03 — Production review_decision Governance (G3) — Result: Authority Pack

Result: ADVANCED (authority-pack refined). A proposal-only builder is specified with hard guards; it cannot be committed by the agent because review_decision/manifest_envelope live in the privilege-walled cutter_governance schema (invisible to context_pack_readonly; build requires a privileged role operating inside that schema). No self-approval path exists or is created.

1. Live confinement (verified)

• to_regclass('public.review_decision') = NULL, public.manifest_envelope = NULL. They are NOT in public. Per memory + prior bundles they reside in cutter_governance (privilege-walled), confirmed re-introspectable only via workflow_admin.
• Only a test builder exists (fn_iu_test_review_decision_create, test_scope-tagged, automated_agent, cross_signed=false) — explicitly NOT a production Điều 32 artifact.

2. Proposal-only builder — REQUIRED guards (spec)

A production-grade fn_governance_proposal_create(...) (to be built by a privileged human/role inside cutter_governance) must:

1. Create rows with status='proposed' only; verdict NULL or non-final.
2. Refuse any approve/reject/final verdict (raise exception) — finalization is a separate human/council action.
3. Require manifest binding (a real manifest_envelope id, not a sentinel).
4. Require requester identity (human/council actor), reject automated_agent as approver.
5. Cannot be invoked by the agent to self-approve — separation of duties: proposer ≠ approver; approver must be human/council with cross_sign ≥ 2.
6. Emit audit/evidence; reversible (proposals can be withdrawn, not silently deleted).

3. Why only human governance can proceed

• The schema is privilege-walled by design (Điều 32): an agent must never mint a production approval.
• Cross-signing (≥2 human/council signers) and real manifest binding are governance facts the agent cannot manufacture.
• The campaign's forbidden list explicitly bars "production approval shortcut" and "agent self-mint."

4. Exact remaining (human-only)

1. A privileged operator builds fn_governance_proposal_create inside cutter_governance per §2.
2. Human/council establishes the cross-sign + manifest-binding workflow.
3. This unblocks G1/G4 certification (the review_decision that flips birth_registry.certified=true and factory draft→active).

Advancement: G3 moved from "authority-pack" → "proposal-only builder fully specified with separation-of-duties guards + exact privileged-build step." No technical discovery remains; the gate is purely human/privilege.