FIX7 P0 — Production-REHEARSAL-ONLY Rollback + CI-Resolution Packet (2026-06-12)

Macro: FIX7_P0_PRODUCTION_REHEARSAL_ONLY_ROLLBACK_AND_CI_RESOLUTION_LANE_MACRO_2026_06_12 Delegated decision consumed: AUTHORIZE_PRODUCTION_REHEARSAL_ONLY Final status: FIX7_P0_PRODUCTION_REHEARSAL_ONLY_ROLLBACK_READY

Production mutation: NO · REAL_RUN/QT001/cutover: NO · production CI/deploy trigger: NO · secrets change: NO.

This packet proves the production-documented rollback PATTERN byte/row-exact on a provably isolated local clone (never production), classifies the one remaining CI UNKNOWN, and updates the production decision packet. It authorizes nothing in production; production remains HOLD.

What was done (isolated clone only)

• Isolated clone locked (rehearsal-target-lock.json): local mktemp sqlite clone under /private/tmp, proven non-production (no PG/Directus/system_issues/registry/VPS/network contact).
• Rehearsal executed on the clone (rehearsal_clone_rollback.sh → rehearsal-execution-evidence.json, clone-rollback-evidence.json): read-only entry==exit invariant; transactional BEGIN..INSERT..ROLLBACK; committed-insert + snapshot-restore; canonical-executor integrity invariant.
• Rollback proven under the hardened validator (run_hardened_validator.py → hardened-validator-result.json, rollback-recovery-proof.json): after_apply_hash != before_hash (real mutation) and after_rollback_hash == before_hash (exact restore) on every entry; validator --selftest PASS; fabricated no-mutation entry fails closed. The local validator copy is byte-exact to the canonical hardened validator e6547e69…956c47.
• Bad-input probes (rehearsal_bad_input_probes.py → rehearsal-bad-input-probes.json): 10/10 fail closed (production target, REAL_RUN, QT001/apply, cutover, CI deploy, secrets, missing rollback proof, fake no-mutation rollback, PASS-without-isolation, production-PASS-from-rehearsal), control allowed, no PRODUCTION_PASS / REAL_RUN_PASS / CUTOVER_PASS / seal-like token leaked.
• CI UNKNOWN classified (ci-unknown-resolution.json): the FIX7 seal-vs-bytes CI gate is not yet designed, so it is unresolvable read-only and remains blocker FIX7-P0-PROD-CI-SCOPE-1 (owner+operator; design off-production first). It does not affect clone-rehearsal safety.
• Blocker map updated (updated-production-blocker-map.json): 7 OPEN. FIX7-P0-DRYRUN-PROD-ROLLBACK-1 is partially discharged (clone-rehearsal leg proven; production leg still OPEN — needs an operator-provided production-shaped DB dump clone + production OPT-4 + distinct production-rollback grant).
• Forbidden surfaces (forbidden-surface-proof.json): 13/13 untouched / not-requested.

Reproduce

• commands.sh — runs the full rehearsal + validator + probes fresh and aggregates OVERALL PASS.
• RERUN.sh — re-runs harnesses, recomputes HASH_MANIFEST.txt, compares to packet_tree.sha256.

Hard boundary

A clone rehearsal is not production execution. This packet does not authorize production, REAL_RUN, QT001/apply, permit, activation, repoint, cutover, CI/deploy, or secrets changes. Default remains HOLD_PRODUCTION.