KB-7B69

02 — Reuse-First Approval Channel Survey

Revision 1

Goal: find any existing lawful path by which a real president and ai_council seat can cast a vote into apr_approvals. Each candidate was evaluated against the legend below; no approval was created during this survey.

Legend — columns: rec-pres = can record human president vote · rec-coun = can record ai_council vote · real-id = requires/binds real approver identity · no-self = structurally prevents self-approval · no-manual = avoids manual SQL/Directus.

Candidates

C1. CLI: dot-content-approve (DOT-018, bin/dot/dot-content-approve)

  • rec-pres NO · rec-coun NO · real-id n/a · no-self n/a · no-manual n/a
  • Evidence: domain = content approval workflow, not the APR governance ledger; does not touch apr_approvals.
  • Decision: REJECT (wrong domain).

C2. DOT: dot-apr-propose (DOT-309) / dot-apr-execute (DOT-310) / dot-apr-health (DOT-311) / dot-apr-types-register

  • rec-pres NO · rec-coun NO
  • Evidence: propose creates an APR; execute runs an already-approved APR (handler_ref dot-apr-execute:patch_ops); health = checks; types-register = registers action types. None records an apr_approvals vote. The lifecycle is propose → [GAP: no approve] → execute. No dot-apr-approve row exists in dot_tools.
  • Decision: REJECT (the approve step is the missing primitive).

C3. Directus UI/API on apr_approvals collection

  • rec-pres NO · rec-coun NO · real-id NO · no-self NO · no-manual NO
  • Evidence: apr_approvals is registered in directus_collections (note "APR approvals ledger (D33 APR)") but has 0 directus_fields ⇒ no usable managed API binding. A raw item-create would (a) have no clean field-mapped form, (b) be authored under the caller's token rather than binding the approver identity (approver is free text), and (c) hit no insert-time guard. An agent doing it would be fabrication, which the hard locks forbid ("no manual Directus").
  • Decision: REJECT (raw manual write, not an identity-bound channel).

C4. DB functions

  • rec-pres NO · rec-coun NO
  • Evidence: of 8 functions referencing apr_approvals (fn_apr_quorum_check, quorum_passed, fn_pa_president_vote_present, fn_pa_post_vote_dryrun, fn_pa_domain_handler, fn_process_axis_execute_guarded_action, fn_qt001_run_rehearsal, fn_wf_candidate_action_execute), none INSERTs — all READ the ledger to check votes. There is no fn_record_approval / vote-casting function.
  • Decision: REJECT (no governed insert function exists).

C5. MCP tools (query_pg, directus_create, write_file)

  • rec-pres NO · rec-coun NO · no-manual NO
  • Evidence: query_pg = read-only SELECT (cannot write). directus_create/write_file driven by the agent = agent-authored manual write = bypass/fabrication.
  • Decision: REJECT (agent-side; forbidden).

C6. Auto-approve mechanisms

  • rec-coun NO
  • Evidence: fn_auto_approve_add was neutered 2026-06-06 (P0 authority-bypass containment — it now only writes a review_note, no auto-vote). Flow "AI Discussion Auto-Approval Timer" operates on ai_discussions (sets status→reviewing after timeout), not apr_approvals. Flow "[S155-P1c] APR Created → Execute Signal" only logs. No governed auto-council path.
  • Decision: REJECT (deliberately disabled / unrelated).

C7. Historical approval method (the 42 rows)

  • rec-pres NO (as a repeatable channel) · rec-coun NO
  • Evidence: see file 03 — the 42 rows were batch back-fills (identical microsecond timestamps per APR; "retroactive"/"bootstrap"/"back-filled" rationales). This is a one-off operator/migration insert, not a repeatable identity-authenticated channel; reusing it = the manual-SQL convenience the hard locks forbid.
  • Decision: REJECT (not a lawful repeatable channel).
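The back-fill signature C7 relies on (several votes on one APR sharing an identical microsecond timestamp, plus "retroactive"/"bootstrap"/"back-filled" rationales), as an added detection check written for this note rather than a query taken from the project. It runs over constructed rows in an in-memory SQLite stand-in for the ledger; the column names apr_id, rationale and created_at are assumptions, since the page only confirms that approver is free text.

```python
import re
import sqlite3
from collections import Counter

# Constructed sample ledger rows (not real apr_approvals data). The column names
# apr_id / approver / rationale / created_at are assumptions about the schema;
# the page only confirms that approver is free text.
SAMPLE_ROWS = [
    ("APR-001", "president", "retroactive bootstrap of quorum", "2026-05-01T10:00:00.123456"),
    ("APR-001", "gemini", "back-filled council vote", "2026-05-01T10:00:00.123456"),
    ("APR-001", "gpt", "back-filled council vote", "2026-05-01T10:00:00.123456"),
    ("APR-002", "president", "reviewed the patch set", "2026-05-03T09:12:44.001122"),
    ("APR-002", "gemini", "reviewed the patch set", "2026-05-03T11:40:02.778899"),
]

# Rationale wording the survey associates with one-off back-fills.
BACKFILL_WORDS = re.compile(r"retroactive|bootstrap|back-?fill", re.IGNORECASE)


def load_ledger(rows):
    """Build an in-memory SQLite stand-in for the Postgres ledger."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE apr_approvals (apr_id TEXT, approver TEXT, rationale TEXT, created_at TEXT)"
    )
    conn.executemany("INSERT INTO apr_approvals VALUES (?, ?, ?, ?)", rows)
    return conn


def timestamp_batches(conn):
    """Map apr_id -> number of votes that share an identical microsecond timestamp
    with another vote on the same APR. Votes cast one at a time by real approvers
    do not collide at microsecond precision; a batch INSERT does."""
    batched = Counter()
    sql = """
        SELECT apr_id, created_at, COUNT(*)
        FROM apr_approvals
        GROUP BY apr_id, created_at
        HAVING COUNT(*) > 1
    """
    for apr_id, _ts, n in conn.execute(sql):
        batched[apr_id] += n
    return dict(batched)


def rationale_flags(conn):
    """Set of apr_ids whose rationale text names a back-fill/bootstrap origin."""
    return {
        apr_id
        for apr_id, rationale in conn.execute("SELECT apr_id, rationale FROM apr_approvals")
        if BACKFILL_WORDS.search(rationale or "")
    }


def survey(rows=SAMPLE_ROWS):
    """Run both checks; an APR is 'suspect' when either signal fires."""
    conn = load_ledger(rows)
    batches = timestamp_batches(conn)
    flags = rationale_flags(conn)
    return {"batches": batches, "flags": flags, "suspect": set(batches) | flags}


if __name__ == "__main__":
    print(survey())
```

Either signal alone is only circumstantial (a migration script can stamp distinct timestamps, and a rationale can be reworded), which is why the check reports both and the survey treats the 42 rows as an operator back-fill rather than a channel.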

C8. president channel / ai_council mechanism (identity substrate)

  • real-id NO
  • Evidence: the president (human) and council identities (gemini, gpt, ai_council_1/2, …) exist only as free-text approver strings in past rows. There is no per-approver credential/auth binding that authenticates "the caller IS the president / IS this council seat." Identity today is an unverified string.
  • Decision: REJECT (no authenticated identity binding exists).

Survey result

No reusable lawful channel found. Every existing path is wrong-domain, read-only, disabled, or a raw manual write that cannot bind/authenticate the approver. ⇒ proceed to the minimal missing primitive (dot-apr-approve, file 05), staged only.
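The three legend properties every rejection above comes back to (real-id, no-self, no-manual), shown as an added example of the checks a governed write path would have to make. This is illustrative code written for this note, not the project's dot-apr-approve; the credential-to-seat registry, the aprs table, and all column names are assumptions, and the ledger is a constructed in-memory SQLite stand-in.

```python
import sqlite3
from datetime import datetime, timezone


class ApprovalError(Exception):
    """Raised when a vote fails one of the legend's structural checks."""


# Hypothetical credential -> seat binding. The page states no such binding exists
# today; a real primitive would get it from the platform's auth layer, not a dict.
SEAT_REGISTRY = {
    "tok-president-01": "president",
    "tok-gemini-01": "gemini",
    "tok-gpt-01": "gpt",
}


def make_ledger():
    """Constructed in-memory stand-in: an APR table carrying its proposer, plus the
    approvals ledger. Table and column names are assumptions, not the real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE aprs (apr_id TEXT PRIMARY KEY, proposer TEXT NOT NULL);
        CREATE TABLE apr_approvals (
            apr_id TEXT NOT NULL REFERENCES aprs(apr_id),
            approver TEXT NOT NULL,
            rationale TEXT,
            created_at TEXT NOT NULL,
            UNIQUE (apr_id, approver)      -- one vote per seat per APR
        );
        INSERT INTO aprs VALUES ('APR-010', 'president');
        """
    )
    return conn


def record_approval(conn, credential, apr_id, rationale):
    """The only write path to apr_approvals in this example.

    real-id  : the approver seat is derived from the caller's credential; the
               caller cannot name an approver as free text.
    no-self  : the seat that proposed the APR cannot vote on it.
    no-manual: callers never INSERT directly. In Postgres that would be enforced by
               revoking INSERT on the table and exposing only a SECURITY DEFINER
               function (stated here as the intended approach, not the project's).
    Returns the seat that was recorded.
    """
    seat = SEAT_REGISTRY.get(credential)
    if seat is None:
        raise ApprovalError("credential is not bound to any governance seat")

    row = conn.execute("SELECT proposer FROM aprs WHERE apr_id = ?", (apr_id,)).fetchone()
    if row is None:
        raise ApprovalError(f"unknown APR {apr_id}")
    if row[0] == seat:
        raise ApprovalError(f"{seat} proposed {apr_id} and cannot approve it")

    try:
        conn.execute(
            "INSERT INTO apr_approvals VALUES (?, ?, ?, ?)",
            (apr_id, seat, rationale,
             datetime.now(timezone.utc).isoformat(timespec="microseconds")),
        )
    except sqlite3.IntegrityError:
        raise ApprovalError(f"{seat} has already voted on {apr_id}") from None
    conn.commit()
    return seat


def votes_for(conn, apr_id):
    """Approver seats recorded for an APR, in seat order."""
    return [
        r[0]
        for r in conn.execute(
            "SELECT approver FROM apr_approvals WHERE apr_id = ? ORDER BY approver", (apr_id,)
        )
    ]


if __name__ == "__main__":
    ledger = make_ledger()
    print(record_approval(ledger, "tok-gemini-01", "APR-010", "reviewed the patch set"))
    print(votes_for(ledger, "APR-010"))
```

The point the survey makes is visible in what the function refuses to accept: it takes a credential, not an approver name, so the free-text approver column is filled from the binding rather than from the caller, and the proposer check is applied before any row exists. Every candidate C1-C8 fails because at least one of these three checks has nowhere to run.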

Path: knowledge/dev/laws-new/reports/apr-approval-channel-discovery-and-bootstrap/02-reuse-first-approval-channel-survey.md