KB-622A

T1 FIX7 Adversarial Review - 15 Technical Feasibility & Scale (SUPERTRACK O)

5 min read Revision 1
Tags: QT001, FIX7, T1, feasibility, scale, supertrack-o

15 — Technical Feasibility & Scale Review (SUPERTRACK O)

Live environment (read-only, verified 2026-06-08): PostgreSQL 16.13; pgcrypto 1.3 installed; QT001 control tables still owned by directus; qt001_cp_owner absent (design-only).

| Check | Finding | Verdict |
|---|---|---|
| constraints/FK/CHECK valid for schema | "exactly one ACTIVE/type" → partial unique index (PG16 ✓); immutability → trigger/owner-only + no-delete; FK manifest↔child standard | FEASIBLE (DDL not published → cannot byte-verify) |
| role/owner/GRANT/REVOKE without breaking Directus reads | spec REVOKEs DML/DDL/execute from Directus but is silent on retaining SELECT; Directus app/REST read paths need SELECT on any qt001 table it reads | FEASIBLE iff cutover grants Directus SELECT (not all-revoke); must be made explicit — see correction |
| SECURITY DEFINER without privilege escalation | definer functions owned by NOLOGIN qt001_cp_owner, search_path pinned, no dynamic SQL except OID-checked | FEASIBLE (standard hardening; must pin search_path + REVOKE EXECUTE from PUBLIC) |
| SHA-256 / canonical JSONB in current PG | pgcrypto digest() present; jsonb_build_object + ordered arrays native to PG16 | FEASIBLE (verified) |
| extension availability / operator-installable | pgcrypto already installed; no install needed | FEASIBLE (verified) |
| exact-set readiness bounded by gate/manifest count, not object count | denominator = 14-gate manifest; gates evaluate control-plane facts, not the 1.2M/100M object table | SCALE-SAFE |
| control_epoch without deadlock/race | single-row FOR SHARE/FOR UPDATE, consistent lock order, reread-before-commit | FEASIBLE (low deadlock risk; needs concurrency test) |
| analyzer output sealed deterministically | sealed binary/version/corpus/expected-result; same corpus → same output | FEASIBLE (T1 must prove determinism) |
| Level-B pipeline runnable | GitHub Actions + production-owner environment + secret-manager owner credential | OPERATOR/INFRA-GATED — existence not verifiable from PG; fail-closed if absent |
| rollback restores safe-blocked state | fail-closed writer stub; readiness false; monotonic epoch | FEASIBLE |
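The schema and privilege pattern the table above judges feasible, written out as an added SQL example for PostgreSQL 16. This is an illustration, not the QT001 DDL (which the review notes is unpublished). The roles qt001_cp_owner and directus come from the review; the schema qt001, the tables manifest, manifest_item and control_epoch with their columns, and the operator role qt001_operator are assumptions made for the example.

```sql
-- Added example; not the QT001 spec's DDL (unpublished). Schema qt001, the
-- three tables and their columns, and the role qt001_operator are assumed.

-- 1. Control-plane owner is NOLOGIN: nothing connects as it, so every write
--    goes through the SECURITY DEFINER functions it owns. Objects below are
--    created while acting as that role, so it owns them outright.
CREATE ROLE qt001_cp_owner NOLOGIN;
CREATE ROLE qt001_operator;                 -- assumed: role allowed to activate
CREATE SCHEMA qt001 AUTHORIZATION qt001_cp_owner;
SET ROLE qt001_cp_owner;

CREATE TABLE qt001.manifest (
    manifest_id    bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    type           text  NOT NULL,
    lifecycle      text  NOT NULL CHECK (lifecycle IN ('DRAFT', 'ACTIVE', 'RETIRED')),
    payload        jsonb NOT NULL,
    payload_sha256 bytea NOT NULL CHECK (octet_length(payload_sha256) = 32)
);
-- "Exactly one ACTIVE per type" is a partial unique index, native to PG16.
CREATE UNIQUE INDEX manifest_one_active_per_type
    ON qt001.manifest (type) WHERE lifecycle = 'ACTIVE';
-- Index the scale table recommends for the exact-set readiness lookup.
CREATE INDEX manifest_type_lifecycle ON qt001.manifest (type, lifecycle);

CREATE TABLE qt001.manifest_item (
    manifest_id bigint NOT NULL REFERENCES qt001.manifest (manifest_id),
    ordinal     int    NOT NULL,
    gate_name   text   NOT NULL,
    PRIMARY KEY (manifest_id, ordinal)      -- doubles as the recommended index
);

CREATE TABLE qt001.control_epoch (
    id    int    PRIMARY KEY CHECK (id = 1), -- exactly one row, ever
    epoch bigint NOT NULL CHECK (epoch >= 0)
);
INSERT INTO qt001.control_epoch VALUES (1, 0);

-- 2. Immutability: no deletes, and type/payload/hash never change once written;
--    only lifecycle may advance.
CREATE FUNCTION qt001.manifest_guard() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        RAISE EXCEPTION 'qt001.manifest is append-only';
    END IF;
    IF NEW.type <> OLD.type
       OR NEW.payload IS DISTINCT FROM OLD.payload
       OR NEW.payload_sha256 IS DISTINCT FROM OLD.payload_sha256 THEN
        RAISE EXCEPTION 'qt001.manifest payload is immutable';
    END IF;
    RETURN NEW;
END $$;
CREATE TRIGGER manifest_guard BEFORE UPDATE OR DELETE ON qt001.manifest
    FOR EACH ROW EXECUTE FUNCTION qt001.manifest_guard();

-- 3. The only write path. SECURITY DEFINER runs as qt001_cp_owner; search_path
--    is pinned and every object is schema-qualified, so a caller cannot shadow
--    a referenced name; there is no dynamic SQL. Lock order is fixed (DRAFT row,
--    then ACTIVE row of the type, then the single epoch row) so two concurrent
--    activations cannot deadlock.
CREATE FUNCTION qt001.activate_manifest(p_manifest_id bigint) RETURNS bigint
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, pg_temp AS $$
DECLARE
    v_type  text;
    v_epoch bigint;
BEGIN
    SELECT m.type INTO v_type FROM qt001.manifest m
     WHERE m.manifest_id = p_manifest_id AND m.lifecycle = 'DRAFT' FOR UPDATE;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'manifest % is not a DRAFT', p_manifest_id;
    END IF;
    -- Retire the current ACTIVE row of this type first, or the partial
    -- unique index rejects the activation.
    UPDATE qt001.manifest SET lifecycle = 'RETIRED'
     WHERE type = v_type AND lifecycle = 'ACTIVE';
    UPDATE qt001.manifest SET lifecycle = 'ACTIVE' WHERE manifest_id = p_manifest_id;
    UPDATE qt001.control_epoch SET epoch = epoch + 1 WHERE id = 1
     RETURNING epoch INTO v_epoch;          -- monotonic, never decremented
    RETURN v_epoch;
END $$;

-- 4. ACL cutover. Directus keeps SELECT (the correction this review raises) and
--    loses DML/DDL/EXECUTE; the definer function is callable by the operator
--    role only, never by PUBLIC.
REVOKE ALL ON ALL TABLES IN SCHEMA qt001 FROM directus;
GRANT USAGE ON SCHEMA qt001 TO directus;
GRANT SELECT ON ALL TABLES IN SCHEMA qt001 TO directus;
REVOKE EXECUTE ON ALL FUNCTIONS IN SCHEMA qt001 FROM PUBLIC;
GRANT USAGE ON SCHEMA qt001 TO qt001_operator;
GRANT EXECUTE ON FUNCTION qt001.activate_manifest(bigint) TO qt001_operator;
RESET ROLE;
```

Under these assumptions, `SELECT qt001.activate_manifest(42);` run as qt001_operator flips one DRAFT to ACTIVE, retires the previous ACTIVE of that type and bumps the epoch in a single transaction; the same call as directus fails with permission denied while `SELECT * FROM qt001.manifest` still succeeds, which is the read-path survival the second row of the table asks the spec to state explicitly. A concurrency test that fires two activations of the same type at once should observe exactly one ACTIVE row and two consecutive epoch values, never an error other than the DRAFT check.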

Scale (assume 100,000,000+ objects)

| Anti-pattern | Present? | Evidence |
|---|---|---|
| full-table scans on hot paths | No | readiness/gates are control-plane (14 rows + manifest counts), not object scans |
| row-by-row loops for backfill/apply | N/A to FIX7a | apply/backfill is 2.6B/REAL_RUN, blocked; FIX7 is control-plane only |
| unbounded recursive dependency expansion | No | analyzer runs over a sealed function corpus (bounded set), not the live object graph |
| non-indexed exact-set checks | Risk-managed | manifest EXCEPT over ~tens of rows; index (type, lifecycle) + child (manifest_id, ordinal) recommended |
| JSONB scans without indexed keys | No on hot path | hashing is over manifest/control-state payloads (small), computed at activation, not per object |
| readiness grows with object count | No | grows with gate/manifest count (constant 14) |
| hash over unbounded runtime data | No | hashes cover manifest/control state, not object data |
| ledger/resume unsafe after interruption | Deferred | CRASH_SAFE_RESUME capability gate tests this for the apply path (2.6B); FIX7a control-plane has no long-running backfill |
| locks blocking production writers | No | epoch is one control-plane row; production object writers are unaffected; the QT001 writer touches only the gateway |
| evidence/capability tables grow without retention | Minor | append-only evidence/measurement tables grow per run; add retention/partition policy (not load-bearing for correctness) — recommended |
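The two cost claims in the scale table, an exact-set readiness check over tens of rows and a SHA-256 over the canonical manifest payload rather than object data, as an added SQL example (not the spec's code). It assumes qt001.manifest (manifest_id, type, lifecycle, payload) and qt001.manifest_item (manifest_id, ordinal, gate_name) as in the feasibility table, an assumed qt001.capability_gate (gate_name, status) table holding the 14 gate results, and pgcrypto installed in the public schema.

```sql
-- Added example, not QT001 code. Assumed tables: qt001.manifest(manifest_id,
-- type, lifecycle, payload), qt001.manifest_item(manifest_id, ordinal,
-- gate_name), qt001.capability_gate(gate_name, status). pgcrypto is assumed to
-- live in schema public, hence public.digest() under the pinned search_path.

-- Canonical SHA-256 of a manifest. jsonb normalises key order on storage
-- (shorter keys first, then bytewise), and the child rows are folded in as an
-- array ordered by ordinal, so the same manifest always serialises to the same
-- bytes. The input is the manifest row and its ~14 children, never the object
-- table, so hashing cost is constant in object count.
CREATE FUNCTION qt001.manifest_sha256(p_manifest_id bigint) RETURNS bytea
LANGUAGE sql STABLE SET search_path = pg_catalog, pg_temp AS $$
    SELECT public.digest(
             convert_to(
               jsonb_build_object(
                 'type',    m.type,
                 'payload', m.payload,
                 'items',   COALESCE((SELECT jsonb_agg(
                                        jsonb_build_object('ordinal', i.ordinal,
                                                           'gate',    i.gate_name)
                                        ORDER BY i.ordinal)
                                       FROM qt001.manifest_item i
                                      WHERE i.manifest_id = m.manifest_id),
                                     '[]'::jsonb)
               )::text, 'UTF8'),
             'sha256')
      FROM qt001.manifest m
     WHERE m.manifest_id = p_manifest_id;
$$;

-- Exact-set readiness: the set of gates the ACTIVE manifest requires must equal
-- the set of gates currently passing, in both directions. Each EXCEPT leg sees
-- tens of rows via the (type, lifecycle) and (manifest_id, ordinal) indexes;
-- cost is bounded by gate count, not object count. With no ACTIVE manifest the
-- function returns false, the fail-closed state the rollback row describes.
CREATE FUNCTION qt001.is_ready(p_type text) RETURNS boolean
LANGUAGE sql STABLE SET search_path = pg_catalog, pg_temp AS $$
    WITH required AS (
        SELECT i.gate_name
          FROM qt001.manifest m
          JOIN qt001.manifest_item i USING (manifest_id)
         WHERE m.type = p_type AND m.lifecycle = 'ACTIVE'
    ),
    passing AS (
        SELECT g.gate_name FROM qt001.capability_gate g WHERE g.status = 'PASS'
    )
    SELECT EXISTS (SELECT 1 FROM required)
       AND NOT EXISTS (SELECT gate_name FROM required
                       EXCEPT SELECT gate_name FROM passing)
       AND NOT EXISTS (SELECT gate_name FROM passing
                       EXCEPT SELECT gate_name FROM required);
$$;
```

To confirm the scale claim in a live environment, run EXPLAIN over the body of is_ready with a literal type: every relation in the plan should be one of the two control tables and capability_gate, and the object table should not appear at all. On tables this small the planner may still choose sequential scans over the recommended indexes; that is expected and harmless, since the bound comes from the row count (14 gates), not from the access method.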

Verdict: IMPLEMENTABLE_WITH_OPERATOR_GATED_STEPS

The design is technically feasible in the real PG16 environment and scale-safe (readiness/hash/epoch are control-plane-bounded, object-count-independent). Live steps (role/owner/ACL/extension-if-any/activation/repoint) and the Level-B CI channel are operator/infra-gated. Two explicit feasibility items to confirm in the spec: (1) the owner cutover must retain Directus SELECT so app read paths survive REVOKE; (2) the Level-B GitHub-Actions production-owner environment + secret-manager owner credential must be confirmed to exist (fail-closed if not). Add evidence-table retention/partition as a scale hygiene item.

knowledge/dev/reports/architecture/t1-fix7-implementation-spec-full-adversarial-review-2026-06-07/15-technical-feasibility-scale-review.md