T1 FIX7 Adversarial Review - 13 PG-Native-Driven (SUPERTRACK M)
13 — PG-First / Native / Driven Review (SUPERTRACK M)
Per-subsystem questions: is the truth in PG? Is it enforced by PG natives? Is it data-driven? Is it Directus-mutable? Does the runtime rewrite the denominator? Does app state influence eligibility?
| Subsystem | Truth in PG | PG-native enforcement | Manifest-driven | Directus-mutable | Notes |
|---|---|---|---|---|---|
| policy | yes | owner/role + typed engine over sealed rows | yes | no (design) / yes (live, pre-cutover) | no CASE |
| readiness | yes | exact-set over sealed manifest + guard outputs | yes | no (design) | bounded by 14 gates |
| signoff | yes | owner-only tables, LOGIN session_user, content-hash | yes | no (design)/yes(live) | append-only revoke/supersede |
| evidence | yes | owner-only, content-hash, independent read-back | yes | no (design)/yes(live) | |
| capability | yes | controlled VERIFIER measurements | yes | no (design)/yes(live) | numeric thresholds in manifest |
| dependency | yes (+sealed analyzer) | native catalog + sealed analyzer, OID-checked dynamic SQL | yes | no | analyzer external but sealed/source-hash-bound |
| hash | yes | pgcrypto digest sha256 + canonical JSONB | yes | no | key-maps unpublished |
| control_epoch | yes | single owner row, FOR SHARE/FOR UPDATE | yes | no | |
| no-bypass | yes | sealed BYPASS_VECTOR exact-set | yes | no | 14 vectors |
| writer/apply path | yes | forced through control-plane; FOR SHARE + reread; mutates only gateway | yes | no | fail-closed stub on rollback |
Classification
- PG_FIRST: PASS (design) — all truth in PG; the only external is the sealed analyzer (legitimate, source-hash-bound).
- PG_NATIVE: PASS (design) — enforcement is via roles/ownership/constraints/row-locks/session_user/SECURITY DEFINER functions, not source-text scans. This is a real upgrade from the FIX4/FIX5 "source-text scans + missing FKs" condition Codex itself flagged as PG_HOSTED_HARDCODE_REMAINS.
- PG_DRIVEN: PASS (design) — behavior derives from sealed typed manifest rows + live guard outputs, not embedded code decisions.
- Directus mutate authority? Design: NO. Live: YES (still owns precursor tables; INSERT/DELETE proven in the prior turn). Closed only at operator cutover.
- Runtime rewrites denominator? No (owner-only sealed manifest).
- App/UI/doc/manual influences eligibility? Design: no. Live: yes until cutover.
Why this is not PG-hosted hardcode
Unlike FIX4/FIX5 (fixed lists/literals in functions, source-text authority, app-owned control), FIX7 puts truth in sealed hashed manifests, enforces via PG role/ownership/constraint boundaries, and derives behavior from typed data. The remaining "app can mutate" condition is not hardcode — it is an un-executed cutover, explicitly operator-gated and readiness-blocking until done.
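The following is an added illustration of the pattern this section describes, not code from the FIX7 review or the project it assesses. It sketches a sealed manifest table owned by a control-plane role, a content hash over canonical JSONB via pgcrypto, an append-only trigger, a SECURITY DEFINER sealing function that keys on the LOGIN `session_user`, a single-row control epoch pinned with FOR SHARE, and an eligibility decision driven entirely by typed manifest data. All object names (`cp_owner`, `cp_operator`, `app_directus`, `cp_manifest`, `cp_control_epoch`, `cp_seal_manifest`, `cp_is_eligible`) and the sample thresholds are assumptions for the example.

```sql
-- Added example (not from the FIX7 review). All role/table/function names are assumed.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Control-plane owner; the app role never owns control-plane objects.
CREATE ROLE cp_owner NOLOGIN;
CREATE ROLE cp_operator LOGIN;     -- human operator login allowed to seal
CREATE ROLE app_directus LOGIN;    -- stands in for the app/Directus role

-- Sealed manifest rows: typed data, hashed, owner-only, append-only.
CREATE TABLE cp_manifest (
    manifest_id  bigserial   PRIMARY KEY,
    subsystem    text        NOT NULL,
    body         jsonb       NOT NULL,   -- jsonb is canonical: keys sorted, duplicates dropped
    content_hash text        NOT NULL,   -- sha256 over body::text
    sealed_at    timestamptz NOT NULL DEFAULT now(),
    sealed_by    name        NOT NULL DEFAULT session_user,  -- LOGIN role, not SET ROLE
    CONSTRAINT cp_manifest_hash_matches
        CHECK (content_hash = encode(digest(body::text, 'sha256'), 'hex'))
);
ALTER TABLE cp_manifest OWNER TO cp_owner;
REVOKE ALL ON cp_manifest FROM PUBLIC;
GRANT SELECT ON cp_manifest TO app_directus;   -- app can read, never write

-- Append-only: sealed rows are never rewritten, only superseded by newer rows.
CREATE OR REPLACE FUNCTION cp_manifest_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'cp_manifest is append-only (% on manifest_id %)', TG_OP, OLD.manifest_id;
END $$;
CREATE TRIGGER cp_manifest_no_rewrite
    BEFORE UPDATE OR DELETE ON cp_manifest
    FOR EACH ROW EXECUTE FUNCTION cp_manifest_immutable();

-- Single-row control epoch; CHECK(lock) plus PRIMARY KEY keeps it to one row.
CREATE TABLE cp_control_epoch (
    lock  boolean PRIMARY KEY DEFAULT true CHECK (lock),
    epoch bigint  NOT NULL DEFAULT 0
);
ALTER TABLE cp_control_epoch OWNER TO cp_owner;
INSERT INTO cp_control_epoch DEFAULT VALUES;

-- Sealing runs with the owner's rights but keys on the caller's LOGIN identity.
CREATE OR REPLACE FUNCTION cp_seal_manifest(p_subsystem text, p_body jsonb)
RETURNS text LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
DECLARE
    v_hash text;
BEGIN
    IF session_user <> 'cp_operator' THEN
        RAISE EXCEPTION 'sealing requires the operator login, got %', session_user;
    END IF;
    v_hash := encode(digest(p_body::text, 'sha256'), 'hex');
    INSERT INTO cp_manifest (subsystem, body, content_hash)
    VALUES (p_subsystem, p_body, v_hash);
    RETURN v_hash;
END $$;
ALTER FUNCTION cp_seal_manifest(text, jsonb) OWNER TO cp_owner;
REVOKE ALL ON FUNCTION cp_seal_manifest(text, jsonb) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION cp_seal_manifest(text, jsonb) TO cp_operator;

-- Eligibility: pin the epoch, read back the latest sealed manifest, re-verify its
-- hash, then compare measured values against the manifest's numeric thresholds.
-- Assumes the subsystem's manifest body is a flat object of numeric minimums.
CREATE OR REPLACE FUNCTION cp_is_eligible(p_subsystem text, p_measured jsonb)
RETURNS boolean LANGUAGE plpgsql AS $$
DECLARE
    v_epoch  bigint;
    v_row    cp_manifest%ROWTYPE;
    v_key    text;
    v_thresh numeric;
BEGIN
    SELECT epoch INTO v_epoch FROM cp_control_epoch FOR SHARE;

    SELECT * INTO v_row FROM cp_manifest
     WHERE subsystem = p_subsystem
     ORDER BY manifest_id DESC LIMIT 1;
    IF NOT FOUND THEN
        RETURN false;   -- fail closed: no sealed manifest means not eligible
    END IF;
    IF v_row.content_hash <> encode(digest(v_row.body::text, 'sha256'), 'hex') THEN
        RAISE EXCEPTION 'manifest % failed independent read-back hash check', v_row.manifest_id;
    END IF;

    FOR v_key, v_thresh IN
        SELECT key, value::numeric FROM jsonb_each_text(v_row.body)
    LOOP
        IF (p_measured ->> v_key) IS NULL OR (p_measured ->> v_key)::numeric < v_thresh THEN
            RETURN false;   -- missing or below-threshold measurement
        END IF;
    END LOOP;
    RETURN true;
END $$;

-- Constructed usage, run as cp_operator then as any reader:
--   SELECT cp_seal_manifest('capability', '{"min_free_mb": 512, "min_cpus": 2}');
--   SELECT cp_is_eligible('capability', '{"min_free_mb": 1024, "min_cpus": 4}');
```

The point of the layout is that nothing in `cp_is_eligible` is a literal: thresholds come from the sealed row, the row is re-hashed on read-back, and the epoch is held FOR SHARE so a concurrent cutover cannot slip in mid-decision. An `app_directus` session can read the manifest and call the decision function, but cannot insert, update or delete a manifest row, and cannot seal one even via `SET ROLE` because the sealing function keys on `session_user`, which `SET ROLE` does not change.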
Verdict: PG_NATIVE_DRIVEN_PARTIAL_OPERATOR_GATED
The design is genuinely PG-first/native/driven (not merely PG-hosted). It is PARTIAL only because enforcement is not yet live — Directus still owns the control plane pending the operator owner/ACL cutover (FIX7b). Not PG_NATIVE_DRIVEN_PASS (not yet enforced); not PG_HOSTED_HARDCODE_REMAINS (design is native-driven, no hardcode).