Macro-5 Build Preflight Forbidden Surfaces — R2-B2 (2026-06-19)
Macro-5 Build Preflight Forbidden Surfaces — R2-B2 (2026-06-19)
Date: 2026-06-19 · Workstream: R2-B2-MACRO-5-STAGING-BUILD-AUTHORIZATION-PACKAGE-2026-06-19 (Deliverable 45 of 110) · Editorial revision: rev1
Class: build preflight forbidden surfaces · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NO write performed.
Metadata convention. Editorial revision (rev1) only. AgentData storage revision/
content_lengthauthoritative at read time.
0. Status and non-authorization
STATUS: PASS — engineering / design-only. The exact production surfaces a build must leave untouched. Engineering PASS ≠ authority PASS. Default: HOLD.
1. Purpose
List the forbidden surfaces a preflight must confirm are unchanged.
2. Sources / evidence read
Macro-4 no-production-touch forbidden surfaces (D45); production-firewall candidate (32); FRESH staging-table classification. Main process, no reader-agents.
3. Accepted baseline (carried)
A workbench run touches none of these; any write to any of them = FAIL.
4. Evidence / analysis — forbidden surfaces
| Surface | Must be unchanged |
|---|---|
birth_registry (all columns incl. inspect_*, certified, canonical_address, owner, jsonb_profile, status) |
yes |
universal_edges (KG provenance/edges) |
yes |
governance_object_ownership |
yes |
dot_config (gate switches incl. app.birth_gate_mode) |
yes |
iu_core.* (production IU staging) + unit_edit_draft + iu_create gateway |
yes |
dot_agent_api_contract (no birth-bound promotion) |
yes |
wf_host_crontab_snapshot / host cron (no birth job) |
yes |
pg_extension (no pg_cron install) |
yes |
5. Candidate / requirement / gate / result
FRESH confirms the only staging-like tables are the production iu_core.* / unit_edit_draft — the workbench must never alias them. A build touches none of these; this macro touched none (read-only). Any write = FAIL.
6. Owner-gated future work
None of these is ever the workbench's surface; neighbors are separate Owner-gated blocks.
7. What remains unresolved
The isolation scheme that keeps these untouched is FUTURE_TECHNICAL_DESIGN_REQUIRED.
8. Ready for GPT/Codex review
Yes — Codex should confirm the forbidden-surface list matches the FRESH substrate.