KB-714B
FIX7 Refactor Blueprint - XHigh Adversarial Review
Revision 1
09 - T1-XHigh Adversarial Review
Reviewer posture: assume the High blueprint is wrong until each of the 15 checks proves otherwise.
Findings that require a blueprint change are marked XHIGH_FINDING; the revision and re-check are
recorded in doc 11.
| # | check | verdict | evidence / finding |
|---|---|---|---|
| 1 | confused build-from-scratch with refactor? | PASS | doc 00/02 explicitly model a parallel green-field qt001_cp plus repoint/freeze of live legacy; not a from-nothing build |
| 2 | missed any existing live object? | PASS-with-note | 20 tables/46 fns/196 views/birth gateway/DOTs inventoried live; iu_core/cutter_governance/sandbox_tac schemas hold no QT001 control objects; S00 re-baseline + G-UNKNOWN-ZERO catch residue |
| 3 | classified any object vaguely? | PASS | vocabulary used throughout; 196 views bulk-classed LEGACY_DEPRECATE as one homogeneous class (acceptable; S00 itemizes before freeze) |
| 4 | proposed adding something that already exists? | PASS | birth gateway referenced via #26 only; catalog root confirmed absent; no duplicate add |
| 5 | proposed modifying something that should be frozen? | PASS | DOT-118/119 + birth gateway are DO_NOT_TOUCH; legacy freeze gated behind proof |
| 6 | missed a legacy object that can override the new design? | XHIGH_FINDING (XH-2) | the new manifest path is proven non-reachable-to-legacy by #11, but the legacy apply/writer functions remain directus-owned and PUBLIC-executable between activation (S14) and owner/ACL cutover (S16). A direct caller of fn_qt001_plan_v5/legacy apply bypasses the repoint - this is exactly the FIX2/FIX3 "PUBLIC EXECUTE / writer public bypass" Codex rejected |
| 7 | introduced hardcode or disguised hardcode? | PASS | counts 27/11/14/7 are design invariants; birth anchor 1,210,928 is a reference baseline for G-BIRTH-NEUTRAL, not an authority literal; all thresholds resolve to sealed #05/#06 rows |
| 8 | violated PG-first/native/driven? | PASS | every guard reads PG catalog/data/recomputed hashes; G-NOLEGACY is structural #11 closure, not a name list |
| 9 | omitted rollback for any step? | PASS | doc 05 covers S01-S18; S00/S11/S19 are read-only |
| 10 | omitted test/guard for any step? | XHIGH_FINDING (XH-3) | S05 operator_operand_compatibility had no dedicated guard mapping (typed-operand coverage was implicit) |
| 11 | created a circular dependency? | PASS | FK cycles broken by deferred ALTERs (S08); package sequence is linear |
| 12 | missed Directus read-path impact? | XHIGH_FINDING (XH-4) | doc 04 S16 / doc 07 PKG-G said "REVOKE directus/PUBLIC authority" without scoping it to qt001_cp control objects; an implementer could over-revoke and break the live Directus CMS (directus_* system tables + business base tables Directus legitimately owns) |
| 13 | confused runtime-evidence with authority? | PASS | 11 runtime-evidence tables explicitly non-authority; G-RUNTIME-NONAUTH enforces count and exclusion from 27 |
| 14 | altered the 27/11/14/7 invariants? | PASS | all additions are DATA rows or non-authority tables; exact-set seal verifies 27 |
| 15 | allowed Stage 2.6B or apply path too early? | PASS | all apply/permit/REAL_RUN/2.6B blocked across S00-S19; PKG-E.. operator-gated |
Minor refinement (advisory, not blocking)
- XH-1: doc 02 mapped `qt001_runtime_config` solely under `storage_class_manifest` #05, but it also holds legacy driver batch/runaway config. Its driver-config role maps to sealed adapter behavior, not retention. Refine the mapping note (no count/severity change).
XHIGH_FINDINGs requiring revision
- XH-2 (P1, real - historical bypass): legacy apply/writer entrypoints remain PUBLIC/directus executable in the activation->cutover window. Revision: (a) bundle legacy-entrypoint neutralization (REVOKE EXECUTE from PUBLIC/directus + fail-closed rollback stub) into S15/PKG-F, not deferred to PKG-G; (b) extend G-NOLEGACY to assert "legacy authoritative entrypoints executable by any non-owner role = 0", proving the legacy path is blocked, not merely unreachable from the new entrypoint.
- XH-3 (minor): add guard G-OPERAND-TYPED (operand type matches `operator_operand_compatibility` for every rule/measurement-requirement operand) and map it to S05/S11.
- XH-4 (P1, real - read-path safety): scope the ACL cutover to `qt001_cp` control objects + the enumerated legacy `qt001_*`/control objects only. Directus retains full authority over its own `directus_*` application tables and the business base tables it legitimately owns; only the control-plane authority and PUBLIC EXECUTE on control objects are revoked. Add G-DIRECTUS-APP-INTACT.
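One way to express the XH-2 and XH-4 assertions as catalog-driven PostgreSQL checks, added here as an example and not taken from the blueprint or doc 11. It assumes a hypothetical relation `legacy_entrypoint(fn_oid oid)` that holds the inventoried legacy authoritative functions, and a Directus application role named `directus`.

```sql
-- Added example (PostgreSQL), not the blueprint's own guard code.
-- Assumptions: legacy_entrypoint(fn_oid oid) is a hypothetical relation listing the
-- legacy authoritative functions from the S00 inventory; the Directus application
-- role is named "directus".

-- XH-2 / G-NOLEGACY extension: every (entrypoint, role) pair where a non-owner,
-- non-superuser role can still EXECUTE. has_function_privilege() resolves PUBLIC
-- grants, role membership, and a NULL proacl (whose default is PUBLIC EXECUTE),
-- so a function that was never explicitly granted to anyone is still reported.
CREATE TEMP VIEW legacy_exec_violation AS
SELECT p.oid::regprocedure AS entrypoint,
       r.rolname           AS can_execute
FROM   legacy_entrypoint le
JOIN   pg_proc p ON p.oid = le.fn_oid
CROSS  JOIN pg_roles r
WHERE  r.oid <> p.proowner
AND    NOT r.rolsuper
AND    has_function_privilege(r.oid, p.oid, 'EXECUTE');

-- Fail closed: abort the package unless the count is exactly 0.
DO $$
DECLARE
    n bigint;
BEGIN
    SELECT count(*) INTO n FROM legacy_exec_violation;
    IF n <> 0 THEN
        RAISE EXCEPTION 'G-NOLEGACY: % non-owner EXECUTE paths remain', n;
    END IF;
END $$;

-- XH-4 / G-DIRECTUS-APP-INTACT: directus_* application tables on which the
-- directus role is missing any DML privilege after the ACL cutover.
-- Expected result: zero rows. Business base tables owned by Directus are not
-- matched by name here and would need the same check driven by the inventory.
SELECT c.oid::regclass AS app_table
FROM   pg_class c
WHERE  c.relkind = 'r'
AND    c.relname LIKE 'directus\_%'
AND    NOT (has_table_privilege('directus', c.oid, 'SELECT')
        AND has_table_privilege('directus', c.oid, 'INSERT')
        AND has_table_privilege('directus', c.oid, 'UPDATE')
        AND has_table_privilege('directus', c.oid, 'DELETE'));
```

Running the first check before and after S15/PKG-F shows whether the REVOKE closed the activation-to-cutover window; `REVOKE ... FROM directus` alone leaves the PUBLIC default in place and the view stays non-empty.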
XHigh disposition
3 findings (XH-2, XH-3, XH-4) require blueprint revision; 1 advisory refinement (XH-1). All are revised in doc 11 and the affected checks (6, 10, 12) are re-run there. No invariant (27/11/14/7), no hard block, and no read-only/no-mutation posture is affected by the revisions.