KB-4B99

T1 FIX7 Adversarial Review - 02 Manifest Engine Spec (SUPERTRACK B)

Revision 1

02 — Manifest / Engine Spec Review (SUPERTRACK B)

Source: 02-manifest-engine-specs.md.

What is concretely specified (good)

  • Ownership: all qt001_cp authority objects owned by qt001_cp_owner NOLOGIN; Directus/PUBLIC have no DML/DDL/control-writer execute. (Native, correct.)
  • Common manifest_set envelope columns (names): UUID, type, version, parent, lifecycle, expected_count, payload SHA-256, canonicalizer, candidate_epoch, validity, creator, seal, activation, supersession.
  • Lifecycle invariants: exactly one ACTIVE per type; sealed/active/superseded immutable; no delete; rollback = activate a new prior-payload version.
  • Child rows: bind manifest + item envelope + ordinal + item hash.
  • Engines: fixed signatures; no metadata-ID CASE/list; missing/extra/NULL/unknown fail.
  • 27 child contracts named: policy, operator, metric, unit, artifact, storage, principal, action, separation, readiness, hash, dependency, bypass, capability, measurement, artifact, signoff, tier, activation, quorum, authority-scope, privilege, dynamic-target, workload, analyzer, plan, gateway, writer.

Per-manifest checklist (macro SUPERTRACK B requires: exact columns, PK, FK, CHECK, owner, role access, activation state, version, hash, exact-set rule, rollback, negative test)

Checklist columns: Manifest | columns | PK | FK | CHECK | owner | role | activation | version | hash | exact-set | rollback | neg-test

  • common envelope: columns = names only; ✗ type (column types not given)
  • policy/operator/measurement/principal/evidence/readiness-gate/hash-component/dependency/bypass/activation (+ 17 more): columns = named only; ✓ (inherits from the envelope)

Reading: the envelope-level requirements (owner, activation state, version, payload hash, exact-set rule, immutability/rollback) are specified once and inherited by all manifests — that is genuinely strong and consistent. But the per-manifest exact columns, column types, PK declaration, FK targets, CHECK expressions, and per-manifest negative tests are not published for any of the 10 review-listed manifests or the 27 child contracts. Doc 02 lists names and asserts the contracts "exist."

Adversarial probes

  • Can a manifest be Directus-mutated? Design: no (owner-only, no-delete, immutable-when-sealed). Cannot confirm the CHECK/role DDL that enforces it — not shown. Live today, Directus still owns the precursor tables (operator-gated cutover).
  • Is the exact-set rule machine-enforced or prose? The rule (missing/extra/NULL/unknown fail; expected_count == payload child count) is stated as engine behavior — but the engine bodies and the count-CHECK are not shown.
  • Are the 27 child contracts real schemas or labels? Cannot tell — only names are given.
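The lifecycle invariants and the exact-set rule listed under "What is concretely specified" are exactly the things the probes above cannot see enforced. The block below is an added illustration of what machine enforcement plus per-manifest negative tests can look like; it is not the project's DDL or engine code. It uses Python with an in-memory sqlite3 database as a stand-in, takes the envelope column names from doc 02 where they are listed, and assumes everything else: the column types, the manifest_item child table and its columns, the canonicalizer, and a DRAFT state before SEALED/ACTIVE/SUPERSEDED. Role ownership (qt001_cp_owner NOLOGIN, no PUBLIC access) is database-level and is not modelled.

```python
# Added sketch, not the project's DDL: sqlite3 stands in; types, manifest_item, canonicalizer and DRAFT are assumed.
import hashlib
import json
import sqlite3

DDL = """
CREATE TABLE manifest_set (
    id TEXT PRIMARY KEY, type TEXT NOT NULL, version INTEGER NOT NULL,
    lifecycle TEXT NOT NULL CHECK (lifecycle IN ('DRAFT','SEALED','ACTIVE','SUPERSEDED')),
    expected_count INTEGER NOT NULL CHECK (expected_count >= 0),
    payload_sha256 TEXT NOT NULL CHECK (length(payload_sha256) = 64),
    canonicalizer TEXT NOT NULL, UNIQUE (type, version));
-- At most one ACTIVE per type, enforced by the database rather than by prose.
CREATE UNIQUE INDEX one_active_per_type ON manifest_set(type) WHERE lifecycle = 'ACTIVE';
CREATE TABLE manifest_item (  -- child rows bind manifest + ordinal + item hash
    manifest_id TEXT NOT NULL REFERENCES manifest_set(id), ordinal INTEGER NOT NULL,
    item_sha256 TEXT NOT NULL CHECK (length(item_sha256) = 64), payload TEXT NOT NULL,
    PRIMARY KEY (manifest_id, ordinal));
-- No delete, ever; once past DRAFT only the lifecycle column may change.
CREATE TRIGGER no_delete BEFORE DELETE ON manifest_set
BEGIN SELECT RAISE(ABORT, 'manifests are never deleted'); END;
CREATE TRIGGER immutable_once_sealed BEFORE UPDATE ON manifest_set
WHEN OLD.lifecycle <> 'DRAFT' AND (NEW.type <> OLD.type OR NEW.version <> OLD.version
     OR NEW.payload_sha256 <> OLD.payload_sha256 OR NEW.expected_count <> OLD.expected_count)
BEGIN SELECT RAISE(ABORT, 'sealed manifest is immutable'); END;
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(DDL)
    return conn

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def insert_manifest(conn, mid, mtype, version, items, lifecycle="DRAFT", expected_count=None):
    # Write envelope + child rows; a deliberately wrong expected_count builds a broken manifest.
    payloads = [json.dumps(it, sort_keys=True) for it in items]  # assumed canonicalizer
    hashes = [sha256(p) for p in payloads]
    n = len(items) if expected_count is None else expected_count
    with conn:
        conn.execute("INSERT INTO manifest_set VALUES (?,?,?,?,?,?,?)",
                     (mid, mtype, version, lifecycle, n, sha256("\n".join(hashes)), "json-sorted-v1"))
        conn.executemany("INSERT INTO manifest_item VALUES (?,?,?,?)",
                         [(mid, i, h, p) for i, (h, p) in enumerate(zip(hashes, payloads))])

def exact_set_errors(conn, mid):
    # Exact-set rule: child count == expected_count and every hash recomputes; [] means pass.
    expected, payload_hash = conn.execute(
        "SELECT expected_count, payload_sha256 FROM manifest_set WHERE id=?", (mid,)).fetchone()
    rows = conn.execute("SELECT ordinal, item_sha256, payload FROM manifest_item "
                        "WHERE manifest_id=? ORDER BY ordinal", (mid,)).fetchall()
    errors = []
    if len(rows) != expected:
        errors.append("missing child rows" if len(rows) < expected else "extra child rows")
    errors += [f"item {o} hash mismatch" for o, h, p in rows if sha256(p) != h]
    if sha256("\n".join(h for _, h, _ in rows)) != payload_hash:
        errors.append("payload hash mismatch")
    return errors

def activate(conn, mid):
    # Engine: supersede the current ACTIVE of the same type and activate mid in one transaction.
    errors = exact_set_errors(conn, mid)
    if errors:
        raise ValueError(f"exact-set rule failed: {errors}")
    mtype, lifecycle = conn.execute("SELECT type, lifecycle FROM manifest_set WHERE id=?", (mid,)).fetchone()
    if lifecycle != "SEALED":
        raise ValueError("only SEALED manifests can be activated")
    with conn:
        conn.execute("UPDATE manifest_set SET lifecycle='SUPERSEDED' WHERE type=? AND lifecycle='ACTIVE'", (mtype,))
        conn.execute("UPDATE manifest_set SET lifecycle='ACTIVE' WHERE id=?", (mid,))

def rejected(action):
    try:  # True when the database or the engine refused the write
        action()
        return False
    except (sqlite3.DatabaseError, ValueError):
        return True

def run_negative_tests():
    """Per-manifest negative tests as a reviewable artifact; every value should be True."""
    conn = open_db()
    v1 = [{"policy": "p1"}, {"policy": "p2"}]  # constructed sample items
    insert_manifest(conn, "m1", "policy", 1, v1, "SEALED")
    activate(conn, "m1")
    insert_manifest(conn, "m2", "policy", 2, [{"policy": "p3"}], "SEALED")
    insert_manifest(conn, "m3", "policy", 3, [{"policy": "p4"}], "SEALED", expected_count=2)
    insert_manifest(conn, "m4", "policy", 4, v1, "SEALED", expected_count=1)
    r = {  # direct writes that bypass the engine are stopped by the DDL itself
        "second_active": rejected(lambda: conn.execute("UPDATE manifest_set SET lifecycle='ACTIVE' WHERE id='m2'")),
        "delete": rejected(lambda: conn.execute("DELETE FROM manifest_set WHERE id='m1'")),
        "mutate_sealed": rejected(lambda: conn.execute("UPDATE manifest_set SET expected_count=9 WHERE id='m1'")),
        "null_item_hash": rejected(lambda: conn.execute("INSERT INTO manifest_item VALUES ('m2',1,NULL,'{}')")),
        "missing_child": rejected(lambda: activate(conn, "m3")),  # exact-set violations are
        "extra_child": rejected(lambda: activate(conn, "m4")),    # caught before activation
    }
    activate(conn, "m2")                                    # m2 supersedes m1
    insert_manifest(conn, "m5", "policy", 5, v1, "SEALED")  # rollback = new version with m1's payload
    activate(conn, "m5")
    rows = {i: (l, h) for i, l, h in conn.execute("SELECT id, lifecycle, payload_sha256 FROM manifest_set")}
    r["rollback"] = ([rows[m][0] for m in ("m1", "m2", "m5")] == ["SUPERSEDED", "SUPERSEDED", "ACTIVE"]
                     and rows["m5"][1] == rows["m1"][1])
    return r
```

run_negative_tests() returns a dict in which every value should be True; each key is one forbidden write that was refused, plus the rollback path. Two design points are worth noting when reading the real DDL, once it is published: the partial unique index only gives the "at most one ACTIVE per type" half of the invariant, and the "exactly one" half depends on the engine superseding and activating inside a single transaction; and the immutability trigger deliberately leaves the lifecycle column writable, so a forward-only transition check still has to live somewhere (here, in activate()).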

Verdict: MANIFEST_SPEC_PARTIAL

Envelope/lifecycle/ownership/exact-set/rollback design is complete and sound; the per-manifest and 27-child exact column/type/PK/FK/CHECK DDL and negative tests are not published. Required correction: publish the exact DDL + per-manifest negative tests as reviewable artifacts (or surface them if already authored). Until then T1 would guess column types, FK targets, and CHECK expressions — a macro reject trigger ("schema columns").

Knowledge Hub path: knowledge/dev/reports/architecture/t1-fix7-implementation-spec-full-adversarial-review-2026-06-07/02-manifest-engine-spec-review.md