KB-33E5

T1-Max Review - Owner/ACL Cutover Snapshot & Rehearsal

Revision 1
Tags: fix7, architecture, max-review, owner-acl-cutover, snapshot

05 - SUPERTRACK E: Owner/ACL Cutover Snapshot & Rehearsal

XHigh left for Max: is the owner/ACL rollback snapshot concrete enough before REVOKE?

Checks

| Check | Result |
|---|---|
| snapshot includes owner, grants, default privileges, schema privileges, function EXECUTE, view/table SELECT/DML, sequence privileges | PASS-after-fix (ME-01) - was "ownership+ACL" only; now enumerated |
| snapshot hash-bound and stored before cutover | PASS - mandatory package output; captured at S16/PKG-G start before any REVOKE |
| rehearsal defined before real REVOKE | PASS - MX-3: captured + read-back-verified + restore-rehearsed before any REVOKE; unverified snapshot blocks cutover |
| rollback uses the snapshot exactly | PASS - S16 rollback restores prior ownership+ACL from the verified snapshot |
| Directus SELECT retention verified before and after cutover | PASS - G-DIRECTUS-READ preflight (S00-captured set) before; re-grant exact #21 SELECT + G-DIRECTUS-READ after |
| control objects separated from business objects | PASS - cutover scoped to qt001_cp + the S00-captured legacy control-object set ONLY; G-DIRECTUS-APP-INTACT preserves directus_* + business-table authority (XH-4) |
| qt001_cp_owner/migrator/reader role assumptions explicit | PASS - S01 creates the 3 roles, owner-isolated; ownership moves to qt001_cp_owner |
| no manual SQL can bypass the Level-B pipeline | PASS - G-LEVELB-NOSQL; privileged deploy only via sealed level_b_packet_execution owner entrypoint |

Finding

ME-01 (P2) - ACL snapshot not concrete enough

  • doc 05 invariant 3 and doc 07 PKG-G required a "prior ownership+ACL snapshot" but did not enumerate its contents. A worst-case implementer could snapshot table ACLs and silently omit sequence grants, default privileges, or schema privileges - then fail to restore them on rollback, leaving Directus or the writer mis-privileged.
  • Fix (doc 05 invariant 3 + doc 07 PKG-G scope/precondition): the snapshot is now PG-native and concrete - per control object it captures ownership (pg_class.relowner/pg_proc.proowner), the full ACL (relacl/proacl - table/view SELECT+DML and function EXECUTE), owned-sequence ACLs, schema-level privileges (pg_namespace.nspacl on qt001_cp and any touched schema), and default privileges (pg_default_acl). A NULL ACL column is recorded as NULL, not as an empty grant list: it means the built-in default, which for functions is EXECUTE to PUBLIC. Every privilege class S16 changes is restorable exactly; nothing silently dropped.
  • Symmetry with MB-01: the S15 legacy-EXECUTE revoke also gets its prior-grant state (S00-captured, all PUBLIC) read-back-verified before the revoke, so S15 is verified-recoverable too.
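
What the enumerated snapshot looks like as catalog SQL, covering the capture, the hash-binding and the read-back verify that gate the REVOKE. This is an added example written for this review, not the project's PKG-G code: the schema name qt001_cp comes from the documents, while the ops schema, the acl_live view, the acl_snapshot table and the run id 'PKG-G-run' are illustrative names chosen here. It goes slightly beyond the finding by also pulling in sequences that are OWNED BY a control table but live in another schema.

```sql
-- Added example, not from doc 05 / doc 07. PostgreSQL 11+ (sha256()).
-- Assumed names: ops.acl_live, ops.acl_snapshot, run id 'PKG-G-run'.

-- Live view of every privilege class S16 can change, one row per object.
-- NULL acl is meaningful (built-in default: owner-only for relations, but
-- EXECUTE to PUBLIC for functions) and is kept as NULL, never coerced to '{}'.
CREATE VIEW ops.acl_live AS
SELECT 'relation'::text AS kind, c.oid::regclass::text AS object_id,
       pg_get_userbyid(c.relowner) AS owner_name, c.relacl AS acl
FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'qt001_cp' AND c.relkind IN ('r', 'p', 'v', 'm', 'S')
UNION ALL
-- sequences OWNED BY a control table but living in another schema (pg_depend 'a')
SELECT 'relation', s.oid::regclass::text, pg_get_userbyid(s.relowner), s.relacl
FROM pg_depend d
JOIN pg_class s ON s.oid = d.objid AND s.relkind = 'S'
JOIN pg_class t ON t.oid = d.refobjid
JOIN pg_namespace n ON n.oid = t.relnamespace
WHERE d.classid = 'pg_class'::regclass AND d.refclassid = 'pg_class'::regclass
  AND d.deptype = 'a' AND n.nspname = 'qt001_cp' AND s.relnamespace <> n.oid
UNION ALL
SELECT 'function', p.oid::regprocedure::text, pg_get_userbyid(p.proowner), p.proacl
FROM pg_proc p JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'qt001_cp'
UNION ALL
SELECT 'schema', n.nspname::text, pg_get_userbyid(n.nspowner), n.nspacl
FROM pg_namespace n WHERE n.nspname = 'qt001_cp'
UNION ALL
-- default privileges: global (defaclnamespace = 0) and those scoped to qt001_cp
SELECT 'default',
       format('%s/%s/%s', pg_get_userbyid(d.defaclrole), coalesce(n.nspname, '*'), d.defaclobjtype),
       pg_get_userbyid(d.defaclrole), d.defaclacl
FROM pg_default_acl d LEFT JOIN pg_namespace n ON n.oid = d.defaclnamespace
WHERE d.defaclnamespace = 0 OR n.nspname = 'qt001_cp';

-- Snapshot storage, keyed by cutover run so rollback restores exactly this capture.
CREATE TABLE IF NOT EXISTS ops.acl_snapshot (
    run_id      text        NOT NULL,
    kind        text        NOT NULL,
    object_id   text        NOT NULL,
    owner_name  name,
    acl         aclitem[],
    captured_at timestamptz NOT NULL DEFAULT now(),
    PRIMARY KEY (run_id, kind, object_id)
);

-- Capture inside one snapshot-isolated transaction so all classes are read at one instant.
BEGIN ISOLATION LEVEL REPEATABLE READ;
INSERT INTO ops.acl_snapshot (run_id, kind, object_id, owner_name, acl)
SELECT 'PKG-G-run', kind, object_id, owner_name, acl FROM ops.acl_live;
COMMIT;

-- Hash-bind: canonical ordering plus an explicit NULL marker makes the digest
-- reproducible; the hex goes into the package outputs before any REVOKE.
SELECT encode(sha256(convert_to(
         string_agg(format('%s|%s|%s|%s', kind, object_id, owner_name,
                           coalesce(acl::text, 'NULL')), E'\n' ORDER BY kind, object_id),
         'UTF8')), 'hex') AS snapshot_sha256
FROM ops.acl_snapshot WHERE run_id = 'PKG-G-run';

-- Read-back verify (the gate for the REVOKE): live state vs stored rows, compared
-- as text so the set difference is deterministic. Any row returned blocks cutover.
WITH stored AS (
  SELECT kind, object_id, owner_name, coalesce(acl::text, 'NULL') AS acl_text
  FROM ops.acl_snapshot WHERE run_id = 'PKG-G-run'
), live AS (
  SELECT kind, object_id, owner_name, coalesce(acl::text, 'NULL') AS acl_text
  FROM ops.acl_live
)
SELECT 'missing_in_snapshot' AS drift, x.* FROM (SELECT * FROM live EXCEPT SELECT * FROM stored) x
UNION ALL
SELECT 'extra_in_snapshot', y.* FROM (SELECT * FROM stored EXCEPT SELECT * FROM live) y;
```

The same verify query, run again after the restore rehearsal, is what shows the rollback reproduces the captured state rather than something close to it; the stored acl column is in aclitem grant-string form (grantee=privileges/grantor), which is exactly what the restore has to turn back into ALTER ... OWNER TO, GRANT and ALTER DEFAULT PRIVILEGES statements. The function branch on its own is the read-back for the S15 legacy-EXECUTE case described under MB-01.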

Verdict

OWNER_ACL_CUTOVER_PASS_AFTER_FIX - the snapshot is concrete across every privilege class, captured + verified + rehearsed before REVOKE, scoped to control objects, with Directus read and app authority preserved and verified on both sides. No manual SQL path bypasses Level-B.

Source: knowledge/dev/reports/architecture/t1-max-fix7-refactor-blueprint-review-2026-06-08/05-owner-acl-cutover-review.md