27 old/new | bound source matches live before/after; rollback stub source pinned | unpinned repoint | S13, S15 | YES |
| G-NOLEGACY-PRE | dependency_manifest #11 closure from the new entrypoints + the sealed legacy-disposition set (#20) | (structural/closure proof, does NOT require EXECUTE already revoked) legacy_reached = 0 from the new entrypoints (recursive structural closure, not a name list); the sealed set is complete (0 UNKNOWN_REQUIRES_REVIEW; both-EXCEPT vs catalog empty); every member has exactly one disposition; rollback artifacts staged (pinned #27 source for STUB_FAIL_CLOSED, captured ACL for REVOKE_ONLY). Non-vacuity: the closure must prove its roots (the new entrypoints) exist and traversal reached a non-empty object set, so legacy_reached=0 cannot pass via a mis-seeded/empty closure | repoint would leave a legacy object reachable, or be authored against an incomplete/unsealed set, OR a vacuous false-green | S13 (PKG-D), S15 in-transaction precondition (PKG-F) | YES |
| G-NOLEGACY-POST | pg_proc/proacl/relacl effective privilege (role-membership expanded via pg_auth_members) over the sealed legacy-disposition set, after S15 | non-owner-effective-EXECUTE = 0 over the entire sealed set (PUBLIC / directus / any role != qt001_cp_owner); every STUB_FAIL_CLOSED member is fail-closed; REVOKE_ONLY members are EXECUTE-revoked with body unchanged (XH-2: blocked, not merely unreachable - over the complete sealed set, not a sampled subset). Non-vacuity: the sealed set is non-empty and the check ran over all of it | legacy bypass (the repeated FIX..FIX6 PUBLIC-EXECUTE failure) survived the cutover | S15 post-proof (PKG-F), S19 | YES |
| G-OPERAND-TYPED | every policy_rule_manifest/capability_measurement_requirement operand vs operator_operand_compatibility | operand type compatible with operator for every rule/requirement; no incompatible operand seals | typed-operand mismatch (XH-3) | S05, S11, S19 | YES |
| G-DIRECTUS-APP-INTACT | Directus authority over directus_* application tables + legitimately-owned business base tables, before/after S16 | unchanged; cutover touches only qt001_cp + enumerated legacy control objects | over-revoke breaks live CMS (XH-4) | S16, S19 | YES |
| G-BIRTH-NEUTRAL | birth_registry row count + gateway norm-md5 before/after | row delta = 0; gateway hash unchanged; 166 triggers intact | birth gateway disturbed | S15, S16, S17, S19 | YES |
| G-ROLLBACK-SAFE | post-rollback state for each step | apply/permit/REAL_RUN/QT001 blocked; directus-owned restorable; birth-neutral | rollback leaves unsafe state | each rollback | YES |
| G-DOT-FROZEN | DOT-118 / DOT-119 freeze flags | both remain frozen (2/2) | dangerous DOT unfreeze | S00, S19 | YES |
| G-DOT-NOOVERWRITE | PG-native final authority: pg_namespace.nspacl of qt001_cp (no CREATE for PUBLIC / directus / any non-owner) + pg_class.relowner / pg_proc.proowner of every qt001_cp control object incl. the QT001 writer gateway (all == qt001_cp_owner) + gateway_manifest#26 / writer_repoint_manifest#27 bound source_sha256. Diagnostic/preflight only (never final authority): a scan of DOT deployment-artifact bodies for a CREATE OR REPLACE of a control object/gateway - DOTs are filesystem/KB deploy scripts, not pg_proc, so a body scan is non-PG-native and advisory | (a) qt001_cp control objects + the QT001 writer gateway: a non-owner CREATE OR REPLACE/overwrite is impossible by owner-isolation, proven from catalog ownership + nspacl, NOT from any DOT text; (b) the directus-owned birth gateway (DO_NOT_TOUCH; FIX7 never owns it, so owner-isolation cannot apply): an overwrite is DETECTED by G-BIRTH-NEUTRAL (gateway norm-md5 unchanged) and prevented-in-practice by G-DOT-FROZEN (DOT-118/119 never execute) + the section A "birth gateway modification" hard block; (c) the DOT-body diagnostic FAILS CLOSED - an unreadable/absent DOT body is treated as a candidate overwrite vector and blocks, never passes by default | old/frozen DOT or non-owner overwrites gateway/control-plane | S00, S15, S19 | YES |
| G-LEGACY-FROZEN | legacy qt001_* (20 tables/46 fns/196 views) grants + sentinel flags after S17 | writes revoked; objects sentinel-frozen and unreachable; no live-required object (birth/QT-002) depends on a frozen target; never live-DROPped | legacy un-frozen or freeze breaks a live dependency | S17, S19 | YES |
| G-UNKNOWN-ZERO | classification of every live qt001_*/control object | 0 UNKNOWN_REQUIRES_REVIEW before repoint | no-guess violation | S00, S13 | YES |
| G-LEGACY-TARGET-SEALED | the operational target set used by S15/S16/S17 vs the sealed authority_scope_manifest #20 legacy-disposition rows + live catalog | the operational set is the sealed #20 set (not a name pattern / owner scan / prose count); sealed set both-EXCEPT vs catalog = ∅ both directions; 0 unclassified; expected_legacy_set_sha256 recomputes; every member has exactly one disposition + identity (regprocedure/regclass+prokind+source_sha256+privilege_acl_hash) | operational target derived from name pattern alone / unsealed / set-hash mismatch / both-EXCEPT non-empty (Codex BLOCKER 1) | S00, S09, S15, S17, S19 | YES |
| G-NOMIXED-AUTHORITY | active manifest_activation for the writer type + effective executability of the sealed legacy set, at every cutover/rollback checkpoint | the new qt001_cp authoritative path and any legacy executable path are mutually exclusive - it is impossible for both to be active/executable simultaneously; during S15 rollback the new path is proven superseded BEFORE any legacy EXECUTE is restored | mixed old+new authority window (Codex BLOCKER 4 / CR-E1) | S15, S16, each rollback, S19 | YES |
| G-WRITER-GATEWAY-IDENTITY | live active writer vs the #26-pinned gateway (regprocedure+prokind+source_sha256+owner) + #27 bindings (doc 04 §Writer-gateway-identity) | post-S15 active writer == #26-bound regprocedure with matching source_sha256 and owner qt001_cp_owner (born owner-isolated, no directus phase); legacy writer/apply objects are members of the sealed #20/#27 set; fn_birth_registry_auto unchanged and is NOT the QT001 gateway; no guard assumes the post-S16 owner state at S15 (phase-explicit) | gateway identity ambiguous / name-pattern-bound / phase-confused owner (Codex BLOCKER 6 / CHECK_D) | S13, S15, S16, S19 | YES |
| G-NO-QT001-PERMIT-DURING-FIX7 | every FIX7 package's authorization + any qt001_backfill_permit / admission-permit / REAL_RUN-authority state | no FIX7 package (PKG-A..I) opens, consumes, or depends on a qt001_backfill_permit (admission/birth permit), REAL_RUN authority, or QT001 apply authority; operator_authorization is package-execution authority ONLY and grants none of those | a FIX7 package conflates operator_authorization with the blocked qt001_backfill_permit / opens QT001 apply (Codex BLOCKER 7 / CHECK_J) | S14, S15, S16, S17, S19 | YES |
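The effective-privilege proof that G-NOLEGACY-POST and G-OWNER-CUTOVER describe (role membership expanded through pg_auth_members, default ACL treated as a PUBLIC grant, non-vacuity asserted first), written out as an added example rather than FIX7's own guard code. It assumes the sealed #20 surface exposes columns `member regprocedure` and `disposition text` in `qt001_cp.authority_scope_manifest`; those column names are assumptions, the table name, role name and dispositions come from the blueprint.

```sql
-- Added example, not FIX7 project code. Assumed columns on surface #20:
--   qt001_cp.authority_scope_manifest(member regprocedure, disposition text)
CREATE OR REPLACE FUNCTION qt001_cp.guard_nolegacy_post() RETURNS void
LANGUAGE plpgsql AS $$
DECLARE
  sealed_n bigint;
  leak     record;
BEGIN
  -- Non-vacuity: an empty sealed set must block, never "prove" zero legacy reach.
  SELECT count(*) INTO sealed_n
  FROM qt001_cp.authority_scope_manifest
  WHERE disposition IN ('STUB_FAIL_CLOSED', 'REVOKE_ONLY');
  IF sealed_n = 0 THEN
    RAISE EXCEPTION 'G-NOLEGACY-POST vacuous: sealed legacy-disposition set is empty';
  END IF;

  -- Effective EXECUTE: every non-owner role, expanded transitively through
  -- pg_auth_members, checked against the exploded proacl. A NULL proacl is the
  -- default ACL, which grants EXECUTE to PUBLIC (the historical leak).
  FOR leak IN
    WITH RECURSIVE candidates AS (
      SELECT oid AS roleid, rolname FROM pg_roles
      WHERE rolname <> 'qt001_cp_owner'
        AND NOT rolsuper   -- superusers bypass ACLs entirely; not an ACL question
    ), held AS (
      SELECT roleid, roleid AS holds FROM candidates
      UNION
      SELECT h.roleid, am.roleid FROM held h
      JOIN pg_auth_members am ON am.member = h.holds
    )
    SELECT s.member, c.rolname, a.grantee::regrole AS via
    FROM qt001_cp.authority_scope_manifest s
    JOIN pg_proc p ON p.oid = s.member::oid
    CROSS JOIN LATERAL aclexplode(coalesce(p.proacl, acldefault('f', p.proowner))) a
    JOIN candidates c ON (a.grantee = 0   -- PUBLIC grant reaches every role
         OR EXISTS (SELECT 1 FROM held h WHERE h.roleid = c.roleid AND h.holds = a.grantee))
    WHERE s.disposition IN ('STUB_FAIL_CLOSED', 'REVOKE_ONLY')
      AND a.privilege_type = 'EXECUTE'
  LOOP
    RAISE EXCEPTION 'G-NOLEGACY-POST: % still EXECUTE-able by % (grant to %)',
      leak.member, leak.rolname, leak.via;
  END LOOP;
END $$;
```

The function raises on the first leaking member, so a green result means the whole sealed set was traversed with no non-owner effective EXECUTE; the STUB_FAIL_CLOSED body check is a separate behavioural test not shown here.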
Guard-quality rules (anti-false-green; Max-hardened 2026-06-08)
These rules bind every guard above; a guard that violates them is itself a defect:
- No vacuous pass. Any guard whose pass condition is "= 0", "empty", or "both-EXCEPT empty" (G-NOLEGACY-PRE/POST, G-LEGACY-TARGET-SEALED, G-NOMIXED-AUTHORITY, G-EXACTSET-20, G-UNKNOWN-ZERO, the G-AUTH-27 / G-RUNTIME-NONAUTH set-diffs) must ALSO assert the underlying input set/closure is non-vacuous and well-formed: the expected set is populated (27 surfaces; the sealed legacy-disposition set) and any closure actually traversed from present roots. A mis-seeded or empty computation must not produce a false green (the FIX5 lesson: an empty / mis-rooted closure once "proved" zero legacy reach).
- NULL-strict aggregates. No guard may decide PASS via bool_and(...)/bool_or(...) over a nullable column where NULL is silently ignored; use NULL-strict count-match (expected count == realized non-NULL count) so a NULL component fails closed (the FIX5/FIX6 lesson).
- Source-text is diagnostic, never authority. Any guard that reads pg_get_functiondef/pg_get_viewdef/DOT bodies (G-NOHARDCODE, G-NODISGUISE, G-DOT-NOOVERWRITE) uses that text only to FLAG candidates; the FINAL blocking authority is PG-native: catalog ownership/ACL, pg_constraint/pg_index, pg_depend structural closure, sealed manifest rows, or a recomputed hash. Missing source-text visibility fails closed, never passes by default.
- No existence-only proof. A guard may not pass because an object/row merely exists; it must test behavior, an exact set, or a recomputed value.
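The first two rules applied to a G-EXACTSET-20-style constraint check, as an added example (not FIX7's guard code): the expected set must be non-empty, every manifest row must be fully non-NULL (count-match, not bool_and), and both EXCEPT directions must be empty. The expected-set surface `qt001_cp.expected_constraint_manifest` and its columns are assumptions; `condeferrable` is part of the key so a deferred FK re-created as non-deferred shows up as a diff.

```sql
-- Added example, not FIX7 project code. Assumed sealed expected-set surface:
--   qt001_cp.expected_constraint_manifest(relname text, conname text, contype "char", condeferrable boolean)
CREATE OR REPLACE FUNCTION qt001_cp.guard_exactset_constraints() RETURNS void
LANGUAGE plpgsql AS $$
DECLARE
  expected_n    bigint;
  expected_full bigint;
  missing       text;
  extra         text;
BEGIN
  -- Non-vacuity + NULL-strictness: count(*) must equal the count of rows with
  -- every key component non-NULL. bool_and() would silently skip NULL rows.
  SELECT count(*),
         count(*) FILTER (WHERE relname IS NOT NULL AND conname IS NOT NULL
                            AND contype IS NOT NULL AND condeferrable IS NOT NULL)
  INTO expected_n, expected_full
  FROM qt001_cp.expected_constraint_manifest;
  IF expected_n = 0 THEN
    RAISE EXCEPTION 'G-EXACTSET vacuous: expected constraint set is empty';
  END IF;
  IF expected_n <> expected_full THEN
    RAISE EXCEPTION 'G-EXACTSET ill-formed: % manifest rows carry a NULL key component',
      expected_n - expected_full;
  END IF;

  -- Both EXCEPT directions over the same 4-column key, read from pg_constraint.
  WITH expected AS (
    SELECT relname, conname, contype, condeferrable
    FROM qt001_cp.expected_constraint_manifest
  ), realized AS (
    SELECT c.relname::text, k.conname::text, k.contype, k.condeferrable
    FROM pg_constraint k
    JOIN pg_class c     ON c.oid = k.conrelid
    JOIN pg_namespace n ON n.oid = c.relnamespace
    WHERE n.nspname = 'qt001_cp'
  )
  SELECT (SELECT string_agg(relname || '.' || conname, ', ')
          FROM (TABLE expected EXCEPT TABLE realized) m),   -- dropped/changed (e.g. deferred FK gone)
         (SELECT string_agg(relname || '.' || conname, ', ')
          FROM (TABLE realized EXCEPT TABLE expected) x)    -- silent extra constraint
  INTO missing, extra;

  IF missing IS NOT NULL OR extra IS NOT NULL THEN
    RAISE EXCEPTION 'G-EXACTSET: missing=[%] extra=[%]',
      coalesce(missing, ''), coalesce(extra, '');
  END IF;
END $$;
```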
Guard family coverage check (vs macro SUPERTRACK F)
All required guard families are mapped: no hardcode (G-NOHARDCODE), no disguised hardcode (G-NODISGUISE), PG-first/native/driven (G-PGNATIVE), authority=27 (G-AUTH-27), runtime=11 (G-RUNTIME-NONAUTH), gates=14 (G-GATES-14), hashes=7 (G-HASH-7), H04/H02/H05 determinism (G-HASHDET, G-H04-SCOPE), constraint exact-set both-EXCEPT (G-EXACTSET-20), Directus read preflight (G-DIRECTUS-READ), owner/ACL cutover (G-OWNER-CUTOVER), item_payload no operational read (G-ITEMPAYLOAD), catalog-family exact-set (G-CATFAMILY), same-human slot-scope (G-SAMEHUMAN), evidence FK integrity (G-EVIDENCE-FK), retention authority seal (G-RETENTION-SEAL), control_epoch TOCTOU (G-EPOCH-TOCTOU), Level-B no manual SQL (G-LEVELB-NOSQL), rollback safe-blocked (G-ROLLBACK-SAFE). Plus refactor-specific additions: G-REPOINT-SRC, G-NOLEGACY-PRE + G-NOLEGACY-POST (phase-split; legacy entrypoint blocked, not merely unreachable), G-BIRTH-NEUTRAL, G-DOT-FROZEN, G-DOT-NOOVERWRITE (old/frozen DOT cannot overwrite gateway/control-plane - XHigh-2), G-LEGACY-FROZEN (XHigh-1 dangling-ref fix), G-UNKNOWN-ZERO, G-OPERAND-TYPED (XH-3), G-DIRECTUS-APP-INTACT (XH-4), G-LEGACY-TARGET-SEALED (Codex BLOCKER 1), G-NOMIXED-AUTHORITY (Codex BLOCKER 4), G-WRITER-GATEWAY-IDENTITY (Codex BLOCKER 6), G-NO-QT001-PERMIT-DURING-FIX7 (Codex BLOCKER 7).
Total guards: 35 (was 26 High → 30 after the independent XHigh/Max passes → 35 after the Codex critical-review patch pass 2026-06-08: G-NOLEGACY split into G-NOLEGACY-PRE/POST (+1 net, BLOCKER 2), +G-LEGACY-TARGET-SEALED (BLOCKER 1), +G-NOMIXED-AUTHORITY (BLOCKER 4), +G-WRITER-GATEWAY-IDENTITY (BLOCKER 6), +G-NO-QT001-PERMIT-DURING-FIX7 (BLOCKER 7); G-PGNATIVE and G-OWNER-CUTOVER tightened, not added). These 35 are PG-native TEST/VERIFICATION guards in this doc - NOT readiness gates. The invariants are unchanged: readiness gates remain 14 (DATA rows in surface #09), hash contracts remain 7 (H01..H07), authority surfaces remain 27, runtime-evidence 11; the sealed legacy-disposition set is DATA rows in the existing surface #20, not a new surface. The SUPERTRACK-G families the High draft under-covered are now explicit: "legacy entrypoint blocked, not merely unreachable" (G-NOLEGACY-POST), "old DOT/gateway overwrite impossible" (G-DOT-NOOVERWRITE), "no name-pattern authority" (G-LEGACY-TARGET-SEALED + G-PGNATIVE), and "no mixed authority on rollback" (G-NOMIXED-AUTHORITY).
Negative-test requirement (from approved design §2.5)
Each of the 27 contracts must run the full negative suite (missing/extra/orphan/wrong-manifest child, NULL required, unknown FK, duplicate key, invalid hash length, Directus DML, PUBLIC DML, sealed UPDATE/DELETE, wrong count, noncontiguous ordinal, payload-hash mismatch) plus family-specific CHECK/UNIQUE/FK mutations. No negative test may be a literal PASS row - each must produce a real DDL/permission rejection or seal/activation rejection. This is the explicit defense against the historical false-green pattern.
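One negative test written to that standard, as an added example rather than the project's own suite: a non-owner DML attempt must be rejected by PostgreSQL itself (SQLSTATE 42501, insufficient_privilege), any other outcome, including a different error or a DML that goes through, fails the test, and the row count is re-checked afterwards so the result rests on behaviour, not on a recorded PASS. It assumes the harness role is permitted to SET ROLE to the attacker role it names; `negtest_nonowner_dml` and the example target are hypothetical names.

```sql
-- Added example, not FIX7 project code. Requires the caller to be allowed to
-- SET ROLE to `attacker` (e.g. the harness runs as a superuser).
CREATE OR REPLACE FUNCTION qt001_cp.negtest_nonowner_dml(target regclass, attacker name)
RETURNS text LANGUAGE plpgsql AS $$
DECLARE
  rows_before bigint;
  rows_after  bigint;
  observed    text;
BEGIN
  EXECUTE format('SELECT count(*) FROM %s', target) INTO rows_before;
  BEGIN
    -- SET LOCAL is transactional: it is undone when this sub-block rolls back.
    EXECUTE format('SET LOCAL ROLE %I', attacker);
    EXECUTE format('DELETE FROM %s', target);
    -- Reaching here means the DML went through: abort the sub-block so the
    -- delete is rolled back, then report the missing rejection below.
    RAISE EXCEPTION 'dml not rejected' USING ERRCODE = 'NT001';
  EXCEPTION
    WHEN insufficient_privilege THEN
      observed := SQLSTATE;   -- 42501: the real PostgreSQL rejection the test requires
    WHEN SQLSTATE 'NT001' THEN
      RAISE EXCEPTION 'NEGTEST FAIL: % DML on % was NOT rejected', attacker, target;
    WHEN OTHERS THEN
      -- A different error is not proof of a permission boundary: fail closed.
      RAISE EXCEPTION 'NEGTEST FAIL: % on % failed with % (%), not insufficient_privilege',
        attacker, target, SQLSTATE, SQLERRM;
  END;
  -- Behavioural confirmation: the sealed rows are untouched.
  EXECUTE format('SELECT count(*) FROM %s', target) INTO rows_after;
  IF rows_after <> rows_before THEN
    RAISE EXCEPTION 'NEGTEST FAIL: row count on % changed (% -> %)', target, rows_before, rows_after;
  END IF;
  RETURN observed;   -- the evidence recorded is the observed SQLSTATE, never a literal PASS
END $$;

-- Usage against a control table named in the blueprint (target is an assumption):
-- SELECT qt001_cp.negtest_nonowner_dml('qt001_cp.readiness_gate_manifest', 'directus');
```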