12 - SUPERTRACK L — Codex Design-Correction Handoff

Codex is the design owner and performs all edits. T1 supplied refined proposals only.

Which proposals Codex should edit (and where)

• RP-01 (BLOCKING) → docs 07/09/10 + gate-adapter spec: add the 12 category-(c) runtime-evidence tables (or explicit path-B downscope) + the sealed runtime_evidence_object_set; bind H04/H05/H02 sub-payload keys to named table.columns. Decide table 5 (capability_environment) standalone vs folded.
• RP-02 (BLOCKING) → docs 02(#05)/06/09/11: add retention_interval_seconds + partition_capacity + archive fields to storage_class_manifest (option i, preferred) OR add counted retention_policy_manifest #28 (option ii, update all "27"→"28").
• RP-03 (BLOCKING) → docs 02/03/04/09/10 + #20: publish the single consolidated CREATE+deferred-ALTER order; add expected_constraint_set_sha256 + per-constraint expected payload to authority_scope_manifest; specify pg_constraint/pg_index both-EXCEPT verification.
• RP-04 (BLOCKING) → docs 03/04/05/06: declare reference_contract (exists), operand_column_contract, structural_literal_class as code_catalog families; specify exact-set coverage at seal.
• RP-05 (BLOCKING) → docs 04/06 + analyzer spec: rule + adapter_input_contract (item_payload excluded) + SA15/analyzer fail-closed scan.
• RP-06 (ADVISORY) → doc 10 + RP-01 tables: slot-scoped UNIQUE + manifest-driven separation (join principal_separation_manifest).
• RP-07 (BLOCKING) → docs 04/09 + RP-03 order: add the catalog retirement-evidence deferred-ALTER FK.
• RP-08 (ADVISORY) → doc 08 + cutover runbook: sealed Directus read-contract + sealed freshness max_age (no hardcoded window).

Exact order to fix (dependency-correct)

1. RP-04 + RP-05 (code_catalog families + input-contract) — one catalog version.
2. RP-01 (runtime-evidence tables) — defines signoff_binding/quorum_vote/etc.
3. RP-06 (uniqueness/separation on RP-01 tables).
4. RP-02 (storage_class retention; RP-01 tables bind storage_class).
5. RP-07 (catalog retirement-evidence FK).
6. RP-03 LAST (consolidated order + expected-constraint catalog — must enumerate the final constraint set including RP-01/02/04/07 FKs).
7. RP-08 (Directus read-contract) — independent, any time in the pass.

What NOT to change (do not regress)

The 27 byte-level child contracts; the no-policy-CHECK / no-DEFAULT-false discipline; the typed-operand num_nonnulls=1 + compatibility; the sealed catalog root + one-active index; CP-05 every-threshold-sealed / no-threshold-table; CP-06 canonical hash rules (encode hex, trim_scale, UTC, COLLATE C, total order, JSON-null, no MD5/delimiter, PG-major gate); CP-07 path A + real-query preflight; the byte-defined evidence/principal/identity/analyzer registries + ALTER-broken FK cycles. The "exactly 27 authority surfaces" invariant must remain true (RP-01 tables are non-authority; RP-02 prefer option i).

What to re-run after correction

• Seal both-EXCEPT (child vs envelope) for any changed manifest.
• Catalog seal + family exact-set coverage (RP-04) and adapter input-contract scan (RP-05).
• Recompute H01/H02/H04/H05 over the now-defined instance columns; re-run CP-06 determinism fixtures.
• pg_constraint/pg_index both-EXCEPT vs the new expected-constraint catalog (RP-03); rehearse dropping one deferred ALTER → expect OBJECT_AUTHORITY_IMMUTABLE FAIL.
• RP-01 negative tests; RP-06 same-human separation tests; RP-07 fake-evidence rejection; RP-08 unknown/stale read-path block.

What T1 should review next

After Codex republishes the corrected design, T1 performs a short re-review confirming: all 6 blocking RP resolved; "27 / no 28th authority surface" still holds (or "28" consistently updated); H04/H05/H02 byte-implementable; expected-constraint catalog catches a dropped ALTER; family coverage exact; item_payload rule enforced; FK present. Target then: DESIGN_READY_FOR_CODEX_FINAL_APPROVAL → Codex final approval. No implementation, permit, REAL_RUN, QT001 apply, or Stage 2.6B before that.