Mega Gate — B2 Non-TD Outline (what the future TD must contain)
Date: 2026-06-18 · Workstream: LEGO-PILOT-SLICE-0-B2-MEGA-GATE-BUNDLE-2026-06-18 (Deliverable 8 of 20) · Editorial revision: rev1
Class: design-only / TD table-of-contents (obligations only) / decision-support · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NOT remediation · NOT technical design · NOT implementation · NO blocker resolved · NO runtime touched.
Metadata convention. Editorial revision (rev1) only. AgentData storage revision and content_length are authoritative in AgentData metadata at read time; not pinned in this body.
Outline-not-TD lock — the critical lock of this packet. This packet lists what a future actual B2 TD must contain — its sections, the questions each must answer, the obligations each must satisfy — and writes none of that content. It contains no schema/DDL, table/column definition, migration, function body, SQL-mutate plan, scheduler/runner/cron implementation, command sequence, rollback script, staging schema, or live-data-extraction plan. Every entry is a requirement on the future TD, never a design. If any actual design appears, that is ACTUAL_TD_DRIFT → HOLD.
0. Status and non-authorization
STATUS: PASS — engineering / design-only. This is a complete design-only table-of-contents-with-obligations for a future actual B2 TD: the sections that TD must contain, the questions each section must answer, the obligations/constraints each must satisfy, and the explicit forbidden-content list — with no actual design written.
Engineering PASS ≠ authority PASS. A PASS means the outline of what TD must contain is complete on paper. It is not TD, not an authorization to write TD, and not a producer design. Default disposition: HOLD.
Pipeline position (downstream-only). Deliverable 8 of the Mega Gate Bundle; it answers "what would actual B2 TD need to contain, without writing that TD" (macro question 5). It writes no TD and opens none.
Non-authorization (explicit). As Deliverable 7 §0, and specifically: it writes no schema/DDL/table/migration/function-body/SQL-mutate/scheduler/runner/cron/command-sequence/rollback-script/staging-schema/extraction-plan. v0.1/FIX7 V3 not overwritten; v0.2 not authority.
Evidence basis — INHERITED_EVIDENCE. No runtime queried. The contract/obligations are inherited from the accepted B2 TD-prep + interface packets. AgentData metadata authoritative at read time. CAV-3/CAV-4/CAV-5 carried.
Reading discipline (Codex caveat, honored). All sources read directly from AgentData KB, bounded/sequential, by the main process — no parallel/background reader-agents, no sub-agents, no local-prose inference. /tmp = decode-scratch only, never SSOT.
1. Purpose
Answer the macro's fifth question: what would actual B2 TD need to contain, without writing that TD? The packet answers:
- What sections must the future TD contain? — §5 outline.
- What must each section answer / satisfy (as obligations, not answers)? — §5.
- What must the future TD never contain? — §5 forbidden-content.
- How does the outline stay on the non-TD side of the line? — §4.
The one rule, above all detail. This is the shape of the future TD, not the TD. Each entry is a requirement the eventual designer must meet; none is a design, a schema, a function, or a command. The outline makes the eventual TD reviewable and bounded; it does not pre-empt it.
2. Sources read
All 25 required sources read first-hand from AgentData KB, by the main process, sequentially; none SOURCE_NOT_READ (full list in Deliverable 20 §2). Used principally: the B2 TD-prep packet (the 13-field contract, B2-AC-1…14, BI-1…12, PO-1…9, the §10 S8 unit, the §9 S7 contract); the interface packet (S3/S4/S7/S8); the Điều 0-G rule-set (the PEN/STAMP/GATE meaning the TD must encode — referenced, not reproduced); Điều 32 (governance the TD must route through); operating-rules (Assembly First; fail-closed; AP-CLOSE).
3. Accepted baseline (carried, not re-derived)
- B2 in one line (carried): inspect producer only — reads uncertified birth_registry rows + the Đ0-G rule-set; writes inspect_pen/inspect_stamp/inspect_gate only (genuine per-stage, one column each, PEN→STAMP→GATE order, idempotent, fail→audit-queue); never certify/canonicalize/mint identity/KG provenance/fake now()/fused INSERT/net-new columns.
- The 13-field contract is frozen (F-1); the TD designs to it.
- The nine proof obligations (PO-1…PO-9) and the bad-input matrix (BI-1…BI-12) are the TD's acceptance conditions (carried).
- Blockers — all OPEN. Tool/packet lock carried.
4. Analysis — staying on the non-TD side of the line
The boundary between "what the TD must contain" and "the TD itself" is: an obligation says the TD must answer X / satisfy Y; a design answers X / provides Y. This packet writes only obligations. Concretely, for each future-TD section it states the questions to answer and the constraints to satisfy, and explicitly does not provide the schema, the function body, the SQL, the cron command, the runner, the rollback script, or the staging schema that would answer them. The forbidden-content list (§5) is the explicit guard; Codex must verify no entry crosses into design.
5. Outline of a future actual B2 TD (obligations only — no design written)
Each row names a TD section, the questions it must answer, and the obligations it must satisfy. None is answered here.
| TD section (future) | Questions the TD must answer | Obligations the TD must satisfy (constraints, not designs) |
|---|---|---|
| T-0. Scope & non-authorization | What is in/out of B2's scope? What stays Owner-gated? | Restate B2 = inspect producer only; carry all locks; engineering PASS ≠ authority PASS |
| T-1. Input handling | How does the producer select uncertified rows and the Đ0-G rule-set? | Input = certified=false rows, PEN scope governed; must not require a certified precondition; must read the rule-set from the authoritative source (GATE-3) — the TD states the selection obligation; it writes no query |
| T-2. PEN/STAMP/GATE logic | How does each stage decide pass/fail per the Đ0-G criteria? | Encode the Đ0-G PEN (identity-completeness), STAMP (metadata-completeness), GATE (species-fit/business-rules) meanings (referenced, not redefined); one column per inspector; PEN→STAMP→GATE order; STAMP/GATE are least-precedented (PO-1 caveat) — the TD states the logic obligations; it writes no function body |
| T-3. Output writes | How are inspect_* set, idempotently, per stage? | Set only an unset column; only on a genuine pass; never blanket now(); never certified/canonical/identity/KG; never net-new columns (B2-AC-1…6, 12, 14) — the TD states the write obligations; it writes no UPDATE/DDL |
| T-4. Channel integration | How does the chosen channel invoke the producer? | The channel (GATE-4, Owner-selected) must stay an external, replaceable internal; the contract must not change with it (B2-AC-7); the producer owns its own atomicity/idempotency (no channel is transactional) — the TD states the integration obligation; it writes no cron/contract/runner spec |
| T-5. Fail-closed behavior | How does each BAD-1…BAD-15 / BI-1…BI-12 case fail closed at runtime? | Bad input → no stamp + audit append; never stamp/certify/canonicalize/leak/PASS on invalid input; commit to runtime verification (GATE-9) — the TD states the fail-closed obligations + a verification plan; it runs no test |
| T-6. S7 evidence | What does the producer append, and how does it stay records-not-decides? | Per-run counts/ids/timestamps/channel-id/rule-set-hash + per-failure audit (AP-CLOSE); S7 never approves/certifies; the producer never reads S7 to decide (B2-AC-8) — the TD states the evidence obligation; it writes no writer body |
| T-7. Rollback (S8) | What is the per-run rollback unit and how is it executed? | One producer run is the unit; account for the downstream B4 auto-certify interaction; evaluate fn_iu_enact/Đ39-snapshot patterns (not copy); a design with no clean rollback unit is not authorized (HOLD-2 open) — the TD states the rollback obligation; it writes no rollback script |
| T-8. Governance & ownership | Who owns/runs B2, and how does every write route through Điều 32? | S2 owner assigned (GATE-5); DOT-100% / no manual SQL / no curl bypass (Đ32 §2.1); new/fix DOT in approval scope (§2.4) — the TD states the governance obligation; it assigns no owner and writes no approval |
| T-9. Isolation test (PO-9) | How is B2 tested in isolation before any live run? | Tested on a controlled fixture in the disposable staging surface (GATE-6) before any production write; the bad-input plan (Deliverable 14) becomes executed tests — the TD states the test obligation; it builds no staging and runs no test |
| T-10. Acceptance & rollback-readiness | How is the TD itself accepted, and what must precede a build? | Codex review → Owner approval → rollback plan → runtime-verification plan, in order; no automatic build; carry all blockers OPEN — the TD states the acceptance obligation; it authorizes no build |
Forbidden content for the future TD (and absent here). The future TD — and certainly this outline — must not contain, in this packet: schema/DDL; table/column definition; migration plan; function body; SQL-mutate plan; producer implementation; scheduler/cron implementation; runner build plan; exact command sequence; rollback script; backlog-execution plan; concrete staging schema; live-data-extraction plan. None of these appears here; this packet writes only the obligations above.
Reading of the outline. A future TD that contains sections T-0…T-10, answers each section's questions, and satisfies each section's obligations — while never crossing the forbidden-content line and never violating the Deliverable 7 hard floor — would be a complete, reviewable, LEGO-isolated B2 TD. That TD is not written here; only its required shape is.
6. Owner-gated future work
| Future work | Gate required | Forbidden now? |
|---|---|---|
| Write the actual B2 TD (fill in T-0…T-10) | Owner decision after the Deliverable 7 entry gate is Go | Yes |
| Encode the Đ0-G PEN/STAMP/GATE logic (T-2) | GATE-3 (authoritative source) + Điều 32 | Yes |
| Design the channel integration (T-4) | GATE-4 (channel selected) + Điều 32 | Yes |
| Build the producer / S7 writers / rollback mechanism (T-3/T-6/T-7) | Điều 32 + S2 + channel + staging | Yes |
| Run the isolation/bad-input tests (T-5/T-9) | built producer + staging (Deliverable 14/15) | Yes |
7. What remains unresolved
- No TD is written. This packet is the outline only; the TD is a separate Owner-gated act.
- T-2 (PEN/STAMP/GATE logic) is the least-precedented section — STAMP/GATE were Phase B, never built; it depends most on GATE-3 (Đ0-G authoritative).
- T-4 (channel) cannot be filled until GATE-4 (channel selected by the Owner).
- T-7 (rollback) carries HOLD-2 — no atomic end-to-end birth-certify promote transaction today.
- Blockers — all OPEN, none resolved: CONS-002, CONS-003, CELL-003/004/007, HOLD-1, HOLD-2, RISK-BYPASS, GOV-016/017, GOV-REUSE-001, Điều 39 runtime-EMPTY, Điều 35 production-readiness FAIL.
- FUTURE_TECHNICAL_DESIGN_REQUIRED (NOT written here): all of T-0…T-10's actual content.
8. Ready for GPT/Codex review
Yes — as a design-only TD table-of-contents with obligations, not a TD.
Codex must check: that every entry is an obligation on the future TD and not a design — i.e. no schema/DDL/function/SQL/cron/runner/command/rollback-script/staging-schema/extraction-plan appears anywhere in this packet.
Core rule, kept above all detail: the future B2 TD must contain sections T-0…T-10, each answering stated questions and satisfying stated obligations, never crossing the forbidden-content line or the hard floor. The TD is not written here; only its required shape is.
Default disposition: HOLD. Engineering PASS = a complete TD outline on paper; it is not TD and not an authorization to write TD. No PASS authorizes writes. All blockers remain OPEN.