FIX7 P0 — Owner/GPT Production Decision Packet AFTER Shaped-Clone Rehearsal Attempt (2026-06-12)
This document selects nothing. Default = HOLD_PRODUCTION.
The production-shaped clone rehearsal lane could not run its rehearsal because no operator-provided production-shaped clone exists. The clone-independent work the macro allows was completed: the CI seal-vs-bytes gate is now designed (off-production), the hardened validator is re-proven, bad inputs fail closed, and the exact production-shaped clone requirement is specified. Production itself is still not authorized and remains separately gated.
What changed (this lane)
- CI seal-vs-bytes gate DESIGNED off-production - design doc + runnable reference checker; selftest fails closed on sha mismatch, byte-length mismatch, em-dash/Unicode drift, ensure_ascii JSON re-encode drift, BOM, CRLF, and missing file (7/7). No CI triggered. (Design portion of FIX7-P0-PROD-CI-SCOPE-1; blocker stays OPEN.)
- Production-shaped clone requirement fully specified (schema-compatibility.json, clone-provenance.json), narrowing FIX7-P0-OPERATOR-INPUT-1.
- Hardened validator re-proven byte-exact + selftest PASS + neg-control fail-closed.
- 10/10 bad-input probes fail closed; no production/seal/cutover token leaked.
- No rehearsal mutation, production mutation, REAL_RUN, QT001/apply, permit/activation/repoint/cutover, CI/deploy trigger, or secrets change.
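
The seven fail-closed conditions listed for the CI seal-vs-bytes gate can be exercised with a checker like the one below. This is an added example, not the lane's reference checker: the seal format (a dict holding `sha256` and `byte_length`), the function names, and the sample document are all assumptions constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

def make_seal(data: bytes) -> dict:  # assumed seal format: digest + length of exact bytes
    return {"sha256": hashlib.sha256(data).hexdigest(), "byte_length": len(data)}

def check_seal(path: str, seal: dict) -> list:
    """Return failure reasons; an empty list is the only passing result."""
    try:
        with open(path, "rb") as fh:   # raw bytes: never decode and re-encode
            data = fh.read()
    except OSError:
        return ["missing_file"]
    checks = [
        ("bom", data.startswith(b"\xef\xbb\xbf")),
        ("crlf", b"\r\n" in data),
        ("byte_length_mismatch", len(data) != seal.get("byte_length")),
        ("sha_mismatch", hashlib.sha256(data).hexdigest() != seal.get("sha256")),
    ]
    return [name for name, failed in checks if failed]

def selftest() -> dict:
    """Run constructed good/bad inputs; map case name -> failure reasons."""
    doc = {"title": "FIX7 P0 \u2014 packet", "state": "HOLD"}   # constructed sample
    good = (json.dumps(doc, ensure_ascii=False) + "\n").encode("utf-8")
    seal = make_seal(good)
    cases = {
        "good": good,
        "sha_mismatch": good.replace(b"HOLD", b"HELD"),          # same length
        "byte_length": good + b" ",
        "unicode_drift": good.replace("\u2014".encode(), b"-"),  # em-dash -> hyphen
        "ensure_ascii": (json.dumps(doc) + "\n").encode(),       # \u2014 escaped
        "bom": b"\xef\xbb\xbf" + good,
        "crlf": good.replace(b"\n", b"\r\n"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in cases.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = check_seal(path, seal)
        results["missing_file"] = check_seal(os.path.join(tmp, "absent"), seal)
    return results

if __name__ == "__main__":
    print(json.dumps(selftest(), indent=2))
```

Because the file is compared as raw bytes, both the em-dash substitution and the `ensure_ascii` re-encode surface as a length and digest mismatch rather than being normalized away by a decode step.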
Options (choose exactly one; default HOLD)
1. HOLD_PRODUCTION (default, recommended) - do nothing further.
2. AUTHORIZE_PRODUCTION_DRYRUN_ONLY - production read-only dry-run (entry==exit), no mutation.
3. AUTHORIZE_PRODUCTION_REALRUN_PRECHECK_ONLY - real-run pre-checks, still no mutation.
4. AUTHORIZE_PRODUCTION_EXECUTION - actual production apply (requires ALL blockers resolved + per-action grants).
Preconditions before ANY production execution (all OPEN)
| blocker | status | actor | gate |
|---|---|---|---|
| FIX7-P0-DRYRUN-PROD-ROLLBACK-1 | production-shaped leg OPEN (toy leg proven) | operator (+sep. auth) | prove snapshot/restore on a production-shaped DB dump clone |
| FIX7-P0-PROD-CI-SCOPE-1 | design delivered, OPEN | owner (adopt?) + operator | wire designed gate in a non-production branch, review |
| FIX7-P0-PROD-BIRTH-SURFACE-1 | OPEN | owner + operator | scope production object-birth surface (not invented) |
| FIX7-P0-PROD-OPT4-1 | OPEN | owner | explicit production OPT-4 |
| FIX7-P0-PLAN-REALRUN-1 | OPEN | owner | separate REAL_RUN grant |
| FIX7-P0-PLAN-SEPARATE-AUTH-1 | OPEN | owner | distinct grant per QT001-apply/permit/activation/repoint/cutover |
| FIX7-P0-OPERATOR-INPUT-1 | narrowed | operator | provide the production-shaped, secret-free, isolated DB dump clone |
Recommendation
If you are not holding, the single highest-leverage next step is not a production
option - it is the operator providing a production-shaped, secret-free, isolated DB
dump clone (per clone-provenance.json + schema-compatibility.json). A
separately-authorized lane then proves snapshot/restore on that clone under the hardened
validator, still with zero production contact. Only after that, and only with
production OPT-4 plus a distinct production-rollback grant, should a production rehearsal
be considered. Do not jump to option 4 until every blocker above is closed and each
irreversible action has its own explicit grant.