KB-7A93
T1 FIX7 Adversarial Review - 08 Dependency Analyzer (SUPERTRACK H)
Revision 1
08 — Dependency Truth / Analyzer Review (SUPERTRACK H)
Source: 07-dependency-truth-analyzer-spec.md.
| # | Requirement | Spec answer | Verdict |
|---|---|---|---|
| H.1 | PG native dependency scope defined | PG catalog authoritative for identity/owner/ACL/native exposed edges/source | PASS |
| H.2 | PL/pgSQL body limitation acknowledged | "PG cannot prove full function-body callgraph" | PASS (correctly does not pretend; FIX6 proved func_to_func=0) |
| H.3 | external static analyzer manifest defined | analyzer in scripts/fix7/analyzer with sealed binary/version/feature/corpus/expected-result contract | PASS (contract defined; binary is a T1-built artifact) |
| H.4 | analyzer output sealed | sealed + manifest-bound | PASS |
| H.5 | source hash binds analyzer output | valid run requires exact roots/source set; immediate invalidation on drift | PASS (staleness binding — the prior-round gap, now closed) |
| H.6 | stale analyzer output fails | ≤24h + drift-invalidation; stale fails | PASS |
| H.7 | unknown dependency fails | no parse/unsupported/unresolved/unknown; unknown fails | PASS |
| H.8 | dynamic SQL manifest-bound + runtime OID checks | dynamic SQL forbidden unless target OID/template/callsite sealed + runtime membership checked | PASS |
| H.9 | no regex/source-text as authority | regex/source text diagnostic only | PASS |
Adversarial probes
- Is the analyzer trusted blindly? No — output is sealed, version/corpus/expected-result bound, ≤24h, and invalidated immediately on source drift. This closes the prior-round "staleness binding unspecified" gap.
- Can a body-call edge be hidden? The native subset is required to be a subset of analyzer edges; unknown/unsupported/unresolved fail-closed. Body-call truth comes from the analyzer, not pg_depend — consistent with the proven func_to_func=0 limitation.
- Residual: the analyzer binary itself does not exist yet (T1 builds it in FIX7a) and its determinism must be proven (same corpus → same output). That is an implementation check (doc 15), not a spec gap. The contract is complete.
Verdict: DEPENDENCY_SPEC_COMPLETE
The dependency-truth contract is complete and correct: PG limitation acknowledged, external sealed analyzer with source-hash staleness binding, unknown-fails, OID-checked dynamic SQL, regex demoted to diagnostic. No fake-callgraph authority. Implementation check: prove analyzer determinism + seal in FIX7a before any gate consumes it.
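A sketch of the fail-closed gate check that the probes and verdict describe (seal, version binding, source-hash drift, ≤24h age, unknown-fails, native edges as a subset of analyzer edges). This is an added example, not the project's analyzer or spec code. The manifest field names, the HMAC-SHA256 seal, the status value "resolved", and all sample data are assumptions constructed for illustration.

```python
import hashlib, hmac, json

MAX_AGE_S = 24 * 3600  # page: analyzer output is valid for at most 24h

def source_hash(sources):
    """Order-independent SHA-256 over the exact source set (path -> text)."""
    h = hashlib.sha256()
    for path in sorted(sources):
        h.update(path.encode() + b"\0" + sources[path].encode() + b"\0")
    return h.hexdigest()

def seal(manifest, key):
    """Assumed seal: HMAC-SHA256 over canonical JSON of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def gate(manifest, tag, key, sources, native_edges, now, version):
    """Return (ok, reason); every check fails closed."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        return False, "seal_mismatch"
    if manifest.get("analyzer_version") != version:
        return False, "version_mismatch"
    if manifest.get("source_hash") != source_hash(sources):
        return False, "source_drift"         # immediate invalidation on drift
    age = now - manifest.get("generated_at", 0)
    if not 0 <= age <= MAX_AGE_S:
        return False, "stale"
    edges = manifest.get("edges", [])
    if any(e.get("status") != "resolved" for e in edges):
        return False, "unknown_dependency"   # unsupported/unresolved/unknown
    analyzer = {(e.get("src"), e.get("dst")) for e in edges}
    if not set(native_edges) <= analyzer:
        return False, "native_edge_missing"  # catalog edge absent from analyzer
    return True, "ok"

# Constructed sample: one catalog-visible edge plus one PL/pgSQL body call (a -> b).
KEY = b"constructed-demo-key"
VERSION = "0.0.0-example"
SOURCES = {"fn/a.sql": "CREATE FUNCTION a() ... PERFORM b();"}
NATIVE = [("view_v", "table_t")]
MANIFEST = {"analyzer_version": VERSION, "source_hash": source_hash(SOURCES),
            "generated_at": 1_700_000_000,
            "edges": [{"src": "view_v", "dst": "table_t", "status": "resolved"},
                      {"src": "a", "dst": "b", "status": "resolved"}]}
TAG = seal(MANIFEST, KEY)

if __name__ == "__main__":
    print(gate(MANIFEST, TAG, KEY, SOURCES, NATIVE, 1_700_000_600, VERSION))
```

The determinism residual can be checked the same way: two analyzer runs over the same corpus must produce manifests whose canonical JSON, and therefore seal, are identical apart from the timestamp.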