09 — Owner apply runbook + readback checklist (LATER; not executed this turn)

Pre-req: owner authorizes execution AND the agent (or operator) holds a governed exec channel (SYNC_SECRET, VPS shell / governed APR approval). None of these steps run in this macro. No W1→W9, no dry-run, no Codex.

STEP 1 — Apply the handler code patch (DOT-approved)

• Build patched dot-apr-execute (add arm + execute_authorize_build_step; bump to v2.3.0).
• Propose patch_ops_code APR: request_type=fix_repair_dot, action_code=patch_ops_code, proposed_action={dot_code:"DOT-310", file_path:"/opt/incomex/dot/bin/dot-apr-execute", patch_mode:"full_replace", new_content_base64:<…>, session_code:"S-C1-ABS-001", test_plan:"bash -n passes; dispatch arm present; KG/create/update/add_field/patch_ops regress OK"}.
• Approve to high-risk quorum → dot-apr-execute self-patches (flock/backup/bash -n/atomic mv).

STEP 2 — Load new code

• Run one no-op governed dot-apr-execute pass (no pending grant APR) so the next invocation uses the patched file. (Self-patch swaps the file under the running process; new code is live next run.)

STEP 3 — Tests (handler unit/negative, no real grant)

• Run the file 07 fail-closed plan against execute_authorize_build_step in a disposable harness: every negative fixture → exact SKIP/FAIL + count(governance_build_authorization) unchanged.
• Positive fixture (simulated quorum) → exactly 1 row; re-run → still 1 (idempotency).

STEP 4 — Bind handler_ref via DOT-approved path (file 05 PATH 1)

• Apply migration/bind-authorize_build_step-handler.staged.sql through the governed migration mechanism (NOT raw psql). In-txn readback assertion must pass (UPDATE 1).
• Readback: SELECT handler_ref FROM apr_action_types WHERE action_code='authorize_build_step'; → dot-apr-execute:authorize_build_step.

STEP 5 — Register reworked dot-c1-grant-issue lifecycle (separate owner-gated)

• Birth → admit → register (dot_tools/CAT-006) → catalog → ledger → readback, per the project DOT lifecycle. (This is the issuer's DOT registration — outside this macro's staged scope; listed for completeness.)

STEP 6 — No-write end-to-end rehearsal

• dot-c1-grant-issue --manifest-hash <cser-v1> --dry-run → prints the APR, mints nothing.
• dot-apr-execute --dry-run over a proposed (un-approved) APR → "would dispatch", no write.

STEP 7 — Readback checklist (after a REAL governed run, owner-authorized later)

• SELECT count(*) FROM governance_build_authorization; == 1 (was 0)
• the row: auth_code='GBA-C1-<apr>', status='active', commit_allowed=false, requires_sovereign_esign=false, scope->>'target'='DOT_C1_VOCAB_BUILD', request_ref=<apr_code>, expires_at>granted_at.
• apr_action_types.authorize_build_step.handler_ref='dot-apr-execute:authorize_build_step'.
• APR status='applied', applied_at set; quorum_passed(<apr>)='t'.
• vps_deploy_log row for the patch = status='success', is_known_good=true.

STEP 8 — Re-run prewrite gate, THEN proceed

• Re-run the W1→W9 prewrite gate (reports/c1-lego-…/13). W7 should now be executable (handler bound + implemented). On PASS → owner-approved per-write execution, then Codex final confirmation + Owner dry-run authorization.

STOP CONDITIONS (abort + rollback per file 08)

• bash -n/syntax fail at STEP 1 → backup auto-restored; abort.
• Any negative fixture mints a row (STEP 3) → abort, do not bind.
• count(gba) > 1 after a single APR → abort, revoke, investigate idempotency.
• handler_ref PATCH/update does not persist (Directus drop) → use PATH 1 migration only.
• quorum_passed=false at apply → expected block; do not force.

Rollback

Per file 08 §A (reverse order: revoke grant → unbind → restore code).

⇒ owner runbook COMPLETE ⇒ C1_AUTH_HANDLER_HOLD_OWNER_RUNBOOK_INCOMPLETE does not fire.