KB-295E
Supertrack L — PG-First / Native / Driven Final Scan
Revision 1
12 — Supertrack L: PG-first / native / driven final scan
Verdict: PG_NATIVE_DRIVEN_VERIFIED.
| Check | Result | Basis |
|---|---|---|
| truth lives in PG | ✅ | sealed manifest rows + runtime fact rows + pg_constraint/pg_index/pg_class structural truth |
| enforcement uses PG roles / ownership / FK / CHECK / constraints / functions / views | ✅ | owner qt001_cp_owner NOLOGIN; RESTRICT/RESTRICT/NOT DEFERRABLE FKs; typed-domain CHECKs; UNIQUE slot keys; generic guards; both-EXCEPT comparison views |
| behavior is manifest / rule-driven | ✅ | thresholds, retention, separation pairs, quorum slots, partition cadence, family count — all sealed rows, not code |
| functions do not embed policy decisions | ✅ | generic guards derive pass/blocked from sealed rows + facts; no literals; fn_assert_catalog_family / fn_assert_typed_operand are no-literal |
| readiness exact-set sealed | ✅ | both-EXCEPT child/envelope, family coverage, constraint set, adapter edges, Directus reads |
| writer / apply path forced through control-plane | ✅ | runtime tables owner-only + append-only; Directus/PUBLIC no DML; pass/blocked not caller-authored |
| Directus cannot mutate authority after cutover | ✅ | SELECT-only listed business objects; sealed read-contract #21; no control-plane authority |
| readiness blocked before cutover | ✅ | seal/activate only if every both-EXCEPT/hash/constraint check passes; all live actions operator-gated |
| no UI/app/manual state affects eligibility | ✅ | eligibility from sealed manifests + PG-structural truth + evidence; no UI/app input |
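
The structural rows above (NOLOGIN owner, RESTRICT/RESTRICT/NOT DEFERRABLE FKs, no DML for non-owners) can be re-derived from the PostgreSQL catalogs. The queries below are an added example, not part of the reviewed design; the only identifier taken from the page is the role name `qt001_cp_owner`, and they assume the control-plane tables are exactly the tables owned by that role.

```sql
-- 1. The owner role must not be able to log in.
--    Expect one row with rolcanlogin = false.
SELECT rolname, rolcanlogin
FROM pg_roles
WHERE rolname = 'qt001_cp_owner';

-- 2. Foreign keys on owner-held tables that deviate from
--    ON UPDATE RESTRICT / ON DELETE RESTRICT / NOT DEFERRABLE.
--    confupdtype / confdeltype: 'r' = RESTRICT, 'a' = NO ACTION,
--    'c' = CASCADE, 'n' = SET NULL, 'd' = SET DEFAULT.
--    Expect zero rows.
SELECT c.conrelid::regclass AS table_name,
       c.conname,
       c.confupdtype,
       c.confdeltype,
       c.condeferrable
FROM pg_constraint c
JOIN pg_class t ON t.oid = c.conrelid
JOIN pg_roles o ON o.oid = t.relowner
WHERE o.rolname = 'qt001_cp_owner'
  AND c.contype = 'f'
  AND (c.confupdtype <> 'r' OR c.confdeltype <> 'r' OR c.condeferrable);

-- 3. DML privileges granted on owner-held tables to anyone other
--    than the owner. Grantee OID 0 is PUBLIC. A NULL relacl means
--    default privileges (owner only) and yields no rows here.
--    Expect zero rows.
SELECT t.oid::regclass               AS table_name,
       COALESCE(g.rolname, 'PUBLIC') AS grantee,
       a.privilege_type
FROM pg_class t
JOIN pg_roles o ON o.oid = t.relowner
CROSS JOIN LATERAL aclexplode(t.relacl) AS a
LEFT JOIN pg_roles g ON g.oid = a.grantee
WHERE o.rolname = 'qt001_cp_owner'
  AND t.relkind IN ('r', 'p')        -- ordinary and partitioned tables
  AND a.grantee <> t.relowner
  AND a.privilege_type IN ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE');
```

These queries cover direct table grants only; append-only behavior and access through functions or views need their own checks.
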
The one PG-native caveat (does not change the verdict)
The H-series runtime-evidence binding is PG-native in mechanism (SHA-256 over explicit-key JSONB
from named columns), but is not yet complete enough to be byte-implementable without guessing
(Supertrack B / P-01..P-03). That is a spec-completeness gap inside a PG-native contract, not a
PG-hosted-hardcode risk. No policy was moved out of PG; no decision was hosted in app/UI/manual
state. Hence PG_NATIVE_DRIVEN_VERIFIED, with the completeness gap routed to the proposals.
Conclusion
No PG-hosted-hardcode risk. Truth and enforcement remain in PostgreSQL; behavior is manifest-driven; the control plane gates the writer/apply path.