07 — Observation Status Upgrade Rules (Workstream F)

Goal: prevent status inflation. The anti-fake runtime logic stays strong; this macro added a wrapper layer without weakening it.

The status ladder (enforced by v3 views — verified live)

structural_candidate
  → simulated_observed              (SIMULATED_DRY_RUN counts > 0)
  → dry_run_observed                (DRY_RUN counts > 0)
  → real_run_observed               (REAL_RUN counts > 0)
  → verified_candidate              (v2 has_real_runtime AND cross_component_correlation)
  → birth_ready                     (verified_candidate AND NOT owner_missing)

Gate labels: SIMULATED_PROOF_ONLY_NOT_VERIFIED → DRY_RUN_PROOF_ONLY_NOT_VERIFIED → REAL_RUN_NEEDS_FULL_BAR → VERIFIED_PENDING_OWNER → BIRTH_READY.

Where each transition is enforced

• v_process_discovery_runtime_observed — counts evidence_type per candidate (the only source of run counts).
• v_process_discovery_candidate_status_v3 — derives candidate_status_v3/birth_gate_status_v3. Critical: verified_candidate is taken only from v2.readiness_class='verified_candidate', which itself requires has_real_runtime AND has_cross_component_correlation. Simulated/dry counts feed only the *_observed rungs, never verified.
• v_process_discovery_verified_candidates_v3 — filters to {verified_candidate, real_run_observed, birth_ready}. Simulated/dry cannot appear.

Invariants (re-proven live this macro)

1. Simulated can never become verified — dot:kg is simulated_observed / SIMULATED_PROOF_ONLY_NOT_VERIFIED; absent from verified_candidates_v3. Only job:cut is verified.
2. Dry-run can never become real-run — distinct evidence_type values; counted in separate FILTER buckets; no view promotes DRY_RUN→REAL_RUN.
3. REAL_RUN cannot be written without enablement — fn_process_*_observe refuse REAL_RUN unless process_dot_runtime.real_run_enabled=true (false). Enforced at write time, not just read time.

"DRY_RUN_PREPARED" — deliberately NOT a new evidence_type

The macro mentions DRY_RUN_PREPARED. The evidence_type CHECK has only REAL_RUN/DRY_RUN/SIMULATED_DRY_RUN/BACKFILLED_EVIDENCE. A "prepared but unexecuted" dry-run is still not a dry-run — it must not count toward dry_run_count or it would inflate the rung. Therefore "prepared" is modelled as evidence_type=SIMULATED_DRY_RUN + evidence_ref.wrapper_phase='prepared', leaving the ladder and all v3 views unchanged. This is the honest choice.

Optional CHECK-amendment packet (NOT applied): if first-class is ever wanted, add 'DRY_RUN_PREPARED' to both CHECK constraints AND a FILTER bucket in v_process_discovery_runtime_observed that maps it to the simulated rung (never the dry rung). Owner-gated; default = do not amend.

Owner-approved dry-run rule (explicit, for future use only)

If an owner ever rules that a true DRY_RUN (real plan-mode execution, no mutation) may satisfy verification, that is a v4 view change + an approval_requests row — never a silent reinterpretation. Until then: dry-run is proof-only, verification requires REAL_RUN + correlation.