KB-2CF7

70 — GCOS Build Order & Stop Conditions (future build, no build now, 2026-06-01)

Revision 1

  • Path: knowledge/dev/reports/architecture/one-roof-governance-technical-addendum-and-implementation-index-2026-06-01/
  • Doc: 70.
  • Role: Branch D of the gated build-intake packet. Defines the possible future build order with per-step prerequisite / live re-verify / allowed-mutation-if-authorized / stop-condition / success-evidence / rollback-evidence. This document does NOT build anything.
  • Status: BUILD-INTAKE / PLAN DOCUMENT ONLY. No mutation, no COMMIT. Every step below is conditional on authorization that does not exist yet (M-1 NOT-MET).
  • Date: 2026-06-01.
  • Extends: doc 45 (build index, phase order), doc 42 (gate table), doc 49 (gate checklist).
  • Pairs with: doc 69 (drift fold-in), doc 71 (rollback), doc 72 (authorization template).


70.0 Master precondition for EVERY step below

No step may begin its COMMIT until M-1 (os_proposal_approvals>0, named sovereign approval for THAT step) is recorded AND every doc-49 MUST item is green for that step. Live: os_proposal_approvals=0 → COMMIT_FORBIDDEN for all steps. Each step first re-runs the doc-45 §45.3 live read-only block and the doc-48 pre-flight. No step flips to GO by self-approval. Authorization is per step, not blanket.

70.1 Build order (Phase-1 gated DDL, then activation)

Dependency graph (doc 45): SB-12 + SB-13 → SB-10 → (+ SB-11) → [T6/T7 addenda] → Branch B → Branch A → Branch C/D. SB-1/SB-2 is a parallel decision-gated line, not on this chain.

Step 1 — SB-12 (snapshot/ruleset)

  • Prerequisite: M-1 for step 1; A-4 (C-7.2 ruleset-owner) recorded if any ruleset will be activated (creation as status='draft' does not activate). Drift: none on this object.
  • Live re-verify: governance_ruleset ABSENT; evolution_snapshots baseline (1); measurement_registry 140 enabled (hash input); law counts 47/5/12.
  • Allowed mutation if authorized: CREATE TABLE governance_ruleset; INSERT 1 draft ruleset row (status='draft', NOT activated); INSERT 1 evolution_snapshots gov row. No law version bump (ruleset = operational config versioning).
  • Stop condition: ruleset would be created active/activated without A-4; any law-version write; evolution_snapshots schema change; hash recipe references anything outside SSOT measurement_registry.
  • Success evidence: governance_ruleset present, 1 draft row; evolution_snapshots +1 gov row; law 47/5/12 unchanged. (Rehearsed R-2.)
  • Rollback evidence: DROP TABLE governance_ruleset; DELETE evolution_snapshots WHERE scope LIKE 'governance.%' → back to baseline (proven entry==exit R-2/R-8).
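
The rehearse-then-compare pattern behind "proven entry==exit" can be sketched as follows. This is an added example, not code from the build packet: SQLite stands in for the real database, the column lists, the `rv-rehearsal` version and the `governance.ruleset` scope value are assumptions, and only the table names, the draft-only rule and the baseline counts come from this page.

```python
import sqlite3

REUSE_TABLES = ("evolution_snapshots", "measurement_registry")  # names from the page

def baseline_db():
    """Constructed baseline: 1 snapshot row, 140 registry rows (the live re-verify counts)."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/ROLLBACK only
    db.execute("CREATE TABLE evolution_snapshots (id INTEGER PRIMARY KEY, scope TEXT)")
    db.execute("CREATE TABLE measurement_registry (id INTEGER PRIMARY KEY, enabled INTEGER)")
    db.execute("INSERT INTO evolution_snapshots (scope) VALUES ('baseline')")
    db.executemany("INSERT INTO measurement_registry (enabled) VALUES (?)", [(1,)] * 140)
    return db

def snapshot(db):
    """Numeric snapshot: row count per reuse table plus the set of table names."""
    counts = {t: db.execute(f"SELECT count(*) FROM {t}").fetchone()[0] for t in REUSE_TABLES}
    tables = {r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    return counts, frozenset(tables)

def rehearse_step1(db, status="draft"):
    """Apply the step-1 mutation set in a transaction, evaluate it, then always roll back.
    Returns (success_evidence_ok, entry_equals_exit)."""
    entry = snapshot(db)
    entry_counts, entry_tables = entry
    db.execute("BEGIN")
    try:
        db.execute("CREATE TABLE governance_ruleset "
                   "(ruleset_version TEXT PRIMARY KEY, status TEXT NOT NULL)")  # assumed columns
        db.execute("INSERT INTO governance_ruleset VALUES ('rv-rehearsal', ?)", (status,))
        db.execute("INSERT INTO evolution_snapshots (scope) VALUES ('governance.ruleset')")
        counts, tables = snapshot(db)
        not_draft = db.execute(
            "SELECT count(*) FROM governance_ruleset WHERE status <> 'draft'").fetchone()[0]
        ok = (not_draft == 0  # stop condition: a ruleset created active
              and tables - entry_tables == {"governance_ruleset"}
              and counts["evolution_snapshots"] == entry_counts["evolution_snapshots"] + 1
              and counts["measurement_registry"] == entry_counts["measurement_registry"])
    finally:
        db.execute("ROLLBACK")  # never leave the transaction open, even on error
    return ok, snapshot(db) == entry
```

The second return value is the entry==exit check; the first is the in-transaction success evidence, which fails if the ruleset row is anything other than draft.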

Step 2 — SB-13 (worker-cursor)

  • Prerequisite: M-1 for step 2. Fold-in F-57-1 mandatory (queue_heartbeat real cols + Điều-45 metadata safe-check).
  • Live re-verify: gov_worker_cursor ABSENT; queue_heartbeat baseline (3); event_pending 0; watermark types int(birth/changelog)/uuid(cursor/outbox).
  • Allowed mutation if authorized: CREATE TABLE gov_worker_cursor (text watermark, PK (worker_name, source)); INSERT up-to-5 worker rows (none started); INSERT queue_heartbeat gov rows (executor_kind='PG_worker', metadata {}).
  • Stop condition: any worker started / cron scheduled at build time; watermark typed as int/uuid (must be text-generalized); heartbeat metadata carries data keys (Điều-45 violation); PK on born_at instead of id (RR-1).
  • Success evidence: gov_worker_cursor present; text watermark stores both int (1055575) and uuid (00004a74-…) (RR-8/RE-7); queue_heartbeat gov rows present; no worker running. (Rehearsed R-3.)
  • Rollback evidence: DROP TABLE gov_worker_cursor; DELETE queue_heartbeat WHERE executor_name LIKE 'gov\_%'.

Step 3 — SB-10 (candidate-state, keystone)

  • Prerequisite: M-1 for step 3; SB-12 + SB-13 already COMMITTED (FK candidate→ruleset). Drift: candidate_key uses COALESCE(canonical_address, collection_name||':'||entity_code) (C-2 NULL correction).
  • Live re-verify: all 3 candidate tables ABSENT; governance_ruleset present (FK target); birth_registry size at build time (live, ~1.043M growing).
  • Allowed mutation if authorized: CREATE TABLE ×3 (governance_candidate_state GROUP grain PK (group_key, ruleset_version); governance_candidate_object optional; candidate_scan_run). NO is_governed/checked boolean (RR-4). FK (ruleset_version) REFERENCES governance_ruleset.
  • Stop condition: any checked-forever boolean present (grep must return 0, RR-4); group's defining tuple not stored beside group_key (RR-5); birth_registry written to; verdict not a decaying triple.
  • Success evidence: 3 tables present; grep for {is_governed,checked,is_checked,governed,checked_forever} = 0; FK resolves; group-grain Δrows=0 (one group row per (group_key, ruleset_version)). (Rehearsed R-4/R-6.)
  • Rollback evidence: DROP TABLE ×3 in reverse FK order (candidate_scan_run, governance_candidate_object, governance_candidate_state).

Step 4 — SB-11 (event domain, register-before-emit)

  • Prerequisite: M-1 for step 4. Fold-in F-57-2/3/4 mandatory (CHECK enum values). A-3 (C-7.1) recorded before any input-gate trust activation downstream.
  • Live re-verify: event_type_registry 40 (governance 0); event_outbox governance 0.
  • Allowed mutation if authorized: register 5 governance-domain rows in event_type_registry with active=false (RR-9). 0 new tables.
  • Stop condition: any row active=true (RR-9, flip deferred to T7 build + full taxonomy); any emit (event_outbox governance must stay 0, RE-5); a second bus/store created (RR-10).
  • Success evidence: 5 governance rows active=false; event_outbox governance = 0 (zero emit); 0 new tables. (Rehearsed R-5/R-6.)
  • Rollback evidence: DELETE FROM event_type_registry WHERE event_domain='governance'. No emit to unwind.

Step 5 — Combined verification (post steps 1–4)

  • Prerequisite: steps 1–4 committed.
  • Live re-verify: entry==exit-style numeric snapshot vs the pre-build baseline for all reuse tables (only the 5 new tables + the additive governance rows should differ); os_proposal_approvals matches the recorded approvals; FK candidate→ruleset enforced.
  • Allowed mutation if authorized: none (verification only).
  • Stop condition: any unexpected delta on a reuse table; any governance event active=true; FK not enforced; any emit.
  • Success evidence: footprint = exactly 5 new tables (4 core + 1 optional) + additive governance rows; 0 new buses (doc 62 footprint claim re-confirmed live).
  • Rollback evidence: the staged DROP/DELETE set from steps 1–4 (doc 71).

Step 6 — T6/T7 addenda patch (10 addenda)

  • Prerequisite: SB-10/11/12/13 committed; C-7 formal intake where the addendum activates trust/seed; fold-in F-R7-1 (dot_domains first) + F-R7-2 (DOT naming decision) mandatory; OI-45-1 reconciled (count = 10).
  • Live re-verify: dot_domains 46 (GCOS subdomains absent); dot_tools 309 (gov 0); dot_coverage_required 11.
  • Allowed mutation if authorized: INSERT 4 dot_domains (GCOS subdomains) → INSERT 4 GCOS DOTs (tier-A read/propose) → INSERT 4 dot_coverage_required; apply the 10 KB doc addenda to docs 24/25 (surgical, recorded); register T7 finding types. dot_governance_assignment_apply (the mutating DOT) is NOT created (G-APPLY NO-GO).
  • Stop condition: the mutating apply DOT created without A-9; any governance APR action='add' instead of 'review' (RR-11); dot_coverage_required insert before dot_domains (FK, F-R7-1); any event flipped active=true without full taxonomy.
  • Success evidence: 4 GCOS domains, 4 tier-A DOTs, 4 coverage rows; T7 finding types registered; docs 24/25 patched; apply DOT absent. (Rehearsed R-7.)
  • Rollback evidence: DELETE coverage → DOTs → domains (reverse FK order); revert doc 24/25 patches (KB revision rollback).

Step 7 — SB-1 / SB-2 (separate decision-gated line)

  • Prerequisite: A-8 (C-1 + C-2) recorded + M-1 for this line. SB-2 must be REHEARSED first (W6 — not done in the docs 57–66 run; use the doc-19 author-mode line).
  • Live re-verify: governance_object_ownership + governance_responsibility_scope ABSENT; apr_action_types 6 (no governance types); the 6 owner agencies present; no GOV-IU.
  • Allowed mutation if authorized: CREATE TABLE governance_object_ownership + 6-row governance_responsibility_scope + v_object_effective_owner; INSERT 4 APR action-type rows (assign_governance_owner, grant_governance_exception, delegate_authority, assign_axis_owner) Phase-A handler_ref='unimplemented' (fail-closed). Do NOT widen governance_relations CHECK.
  • Stop condition: widening governance_relations CHECK (migration risk); Phase-B handler activated; accountable-owner uniqueness not per-scope; supporting/delegated/exception role masquerading as accountable; any action='add' for governance APR.
  • Success evidence: owner table + scope + view present; 4 action-types present, all Phase-A unimplemented; fn_apr_quorum_check enforces proposer≠approver.
  • Rollback evidence: DROP VIEW v_object_effective_owner; DROP TABLE owner + scope; DELETE the 4 action-type rows.

Step 8 — DOT/event activation (register-before-emit gates satisfied)

  • Prerequisite: SB-11 committed (active=false); full T7 finding taxonomy built; A-3 (input-trust) recorded for input-gate; M-1 for activation.
  • Allowed mutation if authorized: flip specific event_type_registry governance rows to active=true; activate non-mutating GCOS DOTs (read/propose only).
  • Stop condition: activation before register (Điều-45 violation); the mutating apply DOT activated; activation without full taxonomy (RR-9).
  • Success evidence: governance events active=true; first emit appears in event_outbox after registration; propose-only DOTs running, no apply.
  • Rollback evidence: set active=false; disable DOTs (DOT disable, not drop).

Step 9 — Backfill seed (candidate/input/ruleset gates green)

  • Prerequisite: A-5 (C-7.3 backfill-ruleset) + A-3 (input-trust) + A-4 (ruleset-owner) recorded; candidate/input/ruleset substrate committed and green; M-1 for seed.
  • Allowed mutation if authorized: run gov_backfill_sweep incrementally/resumably over birth_registry (keyset on id, idempotency key collection_name:entity_code); seed candidate verdicts under the named draft/active ruleset. High-risk verdicts stay unknown/fail-closed until ruleset activation (C-7.3).
  • Stop condition: non-resumable/blanket full scan that times out (5s statement limit); high-risk verdict auto-resolved before activation; backfill modifies Birth; 60-day cut-over auto-remediates (C-7.4 forbids auto-remediation — escalate to findings only).
  • Success evidence: candidate rows seeded incrementally; high-risk = unknown; Birth untouched; cursor advances.
  • Rollback evidence: truncate/delete seeded candidate rows by last_run_id; reset gov_worker_cursor watermark; Birth never touched so nothing to restore there.
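
A resumable, keyset-paginated sweep of the kind step 9 requires, as an added example rather than the project's own gov_backfill_sweep. SQLite stands in for the real database; the column lists, the worker/source cursor key, using the idempotency key as group_key, and seeding every verdict as 'unknown' are assumptions made for the sketch.

```python
import sqlite3

# Assumed minimal columns; SQLite stands in for the real database.
SCHEMA = """
CREATE TABLE birth_registry (id INTEGER PRIMARY KEY, collection_name TEXT, entity_code TEXT);
CREATE TABLE gov_worker_cursor (worker_name TEXT, source TEXT, watermark TEXT,
    PRIMARY KEY (worker_name, source));
CREATE TABLE governance_candidate_state (group_key TEXT, ruleset_version TEXT,
    verdict TEXT, last_run_id TEXT, PRIMARY KEY (group_key, ruleset_version));
"""
CURSOR_KEY = ("gov_backfill_sweep", "birth_registry")  # hypothetical worker/source names

def make_db(n_rows):
    """Constructed sample data: entity codes repeat so idempotency keys collide."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO birth_registry VALUES (?, 'col_a', ?)",
                   [(i, f"E{i % 3}") for i in range(1, n_rows + 1)])
    db.execute("INSERT INTO gov_worker_cursor VALUES (?, ?, '0')", CURSOR_KEY)
    db.commit()
    return db

def watermark(db):
    return db.execute("SELECT watermark FROM gov_worker_cursor "
                      "WHERE worker_name=? AND source=?", CURSOR_KEY).fetchone()[0]

def sweep_batch(db, run_id, ruleset_version, batch=4):
    """Process one bounded batch; returns rows read (0 means the sweep is complete)."""
    rows = db.execute("SELECT id, collection_name, entity_code FROM birth_registry "
                      "WHERE id > ? ORDER BY id LIMIT ?",  # keyset on id, never OFFSET
                      (int(watermark(db)), batch)).fetchall()
    if not rows:
        return 0
    with db:  # verdict inserts and watermark advance commit (or roll back) together
        for _id, coll, code in rows:
            db.execute("INSERT OR IGNORE INTO governance_candidate_state "
                       "VALUES (?, ?, 'unknown', ?)",  # fail-closed verdict
                       (f"{coll}:{code}", ruleset_version, run_id))
        db.execute("UPDATE gov_worker_cursor SET watermark=? "
                   "WHERE worker_name=? AND source=?", (str(rows[-1][0]), *CURSOR_KEY))
    return len(rows)

def run_sweep(db, run_id, ruleset_version, batch=4):
    """Drive batches to completion; safe to call again after an interruption."""
    total = 0
    while (n := sweep_batch(db, run_id, ruleset_version, batch)):
        total += n
    return total
```

Because the source table is only ever read and each batch commits together with its watermark, an interrupted run resumes from the last committed id, and a replay from watermark 0 creates no duplicate candidate rows.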

70.2 Global stop conditions (any one halts the build immediately)

  1. os_proposal_approvals reads 0 at the moment of a COMMIT step (M-1 lost).
  2. Any forbidden action becomes reachable: Directus/Qdrant/Nuxt mutation, law enactment/version/status change, self-approval, emit-before-register.
  3. A rehearsal-for-this-exact-step did not first pass entry==exit, or a step's pre-flight (doc 45 §45.3 + doc 48) fails.
  4. Any drift fold-in (doc 69) not applied for the step being built.
  5. The mutating DOT dot_governance_assignment_apply is about to be created without A-9.
  6. An idle_in_transaction session is left open, or a transaction errors and is not rolled back.
  7. Footprint exceeds 5 new tables / introduces a new bus/store/notifier (no-island breach).
  8. A C-7/C-1/C-2 decision is treated as ratified by silence (silence ≠ approval) or recorded by an agent that may not record (D10 sovereign).

70.3 Build-order verdict

A complete, dependency-correct, per-step build order exists with prerequisites, live re-verify, allowed mutations, stop conditions, success evidence, and rollback evidence for all 9 steps. Every Phase-1 step (1–6) has already been proven live under BEGIN..ROLLBACK. No step is authorized to COMMIT today (M-1 NOT-MET). This is a plan, not a build.
