FIX7 P0 Final Pre-Real-Data — final-real-data-decision-packet.md
FIX7 P0 - FINAL Real-Data / Production-Data Decision Packet (2026-06-12)
This document selects nothing. Default = HOLD_REAL_DATA.
All safely self-resolvable engineering is now closed (see gap-closure-map.json and final-blocker-map.json). The birth/rollback pattern is proven end-to-end on a generated production-shaped surrogate under the canonical hardened validator; the CI seal-vs-bytes gate has a complete, locally-tested off-production adoption packet; canonical governance is folded through TKT-OBJ-507. The next step is a DECISION, not more preparation.
Options (owner/GPT picks exactly one; nothing here is pre-selected)
1. HOLD_REAL_DATA (DEFAULT)
Do nothing. Everything stays governed and rerunnable. No production exposure.
2. AUTHORIZE_OPERATOR_REAL_DATA_CLONE_HANDOFF
Operator provides the production-shaped, secret-free, isolated REAL DB dump
clone per fix7-p0-operator-real-data-clone-handoff-if-required-2026-06-12.md.
A separately-authorized lane then re-runs THIS lane's rehearsal machinery
(surrogate_rehearsal.py pattern + hardened validator) on the real dump - still
zero production contact. Discharges the real-dump leg of
FIX7-P0-DRYRUN-PROD-ROLLBACK-1 and FIX7-P0-OPERATOR-INPUT-1.
3. AUTHORIZE_PRODUCTION_DRYRUN_ONLY
Read-only production dry-run (operator-safe read path) to scope the real birth
surface (FIX7-P0-PROD-BIRTH-SURFACE-1). Requires explicit grant; no mutation.
4. AUTHORIZE_PRODUCTION_REALRUN_PRECHECK_ONLY
Precheck of REAL_RUN preconditions only (no REAL_RUN itself). Requires the prior options' outputs plus owner OPT-4 scoping.
5. AUTHORIZE_PRODUCTION_EXECUTION
NOT SELECTABLE BY THIS LANE. Requires ALL of: real-dump rehearsal proven
(option 2), production surface scoped (option 3), production OPT-4
(FIX7-P0-PROD-OPT4-1), distinct production-rollback grant, REAL_RUN grant
(FIX7-P0-PLAN-REALRUN-1), and per-action QT001/permit/activation/repoint/
cutover grants (FIX7-P0-PLAN-SEPARATE-AUTH-1). This packet records the
option for completeness only.
Preconditions snapshot (from final-blocker-map.json)
| blocker | engineering | remaining actor |
|---|---|---|
| FIX7-P0-PROD-BIRTH-SURFACE-1 | n/a (live scoping) | operator + owner |
| FIX7-P0-PROD-CI-SCOPE-1 | CLOSED off-production (adoption packet ready) | owner + operator |
| FIX7-P0-DRYRUN-PROD-ROLLBACK-1 | CLOSED for toy + surrogate legs | operator (real dump) + owner |
| FIX7-P0-PLAN-REALRUN-1 | n/a | owner |
| FIX7-P0-PLAN-SEPARATE-AUTH-1 | n/a | owner |
| FIX7-P0-PROD-OPT4-1 | n/a | owner |
| FIX7-P0-OPERATOR-INPUT-1 | surrogate substitute proven | operator |
Boundaries
No option is selected here. P7 alone does not authorize production. The surrogate is GENERATED_SURROGATE_NOT_REAL_PRODUCTION_DUMP and is never to be presented as real production data. Production mutation, REAL_RUN, QT001/apply, permit/activation/repoint/cutover, production CI triggering, and secrets changes all remain forbidden until their own grants exist.