FIX7 P0 — Production-Readiness Surface Scoping — Evidence Packet (2026-06-12)

Macro: FIX7_P0_PRODUCTION_READINESS_SURFACE_SCOPING_AND_GOVERNANCE_LANE_MACRO_2026_06_12 Authorization: GPT-delegated production-readiness SCOPING ONLY (+ canonical fold 442..461 if safe). Final status: FIX7_P0_PRODUCTION_READINESS_SURFACE_SCOPING_READY Production mutation: NO · REAL_RUN/QT001/cutover: NO · Live-system contact: NONE.

What this packet proves

1. Governance fold 442..461 — APPLIED (governance-fold-442-461-result.json). Canonical body max 441→461, next free 462; 0 collision / 0 orphan / 0 gap / 0 overlap; JSON valid; objects[] unchanged; before/after pins recorded; reverse-patch rollback proven byte-exact in staging. Live revs after: registry JSON rev24, registry MD rev24, 00-index rev116.
2. Production surface inventory (production-surface-inventory.json, Table B) — 11 surfaces, read-only, evidence-cited, mutation-risk + required gate per surface. No live read performed.
3. CI/deploy inventory (ci-deploy-surface-inventory.json, Table C) — 4 surfaces incl. the UNKNOWN FIX7 CI seal-vs-bytes scope (listed as blocker, not invented).
4. Production rollback/rehearsal plan (production-rollback-rehearsal-plan.md) — design only, not run; before-state capture, mutation boundary, rollback trigger/action, verification, forbidden fail-open cases.
5. Production bad-input design + harness (production-bad-input-design.json, production_bad_input_probes.py) — 9 forbidden classes, 9/9 fail-closed, 0 fail-open, no PRODUCTION_PASS leaked. Purely local/static.
6. Production blocker map (production-blocker-map.json) — 7 OPEN production blockers.
7. Forbidden-surface proof (forbidden-surface-proof.json) — every production/REAL_RUN/QT001/ cutover/secrets/evidence-deletion surface UNTOUCHED; only authorized mutation = the 442..461 fold.
8. Next production decision packet (next-production-decision-packet.md) — options with default HOLD_PRODUCTION; no option selected.

Integrity / rerun

• commands.sh — recompute hashes + re-run probes (PASS expected).
• RERUN.sh — re-run the production bad-input probe harness (exit 0 expected).
• exit_codes.json — recorded exit codes.
• HASH_MANIFEST.txt — sha256 of every packet file.
• packet_tree.sha256 — single tree hash over the sorted HASH_MANIFEST.
• manifest.json — object-id map (TKT-OBJ-462..484) + boundaries.

Boundaries

NO production mutation; NO REAL_RUN/QT001/apply/permit/activation/repoint/cutover; NO production PG/Directus/system_issues mutation; NO CI/deploy trigger; NO secrets/credential change; NO evidence deletion. The only canonical mutation is the GPT-authorized governance fold of TKT-OBJ-442..461. P7-pinned canonicalizer untouched; N7/N8/P7 untouched.