11 — Final decision — C1_AUTHORIZE_BUILD_STEP_HANDLER_PATCH_STAGED_FOR_OWNER_REVIEW 2026-06-23
VERDICT
C1_AUTHORIZE_BUILD_STEP_HANDLER_PATCH_STAGED_FOR_OWNER_REVIEW
The smallest DOT-approved path to implement + bind authorize_build_step is staged and proven
sufficient to unblock W7. Not applied, not dry-run-ready, not Codex-ready.
- ready for prewrite gate: NO (until deploy+bind+re-gate by owner)
- ready for Codex final confirmation: NO
- ready for governed dry-run: NO
- ready for production: NO
- production writes this macro: 0 (read-only probes + evidence package to local tree + AgentData KB only)
Why this verdict (not a HOLD)
The macro's HOLD conditions each require a missing/unclear element; all are satisfied:
- handler architecture found (file 01) → not …HANDLER_ARCHITECTURE_UNCLEAR
- binding path DOT-approved (file 05 PATH 1) → not …BINDING_PATH_NOT_DOT_APPROVED
- live schema mapping complete (file 02) → not …LIVE_SCHEMA_MAPPING_INCOMPLETE
- issuer rework design-complete (file 06) → not …GRANT_ISSUER_REWORK_INCOMPLETE
- reject matrix 14/14 (file 07) → not …REJECT_MATRIX_INCOMPLETE
- owner runbook complete (file 09) → not …OWNER_RUNBOOK_INCOMPLETE
- internal Codex passes (file 10) → not …INTERNAL_CODEX_REVIEW_FAILED
- no bypass / no generic system / no ready-overclaim → no GOVERNED_C1_DRYRUN_REJECT_*
Live schema proof
governance_build_authorization: 22 cols, PK=auth_code, FK request_ref→approval_requests(code), 6
CHECKs (file 02). gba is a raw PG table (NOT Directus). Mapping complete.
Handler architecture proof
dot-apr-execute v2.2.0 case dispatch on apr_action_types.handler_ref; execute_* bash fns;
patch_ops_code precedent writes raw PG via run_pg; self-patch deploy path exists; DB gates
trg_apr_block_unimplemented + quorum_passed (file 01).
Minimal handler patch summary
One case arm + execute_authorize_build_step: mints ≤1 single-use, manifest/plan/TTL-bound,
C1-scoped grant via run_pg; commit_allowed/requires_sovereign_esign hard-false; idempotent;
Gates 0/A/B/C/D/E. Not generic, no REAL_RUN (file 03 + staged patch).
Binding path proof
PATH 1 operator governed migration (authority-approved, origin=MIGRATION precedent), ordered after deploy, idempotent + rollback. PATH 2 (update_item APR) disclosed unreliable (file 05).
Reworked grant issuer summary
Proposes a governed authorize_build_step APR via dot-apr-propose; no Directus gba POST; no wrong
columns; --dry-run mints nothing; live-schema preflight (file 06 + staged script).
Reject matrix
14/14 required rows, all fail-closed by design; runtime proof deferred to runbook (file 07).
Rollback / retire
Per-step reverse (revoke grant → unbind handler_ref → restore code) + DOT-manage ledger interleave (file 08).
Owner apply runbook
8 steps + readback checklist + stop conditions (file 09).
Self-check (macro §7)
1. no prod writes — YES (0).
2. read live gba schema — YES (file 02).
3. found handler architecture — YES (file 01).
4. minimal C1 handler only — YES (file 03).
5. avoided generic auth system — YES.
6. avoided manual SQL/Directus bypass — YES (run_pg handler + governed migration; no raw psql, no Directus gba POST).
7. DOT-approved binding path defined — YES (file 05).
8. reworked issuer uses governed path — YES (file 06).
9. rollback/retire — YES (file 08).
10. owner runbook — YES (file 09).
11. internal Codex passed — YES (file 10).
12. avoided claiming prewrite/Codex/dry-run-ready — YES (all NO).
Remaining blockers (to actually unblock W7 — all owner/operator-gated)
1. Deploy execute_authorize_build_step to VPS dot-apr-execute via governed patch_ops_code APR (needs owner approval + high-risk quorum + exec channel; agent env has none).
2. Bind handler_ref via the governed migration (operator step, after #1).
3. (Separate) Register the reworked dot-c1-grant-issue as a born+admitted+registered DOT.
4. Then re-run the W1→W9 prewrite gate; on PASS proceed to owner-approved per-write execution.
Gates (explicit)
ready for prewrite gate: NO · ready for Codex final confirmation: NO · ready for governed dry-run: NO · ready for production: NO.
staged≠applied · design≠deployed · design-complete≠registered DOT · authority-approved-migration≠ad-hoc-SQL · authorization≠capability.