KB-2408 rev 3

FIX7 P0 Production-Readiness Scoping — production-surface-inventory.json


{
  "doc": "fix7-p0-production-surface-inventory",
  "date": "2026-06-12",
  "discovery_method": "READ-ONLY discovery from governed KB documentation ONLY. No connection was made to any live running system (no query_pg / pg_schema / directus_* / read_file against VPS / docker_logs). Live reads are deferred to an operator-safe method (see required_operator_safe_method).",
  "live_system_contact": false,
  "table_B_production_surface_inventory": [
    {
      "surface": "production object-birth pipeline (fn_birth_register / birth_registry row creation)",
      "path_source": "knowledge/dev/architecture/BIRTH_STAGE2_QT001_APPLY_REAUDIT_PACKET.md; v_birth_register_collision_patch_plan; planning mutation-inventory surface 5",
      "read_only_evidence": "governed packet states fn_birth_register core collision patch is STAGED not applied; birth-register collision patch plan exists",
      "mutation_risk": "HIGH (creates production birth rows)",
      "gate_required": "FIX7-P0-PROD-BIRTH-SURFACE-1 + production OPT-4 + proven prod rollback"
    },
    {
      "surface": "production PostgreSQL (PG) data/schema",
      "path_source": "sql/prod/99_run_all.sql (self-guarding executor, sha256 4dc8d2ac..); b_documents; One-Roof prod-release macro; WS-Q5 production-apply log",
      "read_only_evidence": "executor 'NOT executed on production'; Tier-0 gate aborts unless db=directus AND os_proposal_approvals>=1; WS-Q5 apply BLOCKED (permission denied, production unchanged)",
      "mutation_risk": "HIGH",
      "gate_required": "production OPT-4 + proven snapshot/restore (FIX7-P0-DRYRUN-PROD-ROLLBACK-1)"
    },
    {
      "surface": "production Directus",
      "path_source": "db=directus Tier-0 gate; 'no schema/GRANT/index/Directus' integrity rule in dot-iu-cutter prod logs",
      "read_only_evidence": "Directus mutation explicitly excluded by prior production-apply integrity checks",
      "mutation_risk": "HIGH",
      "gate_required": "production OPT-4 + Directus-specific rollback proof"
    },
    {
      "surface": "production system_issues",
      "path_source": "scope-lock.json (no-production lane) lists system_issues as forbidden surface",
      "read_only_evidence": "no system_issues mutation issued in any recent lane (forbidden-surface proofs)",
      "mutation_risk": "MEDIUM-HIGH",
      "gate_required": "production OPT-4"
    },
    {
      "surface": "production registry-row insertion (canonical birth registry)",
      "path_source": "planning mutation-inventory surface 5; operative birth-blueprint (KB reference only)",
      "read_only_evidence": "governance handled via additive KB addendum only; NO production registry row created in any lane",
      "mutation_risk": "HIGH",
      "gate_required": "FIX7-P0-PROD-BIRTH-SURFACE-1 + production OPT-4"
    },
    {
      "surface": "P7-pinned canonicalizer SSOT body",
      "path_source": "knowledge/dev/reports/architecture/t1-fix7-existing-system-refactor-execution-blueprint-2026-06-08/canonicalizer-fix7-canon-v1-ssot.md",
      "read_only_evidence": "P7 pin 49c386a9..b734d0 (38756 bytes); hashed as full normalized content; deliberately NOT edited (edit breaks pin)",
      "mutation_risk": "HIGH (edit breaks P7 authority pin)",
      "gate_required": "separate authority re-seal (Codex N7/N8/P7) — NOT a production action but pin-breaking"
    },
    {
      "surface": "REAL_RUN",
      "path_source": "precondition-checklist PC-7 FAIL; blocker FIX7-P0-PLAN-REALRUN-1",
      "read_only_evidence": "never invoked; guard probe fail-closed",
      "mutation_risk": "HIGH",
      "gate_required": "separate explicit owner REAL_RUN grant"
    },
    {
      "surface": "QT001 / apply",
      "path_source": "BIRTH_STAGE2_QT001_APPLY_REAUDIT_PACKET.md; precondition PC-8 FAIL",
      "read_only_evidence": "QT-001 apply re-audit packet exists; safe-apply path is future owner-gated macro; never applied here",
      "mutation_risk": "HIGH",
      "gate_required": "separate QT001/apply authorization"
    },
    {
      "surface": "permit / activation / repoint / cutover",
      "path_source": "checkpoint-birth-stage2 permit/ledger; precondition PC-8 FAIL; blocker FIX7-P0-PLAN-SEPARATE-AUTH-1",
      "read_only_evidence": "permit/ledger empty in prior staged exercises; none invoked here",
      "mutation_risk": "HIGH / IRREVERSIBLE",
      "gate_required": "distinct explicit authorization PER action"
    },
    {
      "surface": "secrets / credentials / production-selecting env",
      "path_source": "09-production-ui-deploy-readiness ('No GitHub push credentials'); db=directus environment selector",
      "read_only_evidence": "no secret/credential read or write in any lane; guard probe fail-closed",
      "mutation_risk": "HIGH",
      "gate_required": "separate secrets-change authorization (out of scope for production execution too)"
    },
    {
      "surface": "runtime toggles selecting production (db=directus, os_proposal_approvals threshold)",
      "path_source": "sql/prod/99_run_all.sql Tier-0 preflight gate",
      "read_only_evidence": "gate documented; not toggled",
      "mutation_risk": "MEDIUM",
      "gate_required": "production OPT-4 + operator confirmation of target environment"
    }
  ],
  "required_operator_safe_method": "For any live read needed to finalize scoping, use a read-only path the operator authorizes explicitly (e.g. query_pg SELECT-only with entry==exit invariant, as in the One-Roof prod-release macro). This lane intentionally performed NO live read.",
  "inventory_complete": true,
  "production_mutation": false
}

knowledge/dev/reports/architecture/fix7-p0-production-readiness-surface-scoping-packet-2026-06-12/production-surface-inventory.json