KB-7A97
XHigh Review - Refactor vs Greenfield
Revision 1
02 - SUPERTRACK B: Refactor-vs-Greenfield Review
The central risk flagged by the macro: does the blueprint confuse "parallel new control-plane" with "safe cutover", "new objects authored" with "old authority removed", etc.
Checks
| check | result |
|---|---|
| all relevant public.qt001_* legacy objects inventoried | PASS - 20 tables / 46 fns / 196 views live-counted; named families in doc 01 B |
| birth gateway + dangerous/frozen DOTs classified | PASS - DO_NOT_TOUCH / LEGACY_FREEZE |
| existing Directus ownership/grants captured | PASS - directus owns all control objects; ROLE_CUTOVER_LATER; S00 captures SELECT set |
| public-executable legacy functions not hand-waved | PASS-after-evidence - XHigh confirmed proacl=NULL=PUBLIC EXECUTE live; doc 04 S00 now records this |
| FIX1..FIX6 guard/view/function objects dispositioned | PASS - 196 views LEGACY_DEPRECATE; 46 fns LEGACY_REPLACE; plan_v2 frozen sentinel |
| every new qt001_cp object has live-to-design mapping | PASS - doc 02 §A/B/C/D |
| every live object classified with allowed vocabulary | PASS - no vague labels; UNKNOWN_REQUIRES_REVIEW handled by S00/G-UNKNOWN-ZERO |
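The `proacl=NULL=PUBLIC EXECUTE` row above can be reproduced with a catalog query. The following is an added example, not part of the blueprint or its docs; it assumes PostgreSQL and that the legacy functions are the ones in schema `public` whose names start with `qt001_`.

```sql
-- Added example: list every non-owner grantee that can EXECUTE a legacy function.
-- Assumption: legacy functions are public.qt001_* (pattern taken from the checks table).
-- In PostgreSQL a NULL proacl means "default privileges", and the default for
-- functions includes EXECUTE for PUBLIC, so NULL must be expanded, not skipped.
WITH legacy_fns AS (
    SELECT p.oid,
           p.oid::regprocedure AS signature,
           p.proowner,
           p.proacl
    FROM pg_proc p
    JOIN pg_namespace n ON n.oid = p.pronamespace
    WHERE n.nspname = 'public'
      AND p.proname LIKE 'qt001\_%'          -- backslash escapes the LIKE wildcard "_"
),
grants AS (
    SELECT f.signature,
           f.proowner,
           f.proacl IS NULL AS acl_is_default,
           a.grantee,
           a.privilege_type
    FROM legacy_fns f
    -- acldefault('f', owner) yields the implicit ACL used when proacl is NULL
    CROSS JOIN LATERAL aclexplode(
        COALESCE(f.proacl, acldefault('f', f.proowner))
    ) AS a
)
SELECT signature,
       acl_is_default,
       CASE WHEN grantee = 0 THEN 'PUBLIC'   -- grantee OID 0 denotes PUBLIC
            ELSE pg_get_userbyid(grantee)
       END AS grantee
FROM grants
WHERE privilege_type = 'EXECUTE'
  AND grantee <> proowner                    -- owner access is not the concern here
ORDER BY signature, grantee;
```

An empty result means no matched function is executable by anyone other than its owner; rows with `acl_is_default = true` and grantee `PUBLIC` are the `proacl=NULL` case recorded in the table.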
The five confusions (macro critical lens)
| confusion | blueprint stance | verdict |
|---|---|---|
| "parallel new control-plane" vs "safe cutover" | new plane built (PKG-A..E) then separately repointed (PKG-F) then ACL-cutover (PKG-G) then legacy frozen (PKG-H); each gated | not confused |
| "legacy unreachable" vs "legacy neutralized" | G-NOLEGACY requires legacy_reached=0 AND non-owner-executable=0; PKG-F bundles REVOKE EXECUTE | not confused (see doc 03) |
| "new objects authored" vs "old authority removed" | old authority removed only at PKG-F (EXECUTE) + PKG-G (ownership/ACL), operator-gated, never in author-only packages | not confused |
| "Directus read retained" vs "Directus authority retained" | #21 retains SELECT; PKG-G revokes only control-object authority; G-DIRECTUS-APP-INTACT keeps app authority | not confused (see doc 04) |
| "runtime evidence" vs "authority surface" | 11 runtime-evidence non-authority; G-RUNTIME-NONAUTH; never in the 27 | not confused |
| "blueprint complete" vs "implementation approved" | doc 12 + every doc: implementation BLOCKED until Codex review + authorization | not confused |
Finding
XHM-01 (P2) - #26 mapping could read as replacing the birth gateway
- doc 02 row #26 read "gateway contract was fn_birth_registry_auto/birth_gateway_release_registry (kept)". A careless reader could infer gateway_manifest #26 replaces the birth gateway, which would contradict DO_NOT_TOUCH and the birth-neutral invariant.
- Fix: reworded - #26 registers/binds the QT001 control-plane writer gateway (identity + source_sha256 + fail_closed) and records the existing gateway identity for fail-closed reference; it does NOT replace fn_birth_registry_auto, which stays DO_NOT_TOUCH.
Verdict
REFACTOR_VS_GREENFIELD_PASS_AFTER_FIX - the blueprint correctly treats this as an existing-system
refactor, not greenfield, and does not conflate authoring-new with removing-old. One wording fix
applied to remove a misread risk.