95 — Phase 1 Per-Step Authorization Forms

Mission §6 (Branch C). Tier: authorization templates. Mutation footprint: ZERO. These are blank forms to be filled by the authorizing authority — filling one does NOT itself authorize anything; the binding act is the sovereign os_proposal_approvals row + the council record being created in the live system. Authority model (doc 88): (1) Sovereign (President) = the only writer of os_proposal_approvals; satisfies M-1/A-1/A-2/A-9. (2) Council = records C-1/C-2/C-7.x (silence ≠ approval). (3) GPT/agent = may sequence/authorize rehearsal only; never a COMMIT. A GPT or agent statement is never a substitute for the sovereign row.

95.1 How a form becomes binding

A filled form is an instruction to authorize. It is binding only when, in the live directus DB:

an os_proposal_approvals row exists naming THIS step (M-1), created by the President; and
the step's council record (C-1/C-2/C-7.x) exists where required; and
the build agent has quoted both in its build prompt and re-verified them live (doc 96).

Absent (1) or (2) → the step runs rehearsal-only (BEGIN..ROLLBACK), regardless of any filled form.

95.2 Common form header (prepend to every step form)

STEP: <n>  COMPONENT: <SB-xx>
PACKAGE: knowledge/dev/reports/architecture/one-roof-governance-technical-addendum-and-implementation-index-2026-06-01/
READ FIRST: docs 00, 88, 86, 89, 93, 94, 96, 97, 98(if SB-1), 99
CHANNEL: ssh contabo → docker exec -i postgres psql -U workflow_admin -d directus  (PG 16.13)
SESSION GUC: statement_timeout='5s'; lock_timeout='3s'; idle_in_transaction_session_timeout='15s'
MASTER GATE (M-1): os_proposal_approvals row id = __________  (for THIS step; if none → REHEARSAL-ONLY)
COUNCIL RECORD: <C-1/C-2/C-7.x or "n/a"> id/ref = __________
REHEARSAL ENTRY==EXIT PROVEN THIS SESSION: yes / no   (must be yes before COMMIT)
PG_DUMP OF TOUCHED REUSE-TABLES TAKEN: path = __________

95.3 STEP 1 form — SB-12 ruleset/snapshot

AUTHORIZED OBJECTS: CREATE TABLE governance_ruleset (+index/constraint); 1 evolution_snapshots reuse row.
RULESET STATUS: 'draft' ONLY (activation is C-7.2, NOT authorized here).
COMMIT ALLOWED: yes IFF M-1(SB-12) present; else REHEARSAL-ONLY.
MAX MUTATION SCOPE: +1 new table, +1 evolution_snapshots row. No other object.
ROLLBACK REQUIREMENT: in-flight ROLLBACK or post-commit DROP TABLE + DELETE evo row (doc 97).
REQUIRED LIVE RE-VERIFY: doc 96 §SB-12 slice, before and after.
FINAL REPORT FIELDS (doc 89 §89.8): step id; M-1 id; pre/post counts; fold-ins (n/a); entry==exit; pg_dump path; COMMIT y/n; delta; rollback SQL on file; no-hardcode; no-island; events emitted=0; law/version unchanged; stop-conditions.
STOP CONDITIONS: M-1 absent; ruleset would be non-draft; trigger added; entry≠exit; idle_in_tx>0.

95.4 STEP 2 form — SB-13 worker cursor

AUTHORIZED OBJECTS: CREATE TABLE gov_worker_cursor (last_watermark_id TEXT); optional queue_heartbeat rows (executor_name LIKE 'gov_%', executor_kind='PG_worker', metadata='{}').
MANDATORY FOLD-IN: F-57-1 (heartbeat cols), L-WATERMARK (text watermark).
COMMIT ALLOWED: yes IFF M-1(SB-13); else REHEARSAL-ONLY.
MAX MUTATION SCOPE: +1 new table (+ gov_ heartbeat rows). No other object.
ROLLBACK REQUIREMENT: DROP TABLE gov_worker_cursor; DELETE queue_heartbeat WHERE executor_name LIKE 'gov\_%'.
REQUIRED LIVE RE-VERIFY: doc 96 §SB-13 slice.
FINAL REPORT FIELDS: doc 89 §89.8 (+ confirm watermark col type=text; no Đ45 safe-check RAISE).
STOP CONDITIONS: M-1 absent; watermark not text; safe-check RAISE; entry≠exit.

95.5 STEP 3 form — SB-10 candidate-state store

PRECONDITION: STEP 1 COMMITTED (governance_ruleset exists) — FK parent. If absent → STOP.
AUTHORIZED OBJECTS: CREATE TABLE governance_candidate_state (+ optional object table) + candidate_scan_run; FK→governance_ruleset.
MANDATORY FOLD-IN: L-CANON-NULL (candidate_key = COALESCE(canonical_address, collection_name||':'||entity_code)). NO checked-forever boolean.
COMMIT ALLOWED: yes IFF M-1(SB-10) AND STEP 1 committed; else REHEARSAL-ONLY.
MAX MUTATION SCOPE: +2 (or +3) new tables. ZERO candidate rows committed.
ROLLBACK REQUIREMENT: DROP TABLE candidate_scan_run; DROP TABLE governance_candidate_state; (+ object table first).
REQUIRED LIVE RE-VERIFY: doc 96 §SB-10 slice; confirm FK enforced (negative test).
FINAL REPORT FIELDS: doc 89 §89.8 (+ 0 candidate rows; FK negative test rejected).
STOP CONDITIONS: SB-12 absent; M-1 absent; verdict-boolean present; candidate rows seeded; entry≠exit.

95.6 STEP 4 form — SB-11 event domain registration

AUTHORIZED OBJECTS: 5 INSERTs into event_type_registry (event_domain='governance', delivery_lane='delayed', event_stream∈{alert,health}, default_severity∈{info,warning}, active=false).
MANDATORY FOLD-IN: F-57-2/3/4 enum values.
COMMIT ALLOWED: yes IFF M-1(SB-11); else REHEARSAL-ONLY.
MAX MUTATION SCOPE: +5 event_type_registry rows, all active=false. ZERO event_outbox rows.
ROLLBACK REQUIREMENT: DELETE FROM event_type_registry WHERE event_domain='governance'.
REQUIRED LIVE RE-VERIFY: doc 96 §SB-11 slice; confirm event_outbox governance=0.
FINAL REPORT FIELDS: doc 89 §89.8 (+ governance registry=5 active=false; outbox governance=0).
STOP CONDITIONS: M-1 absent; any active=true; any event_outbox row; CHECK enum failure; entry≠exit.
NOTE: activation/trust requires C-7.1 — NOT authorized by this form.

95.7 STEP 5 form — SB-2 ownership substrate

COUNCIL RECORD REQUIRED: C-1 (SB-2 ownership table build record). Absent → REHEARSAL-ONLY even if M-1 present.
AUTHORIZED OBJECTS (one txn): CREATE TABLE governance_responsibility_scope (+6 seed) + governance_object_ownership (20-col, partial UNIQUE per (object_type,object_ref,scope), delegated requires effective_to) + v_object_effective_owner + v_object_owner_gap.
COMMIT ALLOWED: yes IFF M-1(SB-2) AND C-1; else REHEARSAL-ONLY.
MAX MUTATION SCOPE: +2 tables, +2 views, +6 seed scopes. NO governance_relations ALTER. NO trigger. NO real owner rows.
ROLLBACK REQUIREMENT: DROP VIEW (x2); DROP TABLE governance_object_ownership; DROP TABLE governance_responsibility_scope.
REQUIRED LIVE RE-VERIFY: doc 96 §SB-2 slice; confirm governance_relations count unchanged (8); 5 negative tests reject.
FINAL REPORT FIELDS: doc 89 §89.8 (+ 5 negative tests; relations unchanged).
STOP CONDITIONS: C-1/M-1 absent; governance_relations ALTER in script; trigger added; a negative test fails to reject; entry≠exit.

95.8 STEP 6 form — SB-1 APR action-types (F-83-1) — special risk

COUNCIL RECORD REQUIRED: C-2 (SB-1 action-types build record). Absent → REHEARSAL-ONLY even if M-1 present.
READ FIRST: doc 98 (F-83-1 trigger fix).
AUTHORIZED OBJECTS (one txn):
  1) DROP TRIGGER trg_birth_apr_action_types ON apr_action_types;
  2) CREATE TRIGGER trg_birth_apr_action_types AFTER INSERT ON apr_action_types
       FOR EACH ROW EXECUTE FUNCTION fn_birth_registry_auto('action_code');   -- F-83-1 fix
  3) INSERT 4 rows: assign_governance_owner / grant_governance_exception / delegate_authority / assign_axis_owner,
       all handler_ref='unimplemented', risk_level='high', status='active', _dot_origin set.
COMMIT ALLOWED: yes IFF M-1(SB-1) AND C-2; else REHEARSAL-ONLY.
MAX MUTATION SCOPE: re-wire 1 trigger; +4 apr_action_types rows; +4 birth_registry rows (auto). NOTHING else.
EXPLICITLY FORBIDDEN: flip any handler_ref to a real handler; create approval_requests row (esp. action='add'); emit; touch governance_relations.
ROLLBACK REQUIREMENT: in-flight ROLLBACK (rows+birth gone, trigger restored); post-commit RETIRE action-types (status='retired'), KEEP F-83-1 trigger fix (doc 98 §98.5).
REQUIRED LIVE RE-VERIFY: doc 96 §SB-1 slice; expect TRIGGER-GUARD WARNING (must be WARNING not ERROR); birth_apr rows 0→4 in rehearsal.
FINAL REPORT FIELDS: doc 89 §89.8 (+ apr_action_types 6→10; birth_apr=4; approval_requests/apr_approvals unchanged; trigger def now 'action_code').
STOP CONDITIONS: C-2/M-1 absent; TRIGGER-GUARD at ERROR level; F-83-1 fix not effective (INSERT still NULL-violates); approval_requests row would be created; entry≠exit.

95.9 NO-GO / REHEARSAL-ONLY form (default when gates not green)

MODE: REHEARSAL-ONLY (BEGIN..ROLLBACK). USE WHEN: M-1 absent for the step, OR a required council record
  (C-1/C-2/C-7.x) absent, OR any stop condition tripped, OR the author wants a dry proof first.
AUTHORIZED: open one transaction; set the three timeouts; run the step's DDL/DML; run the negative tests;
  prove entry==exit; then ROLLBACK. Read-only query_pg for independent verification.
FORBIDDEN: COMMIT; leaving a session idle-in-transaction; any persistent object; any emit; any approval row;
  any Directus/Qdrant/Nuxt mutation; any law/version/status change.
REQUIRED PROOF: entry count == exit count for every touched object; targets ABSENT→ABSENT (greenfield);
  apr_action_types 6→(6 on rollback); event_outbox governance=0; idle_in_transaction=0; no session left open.
REPORT: doc 89 §89.8 fields with COMMIT=no; explicitly state "ZERO COMMIT, entry==exit, rehearsal-only."
RULE: a GPT/agent direction may authorize THIS rehearsal mode; it may NEVER authorize a COMMIT.

95.10 Sovereign `os_proposal_approvals` note (M-1) — what the row must say

The load-bearing authorization is the sovereign row itself, not this form. Per doc 88/89, the row must scope to one build step (e.g. "SB-12 build — CREATE governance_ruleset draft + 1 evo snapshot row, per docs 93/94/99"), be created by the President (A-1), traverse the Đ-32 quorum where the governance process requires (A-2; proposer≠approver), and never be self-approved. The build agent must quote the row id in its prompt and re-verify it live (doc 96) immediately before COMMIT. No agent or GPT may create this row.

Branch C verdict: per-step forms (STEP 1–6) + a NO-GO/rehearsal-only form are defined, each pinning authorized objects, COMMIT condition, max mutation scope, rollback, required re-verify, report fields, and stop conditions. Filling a form authorizes nothing; the live sovereign row + council record do. M-1=0 ⇒ all forms currently resolve to REHEARSAL-ONLY.