11 — Readiness Gate Hardening (Branch K)

Reviews GOVERNANCE_COVERAGE_PASS (decision-pack doc 04 §4.6 + doc 10 P8/P9 + doc 09 P-09.6). Adversarial. Defines the gate fully per mission §14.

K0. What the pack says (summary)

Doc 04 §4.6: GOVERNANCE_COVERAGE_PASS(feature) = every touched governed object covered==true OR approved-exception; gate fails ⇒ no production; evidence-based (no blind PASS, Đ30 §V); composes with Đ20 Tier 2/3 + Đ32 quorum. Doc 10 P8 = CI for F-ISLAND-1…9; P9 = production acceptance with artifacts. Doc 09 P-09.6 adds the gate to RP's readiness checklist.

Overall: the evidence-based, composes-with-existing-gates stance is right. But the gate is a single binary predicate, while the mission §14 requires a structured gate: which checks, allowed exceptions, who waives, how waiver expires, and what blocks production vs design-patch vs PG/DOT vs UI-route (different phases need different gates). The pack also has no waiver authority and inherits the F3 severity contradiction.

---

K1 — The gate must be tiered by phase (the mission's explicit ask)

• Original: one predicate, applied at "production." Mission §14: "what blocks production; what blocks design patch; what blocks PG/DOT implementation; what blocks UI route."
• Risk: a single production-only gate lets ungoverned concepts flow through design and implementation and only fails at the end — expensive and late. And a too-strict single gate blocks the design-patch phase (which is just KB writing) on the same criteria as production.
• Hardened wording — four phase gates, increasing strictness:

  Gate	Phase	Blocks unless…
  G-DESIGN	canonical design patch (P2)	the design names an accountable owner per scope (Branch C) for every governed object it introduces, and asserts "no local island" — concept-level only; no scan required
  G-IMPL	PG view / DOT build (P4–P6)	the object's coverage profile (B2) is defined; views rehearsed BEGIN..ROLLBACK; DOT paired (Đ35 §3); prerequisite action-types/edges (I1/I2/E2) exist or are explicitly interim-scoped
  G-ROUTE	UI/route ship (P7)	the route is enumerable (G2 — not UNVERIFIABLE); render owner resolved (real or delegated, J6); no UI/Nitro truth-math (G8); Test-4 green
  G-PROD	production acceptance (P9)	zero high/critical orphans for touched objects (severity-aware, F3); evidence artifacts attached; Đ32 quorum + RG human sign-off

• Acceptance test: a design-patch passes G-DESIGN by naming owners (no scan); it cannot reach G-PROD without zero high/critical orphans + artifacts. Each phase has its own pass criteria.
• Open question: none.

---

K2 — Severity-awareness (inherit F3) — the gate blocks on high/critical, tracks warning

• Original: §4.6 "covered==true" (F3 contradiction: warnings block or not?).
• Hardened wording: G-PROD blocks on high/critical (anarchic) orphans only; warning orphans (e.g. draft-owner) are reported with a remediation deadline and do NOT block; info ignored; stale/unverifiable (G6) and UNVERIFIABLE route-class (G2) block (cannot ship what you can't verify). Restate §4.6 accordingly.
• Acceptance test: as F3/J5.
• Open question: OQ-K2 — the warning→high escalation deadline (governed threshold, H3/G4).

---

K3 — No waiver authority / waiver expiry is defined (mission §14: "who can waive; how waiver expires")

• Original: the pack has approved-exceptions (object-level) but no gate-waiver (feature-level "ship despite a known gap").
• Gap: mission §14 explicitly asks who can waive the gate and how the waiver expires. Without it, a blocked feature has only two options (fix everything, or bypass informally → island). A governed waiver is the pressure-relief valve that prevents informal bypass.
• Hardened wording — the gate waiver is a president-only, time-boxed exception:

  "A GOVERNANCE_COVERAGE_PASS failure may be waived only by the president (Đ32 §4.3 — never self-waived by the shipping author), recorded as a gate-waiver exception (Branch E full record: scope=this feature, reason, risk, TTL, replacement_plan=the remediation, review_cadence). The waiver is time-boxed and auto-expires to critical + a regularization issue; it may never waive a safety invariant (E4: no write-outside-DOT, no local approval, no UI truth-math, no unregistered emit — those are non-waivable). A waived feature ships in a SHIPPED-UNDER-WAIVER state visible in the coverage summary, never silently green."

• Acceptance test: a feature with a high orphan can ship only with a president-recorded, TTL-bounded waiver + replacement plan; the waiver appears in the summary; it cannot waive a safety invariant; it auto-expires.
• Open question: OQ-K3 — max waiver TTL and renewal cap (reuse E1's max-2-renewals).

---

K4 — Emergency lane (inherit A4) — the gate must not be brittle

• Original: no emergency path through the gate.
• Hardened wording: an emergency change uses the Đ35 §6.5 ADMIN-fallback lane (A4): president-authorized, admin_fallback_log recorded first, provisional pass, retroactive APR + coverage within 24h or auto-critical. The emergency lane is the only fast path; it is audited and self-expiring. (Distinct from K3 waiver: K3 is a planned ship-despite-gap; K4 is an unplanned incident.)
• Acceptance test: an incident hotfix proceeds via the recorded fallback; missing the 24h regularization auto-fires audit_overdue/critical.
• Open question: none.

---

K5 — "Evidence-based, no blind PASS" is right — define the required evidence artifacts precisely

• Original: §4.6 / P9: evidence-based; "scanner output + exception ledger + CI green + Test-4 green, as artifacts."
• Tightening: "evidence-based" must enumerate the exact artifacts so a PASS can't be claimed with partial evidence (the recurring RP NO_APPROVAL_FOUND / blind-PASS risk).
• Hardened wording — G-PROD evidence manifest (all required):
  1. scanner output showing high/critical orphans(feature) = 0 (or waived/exception list);
  2. the exception/waiver ledger (TTLs unexpired);
  3. CI green for F-ISLAND-1…9 (P8) with a planted-violation proof (CI actually fails something);
  4. Test-4 (100% Nuxt=PG) green for any rendered coverage;
  5. Đ32 quorum record (president + 2 ai_council for high) — note live os_proposal_approvals=0, so a real sign-off must exist (COMMIT_FORBIDDEN otherwise);
  6. last_scanned_at fresh (not stale, G6).
• Acceptance test: a PASS missing any manifest item is rejected; CI that has never failed a planted violation is not accepted as evidence (a CI that can't fail isn't evidence).
• Open question: none.

---

K6 — How CI verifies "no local governance" (mission §14 final ask) — define the CI contract precisely

• Original: doc 10 P8: CI checks for F-ISLAND-1…9; reuse hc_finding_* no-hardcode scanner + Đ28 coverage scanner + Đ30 regression. Plant a violation; CI must fail it.
• Tightening (links A7, G8, D3): specify CI's two surfaces and PG-vs-code split:
  • PG-detectable islands (no-owner policy table = F-ISLAND-3; mutating DOT without paired_dot = F-ISLAND-4, already PG-enforced by Đ35 §3; unregistered event emit = F-ISLAND-7): checked by SQL against substrate.
  • Code-detectable islands (local owner constant = F-ISLAND-1; local approval flag = F-ISLAND-2; UI/Nitro truth-math = F-ISLAND-6, incl. server/api/**): checked by source scan of web/** (the no-hardcode hc_finding_* scanner, extended).
  • LOCAL_GOVERNANCE_ISLAND (D3) = co-located roll-up of the above.
  • Until P8 exists, code-detectable islands are UNVERIFIABLE-pre-CI — the gate cannot claim "no island" before CI exists.
• Acceptance test: CI fails a planted no-owner policy table (SQL) AND a planted UI totalGap=reduce() (code scan, the live anti-pattern); both route to system_issues.
• Open question: OQ-K6 — does CI run in the deploy pipeline (blocking) or as a scheduled scan (detecting)? For a true gate it must block the deploy, not just detect after.

---

K7 — The gate composes with Đ20/Đ32 but the composition order is unspecified

• Original: §4.6: "composes with, does not replace, Đ20 Tier 2/3 and Đ32 quorum."
• Risk: if GOVERNANCE_COVERAGE_PASS and Đ32 quorum are independent gates, which runs first? A feature could get Đ32 approval, then fail coverage (wasted quorum), or vice versa.
• Hardened wording: define the order — coverage gate (G-IMPL/G-ROUTE) precedes Đ32 quorum (you don't ask for sign-off on something that fails coverage); Đ32 quorum is the final human gate before G-PROD. The gate is a precondition of quorum, not a parallel one.
• Acceptance test: quorum is requested only after coverage gates pass; a coverage failure short-circuits before quorum.
• Open question: none.

---

K-summary — Branch K verdict

ID	Severity	Type	Disposition
K1	high	gap (mission-explicit)	four phase gates: G-DESIGN/G-IMPL/G-ROUTE/G-PROD
K2	high	contradiction (F3)	severity-aware gate
K3	high	gap (mission-explicit)	president-only, TTL, replacement-plan gate waiver; non-waivable safety invariants
K4	medium	brittleness (A4)	emergency fallback lane
K5	medium	rigor	exact evidence manifest; CI-must-have-failed proof
K6	medium	rigor	PG-vs-code CI split; UNVERIFIABLE-pre-CI
K7	low	ordering	coverage gate precedes Đ32 quorum

K1 + K3 are the mission-mandated structural additions; K2 + K4 carry the F3/A4 fixes into the gate so it is neither permanently-red nor brittle.