04 — Apply-Readiness Decision

Can Phase A · A2 (dirty SSOT) pass after owner decision?

YES — conditional on owner action that has NOT yet happened.

• Classification is complete (file 01); the dirty tree does not collide with the W7 apply target.
• Exact required owner action (pick one, file 02):
  • A (recommended): commit or git stash the 17 modified S177 files + triage untracked (gitignore data/backups; secure the 3 sensitive items) → git status clean; OR
  • C: isolate the apply on a fresh branch from clean HEAD; OR
  • B: record an explicit written apply-on-dirty waiver (not recommended for high-risk).
• A2 cannot be marked PASS by the agent — it requires the owner's clean/stash/triage or signed waiver, read back as actually done.

Can Phase A · A3 (quorum) pass after owner decision?

YES — conditional on owner action that has NOT yet happened.

• The quorum path is fully discoverable and the mechanism is live/exercised (file 03).
• Exact required owner action: marshal, through the governed APR path, 1 human-president approve vote + 2 distinct ai_council approve votes, 0 rejects, proposer ≠ approver —
  • for the patch_ops_code deploy APR (STEP1, high-risk), and
  • (at runtime) for each authorize_build_step APR.
• Plus operator STEP4 (bind handler_ref via migration) and STEP5 (register dot-c1-grant-issue), with SYNC_SECRET supplied at execute time.
• A3 cannot be satisfied in-agent: the agent cannot create a human-president vote or self-certify a 2-member council.

Is it safe to run the W7 apply macro now?

NO.

• A2: tree is dirty (80 entries / 1999 untracked files); owner has not cleaned/stashed/waived.
• A3: 0 approval_requests and 0 approvals for authorize_build_step; 0 for the patch_ops_code deploy path; quorum does not exist.
• The handler is still unimplemented, so even a fully-approved authorize_build_step APR would be blocked at apply by fn_apr_block_unimplemented_handler until STEP1 deploys it.
• Conditional YES is NOT claimed — per the macro, any YES must be conditional on explicit owner action already completed and read back. No such action exists yet. Therefore: NO, do not run W7 apply now.

Precondition checklist the owner must satisfy before W7 apply

1. Tree cleaned/stashed/branch-isolated or signed apply-on-dirty waiver (A2).
2. Sensitive untracked items secured (secrets backup, prod DB dump, cred staging).
3. patch_ops_code deploy APR proposed + 1 president + 2 ai_council approvals recorded (A3 / STEP1).
4. STEP4 migration ready to bind authorize_build_step.handler_ref.
5. STEP5 dot-c1-grant-issue registration ready (dot-dot-register).
6. SYNC_SECRET supplied by operator at execute time (present on VPS; not read here).
7. (Runtime) authorize_build_step APR + quorum for the actual grant issuance.

Only when 1–6 are completed and read back may a W7 apply macro be authorized.