99 — Phase 1 Build SQL Pack Specification (NO EXECUTION)

Mission §10 (Branch G). Tier: the structure a future build SQL pack must take. Mutation footprint: ZERO. This doc specifies file layout, required sections, transaction boundaries, and checks — it does NOT contain final executable build SQL. The authoritative DDL/DML lives in the design docs (16/17/38/39/40/41) + the doc-86 fold-ins; the build agent assembles each step's script from those under that step's authorization. Writing final SQL here would be implementation — forbidden. One file per step. One transaction per file. One authorization per file.

---

99.1 Pack layout (one file per build step)

phase1-build-pack/                         (assembled by the build agent at build time; NOT created now)
  00_preflight.sql            -- read-only checks (doc 96); NO BEGIN/COMMIT; safe to run anytime
  01_sb12_ruleset.sql         -- STEP 1
  02_sb13_worker_cursor.sql   -- STEP 2
  03_sb10_candidate_state.sql -- STEP 3   (asserts governance_ruleset exists)
  04_sb11_event_domain.sql    -- STEP 4
  05_sb2_ownership.sql        -- STEP 5   (requires C-1)
  06_sb1_action_types.sql     -- STEP 6   (requires C-2; includes F-83-1 trigger re-wire)
  rollback/                    -- one mirror file per step (doc 97 SQL), staged before its COMMIT
    01_sb12_rollback.sql ... 06_sb1_rollback.sql
  verify/
    post_step.sql             -- doc 101 post-build verification block

Each NN_*.sql is self-contained: its own preflight assertions, its own single transaction, its own in-file rollback section, its own verification queries.

99.2 Required sections in every step file (canonical order)

-- SECTION A — HEADER COMMENT
--   step id; component; package path; authorizing docs (93/94/95/98/99);
--   M-1 os_proposal_approvals row id = <quoted>; council record (C-1/C-2) = <quoted or n/a>;
--   pg_dump path of touched reuse-tables; date; author/channel.
--   "REHEARSAL-ONLY unless the M-1 row + council record are live-verified."

-- SECTION B — PREFLIGHT ASSERTIONS (read-only; abort if any fails)
--   master gate (os_proposal_approvals > 0 for THIS step);
--   target ABSENT (greenfield) or vocabulary baseline (SB-1);
--   FK parents present where required (SB-10 ⇒ governance_ruleset);
--   governance_relations = 8; event_outbox governance = 0; idle_in_transaction = 0.
--   (Use plpgsql DO $$ ... RAISE EXCEPTION ... $$ guards so a failed assertion aborts the script.)

-- SECTION C — BEGIN + SESSION GUC
--   BEGIN;
--   SET LOCAL statement_timeout='5s'; SET LOCAL lock_timeout='3s'; SET LOCAL idle_in_transaction_session_timeout='15s';

-- SECTION D — FOLD-INS (only the step's mandatory ones; reference doc 86)
--   SB-13: F-57-1 column/kind conventions; L-WATERMARK text col.
--   SB-11: F-57-2/3/4 enum values.
--   SB-10: L-CANON-NULL candidate_key expression; NO checked-forever boolean.
--   SB-1:  F-83-1 trigger re-wire (doc 98) — FIRST statement after BEGIN, before the INSERTs.

-- SECTION E — THE ADDITIVE DDL/DML (from the design docs; see §99.4 per step)
--   greenfield CREATE TABLE/VIEW, or additive INSERTs only; NO ALTER of governance_relations.

-- SECTION F — IN-TRANSACTION VERIFICATION + NEGATIVE TESTS (assert, do not COMMIT yet)
--   positive: object present / row counts as expected;
--   negative: the step's rejection tests (SB-2: dup-accountable, phantom FK, bad scope, bad kind, delegated-no-TTL;
--             SB-1: PK collision, bad risk, bad status; SB-10: bad ruleset_version FK);
--   entry==exit fields captured for the rehearsal variant.

-- SECTION G — COMMIT BOUNDARY (conditional)
--   REHEARSAL VARIANT:  ROLLBACK;   -- proves entry==exit, zero residue
--   BUILD VARIANT:      COMMIT;     -- ONLY if SECTION B master gate + council record verified live
--   The two variants differ ONLY in this final keyword. Default is ROLLBACK.

-- SECTION H — POST-COMMIT VERIFICATION (build variant only; doc 101)
--   re-run doc 96 slice; record delta; confirm event_outbox governance=0; law/version unchanged.

-- SECTION I — ROLLBACK REFERENCE (comment pointer to rollback/NN_*.sql, doc 97)

99.3 BEGIN/COMMIT boundary rules

• Exactly one BEGIN and one terminal ROLLBACK-or-COMMIT per step file. No nested transactions, no COMMIT mid-file.
• The default terminal keyword is ROLLBACK (rehearsal). The build variant flips only that one keyword to COMMIT, and only after SECTION B confirms the live master gate + council record.
• SET LOCAL (not SET) so timeouts scope to the transaction and reset on its end.
• 00_preflight.sql and verify/post_step.sql have no BEGIN/COMMIT — they are read-only.
• The rollback mirror files (rollback/NN_*.sql) each carry their own BEGIN … COMMIT and run only under a reversal authorization (doc 97).

99.4 Per-step DDL/DML source map (where the real SQL comes from — assemble, don't invent)

Step	File	Additive objects	Authoritative source	Mandatory fold-in
1 SB-12	01_sb12_ruleset.sql	CREATE TABLE governance_ruleset (draft) + 1 evolution_snapshots row	doc 38	—
2 SB-13	02_sb13_worker_cursor.sql	CREATE TABLE gov_worker_cursor (text watermark) + gov queue_heartbeat rows	doc 39	F-57-1, L-WATERMARK
3 SB-10	03_sb10_candidate_state.sql	CREATE TABLE governance_candidate_state (+optional object) + candidate_scan_run, FK→ruleset	doc 40	L-CANON-NULL, no-checked-forever
4 SB-11	04_sb11_event_domain.sql	5 event_type_registry rows active=false	doc 41	F-57-2/3/4
5 SB-2	05_sb2_ownership.sql	governance_responsibility_scope (+6) + governance_object_ownership + 2 views	doc 17	additive-only (no CHECK-widen), trigger-less
6 SB-1	06_sb1_action_types.sql	F-83-1 trigger re-wire + 4 apr_action_types rows	doc 16 + doc 98	F-83-1 (load-bearing), action≠'add' convention

The build agent copies the proven DDL/DML from these design docs, applies the named fold-ins, and wraps it in the §99.2 sections. It does not author novel schema here.

99.5 Mandatory comment requirements

Every step file must comment, at minimum:

• the authorizing os_proposal_approvals row id and council record (or "REHEARSAL-ONLY");
• for every additive object: which design doc it comes from;
• for every fold-in: the F-/L- id and one line of why (e.g. -- F-83-1: re-wire so entity_code uses action_code, else NULL-violates birth_registry);
• at the COMMIT boundary: a one-line restatement that COMMIT is forbidden unless the gate is live;
• the no-hardcode and no-island attestations (§99.6/§99.7).

99.6 No-hardcode checks (assert in SECTION B/F)

• Action-type names/risk/handler are rows in apr_action_types; quorum derives from risk_level (no enum/code-branch list).
• Responsibility scopes are rows in governance_responsibility_scope (6 seed), not literals in code.
• Owners resolve to governance_registry (FK), not literal owner strings.
• Event types are rows in event_type_registry; DOTs (post-Phase-1) are rows in dot_tools.
• The candidate ruleset is a row/hash (SB-12), not an inline constant; candidate_key is computed, not hardcoded.
• Exempt (contract constants, not data): the action='review' protocol value; the three timeout GUCs; the 'governance' event-domain literal at registration (it is the new domain being registered, register-before-emit). Comment each exemption.

99.7 No-island checks (assert before COMMIT)

• SB-1 adds vocabulary to the existing Đ-32 spine and reuses fn_apr_quorum_check / fn_apr_block_unimplemented_handler — no private approval table.
• SB-2 owner writes target governance_object_ownership (the canonical owner store), never a second/private table; Đ-37 stays the single roof (REFERENCE to Đ-32).
• Events go through event_outbox after registration in event_type_registry — no side-channel emit.
• Candidate verdicts live in governance_candidate_state only; cursors in gov_worker_cursor + reuse queue_heartbeat — no shadow ledger.
• Run the CI island scan (canon §5 dual channel) before any COMMIT; a second governance "roof" anywhere = STOP.

99.8 What this spec deliberately does NOT contain

• No final CREATE TABLE/INSERT column lists (those are in docs 16/17/38/39/40/41) — reproducing them as runnable SQL here would be implementation.
• No os_proposal_approvals INSERT (sovereign-only; never scripted by the agent).
• No event active=true / emit; no DOT registration; no Phase-B handler; no governance_relations ALTER.

Branch G verdict: the SQL-pack structure is specified — one self-contained file per step (header/preflight/BEGIN+GUC/fold-ins/additive DDL/in-txn verify+negatives/COMMIT-boundary/post-verify/rollback-pointer), default-ROLLBACK with a single-keyword flip to COMMIT gated on the live master gate + council record, a source map pointing at the proven design-doc SQL, and explicit no-hardcode/no-island assertions. No executable build SQL authored here; assembly + COMMIT remain authorization-gated (M-1=0).