Mega Gate — Minimal Pilot Slice Acceptance Criteria
Mega Gate — Minimal Pilot Slice Acceptance Criteria
Date: 2026-06-18 · Workstream: LEGO-PILOT-SLICE-0-B2-MEGA-GATE-BUNDLE-2026-06-18 (Deliverable 15 of 20) · Editorial revision: rev1
Class: design-only / acceptance gate / verification requirement · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NOT remediation · NOT technical design · NOT implementation · NOT a runtime test · NO blocker resolved · NO runtime touched.
Metadata convention. Editorial revision (rev1) only. AgentData storage revision and
content_lengthare authoritative in AgentData metadata at read time; not pinned in this body.
Acceptance-gate lock. This packet defines what the smallest future B2 pilot slice must satisfy to be accepted — as an engineering acceptance gate, never an authority gate. It builds no pilot, runs no test, promotes nothing. Even a fully passing pilot is an engineering result requiring a separate Owner gate before any staging→production promotion.
0. Status and non-authorization
STATUS: PASS — engineering / design-only. This is a complete design-only acceptance gate for a minimal B2 pilot slice: the smallest scope that would prove "nháp nhanh, xóa nhanh, không chạm production," the all-of acceptance criteria (carried AC-1…AC-10), the engineering-vs-authority distinction, and the explicit no-auto-promotion rule.
Engineering PASS ≠ authority PASS. A PASS means the acceptance gate is complete on paper. It is not an Owner authorization to build a pilot, run it, or promote its output. Default disposition: HOLD.
Pipeline position (downstream-only). Deliverable 15 of the Mega Gate Bundle; it deepens the verification plan's §11 minimal pilot acceptance criteria (Deliverable D) into a minimal-scope acceptance gate. It accepts nothing.
Non-authorization (explicit). As Deliverable 1 §0, and specifically: it builds no pilot/producer/staging; runs no test; promotes nothing staging→production; certifies nothing. v0.1/FIX7 V3 not overwritten; v0.2 not authority.
Evidence basis — INHERITED_EVIDENCE. No runtime queried; the producer is MISSING. AgentData metadata authoritative at read time. CAV-3/CAV-4/CAV-5 carried.
Reading discipline (Codex caveat, honored). All sources read directly from AgentData KB, bounded/sequential, by the main process — no parallel/background reader-agents, no sub-agents, no local-prose inference. /tmp = decode-scratch only, never SSOT.
1. Purpose
Answer the macro's sixth question: what minimal pilot slice would prove "nháp nhanh, xóa nhanh, không chạm production"? The packet answers:
- What is the smallest pilot scope that proves it? — §5 minimal scope.
- What are the all-of acceptance criteria? — §5 (AC-1…AC-10).
- What distinguishes an engineering PASS from an authority PASS? — §5 / §4.
- Why does no promotion follow automatically? — §5 firewall.
The one rule, above all detail. The minimal pilot proves the producer half on a disposable surface: invalid input never stamps/certifies/canonicalizes/leaks/PASSes; the surface deletes fast and total; production is provably untouched. Acceptance is all-of; a single fail-open fails the pilot; even a passing pilot is an engineering result needing a separate Owner gate before promotion.
2. Sources read
All 25 required sources read first-hand from AgentData KB, by the main process, sequentially; none SOURCE_NOT_READ (full list in Deliverable 20 §2). Used principally: the verification plan §11 (AC-1…AC-10) + §3 step 7 (engineering vs authority); the staging IO contract §6 (promotion firewall) + §3 (objective); the no-touch / delete-fast deliverables (12/13); the bad-input oracle requirements (Deliverable 14); operating-rules (AP-CLOSE; out-of-scope-blocker STOP).
3. Accepted baseline (carried, not re-derived)
- Minimal pilot acceptance (carried, Deliverable D §11 AC-1…AC-10): all fifteen bad inputs rejected fail-closed; no phantom stamp/unearned certify/canonical leak/fused shortcut; never runs ungoverned; no authority confusion; candidate results never reach a production field; delete-fast total + one unit; rollback = one staging run with no downstream certify; no production/canonical touch; PASS only with evidence; engineering PASS explicitly distinguished from authority PASS, no auto-promotion.
- Acceptance is all-of (carried): a single fail-open condition fails the pilot.
- Promotion firewall (carried, Deliverable C §6): nothing flows staging→production automatically; promotion is a separate Owner gate (Điều 32).
- Blockers — all OPEN. Tool/packet lock carried.
4. Analysis — the smallest scope that still proves the claim
The Owner's "nháp nhanh, xóa nhanh, không chạm production" decomposes into exactly three provable properties: (1) fail-closed producer — invalid input never produces a forbidden effect; (2) delete-fast — the surface disposes in one total move; (3) no production touch — production is provably unchanged. The minimal pilot is the smallest scope that exercises all three with evidence: a single staging run of a candidate producer over a bounded disposable sample (including bad-input fixtures), followed by a delete-fast, bracketed by before/after production snapshots. It does not need the full backlog, the live channel, or B4 — it proves the producer half on a disposable surface. Anything larger is not "minimal"; anything smaller cannot prove all three. This packet states the acceptance gate for that minimal slice; it builds and runs nothing.
5. Minimal pilot slice — scope and acceptance
5.1 Minimal scope (what the smallest pilot exercises)
| Element | Minimal scope | Not in the minimal slice |
|---|---|---|
| Producer | a candidate B2 producer exercised once (one staging run) | the full standing producer; the live channel |
| Input | a bounded disposable sample mirroring the B3 shape + bad-input fixtures (BAD-1…15) | the 1.21M backlog (that is B5, separate); live production rows |
| Output | candidate inspect_* on the disposable surface only |
production inspect_*; certify; canonical |
| Consumer | none — B4 is not run in staging | any certify (staging triggers none by construction) |
| Disposal | one delete-fast of the whole surface | partial/per-row disposal |
| Evidence | rejection + delete-fast + rollback + no-touch evidence (Deliverables 12/13/14) | a manifest that launders results (forbidden) |
5.2 All-of acceptance criteria (carried AC-1…AC-10; minimal-slice readings added)
| # | Acceptance criterion | Proven by (minimal slice) |
|---|---|---|
| AC-1 | All fifteen bad inputs (BAD-1…15) rejected fail-closed | Deliverable 14 oracle verdicts + rejection evidence |
| AC-2 | No phantom stamp / unearned certify / canonical leak / fused shortcut (F-OPEN-1…4 absent) | rejection evidence + no-touch snapshot (Deliverable 12) |
| AC-3 | The producer never runs ungoverned (channel + S2 owner + Điều 32 present) | governance precondition (BAD-9) — in the minimal slice, the staging exercise is itself Owner-gated |
| AC-4 | No authority confusion: v0.2 not FIX7 authority; no audit event acts as approval | tool lock (BAD-10) + S7 records-not-decides (BAD-13) |
| AC-5 | Candidate results never reach a production field (separation holds) | no-touch NT-1/NT-6 + BAD-14 (the load-bearing isolation test) |
| AC-6 | Delete-fast is total and one-unit | delete-fast DF-3/DF-2 (Deliverable 13) + BAD-15 |
| AC-7 | Rollback = one staging run, no downstream certify | DF-5 + NT-6 (B4 never sees candidates) |
| AC-8 | No production/canonical touch — before/after snapshots identical | NT-1…NT-7 (Deliverable 12) |
| AC-9 | PASS only with the §7–§10 evidence attached (no silent PASS) | AP-CLOSE; F-OPEN-10 detection (Deliverable 14 §5.4) |
| AC-10 | Engineering PASS explicitly distinguished from authority PASS; no staging→production promotion follows automatically | the promotion firewall (Deliverable C §6); §5.3 below |
Aggregate (carried). Acceptance is all-of; a single fail-open condition (F-OPEN-1…10) fails the pilot. None is evaluated here — the producer is MISSING.
5.3 Engineering PASS vs authority PASS (the firewall)
Even a minimal pilot that satisfies AC-1…AC-10 is an engineering result: it proves the producer is contract-correct and fail-closed on a disposable surface. It is not an Owner authorization to promote the producer/candidate to production. Promotion staging→production is a separate Owner gate (Điều 32) — nothing flows automatically. A pilot PASS therefore unlocks an Owner decision about promotion, never the promotion itself. (B2-AC-10 / RP-AC-10: no report PASS becomes Owner authorization.)
Verdict: the minimal-pilot acceptance gate is complete on paper; it is not met (no pilot exists; INHERITED_EVIDENCE). A future pilot must satisfy AC-1…AC-10 all-of, with evidence, behind the promotion firewall. No pilot is built or run here.
6. Owner-gated future work
| Future work | Gate required | Forbidden now? |
|---|---|---|
| Build the minimal pilot (producer + bounded sample + staging) | Điều 32 + S2 + channel + staging | Yes |
| Run the single staging exercise + delete-fast | Điều 32 + built pilot + built staging | Yes |
| Generate the AC-1…AC-10 evidence | Điều 32 (within the governed pilot) | Yes |
| Decide promotion after a passing pilot | a separate Owner gate (Điều 32); the firewall holds | Yes |
7. What remains unresolved
- No pilot is built or run; acceptance is a gate, not a result. AC-1…AC-10 are not evaluated (producer MISSING).
- AC-5 (separation) and AC-6 (delete-fast totality) are the load-bearing criteria — they prove "không chạm production" and "xóa nhanh."
- AC-10 firewall holds — even a passing pilot needs a separate Owner gate before promotion.
- Minimal scope excludes the backlog (B5) and the live channel — the minimal slice proves the producer half on a disposable surface only.
- Blockers — all OPEN, none resolved: CONS-002, CONS-003, CELL-003/004/007, HOLD-1, HOLD-2, RISK-BYPASS, GOV-016/017, GOV-REUSE-001, Điều 39 runtime-EMPTY, Điều 35 production-readiness FAIL.
- FUTURE_TECHNICAL_DESIGN_REQUIRED (NOT written here): the pilot, the producer, the staging surface, the fixtures, the snapshot queries, any command sequence.
8. Ready for GPT/Codex review
Yes — as a design-only acceptance gate, not a pilot.
Core rule, kept above all detail: the minimal pilot proves the producer half on a disposable surface — fail-closed on BAD-1…15, delete-fast total, production provably untouched — accepted all-of (a single fail-open fails it), and even a passing pilot is an engineering result needing a separate Owner gate before promotion. No pilot is built or run.
Default disposition: HOLD. Engineering PASS = a complete acceptance gate on paper; it is not an Owner authorization to build, run, or promote. No PASS authorizes writes. All blockers remain OPEN.