KB-5B87
RP-08 Directus Observation Completeness — Refinement
Revision 1
09 - SUPERTRACK I — RP-08 Directus Observation Completeness (REFINED_ADVISORY)
Refinement: sealed/manifest-driven completeness criterion, NOT a hardcoded observation window
The CP-07 preflight derives Directus's actual emitted-query surface from collection metadata + db access/audit evidence. The completeness of that observation must NOT be a fixed time window (a hardcoded window is itself a disguised literal). Instead, define a SEALED Directus read-contract and bind freshness to a sealed field.
Sealed completeness criteria
- Define the EXPECTED Directus read surface as sealed data — recommend hosting within / deriving from the ACTIVE PRIVILEGE_SET manifest (child 21) SELECT subset for the Directus runtime principal, plus a sealed directus_read_pattern set covering: query families; endpoint groups; business base tables and any manifest-listed views; required smoke/read patterns. This is manifest-driven, owner-controlled, hash-bound — no new uncounted surface (use PRIVILEGE_SET #21 + a read-pattern component, or a code_catalog family for pattern kinds).
- Observation completeness = the OBSERVED emitted-read surface must COVER the sealed expected read-contract in BOTH EXCEPT directions. Observed-not-in-expected → unknown read path → block. Expected-not-in-observed → incomplete observation → operator required.
- Freshness: bind observation freshness to a SEALED max_age_seconds field (e.g. on the read-contract / privilege manifest), not a hardcoded duration. Stale observation → operator required.
- Observation SOURCE must be enumerated/sealed (which audit/log/metadata sources count), so completeness is provable, not assumed.
No-go rules
- Unknown read path (observed read not in sealed expected set) → block cutover (BLOCKED_READ_PATH).
- Incomplete observation (sealed expected not fully covered) OR stale (> sealed max_age) → operator required; readiness stays blocked.
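The sealed completeness criteria and the no-go rules above, worked as an added example (not code from the CP-07 preflight or any project artifact): the contract fields, the hash binding, the source names and the observation snapshots are all assumptions constructed for illustration, but the decision logic follows the page's both-EXCEPT rule, the sealed max_age_seconds freshness bound and the sealed source enumeration.

```python
import hashlib
import json
from dataclasses import dataclass

# Hypothetical in-memory form of the sealed read-contract; field names are assumptions.
@dataclass(frozen=True)
class SealedReadContract:
    expected: frozenset      # sealed expected read surface, e.g. "SELECT:public.orders"
    sources: frozenset       # sealed enumeration of observation sources that count
    max_age_seconds: int     # sealed freshness bound, not a hardcoded window
    manifest_hash: str       # hash the three fields above are bound to

def contract_hash(expected, sources, max_age_seconds):
    """Canonical hash over the sealed fields; any drift breaks the binding."""
    canon = json.dumps({"expected": sorted(expected), "sources": sorted(sources),
                        "max_age_seconds": max_age_seconds}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()

def evaluate(contract, snapshots, now):
    """snapshots: per-source dicts {source, taken_at, patterns}. Returns (decision, detail)."""
    if contract_hash(contract.expected, contract.sources,
                     contract.max_age_seconds) != contract.manifest_hash:
        return "OPERATOR_REQUIRED", {"reason": "read-contract hash mismatch"}
    counted = [s for s in snapshots if s["source"] in contract.sources]  # only sealed sources count
    observed = frozenset(p for s in counted for p in s["patterns"])
    unknown = observed - contract.expected   # observed EXCEPT expected -> unknown read path
    missing = contract.expected - observed   # expected EXCEPT observed -> incomplete observation
    if unknown:                              # highest precedence: block the cutover
        return "BLOCKED_READ_PATH", {"unknown": sorted(unknown)}
    unseen = contract.sources - {s["source"] for s in counted}
    stale = [s["source"] for s in counted if now - s["taken_at"] > contract.max_age_seconds]
    if missing or unseen or stale:
        return "OPERATOR_REQUIRED", {"missing": sorted(missing),
                                     "unseen_sources": sorted(unseen), "stale": sorted(stale)}
    return "READY", {}

# Constructed sample contract and observation snapshots (not real audit data).
EXPECTED = frozenset({"SELECT:public.orders", "SELECT:public.customers",
                      "SELECT:public.v_order_summary"})
SOURCES = frozenset({"pg_audit", "directus_activity"})
CONTRACT = SealedReadContract(EXPECTED, SOURCES, 900, contract_hash(EXPECTED, SOURCES, 900))
NOW = 1_700_000_000
COMPLETE = [
    {"source": "pg_audit", "taken_at": NOW - 60,
     "patterns": ["SELECT:public.orders", "SELECT:public.customers"]},
    {"source": "directus_activity", "taken_at": NOW - 120,
     "patterns": ["SELECT:public.v_order_summary"]},
]
UNKNOWN = COMPLETE + [{"source": "pg_audit", "taken_at": NOW - 10,
                       "patterns": ["SELECT:public.salaries"]}]
STALE = [dict(s, taken_at=NOW - 3600) for s in COMPLETE]
```

Observations from a source outside the sealed enumeration are ignored rather than trusted, so a complete-looking surface captured from an uncounted log still resolves to operator required.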
Cross-impact (required fields)
- Affected docs: 08 (CP-07 Directus read path), and the Level-B / cutover runbook + post-cutover smoke spec.
- Affected contracts/tables/manifests: privilege_set_manifest #21 (Directus SELECT subset + read-pattern); optionally a code_catalog family for read-pattern kinds; cutover evidence rows (evidence_registry).
- Affected hashes: the sealed read-contract is part of PRIVILEGE_SET manifest → manifest_set hash → H01/H02; cutover smoke response/status hashes are evidence.
- Affected readiness gates: not a steady-state gate among the 14; it gates the FIX7b CUTOVER preflight + post-cutover smoke (readiness stays blocked until authority-zero + read-smoke evidence fresh/hash-bound). Touches GATEWAY_PASS / OBJECT_AUTHORITY_IMMUTABLE via authority-zero evidence.
- Affected bypass vectors: an under-captured read surface that breaks post-cutover is a feasibility bypass; sealed both-EXCEPT coverage + sealed freshness closes it.
- Affected rollback path: CP-07 rollback restores the prior reviewed SELECT/USAGE manifest as a new version; unchanged.
- Affected Directus/read path: this IS the Directus read-path completeness control; keeps path A safe.
- Affected PG-native enforcement: expected read surface is sealed manifest data; comparison is both-EXCEPT; freshness is a sealed field; no hardcoded window.
- Affected no-hardcode proof: removes the only remaining hardcoded-window risk from CP-07.
- Verification after Codex edits: the expected read-contract is sealed and hash-bound; observation freshness is a sealed max_age field; an unobserved-but-expected read → operator required; an observed-but-unexpected read → BLOCKED_READ_PATH.
Status
Remains ADVISORY (CP-07 path A is already fail-closed at smoke). Should land in the same Codex pass since it sharpens the CP-07 cutover.