KB-3863

FIX7 P0 Implementation Dry-Run Design (2026-06-11)

Revision 1
<!-- DOC_STATUS: ACTIVE_NON_AUTHORITY -->

  • Authority: PLANNING_NON_AUTHORITY. Designs a FUTURE dry-run lane. Runs nothing against production now. staging_only=true, production_target=false.
  • Machine form: fix7-p0-implementation-dryrun-design-2026-06-11.json (byte-identical to the packet's dryrun-design.json).

Dry-run steps (staging/temp only)

id    step                                                              gate                                  rollback ref
DR-0  precondition readback (planning_packet_validator.py)              validator exit 0                      N/A (read-only)
DR-1  seal-vs-bytes recheck: rev3 sha256 == 49c386a9…b734d0 and 38756 B  exact match, else ABORT               N/A (read-only)
DR-2  stage operative blueprint doc in mktemp (sealed digests only)     digest cross-check PASS               RB-2
DR-3  stage canonicalizer operative-status marker on /tmp copy          body unchanged; P7 verify_pin PASS    RB-3
DR-4  stage governance addendum + collision scan                        0 collisions; APPLY_NOW=NO            RB-4
DR-5  reconstruct + fail-closed proof in clean mktemp                   RERUN PASS; 0 fail-open               N/A (read-only)

Every step is read-only or carries a rollback ref (every_command_has_rollback_or_is_readonly=true).
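The seal-vs-bytes recheck (DR-1) and the staged copy with digest cross-check and rollback (DR-2 / RB-2), written out as an added shell example. This is not the packet's own tooling: the sample file, its digest and its byte count are constructed here (the real rev3 digest and the 38756 B length belong to the packet), and the function names verify_seal, stage_copy and sha256_of are assumed for the example.

```shell
#!/bin/sh
# Added example, not the packet's tooling. Demonstrates a fail-closed
# seal-vs-bytes check (DR-1 style) and a mktemp staging step whose rollback
# is "remove the staging dir" (DR-2 / RB-2 style).
set -u

# Hex sha256 of a file; uses sha256sum where present, else shasum -a 256.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_seal FILE EXPECTED_SHA256 EXPECTED_BYTES
# Returns 0 only on an exact digest AND length match. A missing file,
# a length drift or a digest drift all return non-zero and mutate nothing.
verify_seal() {
  f=$1; want_sha=$2; want_len=$3
  [ -f "$f" ] || { echo "ABORT: $f missing" >&2; return 2; }
  got_len=$(wc -c < "$f" | tr -d ' ')
  [ "$got_len" = "$want_len" ] || { echo "ABORT: size $got_len != $want_len" >&2; return 1; }
  got_sha=$(sha256_of "$f")
  [ "$got_sha" = "$want_sha" ] || { echo "ABORT: sha256 mismatch for $f" >&2; return 1; }
  return 0
}

# stage_copy FILE EXPECTED_SHA256 EXPECTED_BYTES
# Re-checks the source, copies it into a fresh mktemp dir, cross-checks the
# copy against the same sealed digest, and on any failure removes the staging
# dir (the rollback) so a bad copy never reaches a consumer. On success it
# prints the staging dir path.
stage_copy() {
  src=$1; want_sha=$2; want_len=$3
  verify_seal "$src" "$want_sha" "$want_len" || return 1
  stage=$(mktemp -d) || return 1
  cp "$src" "$stage/" || { rm -rf "$stage"; return 1; }
  if ! verify_seal "$stage/$(basename "$src")" "$want_sha" "$want_len"; then
    rm -rf "$stage"   # rollback: digest cross-check failed, discard the copy
    return 1
  fi
  echo "$stage"
}

# Demo on constructed data: a 6-byte file "hello\n" whose sha256 is known.
demo_dr1() {
  want=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  sample=$(mktemp)
  printf 'hello\n' > "$sample"
  if verify_seal "$sample" "$want" 6; then echo "DR-1 PASS on sealed bytes"; fi
  printf 'hellp\n' > "$sample"   # one-byte tamper, same length
  if ! verify_seal "$sample" "$want" 6 2>/dev/null; then echo "DR-1 mismatch -> ABORT, no mutation"; fi
  rm -f "$sample"
  return 0
}

demo_dr1
```

Both functions are fail-closed: the only success path is an exact digest and length match on the bytes actually read, a missing or short file is an abort rather than a skipped check, and a staged copy that fails the cross-check is deleted before anything can consume it, which is the property the rollback refs in the table exist to guarantee. The same digest/length pairs can be written to a .sha256 list and checked with shasum -c, as the TKT Base Pack check does.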

Policies

  • No production. Any production surface touched → ABORT (out of dry-run scope).
  • No raw evidence in the vector store: raw dry-run logs stay local, hashed and regenerable; only summaries and hashes enter the vector KB. The NVSZ root is still owner/operator-pending (V02-PB-NVSZ-1).
  • TKT Base Pack: use the L0–L3 checks (shasum -c, RERUN reconstruct, fail-closed harness, governance consistency) as the dry-run evidence base; where a check is unavailable, fall back to the v0.2-proven base checks. The pending TKT-BASE-GOV-FOLD-1 does not block the dry-run design.

Abort criteria

  • DR-1 mismatch → TRUE_BLOCKER, no mutation.
  • OPT-4 absent → ABORT before DR-2.
  • Any rollback path unverified before its apply → ABORT that step.
  • Any production surface touched → ABORT.

This macro does not run the dry-run. It only designs it. The dry-run itself requires owner AUTHORIZE_DRYRUN_ONLY (or higher).