KB-8D99
T1 FIX7 Adversarial Review - 04 Quorum (SUPERTRACK D)
Revision 1
04 — Quorum Review (SUPERTRACK D)
Sources: 02, 04, readme.
| # | Requirement | Spec answer | Verdict |
|---|---|---|---|
| D.1 | Critical quorum = OPERATOR_MIGRATION + CODEX_REVIEWER + T2_HUMAN_REVIEWER | Q_CRITICAL_3, exact classes | PASS |
| D.2 | Standard quorum = OPERATOR_MIGRATION + CODEX_REVIEWER | Q_STANDARD_2, exact classes | PASS |
| D.3 | Approval max age 24h | approval age ≤ 24h | PASS |
| D.4 | Stale approvals invalidate | invalidated on hash/epoch/scope/principal/evidence drift, plus the ≤ 24h age limit | PASS (strong: drift invalidation, not only time) |
| D.5 | Self-approval blocked | principals are distinct LOGIN session_user classes; activation validates the exact quorum; no SET ROLE, proxy, or shared role | PASS (one actor cannot satisfy two classes via proxy) |
| D.6 | Quorum binds exact manifest hash | approval is "exact hash/epoch/evidence bound"; activation validates against the candidate payload hash | PASS |
| D.7 | Post-activation evidence required | activation keeps readiness false pending a fresh verifier result; ≤ 15 min deadline | PASS |
| D.8 | Actor identities controlled, not strings | principal classes come from a controlled principal manifest plus LOGIN session_user (PG-native identity), not free text | PASS |
Adversarial probes
- Can one human satisfy two classes? Classes are bound to distinct LOGIN roles; no SET ROLE/proxy/shared role → a single session cannot impersonate two classes. Mitigated. (Residual operational risk: a person controlling two distinct login roles — an operator-process control, noted in risk register R-OPERATOR.)
- Can a stale approval be reused? No — drift on hash/epoch/scope/principal/evidence invalidates, plus ≤24h. Strong.
- Can the operator alone activate? No — Q_CRITICAL_3 requires three independent classes; "operator alone cannot activate." Mitigated.
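Worked check of the policy in the table and the three probes above, as an added illustration rather than the spec's own code or DDL: the class names are the ones the review quotes (Q_CRITICAL_3, Q_STANDARD_2), while the column names, function names, the principal-manifest dict and the sample approval rows are assumptions constructed for the example. It runs the activation-time validation the way D.1 through D.8 describe it (exact class set, ≤24h age, drift invalidation, class derived from the login identity rather than trusted from the row, post-activation readiness gated on a fresh verifier) against a full quorum, a stale approval, a drifted hash, an operator-only attempt, and one login claiming a second class.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical activation-time quorum check. Class names come from the review table;
# column names, function names and sample rows are assumptions, not the spec's DDL.
Q_CRITICAL_3 = frozenset({"OPERATOR_MIGRATION", "CODEX_REVIEWER", "T2_HUMAN_REVIEWER"})
Q_STANDARD_2 = frozenset({"OPERATOR_MIGRATION", "CODEX_REVIEWER"})
APPROVAL_MAX_AGE = timedelta(hours=24)      # D.3
VERIFIER_DEADLINE = timedelta(minutes=15)   # D.7


@dataclass(frozen=True)
class Approval:
    session_user: str      # PG LOGIN role that wrote the row: the identity (D.8)
    principal_class: str   # class the row claims; must agree with the principal manifest
    manifest_hash: str     # exact candidate payload hash the approval was issued for (D.6)
    epoch: int
    scope: str
    evidence_hash: str
    approved_at: datetime


@dataclass(frozen=True)
class Candidate:
    manifest_hash: str
    epoch: int
    scope: str
    evidence_hash: str
    critical: bool


def is_fresh(a: Approval, now: datetime) -> bool:
    return timedelta(0) <= now - a.approved_at <= APPROVAL_MAX_AGE


def drifted(a: Approval, c: Candidate) -> bool:
    # D.4: any change to what was approved invalidates the approval regardless of age
    return (a.manifest_hash, a.epoch, a.scope, a.evidence_hash) != (
        c.manifest_hash, c.epoch, c.scope, c.evidence_hash)


def validate_quorum(c: Candidate, approvals: list, principal_manifest: dict, now: datetime):
    """Return (ok, reason). principal_manifest maps LOGIN role -> principal class (D.8)."""
    required = Q_CRITICAL_3 if c.critical else Q_STANDARD_2
    by_class: dict = {}
    for a in approvals:
        if not is_fresh(a, now) or drifted(a, c):
            continue                                   # stale or drifted rows never count
        # D.8: the class is taken from the controlled manifest keyed by the PG login, not
        # trusted from the row. D.5: one login maps to at most one class there, so a single
        # session can never be counted under two classes.
        if principal_manifest.get(a.session_user) != a.principal_class:
            return False, f"login {a.session_user!r} is not in class {a.principal_class!r}"
        by_class.setdefault(a.principal_class, set()).add(a.session_user)
    present = frozenset(by_class)
    if present != required:                            # D.1/D.2: exact class set, no substitutes
        return False, f"exact quorum not met: missing={sorted(required - present)}"
    logins = [u for users in by_class.values() for u in users]
    if len(set(logins)) != len(logins):                # D.5, belt and braces: distinct logins
        return False, "one login role counted under two classes"
    return True, "quorum satisfied"


def ready_after_activation(activated_at: datetime, verifier_at) -> bool:
    """D.7: readiness stays False until a fresh verifier result lands inside the deadline."""
    if verifier_at is None:
        return False
    return activated_at <= verifier_at <= activated_at + VERIFIER_DEADLINE


# Constructed sample data for the probes (not from the spec).
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
MANIFEST = {"op_migration": "OPERATOR_MIGRATION",      # LOGIN role -> class
            "codex_reviewer": "CODEX_REVIEWER",
            "t2_reviewer": "T2_HUMAN_REVIEWER"}
CAND = Candidate("sha256:aaaa", 7, "schema:public", "sha256:ev01", critical=True)
CAND_STD = Candidate("sha256:aaaa", 7, "schema:public", "sha256:ev01", critical=False)


def approval(user, cls, hours_ago=1, **drift):
    bound = dict(manifest_hash=CAND.manifest_hash, epoch=CAND.epoch,
                 scope=CAND.scope, evidence_hash=CAND.evidence_hash)
    bound.update(drift)
    return Approval(user, cls, approved_at=NOW - timedelta(hours=hours_ago), **bound)


def probe_results() -> dict:
    full = [approval("op_migration", "OPERATOR_MIGRATION"),
            approval("codex_reviewer", "CODEX_REVIEWER"),
            approval("t2_reviewer", "T2_HUMAN_REVIEWER")]
    stale = full[:2] + [approval("t2_reviewer", "T2_HUMAN_REVIEWER", hours_ago=25)]
    drift = full[:2] + [approval("t2_reviewer", "T2_HUMAN_REVIEWER", manifest_hash="sha256:bbbb")]
    two_hats = full[:2] + [approval("op_migration", "T2_HUMAN_REVIEWER")]  # same login, 2nd class
    return {
        "critical_full": validate_quorum(CAND, full, MANIFEST, NOW)[0],
        "standard_two": validate_quorum(CAND_STD, full[:2], MANIFEST, NOW)[0],
        "stale_third": validate_quorum(CAND, stale, MANIFEST, NOW)[0],
        "drifted_hash": validate_quorum(CAND, drift, MANIFEST, NOW)[0],
        "operator_alone": validate_quorum(CAND, full[:1], MANIFEST, NOW)[0],
        "one_login_two_classes": validate_quorum(CAND, two_hats, MANIFEST, NOW)[0],
        "verifier_in_time": ready_after_activation(NOW, NOW + timedelta(minutes=10)),
        "verifier_late": ready_after_activation(NOW, NOW + timedelta(minutes=16)),
        "verifier_missing": ready_after_activation(NOW, None),
    }
```

The point worth noticing is that the self-approval defence does not rest on the row's `principal_class` text at all: the class is looked up from the login identity, so a session that already holds OPERATOR_MIGRATION is rejected the moment it claims T2_HUMAN_REVIEWER, which is exactly the PG-native binding the review credits in D.5 and D.8. The residual case the probe list names (one person legitimately holding two distinct login roles) is invisible to this check by construction, which is why it belongs in the operator-process risk register rather than in the validator.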
Residual
The principal/quorum child contract DDL (exact columns binding class → login role, approval rows → manifest hash/epoch) is named-not-shown (cross-ref B). The quorum policy is complete; the schema that stores it is summarized.
Verdict: QUORUM_SPEC_COMPLETE
The quorum policy is fully and correctly specified (exact classes, sizes, freshness, drift-invalidation, anti-self-approval, hash/epoch binding, controlled identities). Only the storage DDL pends publication (B). This is the strongest-specified subsystem alongside capability.