53 — GCOS Rehearsal Orchestration Plan (sequence not execution: SB-12→SB-13→SB-10→SB-11→combined→T6/T7→rollback; BEGIN..ROLLBACK, entry==exit, COMMIT forbidden, design-only, 2026-06-01)
Path: knowledge/dev/reports/architecture/one-roof-governance-technical-addendum-and-implementation-index-2026-06-01/
Doc: 53.
Role: Defines the sequence and gating of the GCOS author-mode rehearsals — not their execution. It wires the 7 paste-ready prompts of doc 48 into an ordered, prerequisite-gated plan with, per step: prerequisite, input docs, allowed channel, forbidden actions, expected evidence, success criteria, rollback proof, and next gate.
Status: ORCHESTRATION / CONTROL DOCUMENT ONLY. Zero execution. Zero mutation. No rehearsal is run by this doc. Every rehearsal, when later run, is author-mode BEGIN..ROLLBACK ending in ROLLBACK, proving entry==exit, and forbids COMMIT (os_proposal_approvals = 0 ⇒ COMMIT_FORBIDDEN).
Date: 2026-06-01.
Authority: doc 48 (the prompts), doc 42 §42.5 (gate table) / §42.7 (rollback model), doc 45 §45.3 (live corrections) / §45.5 (read order), doc 49 (gate checklist + RE-1..RE-7 + RR-1..RR-12), doc 19 (operator handoff), muc-tieu-mo §6 (gate-before-live-action).
53.0 Orchestration principles (true of every step)
- Rehearsal ≠ build. A rehearsal proves DDL/DML is additive and reversible; it never commits. The line between rehearsal and build is a single human act: a recorded sovereign approval (os_proposal_approvals > 0) and every doc-49 gate green. Until then, ROLLBACK is mandatory and COMMIT is forbidden.
- Two channels, strictly separated.
  - Read-only pre-flight / post-checks → query_pg MCP (AST-validated, READ ONLY, 5 s timeout, 500-row LIMIT — cannot run DDL/DML). This is the channel this mission used for the §53.6 live snapshot.
  - BEGIN..ROLLBACK DDL/DML rehearsal → the operator author-mode channel only: ssh contabo → docker exec -it postgres psql -U workflow_admin -d directus (doc 19). The read-only role cannot rehearse DDL; the operator role can, but every rehearsal ends in ROLLBACK.
- Live wins, every step. Each step re-runs the doc 45 §45.3 live block first (birth size, table absence, os_proposal_approvals, watermark types, no governance domain) and uses the current numbers. If a target table already exists → STOP (not greenfield). If os_proposal_approvals ≠ 0 is being relied on without a recorded sovereign approval → STOP.
- Entry==Exit is the pass test. Every step captures a numeric pre-state and a post-ROLLBACK state and asserts they are identical. A step that cannot prove entry==exit has FAILED — report it, do not "clean up" by mutating, escalate to operator.
- Dependency order is binding. SB-10 consumes SB-12 (snapshot/ruleset) + SB-13 (cursors); it cannot be rehearsed meaningfully before them. SB-11 is register-before-emit and comes last. The order below is the doc 42 build order, rehearsed.
- Sequence, not execution. This plan schedules which rehearsal runs when and what must already be true. It runs nothing.
53.1 Step R-1 — SB-12 source-snapshot / ruleset registry (BEGIN..ROLLBACK)
- Prerequisite. State recovery done (doc 45 read order); G-DESIGN for SB-12 accepted (doc 38); operator author-mode channel available; live block re-verified; governance_ruleset confirmed ABSENT (live 2026-06-01: NULL). No prerequisite rehearsal (SB-12 is first / cheapest).
- Input docs. muc-tieu-mo law; doc 45; doc 42; doc 38 (SB-12); doc 46 §46.2/§46.3 (C-7.2/C-7.3 — ruleset ownership context); doc 48 Prompt 1 (the paste-ready prompt).
- Allowed channel. Read-only pre-flight via query_pg; the CREATE TABLE governance_ruleset + one evolution_snapshots governance-row insert via operator psql, one transaction, ROLLBACK.
- Forbidden actions. No COMMIT; no Directus/Qdrant/Nuxt mutation; no DOT/event registration; no emit; no approval/self-approval; no law write (normative_registry/law_catalog/governance_docs byte-identical); no ruleset activation (status stays draft); no version/status bump.
- Expected evidence. Live values (governance_ruleset NULL, evolution_snapshots ≈1, measurement_registry 142/140, os_proposal_approvals 0); pre/post snapshot; full BEGIN..ROLLBACK transcript; documented ruleset_version hash recipe (140 enabled measurement rows ⊕ profile ⊕ axis ⊕ scope, canonical order, absent-component marker); proof normative_registry/law_catalog unchanged (doc 38 §38.10 #4).
- Success criteria. governance_ruleset created then fully removed by ROLLBACK (DROP-equivalent reversibility); zero row persisted in any reuse/law table; ruleset recorded draft, not activated; os_proposal_approvals still 0; entry==exit proven.
- Rollback proof. ROLLBACK drops the empty new table and discards the snapshot insert; post-state: to_regclass('governance_ruleset') IS NULL, evolution_snapshots count unchanged. (doc 42 §42.7 additive-table rollback.)
- Next gate. Feeds G-DDL evidence for SB-12. Unblocks R-2 (independent) and is a hard input to R-3 (SB-10 keys on ruleset_version).
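One possible shape for the ruleset_version recipe named under Expected evidence, as an added example (not the recipe from doc 38, which this page does not reproduce). SHA-256, the tag bytes, the marker value, the row identifiers and the reading of ⊕ as ordered concatenation are all assumptions; naive_version is the delimiter-joined form it is contrasted with.

```python
import hashlib

ABSENT = b"\x00"    # hypothetical absent-component marker
PRESENT = b"\x01"


def _component(tag, value):
    """Tag + presence byte + length-prefixed UTF-8 value, so None differs from ''."""
    if value is None:
        return tag + ABSENT
    raw = value.encode("utf-8")
    return tag + PRESENT + len(raw).to_bytes(4, "big") + raw


def ruleset_version(enabled_rows, profile, axis, scope):
    """Hash the enabled rows in canonical (sorted) order, then the three components."""
    h = hashlib.sha256()
    rows = sorted(enabled_rows)               # independent of query/result order
    h.update(len(rows).to_bytes(4, "big"))    # row count fixes where the rows end
    for row in rows:
        h.update(_component(b"R", row))
    for tag, value in ((b"P", profile), (b"A", axis), (b"S", scope)):
        h.update(_component(tag, value))
    return h.hexdigest()


def naive_version(enabled_rows, profile, axis, scope):
    """Contrast case: '|'-joined text, no canonical order, absent folded into ''."""
    parts = list(enabled_rows) + [profile or "", axis or "", scope or ""]
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()


# Constructed sample: three enabled measurement row ids.
ROWS = ["m-003", "m-001", "m-002"]

if __name__ == "__main__":
    print(ruleset_version(ROWS, "default", None, "governance.all"))
    # The naive form cannot tell an absent profile from an empty one:
    print(naive_version(ROWS, None, "x", "s") == naive_version(ROWS, "", "x", "s"))
```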
53.2 Step R-2 — SB-13 worker-cursor family (BEGIN..ROLLBACK)
- Prerequisite. State recovery done; G-DESIGN for SB-13 accepted (doc 39); gov_worker_cursor confirmed ABSENT (live: NULL); the int-vs-uuid watermark mismatch re-verified (live 2026-06-01: birth.id/changelog.id=integer, cursor/outbox=uuid). Independent of R-1 (may run in parallel or before SB-10).
- Input docs. muc-tieu-mo law; doc 45; doc 42; doc 39 (SB-13); doc 48 Prompt 2.
- Allowed channel. Read-only pre-flight via query_pg (incl. the information_schema.columns watermark-type check); CREATE TABLE gov_worker_cursor (type-generalized text watermark) + one queue_heartbeat governance-row insert via operator psql, one transaction, ROLLBACK.
- Forbidden actions. No COMMIT; no worker start; no cron; no emit; no approval; no law/version change.
- Expected evidence. Live values (gov_worker_cursor NULL, queue_heartbeat=3, event_pending=0, iu_route_worker_cursor=1, the 4-row watermark-type result); pre/post snapshot; BEGIN..ROLLBACK transcript; keyset predicate tested against BOTH an int source (birth/changelog) AND a uuid source (outbox) — both return rows with no type error (RR-8 / RE-7); 5 worker rows modeled (gov_backfill_sweep, gov_handoff_intake, gov_input_gate, gov_candidate_scan, gov_periodic_full_audit), none started.
- Success criteria. gov_worker_cursor created then removed by ROLLBACK; queue_heartbeat governance rows removed by ROLLBACK; last_watermark_id is text and the typed numeric predicate works on int and uuid sources; no worker started; os_proposal_approvals still 0; entry==exit proven.
- Rollback proof. ROLLBACK drops the empty cursor table and discards the heartbeat insert; post-state: gov_worker_cursor NULL, queue_heartbeat count unchanged, event_pending=0.
- Next gate. Feeds G-DDL evidence for SB-13. Hard input to R-3 (SB-10 is seeded/dirtied via cursors).
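Why a text watermark still needs a typed predicate, as an added example rather than code from doc 39: comparing ids as text silently stalls an integer source, while casting the stored text back to the source's own type pages correctly over both an int and a uuid source. The function names, sample ids and page size are constructed for illustration.

```python
import uuid


def parse_watermark(text, source_type):
    """Cast the stored text watermark back to the source's native id type."""
    if source_type == "integer":
        return int(text)
    if source_type == "uuid":
        return uuid.UUID(text)
    raise ValueError(f"unsupported watermark type: {source_type}")


def naive_page(ids, last_watermark, limit):
    """Anti-pattern: compare ids as text ('10' > '9' is False, so rows are skipped)."""
    return sorted((i for i in ids if str(i) > last_watermark), key=str)[:limit]


def typed_page(ids, last_watermark, source_type, limit):
    """Keyset page in native order; SQL analogue: id > $1::integer or id > $1::uuid."""
    if last_watermark is None:
        pending = sorted(ids)
    else:
        floor = parse_watermark(last_watermark, source_type)
        pending = sorted(i for i in ids if i > floor)
    page = pending[:limit]
    new_watermark = str(page[-1]) if page else last_watermark
    return page, new_watermark


def drain(ids, source_type, limit=2):
    """Advance a text cursor page by page; returns every id in visit order."""
    seen, watermark = [], None
    while True:
        page, watermark = typed_page(ids, watermark, source_type, limit)
        if not page:
            return seen
        seen.extend(page)


# Constructed sample sources: one integer-keyed, one uuid-keyed.
INT_IDS = [2, 9, 10, 11, 100]
UUID_IDS = [uuid.UUID(int=n << 120) for n in (0x0A, 0x9F, 0xB0)]

if __name__ == "__main__":
    print(naive_page(INT_IDS, "9", 10))             # text compare: nothing left to read
    print(typed_page(INT_IDS, "9", "integer", 10))  # typed compare: 10, 11, 100 remain
    print(drain(UUID_IDS, "uuid"))
```

A cursor whose stored watermark does not parse as the source's type raises ValueError instead of comparing, which is the loud failure a worker wants here.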
53.3 Step R-3 — SB-10 candidate-state store (BEGIN..ROLLBACK) — GCOS keystone
- Prerequisite. R-1 (SB-12) and R-2 (SB-13) rehearsed green first (or rehearsed together in R-5); G-DESIGN for SB-10 accepted (doc 40); all 3 candidate tables confirmed ABSENT (live: NULL); birth_registry.canonical_address re-verified 0 non-null (live 2026-06-01) ⇒ candidate_key = collection_name:entity_code.
- Input docs. muc-tieu-mo law; doc 45; doc 42; doc 40 (SB-10); doc 34 (Branch D); doc 38 + doc 39 (the two dependencies); doc 48 Prompt 3.
- Allowed channel. Read-only pre-flight via query_pg (incl. count(canonical_address)=0 and derived_objects_registry refresh_strategy 3-mode precedent); CREATE TABLE governance_candidate_state (group-grain) + optional governance_candidate_object + candidate_scan_run via operator psql, one transaction, ROLLBACK.
- Forbidden actions. No COMMIT; no emit; no approval; no law/version change; no is_governed/checked boolean column (the checked-forever anti-pattern, RR-4); no per-child row explosion.
- Expected evidence. Live values (3 tables NULL, birth ≈1.04M / canonical 0, refresh_strategy distribution); pre/post snapshot; BEGIN..ROLLBACK transcript; grep proof the CREATE has NO is_governed/checked column (verdict = decaying triple snapshot⊕ruleset⊕scan_time); candidate_key uses COALESCE(canonical_address, collection_name||':'||entity_code); object table materializes only for the 4 criteria (indep-authoritative / open-finding / exception / high-risk-write); group-grain Δrows=0 inheritance shown.
- Success criteria. 3 tables created then removed by ROLLBACK; no checked-forever boolean exists; candidate_key correct under the NULL-canonical correction; group-grain default proven; ruleset_version/source_snapshot_ref resolvable to the SB-12 objects from R-1; os_proposal_approvals still 0; entry==exit proven.
- Rollback proof. ROLLBACK drops all 3 empty tables; post-state: all to_regclass NULL, birth_registry count unchanged.
- Next gate. Feeds G-DDL evidence for SB-10 (the convergence blocker). Unblocks R-4 (SB-11 references the candidate/finding taxonomy) and the eventual T6 build.
53.4 Step R-4 — SB-11 register-before-emit (BEGIN..ROLLBACK, ZERO new tables, ZERO emit)
- Prerequisite. R-1..R-3 rehearsed (or R-5 combined); G-DESIGN for SB-11 accepted (doc 41); event_type_registry confirmed to have no governance domain (live 2026-06-01: iu 16/16, mother 9/0, piece 6/6, staging 5/5, system 4/3); event_outbox baseline recorded.
- Input docs. muc-tieu-mo law (incl. Điều 45 Queue Law); doc 45; doc 42; doc 41 (SB-11); doc 24 (T7 taxonomy — for the event-type names); doc 48 Prompt 4.
- Allowed channel. Read-only pre-flight via query_pg; NO CREATE TABLE (SB-11 = 0 new tables); rehearse inserting the governance domain rows into event_type_registry with active=false via operator psql, one transaction, ROLLBACK.
- Forbidden actions. No COMMIT; NO emit to event_outbox (count must equal baseline inside and after the txn); no DOT registration; no approval; no law change; no active=true row (register-before-emit — rows exist inactive before any emit is even possible, Điều 45).
- Expected evidence. Live values (no governance domain; event_outbox baseline; event_pending=0 / event_read≈182k / event_subscription=3); pre/post snapshot; BEGIN..ROLLBACK transcript; zero-emit proof (event_outbox governance count == baseline == 0 throughout, RE-5); proof of 0 new tables (pure reuse — no second bus/store, no-island).
- Success criteria. Governance rows registered active=false then removed by ROLLBACK; zero rows ever active=true; zero event_outbox emit; 0 new tables; register-before-emit demonstrated; os_proposal_approvals still 0; entry==exit proven.
- Rollback proof. ROLLBACK discards the inactive registry rows; post-state: event_type_registry has 0 governance rows again; event_outbox == baseline; no new tables.
- Next gate. Feeds G-RBE discipline evidence (rows registered-before-emit). Governance active=true flip is deferred to T7 build after the full taxonomy — never at rehearsal (RR-9).
53.5 Step R-5 — Combined GCOS substrate rehearsal (SB-12→SB-13→SB-10→SB-11, one ROLLBACK)
- Prerequisite. R-1..R-4 individually green is recommended but R-5 may stand alone as the dependency-ordered integration rehearsal; build order = SB-12 → SB-13 → SB-10 → SB-11 (doc 42); all 5 target tables confirmed ABSENT (live 2026-06-01: all NULL).
- Input docs. muc-tieu-mo law; doc 45; doc 42 (build order / dependency graph / gate table / rollback); doc 38/39/40/41; doc 46 (C-7); doc 48 Prompt 5.
- Allowed channel. Full read-only pre-flight via query_pg (the entire doc 45 §45.3 block); the four blockers' DDL/DML in dependency order via operator psql, ONE transaction across all four, ROLLBACK.
- Forbidden actions. No COMMIT; no emit; no worker start; no cron; no approval/self-approval; no law/version change.
- Expected evidence. Full live block; pre/post snapshot of all 5 tables + reuse-table counts; one BEGIN..ROLLBACK transcript spanning all four blockers; cross-checks inside the txn: candidate_state.ruleset_version resolvable to governance_ruleset; zero emit; no law tables touched; footprint proven ≤ 4 additive tables (1 optional) + 0 new buses/stores (doc 42 footprint claim); no-island + no-hardcode attestation.
- Success criteria. All four blockers rehearsed in dependency order in one reversible transaction; full ROLLBACK leaves entry==exit; no-island proven (one bus / issue-store / audit / cursor-family / candidate-store); no-hardcode proven (classes/axes/scopes/rules sourced from registries); zero emit, zero COMMIT, os_proposal_approvals still 0.
- Rollback proof. Single ROLLBACK removes all 5 tables and all reuse-row inserts; post-state: all to_regclass NULL, 0 governance event rows, event_outbox == baseline, all reuse-table counts unchanged.
- Next gate. Produces the consolidated G-DDL + G-RBE rehearsal evidence (RE-1..RE-7 for the whole substrate). Hard prerequisite for R-6 (T6/T7 patch) and for any future build authorization.
53.6 Step R-6 — T6/T7 patch rehearsal (the 10 build addenda; additive rows + doc-patch diffs)
- Prerequisite. R-5 (or R-1..R-4) green; the 10 addenda count pinned at 10 (doc 45 §45.4; doc 35 §7's "eleven" is OI-45-1 doc-drift); SB-10/11/12/13 rehearsals complete.
- Input docs. muc-tieu-mo law; doc 45 §45.4 (the 10 addenda, pinned); doc 42; doc 35 §3.2; doc 24 (T7) + doc 25 (T6) read through the addenda lens; doc 48 Prompt 6.
- Allowed channel. Read-only pre-flight via query_pg; Part A — additive-row rehearsal (dot_coverage_required governance rows, 4 GCOS DOT rows in dot_tools, governance event types active=false) via operator psql, one transaction, ROLLBACK; Part B — KB doc-patch DIFF ONLY against docs 24/25/concept §11 (produce the patch text, do not write it).
- Forbidden actions. No COMMIT; no DOT registration (no committed dot_tools insert); no event activation (active stays false); no emit; no approval; no law change; no write to docs 24/25 (diffs only — the cross-ref headers from doc 45 §45.9 remain the only change to those docs).
- Expected evidence. Live baselines (dot_coverage_required, dot_tools, event_type_registry governance absent/inactive); pre/post snapshot (all unchanged); BEGIN..ROLLBACK transcript for Part A; all 10 addenda enumerated with their exact patch diffs (Part B), confirming #1 dirty+stale L1, #2 input-gate-pre-enforced L2, #3 lifecycle pre-stages, #6 +19 finding types, #7 group_key coalesce + storm ceiling, #8 auto-close re-key by (coalesce_key, ruleset_version), #10 production-gate fail-closed for high-risk stale/unknown; count == 10.
- Success criteria. 10 addenda enumerated; PG additive rows rehearsed then rolled back; doc-patch diffs produced but NOT written; no DOT registered, no event activated, no emit, no COMMIT; entry==exit proven.
- Rollback proof. Part-A ROLLBACK leaves dot_coverage_required/dot_tools/event_type_registry unchanged; Part B writes nothing (diff-only).
- Next gate. This is the last rehearsal before a gated T6/T7 build. T6/T7 build remains NO-GO (gated on SB-10/11/12/13 built + C-7 ruled + the doc 42 gate table + M-1).
53.7 Step R-7 — Rollback / entry==exit verification protocol (read-only; run after ANY rehearsal)
- Prerequisite. A rehearsal (R-1..R-6) has just been run; its PRE-STATE snapshot is in hand.
- Input docs. muc-tieu-mo law; doc 45 §45.3 (live correction block); doc 42 §42.7 (rollback model); doc 48 Prompt 7.
- Allowed channel. query_pg read-only ONLY — no mutation of any kind. (This step never uses the operator channel.)
- Forbidden actions. Any mutation; any "clean-up" write (if a difference is found, escalate — never mutate to fix).
- Expected evidence. A {object, pre, post, equal?} table covering: all 5 target tables absent (to_regclass NULL); evolution_snapshots WHERE scope LIKE 'governance.%' = 0; event_type_registry WHERE event_domain='governance' = 0; queue_heartbeat WHERE worker_name LIKE 'gov_%' = 0; event_pending = 0 unchanged; dot_tools WHERE dot_name LIKE 'dot_governance_%' = 0; event_outbox WHERE event_domain='governance' = 0 (never emitted); os_proposal_approvals = 0; normative_registry count == pre-rehearsal baseline (no law change).
- Success criteria. Every object's pre == post; zero governance emit; zero approval; zero law change. All equal ⇒ the rehearsal was non-destructive and reversible (PASS). Any difference ⇒ FAILURE + escalate to operator (do not self-repair).
- Rollback proof. This step is the rollback proof — it numerically certifies the prior rehearsal left zero footprint.
- Next gate. Closes the rehearsal cycle. Green R-7 across R-1..R-6 = the rehearsal-evidence column of doc 49 §49.4 (RE-1..RE-7) satisfied for the substrate. Build still gated on approvals (M-1) + C-7 + gate table.
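The pre/post comparison above, run end to end against an R-1 shaped rehearsal; this is an added example, not doc 48's prompt. Python's in-memory SQLite stands in for the operator psql channel (it also rolls back DDL inside a transaction), sqlite_master stands in for to_regclass, and the table columns and seed rows are hypothetical.

```python
import sqlite3

# Constructed miniature of three reuse tables; the real schemas are not on this page.
SETUP = """
CREATE TABLE evolution_snapshots (id INTEGER PRIMARY KEY, scope TEXT);
CREATE TABLE event_outbox (id INTEGER PRIMARY KEY, event_domain TEXT);
CREATE TABLE os_proposal_approvals (id INTEGER PRIMARY KEY);
INSERT INTO evolution_snapshots (scope) VALUES ('baseline');
INSERT INTO event_outbox (event_domain) VALUES ('iu');
"""

# Read-only probes modelled on the R-7 object list.
PROBES = {
    "governance_ruleset present": "SELECT count(*) FROM sqlite_master WHERE name = 'governance_ruleset'",
    "evolution_snapshots total": "SELECT count(*) FROM evolution_snapshots",
    "evolution_snapshots governance.%": "SELECT count(*) FROM evolution_snapshots WHERE scope LIKE 'governance.%'",
    "event_outbox governance": "SELECT count(*) FROM event_outbox WHERE event_domain = 'governance'",
    "os_proposal_approvals": "SELECT count(*) FROM os_proposal_approvals",
}


def make_db():
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/ROLLBACK only
    conn.executescript(SETUP)
    return conn


def snapshot(conn):
    return {name: conn.execute(sql).fetchone()[0] for name, sql in PROBES.items()}


def rehearse_r1(conn):
    """R-1 shaped rehearsal; returns the (pre, inside, post) snapshots."""
    pre = snapshot(conn)
    if pre["governance_ruleset present"]:
        raise RuntimeError("STOP: target table already exists (not greenfield)")
    conn.execute("BEGIN")
    try:
        # Hypothetical columns; the real DDL belongs to doc 38.
        conn.execute("CREATE TABLE governance_ruleset "
                     "(ruleset_version TEXT PRIMARY KEY, status TEXT DEFAULT 'draft')")
        conn.execute("INSERT INTO evolution_snapshots (scope) VALUES ('governance.ruleset')")
        inside = snapshot(conn)
    finally:
        conn.execute("ROLLBACK")  # the only ending; this function has no COMMIT path
    return pre, inside, snapshot(conn)


def entry_exit(pre, post):
    """Build the {object, pre, post, equal?} rows; a probe missing on one side fails."""
    rows = []
    for obj in sorted(set(pre) | set(post)):
        equal = obj in pre and obj in post and pre[obj] == post[obj]
        rows.append((obj, pre.get(obj), post.get(obj), equal))
    return rows, all(row[3] for row in rows)


if __name__ == "__main__":
    pre, inside, post = rehearse_r1(make_db())
    rows, passed = entry_exit(pre, post)
    for row in rows:
        print(row)
    print("PASS" if passed else "FAILURE: escalate to operator, do not self-repair")
```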
53.8 Orchestration sequence diagram (gating)
[State recovery: doc 45 read order] → [Live block re-verify: doc 45 §3 via query_pg]
  │
  ├─ R-1 SB-12 (snapshot/ruleset) ─┐
  ├─ R-2 SB-13 (worker cursors) ───┤ (R-1, R-2 independent; both precede R-3)
  │                                ▼
  │                 R-3 SB-10 (candidate-state keystone)
  │                                │
  │                                ▼
  │                 R-4 SB-11 (register-before-emit, 0 tables, 0 emit)
  │                                │
  └────────────── R-5 COMBINED (SB-12→13→10→11, one ROLLBACK) ──────────────┐
                                   │                                        │
                                   ▼                                        │
              R-6 T6/T7 patch (10 addenda; rows + diffs)                    │
                                   │                                        │
                                   ▼                                        │
          R-7 Rollback / entry==exit verification (read-only) ◄─────────────┘
                                   │
                                   ▼
     [Rehearsal-evidence (RE-1..RE-7) satisfied for the substrate]
                                   │
              ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ (the build line, NO-GO today)
                                   ▼
[doc 49 gates ALL green: M-1 os_proposal_approvals>0 + A-1..A-9 + C-7 + addenda] → GATED BUILD
R-7 runs after each of R-1..R-6 (per doc 48 Prompt 7 "after ANY rehearsal"), not only at the end. The combined R-5 is the integration rehearsal; R-1..R-4 are the per-blocker rehearsals that de-risk it.
53.9 Live readiness snapshot for the rehearsals (read-only, this mission, 2026-06-01)
Verified read-only via query_pg for this orchestration (live wins; re-verify at each rehearsal):
| Pre-flight fact every prompt asserts | Live value 2026-06-01 | Greenfield? |
|---|---|---|
| governance_ruleset (SB-12) | ABSENT (NULL) | ✅ |
| gov_worker_cursor (SB-13) | ABSENT (NULL) | ✅ |
| governance_candidate_state / _object / candidate_scan_run (SB-10) | all ABSENT (NULL) | ✅ |
| governance_object_ownership / _responsibility_scope (SB-2) | both ABSENT (NULL) | ✅ |
| birth_registry total / canonical_address non-null | 1,042,938 / 0 | key = collection_name:entity_code |
| watermark types (birth.id / changelog.id / cursor.last_event_id / outbox.id) | integer / integer / uuid / uuid | text-generalized needed |
| event_type_registry governance domain | absent (mother 9/0 is the inactive precedent) | register active=false |
| evolution_snapshots / measurement_registry (total/enabled) | 1 / 142(140) | ruleset hash input |
| event_outbox / event_pending baseline | 182,731 / 0 | zero-emit baseline; pending free |
| os_proposal_approvals | 0 ⇒ COMMIT_FORBIDDEN | master gate red |
Every step is greenfield and rehearsable; none is buildable. The rehearsals can be run today (operator channel) and will pass entry==exit; no rehearsal may become a build until doc 49's M-1 + C-7 + gate table are green.
53.10 What this doc does and does not do
- Does: sequence the 7 doc-48 rehearsals into a prerequisite-gated plan with, per step, prerequisite / input docs / allowed channel / forbidden actions / expected evidence / success criteria / rollback proof / next gate; provide the gating diagram and a current live readiness snapshot.
- Does NOT: execute any rehearsal; run any DDL/DML; COMMIT; emit; register any DOT/event; create any approval; mutate PG/Directus/Qdrant/Nuxt; enact law; bump any version/status; create a competing package. All build remains NO-GO.