KB-5A96

02 — Production review_decision Governance Path Authority Pack (2026-05-28)

Revision 1

Doc 02 — Branch C: Production review_decision Governance Path Authority Pack

Verdict: DEFER — the agent must not implement a production approval builder. Doing so would let code self-mint Đ32 approvals, which is a Đ32 bypass (forbidden). The full authority pack follows.


1. Live evidence (read-only, 2026-05-28)

1.1 Test builder fn_iu_test_review_decision_create(p_actor, p_reason, p_manifest_tag='TEST/hardening')

SECURITY DEFINER. Mints two rows in cutter_governance:

  • manifest_envelope: operation_kind='test_governance', status='test', source_doc_ref=p_manifest_tag, reviewer=actor.
  • review_decision: governance_event_kind='test_review_decision', review_scope='manifest', manifest_unit_local_id=NULL, status='decided', verdict='approve', findings={test_scope:true, builder:..., macro:...}, reviewer_class='automated_agent', reviewer_identity={agent:'iu_hardening_macro', test:true}, risk_class_assessment='standard', cross_signed_by_dot_verifier=false, version='test-1'.
  • Self-labels: "TEST-ONLY. Not a production Dieu 32 approval. For cloned test IUs only."
  • Catalog: dot_iu_test_review_decision_create, category=lifecycle, mutating=true, reversible=true.

1.2 review_decision columns (from builder INSERT — schema readonly-denied, governance-sensitive)

review_decision_id, governance_event_kind, manifest_id, manifest_version, review_scope, manifest_unit_local_id, status, verdict, findings, reviewer_class, reviewer_identity, risk_class_assessment, decision_at, decided_by, cross_signed_by_dot_verifier, version, created_at, updated_at.

1.3 manifest_envelope columns

envelope_id, operation_kind, status, source_doc_ref, created_by, created_at, reviewer, reviewed_at, rationale.

Note: cutter_governance is privilege-walled from the readonly role (introspection denied). The schema above is reconstructed from the live builder body — authoritative for the columns it touches; a full-rewrite macro should re-introspect via workflow_admin.

1.4 How split/merge consume it

Per prior bundles: fn_iu_piece_split/merge are SECURITY DEFINER (SECDEF), additive, and require a FK-probed review_decision_id. They do not open a gate or run a cut state machine; they create draft children or a merged row and leave the source untouched. The review_decision is therefore the governing approval token for any structural mutation.


2. The test vs production gap

| Dimension | TEST builder (live) | PRODUCTION requirement |
|---|---|---|
| governance_event_kind | test_review_decision | real kind (e.g. iu_structure_cut, iu_backfill) |
| manifest_envelope.status | test | decided/approved real manifest |
| manifest_unit_local_id | NULL (skips composite FK) | bound to the real cut unit |
| reviewer_class | automated_agent | human / sovereign / council |
| reviewer_identity | {agent, test:true} | real reviewer identity (Đ32 subject) |
| cross_signed_by_dot_verifier | false | true (cross-sign required) |
| findings.test_scope | true | absent/false |
| risk_class_assessment | standard | risk-tiered per operation |

3. Why an agent must NOT implement the production builder now

  • A production review_decision is, by Đ32, an act of authority by an identified human/council. A function that mints verdict='approve' on its own behalf is exactly the "production review_decision shortcut" and "bypass of Điều 32" the macro forbids.
  • The test builder is lawful only because it is test_scope-tagged, automated_agent, cross_signed=false, and usable on cloned TEST IUs only. Removing those guards removes the safety.
  • Therefore Branch C is delivered as an authority pack, not code.

4. Authority pack — production review_decision requirements

4.1 Who/what can decide

  • Decision authority = an identified human principal holding the relevant governance role (per Đ37 governance registry + Directus role/field allowlist — note Đ37 has no human roles, so human identity is carried by the Directus auth layer + Đ32, per the Rev5 cross-law finding D-1).
  • For high-risk cuts: sovereign or Council cross-sign.
  • An automated agent may only prepare a draft decision (status='proposed', verdict=NULL) — never decided/approve.

4.2 Required reviewer identity

  • reviewer_class ∈ {human, council, sovereign} (NOT automated_agent for approval).
  • reviewer_identity carries the authenticated principal (Directus user id / council id), not an agent label.
  • decided_by = same principal; auditable to a real session.

4.3 Verdict vocabulary

  • verdict ∈ {approve, reject, approve_with_conditions, abstain} (ratify exact set via Đ32). No implicit approve.

4.4 Manifest / cut binding

  • manifest_id → a real manifest_envelope with operation_kind matching the cut and status reflecting a real review.
  • manifest_unit_local_id bound to the actual unit being cut (not NULL) so the composite FK to the manifest line is enforced.
  • review_scope set to manifest or unit per operation.

4.5 Cross-sign

  • cross_signed_by_dot_verifier=true required for production — a second, independent verifier (DOT verifier) co-signs. Two-key principle.

4.6 Audit

  • Decision recorded with decision_at, immutable; any change appends a new version (Đ31). Tie to dot_iu_command_run audit actor.

4.7 Rollback / retire

  • A review_decision is not deleted; if mis-issued it is superseded by a corrective decision (verdict=reject / new version), and any IU mutation it authorized is reversed via fn_iu_retire (Đ30/Đ32/Đ31), never hard-deleted.

4.8 No-bypass invariants

  • iu_enact.allow_no_review_decision stays false forever (never_flip).
  • Split/merge keep requiring a FK-probed review_decision_id.
  • The production builder must refuse to set reviewer_class='automated_agent' for an approving verdict.
  • Test and production builders remain separate functions; the test one stays test_scope-tagged and TEST-IU-only.
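
The section 4 requirements expressed as a read-only audit check, added here as an illustration and not part of the original pack or the project's code; it only inspects row dicts and mints nothing. The function names, the `directus_user_id` key and the sample ids are assumptions; the test row values are those listed in section 1.1.

```python
APPROVING = {"approve", "approve_with_conditions"}      # approving subset of 4.3
AUTHORITY_CLASSES = {"human", "council", "sovereign"}   # 4.2


def production_approval_violations(row):
    """List why `row` (a review_decision as a dict) is not a valid production approval."""
    findings = row.get("findings") or {}
    identity = row.get("reviewer_identity") or {}
    v = []
    if row.get("governance_event_kind") == "test_review_decision":
        v.append("governance_event_kind is the test kind")
    if findings.get("test_scope"):
        v.append("findings.test_scope is set")
    if row.get("status") != "decided" or row.get("verdict") not in APPROVING:
        v.append("not a decided, approving verdict")
    if row.get("reviewer_class") not in AUTHORITY_CLASSES:
        v.append("reviewer_class is not human/council/sovereign")
    if "agent" in identity or identity.get("test"):
        v.append("reviewer_identity is an agent/test label")
    if row.get("manifest_unit_local_id") is None:
        v.append("manifest_unit_local_id is NULL")
    if row.get("cross_signed_by_dot_verifier") is not True:
        v.append("not cross-signed by DOT verifier")
    return v


def is_lawful_agent_draft(row):
    """4.1: an automated agent may only hold status='proposed' with verdict NULL."""
    return (row.get("reviewer_class") == "automated_agent"
            and row.get("status") == "proposed"
            and row.get("verdict") is None)


# Row shape the live TEST builder mints (values from section 1.1).
TEST_ROW = {
    "governance_event_kind": "test_review_decision", "review_scope": "manifest",
    "manifest_unit_local_id": None, "status": "decided", "verdict": "approve",
    "findings": {"test_scope": True}, "reviewer_class": "automated_agent",
    "reviewer_identity": {"agent": "iu_hardening_macro", "test": True},
    "risk_class_assessment": "standard", "cross_signed_by_dot_verifier": False,
}
# Constructed sample of a row meeting section 4; the identity key and ids are made up.
PROD_ROW = dict(TEST_ROW, governance_event_kind="iu_structure_cut",
                manifest_unit_local_id="unit-001", findings={},
                reviewer_class="human", reviewer_identity={"directus_user_id": "u-example"},
                cross_signed_by_dot_verifier=True)
AGENT_DRAFT = dict(TEST_ROW, status="proposed", verdict=None)

if __name__ == "__main__":
    for name, row in [("test", TEST_ROW), ("prod", PROD_ROW), ("draft", AGENT_DRAFT)]:
        print(name, production_approval_violations(row), is_lawful_agent_draft(row))
```

The test builder's row fails on every dimension of the gap matrix except status/verdict, which is why a split/merge FK probe alone cannot distinguish it from a real Đ32 approval.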

5. Outcome

  • Applied this run: nothing.
  • Deliverable: test-vs-prod gap matrix + production builder requirements.
  • Dependency: Branch B backfill needs this production path (a real Đ32 approval) before block_all.
  • Next macro: IU_PRODUCTION_REVIEW_DECISION_GOVERNANCE_PATH_*X (doc 06, macro 2).