05 — Final Decision

VERDICT

C1_W7_PREAPPLY_REMEDIATION_PACKET_READY_FOR_OWNER_DECISION

Production writes: 0 · APR proposed/approved/executed: 0 · handler deployed: no · handler_ref bound: no · grant-issuer registered: no · files stashed/committed/restored: none · dry-run: none · before == after.

This is NOT a HOLD: every dirty file is classified (no ..._HOLD_DIRTY_SSOT_UNCLASSIFIED), the quorum path is fully discoverable and live (no ..._HOLD_QUORUM_PATH_UNCLEAR), and the KB package read back (no ..._HOLD_KB_READBACK_FAILED). No fabrication, no manual SQL/Directus/registry write, no apply-ready overclaim.

Dirty-tree classification summary (A2)

• VPS feat/s177-sprint1-round-a @ bbf9c43: 80 status entries = 17 modified + 63 untracked paths → 1999 untracked files expanded.
• 100% classified: 17 modified per-file; 1999 untracked into well-defined buckets.
• Theme: S177 sprint WIP + operational backups/staging/data. No dirty path is the W7 apply target or any C1/APR governance code (dot-apr-execute, dot-apr-propose, dot-dot-register all CLEAN).
• Risk type = provenance/hygiene, not collision. Two governance files (dot-birth-backfill, dot-birth-trigger-setup) are gutted to stubs with originals preserved as .stage0-frozen-2026-06-06.
• Sensitive untracked surfaced: a .deploy-secrets.pre-rotate backup, a prod-directus-preamend.sql.gz dump, dieu44 cred_* staging temp → secure before any commit.

Owner options for the dirty tree (A2)

• A (recommended): commit/stash S177 + gitignore data/backups + secure sensitives → clean tree.
• C: isolate apply on a fresh branch from clean HEAD (best provenance).
• B: explicit written apply-on-dirty waiver (not recommended for high-risk).

Quorum packet summary (A3)

• authorize_build_step = high-risk, handler_ref=unimplemented, status active.
• Rule (from fn_apr_quorum_check): high ⇒ ≥1 human president + ≥2 ai_council, 0 rejects, no self-approve; re-proofed at apply and blocked while handler unimplemented.
• Current: 0 approval_requests, 0 approvals, 0 grants for the action.
• Mechanism is live/exercised: 42 approvals over 14 requests (president human + gemini/gpt… council); APR total 230.
• The W7 apply runs through patch_ops_code (high-risk, also needs the quorum) + STEP4 migration + STEP5 registration.

Exact remaining owner actions (out-of-band, operator-only)

1. Tree: clean/stash/branch-isolate (Option A or C) and secure the 3 sensitive untracked items.
2. Deploy quorum: propose patch_ops_code APR (STEP1) and record 1 president + 2 ai_council approvals.
3. Bind: STEP4 operator migration to set authorize_build_step.handler_ref.
4. Register: STEP5 dot-c1-grant-issue via dot-dot-register.
5. Secret: supply SYNC_SECRET at dot-apr-execute invocation.
6. Runtime: authorize_build_step APR + quorum for each grant issuance.

May the W7 apply macro run now?

NO. Both locks require owner action not yet taken (tree not cleaned/waived; quorum = 0). Any future YES must be conditional on items 1–5 above being completed and read back.

Self-check (YES/NO)

1. Avoided all production/runtime mutations? YES (RO reads + KB evidence only).
2. Avoided propose/approve/execute APR? YES.
3. Avoided file stash/commit/restore? YES.
4. Classified every dirty file? YES (17 per-file + 1999 bucketed = 100%).
5. Identified owner options for the dirty tree? YES (file 02; 3 options + sensitive triage).
6. Separated capability from authority? YES (file 03).
7. Identified quorum requirements + current missing approvals? YES (1 president + 2 ai_council; missing = 1 proposal + 1 president + 2 council).
8. Avoided fabricating approvals? YES.
9. Avoided claiming W7 apply-ready unless owner actions complete? YES (apply = NO).
10. Wrote + read back the KB evidence package? YES (6 files; readback in this run).

Readiness flags

• W7 apply macro may run now: NO
• ready for Claude re-verification: NO unless actual state changed (re-verify only warranted after owner completes tree-clean + quorum; otherwise re-run reproduces this packet)
• ready for Codex final confirmation: NO
• ready for governed dry-run: NO
• ready for production: NO