16 — Disguised-Hardcode Adversarial Scan (SUPERTRACK P)

Hunt for hardcode hidden inside "manifest / rule / threshold / registry / evidence / dependency / readiness".

Suspected disguised-hardcode pattern	Finding	Class
manifest with fixed answers but not sealed/hashed/versioned/owner-controlled	manifests are sealed (payload SHA-256), versioned, owner-only, one-ACTIVE/type, immutable, no-delete	CLEAN
rule row that is prose/label, not machine-enforced	rules are typed operator/policy rows executed by generic engines; missing/extra/NULL/unknown fail	CLEAN (engine bodies not yet built; design CLEAN)
tier/verdict/action decided by hidden CASE/list in a function	"no metadata-ID CASE/list"; verdicts computed from sealed rows; "no caller PASS"	CLEAN
fixed threshold without manifest provenance + activation quorum	capability thresholds (1M/600000ms/1GiB/7d/24h) are measurement/workload manifest rows under activation quorum	CLEAN (schema not shown → verify on publish)
readiness denominator editable by rows	denominator = sealed manifest, owner-only, reduce-only via Q_CRITICAL_3	CLEAN
bypass-vector list manually curated, not exact-set sealed	14 vectors = sealed BYPASS_VECTOR exact-set; but enumerated only by coverage in KB	DISGUISED_HARDCODE_RISK (low) — enumerate
dependency manifest manually trusted, not source-hash/analyzer-bound	analyzer output sealed + source-hash drift-invalidation; unknown fails	CLEAN
capability proof = "verified=true" row without controlled verifier	capability = controlled-VERIFIER typed measurements; lifecycle cannot assert PASS	CLEAN
principal/reviewer as string label	LOGIN session_user classes via controlled manifest; no proxy/shared role	CLEAN
routed-later without blocking-now	owner cutover/REVOKE routed to operator, but readiness BLOCKED now (cutover-complete + Directus-no-write gates; live: signoff=0/cap=0)	CLEAN
hash key-map fixed but not published/reviewable	7 contracts named; key-maps asserted, not shown	DISGUISED_HARDCODE_RISK (low) — publish

Net

No HARD_FAIL. Every "configuration/manifest/threshold/evidence" surface is, by design, sealed + hashed + versioned + owner-controlled + quorum-gated — i.e. not disguised hardcode. The two low DISGUISED_HARDCODE_RISK items are identical to the final-verdict gap: the artifacts (explicit 14 bypass vectors; 7 hash key-maps) are asserted to be exact-set/specified but not published for review. The risk is "unverifiable," not "hardcoded."

Verdict: ZERO_DISGUISED_HARDCODE_PASS (design), 2 low risks pending artifact publication

Closed by the same correction as the final verdict — publish the enumerated bypass-vector set and the hash key-maps so "exact-set sealed" is reviewable rather than taken on assertion.