KB-3C29
FIX7 Refactor Blueprint - Revisions From Reviews
Revision 1
11 - Blueprint Revisions From XHigh and Max Reviews
Every finding, what changed, which docs were patched, and the re-run of the affected review check. All revisions were made inside this macro (not hidden); production stayed READ-ONLY throughout.
XHigh revisions
XH-1 (advisory) - qt001_runtime_config dual role
- Change: doc 02 row #05 now notes runtime_config's retention/partition part maps to #05, while its driver batch/runaway config maps to sealed adapter behavior, not retention.
- Patched: doc 02 (rev 2).
- Re-run: not a blocking check; mapping precision improved. No count/severity change.
XH-2 (P1) - legacy entrypoints PUBLIC/directus-executable in activate->cutover window
- Change: legacy-entrypoint neutralization (REVOKE EXECUTE from PUBLIC/directus + fail-closed stub) bundled into S15/PKG-F, not deferred to PKG-G. G-NOLEGACY extended to assert "legacy authoritative entrypoints executable by any non-owner role = 0" (blocked, not merely unreachable). Rollback stub now also restores prior EXECUTE grants.
- Patched: doc 04 (S15), doc 06 (G-NOLEGACY), doc 07 (PKG-F).
- Re-run XHigh check 6 ("missed a legacy object that can override the new design?"): now PASS - the legacy path is provably blocked AND unreachable; the historical PUBLIC-EXECUTE bypass is closed.
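An added example (not part of the blueprint or its guard code) of the kind of check the extended G-NOLEGACY assertion in XH-2 describes: count every non-owner grantee that still holds EXECUTE on a legacy entrypoint. It assumes a PostgreSQL catalog and its aclitem text form; the function names, the owner role `cp_owner` and the ACL rows are constructed for illustration.

```python
# Added example: G-NOLEGACY-style check over constructed catalog rows.
# Assumption: PostgreSQL aclitem text "grantee=privs/grantor", where an empty
# grantee means PUBLIC and 'X' is EXECUTE. Quoted role names are not handled.
from typing import List, NamedTuple, Optional, Set, Tuple


class Entrypoint(NamedTuple):
    name: str                     # function signature (hypothetical)
    owner: str                    # owning role (hypothetical)
    proacl: Optional[List[str]]   # pg_proc.proacl items, or None if never set


def executable_by(ep: Entrypoint) -> Set[str]:
    """Grantees holding EXECUTE on ep, with PUBLIC named explicitly."""
    if ep.proacl is None:
        # A NULL ACL means built-in defaults: for functions, the owner and
        # PUBLIC may execute. Revoking from one named role does not change that.
        return {ep.owner, "PUBLIC"}
    holders = set()
    for item in ep.proacl:
        grantee, _, rest = item.partition("=")
        privs = rest.split("/", 1)[0]      # drop the "/grantor" suffix
        if "X" in privs:                   # also matches "X*" (grant option)
            holders.add(grantee or "PUBLIC")
    return holders


def nolegacy_violations(eps: List[Entrypoint]) -> List[Tuple[str, str]]:
    """(entrypoint, grantee) pairs where a non-owner can execute.

    The guard passes only when this list is empty. Role membership and
    superusers are not expanded here; against a live database,
    has_function_privilege() accounts for membership.
    """
    return sorted((ep.name, g) for ep in eps
                  for g in executable_by(ep) - {ep.owner})


# Constructed sample rows.
LEGACY = [
    Entrypoint("legacy_apply_a()", "cp_owner", None),  # ACL never set
    Entrypoint("legacy_apply_b()", "cp_owner",
               ["cp_owner=X/cp_owner", "=X/cp_owner", "directus=X/cp_owner"]),
    Entrypoint("legacy_apply_c()", "cp_owner", ["cp_owner=X/cp_owner"]),  # neutralized
]

if __name__ == "__main__":
    for name, grantee in nolegacy_violations(LEGACY):
        print(f"FAIL {name}: EXECUTE held by {grantee}")
```

The first sample row is the case that is easy to miss: an entrypoint whose ACL was never set is still executable through the default PUBLIC grant, so it fails the guard even though no explicit grant exists.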
XH-3 (minor) - missing guard for S05
- Change: added G-OPERAND-TYPED (operand type vs operator_operand_compatibility); mapped to S05/S11/S19.
- Patched: doc 04 (S05), doc 06 (new guard + coverage note).
- Re-run XHigh check 10 ("omitted test/guard for any step?"): now PASS - every S step maps to at least one required guard.
XH-4 (P1) - unscoped ACL cutover could break live Directus CMS
- Change: ACL cutover scoped to qt001_cp + enumerated legacy control objects ONLY; Directus retains authority over directus_* app tables and legitimately-owned business tables; added G-DIRECTUS-APP-INTACT.
- Patched: doc 04 (S16), doc 06 (new guard), doc 07 (PKG-G), doc 08 (Directus row).
- Re-run XHigh check 12 ("missed Directus read-path impact?"): now PASS - over-revoke risk removed; CMS app authority preserved.
Max revisions
MX-1 (P1) - existing Directus SELECT set never captured -> #21 guessing
- Change: S00 now enumerates and captures the current Directus SELECT grant set; it is a PKG-D output and a PKG-B precondition (read-only capture runs ahead of PKG-B); G-DIRECTUS-READ compares #21 against the captured set.
- Patched: doc 04 (S00), doc 06 (G-DIRECTUS-READ input + S00 timing), doc 07 (PKG-B precondition, PKG-D output).
- Re-run Max check 1 ("implement without guessing?"): now PASS - #21 is authored from a captured set, not guessed.
MX-2 (P2) - traceability of operational dispositions
- Change: doc 02 §G explicitly flags S15 neutralization and S17/S18 freeze/deprecate as T1 operationalization beyond the literal approved design, consistent with the no-bypass discipline and #26/#27, introducing no new authority/gate/hash, and requiring Codex confirmation.
- Patched: doc 02 (§G), doc 12 (records the Codex-confirmation ask).
- Re-run Max check 5 ("traceable to approved design?"): now PASS - traceable, with honest flagging of the two dispositions that need Codex confirmation.
MX-3 (minor) - ACL rollback snapshot must be verified before REVOKE
- Change: prior-ownership+ACL snapshot must be captured, read-back-verified, and restore-rehearsed before any REVOKE; an unverified snapshot blocks the cutover.
- Patched: doc 05 (invariant 3), doc 07 (PKG-G precondition).
- Re-run Max check 11 ("rollback restore safe-blocked state?"): now PASS - rollback path is verified-recoverable before the destructive step runs.
Invariant non-regression after all revisions
| invariant | before | after |
|---|---|---|
| authority surfaces | 27 | 27 |
| runtime-evidence tables | 11 non-authority | 11 non-authority |
| readiness gates | 14 (DATA) | 14 (DATA) |
| top-level hash contracts | 7 (H01..H07) | 7 (H01..H07) |
| new readiness gates | 0 | 0 |
| new hash contracts | 0 | 0 |
| production mutation | 0 | 0 |
| Stage 2.6B / permit / REAL_RUN / QT001 apply | blocked | blocked |
| hard blocks / do-not-touch | intact | intact |
No revision added an authority surface, gate, or hash contract, or relaxed any hard block. The revisions only tightened bypass closure, read-path scoping, guard coverage, no-guess capture, and rollback verifiability. All affected XHigh checks (6, 10, 12) and Max checks (1, 5, 11) re-run to PASS. No finding remains open.