KB-7552

RP-07 Catalog Retirement-Evidence FK → Blocking — Refinement

4 min read Revision 1

fix7architecturet1-reviewrp07retirement-evidence-fk

08 - SUPERTRACK H — RP-07 Catalog Retirement-Evidence FK (UPGRADED → REFINED_BLOCKING)

Why blocking

code_catalog_item.retired_reason_evidence_id uuid NULL currently has NO FK, while the parallel manifest_item_envelope.retired_reason_evidence_id gets an ALTER FK to evidence_registry. Without the FK, the AUTHORITY ROOT (the code catalog — the single most sensitive surface) can reference a non-existent evidence UUID when an item is retired. That is a PG-native integrity hole at the worst possible place: a retirement could claim evidence that does not exist, weakening the immutability/audit guarantee the whole model rests on. Hence blocking.

Exact FK

ALTER TABLE qt001_cp.code_catalog_item ADD CONSTRAINT fk_code_catalog_item__retired_evidence FOREIGN KEY(retired_reason_evidence_id) REFERENCES qt001_cp.evidence_registry(evidence_id) ON UPDATE RESTRICT ON DELETE RESTRICT NOT DEFERRABLE;

Ordering

evidence_registry is created AFTER the catalog (bootstrap order). So this is a DEFERRED ALTER applied once evidence_registry exists — it MUST be a member of RP-03's consolidated deferred-ALTER set and of the RP-03 expected-constraint catalog (so a forgotten apply fails OBJECT_AUTHORITY_IMMUTABLE closed).

NULL behavior (already correct via existing CHECK)

The existing CHECK (NOT retired AND retired_reason_evidence_id IS NULL) OR (retired AND retired_reason_evidence_id IS NOT NULL) stands: active items → NULL allowed; retired items → non-NULL AND (now) must reference a real evidence_registry row. The FK + CHECK together guarantee: retired ⇒ evidence exists.

Cross-impact (required fields)

Affected docs: 04 (CP-03 catalog), 09 (evidence_registry), 02 §2.6 / RP-03 (consolidated order).
Affected contracts/tables/manifests: code_catalog_item; evidence_registry; authority_scope_manifest #20 (this FK must appear in the expected-constraint set per RP-03).
Affected hashes: none directly (FK is structure); but the constraint is included in authority_scope expected_constraint_set_sha256 (RP-03) → H01/H02.
Affected readiness gates: OBJECT_AUTHORITY_IMMUTABLE (catalog integrity + constraint exact-set), READINESS_MANIFEST_EXACT.
Affected bypass vectors: "retire-with-fake-evidence" is an audit-integrity bypass at the root; the FK closes it.
Affected rollback path: retiring a catalog item requires a real evidence row; rollback = new catalog version; never edits history. This FK is in the RP-03 reversal/order set.
Affected Directus/read path: none.
Affected PG-native enforcement: FK RESTRICT + existing retired/evidence CHECK; deferred ALTER in consolidated order.
Affected no-hardcode proof: closes the root-integrity gap; consistent with the envelope's retirement-evidence FK.
Verification after Codex edits: insert a retired catalog item with a non-existent evidence UUID → FK rejection; the FK appears in pg_constraint and matches the sealed expected-constraint set (RP-03); active items still accept NULL.