Supertrack C — P-03 H05/H02 Membership + Total-Order Review
03 — Supertrack C: P-03 H05/H02 Membership + Total-Order Review
Verdict: P03_VERIFIED
What P-03 demanded
Pin one canonical PK-terminated total order for each of the four newly-bound runtime aggregates, plus their membership predicates: H05 measurements, H05 artifacts, H02 capability_evidence_hashes, H02 post_activation_verifier_state.
What Codex delivered (patch doc 03) — verified against DDL doc 02 rev 2
| Aggregate | Membership (pinned) | Canonical order | PK-terminated? |
|---|---|---|---|
| H02 signoffs | signoff rows for H02 epoch ⋈ activation at same requested epoch; exact ACTIVE required slots | (target_manifest_id, tier_id NULLS FIRST, action_id, quorum_profile_id, required_principal_class_id, slot_ordinal, reviewer_principal_id, signoff_id) | ends signoff_id (PK) ✓ |
| H05 measurements | capability_measurement.run_id = capability_run.run_id; exact sealed requirement set | (measurement_requirement_id, measured_at, measurement_id) | contains full PK (measurement_id, measured_at) ✓ |
| H05 artifacts | capability_artifact.run_id = capability_run.run_id; sealed requirement/count set | (artifact_requirement_id, created_at, capability_artifact_id) | contains full PK (capability_artifact_id, created_at) ✓ |
| H02 capability hashes | finalized runs for H02 epoch; capability ACTIVE; workload = bound workload; every ACTIVE required capability has a run | (capability_id, workload_profile_id, finalized_at, run_id) | ends run_id (PK) ✓ |
| H02 post-activation state | all valid state rows for executed activations whose requested_control_epoch = H02.control_epoch; ≥1 per executed activation | (activation_id, verifier_principal_id, verified_at, verifier_state_id) | ends verifier_state_id (PK) ✓ |
Global rules: times → UTC; uuids → canonical lowercase COLLATE "C"; required order fields cannot be NULL; missing/extra rows fail; empty permitted only when the corresponding required/parent source set is empty under the exact CP-06 rule; physical/insertion order cannot affect a digest.
NULL-safety of order columns (DDL-checked)
- tier_id is the only NULLABLE order column (signoff_binding.tier_id uuid NULL) → handled by explicit NULLS FIRST. Deterministic.
- capability_run.finalized_at is NULLABLE, but H02-capability membership = "finalized runs" → finalized_at is non-NULL within the membership set. Deterministic.
- All other order columns are NOT NULL per DDL.
Determinism conclusion
Each order ends in or contains the table's full PK, so it is a TOTAL order (no ties) — insertion order cannot change a digest. Membership is scoped (run_id for H05; control_epoch/activation for H02) and bounded by sealed requirement sets / ACTIVE required capabilities / per-epoch activation sets — never by all historical rows.
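As an added illustration (not part of Codex's patch doc or the DDL), the following Python models the H02 signoffs rule from the table above: exact required-slot membership, tier_id NULLS FIRST, lowercase uuids, and a total order terminated by signoff_id, then checks that shuffling the rows cannot change the digest. Field names come from the pinned order; the six-field slot key, the constructed id values and the SHA-256-over-JSON framing are assumptions.

```python
import hashlib, json, random

# Pinned canonical order for the H02 signoffs aggregate; signoff_id (PK) terminates it.
ORDER_FIELDS = ("target_manifest_id", "tier_id", "action_id", "quorum_profile_id",
                "required_principal_class_id", "slot_ordinal",
                "reviewer_principal_id", "signoff_id")
SLOT_FIELDS = ORDER_FIELDS[:6]  # assumed to identify one required ACTIVE slot

def canon(field, value):
    """Canonicalize one order value: tier_id may be NULL (NULLS FIRST), others may not."""
    if value is None:
        if field != "tier_id":
            raise ValueError(f"required order field {field} is NULL")
        return (0, "")
    if isinstance(value, int):
        return (1, value)
    return (1, str(value).strip().lower())  # uuids -> canonical lowercase

def canonical_digest(rows, required_slots):
    """SHA-256 over the canonically ordered rows; raises if membership is not exact."""
    present = [tuple(canon(f, r[f]) for f in SLOT_FIELDS) for r in rows]
    required = {tuple(canon(f, s[f]) for f in SLOT_FIELDS) for s in required_slots}
    if len(present) != len(set(present)) or set(present) != required:
        raise ValueError(f"membership mismatch: missing={required - set(present)}, "
                         f"extra={set(present) - required}")
    ordered = sorted(rows, key=lambda r: tuple(canon(f, r[f]) for f in ORDER_FIELDS))
    payload = [[canon(f, r[f])[1] for f in ORDER_FIELDS] for r in ordered]
    return hashlib.sha256(json.dumps(payload, separators=(",", ":")).encode()).hexdigest()

def insertion_independent(rows, required_slots, trials=20):
    """True if every shuffled presentation of rows yields the same digest."""
    base = canonical_digest(rows, required_slots)
    rng = random.Random(7)
    for _ in range(trials):
        shuffled = rows[:]
        rng.shuffle(shuffled)
        if canonical_digest(shuffled, required_slots) != base:
            return False
    return True

def u(n):  # constructed uuid-shaped id, not a real identifier
    return f"00000000-0000-4000-8000-{n:012x}"

def slot(tier_id, ordinal):  # constructed slot under one manifest/action/quorum/class
    return {"target_manifest_id": u(0xa), "tier_id": tier_id, "action_id": u(0xb),
            "quorum_profile_id": u(0xc), "required_principal_class_id": u(0xd),
            "slot_ordinal": ordinal}

# Constructed sample: two required slots, one of them tier-less (tier_id NULL).
SAMPLE_SLOTS = [slot(None, 0), slot(u(0xe), 1)]
SAMPLE_ROWS = [dict(s, reviewer_principal_id=u(0xf0 + i), signoff_id=u(0x1a + i))
               for i, s in enumerate(SAMPLE_SLOTS)]
```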
Checklist:
- H05 measurements/artifacts membership pinned — PASS
- H02 capability-hashes & post-activation membership pinned — PASS
- orders PK-terminated — PASS
- collation/timestamp/NULL/missing/empty explicit — PASS
- insertion order can't affect digest — PASS
- empty-set rule explicit — PASS
- required missing row fails — PASS
One dependency note (not a gap)
H02 post-activation membership joins through manifest_activation.requested_control_epoch — a column on the pre-existing manifest_activation authority surface (not introduced by this patch). Byte-implementable by reference to that existing surface; consistent with the control_epoch concept carried NOT NULL on signoff_binding / capability_run.
Result: P03_VERIFIED.