KB-4D9A

T1-Max Review - Legacy-Entrypoint Completeness (highest-risk)


02 - SUPERTRACK B: Legacy-Entrypoint Completeness (highest-risk area)

This is the area FIX2..FIX6 repeatedly failed and the one XHigh explicitly left for Max: is the set of legacy entrypoints that could bypass the new control plane complete, or sampled by adjective?

Live read-only enumeration (DB directus, 2026-06-08)

Queried pg_proc/pg_class/pg_trigger directly (AST-validated, READ ONLY, 5s timeout):

  • 46 legacy qt001_* functions (prokind f) + sp_dot_birth_qt001_apply (prokind p). Families: apply (fn_dot_birth_qt001_apply, sp_dot_birth_qt001_apply); planners (fn_dot_birth_qt001_plan_v2, fn_qt001_plan_v5, fn_qt001_plan_all, fn_qt001_plan_all_v5); builders/refresh/rehearsal (fn_qt001_build_plan_registry, fn_qt001_refresh_plan_snapshot, fn_qt001_run_rehearsal); rule engine (fn_qt001_eval_rule_v2..v5, _eval_rule_core, _eval_predicate_v2, _eval_guard_bool, _eval_tier_predicate); tiering (fn_qt001_machine_tier(+_v2..v5), _machine_blocked_reason); signoff (fn_qt001_signoff_row_valid(+_v3..v6), _signoff_satisfies(+_v3..v6)); fingerprint/checksum (fn_qt001_plan_fingerprint_v2..v5, _fp_compose(+_v3), _rule_checksum); governance (fn_qt001_rule_governance_ok(+_v2)); signals (fn_qt001_collection_signals(+_v2/_v4/_v5)).
  • proacl=NULL for ALL 46 + the apply procedure => PostgreSQL default EXECUTE to PUBLIC. Every one is directly callable by any role right now. prosecdef=false for all 46 (no legacy function runs with definer rights - a direct call runs with the caller's privileges).
  • 0 triggers on qt001 tables; 0 triggers whose function is a qt001 function. No hidden trigger entrypoint.
  • Views: 196 directus-owned (relkind v) = 183 v_qt001_* + 13 other qt001-named. Views are read-only and dispositioned LEGACY_DEPRECATE.
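The catalog queries behind the four bullets above, as an added example (not the report's own enumeration script). It assumes what the report states: legacy objects are owned by role directus and carry qt001 in their name; the read-only transaction and 5s statement timeout mirror the review's stated constraints. has_function_privilege('public', ...) is used alongside the proacl IS NULL test because it also catches an ACL that explicitly grants PUBLIC.

```sql
-- Added example, not the report's own script: read-only enumeration of the
-- legacy qt001 control objects and their EXECUTE exposure.
-- Assumptions (from the report): owner role "directus", name pattern "qt001".

BEGIN TRANSACTION READ ONLY;
SET LOCAL statement_timeout = '5s';

-- 1. Legacy functions/procedures and their EXECUTE exposure.
--    proacl IS NULL means no ACL was ever set, so PostgreSQL's default applies:
--    EXECUTE granted to PUBLIC. prosecdef tells whether the body runs with the
--    definer's rights (true) or the caller's (false).
SELECT n.nspname        AS schema,
       p.proname        AS name,
       p.prokind        AS kind,              -- 'f' function, 'p' procedure
       p.prosecdef      AS security_definer,
       p.proacl IS NULL AS default_acl,
       has_function_privilege('public', p.oid, 'EXECUTE') AS public_can_execute
FROM   pg_proc      p
JOIN   pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_roles     r ON r.oid = p.proowner
WHERE  r.rolname = 'directus'
  AND  p.proname LIKE '%qt001%'
ORDER  BY p.prokind, p.proname;

-- 2. The same set reduced to the counts the review quotes
--    (report's live read: 46 functions + 1 procedure, proacl NULL for all,
--    prosecdef false for the 46 functions).
SELECT count(*)                                 AS legacy_routines,
       count(*) FILTER (WHERE p.proacl IS NULL) AS default_acl,
       count(*) FILTER (WHERE p.prosecdef)      AS security_definer
FROM   pg_proc  p
JOIN   pg_roles r ON r.oid = p.proowner
WHERE  r.rolname = 'directus'
  AND  p.proname LIKE '%qt001%';

-- 3. Trigger bypass vector: any user trigger on a qt001 table, or any trigger
--    whose function is a qt001 function. The report found zero rows.
SELECT c.relname AS table_name,
       t.tgname  AS trigger_name,
       p.proname AS trigger_function
FROM   pg_trigger t
JOIN   pg_class   c ON c.oid = t.tgrelid
JOIN   pg_proc    p ON p.oid = t.tgfoid
WHERE  NOT t.tgisinternal
  AND (c.relname LIKE '%qt001%' OR p.proname LIKE '%qt001%');

-- 4. Views: the v_qt001_* prefix versus other qt001-named views.
--    LIKE's default escape character is backslash, so \_ matches a literal underscore.
SELECT count(*)                                                   AS qt001_views,
       count(*) FILTER (WHERE c.relname LIKE 'v\_qt001\_%')       AS v_qt001_prefixed,
       count(*) FILTER (WHERE c.relname NOT LIKE 'v\_qt001\_%')   AS other_qt001_named
FROM   pg_class c
JOIN   pg_roles r ON r.oid = c.relowner
WHERE  c.relkind = 'v'
  AND  r.rolname = 'directus'
  AND  c.relname LIKE '%qt001%';

COMMIT;
```

Because every query is driven by the owner + name predicate rather than a typed list, rerunning it after the inventory changes re-derives the set; the same predicate is what a neutralization step must use, or the enumeration and the revoke can silently diverge.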

The completeness problem

Two bypass classes:

  1. Indirect (the new entrypoint transitively calls a legacy object) - closed by the dependency_manifest #11 structural closure (legacy_reached=0), which is a closure over ALL reachable objects, complete by construction. Not a completeness gap.
  2. Direct (a role calls a legacy function directly, not via the new entrypoint) - closed only by REVOKING EXECUTE from non-owner roles. This requires enumerating which legacy functions to revoke - and here the blueprint described the set by an adjective.

Pre-Max wording:

  • doc 04 S15 / doc 07 PKG-F: "REVOKE EXECUTE on legacy apply/writer entrypoints".
  • doc 06 G-NOLEGACY: verifies "legacy authoritative entrypoints executable by non-owner = 0".

"apply/writer" and "authoritative" are adjectives, not an enumerated/sealed set. A worst-case implementer revokes only fn_dot_birth_qt001_apply/sp_* and leaves the other ~44 PUBLIC-executable. Live evidence shows all 46 are PUBLIC-executable, so the sampled subset leaves a real direct-call surface, and there is a window between S15 (neutralize) and S17 (freeze) where the un-revoked functions remain callable. This is precisely the FIX2/FIX3 "PUBLIC EXECUTE bypass" failure mode, re-introduced by under-scoping the neutralization set.

Finding

MB-01 (P1) - neutralization set sampled, not complete

  • Fix (PG-native, no hand list): the neutralization/cutover/freeze target is now the COMPLETE S00-captured legacy control-object set, derived live from pg_class/pg_proc (owner=directus, qt001 name pattern) - all 46 functions + sp_dot_birth_qt001_apply + 20 tables + 196 views, each with its prior ownership+ACL. S15/PKG-F now REVOKE EXECUTE - from PUBLIC, directus, and every role except qt001_cp_owner - over the entire captured function set (not "apply/writer"), with fail-closed stubs on the apply/writer entrypoints. G-NOLEGACY's ACL clause verifies non-owner-executable=0 over that whole captured set. This closes the S15->S17 window for every legacy function, with S17 freeze (G-LEGACY-FROZEN) as defense-in-depth over the same set.
  • The set is derived (catalog query at S00, re-validated at PKG-D), never a hand-typed name list (the FIX5 lesson), so it stays complete even if the legacy inventory changes.
  • Because this widens the S15 operationalization, it is folded into the doc 02 §G / doc 12 "needs Codex confirmation" set (consistent with the existing MX-2 disposition).
  • Patched: doc 01 (live evidence), doc 02 (§G), doc 04 (S00 capture, S15), doc 05 (S15 prior-EXECUTE capture), doc 06 (G-NOLEGACY), doc 07 (PKG-F).
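One way to operationalize MB-01 end to end, as an added example and not the blueprint's PKG-F script: derive the routine set from the catalog (no hand list), record prior owner + ACL, revoke EXECUTE from PUBLIC and from every explicit grantee except qt001_cp_owner, then run the G-NOLEGACY ACL clause as a fail-closed gate inside the same transaction. Assumed names: the capture table fix7_s05_prior_acl is constructed here; the role qt001_cp_owner and the owner/name predicate are the report's. Excluding superusers from the gate is an assumption about the gate's intent, since no ACL binds them.

```sql
-- Added example, not the blueprint's PKG-F script. Assumptions: owner role
-- "directus", name pattern "qt001", control-plane owner role "qt001_cp_owner",
-- capture table fix7_s05_prior_acl (constructed for this example).

BEGIN;

-- S05-style capture of prior ownership + ACL, so the revoke is reversible.
CREATE TABLE IF NOT EXISTS fix7_s05_prior_acl (
    captured_at timestamptz NOT NULL DEFAULT now(),
    routine_sig text        NOT NULL,   -- schema-qualified identity signature
    prior_owner text        NOT NULL,
    prior_acl   aclitem[]               -- NULL = never set, i.e. PUBLIC EXECUTE
);

DO $$
DECLARE
    f       record;
    grantee text;
BEGIN
    FOR f IN
        SELECT p.oid, p.proacl, r.rolname AS owner,
               format('%I.%I(%s)', n.nspname, p.proname,
                      pg_get_function_identity_arguments(p.oid)) AS sig
        FROM   pg_proc      p
        JOIN   pg_namespace n ON n.oid = p.pronamespace
        JOIN   pg_roles     r ON r.oid = p.proowner
        WHERE  r.rolname = 'directus'
          AND  p.proname LIKE '%qt001%'
    LOOP
        INSERT INTO fix7_s05_prior_acl (routine_sig, prior_owner, prior_acl)
        VALUES (f.sig, f.owner, f.proacl);

        -- ROUTINE covers prokind 'f' and 'p' alike (PostgreSQL 11+).
        EXECUTE format('REVOKE EXECUTE ON ROUTINE %s FROM PUBLIC', f.sig);

        -- Explicit grantees, including the current owner directus. A NULL ACL
        -- explodes to zero rows, which is correct: only PUBLIC held EXECUTE.
        FOR grantee IN
            SELECT pg_get_userbyid(a.grantee)
            FROM   aclexplode(f.proacl) a
            WHERE  a.grantee <> 0                      -- 0 = PUBLIC, handled above
              AND  a.privilege_type = 'EXECUTE'
              AND  pg_get_userbyid(a.grantee) <> 'qt001_cp_owner'
        LOOP
            EXECUTE format('REVOKE EXECUTE ON ROUTINE %s FROM %I', f.sig, grantee);
        END LOOP;
    END LOOP;
END
$$;

-- G-NOLEGACY ACL clause, fail-closed: (routine, role) pairs where a role other
-- than qt001_cp_owner can still EXECUTE, plus PUBLIC itself, must total 0.
-- Raising aborts the transaction, so a partial revoke never commits.
DO $$
DECLARE
    leaks integer;
BEGIN
    SELECT count(*) INTO leaks
    FROM   pg_proc  p
    JOIN   pg_roles o ON o.oid = p.proowner
    CROSS  JOIN pg_roles r
    WHERE  o.rolname = 'directus'
      AND  p.proname LIKE '%qt001%'
      AND  r.rolname <> 'qt001_cp_owner'
      AND  NOT r.rolsuper                              -- assumption: superusers out of scope
      AND  has_function_privilege(r.oid, p.oid, 'EXECUTE');

    leaks := leaks + (
        SELECT count(*)
        FROM   pg_proc  p
        JOIN   pg_roles o ON o.oid = p.proowner
        WHERE  o.rolname = 'directus'
          AND  p.proname LIKE '%qt001%'
          AND  has_function_privilege('public', p.oid, 'EXECUTE'));

    IF leaks <> 0 THEN
        RAISE EXCEPTION 'G-NOLEGACY: % non-owner EXECUTE paths remain', leaks;
    END IF;
END
$$;

COMMIT;
```

Two points worth knowing before running it. First, has_function_privilege follows role membership, so a role that is a member of qt001_cp_owner is flagged by the gate; that is the right outcome, because membership is itself a direct-call path. Second, the revoke strips the current owner (directus) of EXECUTE but an owner can always re-grant, which is why the report keeps the S17 freeze and ownership change as defense-in-depth rather than relying on the ACL alone.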

MB-02 (P3) - birth-family inventory incomplete; trigger-vector unstated

  • doc 01 §C listed 5 fn_birth_* functions but live shows 10 (also fn_birth_auto_certify, fn_birth_change_flag_matrix, fn_birth_gate [owner workflow_admin], fn_birth_onboarding_full_scan [SECURITY DEFINER, PUBLIC EXECUTE], fn_birth_onboarding_full_scan_hc). All are DO_NOT_TOUCH (birth-gateway scope, outside the QT001 refactor), but the 5-row sample read as exhaustive.
  • Fix: doc 01 §C records the full 10-function family (all DO_NOT_TOUCH, none a FIX7 control object) and the 0-trigger bypass-vector evidence, so no future reader treats the sample as the set.

Completeness verdict per macro checklist

macro check                                                       | result
every legacy entrypoint appears in inventory                      | PASS-after-fix - 46 fns + apply proc enumerated; 196 views; 0 triggers; birth-family 10
every legacy entrypoint has disposition                           | PASS - LEGACY_REPLACE/FREEZE/DEPRECATE per doc 01/02; apply = BLOCKED_UNTIL_AUTHORITY
every executable legacy entrypoint blocked/frozen/revoked in plan | PASS-after-fix (MB-01) - S15 revokes the complete set; S17 freezes it
no legacy entrypoint only "unreachable"                           | PASS - G-NOLEGACY ACL clause over the complete set (blocked, not merely unreachable)
no omitted entrypoint can apply/backfill/approve/bypass           | PASS-after-fix - apply path BLOCKED throughout; complete-set REVOKE closes direct calls; 0 trigger vectors

Verdict

LEGACY_ENTRYPOINT_COMPLETENESS_PASS_AFTER_FIX - the legacy set is enumerated and complete; the neutralization is now provably over the entire captured set (live-verified all-PUBLIC), not a sampled subset; no trigger or birth-family surprise remains.
