FIX7 Refactor Blueprint - Hard Blocks and Do-Not-Touch List
08 - Hard Blocks and Do-Not-Touch List
Explicit list of objects/actions that must NOT be touched now, why, and the future gate that could unlock each. This blueprint changes none of them.
A. Hard-blocked actions (must remain blocked)
| action | classification | why blocked now | future gate that could unlock |
|---|---|---|---|
| Stage 2.6B (permit/run/keyset/resume + authority revoke) | BLOCKED_UNTIL_AUTHORITY | separate blocked program; not authorized by FIX7 design approval | its own macro after FIX7 refactor + Codex audit + permit |
| qt001_backfill_permit / admission permit (open birth/backfill/apply permit) | BLOCKED_UNTIL_AUTHORITY | no admission/backfill permit may be opened in a blueprint/planning phase. This is distinct from operator_authorization (package-execution authority for PKG-E..H), which is NOT a permit, opens no apply/admission/REAL_RUN, and creates no readiness gate (doc 07 §Terminology; Codex BLOCKER 7) | a separate birth/backfill authority gate, far future - never granted by an operator_authorization |
| REAL_RUN | BLOCKED_UNTIL_AUTHORITY | scale/capability runs are real production execution | separate gate after activation + operator authority |
| QT001 apply (fn_dot_birth_qt001_apply, sp_dot_birth_qt001_apply) | BLOCKED_UNTIL_AUTHORITY | apply path has been blocked since Codex NOT_SAFE; unchanged. Under FIX7 both are sealed STUB_FAIL_CLOSED members (doc 02 §I) | manifest-active path + a separate QT001-apply/qt001_backfill_permit gate, far future - never unlocked by an operator_authorization alone (G-NO-QT001-PERMIT-DURING-FIX7) |
| owner/ACL cutover | OPERATOR_GATED | destructive; strips directus authority that holds readiness BLOCKED | PKG-G under explicit operator authority |
| manifest activation / seal | OPERATOR_GATED | requires quorum + epoch binding | PKG-E quorum + operator |
| Directus authority change (control objects only) | OPERATOR_GATED | Directus owns 262 control objects; SELECT read path must be preserved. Cutover is scoped to qt001_cp + enumerated legacy control objects ONLY - Directus keeps authority over its own directus_* app tables and legitimately-owned business tables (XH-4) | PKG-G with G-DIRECTUS-READ + G-DIRECTUS-APP-INTACT preflight |
| scheduler / action enablement | BLOCKED_UNTIL_AUTHORITY | no scheduler/DOT/action is enabled in planning | separate operator gate |
| production writer execution | BLOCKED_UNTIL_AUTHORITY | live writer stays on current blocked path until PKG-F | PKG-F operator cutover |
| any dangerous DOT unfreeze (DOT-118/119) | DO_NOT_TOUCH | embed old gateway/direct INSERT; permanently dangerous | no foreseeable unlock; stay frozen |
| birth gateway modification (fn_birth_registry_auto/_id, birth_registry, permit/ledger) | DO_NOT_TOUCH | FIX7 references the gateway only via gateway_manifest #26; any edit risks birth-neutral + 166 triggers; a CREATE OR REPLACE of the gateway is the DOT-119 hazard - because FIX7 must not (and does not) strip directus's ownership of the birth gateway, its overwrite-protection is DETECTION (G-BIRTH-NEUTRAL gateway norm-md5) + G-DOT-FROZEN (the DOT never runs) + this DO_NOT_TOUCH policy, NOT owner-isolation; owner-isolation under G-DOT-NOOVERWRITE protects only the qt001_cp control objects + the QT001 writer gateway | separate explicitly-authorized birth-gateway program only |
| registry-pivot repoint (re-point authoritative writers onto the new registry/control-plane as system-of-record) | BLOCKED_UNTIL_AUTHORITY | must not occur until birth/governance/registry truth all pass; FIX7 repoint (S13-S15) is scoped to the QT001 control-plane writer/gateway, NOT a broader registry-of-record pivot | a later, separately authorized registry-pivot program after governance + registry-truth gates |
B. Do-not-touch objects (no modification now)
| object | classification | why |
|---|---|---|
| fn_birth_registry_auto + 166 triggers / 148 tables | DO_NOT_TOUCH | live birth gateway; birth-neutral invariant; FIX7 references it only via gateway_manifest #26 |
| fn_birth_registry_auto_id (3 BIRTH_REQUIRED tables) | DO_NOT_TOUCH | live secondary gateway |
| fn_birth_policy_decision/_resolve_identity/_register | DO_NOT_TOUCH | live shared foundation fns |
| birth_registry (anchor 1,210,928+) | DO_NOT_TOUCH | row-count anchor; any delta = birth gateway disturbed |
| birth_admission_permit(+v2), birth_backfill_ledger(+v2), birth_gateway_release_registry | DO_NOT_TOUCH | live permit/ledger/release contract |
| DOT-119 dot-birth-trigger-setup, DOT-118 dot-birth-backfill | LEGACY_FREEZE / DO_NOT_TOUCH | frozen dangerous DOTs (Stage 0 freeze 2/2) |
| legacy qt001_* (20 tables / 46 fns / 196 views), directus-owned | LEGACY_FREEZE until PKG-H | not deleted live; frozen only after qt001_cp active + #11 non-dependence proof |
| source IU tables / iu_core / iu_staging_* | DO_NOT_TOUCH | source-of-truth ingestion; no FIX7 mutation; 2 birth-trigger-gap tables noted, unchanged |
| Directus SELECT read set on business base tables | DO_NOT_TOUCH (preserve) | re-granted identically via #21; never migrated to views |
C. What this blueprint explicitly did NOT do
No production DB/role/grant/trigger/function/scheduler/UI mutation; no DB object creation; no live SQL; no manifest activation; no ownership/ACL change; no permit; no Stage 2.6B; no REAL_RUN; no QT001 apply; no Directus authority change; no source IU mutation; no Codex-doc edit. The only writes are the 13 KB blueprint docs + checkpoint.
E. Cross-layer scope boundaries (explicitly OUT OF SCOPE for this blueprint - XHigh-L)
The FIX7 refactor is the QT001 control-plane refactor only. The following adjacent concerns are NOT addressed, NOT included, and remain blocked/future; an implementer must not pull them in:
| concern | classification | why out of scope |
|---|---|---|
| registry-pivot repoint (system-of-record cutover) | BLOCKED_UNTIL_AUTHORITY | gated on birth/governance/registry-truth passing; separate program |
| Đ43 context-truth reconciliation / dedup | BLOCKED_UNTIL_AUTHORITY | FIX7 registries (principal/human_identity/evidence) must not duplicate or override Đ43 context truth; alignment is a later cross-layer task |
| QT-006 universal lifecycle / death | BLOCKED_UNTIL_AUTHORITY | separate approved program (design index Stage 5); not this refactor |
| raw birth_registry as managed-object truth | DO_NOT_TOUCH | raw birth is birth-event truth, not managed-object/authority truth; FIX7 authority lives in sealed manifests, not raw birth rows |
| memory/harness/Đ43 alignment | BLOCKED_UNTIL_AUTHORITY | noted as a future cross-layer step if/when required; not in PKG-A..I |
This blueprint asserts these boundaries so a future reader does not mistake the QT001 control-plane repoint for a broader registry/governance/lifecycle change.
D. Unlock chain summary
FIX7 design approved (DONE)
-> this refactor blueprint (DONE, pending Codex critical review)
-> Codex critical review of blueprint (NEXT, external)
-> implementation-authoring authorization (PKG-A..D author/rehearsal/read-only)
-> Codex re-audit + operator permit
-> PKG-E create+seal+activate (OPERATOR)
-> PKG-F repoint cutover (OPERATOR)
-> PKG-G owner/ACL cutover (OPERATOR)
-> PKG-H legacy freeze/deprecate (OPERATOR)
-> PKG-I post-cutover verification
-> (separate gates) REAL_RUN / QT001 apply / Stage 2.6B
Each arrow is a gate. Nothing past "this refactor blueprint" is authorized by the current macro.