KB-36D6
T1 FIX7 Adversarial Review - 14 Risk Rollback (SUPERTRACK N)
Revision 1
14 — Risk & Rollback Review (SUPERTRACK N)
Source: 11-risk-rollback-no-go.md (+ 08, 09, 06).
Risk-register coverage (macro-required categories)
| Category | Covered? | Where |
|---|---|---|
| hardcode recurrence | yes | engines no-CASE + sealed manifests |
| Directus mutation | yes | owner-only + REVOKE (operator-gated) |
| readiness denominator | yes | sealed exact-set + quorum-to-reduce |
| signoff spoof | yes | LOGIN identity + content-hash + self-sign block |
| fake capability | yes | controlled VERIFIER measurements |
| hash ambiguity | yes | canonical JSONB + pgcrypto (key-maps unpublished) |
| dependency/callgraph limitation | yes | sealed analyzer + source-hash drift |
| TOCTOU | yes | control_epoch FOR SHARE/FOR UPDATE |
| manual SQL | yes | Level-B only; no psql/SSH/Directus fallback |
| privileged deploy | yes | quorum + production-owner environment |
| rollback | yes | layer-specific (below) |
| extension dependency | yes | PG16+pgcrypto NO-GO/operator-install (present live) |
| operator mistakes | partial | quorum + drift-invalidation reduce exposure; residual not addressed: one person holding two distinct login roles can satisfy quorum alone → add an operational control |
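The signoff-spoof and hash-ambiguity rows above rely on two mechanisms: a content hash computed over one canonical serialisation (so key order and whitespace cannot yield two hashes for one manifest) and a signoff that is bound to that hash, carries a LOGIN identity, and is refused when signer and author are the same login. The following is an added example in Python, not code from the FIX7 sources; it assumes SHA-256, a `signer_login` field on the signoff, and Python's `json.dumps` canonical form rather than PostgreSQL's JSONB text form.

```python
import hashlib
import json

# Added example (not the project's code). Assumed: SHA-256 and a LOGIN-role
# signer field called "signer_login". The real system hashes canonical JSONB
# with pgcrypto; its byte layout differs from Python's json.dumps output.


def canonical_hash(doc: dict) -> str:
    """Hash a manifest over one fixed serialisation.

    sort_keys (applied recursively), fixed separators and ASCII-only output
    mean key order, whitespace and Unicode escaping cannot produce two hashes
    for one logical document, which is the 'hash ambiguity' risk.
    """
    canon = json.dumps(doc, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def check_signoff(signoff: dict, manifest: dict, author_login: str) -> tuple[bool, str]:
    """Accept a signoff only when it is bound to the current content hash,
    carries a LOGIN identity, and was not produced by the manifest's author."""
    # Drift invalidation: a signoff over an earlier payload no longer matches.
    if signoff.get("content_hash") != canonical_hash(manifest):
        return False, "content-hash mismatch"
    signer = signoff.get("signer_login")
    if not signer:
        return False, "missing LOGIN identity"
    # Self-sign block: author and signer must be distinct logins.
    if signer == author_login:
        return False, "self-sign blocked"
    return True, "ok"


if __name__ == "__main__":
    # Constructed manifests: same content, different key order at both levels.
    m1 = {"engine": "analyzer", "version": 3, "cases": {"B": 1, "A": 2}}
    m2 = {"cases": {"A": 2, "B": 1}, "version": 3, "engine": "analyzer"}
    print(canonical_hash(m1) == canonical_hash(m2))
    good = {"content_hash": canonical_hash(m1), "signer_login": "reviewer_b"}
    print(check_signoff(good, m1, "author_a"))
    print(check_signoff(good, {**m1, "version": 4}, "author_a"))
    print(check_signoff({**good, "signer_login": "author_a"}, m1, "author_a"))
```

The caveat a practitioner should take from this: the hash is only unambiguous if every party serialises the same way. PostgreSQL's `jsonb::text` output orders keys by its own rule (length, then bytes), which is canonical but not byte-identical to `json.dumps(sort_keys=True)`, so hashes must be produced and compared on one side only, or both sides must run the identical serialiser; comparing a pgcrypto digest with a Python digest of the "same" document will always mismatch.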
Rollback coverage (macro-required layers)
| Layer | Rollback specified? |
|---|---|
| owner/ACL | yes — owner-gated Level-B, epoch-incrementing |
| manifests | yes — activate prior-payload version (no delete) |
| activation | yes — readiness/manifest activation rollback |
| writer repoint | yes — repoint to fail-closed stub |
| extension | yes — operator Level-B install/remove |
| analyzer manifest | yes — prior-version activation |
| readiness manifest | yes — prior-version activation |
| evidence/signoff state | yes — append-only revoke/supersede |
| epoch | yes — never decrements (monotonic; rollback = new forward state) |
Global no-go: missing rollback/evidence, unprovable sets, anchor drift, bypass, unknown dependency/evidence, bad quorum/freshness, missed 15-min verifier, pipeline unavailable/manual SQL. Unsafe restore → revoke writer + FIX7_FORWARD_COMPENSATION_BLOCKED.
Adversarial probes
- Does rollback restore the safe-blocked state? Yes — rollback is fail-closed (writer → fail-closed stub; readiness false); it never restores an unsafe writer and never deletes history. The monotonic epoch (no-decrement, forward-compensation) is the correct pattern.
- Residual: a quorum defeat in which one human controls two distinct login roles is not addressed (it is an organizational control, not a database one). Add it to the risk register.
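The rollback pattern the probes confirm (epoch never decrements, rollback is a new forward state, prior payload re-activated rather than restored by delete, writer repointed to the fail-closed stub) and the TOCTOU row (epoch re-checked under `FOR UPDATE`) fit in one small model. The following is an added example, not the project's own code: a Python model over SQLite in which a trigger enforces the monotonic epoch, delete triggers keep history append-only, and `BEGIN IMMEDIATE` plus a re-read of the head epoch stands in for PostgreSQL's `SELECT ... FOR UPDATE`. Table and column names, the stub writer name and the payload strings are assumptions.

```python
import sqlite3

# Added example (not the project's code). Table/column names, the stub name and
# SQLite-in-place-of-PostgreSQL are assumptions for illustration only.
FAIL_CLOSED_STUB = "fail_closed_stub"
LIVE_WRITER = "fix7_writer"

SCHEMA = """
CREATE TABLE manifest_version (
    manifest TEXT NOT NULL, version INTEGER NOT NULL, payload TEXT NOT NULL,
    PRIMARY KEY (manifest, version));
CREATE TABLE control_epoch (
    epoch INTEGER PRIMARY KEY, analyzer_version INTEGER, writer_target TEXT NOT NULL,
    readiness INTEGER NOT NULL, reason TEXT NOT NULL);
-- Monotonic epoch: a control state may only be appended with a larger epoch.
CREATE TRIGGER epoch_monotonic BEFORE INSERT ON control_epoch
WHEN NEW.epoch <= (SELECT COALESCE(MAX(epoch), 0) FROM control_epoch)
BEGIN SELECT RAISE(ABORT, 'epoch must increase'); END;
-- Append-only history: prior versions and epochs are never deleted.
CREATE TRIGGER no_manifest_delete BEFORE DELETE ON manifest_version
BEGIN SELECT RAISE(ABORT, 'manifest versions are never deleted'); END;
CREATE TRIGGER no_epoch_delete BEFORE DELETE ON control_epoch
BEGIN SELECT RAISE(ABORT, 'epochs are never deleted'); END;
"""


def open_store() -> sqlite3.Connection:
    """Create the model and seed epoch 1 in the safe-blocked state."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # manual BEGIN/COMMIT
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO control_epoch VALUES (1, NULL, ?, 0, 'initial safe-blocked')",
                 (FAIL_CLOSED_STUB,))
    return conn


def current(conn) -> tuple:
    """(epoch, analyzer_version, writer_target, readiness, reason) of the head epoch."""
    return conn.execute("SELECT epoch, analyzer_version, writer_target, readiness, reason "
                        "FROM control_epoch ORDER BY epoch DESC LIMIT 1").fetchone()


def publish_manifest(conn, name: str, version: int, payload: str) -> None:
    conn.execute("INSERT INTO manifest_version VALUES (?, ?, ?)", (name, version, payload))


def advance(conn, expected_epoch, analyzer_version, writer_target, readiness, reason) -> int:
    """Append the next control state under the write lock.
    BEGIN IMMEDIATE takes the lock first (standing in for SELECT ... FOR UPDATE on
    control_epoch) and the head epoch is re-read under it, so a state that moved
    after the caller inspected it is rejected instead of silently overwritten."""
    conn.execute("BEGIN IMMEDIATE")
    try:
        (head,) = conn.execute("SELECT MAX(epoch) FROM control_epoch").fetchone()
        if head != expected_epoch:
            raise RuntimeError(f"epoch moved: expected {expected_epoch}, found {head}")
        conn.execute("INSERT INTO control_epoch VALUES (?, ?, ?, ?, ?)",
                     (head + 1, analyzer_version, writer_target, readiness, reason))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return head + 1


def _require_published(conn, name, version) -> None:
    if conn.execute("SELECT 1 FROM manifest_version WHERE manifest = ? AND version = ?",
                    (name, version)).fetchone() is None:
        raise LookupError(f"{name} v{version} was never published")


def activate(conn, expected_epoch, name, version) -> int:
    """Forward activation: analyzer on a published version, live writer, readiness true."""
    _require_published(conn, name, version)
    return advance(conn, expected_epoch, version, LIVE_WRITER, 1, f"activate {name} v{version}")


def rollback(conn, expected_epoch, name, prior_version) -> int:
    """Rollback is itself a forward epoch: prior payload re-activated, writer repointed
    to the fail-closed stub, readiness false. Nothing is deleted or decremented."""
    _require_published(conn, name, prior_version)
    return advance(conn, expected_epoch, prior_version, FAIL_CLOSED_STUB, 0,
                   f"rollback to {name} v{prior_version}")


def try_decrement_epoch(conn) -> bool:
    """Attempt what a rollback must never do; True only if the store allowed it."""
    try:
        conn.execute("INSERT INTO control_epoch VALUES (0, NULL, ?, 0, 'illegal')",
                     (FAIL_CLOSED_STUB,))
        return True
    except sqlite3.DatabaseError:
        return False


def stale_write_rejected(conn, stale_epoch) -> bool:
    """True if a write based on an out-of-date epoch observation is refused."""
    try:
        advance(conn, stale_epoch, None, FAIL_CLOSED_STUB, 0, "stale")
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    db = open_store()
    publish_manifest(db, "analyzer", 1, '{"rules": "v1"}')  # constructed payloads
    publish_manifest(db, "analyzer", 2, '{"rules": "v2"}')
    print(activate(db, 1, "analyzer", 2), current(db))
    print(rollback(db, 2, "analyzer", 1), current(db))
    print(try_decrement_epoch(db), stale_write_rejected(db, 2))
```

Two things the model makes concrete. First, after `rollback` the head epoch is 3, not 1: the prior payload is back, but as a new state with the writer on the stub and readiness false, so the history of the bad activation survives for evidence. Second, the stale-epoch rejection is what closes the TOCTOU window: an operator (or a second quorum member) who inspected epoch 2, was preempted by the rollback, and then tries to act on epoch 2 is refused inside the transaction rather than overwriting epoch 3.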
Verdict: RISK_ROLLBACK_COMPLETE
Risk register and rollback are comprehensive and fail-closed across all required layers. One operational control remains to be added (operator mistake: a single human holding two login roles). Rollback restores the safe-blocked state by design.