KB-2C6C

SuperBundle — 05 Production review_decision Governance Foundation (G3)

Revision 1 · Tags: review-decision, dieu32, production, cross-sign, manifest-binding, proposal-builder, g3, authority-pack, 2026-05-28

05 — Branch E: Production review_decision Governance Foundation (G3)

Goal: advance G3 without agent self-approval. Result: ADVANCED — walled schema captured (37 cols); proposal-only builder spec'd; cross-sign path defined. Builder NOT committed (writes to governance SoT → council call).

1. Live schema captured (cutter_governance.review_decision, 37 cols)

Key columns (introspected via workflow_admin): review_decision_id (uuid, NN) · manifest_id (uuid, NN) · manifest_version (text, NN) · manifest_unit_local_id (text, null) · status (text, NN) · verdict (text, NN) · decided_by (text, NN) · decision_at (NN) · reviewer_class (text, NN) · reviewer_identity (jsonb, NN) · reviewer_independence_evidence (jsonb, null) · cross_signed_by_dot_verifier (bool, NN) · governance_event_kind (text, NN) · review_scope (text, NN) · risk_class_assessment (text, NN) · findings (jsonb, NN) · prior_review_decision_id · superseded_by_review_decision_id · version (text, NN) · created_at/updated_at

Companion cutter_governance.manifest_envelope: envelope_id · operation_kind (NN) · source_doc_ref (NN) · status (NN) · created_by (NN) · cut_change_set_ref · reviewer · reviewed_at · rationale · superseded_by_envelope_id.

Critical constraint: verdict is NOT NULL. The mission's "verdict=NULL" is impossible against this schema — a proposal must use a non-approve sentinel verdict (e.g. 'pending'/'proposed') subject to the live verdict CHECK (verify exact allowed set before building).

2. Proposal-only builder spec (PREPARED — deferred)

CREATE OR REPLACE FUNCTION cutter_governance.fn_iu_prod_review_decision_propose(
  p_manifest_id uuid, p_manifest_version text, p_review_scope text,
  p_risk_class text, p_findings jsonb, p_proposer_identity jsonb
) RETURNS uuid LANGUAGE plpgsql AS $$
DECLARE v_id uuid := gen_random_uuid();
BEGIN
  -- HARD INVARIANTS (cannot be overridden by caller):
  --   status        := 'proposed'
  --   verdict       := 'pending'            (sentinel; NEVER 'approve'/'reject')
  --   reviewer_class := 'proposed_builder'  (NOT a human/council class)
  --   cross_signed_by_dot_verifier := false
  -- REQUIRE manifest binding: p_manifest_id must exist in manifest_envelope
  IF NOT EXISTS (SELECT 1 FROM cutter_governance.manifest_envelope WHERE envelope_id = p_manifest_id)
     THEN RAISE EXCEPTION 'manifest binding required'; END IF;
  INSERT INTO cutter_governance.review_decision(
    review_decision_id, manifest_id, manifest_version, status, verdict,
    decided_by, decision_at, reviewer_class, reviewer_identity,
    cross_signed_by_dot_verifier, governance_event_kind, review_scope,
    risk_class_assessment, findings, version, created_at, updated_at)
  VALUES (v_id, p_manifest_id, p_manifest_version, 'proposed', 'pending',
    'proposed_builder', now(), 'proposed_builder', p_proposer_identity,
    false, 'proposal', p_review_scope, p_risk_class, p_findings, '1', now(), now());
  RETURN v_id;
END $$;

It refuses any approve/reject outcome, because status='proposed' and verdict='pending' are hard-coded rather than caller-supplied. It requires a manifest binding. It is reversible (DROP FUNCTION). It does not bypass Đ32: it only emits proposals, never approvals.

Why deferred (not committed): it writes into the governance SoT schema cutter_governance. Even a proposal-only writer in the governance schema should be council-introduced, and the exact verdict/status/reviewer_class/governance_event_kind CHECK vocabularies must be read first (walled — needs a workflow_admin introspection pass on pg_constraint for that schema). The prior fn_iu_test_review_decision_create is test-scope only; this prod proposer must be distinct and council-blessed.
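The introspection pass the deferral depends on, as an added example (not from this report or the cutter_governance project): it reads the CHECK vocabularies on the two walled tables and the NOT NULL column set that the proposer must satisfy, using only the standard PostgreSQL catalogs. It assumes the session runs under the workflow_admin role named above and that the table names are as captured in section 1.

```sql
-- Added example: read the walled CHECK vocabularies before building the proposer.
-- Assumes the workflow_admin role can read pg_constraint/pg_attribute for this schema.
SELECT c.conrelid::regclass        AS table_name,
       c.conname                   AS constraint_name,
       pg_get_constraintdef(c.oid) AS definition      -- the literal CHECK (...) text
FROM   pg_constraint c
JOIN   pg_namespace  n ON n.oid = c.connamespace
WHERE  n.nspname = 'cutter_governance'
  AND  c.contype = 'c'                                -- 'c' = CHECK constraint
  AND  c.conrelid IN ('cutter_governance.review_decision'::regclass,
                      'cutter_governance.manifest_envelope'::regclass)
ORDER  BY 1, 2;

-- Confirm the NOT NULL column set so the proposer's INSERT column list is complete
-- (a missing NN column fails at insert time, not at CREATE FUNCTION time).
SELECT a.attname,
       format_type(a.atttypid, a.atttypmod) AS data_type,
       a.attnotnull                         AS not_null
FROM   pg_attribute a
WHERE  a.attrelid = 'cutter_governance.review_decision'::regclass
  AND  a.attnum > 0
  AND  NOT a.attisdropped
ORDER  BY a.attnum;
```

The first query is the one that settles whether 'proposed' and 'pending' are legal sentinels for status and verdict; if the returned CHECK text does not list them, the builder's hard-coded values must be changed to whatever non-approve value the vocabulary does allow before the function is introduced.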

3. Human/council/sovereign cross-sign path

  1. Agent/tool → fn_iu_prod_review_decision_propose → row {status=proposed, verdict=pending}.
  2. Human reviewer (reviewer_class ∈ human roles, see doc 06) reads manifest + findings → sets verdict approve/reject, status=decided, decided_by=human identity.
  3. DOT verifier cross-signs → cross_signed_by_dot_verifier=true (independence evidence in reviewer_independence_evidence).
  4. Council/sovereign for high risk_class_assessment → second signature (≥2 cross-sign). No single agent identity may move a row from proposed→approved.
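The separation-of-duties rules in the cross-sign path, expressed as a row-level guard. This is an added example, not part of the report and not committed or proposed against the governance SoT. It assumes status values 'proposed'/'decided', verdict values 'pending'/'approve'/'reject', that reviewer_identity carries an "id" key, and that 'proposed_builder' is the only agent reviewer class; all of these are assumptions pending the walled CHECK vocabulary read.

```sql
-- Added example: BEFORE UPDATE guard for the proposed -> decided -> cross-signed path.
-- Assumed vocabularies: status in ('proposed','decided'), verdict in ('pending','approve','reject'),
-- reviewer_identity->>'id' is a stable identity string, reviewer_class 'proposed_builder' = agent.
CREATE OR REPLACE FUNCTION cutter_governance.fn_review_decision_guard()
RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  -- Rule 1: an agent class may only ever hold the proposal state.
  IF NEW.reviewer_class = 'proposed_builder'
     AND (NEW.status <> 'proposed' OR NEW.verdict <> 'pending') THEN
    RAISE EXCEPTION 'agent class may not decide (proposed_builder -> %/%)',
                    NEW.status, NEW.verdict;
  END IF;

  -- Rule 2: proposed -> decided must come from a different identity than the proposer,
  -- and must carry a real verdict. No self-approval of a row you proposed.
  IF OLD.status = 'proposed' AND NEW.status = 'decided' THEN
    IF NEW.decided_by IS NOT DISTINCT FROM OLD.decided_by
       OR (NEW.reviewer_identity->>'id') IS NOT DISTINCT FROM (OLD.reviewer_identity->>'id') THEN
      RAISE EXCEPTION 'self-approval rejected for review_decision %', OLD.review_decision_id;
    END IF;
    IF NEW.verdict NOT IN ('approve', 'reject') THEN
      RAISE EXCEPTION 'decided row needs approve/reject, got %', NEW.verdict;
    END IF;
  END IF;

  -- Rule 3: the DOT cross-sign bit needs independence evidence and a decided row.
  IF NEW.cross_signed_by_dot_verifier AND NOT OLD.cross_signed_by_dot_verifier THEN
    IF NEW.reviewer_independence_evidence IS NULL THEN
      RAISE EXCEPTION 'cross-sign requires reviewer_independence_evidence';
    END IF;
    IF NEW.status <> 'decided' THEN
      RAISE EXCEPTION 'cross-sign only valid on a decided row';
    END IF;
  END IF;

  -- Rule 4: a decided verdict is immutable; a changed outcome is a new row
  -- linked through superseded_by_review_decision_id, not an in-place edit.
  IF OLD.status = 'decided' AND NEW.verdict <> OLD.verdict THEN
    RAISE EXCEPTION 'verdict immutable once decided; supersede instead';
  END IF;

  NEW.updated_at := now();
  RETURN NEW;
END $$;

CREATE TRIGGER trg_review_decision_guard
BEFORE UPDATE ON cutter_governance.review_decision
FOR EACH ROW EXECUTE FUNCTION cutter_governance.fn_review_decision_guard();
```

The guard covers steps 1 to 3 of the path. Step 4 (a second council/sovereign signature for high risk_class_assessment) is not modelled here because the captured schema carries a single cross_signed_by_dot_verifier boolean; representing a ≥2 cross-sign requirement would need either the supersession chain or an additional column, which is a council decision rather than something a guard can assume.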

Advancement: G3 moved from "authority-packed (schema unknown)" → "schema fully captured + proposal-only builder spec'd + cross-sign path defined." Blocked on: read walled CHECK vocab + council introduction of the proposer + human reviewer role law (doc 06).

Source: knowledge/dev/reports/architecture/gate-clearing-first-factory-dry-assembly-superbundle-2026-05-28/05-production-review-decision.md