KB-7681

03 — Minimal handler design (C1-scope only) 2026-06-23

Revision 1

Full code: staged-artifacts/patches/dot-apr-execute-authorize_build_step.handler.additive-design.md. This file is the spec.

Identity

field          value
-----          -----
name           execute_authorize_build_step (bash fn inside dot-apr-execute)
routing key    apr_action_types.handler_ref = 'dot-apr-execute:authorize_build_step'
tier           Level B (executed by dot-apr-execute, needs SYNC_SECRET)
scope          EXACTLY one: DRYRUN-NS / dot:c1:vocab / DOT_C1_VOCAB_BUILD
input          $1 = APR JSON (approval_requests row)
output         OK | SKIP:<reason> | FAIL:<detail> (dispatcher protocol)
write channel  run_pg INSERT into governance_build_authorization (raw PG)

Exact insert behavior

One row only, deterministic auth_code='GBA-C1-<apr_code>', INSERT … ON CONFLICT (auth_code) DO NOTHING, then readback SELECT 1 … status='active'. Column mapping per file 02 §A. commit_allowed=false and requires_sovereign_esign=false are literal constants (cannot be overridden by payload). status='active'. request_ref=<apr_code> (FK-safe).

Grant uniqueness / idempotency

  • Deterministic PK from the APR ⇒ re-running dot-apr-execute (e.g. after a transient apply-mark failure) cannot double-mint (ON CONFLICT DO NOTHING).
  • Gate E single-active: refuses (SKIP:active_grant_exists) if any draft|active grant exists for scope->>'target'='DOT_C1_VOCAB_BUILD'. One live C1 grant at a time.

Single-use / lease-safe semantics

  • Mint status='active'. Downstream consumption is a CAS flip to consumed (sets consumed_at/consumed_by; chk_consumed_pair enforces the pair). Re-consumption rejected by the consumer (REJECT_AUTH_ALREADY_CONSUMED) — that consumer is a SEPARATE LEGO (not in scope; this macro only mints).
  • Expiry: expires_at = now()+ttl_seconds (default 7200s; clamp 60..86400). chk_expiry enforces expires_at>granted_at.

Revocation

UPDATE … SET status='revoked', revoked_at=now(), revoked_by=<actor>, revoked_reason=<why> WHERE auth_code='GBA-C1-<apr_code>'. chk_revoked_pair enforces all-three-or-none.

Evidence json / approval_ref

  • approval_ref = {apr_code, quorum:'passed', manifest_hash} (NOT NULL).
  • evidence = {plan_ref, manifest_hash, step_name, mode:'dry-run'}.
  • rollback_plan_ref from payload (NOT NULL); granted_by/created_by = handler id.

Owner binding

This minimal handler does not mint an ownership row (ownership is a separate domain/LEGO; the prior macros confirmed ownership=0 and ownership is its own surface). The grant records its authority chain via request_ref (APR), approval_ref (quorum snapshot) and granted_by. An explicit owner principal, if required, is carried in proposed_action and copied into evidence — it is NOT a column on this table.

What it is NOT (anti-scope)

  • NOT generic: Gate 0 refuses any proposed_action_code != authorize_build_step (SKIP:reject_action_superset); no arbitrary action_code.
  • NOT a production/REAL_RUN minter: commit_allowed hard-false; COMMIT!=false ⇒ FAIL:reject_real_run_commit_not_allowed.
  • NOT sovereign: risk='sovereign' ⇒ FAIL; requires_sovereign_esign hard-false.
  • NOT cross-scope: any namespace/axis/target ≠ the C1 allowlist ⇒ FAIL:reject_scope_not_c1_dryrun (covers production targets and C2..C7).
  • NOT a new table / new CLI / new executor route / new dispatcher.
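The gate order, dispatcher output protocol and insert parameters described above, modelled in Python as an added example (the real handler is a bash function; this is not the project's code). Column names, the psycopg-style bind parameters, the relative order of the gates and the two FAIL detail strings marked as constructed are assumptions; the DB calls themselves are left to the caller.

```python
import json

# Handler id and C1 allowlist come from the spec; the gate ORDER below is assumed.
HANDLER_ID = "dot-apr-execute:authorize_build_step"
C1_SCOPE = {"namespace": "DRYRUN-NS", "axis": "dot:c1:vocab", "target": "DOT_C1_VOCAB_BUILD"}

# commit_allowed / requires_sovereign_esign / status are SQL literals, never bind values.
INSERT_SQL = """INSERT INTO governance_build_authorization
  (auth_code, request_ref, status, commit_allowed, requires_sovereign_esign, scope,
   approval_ref, evidence, rollback_plan_ref, granted_by, created_by, granted_at, expires_at)
VALUES (%(auth_code)s, %(apr_code)s, 'active', false, false, %(scope)s,
   %(approval_ref)s, %(evidence)s, %(rollback_plan_ref)s, %(handler)s, %(handler)s,
   now(), now() + %(ttl)s * interval '1 second')
ON CONFLICT (auth_code) DO NOTHING"""
READBACK_SQL = "SELECT 1 FROM governance_build_authorization WHERE auth_code=%(auth_code)s AND status='active'"

def clamp_ttl(ttl):
    """ttl_seconds: default 7200, clamped to 60..86400."""
    try:
        return max(60, min(86400, int(ttl)))
    except (TypeError, ValueError):
        return 7200

def authorize_build_step(apr_json, live_c1_grants):
    """Return (result, params): result is OK | SKIP:<reason> | FAIL:<detail>, params the
    bind values for INSERT_SQL (None when refused). live_c1_grants stands in for the Gate E
    query (draft|active rows with scope->>'target'='DOT_C1_VOCAB_BUILD'); the real handler
    emits OK only after READBACK_SQL returns a row."""
    apr = json.loads(apr_json)
    pa = apr.get("proposed_action") or {}
    if pa.get("action_code") != "authorize_build_step":            # Gate 0: not generic
        return "SKIP:reject_action_superset", None
    if {k: (pa.get("scope") or {}).get(k) for k in C1_SCOPE} != C1_SCOPE:
        return "FAIL:reject_scope_not_c1_dryrun", None             # not cross-scope
    if pa.get("COMMIT") is not False:
        return "FAIL:reject_real_run_commit_not_allowed", None     # never a REAL_RUN minter
    if pa.get("risk") == "sovereign":
        return "FAIL:sovereign_risk_not_allowed", None             # detail text is constructed
    if live_c1_grants > 0:
        return "SKIP:active_grant_exists", None                    # Gate E: single-active
    code = apr["apr_code"]
    params = {
        "auth_code": f"GBA-C1-{code}", "apr_code": code, "handler": HANDLER_ID,
        "scope": json.dumps(C1_SCOPE), "ttl": clamp_ttl(pa.get("ttl_seconds")),
        "rollback_plan_ref": pa["rollback_plan_ref"],  # NOT NULL column: fail closed if absent
        "approval_ref": json.dumps({"apr_code": code, "quorum": "passed",
                                    "manifest_hash": pa.get("manifest_hash")}),
        "evidence": json.dumps({"plan_ref": pa.get("plan_ref"), "step_name": pa.get("step_name"),
                                "manifest_hash": pa.get("manifest_hash"), "mode": "dry-run"}),
    }
    return "OK", params
```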

rollback_plan_ref

DOT_C1_ROLLBACK_CHECK (carried from the staged C1 plan). Revocation SQL above is the concrete reverse. See file 08.

⇒ minimal-handler proof COMPLETE; not generic; no arbitrary action_code; no REAL_RUN.
