KB-312A
Supertrack F — Zero-Hardcode / Disguised-Hardcode Final Scan
Revision 1
06 — Supertrack F: Zero-Hardcode / Disguised-Hardcode Final Scan
Verdict: ZERO_HARDCODE_VERIFIED (incl. no disguised hardcode)
Scanned the final design state (CP-06 patch + grounding DDL) for each listed risk:

| Risk | Finding |
|---|---|
| fixed answer outside sealed manifest | none — mutable behavior = ACTIVE sealed manifest data |
| policy-shaped CHECK | none — CHECKs are structural only (num_nonnulls(...)=1; bound_at>=signed_at; valid_until>bound_at; finalized_at>=started_at) |
| boolean policy default | none — evaluated_pass/evaluated_blocked accepted only from owner generic guards, not caller-authored; no policy default |
| hidden CASE/list policy | none |
| numeric literal threshold as authority | none — partition boundaries/cadence from the bound sealed storage-class row, never source literals |
| extra authority surface | none — 27 |
| fixed partition policy | none — range partitions driven by sealed storage_class_manifest #05 |
| free-text operand authority | none — item_payload descriptive-only; operational reads fail |
| unsealed code catalog | none — catalog families inside sealed catalog root, exact-set both-EXCEPT |
| Directus-editable authority | none — runtime tables Directus/PUBLIC-inaccessible; Directus sealed read-contract only |
| mutable denominator | none — dashboard_export carries denominator_set_sha256 (content-bound) |
| manual inventory as authority | none — typed #20 rows, not hand lists |
| regex / source-text as authority | none — both-EXCEPT over pg_constraint/pg_index structural truth |
| function/view existence as proof | none |
| arbitrary reviewer/approver/provenance string | none — principal_registry + human_identity_registry FKs |
| MD5 / delimiter hash | none — "No MD5, delimiter concatenation, implicit bytea text cast"; SHA-256 over canonical JSONB |
| bool_and NULL-ignore | none — required order/scope fields NOT NULL; missing fails |
| routed-later without blocking-now | none — P-04 fails NOW; no deferral |
| image/URL/path hardcode | none operational |
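
The "MD5 / delimiter hash" row, illustrated as an added example (not code from the scanned design or its project): delimiter concatenation gives distinct inputs the same digest, while SHA-256 over one canonical JSON encoding keeps them apart. The field names and sample values are constructed, and Python's sorted-key compact JSON is an assumption standing in for the project's canonical JSONB form, which this page does not specify.

```python
import hashlib
import json

FIELDS = ("principal", "action")  # hypothetical field names, not from the page

def delimiter_digest(values, sep="|"):
    """Weak form: join the values with a delimiter, then hash the string."""
    joined = sep.join("" if v is None else str(v) for v in values)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()

def canonical_digest(record):
    """SHA-256 over a single canonical JSON encoding of a typed record."""
    # Assumption: sorted keys + compact separators stand in for the
    # project's canonical JSONB form. NaN/Infinity are rejected outright.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False, allow_nan=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def as_record(values):
    """Bind positional values to named fields so structure is hashed too."""
    return dict(zip(FIELDS, values))

# Constructed pairs of inputs that are different and must hash differently.
CASES = {
    "delimiter inside a value": (["alice|approve", "sign"],
                                 ["alice", "approve|sign"]),
    "NULL vs empty string": (["alice", None], ["alice", ""]),
    "number vs text": (["alice", 1], ["alice", "1"]),
}

def collision_report():
    """Map case name -> (delimiter hash collides, canonical hash collides)."""
    report = {}
    for name, (a, b) in CASES.items():
        report[name] = (
            delimiter_digest(a) == delimiter_digest(b),
            canonical_digest(as_record(a)) == canonical_digest(as_record(b)),
        )
    return report

if __name__ == "__main__":
    for name, (weak, strong) in collision_report().items():
        print(f"{name}: delimiter collides={weak}, canonical collides={strong}")
```
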

Against the governing law's only hardcode clause (§5 no_hardcode_absolute: "important literals must be discovered from SSOT/config/registry/catalog or be clearly classified"), every important value here is discovered from a sealed manifest/registry/catalog or is a structural type/constraint — compliant. ("Disguised-hardcode" structural detection is T1/Codex review discipline, not a law clause; applied here as discipline, and clean.)
Result: ZERO_HARDCODE_VERIFIED.