T1 FIX7 Focused Review - 12 Feasibility/Scale Review (SUPERTRACK L)
12 - Feasibility / Scale Review (SUPERTRACK L)
Assumed future scale 100,000,000+ objects. Verdict: FEASIBILITY_SCALE_VERIFIED (advisory CP-08 only).
Feasibility check
- Valid PG16.13 implementation: YES. Roles NOLOGIN, schema ownership, FK/CHECK/UNIQUE, partial unique indexes (one active unsuperseded per type), STABLE functions, advisory/row locks, generated columns - all PG16-native. (PG16 + pgcrypto verified live in the prior T1 review and FIX-series memory.)
- pgcrypto usage feasible: YES. digest(...,'sha256') is pgcrypto and available. The canonicalization via jsonb_build_object(...)::text + convert_to(...,'UTF8') is valid PG SQL. Only correction is bytea-encoding determinism (CP-06), which is a correctness, not a feasibility, issue.
Scale check (per macro reject-list)
| Risk | Result | Basis |
|---|---|---|
| Hot-path full scans | PASS | Readiness/gates/hashes operate on control-plane state, not object tables. |
| Row-by-row apply | PASS | Apply path is gateway+acceptance + sealed plan; not per-object loops in the readiness/control plane. (Per-object apply mechanics are Stage 2.6B/QT001-apply, which remain blocked and out of FIX7 scope.) |
| Unbounded recursive dependency expansion | PASS | Dependency is a sealed manifest (#11) + analyzer contract (#24) + dynamic-SQL targets (#22); bounded by manifest edge count, not by transitive object graph. unknown=fail. |
| Hashing unbounded runtime object data | PASS | All 7 hashes are over control-plane state (manifests, evidence, epoch); bounded by gate/manifest/edge counts, object-count-independent (see doc 04). |
| Readiness proportional to object count | PASS | Readiness exact-set is the constant 14 gates (sealed); object-count-independent. |
| Unindexed JSONB hot checks | PASS | jsonb is built/hashed in the control plane, not scanned per-object on a hot path; payloads are bounded. |
| Ledger/resume unsafe after interruption | PASS | control_epoch + immutable evidence + writer shared-lock/reread (BV11); rollback returns safe-blocked state with epoch increment. |
| Locks blocking production writers | PASS | Activation uses exclusive lock on control-plane state only; writer uses shared lock + reread; no lock on production object tables in the readiness/control path. |
| Evidence/capability tables without retention/partitioning | ADVISORY (CP-08) | Evidence/capability-run/dashboard-export/human-identity rows accumulate. They scale with plans/activations/runs (NOT with the 100M object count), so this is not a scale blocker - but a retention/partitioning note should be added for long-horizon operation. |
Capability workload feasibility
SCALE_SAFE / capability uses a fixed representative workload (workload_profile_manifest #23: row_count, collision_count<=row_count, seed/expected/environment hashes) with keyset+resume and perf bounds. This is the correct object-count-independent way to prove scale-safety - a bounded representative run, not a full-corpus pass. Thresholds must be sealed (CP-05), but the approach is feasible and scale-sound.
Verdict
FEASIBILITY_SCALE_VERIFIED. The design is a valid PG16.13 + pgcrypto implementation; readiness/hash/epoch/dependency are control-plane-bounded and object-count-independent; no hot-path full scans, row-by-row apply, unbounded recursion, or production-writer-blocking locks; rollback returns a safe-blocked state. Only advisory: add an evidence/registry retention-partitioning note (CP-08). No SCALE_RISK_FAIL.