KB-41BF

T1 FIX7 Adversarial Review - 17 Final Go No-Go (SUPERTRACK Q)


17 — Final Go / No-Go (SUPERTRACK Q)

FINAL: DESIGN_NEEDS_CODEX_CORRECTION_BEFORE_IMPLEMENTATION

IMPLEMENTATION_FEASIBILITY_VERDICT: IMPLEMENTABLE_WITH_OPERATOR_GATED_STEPS

(The macro permits this pairing: it forbids DESIGN_CONFIRMED unless feasibility ∈ {IMPLEMENTABLE_AS_SPECIFIED, IMPLEMENTABLE_WITH_OPERATOR_GATED_STEPS} — a necessary, not sufficient, condition. Feasibility is met; the block is artifact-completeness / "without guessing.")

Why not each alternative

  • NOT DESIGN_CONFIRMED_T1_CAN_IMPLEMENT_FIX7A: three classes of byte-level build artifact are asserted but not published/reviewable — exact manifest_set + 27 child-contract DDL (types/PK/FK/CHECK), the 14 readiness gate adapter rule sets, and the 7 hash payload key-maps. The macro lists "schema columns" and "hash inputs" as guess-rejection triggers and forbids "assuming resolved." I cannot confirm artifacts I cannot see; Codex's "are specified" + self-eval 20/20 are evidence, not authority (doc 12 states it is a self-check, not verification).
  • NOT DESIGN_FAIL_HARDCODE_OR_PG_NATIVE_GAP: no hardcode found; the design is genuinely PG-first/native/driven (sealed hashed manifests, role/ownership/constraint/row-lock/session_user enforcement, no CASE). Zero-hardcode and disguised-hardcode scans PASS at design level.
  • NOT DESIGN_FAIL_SCALE_RISK: readiness/hash/epoch are control-plane-bounded (constant 14 gates), object-count-independent; capability uses a fixed 1M representative workload; no hot-path full scans or object-blocking locks. Scale-safe.
  • NOT READ_PATH_BLOCKED: all 14 Codex docs + checkpoints + context read; verdict rendered.

What is accepted (do not re-litigate)

The decisions for all 12 prior blockers are accepted and sound: quorum (D), signoff lifecycle (E), capability (F), dependency/analyzer (H), control_epoch (I), Level-B spec (J), boundary (K), risk/rollback (N), and feasibility (O). PG16+pgcrypto verified live. This is a large, genuine advance over the prior DESIGN_BLOCKED.

Exact corrections required before T1 implements (narrow)

  1. Publish exact manifest DDL: manifest_set column types/PK/FK/CHECK + all 27 child-contract schemas + per-manifest negative tests, as reviewable docs/files. (SUPERTRACK B → MANIFEST_SPEC_PARTIAL)
  2. Publish the 14 readiness gate adapter rule sets + per-gate freshness (the enforcement logic per named gate). (C)
  3. Publish the 7 hash payload key-maps — ordered key list + domain tag + NULL rule + sensitivity tests per contract. (G → HASH_SPEC_PARTIAL)
  4. Enumerate the 14 bypass vectors explicitly (not by coverage description) so the exact-set seal is reviewable. (L/P low risks)
  5. Make two feasibility items explicit: owner cutover must retain Directus SELECT (so REVOKE doesn't break app read paths); confirm the Level-B GitHub-Actions production-owner environment + secret-manager owner credential exist (fail-closed if absent). (O)
  6. Add the required T1 self-audit dashboard as a named deliverable (FIX6 discipline: self-audit + independent adversarial read-only sub-check; self_audit_pass + independent CONFIRM). (K.7)
  7. Add one operational control for the single-human-controls-two-login-roles quorum-defeat. (N)
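To make concrete what correction 3 asks for (an ordered key list, a domain tag, an explicit NULL rule, and a sensitivity test per contract), here is an added illustration of the shape such a key-map and its check would take. It is not one of Codex's 7 key-maps and not the project's pgcrypto implementation; the key-map contents, the record fields, and the NULL marker are constructed assumptions, and it uses Python's hashlib rather than PostgreSQL so it can run stand-alone.

```python
import hashlib
import json

# Constructed, hypothetical key-map (NOT one of the project's 7 real key-maps).
# A reviewable key-map must pin all four of these things down explicitly.
KEY_MAP = {
    "domain_tag": "example-contract-v1",                      # separates hash domains
    "keys": ("manifest_id", "schema_version", "owner_role", "payload"),  # fixed order
}

# NULL rule: absent or None encodes to a marker that no JSON value can collide
# with, so NULL and "" (or NULL and "null") never hash the same.
NULL_MARKER = b"\x00NULL"

# Constructed sample record; assumed field names, not the project's schema.
SAMPLE_RECORD = {
    "manifest_id": "m-0001",
    "schema_version": 3,
    "owner_role": "contract_owner",
    "payload": {"tables": ["a", "b"], "checks": 2},
}


def canonical_payload(record, key_map=KEY_MAP):
    """Serialise a record into the exact bytes that get hashed.

    Domain tag first, then each key in the key-map's fixed order. Every value is
    length-prefixed so a field boundary can never be moved by crafted input.
    Keys outside the map are rejected instead of being silently ignored."""
    unknown = set(record) - set(key_map["keys"])
    if unknown:
        raise ValueError(f"keys outside the key-map: {sorted(unknown)}")
    parts = [key_map["domain_tag"].encode()]
    for k in key_map["keys"]:
        v = record.get(k)
        if v is None:
            enc = NULL_MARKER
        else:
            # Canonical JSON: sorted object keys, no whitespace.
            enc = json.dumps(v, sort_keys=True, separators=(",", ":")).encode()
        parts.append(f"{k}:{len(enc)}:".encode() + enc)
    return b"|".join(parts)


def payload_hash(record, key_map=KEY_MAP):
    """SHA-256 over the canonical bytes, as a hex digest."""
    return hashlib.sha256(canonical_payload(record, key_map)).hexdigest()


def sensitivity_report(record, key_map=KEY_MAP):
    """Per-key sensitivity test: perturb each key in turn (to NULL, or to a
    value if it was NULL) and confirm the hash moves. Returns the keys whose
    change was NOT detected; an empty list is a pass."""
    base = payload_hash(record, key_map)
    insensitive = []
    for k in key_map["keys"]:
        mutated = dict(record)
        mutated[k] = None if record.get(k) is not None else "x"
        if payload_hash(mutated, key_map) == base:
            insensitive.append(k)
    return insensitive


if __name__ == "__main__":
    print("hash:", payload_hash(SAMPLE_RECORD))
    print("insensitive keys:", sensitivity_report(SAMPLE_RECORD))
```

The reviewable artifact is the key-map plus the four properties the test pins down: every key in the map is hash-sensitive, NULL and empty string hash differently, reordering the key list changes the digest, and the same record under a different domain tag yields a different digest. Without those written down per contract, "hash inputs" remain a guess.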

Alternatively: if the full-spec artifacts (1–3) already exist as authored files outside the KB, surface them into a reviewable location and this flips to CONFIRMED in a short re-review. Codex must NOT delegate authoring of these authoritative artifacts to T1 without a subsequent Codex re-audit of what T1 authored (else the FIX..FIX6 divergence loop repeats).

If/when CONFIRMED — the boundary that will apply (not yet authorized)

  • GO (author/test only): T1 authors repo DDL/functions/tests/manifests/packets/analyzer + local rehearsal; runs the required self-audit + independent adversarial sub-check.
  • NO-GO (operator-gated): all live role/owner/ACL/REVOKE/extension/activation/scheduler/writer-repoint; FIX7b; FIX7c; manual privileged SQL.
  • HARD BLOCK (unchanged & confirmed): No Stage 2.6B. No permit. No REAL_RUN. No QT001 apply. Readiness stays BLOCKED and scale NOT_SAFE until owner cutover + fresh post-activation evidence + a fresh independent Codex re-audit.

One line

Decisions complete and sound; technically feasible and scale-safe on the live PG16 stack; but publish the exact manifest/child DDL, the 14 gate adapter rule sets, and the 7 hash key-maps for review first — then a short re-review → DESIGN_CONFIRMED_T1_CAN_IMPLEMENT_FIX7A.

Path: knowledge/dev/reports/architecture/t1-fix7-implementation-spec-full-adversarial-review-2026-06-07/17-final-go-no-go.md