T1 FIX7 Focused Review - 02 27-Child-Contract DDL Review (SUPERTRACK B)
02 - 27-Child-Contract DDL Review (SUPERTRACK B)
Source: artifact 02 (manifest-set-and-27-child-contract-ddl.md, content_length 4329, full read). Verdict: DDL_SPEC_NEEDS_CORRECTION.
Count check - PASS
Children enumerated 01..27 literally: policy_rule_manifest, operator_primitive_manifest, metric_manifest, unit_manifest, storage_class_manifest, principal_class_manifest, authority_action_manifest, principal_separation_manifest, readiness_gate_manifest, hash_component_manifest, dependency_manifest, bypass_vector_manifest, capability_manifest, capability_measurement_requirement, capability_artifact_requirement, signoff_requirement_manifest, tier_manifest, activation_policy_manifest, quorum_requirement_manifest, authority_scope_manifest, privilege_set_manifest, dynamic_sql_target_manifest, workload_profile_manifest, analyzer_contract_manifest, plan_payload_manifest, gateway_manifest, writer_repoint_manifest. T1 counts exactly 27. The 28->27 correction (ARTIFACT_KIND demoted to sealed bootstrap code-catalog family, not a standalone child) is genuine, consistent across the package, and resolves the prior off-by-one. No off-by-one mismatch remains in the published enumeration.
What is verified strong
- Roles/schema explicit: qt001_cp_owner / qt001_cp_migrator / qt001_cp_reader NOLOGIN; schema qt001_cp owned by qt001_cp_owner.
- Structural domains explicit: sha256 = bytea length 32; nonempty_text; positive/nonnegative bigint.
- Anti-hardcode posture explicit and correct: "Policy values are FK-bound sealed code-catalog rows, never CHECK literals."
- Shared child header explicit: (manifest_id uuid FK manifest_set, item_id uuid, PK(manifest_id,item_id), FK(manifest_id,item_id)->manifest_item_envelope); owner-only.
- Lifecycle/seal/immutability: sealed/active/history immutable; no delete; rollback = new version; seal proves both EXCEPT directions empty (set equality between children and envelope) + count/hash/contiguous-ordinal exact; activation = exact quorum + epoch.
- Negative-test suite enumerated per child (missing/extra/orphan/wrong-manifest/NULL/unknown-FK/duplicate/invalid-hash/Directus+PUBLIC DML/sealed update+delete/wrong-count/noncontiguous-ordinal/hash-mismatch + every family CHECK/UNIQUE/FK mutation).
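As an added illustration (not the reviewed artifact's DDL and not the project's authored SQL), the following PostgreSQL statements render the roles, structural domains and shared child header listed above at byte level, with one child (unit_manifest) expanded. The role, schema and domain names come from the artifact; every column outside the shared header (manifest_hash, item_count, ordinal, item_hash, unit_code) is an assumption made for the example, as are the reader/migrator grants.

```sql
-- Added example: one byte-level rendering of the reviewed contract surface.
-- qt001_cp / qt001_cp_owner / qt001_cp_migrator / qt001_cp_reader are the artifact's names;
-- every column outside the shared header is assumed for illustration.
CREATE ROLE qt001_cp_owner    NOLOGIN;
CREATE ROLE qt001_cp_migrator NOLOGIN;
CREATE ROLE qt001_cp_reader   NOLOGIN;

CREATE SCHEMA qt001_cp AUTHORIZATION qt001_cp_owner;
REVOKE ALL ON SCHEMA qt001_cp FROM PUBLIC;        -- Directus/PUBLIC receive nothing by default
GRANT USAGE ON SCHEMA qt001_cp TO qt001_cp_reader; -- migrator grants are unspecified; none assumed

SET ROLE qt001_cp_owner;                           -- everything below is owner-owned

-- Structural domains: they pin a shape, never a business literal.
CREATE DOMAIN qt001_cp.sha256            AS bytea  CHECK (octet_length(VALUE) = 32);
CREATE DOMAIN qt001_cp.nonempty_text     AS text   CHECK (btrim(VALUE) <> '');
CREATE DOMAIN qt001_cp.positive_bigint   AS bigint CHECK (VALUE > 0);
CREATE DOMAIN qt001_cp.nonnegative_bigint AS bigint CHECK (VALUE >= 0);

-- Root of the family (columns beyond manifest_id are assumed).
CREATE TABLE qt001_cp.manifest_set (
  manifest_id   uuid PRIMARY KEY,
  manifest_hash qt001_cp.sha256 NOT NULL,
  item_count    qt001_cp.nonnegative_bigint NOT NULL
);

-- Envelope every child row must be enrolled in; (manifest_id, ordinal) uniqueness is the
-- structural half of the contiguous-ordinal seal check, the gap check runs at seal time.
CREATE TABLE qt001_cp.manifest_item_envelope (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set (manifest_id),
  item_id     uuid NOT NULL UNIQUE,                -- globally unique, as the artifact states
  ordinal     qt001_cp.positive_bigint NOT NULL,
  item_hash   qt001_cp.sha256 NOT NULL,
  PRIMARY KEY (manifest_id, item_id),
  UNIQUE (manifest_id, ordinal)
);

-- Shared child header expanded literally, plus one assumed payload column.
CREATE TABLE qt001_cp.unit_manifest (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set (manifest_id),
  item_id     uuid NOT NULL UNIQUE,
  unit_code   qt001_cp.nonempty_text NOT NULL,     -- assumed payload column
  PRIMARY KEY (manifest_id, item_id),
  FOREIGN KEY (manifest_id, item_id)
    REFERENCES qt001_cp.manifest_item_envelope (manifest_id, item_id),
  UNIQUE (manifest_id, unit_code)
);

-- Owner-only DML; reader may SELECT; nothing is granted to PUBLIC.
REVOKE ALL ON ALL TABLES IN SCHEMA qt001_cp FROM PUBLIC;
GRANT SELECT ON ALL TABLES IN SCHEMA qt001_cp TO qt001_cp_reader;
RESET ROLE;
```

This is the level of expansion the reviewer is asking the authoritative artifact to surface: with the header written out, the negative tests in the list above (orphan item, wrong-manifest FK, duplicate item_id, invalid hash length) each map to one named constraint that a test can target.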
This is materially more specific than the prior implementation-spec and the architecture design plan. The contract surface is coherent.
Blocking gaps (force implementer to guess)
B-1 The artifact is contract-level, not byte-level; authoritative DDL not surfaced (CP-01)
The doc titles itself "Normative full DDL artifact" and ends "The authoritative local artifact expands the shared header in all 27 CREATE TABLE statements; authored SQL must match the expanded DDL exactly." But the published body contains column NAMES + constraint INTENT in parentheses, NOT byte-level CREATE TABLE statements with explicit per-column type, PK, FK, and CHECK. The thing an implementer must "match exactly" is absent from the reviewable KB. This is exactly the prior T1 correction #1, and it is only partially met: the spec is richer, but the byte-level DDL is deferred to an unsurfaced local artifact, and doc 10 confirms residual stop "dashboard SA01 must prove authored SQL matches the expanded exact 27-table DDL" — i.e. the expanded DDL does not yet exist / is not verified. Self-description "full DDL" overstates content (coherence defect).
B-2 Inter-manifest FK targets unspecified (CP-02)
The shared header gives only the (manifest_id,item_id)->envelope FK. Many children carry cross-manifest references whose FK target and form are NOT stated, e.g.: policy_rule_manifest.operator_primitive_id (-> operator_primitive_manifest?), .fact_id, .operand_type_id; capability_measurement_requirement.capability and .metric; capability_artifact_requirement.capability and .artifact_kind_id (-> bootstrap catalog); principal_separation_manifest.left_class_id/right_class_id/action_id (-> principal_class / authority_action); readiness_gate_manifest.policy_rule_set_id; privilege_set_manifest.privilege_code_id; signoff_requirement_manifest required-class. Because children are keyed (manifest_id,item_id) and item_id is globally UNIQUE, a cross-child FK could be by item_id, by a natural code, or by a separate id - the doc does not say. An implementer must guess referential integrity. Macro guess-rejection trigger (FK targets).
B-3 Bootstrap code_catalog root unspecified (CP-03)
The entire "FK-bound, never CHECK literal" anti-hardcode mechanism depends on a "sealed bootstrap code-catalog family" that holds manifest_type, lifecycle_status, operand_type, ARTIFACT_KIND, privilege_code, volatility_code, etc. The doc names it but gives NO DDL, NO seal mechanism, NO ownership/ACL, NO statement of who may INSERT codes or that Directus/PUBLIC cannot. If the catalog is mutable or unsealed, the authority simply moved from CHECK literals to an unsealed table - the disguised-hardcode root. This must be specified with the same rigor as the 27 children.
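To make the catalog-root requirement concrete, here is an added example of a sealed bootstrap code catalog with a fail-closed seal guard (example DDL, not the artifact's; the artifact gives none). The table and column names (code_family, code_catalog, family_code, code_id, sealed) are assumptions; the family names used as sample data come from the review's own list.

```sql
-- Added example: a sealed bootstrap code catalog that fails closed once a family is sealed.
-- Table/column names are assumed; the artifact names the family but specifies no DDL.
CREATE TABLE qt001_cp.code_family (
  family_code text    PRIMARY KEY CHECK (family_code <> ''),
  sealed      boolean NOT NULL DEFAULT false
);

CREATE TABLE qt001_cp.code_catalog (
  code_id     uuid PRIMARY KEY,
  family_code text NOT NULL REFERENCES qt001_cp.code_family (family_code),
  code        text NOT NULL CHECK (code <> ''),
  UNIQUE (family_code, code),
  UNIQUE (family_code, code_id)   -- lets a child pin family AND row with one composite FK
);

CREATE FUNCTION qt001_cp.family_is_sealed(p_family text) RETURNS boolean
LANGUAGE sql STABLE AS $$
  SELECT COALESCE((SELECT sealed FROM qt001_cp.code_family WHERE family_code = p_family), false)
$$;

-- Any INSERT/UPDATE/DELETE that touches a sealed family is rejected, on either side of an UPDATE.
-- OLD is NULL on INSERT and NEW is NULL on DELETE; family_is_sealed(NULL) returns false.
CREATE FUNCTION qt001_cp.code_catalog_guard() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  IF TG_OP IN ('UPDATE', 'DELETE') AND qt001_cp.family_is_sealed(OLD.family_code) THEN
    RAISE EXCEPTION 'code family % is sealed: % rejected', OLD.family_code, TG_OP
      USING ERRCODE = 'integrity_constraint_violation';
  END IF;
  IF TG_OP IN ('INSERT', 'UPDATE') AND qt001_cp.family_is_sealed(NEW.family_code) THEN
    RAISE EXCEPTION 'code family % is sealed: % rejected', NEW.family_code, TG_OP
      USING ERRCODE = 'integrity_constraint_violation';
  END IF;
  IF TG_OP = 'DELETE' THEN RETURN OLD; END IF;
  RETURN NEW;
END $$;

CREATE TRIGGER code_catalog_seal_guard
  BEFORE INSERT OR UPDATE OR DELETE ON qt001_cp.code_catalog
  FOR EACH ROW EXECUTE FUNCTION qt001_cp.code_catalog_guard();

-- A seal is one-way: a sealed family cannot be unsealed, renamed or deleted.
CREATE FUNCTION qt001_cp.code_family_guard() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  IF NOT OLD.sealed THEN
    IF TG_OP = 'DELETE' THEN RETURN OLD; END IF;
    RETURN NEW;
  END IF;
  IF TG_OP = 'DELETE' THEN
    RAISE EXCEPTION 'code family % is sealed and cannot be deleted', OLD.family_code
      USING ERRCODE = 'integrity_constraint_violation';
  END IF;
  IF NOT NEW.sealed OR NEW.family_code <> OLD.family_code THEN
    RAISE EXCEPTION 'code family % is sealed and immutable', OLD.family_code
      USING ERRCODE = 'integrity_constraint_violation';
  END IF;
  RETURN NEW;
END $$;

CREATE TRIGGER code_family_seal_guard
  BEFORE UPDATE OR DELETE ON qt001_cp.code_family
  FOR EACH ROW EXECUTE FUNCTION qt001_cp.code_family_guard();

-- Ownership/ACL: owner-only DML, reader SELECT, nothing for PUBLIC (Directus included).
ALTER TABLE qt001_cp.code_family  OWNER TO qt001_cp_owner;
ALTER TABLE qt001_cp.code_catalog OWNER TO qt001_cp_owner;
REVOKE ALL ON qt001_cp.code_family, qt001_cp.code_catalog FROM PUBLIC;
GRANT SELECT ON qt001_cp.code_family, qt001_cp.code_catalog TO qt001_cp_reader;

-- Constructed bootstrap sequence: load a family, then seal it.
INSERT INTO qt001_cp.code_family (family_code) VALUES ('operand_type');
INSERT INTO qt001_cp.code_catalog (code_id, family_code, code) VALUES
  (gen_random_uuid(), 'operand_type', 'bigint'),
  (gen_random_uuid(), 'operand_type', 'text');
UPDATE qt001_cp.code_family SET sealed = true WHERE family_code = 'operand_type';
-- From here any DML against operand_type codes, or any attempt to set sealed = false,
-- raises integrity_constraint_violation.
```

Two caveats belong in the specification alongside such DDL. First, a trigger-based seal binds every role except the table owner and superusers, who can DROP or DISABLE the trigger; the seal is therefore only as strong as the owner/migrator separation, which is why "who may INSERT codes" has to be stated, not implied. Second, a child's FK to code_catalog(code_id) alone does not pin the family: a policy column meant to hold an operand_type row would accept a lifecycle_status row. The UNIQUE (family_code, code_id) target above exists so children can reference (family, row) as a composite FK instead.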
B-4 "Exactly-one typed operand" CHECK not reviewable (CP-04)
policy_rule_manifest (01) and capability_measurement_requirement (14) require "exactly-one typed operand," but the typed operand columns (e.g. operand_bigint / operand_text / operand_sha256 / operand_uuid / operand_code_id) and the exact CHECK (num_nonnulls(...) = 1 AND the chosen column matches operand_type_id) are not enumerated. CHECK semantics cannot be reviewed without the column set.
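The following added example (illustrative DDL, not the artifact's, and not the only admissible form) shows one reviewable shape for both open points in B-2 and B-4: a cross-manifest FK for policy_rule_manifest.operator_primitive_id, and an "exactly-one typed operand" CHECK over the operand columns the review lists as candidates. The catalog, envelope and sibling tables are minimal stand-ins; operand_type_code and the composite FK that pins it to the catalog row are assumptions introduced so the CHECK can see the type without a subquery.

```sql
-- Added example: one candidate form for the cross-manifest FK (B-2) and the
-- exactly-one-typed-operand CHECK (B-4). Stand-in tables are reduced to what the FKs need.
CREATE TABLE qt001_cp.operand_type (           -- stand-in for the sealed catalog family
  operand_type_id   uuid PRIMARY KEY,
  operand_type_code text NOT NULL UNIQUE,
  UNIQUE (operand_type_id, operand_type_code)  -- target of the composite FK below
);

CREATE TABLE qt001_cp.manifest_set (manifest_id uuid PRIMARY KEY);

CREATE TABLE qt001_cp.manifest_item_envelope (
  manifest_id uuid NOT NULL REFERENCES qt001_cp.manifest_set (manifest_id),
  item_id     uuid NOT NULL UNIQUE,
  PRIMARY KEY (manifest_id, item_id)
);

CREATE TABLE qt001_cp.operator_primitive_manifest (
  manifest_id uuid NOT NULL,
  item_id     uuid NOT NULL UNIQUE,
  PRIMARY KEY (manifest_id, item_id),
  FOREIGN KEY (manifest_id, item_id)
    REFERENCES qt001_cp.manifest_item_envelope (manifest_id, item_id)
);

CREATE TABLE qt001_cp.policy_rule_manifest (
  manifest_id           uuid NOT NULL,
  item_id               uuid NOT NULL UNIQUE,
  operator_primitive_id uuid NOT NULL,
  operand_type_id       uuid NOT NULL,
  operand_type_code     text NOT NULL,   -- assumed: type tag pinned to the catalog row by composite FK
  operand_bigint        bigint,
  operand_text          text,
  operand_sha256        bytea CHECK (octet_length(operand_sha256) = 32),
  operand_uuid          uuid,
  operand_code_id       uuid,            -- FK to the sealed catalog omitted in this stand-in
  PRIMARY KEY (manifest_id, item_id),
  FOREIGN KEY (manifest_id, item_id)
    REFERENCES qt001_cp.manifest_item_envelope (manifest_id, item_id),
  -- Cross-manifest FK, composite form: the referenced primitive must sit in the SAME
  -- manifest set. The single-column form REFERENCES operator_primitive_manifest (item_id)
  -- is also valid (item_id is globally unique) but would allow links across manifest sets.
  FOREIGN KEY (manifest_id, operator_primitive_id)
    REFERENCES qt001_cp.operator_primitive_manifest (manifest_id, item_id),
  FOREIGN KEY (operand_type_id, operand_type_code)
    REFERENCES qt001_cp.operand_type (operand_type_id, operand_type_code),
  -- Exactly one operand column is non-null, and it is the one the type tag names.
  CONSTRAINT exactly_one_typed_operand CHECK (
    num_nonnulls(operand_bigint, operand_text, operand_sha256, operand_uuid, operand_code_id) = 1
    AND CASE operand_type_code
          WHEN 'bigint' THEN operand_bigint  IS NOT NULL
          WHEN 'text'   THEN operand_text    IS NOT NULL
          WHEN 'sha256' THEN operand_sha256  IS NOT NULL
          WHEN 'uuid'   THEN operand_uuid    IS NOT NULL
          WHEN 'code'   THEN operand_code_id IS NOT NULL
          ELSE false
        END
  )
);

-- Negative-test shapes the artifact's suite would target against this form:
--   two operand columns set                       -> exactly_one_typed_operand violated
--   operand_type_code 'text' with operand_bigint  -> exactly_one_typed_operand violated
--   operand_type_code not in the catalog          -> composite FK violated
--   operator_primitive_id from another manifest   -> cross-manifest FK violated
```

The review point this surfaces: the CASE branch list is a structural type-tag enumeration that mirrors the column set, not a business policy value, but it is still a literal list in a CHECK. The specification should say explicitly whether that is admissible under the "never CHECK literals" rule or whether the type match must instead be enforced by a trigger against the sealed catalog; either is reviewable, silence is not.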
Coherence/CHECK notes (non-isolated)
- CHECK-as-constraint vs CHECK-as-prose: where intent is given (left<>right for 08; collision_count<=row_count for 23; grantable false for 21; fail_closed=true for 26; required_count=1 for 19) these are constraint-shaped and acceptable once columns/types are pinned. None embed business policy literals - good.
- Ownership/access stated (owner-only children; Directus/PUBLIC no authority DML/DDL/execute) - good.
- Activation/rollback stated at family level - good; per-child rollback is "new version" (uniform) - acceptable.
Verdict
DDL_SPEC_NEEDS_CORRECTION. Resolve B-1..B-4 (CP-01..CP-04). The count and contract surface are correct; the byte-level DDL, inter-manifest FKs, catalog root, and typed-operand CHECKs must be made reviewable so no implementer guesses. Do NOT delegate authoring of the authoritative DDL to T1 without a subsequent Codex re-audit (prior review warning; FIX..FIX6 divergence risk).