Mega Gate — Owner Decision Options (R2-B2 toward actual TD)

Date: 2026-06-18 · Workstream: LEGO-PILOT-SLICE-0-B2-MEGA-GATE-BUNDLE-2026-06-18 (Deliverable 1 of 20) · Editorial revision: rev1 Class: design-only / Owner decision options / decision-support · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NOT remediation · NOT technical design · NOT implementation · NO channel selected · NO blocker resolved · NO runtime touched.

Metadata convention. This body uses editorial revision (rev1) only. AgentData storage revision and content_length are authoritative in AgentData metadata at read time; they are deliberately not pinned in this body.

Decision-options lock. This packet enumerates and classifies the next-step options for an Owner. It chooses nothing for the Owner, selects no channel as authority, opens no TD, builds nothing, and authorizes no write. A recommendation is offered as decision-support; it is not an action.

0. Status and non-authorization

STATUS: PASS — engineering / design-only. This is a complete design-only Owner decision-options packet: a classified menu (Options A–G) for the step after the accepted Pilot-Slice-0 planning bundle, each with disposition, reason, risk, what it would unblock, what it must not do, and what stays Owner-gated — plus a recommendation-only ordering.

Engineering PASS ≠ authority PASS. A PASS here means the option space is complete and fairly classified on paper. It is not an Owner authorization to open any option, to select a channel, to write TD, to build staging, or to remediate. Default disposition: HOLD.

Pipeline position (downstream-only).

… → R2-B2 Inspect Producer TD-prep (accepted, Codex PASS_WITH_CAVEATS) → Pilot-Slice-0 R2-B2 planning bundle (Deliverables A–E, accepted, Codex PASS_WITH_CAVEATS) → this Mega Gate Bundle (20 deliverables) — Deliverable 1 → (only if separately authorized, and only once readiness is met) actual B2 technical design with a chosen channel → (only if separately authorized again) producer build / write-enabled remediation.

This packet compresses the path toward actual B2 TD into an explicit Owner decision; it does not take the decision and opens no package.

Non-authorization (explicit). This document does not, and cannot: run any DB write / DDL / DML; restart/reload any container/service; run any worker/cron/job; trigger DOT/KG/birth/certify/promote/repair execution; set inspect_pen/inspect_stamp/inspect_gate; set certified=true; flip app.birth_gate_mode or any dot_config gate; assign a governance owner; install pg_cron or any extension; promote any agent-api contract DRY_RUN→REAL_RUN; enable any queue worker/master switch; write env/config; patch source code or any prior law/draft/note/report; create a current corpus or staging corpus/schema; write technical design; implement; resolve any blocker; select or wire a channel; overwrite the v0.1-stable / FIX7 V3 baseline; promote or use Tool-Kiem-Thu v0.2-hardening as authority.

Evidence basis — INHERITED_EVIDENCE. No runtime was queried in this run. Every runtime fact is inherited from the accepted read-only reports (R2a root-cause, R2 readiness scope, Phase-1, Phase-1B) and accepted design packets. AgentData metadata is authoritative at read time. CAV-3/CAV-4/CAV-5 bound what is provable.

Reading discipline (Codex operational caveat, honored). All sources were read directly from AgentData KB, in bounded, sequential reads, by the main process — no parallel reader-agents, no background reader-agents, no sub-agent outsourcing, no inference from local prose. Oversized reads were decoded locally by the main process only to render already-fetched bytes readable; /tmp was a decode-scratch surface only, never an SSOT. This honors the Codex Process Caveat that flagged the interface packet's parallel-reader-agent pattern.

1. Purpose

Give the Owner one clear decision: what is the safest, fastest next step toward an eventual actual B2 TD, without bypassing any gate? The packet answers:

What options exist? — §5 (Options A–G).
Which are safe now, which are premature, which are scope creep? — §5.
What does each option unblock, and at what risk? — §5.
What is recommended (recommendation-only)? — §5 recommendation.
What stays Owner-gated regardless of the choice? — §6.

The one rule, above all detail. B2 remains the only primary block; B5/B7 remain dependencies only; the channel stays a replaceable internal compared but not selected; staging stays an IO contract; no option authorizes a write. The Owner picks one option; nothing follows automatically.

2. Sources read

All 25 sources of the Mega Gate Bundle's required set read first-hand, directly from AgentData KB, by the main process, sequentially, none SOURCE_NOT_READ. (Full list in the Deliverable 20 execution report §2; AgentData storage revision/content_length authoritative in metadata at read time.) Used here principally: the accepted Pilot-Slice-0 planning bundle (A–E) + its Codex review (the next-step menu); the R2-B2 TD-prep packet + Codex review (the No-Go posture, PO-1…9); R2a root-cause (the substrate state); Phase-1B (the blocker bundle + macro framing); operating-rules (out-of-scope-blocker STOP; fail-closed default).

3. Accepted baseline (carried, not re-derived)

The planning bundle is accepted (Codex PASS_WITH_CAVEATS, "Further Claude patch needed? no"). Its verdict: a channel is compared but not selected; actual B2 TD is aggregate No-Go today; staging is an IO contract only; the verification plan runs no test.
Actual B2 TD Go/No-Go (carried from Deliverable B §14): 1 Go (the frozen 13-field contract), 5 No-Go (Điều 0-G source authority; channel decision; S2 owner; staging surface; CONS/CELL + Đ0-G recovery prerequisites), 5 Partial (B3/B4 runtime re-confirm; S7 writers; S8 mechanism + downstream-certify; bad-input runtime tests; B7 warn-mode + transient GUC). Aggregate: NO-GO.
Substrate (INHERITED_EVIDENCE): producer MISSING; switches OFF; queue idle; pg_cron absent; no birth cron; 1,402 certified vs 1,211,557 uncertified; only fn_birth_auto_certify reads inspect_*, nothing writes them.
Blockers — all OPEN: CONS-002, CONS-003, CELL-003/004/007, HOLD-1, HOLD-2, RISK-BYPASS, GOV-016/017, GOV-REUSE-001, Điều 39 runtime-EMPTY (2199 edges / 0 provenance), Điều 35 production-readiness FAIL.
Tool/packet lock (carried, §see Deliverable 20): v0.1-stable / FIX7 V3 baseline not overwritten; v0.2-hardening not authority.

4. Analysis — the decision space

The accepted bundle leaves the Owner at a single fork: which prerequisite (or set of prerequisites) to open next, and in what order, on the path to an eventual actual B2 TD. Because actual B2 TD is aggregate No-Go, opening it first (Option A) would either stall at the gate or force the Owner to waive No-Go criteria. The other options each retire one or more No-Go/Partial criteria before TD, lowering the eventual TD's risk.

The options are not mutually exclusive over time — several can be sequenced — but they are a single "what first" decision now. They divide into:

Prerequisite-retiring, write-free (E read-only re-verify; F B3/B4 re-check; D Đ0-G source authority) — each retires a Partial/No-Go criterion with no write.
Decision steps the Owner alone can take (B channel selection; C staging build readiness → later staging build) — these advance the gate but the acts they enable stay Owner-gated.
Premature / out of scope (A open TD now; G expand to B5/B7) — A is gate-blocked today; G is B5_B7_SCOPE_CREEP.

Key constraint carried (operating-rules §8 + the LEGO locks): the Owner picks one first move; opening one option does not open another; no option authorizes a write; the channel is never selected by this packet.

5. Owner decision options (A–G) — classified

Each option's "what it would unblock" maps to the No-Go/Partial criteria of Deliverable B §14 (carried). "Write-enabled later?" states whether the option's downstream eventually needs a write gate — none is authorized now.

Option	What it is	Disposition	Reason	Risk if chosen	Unblocks (G-criteria)	Must NOT do	Write-enabled later?
A	Open actual B2 technical design now	HOLD / No-Go unless the Owner explicitly accepts the open prerequisites	Actual B2 TD is aggregate No-Go (Deliverable B §14): Đ0-G source, channel, S2 owner, staging surface all open. Opening TD now means designing against unfrozen inputs.	TD built on a working-source rule-set, an undecided channel, no owner, no staging → unverifiable/likely-rework; risk of `ACTUAL_TD_DRIFT`.	(would attempt all, but cannot close them)	Write actual TD here; waive a No-Go silently	Yes (the TD itself, and everything after, stays Owner-gated)
B	Open the R2-D2 channel decision as an Owner authority step (Owner selects a channel from the compared candidates)	Candidate near-term step (recommendation-only) — the selection is the Owner's act, not this packet's	Channel is one of two unblocking decisions (G-4) only the Owner can make; the comparison is complete (Deliverable A). Retiring G-4 is the single largest TD-readiness unlock.	Selecting before liveness is provable (substrate fail-closed) risks deciding on paper only; mitigated by the channel proof-obligations (Deliverable 6).	G-4 (channel decided)	Let this packet select the channel (that is `CHANNEL_AUTHORITY_DRIFT`); wire/install anything	Yes (wiring/promotion/install all Owner-gated)
C	Open staging build TD-readiness → (separately) staging build	Safe, but channel-independent and still leaves G-4 open	Staging is the disposable workshop B2 TD needs (G-6). Building readiness is write-free; the build itself is a separate gate.	Building staging while the channel is undecided is fine (staging is channel-agnostic) but does not advance G-4; risk of `STAGING_SCHEMA_OR_CORPUS_DRIFT` if it slips into schema.	G-6 (staging surface)	Create staging schema/corpus/SQL; extract live data	Yes (the build, and any data population, Owner-gated)
D	Resolve the Điều 0-G source authority first (out-of-band recovery to an authoritative source)	Safe and foundational, but Owner-controlled / out-of-band and may slow the pilot	Đ0-G is read from a working source with a broken Constitution reference (G-3 / PO-1); STAMP/GATE are the least-precedented logic. Recovery makes the rule-set authoritative.	Recovery is external/out-of-band; it may take time and is not something this lane can do — risk is schedule, not safety.	G-3 (Đ0-G authoritative)	Treat the working source as authoritative silently; invent a rule-set	Yes (any rule-set adoption Owner-gated)
E	Run a read-only runtime re-verification macro first (re-confirm substrate state under read-only tools)	Safest first move (recommendation-only) — write-free, retires Partial criteria	The bundle is INHERITED_EVIDENCE; a fresh read-only pass would re-confirm B3 column shape/order, B4 consumer, switches/queue/cron/pg_cron state, and counts — converting carried facts into current evidence (G-2, partial G-7/G-10).	Lowest risk (read-only); only cost is time; does not by itself decide the channel or build staging.	G-2 (B3/B4 runtime re-confirm) + evidence refresh for G-7/G-10	Mutate anything; treat read-only verify as authorization	No (read-only); downstream actions still Owner-gated
F	Open a B3/B4 compatibility re-check (narrow: the inspect-result stud + the certify consumer)	Safe, narrow prerequisite — a focused subset of E	B3 is the load-bearing stud; B4 is the live-but-starved consumer. A focused re-check retires G-2 and de-risks the eventual TD's most coupling-sensitive interface.	Narrow scope is its strength and its limit — it advances only G-2.	G-2 (B3 stable + B4 re-verified)	Change B3; couple B2 to B4 internals; run a producer	No (read-only re-check); any contract change Owner-gated
G	Expand now to B5 (backlog) and/or B7 (GUC policy) design	REJECT — `B5_B7_SCOPE_CREEP`	B5 and B7 are dependencies only, not primary blocks. Opening their design here violates the primary-block lock and the macro boundary.	Scope creep; dilutes the B2-only focus; would trigger HOLD.	(none — out of scope)	Open B5/B7 design at all	Yes (B5/B7 are separate future Owner-gated packages)

Recommendation (RECOMMENDATION_ONLY — NOT AUTHORITY — OWNER_GATE_REQUIRED). As decision-support, not a decision:

Safest first move: Option E (read-only runtime re-verification) — write-free, converts the largest block of INHERITED_EVIDENCE into current evidence, and retires/strengthens G-2/G-7/G-10. F is the narrow subset of E if a smaller scope is preferred.
Highest-leverage near-term decision: Option B (the Owner's channel selection) — it is the single largest TD-readiness unlock (G-4) and only the Owner can take it; pair it with the channel proof-obligations (Deliverable 6) so the selection is not "on paper only."
D (Đ0-G source authority) is foundational and should be opened in parallel out-of-band because it gates the least-precedented STAMP/GATE logic and may take time.
C (staging build readiness) is safe to sequence after B/D, since staging is channel-agnostic but most useful once the contract inputs are frozen.
A (open actual TD) should follow only after G-3/G-4/G-5/G-6 are Go (Deliverable 7 entry gate); G is rejected.

A defensible sequence is therefore E (or F) → B + D (parallel) → C → A, with each step a separate Owner gate. This is a recommendation; the Owner chooses.

6. Owner-gated future work

Every action below is forbidden now (OWNER_GATE_REQUIRED). Listing is scoping, not authorization.

Future work	Gate required	Forbidden now?
Open actual B2 TD (Option A)	Owner decision after readiness met (Deliverable 7)	Yes
Select the B2 channel (Option B)	Owner decision (the channel comparison is complete)	Yes
Build the staging surface (Option C downstream)	Điều 32 (staging build is future TD)	Yes
Recover the Điều 0-G source (Option D)	external S6 — Owner out-of-band	Yes
Run the read-only re-verification macro (Option E/F)	Owner authorization to open the read-only pass (same class of act as Phase-1)	Yes
Open B5/B7 design (Option G)	separate future Owner-gated package (rejected here)	Yes
Assign the birth-producer governance owner (S2)	Điều 37 → Điều 32	Yes

7. What remains unresolved

No option is chosen here (by design). This packet classifies; the Owner decides.
Actual B2 TD remains aggregate No-Go (Deliverable B §14; re-stated in Deliverable 2 closure matrix and Deliverable 7 entry gate).
CHANNEL not selected — Option B is the Owner's act; this packet selects nothing (CHANNEL_AUTHORITY_DRIFT guarded).
SOURCE_RECOVERY_REQUIRED — Điều 0-G (Option D / PO-1): working source, broken Constitution reference; external S6, out-of-band.
B5/B7 remain dependencies only (Option G rejected; B5_B7_SCOPE_CREEP guarded).
Blockers — all OPEN, none resolved: CONS-002, CONS-003, CELL-003/004/007, HOLD-1, HOLD-2, RISK-BYPASS, GOV-016/017, GOV-REUSE-001, Điều 39 runtime-EMPTY, Điều 35 production-readiness FAIL.
FUTURE_TECHNICAL_DESIGN_REQUIRED (NOT written here): any TD, channel wiring, staging schema, runtime test, or command sequence.

8. Ready for GPT/Codex review

Yes — as a design-only Owner decision-options packet, not a decision and not a TD.

Core rule, kept above all detail: B2 is the only primary block; B5/B7 are dependencies only; the channel is compared but never selected here; staging is an IO contract; no option authorizes a write. The Owner picks one first move (recommended safest-first: E/F → B + D → C → A; reject G); nothing follows automatically.

Default disposition: HOLD. Engineering PASS = a complete option menu on paper; it is not an Owner authorization to open any option. No PASS authorizes writes. All blockers remain OPEN.