KB-235A
FIX7 Refactor Blueprint - Max Adversarial Review
Revision 1
10 - T1-Max Adversarial Review (stricter than XHigh)
Max posture (assumed worst case): a future implementer will misread the blueprint; any ambiguity causes production damage; any unlisted dependency will break; any hidden hardcoded value fails at scale; any missing rollback is costly. Max reviews the blueprint as already revised by XHigh.
| # | check | verdict | evidence / finding |
|---|---|---|---|
| 1 | can a future T1 implement without guessing? | MAX_FINDING (MX-1) | PKG-B must author privilege_set_manifest #21 rows equal to "the existing Directus SELECT set", but that set is referenced, never captured. Without an explicit enumeration artifact, PKG-B guesses the read contract - a no-guess violation and a Directus-read-regression risk |
| 2 | can Codex review without reading whole history? | PASS | doc 00 carries status, invariants, sources, and the central refactor finding; each component cites its approved source doc |
| 3 | can operator run only allowed parts? | PASS | every package marks who = T1 vs OPERATOR; PKG-A..D have no production mutation |
| 4 | can a live apply be split safely later? | PASS | PKG-E..H split create/seal/activate / repoint+neutralize / owner-ACL cutover / freeze+deprecate, each independently gated and reversible |
| 5 | all live/refactor changes traceable to approved FIX7 design? | MAX_FINDING (MX-2) | the 27/11/14/7 model, byte-DDL, hashes, #26/#27 repoint are traceable to approved docs. But two operational dispositions - S15 legacy-entrypoint neutralization (REVOKE EXECUTE + fail-closed stub) and S17/S18 legacy freeze/deprecate - extend beyond the literal approved design text. They introduce no new authority surface/gate/hash, but must be explicitly flagged as T1-operationalization requiring Codex confirmation, not presented as already-approved design |
| 6 | all non-authority tables clearly non-authority? | PASS | 11 runtime-evidence tables; G-RUNTIME-NONAUTH; never counted in 27 |
| 7 | all authority surfaces exact-set counted? | PASS | 27 named; G-AUTH-27 both-EXCEPT vs envelope |
| 8 | all future SQL actions staged, not live? | PASS | author/rehearsal/read-only for PKG-A..D; operator-gated for PKG-E..H |
| 9 | all destructive actions operator-gated? | PASS | seal/activate/repoint/REVOKE/cutover/freeze all OPERATOR |
| 10 | all "routed later" items currently blocking? | PASS | G-17 + apply/permit/REAL_RUN/2.6B blocked across all steps |
| 11 | can rollback restore safe-blocked state? | MAX_FINDING (MX-3, minor) | doc 05 requires the S16 prior-ownership+ACL snapshot, but does not require it to be captured, read-back-verified, and rollback-rehearsed before the REVOKE runs. A snapshot taken but not verified could fail to restore exact grants |
| 12 | does every package have a no-go condition? | PASS | PKG-A..I each carry an explicit no-go |
| 13 | is every gap resolved, planned, or blocked? | PASS | doc 03 disposition guarantee; 7 P0 / 9 P1 / 2 P2 / 0 open |
| 14 | is the blueprint ready for Codex independent critical review? | PASS-after-revision | yes once MX-1/MX-2/MX-3 are revised below |
MAX_FINDINGs requiring revision
- MX-1 (P1, real - no-guess / read-path): add an explicit artifact "enumerate the current Directus SELECT grant set on business base tables" as an output of S00 (re-baseline) and PKG-D, consumed by PKG-B to author #21 rows. G-DIRECTUS-READ input updated to compare #21 against this captured set. Until captured, PKG-B is blocked.
- MX-2 (P2, traceability/honesty): mark S15 legacy-neutralization and S17/S18 freeze/deprecate as T1 operationalization beyond the literal approved design, consistent with the approved no-bypass discipline and #26/#27 rollback-stub mechanics, introducing no new authority/gate/hash, and explicitly request Codex confirmation of these dispositions in the critical review. Recorded in doc 02 and doc 12.
- MX-3 (minor): strengthen doc 05 / PKG-G precondition: the prior-ownership+ACL snapshot must be captured, read-back-verified, and its restore rehearsed before any REVOKE executes.
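As an added example covering MX-1 and MX-3 (not SQL from the blueprint or any doc it cites), the following PostgreSQL statements capture the current Directus SELECT set as a persisted artifact, diff it against the #21 rows, and take an ownership+ACL snapshot that can be read back and verified before any REVOKE runs. It assumes PostgreSQL, a Directus service role named directus_app, business base tables in schema biz, an artifact schema refactor_baseline, and columns table_schema/table_name/privilege on privilege_set_manifest; all of these names are assumptions.

```sql
-- Added example, not the blueprint's own SQL. Assumed names: role directus_app,
-- business schema biz, artifact schema refactor_baseline, and the columns
-- table_schema/table_name/privilege on privilege_set_manifest.

-- MX-1: capture the current Directus SELECT set on base tables as a persisted artifact.
-- has_table_privilege reports effective privilege (direct, via role membership, or
-- PUBLIC); if the role is a superuser it returns true for every table, so check
-- pg_roles.rolsuper first or the captured set is meaningless.
CREATE TABLE IF NOT EXISTS refactor_baseline.directus_select_set (
    captured_at  timestamptz NOT NULL DEFAULT now(),
    table_schema name NOT NULL,
    table_name   name NOT NULL,
    PRIMARY KEY (table_schema, table_name)
);
INSERT INTO refactor_baseline.directus_select_set (table_schema, table_name)
SELECT n.nspname, c.relname
FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'r'                              -- base tables only, not views
  AND n.nspname = 'biz'
  AND has_table_privilege('directus_app', c.oid, 'SELECT');

-- G-DIRECTUS-READ: #21 rows must equal the captured set. Any row here fails the gate.
SELECT 'missing_from_#21' AS kind, s.table_schema, s.table_name
FROM refactor_baseline.directus_select_set s
LEFT JOIN privilege_set_manifest m
       ON m.table_schema = s.table_schema AND m.table_name = s.table_name
      AND m.privilege = 'SELECT'
WHERE m.table_name IS NULL
UNION ALL
SELECT 'not_in_captured_set', m.table_schema, m.table_name
FROM privilege_set_manifest m
LEFT JOIN refactor_baseline.directus_select_set s
       ON s.table_schema = m.table_schema AND s.table_name = m.table_name
WHERE m.privilege = 'SELECT' AND s.table_name IS NULL;

-- MX-3: ownership + ACL snapshot taken before any REVOKE runs.
CREATE TABLE IF NOT EXISTS refactor_baseline.owner_acl_snapshot AS
SELECT now() AS captured_at, n.nspname, c.relname, c.relkind,
       pg_get_userbyid(c.relowner) AS owner, c.relacl::text AS acl
FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'biz' AND c.relkind IN ('r', 'v', 'm', 'S');

-- Read-back verification (run right after capture, and again after a rollback
-- rehearsal): zero rows means the live catalog matches the snapshot exactly.
SELECT s.nspname, s.relname
FROM refactor_baseline.owner_acl_snapshot s
LEFT JOIN (pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace)
       ON n.nspname = s.nspname AND c.relname = s.relname
WHERE c.oid IS NULL
   OR pg_get_userbyid(c.relowner) IS DISTINCT FROM s.owner
   OR c.relacl::text IS DISTINCT FROM s.acl;
```

The ACL column is stored as text so the read-back diff is human-readable and can be compared in a rollback rehearsal by re-running only the last query.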
Max disposition
3 findings (MX-1, MX-2, MX-3). None alters the 27/11/14/7 invariants, the hard blocks, or the read-only/no-mutation posture. All are revised in doc 11; affected checks (1, 5, 11) are re-run there. After revision, the blueprint can withstand a misreading implementer and is ready for Codex independent critical review.