KB-21DB

T1-Max Review - G-DOT-NOOVERWRITE Feasibility & Authority

5 min read | Revision 1
Tags: fix7, architecture, max-review, dot-nooverwrite, pg-native

03 - SUPERTRACK C: G-DOT-NOOVERWRITE Feasibility & Authority

XHigh added G-DOT-NOOVERWRITE and explicitly left one question for Max: can the guard mechanically scan DOT bodies on PG16 without source-text becoming the final authority?

The macro's questions, answered

  • What does it inspect / where is the authoritative DOT source? DOTs are deployment artifacts (SQL files / KB documents on the filesystem), NOT pg_proc objects. So a "DOT body scan" is inherently a read of out-of-database text - it cannot be a pg_catalog operation and cannot be PG-native. This is the crux: any DOT-body scan is, at best, a diagnostic.
  • Can it detect CREATE OR REPLACE of the gateway / control-plane writer / indirect sourced SQL? A text scan can flag a literal CREATE OR REPLACE (e.g. DOT-119 embeds CREATE OR REPLACE FUNCTION fn_birth_registry_auto()), but it cannot prove the absence of indirect overwrite through dynamically-sourced SQL. Text scanning is therefore necessary-but-insufficient and must not be the blocking authority.
  • Does it depend on regex/source-text as final authority? Pre-Max wording listed "DOT bodies" FIRST as the guard input, which invited exactly that (the FIX5 anti-pattern). Defect.
  • What is the PG-native final blocking proof? For qt001_cp control objects + the QT001 writer gateway: owner-isolation. The schema is CREATE ... AUTHORIZATION qt001_cp_owner with no CREATE privilege for PUBLIC/directus/any non-owner (pg_namespace.nspacl), and every control object is owned by qt001_cp_owner (pg_class.relowner/pg_proc.proowner). A CREATE OR REPLACE requires ownership of the existing object (or DROP+CREATE requires CREATE on the schema); a non-owner role - including whatever role a DOT runs as, unless it is qt001_cp_owner - simply cannot. This is catalog-checkable and is the final authority.
  • Is it implementable on PG16? Yes - the PG-native half is pure catalog reads (nspacl, relowner, proowner) plus the bound source_sha256 in #26/#27. The DOT-body half is an out-of-DB diagnostic.
  • Failure mode if DOT source is unavailable? Because the blocking decision rests on owner-isolation (which does not read DOT bodies at all), DOT-source unavailability does not weaken it. The DOT-body diagnostic itself fails closed: an unreadable/absent DOT body is treated as a candidate overwrite vector and blocks, never passes by default.
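The owner-isolation proof above is the PG-native half of the guard. The following is an added illustration of what that catalog check looks like, not a query from the review or the FIX7 code base; it assumes only the names the review itself uses (schema qt001_cp, owner role qt001_cp_owner, the PUBLIC pseudo-role and the directus role). Every query is expected to return zero rows on a correctly isolated schema, and every non-empty result is a concrete overwrite vector that the DOT-body scan could never have proved absent.

```sql
-- Added example (not the review's or FIX7's own code): the PG-native
-- owner-isolation proof for qt001_cp, read purely from pg_catalog on PG16.
-- Assumptions: schema qt001_cp, owner role qt001_cp_owner, roles PUBLIC and
-- directus as named in the review. Expected result of every query: zero rows.

-- 1. The schema itself is owned by qt001_cp_owner.
SELECT n.nspname, n.nspowner::regrole AS owner
FROM pg_namespace n
WHERE n.nspname = 'qt001_cp'
  AND n.nspowner <> 'qt001_cp_owner'::regrole;

-- 2. No grantee other than the owner holds CREATE on the schema (pg_namespace.nspacl).
--    aclexplode() on a NULL nspacl yields no rows, which is correct: a NULL ACL
--    means owner-only default privileges, and PUBLIC has no CREATE on a non-public schema.
--    grantee = 0 is the PUBLIC pseudo-role.
SELECT n.nspname,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC' ELSE a.grantee::regrole::text END AS grantee,
       a.privilege_type
FROM pg_namespace n
CROSS JOIN LATERAL aclexplode(n.nspacl) AS a
WHERE n.nspname = 'qt001_cp'
  AND a.privilege_type = 'CREATE'
  AND a.grantee <> n.nspowner;

-- 3. Cross-check 2 through the privilege resolver, which also follows role
--    membership: no non-superuser role except the owner may CREATE in qt001_cp.
--    Superusers bypass ACLs entirely, so they are excluded here and must be
--    covered by a separate "no superuser runs DOTs" control, not by nspacl.
SELECT r.rolname
FROM pg_roles r
WHERE r.rolname <> 'qt001_cp_owner'
  AND NOT r.rolsuper
  AND has_schema_privilege(r.oid, 'qt001_cp', 'CREATE');

-- 4. Every control object is owned by qt001_cp_owner (pg_class.relowner /
--    pg_proc.proowner). CREATE OR REPLACE requires ownership of the existing
--    object, so any row here is a live overwrite path for a non-owner DOT role.
SELECT 'relation' AS kind, c.relname AS name, c.relowner::regrole AS owner
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'qt001_cp'
  AND c.relowner <> 'qt001_cp_owner'::regrole
UNION ALL
SELECT 'function', p.proname, p.proowner::regrole
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'qt001_cp'
  AND p.proowner <> 'qt001_cp_owner'::regrole;
```

Query 3 is the one that catches the case a raw nspacl read misses: a GRANT to a group role that a DOT-executing role is a member of. Query 2 stays in the set because it is the literal catalog fact the review names as authority, and because it surfaces a PUBLIC grant explicitly rather than only through its effect on individual roles.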

The birth-gateway subtlety (precision Max added)

fn_birth_registry_auto is directus-owned and DO_NOT_TOUCH; FIX7 never owns it (only qt001_cp control objects are cutover). So owner-isolation does not prevent directus from CREATE OR REPLACE-ing the birth gateway. Its overwrite-protection is therefore detection + freeze + policy, not prevention: G-BIRTH-NEUTRAL (gateway norm-md5 unchanged before/after every step) detects any overwrite; G-DOT-FROZEN keeps DOT-118/119 frozen so they never execute; and the §A "birth gateway modification = DO_NOT_TOUCH" hard block forbids it. FIX7 itself never issues a CREATE OR REPLACE against it. Lumping "a qt001_cp control object or the active gateway" together (pre-Max wording) hid this asymmetry.
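Because the birth gateway is directus-owned, the only catalog-side control is detection. The following added example, not the review's actual G-BIRTH-NEUTRAL implementation, shows a fingerprint that can be taken before and after each step and compared. It assumes the gateway is a zero-argument function named fn_birth_registry_auto() resolvable on the search_path and owned by directus; the normalisation (collapse whitespace runs, lower-case) is a stand-in for whatever the review's norm-md5 rule actually does.

```sql
-- Added example (not the review's G-BIRTH-NEUTRAL code): a catalog-derived
-- fingerprint of the directus-owned birth gateway. Run once before and once
-- after each FIX7 step; a changed norm_md5 or owner means the gateway was
-- touched, which the §A hard block forbids.
-- Assumptions: zero-argument function fn_birth_registry_auto() on the
-- search_path, owner role directus; the normalisation below is a stand-in.
SELECT p.oid::regprocedure                                          AS gateway,
       p.proowner::regrole                                          AS owner,
       -- pg_get_functiondef() covers the full CREATE OR REPLACE text
       -- (language, SECURITY DEFINER, SET clauses, body), not just prosrc,
       -- so a replacement that keeps the body but changes attributes is caught too.
       md5(lower(regexp_replace(pg_get_functiondef(p.oid), '\s+', ' ', 'g'))) AS norm_md5,
       -- ownership drift is its own signal: the gateway must stay directus-owned
       (p.proowner = 'directus'::regrole)                           AS owner_is_directus
FROM pg_proc p
WHERE p.oid = 'fn_birth_registry_auto()'::regprocedure;
```

Store the row from the "before" run and compare the "after" row against it; any difference in norm_md5 or owner fails the step. Note that this query is detection only, exactly as the review states: it cannot stop directus from replacing the function, it can only make the replacement visible.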

Finding

MC-01 (P1) - source-text risked as final authority; two protection models conflated

  • Fix (doc 06 G-DOT-NOOVERWRITE rewritten):
    • PG-native final authority = qt001_cp nspacl (no non-owner CREATE) + control-object ownership (relowner/proowner == qt001_cp_owner) + bound #26/#27 source_sha256.
    • DOT-body scan = diagnostic/preflight only, explicitly non-PG-native, fails closed.
    • (a) qt001_cp objects + QT001 writer gateway: overwrite impossible by owner-isolation, proven from catalog, not from DOT text; (b) directus-owned birth gateway: overwrite detected (G-BIRTH-NEUTRAL) + prevented-in-practice (G-DOT-FROZEN) + policy.
  • Added a guard-quality rule (MH-01, doc 06) stating source-text is diagnostic for ALL guards that read it (G-NOHARDCODE/G-NODISGUISE/G-DOT-NOOVERWRITE), final authority always PG-native.
  • doc 08 birth-gateway hard-block row updated to state its protection is detection+freeze+policy, not owner-isolation.

Verdict

DOT_NOOVERWRITE_PASS_AFTER_FIX - the guard's final blocking authority is now PG-native owner-isolation (catalog-checkable on PG16), the DOT-body scan is a fail-closed diagnostic and cannot become the authority, missing DOT visibility fails closed, and the birth-gateway protection model is stated honestly (detection, not prevention).

Source path: knowledge/dev/reports/architecture/t1-max-fix7-refactor-blueprint-review-2026-06-08/03-dot-nooverwrite-feasibility.md