06 — C1 Authorization Verifier and Test/Sandbox Grant Proof — 2026-06-22
06 — C1 AUTHORIZATION VERIFIER + TEST/SANDBOX GRANT PROOF — 2026-06-22
1. Grant store reality (live)
governance_build_authorization: 0 grants. dot_iu_runtime_lease: 0 leases. governance_object_ownership: 0 rows (no C1 owner). Status CHECK domain = {draft,active,consumed,expired,revoked}. Columns present and structurally complete for a sovereign grant: scope (jsonb), requires_sovereign_esign, sovereign_esign_ref, rollback_plan_ref, expires_at, consumed_at/by, revoked_*, with constraints chk_expiry, chk_sov_esign, chk_consumed_pair, chk_revoked_pair. (E5)
2. Verifier spec (from PATCH2, exact)
status='active' + exact sorted set-equality on action set + sovereign e-sign authenticity + binding to the approved request + expiry/revocation + single-use/dry-run-safe lease + no generic token + no loose superset + no stale/reused grant. This spec is correct and would reject wrong/no/generic/stale/reused authorization if it existed as a governed handler.
3. Why no grant can exist or be created here
- A grant requires an owner-authorized sovereign e-sign (
requires_sovereign_esign+sovereign_esign_ref); no such authority is present (ownership=0). Presence of an esign ref would not even prove authenticity. - Creating a grant row requires a write to
governance_build_authorization— not in the governed write allowlist (file 02); and would be a production mutation, forbidden. - The verifier itself is a PL/pgSQL handler that does not exist and cannot be created (no DDL).
So both halves are blocked: the verifier (DDL) and any grant to verify (governed write + sovereign authority).
4. Creation attempted
Per macro §3.6 ("create test/sandbox grant if authorized and available"): there is no available, governed, isolated grant path. The only write that succeeds is docs authoring, which cannot create a grant row. No sandbox lane exists to hold an isolated test grant. The grant path is therefore absent.
5. Status
Authorization verifier: spec-complete, not implemented (DDL blocked). Test/sandbox grant: uncreatable (no governed write, no sovereign authority, no sandbox). Gap remains.