KB-5450

XHigh Review - Legacy Neutralization / Bypass (highest risk)

Revision 1
Tags: fix7, architecture, xhigh-review, legacy-bypass

03 - SUPERTRACK C: Legacy Neutralization / Bypass Review (highest-risk area)

This is the area where FIX2..FIX6 repeatedly failed (new safe layers built while the real authoritative callers and PUBLIC-executable legacy entrypoints stayed live). Reviewed hardest.

Live evidence (read-only)

pg_proc.proacl is NULL for fn_dot_birth_qt001_apply, sp_dot_birth_qt001_apply, fn_qt001_plan_v5 and fn_dot_birth_qt001_plan_v2. A NULL proacl means PostgreSQL's default function privileges apply, and that default grants EXECUTE to PUBLIC. The legacy apply/writer entrypoints are therefore PUBLIC-executable right now. "Unreachable from the new entrypoint" is NOT sufficient on its own - any role can still call them directly until EXECUTE is revoked. This confirms the blueprint's neutralization step is load-bearing, and it exposed a missing overwrite guard.

Checks

| check | result |
| --- | --- |
| old public.qt001_* entrypoints cannot bypass new control-plane during activation/cutover | PASS - G-NOLEGACY (legacy_reached=0 AND non-owner-executable=0); PKG-F bundles REVOKE EXECUTE + fail-closed stub |
| "unreachable" not accepted as enough | PASS - executability clause present (blocked, not merely unreachable) |
| directus-owned legacy treated as bypass risk until cutover | PASS - LEGACY_FREEZE until PKG-H; neutralized at PKG-F |
| PKG-F / S15 neutralization sufficient + correctly ordered | PASS-after-fix - bundled into PKG-F (XH-2 already), now also guarded against overwrite |
| rollback does not re-open legacy bypass silently | XHB-02 found + fixed |
| no old/frozen DOT can overwrite the gateway/control-plane | XHB-01 found + fixed |

Findings

XHB-01 (P1) - no overwrite guard for DOT / non-owner against gateway/control-plane

  • DOT-119 dot-birth-trigger-setup embeds CREATE OR REPLACE FUNCTION fn_birth_registry_auto(). More generally, the blueprint had G-DOT-FROZEN (DOTs stay frozen) but no guard that a DOT, if ever executed, or any non-owner role, cannot CREATE OR REPLACE/overwrite a qt001_cp control object or the active gateway. Overwriting the gateway/writer is the most direct bypass of the whole control plane.
  • The mitigating fact (qt001_cp objects are owner-isolated from creation - schema AUTHORIZATION qt001_cp_owner, no non-owner CREATE) was implicit, not asserted as a guard.
  • Fix: added G-DOT-NOOVERWRITE (doc 06): no DOT (frozen or otherwise) and no non-owner role can CREATE OR REPLACE/overwrite a qt001_cp control object or the active gateway_manifest #26 target; qt001_cp objects owner-isolated; DOT-119 cannot re-replace the gateway. Mapped to S00/S15/S19; added to PKG-E and PKG-I validation; added a "birth gateway modification" + "registry-pivot repoint" hard-block row (doc 08).

XHB-02 (P1) - S15 rollback restores legacy EXECUTE (silent-bypass appearance)

  • doc 05 S15 rollback said "restore prior writer + prior EXECUTE grants" with no safety rationale. Restoring legacy EXECUTE literally re-opens the PUBLIC-executable legacy path - exactly the thing PKG-F closed. Without explanation this reads as "rollback silently re-opens the bypass."
  • The truth: rolling back the repoint MUST restore the prior writer (the new path failed), and the prior writer is the legacy path; this returns the system to the pre-cutover baseline, which was itself safe-blocked (QT001 apply blocked since Codex NOT_SAFE; no permit open). The new control plane is NOT deleted on S15 rollback - it stays dormant/superseded.
  • Fix: doc 05 note 5 added making this explicit; doc 04 S14 rollback cell now points to it; G-ROLLBACK-SAFE asserts apply/permit remain independently blocked after any S15 rollback, which is the condition under which restoring legacy executability is acceptable.

Cross-impact checked

  • G-DOT-NOOVERWRITE does not alter any invariant; it is a verification guard. It complements (does not replace) G-DOT-FROZEN and G-NOLEGACY.
  • The rollback clarification does not weaken neutralization: forward cutover still requires non-owner-executable=0; only the rollback-to-prior-baseline path restores legacy EXECUTE, and only because the standing apply/permit block holds.
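A worked SQL version of the proacl evidence query, the PKG-F neutralization (REVOKE EXECUTE + fail-closed stub, G-NOLEGACY verification) and the G-DOT-NOOVERWRITE owner-isolation discussed above, added here as an illustration and not taken from the blueprint or its packages. The (jsonb) argument list of fn_dot_birth_qt001_apply and the LIKE '%qt001%' name filter are assumptions.

```sql
-- 1. Live evidence (read-only): legacy qt001 functions in "public" that are
--    executable by PUBLIC. proacl IS NULL means "default privileges", and the
--    default for functions grants EXECUTE to PUBLIC; in aclexplode() output
--    the PUBLIC pseudo-role appears as grantee 0.
SELECT n.nspname, p.proname, pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.proname LIKE '%qt001%'                  -- assumed name filter
  AND (p.proacl IS NULL
       OR EXISTS (SELECT 1 FROM aclexplode(p.proacl) a
                  WHERE a.grantee = 0 AND a.privilege_type = 'EXECUTE'));

-- 2. PKG-F neutralization: revoke the PUBLIC grant, then replace the body with
--    a fail-closed stub so a role holding a stale explicit grant still cannot
--    apply. Run as the function's owner. The (p_payload jsonb) RETURNS void
--    signature is an assumption; a mismatch would create an overload instead.
BEGIN;
REVOKE EXECUTE ON FUNCTION public.fn_dot_birth_qt001_apply(jsonb) FROM PUBLIC;
CREATE OR REPLACE FUNCTION public.fn_dot_birth_qt001_apply(p_payload jsonb)
RETURNS void LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'fn_dot_birth_qt001_apply is neutralized (PKG-F); use the qt001_cp gateway'
    USING ERRCODE = 'insufficient_privilege';
END $$;
-- Functions this role creates in "public" later no longer inherit the PUBLIC default.
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
COMMIT;

-- 3. G-NOLEGACY verification: non-owner-executable must be 0. Every
--    non-superuser role other than the owner that can still EXECUTE is a FAIL.
SELECT p.proname, r.rolname
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles r ON NOT r.rolsuper AND r.oid <> p.proowner
WHERE n.nspname = 'public' AND p.proname LIKE '%qt001%'
  AND has_function_privilege(r.rolname, p.oid, 'EXECUTE');

-- 4. G-DOT-NOOVERWRITE: owner-isolated control-plane schema. CREATE OR REPLACE
--    requires ownership of the existing function, and a fresh CREATE requires
--    CREATE on the schema, so a DOT or any non-owner role can do neither.
CREATE SCHEMA IF NOT EXISTS qt001_cp AUTHORIZATION qt001_cp_owner;
REVOKE CREATE ON SCHEMA qt001_cp FROM PUBLIC;
-- Verification: any non-owner, non-superuser role with CREATE here is a finding.
SELECT r.rolname
FROM pg_roles r
WHERE r.rolname <> 'qt001_cp_owner' AND NOT r.rolsuper
  AND has_schema_privilege(r.rolname, 'qt001_cp', 'CREATE');
```

Sections 1 and 3 are the read-only checks and should return zero rows after PKG-F; sections 2 and 4 are the neutralization and guard steps and must be run by the object owner, since a non-owner cannot REVOKE on or REPLACE a function it does not own.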

Verdict

LEGACY_NEUTRALIZATION_PASS_AFTER_FIX - legacy is blocked (not merely unreachable), the gateway/control-plane is now explicitly overwrite-protected, and rollback is shown not to silently re-open the bypass. Live evidence (proacl=NULL) substantiates the necessity of every step.

Source path: knowledge/dev/reports/architecture/t1-xhigh-fix7-refactor-blueprint-review-2026-06-08/03-legacy-neutralization-bypass-review.md