KB-A7B1
XHigh Review - Rollback Blueprint
Revision 1
06 - SUPERTRACK F: Rollback Blueprint Review
Checks
| check | result |
|---|---|
| rollback order reverse-safe | PASS - doc 05 invariant 1 = exact reverse of doc 02 §2.6 (writer_repoint ... policy_rule -> envelope -> manifest_set) |
| rollback can return to safe-blocked state | PASS - invariant 4; G-ROLLBACK-SAFE on every step |
| rollback before vs after activation differs where needed | PASS - pre-activation drops empty candidate-only; post-activation = new candidate with prior payload (never drops) |
| rollback does not re-enable legacy bypass | PASS-after-fix - XHB-02; doc 05 note 5 makes the safe-blocked baseline explicit |
| rollback restores Directus read behavior | PASS - S16 rollback restores prior ownership+grants from verified snapshot |
| rollback snapshot exists before ACL/grant changes | PASS - MX-3: captured + verified + rehearsed before REVOKE |
| rollback covers owner/role/grant changes | PASS - S16 row |
| rollback covers manifest activation failure | PASS - S14 row (re-activate prior payload) |
| rollback covers partial creation failure | PASS - S04-S08 pre-activation reverse-order drop of empty objects |
| rollback covers expected-constraint mismatch | PASS - S08/S11 no-go halts before seal; candidate-only objects dropped in reverse order |
Finding (carried from SUPERTRACK C)
XHB-02 (P1) - rollback re-opening legacy executability
- Already detailed in doc 03. The rollback table (S15) restored prior legacy EXECUTE grants without stating why that is safe.
- Fix: doc 05 note 5 - S15 rollback returns to the exact pre-cutover baseline, which was itself safe-blocked (apply blocked since Codex NOT_SAFE; no permit open); the new control plane is not deleted (dormant/superseded); G-ROLLBACK-SAFE asserts the independent apply/permit block holds.
Additional rigor check - "rollback completeness" claim
doc 05 claims ROLLBACK_BLUEPRINT_COMPLETE for S01..S18. Verified each row has action +
dependency + order + verify + operator + safe-blocked. S00/S11/S19 are read-only (no rollback
needed) - correctly omitted. The one hard precondition (verified ACL snapshot) is a mandatory
package output, not implicit. Claim stands.
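The checks in the table above and the completeness verification just described can be mechanised. The following is an added example, not code from doc 02/05 or the reviewed package: a small checker that encodes reverse-safe ordering, pre- vs post-activation rollback actions, the verified-snapshot-before-REVOKE precondition, and the six-field completeness rule, run over a constructed blueprint whose step ids, object names and field names are assumptions modelled on this page.

```python
# Added example, not the reviewed documents' code; step ids, names and fields are constructed.
REQUIRED = ("action", "dependency", "order", "verify", "operator", "safe_blocked")
def check_blueprint(forward, rollback, activation_sid):
    """Return findings for forward steps vs. their rollback rows; an empty list means PASS."""
    findings, snapshot_ok, activated = [], False, False
    for step in forward:
        sid = step["sid"]
        snapshot_ok = snapshot_ok or bool(step.get("snapshot_verified"))
        if step.get("acl_change") and not snapshot_ok:  # snapshot must precede any REVOKE
            findings.append(f"{sid}: ACL/grant change before a verified rollback snapshot")
        if step.get("read_only"):                        # read-only steps carry no row
            if sid in rollback:
                findings.append(f"{sid}: read-only step carries a rollback row")
            continue
        row = rollback.get(sid)
        if row is None:
            findings.append(f"{sid}: no rollback row")
            continue
        missing = [k for k in REQUIRED if not row.get(k)]
        if missing:
            findings.append(f"{sid}: rollback row lacks {', '.join(missing)}")
        activated = activated or sid == activation_sid
        if step.get("acl_change"):                       # owner/role/grant: restore snapshot
            want = "restore_from_snapshot"
        else:  # pre-activation drops the empty candidate; post-activation never drops
            want = "reactivate_prior_payload" if activated else "drop_empty_candidate"
        if row.get("action") != want:
            findings.append(f"{sid}: rollback action should be {want}")
    created = [s["creates"] for s in forward if s.get("creates")]
    ordered = sorted(rollback.values(), key=lambda r: r.get("order", 0))
    if [r["target"] for r in ordered if r.get("target")] != created[::-1]:
        findings.append("rollback order is not the exact reverse of creation order")
    return findings

def mkrow(action, order, target=None):                   # constructed rollback row
    return {"action": action, "dependency": "prior row", "order": order, "verify": "check",
            "operator": "dba", "safe_blocked": True, "target": target}

# Constructed sample: creation order from the page (manifest_set -> envelope -> policy_rule
# -> writer_repoint), then activation, the verified snapshot, and an owner/grant change.
FORWARD = [{"sid": "S00", "read_only": True}, {"sid": "S04", "creates": "manifest_set"},
           {"sid": "S05", "creates": "envelope"}, {"sid": "S06", "creates": "policy_rule"},
           {"sid": "S07", "creates": "writer_repoint"}, {"sid": "S14"},
           {"sid": "MX-3", "read_only": True, "snapshot_verified": True},
           {"sid": "S16", "acl_change": True}]
ROLLBACK = {"S16": mkrow("restore_from_snapshot", 1), "S14": mkrow("reactivate_prior_payload", 2),
            "S07": mkrow("drop_empty_candidate", 3, "writer_repoint"),
            "S06": mkrow("drop_empty_candidate", 4, "policy_rule"),
            "S05": mkrow("drop_empty_candidate", 5, "envelope"),
            "S04": mkrow("drop_empty_candidate", 6, "manifest_set")}
```

`check_blueprint(FORWARD, ROLLBACK, "S14")` returns an empty list for the sample; removing the snapshot step, swapping two drop rows, or clearing `safe_blocked` on a row each produces the corresponding finding.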
Verdict
ROLLBACK_PASS_AFTER_FIX - every future change has a defined, reverse-safe, safe-blocked-preserving
rollback; the one ambiguity (legacy EXECUTE on S15 rollback) is now explicitly justified.