49 — GCOS Implementation Gate Checklist (master pre-build gate: approvals, blockers, docs, rehearsal evidence, rollback, no-hardcode/no-island, boundaries, report fields, design-only, 2026-06-01)
49 — GCOS Implementation Gate Checklist
Path: knowledge/dev/reports/architecture/one-roof-governance-technical-addendum-and-implementation-index-2026-06-01/
Doc: 49.
Role: The single master checklist that MUST pass before any GCOS / T6 / T7 build step COMMITs anything to PG. If any MUST item is NOT-MET, build is NO-GO for that step.
Status: CHECKLIST / CONTROL DOCUMENT ONLY. Zero mutation. As of 2026-06-01 the checklist as a whole is NOT-MET → build NO-GO (G-C7 pending, G-DDL not rehearsed live, os_proposal_approvals=0).
Date: 2026-06-01.
Authority: doc 42 §42.5 (gate table), doc 46 (C-7), doc 47 §47.12 (residual controls RR-1..RR-12), doc 00 §0.6/§0.9, muc-tieu-mo law §6 (gate-before-live-action) + §5 (constitutional guardrails).
How to use: run top-to-bottom before a build/commit. Mark each item PASS / NOT-MET with evidence. A single NOT-MET MUST item ⇒ STOP, do not COMMIT. "Scoped per step" means: a step that only builds SB-12 need not satisfy SB-10's items, but must satisfy every item in its own column.
49.0 The master gate (non-negotiable, checked first)
| # | MUST hold | Evidence | Status 2026-06-01 |
|---|---|---|---|
| M-1 | os_proposal_approvals > 0 with a named human sovereign approval for THIS build step | SELECT count(*) FROM os_proposal_approvals + the approval row | NOT-MET (=0) ⇒ COMMIT_FORBIDDEN |
| M-2 | No forbidden action in scope (doc 00 §0.6): no Directus/Qdrant/Nuxt mutation, no law enactment, no version/status bump, no self-approval, no emit before register | step plan reviewed against §0.6 | design-only: MET; build: re-check |
| M-3 | The step is reversible by default (rollback/disable plan staged) | doc 42 §42.7 mapping + this doc §49.4 | depends on step |
| M-4 | The step does not create a second governance roof (no-island) | §49.6 no-island check | MET by design |
| M-5 | No hardcoded class/axis/owner/rule/scope literal introduced (no-hardcode) | §49.6 no-hardcode check | MET by design |
If M-1 is NOT-MET, stop here — nothing else matters; no COMMIT is possible.
49.1 Required approvals (who must have said yes, recorded, not self-approved)
| Approval | Required for | Recorded where | Status |
|---|---|---|---|
| A-1 Human sovereign (President) approval for the specific build step | ANY COMMIT (DDL/DML/registration) | os_proposal_approvals + APR | NOT-MET (0 rows) |
| A-2 Đ32 APR quorum (president + 2 AI council; fn_apr_quorum_check; proposer ≠ approver) | any apply / ruleset activation / owner-edge write | approval_requests (approved) | NOT-MET |
| A-3 C-7.1 input-trust ruling | activating dot_governance_input_gate trust classification | doc 46 §46.1 motion ratified | PENDING |
| A-4 C-7.2 ruleset-owner ruling | activating any governance_ruleset (SB-12) | doc 46 §46.2 motion ratified | PENDING |
| A-5 C-7.3 backfill-ruleset ruling | seeding backfill verdicts (Branch A) | doc 46 §46.3 motion ratified | PENDING |
| A-6 C-7.4 60-day cut-over ruling | legacy-escalation rule in candidate/exception DOTs | doc 46 §46.4 motion ratified | PENDING |
| A-7 C-7.5 observer-trigger ruling | Option B fail-open observer trigger (optional) | doc 46 §46.5 motion ratified | PENDING (Option A needs none) |
| A-8 C-1 (SB-2 ownership table) + C-2 (SB-1 action-types) | owner-relevant T6 work / the apply DOT | doc 23 council packet | PENDING |
| A-9 H-1/H-2/SB-6 sovereign sign-off | the only mutating DOT dot_governance_assignment_apply | recorded approval | NOT-MET |
Self-approval bar: every approval above must have proposer ≠ approver; fn_apr_quorum_check enforces it; no agent approves its own proposal. A C-7 ruling is a recorded governed decision, never an inline code default.
49.2 Required blockers cleared (per build step)
| Step | Blockers that MUST be cleared first | Status |
|---|---|---|
| Build SB-12 (governance_ruleset + reuse evolution_snapshots) | G-DESIGN (doc 38 accepted) + G-DDL (rehearsed) + A-1 + A-4 (ruleset owner) | design done; rest PENDING |
| Build SB-13 (gov_worker_cursor + reuse queue_heartbeat/event_pending) | G-DESIGN (doc 39) + G-DDL + A-1 | PENDING |
| Build SB-10 (governance_candidate_state + optional object/run) | G-DESIGN (doc 40) + G-DDL + SB-12 + SB-13 built + A-1 | PENDING |
| Register SB-11 governance domain (active=false first) | G-DESIGN (doc 41) + G-RBE discipline + A-1; activate active=true only at T7 build after full taxonomy | PENDING |
| Activate Branch A backfill seed | SB-10/12/13 built + A-5 (backfill ruleset) + C-7.3 | PENDING |
| Activate Branch B handoff intake (Option A) | SB-13 built + SB-11 registered | PENDING (Option A needs no Birth change) |
| Activate Branch C/D input-gate + candidate scan | SB-10 built + A-3 (input trust) | PENDING |
| T6 build (register 7 scanner DOTs) | SB-10 + SB-12 + SB-13 built + the 10 addenda + A-1 | NO-GO |
| T7 build (activate governance domain emit) | full taxonomy incl. 19 GCOS types + SB-11 + G-RBE + A-1 | NO-GO |
| Apply DOT (dot_governance_assignment_apply) | SB-1 Phase-B handler flipped + SB-2 live + A-2 quorum + A-9 sovereign + M-1 | NO-GO |
Open substrate blockers (all must reach "built/ruled" for full T6/T7 build): SB-10, SB-11, SB-12, SB-13 (design-complete, build NO-GO); C-7.1–C-7.5 (pending); SB-1/SB-2 (design-complete, build NO-GO); SB-3 (caps IU axis-grain at 3); H-1/H-2/SB-6 (apply).
49.3 Required docs read (in order) before any build step
MUST have read, in the doc 45 §45.5 order: muc-tieu-mo law → doc 00 → doc 03 → doc 45 → doc 42 → docs 38→39→40→41 → docs 31→32→33→34→35 → doc 46 (C-7) → doc 47 (red-team) → docs 24+25 through the lens of the 10 addenda + live corrections → doc 48 (rehearsal) → this doc 49. Evidence: the build report's "controlling sources used" lists them in conflict order (doc 45 §45.2). A build agent that has not read doc 45 and doc 47 is NOT-MET.
49.4 Required rehearsal evidence (per DDL/DML/registration step)
| Item | MUST show | From |
|---|---|---|
| RE-1 | A green read-only pre-flight (doc 45 §3 block): current birth_registry size, target tables ABSENT, os_proposal_approvals, watermark types, no governance event domain | doc 48 §2 of each prompt |
| RE-2 | A BEGIN..ROLLBACK transcript for the step's DDL/DML, run in author-mode (workflow_admin), ending in ROLLBACK | doc 48 prompts 1–6 |
| RE-3 | An entry==exit proof: numeric pre/post snapshot table, all equal | doc 48 prompt 7 |
| RE-4 | An additivity proof: only CREATE TABLE/additive rows; greenfield (tables empty at create); DROP/active=false/row-delete is full rollback | doc 42 §42.7 |
| RE-5 | Zero-emit proof for any registration step: event_outbox governance count == baseline (== 0) | doc 48 prompt 4/7 |
| RE-6 | No-collision proof: target table names not already present; reuse-table row keys (worker_name/domain/scope) don't collide | doc 48 §2 |
| RE-7 | Watermark predicate tested against both an int source (birth/changelog) and a uuid source (outbox) | doc 48 prompt 2 (RR-8) |
A step lacking RE-1..RE-7 for its scope is NOT-MET.
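One way to script the RE-2, RE-3, RE-5 and RE-6 evidence for a single step, as an added example that is not part of the GCOS documents or code. It uses an in-memory SQLite database as a constructed stand-in for PG: the table names come from this checklist, while the columns, the rows, the `domain` column on event_outbox, the helper names, and the choice to sample the governance event count before ROLLBACK are all assumptions.

```python
import sqlite3

def make_demo_db():
    """Constructed stand-in for the live database; columns and rows are invented."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # no implicit BEGIN/COMMIT
    db.executescript("""
        CREATE TABLE birth_registry (id INTEGER PRIMARY KEY, collection_name TEXT);
        CREATE TABLE event_outbox (id TEXT PRIMARY KEY, domain TEXT);
        CREATE TABLE os_proposal_approvals (id INTEGER PRIMARY KEY, approver TEXT);
        INSERT INTO birth_registry (collection_name) VALUES ('a'), ('b'), ('c');
        INSERT INTO event_outbox VALUES ('u-1', 'birth');
    """)
    return db

def snapshot(db, target):
    """Numeric snapshot for the pre-flight (RE-1) and entry==exit (RE-3) checks."""
    def one(sql, *params):
        return db.execute(sql, params).fetchone()[0]
    tables = "SELECT count(*) FROM sqlite_master WHERE type = 'table'"
    return {
        "tables": one(tables),
        "target_present": one(tables + " AND name = ?", target),
        "birth_registry": one("SELECT count(*) FROM birth_registry"),
        "os_proposal_approvals": one("SELECT count(*) FROM os_proposal_approvals"),
        "governance_events": one("SELECT count(*) FROM event_outbox WHERE domain = 'governance'"),
    }

def rehearse(db, target, statements):
    """Run the step inside BEGIN..ROLLBACK and return the evidence."""
    pre = snapshot(db, target)
    failures = ["RE-6: target table already present"] if pre["target_present"] else []
    transcript, inside = ["BEGIN"], pre
    db.execute("BEGIN")
    try:
        for stmt in statements:
            transcript.append(stmt)
            db.execute(stmt)
        inside = snapshot(db, target)  # still inside the open transaction
    except sqlite3.Error as exc:
        failures.append(f"RE-2: statement failed: {exc}")
    finally:
        db.execute("ROLLBACK")  # a rehearsal never ends in COMMIT
    post = snapshot(db, target)
    if post != pre:
        failures.append("RE-3: entry != exit")
    if inside["governance_events"] != pre["governance_events"]:
        failures.append("RE-5: governance event written during the step")
    return {"verdict": "NOT-MET" if failures else "PASS", "failures": failures,
            "pre": pre, "post": post, "transcript": transcript + ["ROLLBACK"]}
```

A step that writes a governance row to event_outbox and then rolls back still satisfies entry==exit, which is why the RE-5 count is sampled inside the transaction here.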
49.5 Required rollback plan (staged before COMMIT)
Each build step MUST have a pre-written, tested rollback (doc 42 §42.7):
- Additive CREATE TABLE → DROP TABLE (empty at create; rehearsed in BEGIN/ROLLBACK).
- evolution_snapshots governance rows → DELETE WHERE scope LIKE 'governance.%'.
- event_pending/queue_heartbeat governance rows → DELETE by distinct worker/domain names.
- Registered event types → active=false or delete (no emit occurred while inactive → nothing downstream to unwind).
- Worker start → stop; the cursor watermark is the durable resume/disable point.
- Apply DOT → N/A today (never reached; blocked by fn_apr_block_unimplemented_handler).
- Disable-before-apply: every mutating member has a kill-switch; no irreversible step exists in the GCOS substrate.
A step without a staged, tested rollback is NOT-MET.
49.6 Required no-hardcode / no-island checks
No-hardcode (every literal sourced from a registry/catalog/config; muc-tieu-mo §5; doc 42 §42.9):
- Object classes ← meta_catalog.entity_type (not a code array).
- Members ← meta_catalog.registry_collection.
- Source registries ← birth_registry.collection_name.
- Axes ← Axis Registry (M-DEF-9) / interim pivot_definitions + law_jurisdiction; absence ⇒ axis_unregistered finding, never an invented list (RR-? / RT-42).
- Scopes ← governance_responsibility_scope (null-degrade, never guess).
- Rules/detectors ← enabled measurement_registry rows, hashed into ruleset_version.
- Severity computed; owner/route via v_object_effective_owner → default_owner_hint → GOV-COUNCIL.
- grep the build for literal class/axis/owner arrays — none permitted (RR-12 / RT-70). Missing source ⇒ fail-closed + finding.
No-island (one of each central object; doc 42 §42.8):
- One event domain (event_type_registry governance), one bus (event_outbox), one capture lane (event_pending), one issue store (system_issues), one audit (registry_changelog), one heartbeat (queue_heartbeat), one cursor family (gov_worker_cursor shape), one candidate store (governance_candidate_state).
- Zero new bus / store / notifier created (RR-10 / RT-60). SB-11 = 0 new tables.
- Detection (GOV-SIV / Đ31) → council/owner approve (Đ32) → GOV-DOT execute (Đ35); no self-apply.
49.7 Required Directus / Nuxt / event / DOT boundaries
- Directus: no schema/collection mutation via the build; governance objects are PG-first (assembly flow PG → Directus → Nuxt; no direct PG from Nuxt).
- Nuxt / UI / API: no full-table scan of birth_registry (1.04M+) or the candidate store; UI reads coverage summary views only (counts, invariant ledger) — RR-12 / RT-69 / scale control #14 / Điều 28.
- Event (Điều 45): register-before-emit — governance event types exist active=false before any emit is possible; no emit until T7 build + full taxonomy (RR-9 / RT-57); queue carries signal not data; event≠job; MOT-not-executor; silent-gap heartbeat present.
- DOT (Điều 35 / DOT-100%): every GCOS DOT registered in dot_tools with a dot_coverage_required row and a paired test DOT (A/B); GCOS DOTs are tier-A read/propose; the only mutating DOT (dot_governance_assignment_apply) is NO-GO; governance APRs use action='review', never 'add' (RR-11 / RT-64).
- Birth boundary: default handoff is Option A (cursor-tail, Birth untouched); any Birth trigger (Option B) is NO-GO until C-7.5 ruled + a rehearsal proving fail-open (RR? / RT-22/RT-23); Option C inline is forbidden.
49.8 Residual build-time controls (from doc 47 §47.12 — all MUST be satisfied)
| ID | Control (MUST hold at build) | Verify |
|---|---|---|
| RR-1 | Cursor primary key = id (int, NN), not born_at; full audit reconciles status vs last-seen | schema + worker logic |
| RR-2 | GCOS raises input_duplicate/owner_conflict only; never merges cross-registry identities (birth/council job) | DOT logic |
| RR-3 | ruleset_changed handoff computes affected scope from changed measurement_registry rows; no blanket-dirty; storm ceiling on | handoff logic + addendum #7 |
| RR-4 | Candidate store has NO is_governed/checked boolean; verdict = decaying triple | schema review (grep) |
| RR-5 | Group's defining tuple stored beside group_key; tuple-equality verified on read | schema |
| RR-6 | Emit governance_schema_drift if any IU object presents a 4th axis while iu_three_axis_envelope is 3-column | scanner logic; SB-3 generalizes |
| RR-7 | Auto-close re-keyed by (coalesce_key, ruleset_version) (addendum #8) — mandatory | T7 build |
| RR-8 | Watermark is text + typed numeric predicate; rehearsed on int AND uuid sources | doc 48 prompt 2 |
| RR-9 | Governance event rows active=false until T7 build + full taxonomy; flip only then | registration step |
| RR-10 | Zero new bus/store/notifier | no-island check §49.6 |
| RR-11 | Every governance APR action='review', never 'add' | propose DOT |
| RR-12 | UI summary-views only; no hardcoded arrays (grep); doc 49 run before T6/T7 build; cross-ref headers retained in docs 24/25 | review |
49.9 Required final-report fields (every build/rehearsal macro)
Extends doc 00 §0.9 + doc 45 §45.8. The build report MUST contain:
- Status — PASS / PARTIAL (+exact blocker) / BLOCKED.
- Step + gate — which blocker/branch/track + which gate(s) (M-1..M-5, G-DDL/G-RBE/…).
- Controlling sources — in conflict order (doc 45 §45.2); must include docs 45, 42, 47, 49 + the relevant detailed design.
- Live re-verification block — doc 45 §3 facts re-run with current numbers (birth size, table presence, os_proposal_approvals, governance domain, watermark types).
- Approvals — A-1..A-9 status, each with the recorded approval row or "PENDING/NOT-MET"; explicit os_proposal_approvals count.
- Rehearsal evidence — RE-1..RE-7 transcripts; entry==exit proof.
- Rollback — the staged/tested rollback for the step (§49.5).
- No-hardcode / no-island attestation — §49.6 checkboxes all ticked with evidence.
- Boundaries — §49.7 Directus/Nuxt/event/DOT/Birth boundaries confirmed.
- Residual controls — RR-1..RR-12 applicable to this step, each PASS/NOT-MET.
- Mutation footprint — exact (rows/tables touched, all reversible); ROLLBACK used (rehearsal) or COMMIT authorized (with A-1 evidence).
- C-7 status — which items ruled vs pending; what that unlocked/blocked.
- Next allowed macro — from doc 50.
- Forbidden-compliance — explicit confirmation no forbidden action occurred.
49.10 Overall gate verdict (this checklist, as of 2026-06-01)
BUILD = NO-GO. Reasons (any one suffices): M-1 os_proposal_approvals = 0 ⇒ COMMIT_FORBIDDEN; G-C7 (A-3..A-7) PENDING; G-DDL not yet rehearsed live (doc 48 prompts not executed); SB-10/11/12/13 not built; SB-1/SB-2 not built (owner-relevant work + apply); the 10 addenda not applied. Design-prep = COMPLETE (docs 38–42 + 45–48 + this doc). The checklist becomes runnable the moment a real build macro is authorized; until then it stands as the stop-gate.
To flip a single step to GO: satisfy every MUST item in that step's column of §49.0–§49.8, obtain the named approvals (§49.1), produce the rehearsal evidence (§49.4), stage the rollback (§49.5), pass the no-hardcode/no-island/boundary checks (§49.6–§49.7), and satisfy the applicable residual controls (§49.8). No step may be flipped to GO by self-approval.