KB-4462

TKT Base Review Template for FIX7 P0 Dry-Run / Execution-Readiness

Revision 1
<!-- DOC_STATUS: ACTIVE_NON_AUTHORITY -->


  • Authority: NON_AUTHORITY / NOT_PROMOTED / SUPPORT_LANE
  • Host: T2 / CLAUDE CODE / FABLE
  • Object: TKT-OBJ-382 (PROPOSED, governed by TKT-OBJ-388)
  • Status: TEMPLATE ONLY. T1 dry-run output is not yet published (T1_DRYRUN_NOT_YET_PUBLISHED — verified 2026-06-11; only the paper planning packet + a staging-only dry-run design exist, execution_ready=false). This is a ready-to-apply checklist for the reviewer who runs after T1 publishes. It does not review nonexistent output.

Apply this template to whatever T1 publishes next (dry-run packet / execution-readiness report). It is keyed to the TKT Base output levels L0–L3 (the honest structural-evidence floor; ceiling = L3). Levels are cumulative: a FAIL at L(n) caps level_reached at L(n-1); higher levels report N/A, never PASS.

0. Readback Table C — Future T1 output → Base level → evidence → blocker

| Future T1 output | Base level check | Evidence required | Blocker if missing |
|---|---|---|---|
| dry-run packet files + HASH_MANIFEST | L0 FILE | shasum -a256 -c HASH_MANIFEST; sha256(manifest)==packet_tree.sha256 | DRYREV-L0-FAIL (missing/altered file) |
| RERUN.sh / commands.sh / exit_codes.json | L1 RECONSTRUCTION | bash RERUN.sh→PASS in fresh mktemp; exit_codes.json byte-stable | DRYREV-L1-FAIL (non-reproducible) |
| bad_input_probes.py | L2 FAIL-CLOSED | probes N/N fail-closed; any_fail_open=false; invalid emits no PASS/cert/digest/seal | DRYREV-L2-FAIL (fail-open) |
| governance addendum / object range | L3 GOVERNANCE | IDs no-collision (>388); no orphan; lanes respected; firewall holds | DRYREV-L3-FAIL (collision/orphan/leak) |
| dry-run design / run logs | scope guard | staging/temp only; no production target; no REAL_RUN/QT001/apply/permit/activation/repoint/cutover | DRYREV-SCOPE-FAIL (production leak) |
| rollback/recovery section | claim audit | rollback_proof_status must read NOT_YET_PROVEN unless a real rollback was executed+verified | DRYREV-ROLLBACK-OVERCLAIM |
| any "ready to execute" verdict | overclaim guard | execution_ready must be false unless OPT-4 + separate dry-run auth present | DRYREV-EXEC-OVERCLAIM |
| any semantic/IU claim | overclaim guard | must NOT emit IU_TRACEABILITY_PASS / SEMANTIC_TEXT_AS_CODE_PASS / RELEASE_BUNDLE_PASS | DRYREV-SEMANTIC-OVERCLAIM |

1. L0 — FILE PASS

Pass condition (verbatim, Base policy §2): "every load-bearing file exists + hash matches; no missing file; sha256(manifest)==tree_pin."

  • Every file in HASH_MANIFEST exists at its packet path (no missing file).
  • shasum -a 256 -c HASH_MANIFEST.txt → ALL OK (N/N).
  • sha256(HASH_MANIFEST.txt) == packet_tree.sha256 pin.
  • No governed file present that is absent from the manifest (unlisted-file check; cf. harness P4).
  • FAIL → cap at none; do not evaluate L1+. Blocker DRYREV-L0-FAIL.
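
The four L0 checks above in one pass, as an added example (not part of the T1 packet or the Base tooling). It assumes a shasum text-mode manifest (`<hex>  <path>`) and a tree pin supplied from outside the packet; the finding labels, the path-escape check and the sample packet are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_l0(packet, manifest_name, tree_pin):
    """Return L0 findings; an empty list means L0 FILE PASS."""
    manifest = packet / manifest_name
    findings, listed = [], set()
    for line in manifest.read_text().splitlines():
        digest, sep, rel = line.partition("  ")  # shasum text mode: "<hex>  <path>"
        if not sep:
            findings.append(f"MALFORMED {line!r}")
            continue
        listed.add(rel)
        if Path(rel).is_absolute() or ".." in Path(rel).parts:
            findings.append(f"PATH_ESCAPE {rel}")  # entry points outside the packet
        elif not (packet / rel).is_file():
            findings.append(f"MISSING {rel}")
        elif sha256_file(packet / rel) != digest:
            findings.append(f"ALTERED {rel}")
    if sha256_file(manifest) != tree_pin:
        findings.append("TREE_PIN_MISMATCH")
    # Unlisted-file check: every file on disk except the manifest must be listed.
    for f in sorted(packet.rglob("*")):
        rel = f.relative_to(packet).as_posix()
        if f.is_file() and rel != manifest_name and rel not in listed:
            findings.append(f"UNLISTED {rel}")
    return findings


def demo():
    """Build a constructed two-file packet, verify it, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        packet = Path(tmp)
        (packet / "RERUN.sh").write_text("echo RERUN_RESULT: PASS\n")
        (packet / "exit_codes.json").write_text('{"commands": 0}\n')
        names = ("RERUN.sh", "exit_codes.json")
        lines = [f"{sha256_file(packet / n)}  {n}" for n in names]
        (packet / "HASH_MANIFEST.txt").write_text("\n".join(lines) + "\n")
        pin = sha256_file(packet / "HASH_MANIFEST.txt")
        clean = check_l0(packet, "HASH_MANIFEST.txt", pin)
        (packet / "exit_codes.json").write_text('{"commands": 1}\n')  # altered
        (packet / "extra.log").write_text("not in manifest\n")        # unlisted
        return {"clean": clean, "tampered": check_l0(packet, "HASH_MANIFEST.txt", pin)}
```

Any non-empty findings list maps to DRYREV-L0-FAIL and stops evaluation before L1.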

2. L1 — PACKET RECONSTRUCTION PASS

Pass condition (verbatim): "manifest + tree pass; commands/RERUN pass; exit_codes.json byte-stable."

  • bash RERUN.sh reconstructs into a fresh mktemp -d and re-verifies manifest+tree+gates → RERUN_RESULT: PASS (exit 0), independent of working dir.
  • bash commands.sh → OVERALL PASS (exit 0).
  • exit_codes.json byte-stable across reruns (before == after); record its sha256.
  • KB round-trip byte-exact (fetch-from-KB reconstruct == published tree).
  • FAIL → cap at L0. Blocker DRYREV-L1-FAIL.

3. L2 — FAIL-CLOSED PASS

Pass condition (verbatim): "bad input rejected; invalid emits no PASS/cert/digest/seal; any_fail_open=false."

  • Run bad_input_probes.py → all probes fail-closed (N/N); any_fail_open=false.
  • Confirm any_PASS_emitted_for_invalid=false and any_SEAL_emitted_for_invalid=false.
  • Detector-correctness rule (verbatim Base §validation): a rejection message containing a token substring (e.g. text SEMANTIC_TEXT_AS_CODE_PASS) is not an emitted token if the process exits nonzero → token_emitted=false. Do not miscount a *_REJECTED message as fail-open.
  • Probes cover the dry-run's own risk surface (e.g. a probe that tries to flip staging→production must be rejected).
  • FAIL → cap at L1. Blocker DRYREV-L2-FAIL.
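
The detector-correctness rule applied to captured probe results, as an added example (this is not the contents of bad_input_probes.py). It assumes rejection is signalled by a nonzero exit code and that the marker words follow the pass condition's "PASS/cert/digest/seal"; the record layout and the probe records are constructed.

```python
import re

# Assumed marker words, taken from "invalid emits no PASS/cert/digest/seal".
FORBIDDEN = re.compile(r"PASS|CERT|DIGEST|SEAL", re.IGNORECASE)


def naive_token_emitted(probe):
    """Substring-only detector: the miscount the rule warns about."""
    return bool(FORBIDDEN.search(probe["output"]))


def classify(probe):
    """Classify one invalid-input probe run (exit code + captured output)."""
    rejected = probe["exit_code"] != 0
    # A nonzero exit means no token was emitted, even when the rejection
    # text itself contains a token substring.
    markers = set() if rejected else {m.upper() for m in FORBIDDEN.findall(probe["output"])}
    return {
        "name": probe["name"],
        "token_emitted": bool(markers),
        "pass_emitted": "PASS" in markers,
        "seal_emitted": "SEAL" in markers,
        "fail_open": not rejected,  # exit 0 on invalid input is fail-open by itself
    }


def summarize(probes):
    rows = [classify(p) for p in probes]
    closed = sum(not r["fail_open"] for r in rows)
    return {
        "fail_closed": f"{closed}/{len(rows)}",
        "any_fail_open": any(r["fail_open"] for r in rows),
        "any_PASS_emitted_for_invalid": any(r["pass_emitted"] for r in rows),
        "any_SEAL_emitted_for_invalid": any(r["seal_emitted"] for r in rows),
        "fail_open_probes": [r["name"] for r in rows if r["fail_open"]],
    }


# Constructed probe records (not real T1 output).
GOOD_RUN = [
    {"name": "truncated_manifest", "exit_code": 2, "output": "MANIFEST_REJECTED: short read"},
    {"name": "forged_semantic", "exit_code": 3,
     "output": "SEMANTIC_TEXT_AS_CODE_PASS_REJECTED: token not allowed at Base"},
    {"name": "staging_to_production", "exit_code": 4, "output": "TARGET_REJECTED: staging_only=true"},
]
BAD_RUN = GOOD_RUN + [{"name": "empty_input", "exit_code": 0, "output": "RESULT: PASS seal=0000"}]
```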

4. L3 — GOVERNANCE CONSISTENCY PASS

Pass condition (verbatim): "IDs no-collision; no orphan; lanes respected; firewall holds; no-vector evidence has hash+pointer+regen."

  • New object IDs allocated above the current safe ceiling 388 (cross-host) — no collision with 225..388.
  • Every new object is governed by a named addendum (no orphan).
  • APPLY_NOW discipline: dry-run packet does not fold registry JSON / 00-index; standalone addendum only.
  • Authority firewall holds (F1–F9): the packet claims no gate/seal authority; N7/N8/P7 are consumed/verified, not re-authored.
  • Any raw evidence carries hash + pointer + regeneration command (no-vector policy); no raw log in vector KB.
  • FAIL → cap at L2. Blocker DRYREV-L3-FAIL.

5. Scope-leak guard (production / REAL_RUN / cutover)

A dry-run packet must be staging/temp only. Confirm each condition below; reject and FAIL if any listed action appears as an executed action (not merely a named future step in a design):

  • No production target (production_target=false, staging_only=true).
  • No REAL_RUN, QT001, apply, permit, activation, repoint, or cutover executed.
  • No PG / Directus / registry-row / system_issues mutation.
  • No Codex call / owner-ask performed by the packet itself.
  • FAIL → Blocker DRYREV-SCOPE-FAIL (production leak). This is fatal regardless of L0–L3.

6. Claim-audit guards (overclaim detection)

  • Rollback proof: rollback_proof_status must be NOT_YET_PROVEN unless a real rollback was executed and verified in staging. A "rollback works" claim without an executed+verified rollback = DRYREV-ROLLBACK-OVERCLAIM.
  • Execution readiness: execution_ready must be false unless owner OPT-4 (FIX7-P0-PLAN-EXEC-AUTH-1) and a separately-authorized dry-run macro both exist. Any "ready to execute / ready for prod" verdict otherwise = DRYREV-EXEC-OVERCLAIM.
  • P7-alone: packet must state implementation_authorized_by_p7_alone=false (the seal does not authorize execution).
  • Semantic Text-as-Code: packet must not emit IU_TRACEABILITY_PASS (L4) / SEMANTIC_TEXT_AS_CODE_PASS (L5) / RELEASE_BUNDLE_PASS (L6), and must not claim "the Tool is complete for semantic Text-as-Code." Any such token = DRYREV-SEMANTIC-OVERCLAIM (Base ceiling is L3).

7. Verdict block (reviewer fills in)

level_reached: L_/none
L0_file: PASS|FAIL|NA
L1_reconstruction: PASS|FAIL|NA
L2_fail_closed: PASS|FAIL|NA
L3_governance: PASS|FAIL|NA
scope_leak: NONE|PRODUCTION_LEAK
rollback_claim: NOT_YET_PROVEN|OVERCLAIM|PROVEN_IN_STAGING
execution_ready_claim: false|OVERCLAIM
semantic_overclaim: NONE|DETECTED
any_fail_open: true|false
blockers: [ ... ]
overall: PASS_TO_L3 | CAPPED_AT_L_ | FAIL
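
The cumulative-level rule and the fatal scope-leak rule applied to the level fields of this block, as an added example (not part of the template's tooling). Two assumptions are made here: a level with no recorded result counts as FAIL, and level_reached=none maps to overall FAIL. The claim-audit fields are left for the reviewer.

```python
LEVELS = ["L0_file", "L1_reconstruction", "L2_fail_closed", "L3_governance"]


def build_verdict(results, production_leak=False):
    """results maps a level key to True/False; a missing key counts as FAIL."""
    block, blockers, reached, capped = {}, [], "none", False
    for n, key in enumerate(LEVELS):
        if capped:
            block[key] = "NA"  # above a FAIL: not evaluated, never PASS
        elif results.get(key) is True:
            block[key], reached = "PASS", f"L{n}"
        else:
            block[key], capped = "FAIL", True
            blockers.append(f"DRYREV-L{n}-FAIL")
    if production_leak:
        blockers.append("DRYREV-SCOPE-FAIL")
    if production_leak or reached == "none":
        overall = "FAIL"  # a scope leak is fatal regardless of L0-L3
    elif reached == "L3":
        overall = "PASS_TO_L3"
    else:
        overall = f"CAPPED_AT_{reached}"
    block.update(
        level_reached=reached,
        scope_leak="PRODUCTION_LEAK" if production_leak else "NONE",
        blockers=blockers,
        overall=overall,
    )
    return block
```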

8. Notes for the next reviewer

  • If T1 dry-run output exists by the time you read this, enumerate its paths and apply §1–§7; do not re-derive levels from prose.
  • The discovered T1 planning paths (for orientation, not to re-review): dev/reports/architecture/fix7-p0-implementation-planning-packet-2026-06-11/ (16 files, tree f470d0d0…fe8f), …/fix7-p0-implementation-dryrun-design-2026-06-11.{md,json} (design only, staging_only=true). The dry-run run packet does not exist yet.
knowledge/dev/laws/tool-kiem-thu/support/templates/tkt-base-review-template-for-fix7-dryrun-2026-06-11.md